Cisco Systems CL-28826-01 Security Camera User Manual


30-74
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Customizing Clientless SSL VPN Portals
• Users of Microsoft Windows Vista who use smart tunnels (or port forwarding) must add the URL of
  the ASA device to the Trusted Site zone. Configure the Trusted Site zone in Internet Explorer (Tools
  > Internet Options, Security tab).
• The user's browser must be enabled with Java, Microsoft ActiveX, or both.
• If the user's workstation requires a proxy server to reach the security appliance, the URL of the
  terminating end of the connection must be in the list of URLs excluded from proxy services. In this
  configuration, smart tunnels support only basic authentication.
Tip: A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
You configure smart tunnel access for an application by creating an SSL VPN smart tunnel list policy
object and including that object in an ASA group policy object. You then assign the ASA group policy
object to a device in the Remote Access VPN > Group Policies policy.
Related Topics
Understanding Group Policies (ASA), page 30-22
Creating Policy Objects, page 6-9
Policy Object Manager, page 6-4
Step 1 Create an SSL VPN smart tunnel list policy object:
a. Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager,
page 6-4), and select SSL VPN Smart Tunnel Lists from the table of contents.
Tip: You can also create SSL VPN smart tunnel list objects when you create or edit the ASA group
policy object. For more information, see Selecting Objects for Policies, page 6-2.
b. Click the Add Object button to open the Add and Edit Smart Tunnel List Dialog Boxes, page 33-52.
c. Enter a name for the object, up to 64 characters.
d. To the table of applications, add those applications for which you are granting smart tunnel access
(click the Add Row button to open the Add and Edit A Smart Tunnel Entry Dialog Boxes,
page 33-53). Consider the following:
• Enter an application name that is easy to understand and include version numbers if you support
  more than one version. For example, Microsoft Outlook.
• For the application path, entering only the filename, for example, outlook.exe, is the simplest
  and most maintainable option. This allows the user to install the application in any folder. Enter
  the full path if you want to enforce a specific installation structure.
• Hash values are optional, but you can use them to prevent spoofing. Without hash values, a user
  can rename an application to a supported filename; the security appliance checks only the
  filename and path (if specified). However, if you enter hash values, you must maintain them as
  users apply patches or application upgrades. For specific information on determining hash
  values, see Add and Edit A Smart Tunnel Entry Dialog Boxes, page 33-53.
Click OK to save the entry.
e. You can also incorporate other SSL VPN smart list objects into the object. This allows you to create
a core set of smart list objects that you can use repeatedly in other objects.
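
The trade-off described under step 1d (filename-only entries versus entries with hash values) can be seen in the following added example, which is not part of the Cisco guide and does not reproduce the appliance's code. The function `entry_allows`, the entry dictionaries, the sample file contents, and the use of SHA-1 as the digest are all assumptions made for illustration; the actual hash procedure is the one on page 33-53.

```python
import hashlib
import ntpath
import os
import tempfile

def sha1_of(path):
    """Digest a file in chunks. SHA-1 is an assumption; see page 33-53 for the real procedure."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entry_allows(entry, process_path, digest):
    """Hypothetical model of one entry: filename or full path, plus optional hashes."""
    configured = entry["path"].lower()
    candidate = process_path.lower()
    if ntpath.dirname(configured):            # full path configured: exact match
        path_ok = candidate == configured
    else:                                     # filename only: any folder is accepted
        path_ok = ntpath.basename(candidate) == configured
    hashes = {h.lower() for h in entry.get("hashes", [])}
    return path_ok and (not hashes or digest.lower() in hashes)

def demo():
    # Constructed stand-ins for binaries; none of this is real application content.
    samples = {
        "genuine": b"constructed: Outlook build A",
        "patched": b"constructed: Outlook build B (after an update)",
        "renamed": b"constructed: unrelated program renamed to outlook.exe",
    }
    digests = {}
    with tempfile.TemporaryDirectory() as tmp:
        for kind, content in samples.items():
            path = os.path.join(tmp, kind + ".bin")
            with open(path, "wb") as f:
                f.write(content)
            digests[kind] = sha1_of(path)
    entries = {
        "name_only": {"path": "outlook.exe"},
        "pinned": {"path": "outlook.exe", "hashes": [digests["genuine"]]},
    }
    claimed = r"C:\Users\alice\Downloads\outlook.exe"  # constructed path
    return {(label, kind): entry_allows(entry, claimed, digests[kind])
            for label, entry in entries.items() for kind in digests}

if __name__ == "__main__":
    for key, allowed in demo().items():
        print(key, "allowed" if allowed else "blocked")
```

The pinned entry blocks the renamed program but also blocks the patched build, which is the maintenance cost the guide warns about: the hash list has to be updated whenever users apply patches or upgrades.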