Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series, Version 5.2
Configuring Group Policies
Downloads: This chapterpdf (PDF - 1.37MB) The complete bookPDF (PDF - 4.16MB) | Feedback

Configuring Group Policies

Table Of Contents

Configuring Group Policies

Overview of Group Policies, Tunnel Groups, and Users

Group Policies

Default Group Policy

Configuring Group Policies

Configuring an External Group Policy

Adding an External Group Policy

Editing an External Group Policy

Configuring an Internal Group Policy

Configuring Internal Group Policy General Attributes

Configuring Tunneling Protocols

Configuring the ACL Filter

Configuring General VPN Connection Settings Attributes

Configuring WINS and DNS Servers and DHCP Scope

Configuring IPSec Attributes

Configuring Reauthentication on IKE Rekey

Configuring IP Compression

Configuring Perfect Forward Secrecy

Configuring Tunnel Group Locking

Configuring Client Access Rules

Configuring Client Configuration Parameters

Configuring General Client Parameters

Configuring the Banner Message

Configuring Domain Attributes for Tunneling

Configuring Split-Tunneling Attributes

Configuring Cisco Client Parameters

Configuring Microsoft Client Parameters

Configuring Firewall Attributes

Configuring Attributes for VPN Hardware Clients

Configuring Network Admission Control

Configuring Group-Policy WebVPN Attributes

Configuring Group-Policy WebVPN Function Tab Attributes

Configuring Content Filtering Tab Attributes

Configuring the User Homepage

Enabling Port Forwarding (WebVPN Application Access) for a Group Policy

Configuring Server and List Arguments Using the WebVPN Other Tab

Configuring the SSL VPN Client Tab Attributes

Configuring the Auto Signon Tab Attributes


Configuring Group Policies


This chapter describes how to configure VPN group policies using ASDM. This chapter includes the following sections.

Overview of Group Policies, Tunnel Groups, and Users

Group Policies

Default Group Policy

Configuring Group Policies

Configuring an External Group Policy

Configuring an Internal Group Policy

Groups, group policies, tunnel groups, and users, are interdependent. In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure group policies.

Overview of Group Policies, Tunnel Groups, and Users

Although this chapter deals only with group policies, you should understand the context in which these group policies exist. Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. Tunnel groups identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.

Tunnel groups and group policies simplify system management. To streamline the configuration task, the security appliance provides a default LAN-to-LAN tunnel group, a default remote access tunnel group, a default WebVPN tunnel group, and a default group policy (DfltGrpPolicy). The default tunnel groups and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they "inherit" parameters from a group policy. Thus, you can quickly configure VPN access for large numbers of users.

If you decide to grant identical rights to all VPN users, then you do not need to configure specific tunnel groups or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Tunnel groups and group policies provide the flexibility to do so securely.


Note The security appliance also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see Cisco Security Appliance Command Line Configuration Guide, Chapter 16, "Identifying Traffic with Access Lists."


Group Policies

Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user. You can also modify the group-policy attributes for a specific user.

A group policy is a set of user-oriented attribute/value pairs for IPSec connections that are stored either internally (locally) on the device or externally on a RADIUS or LDAP server. A tunnel group uses a group policy that sets terms for user connections after the tunnel is established.

To assign a group policy to users or to modify a group policy for specific users, select Configuration > VPN > General > Group Policy (Figure 2-1).

Figure 2-1 Group Policy Window

.

You can configure internal and external group policies. Internal groups are configured on the security appliance internal database. External groups are configured on an external authentication server, such as RADIUS or LDAP. Group policies include the following attributes:

Identity

Server definitions

Client firewall settings

Tunneling protocols

IPSec settings

Hardware client settings

Filters

Client configuration settings

Network Admission Control settings

WebVPN functions

Connection settings

Default Group Policy

The security appliance supplies a default group policy, named DfltGrpPolicy, which always exists on the security appliance. This default group policy does not take effect unless you configure the security appliance to use it. DfltGrpPolicy is always an internal group policy. You can modify this default group policy, but you cannot delete it. When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy.

The Group Policy window lets you manage VPN group policies. Configuring the default VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.

The "child" windows, tabs, and dialog boxes let you configure the default group parameters. These parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this default group, and users can "inherit" parameters from their group or the default group. You can override these parameters as you configure groups and users.

To modify the default group policy, select DfltGrpPolicy in the table on the Group Policy window and click Edit. The Edit Internal Group Policy: DfltGrpPolicy window appears (Figure 2-2):

Figure 2-2 Edit Internal Group Policy: DfltGrpPolicy Window

To change any of the attributes of the default group policy, work through the selections on the various tabs on the Edit Internal Group Policy: DfltGrpPolicy window, just as you would for any other internal group policy, as described in Configuring an Internal Group Policy.

The default group policy, DfltGrpPolicy, that the security appliance has the following attributes:

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 wins-server none
 dns-server none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 banner none
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  no html-content-filter
  no homepage
  no filter
  no url-list
  no port-forward
  port-forward-name value Application Access

Configuring Group Policies

This section includes the following sections:

Default Group Policy

Adding an External Group Policy

Editing an External Group Policy

Configuring Internal Group Policy General Attributes

Configuring IPSec Attributes

Configuring Client Configuration Parameters

Configuring Attributes for VPN Hardware Clients

Configuring Group-Policy WebVPN Attributes

A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter, the group takes the value from the default group policy. To configure (add or modify) a group policy, follow the steps in the subsequent sections.

If you click the Add dialog box, a small menu appears giving you the option to create a new internal group policy, or an external group policy that is stored externally on a RADIUS or LDAP server. Both the Add Internal Group Policy window and the Edit Group Policy window include tabbed sections. If you click the WebVPN tab, you expose several additional tabs. Click each tab to display its parameters. As you move from tab to tab, the security appliance retains your settings. When you have finished setting parameters on all tabbed sections, click OK or Cancel.

In these dialog boxes, you configure the following kinds of parameters:

General Parameters: Protocols, filtering, connection settings, and servers.

IPSec Parameters: IP Security tunneling protocol parameters and client access rules.

Client Configuration Parameters: Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.

Client FW Parameters: VPN Client personal firewall requirements.

Hardware Client Parameters: Interactive hardware client and individual user authentication; network extension mode.

Network Admission Control parameters.

WebVPN Parameters: SSL VPN access.

Before configuring these parameters, you should configure:

Access hours.

Rules and filters.

IPSec Security Associations.

Network lists for filtering and split tunneling

User authentication servers, and specifically the internal authentication server.

Configuring an External Group Policy

External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group. If you are using an external authentication server, and if your external group-policy attributes exist in the same RADIUS server as the users that you plan to authenticate, you have to make sure that there is no name duplication between them.


Note External group names on the security appliance refer to user names on the RADIUS server. In other words, if you configure external group X on the security appliance, the RADIUS server sees the query as an authentication request for user X. So external groups are really just user accounts on the RADIUS server that have special meaning to the security appliance. If your external group attributes exist in the same RADIUS server as the users that you plan to authenticate, there must be no name duplication between them.


The security appliance supports user authorization on an external LDAP or RADIUS server. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions in the Cisco Security Appliance Command Line Configuration Guide, Appendix E, "Configuring an External Server for Security Appliance User Authorization" to configure your external server.

Adding an External Group Policy

The following steps explain how to add an external group policy.


Step 1 To add an external group policy, select Configuration > VPN > General > Group Policy, click Add, and select External Group Policy from the menu (Figure 2-3).

Figure 2-3 Adding an External Group Policy

The Add External Group Policy dialog box appears (Figure 2-4).

Figure 2-4 Add External Group Policy Dialog Box

To configure the attributes of the new external group policy, do the following steps, specifying a name and type for the group policy, along with the server-group name and a password.

Step 2 Enter a name for the group policy and a password for the server. Then select a server group from the list or click New to create a new server group. When you click New, a menu appears. Select either a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box (Figure 2-5). Click OK when done.


Note For an external group policy, RADIUS is the only supported AAA server type.


Figure 2-5 Add AAA Server Group Dialog Box

Step 3 Configure the AAA server group parameters. The Add AAA Server Group dialog box lets you configure a new AAA server group with the following attributes. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

Server Group—Specifies the name of the server group. You can specify the name of a new server group, then add servers to that group. If the server group name that you specify does not contain any servers, you see the following message (Figure 2-6):

Figure 2-6 Empty Server Group Message

To add servers to a group, select Configuration > Properties >AAA Setup > AAA Groups. To continue after seeing this message, click OK. To exit the external group configuration procedure, click Cancel.

Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group. For an external group policy, this is always RADIUS.

Accounting Mode—(RADIUS and TACACS+ protocols only) Indicates whether to use simultaneous or single accounting mode. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group.

Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.

Dead Time—Specifies, for depletion mode, the number of minutes that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. This field is not available for timed mode.

Max Failed Attempts— Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive.


Note You can configure several vendor-specific attributes (VSAs), as described in Cisco Security Appliance Command Line Configuration Guide Appendix E, "Configuring an External Server for Security Appliance User Authorization". If a RADIUS server is configured to return the Class attribute (#25), the security appliance uses that attribute to authenticate the Group Name. On the RADIUS server, the attribute must be formatted as: OU=groupname; where groupname is identical to the Group Name configured on the security appliance—for example, OU=Finance.


Editing an External Group Policy

The procedures for editing a group policy are similar to those for adding, except that when you click Edit on the Group Policy window, the Edit Group Policy window appears, with the Name field already filled in. The rest of the fields on this window are the same. You can also add a AAA server group when you edit an external group policy. See Steps 2 and 3 of Adding an External Group Policy.

Configuring an Internal Group Policy

Internal group policies are configured on the security appliance internal database. To configure the attributes of the new internal group policy, do the following steps.


Step 1 To add or edit an internal group policy, select Configuration >VPN > General >Group Policy. The Group Policy window appears (Figure 2-7).

Figure 2-7 Group Policy Window, Add Internal Group Policy

Step 2 Click Add or Edit.

If you are adding an internal group policy, select Internal Group Policy from the menu. The Add Internal Group Policy window appears (Figure 2-8).

If you are editing an internal group policy, the Edit Internal Group Policy window appears.

The contents of these windows are similar, the only difference being that for editing, the Name field is display-only. Because of this similarity, the following procedures show only the Add Internal Group Policy window.

Figure 2-8 Add Internal Group Policy Window

This window offers several tabs, on which you configure function-specific attributes. In most cases, you can check the Inherit check box to take the corresponding setting from the default group policy. Allowing inheritance can greatly simplify the configuration process. You can explicitly configure those attributes that you do not want to be inherited. The following sections explain how to configure the group policy attributes for an internal group policy.

Configuring Internal Group Policy General Attributes

The Add or Edit Internal Group Policy window, General tab lets you configure tunneling protocols, ACL filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Clearing the Inherit check box lets you configure specific values.

The following sections explain how to configure the values of each of the attributes in the General tab.

Configuring Tunneling Protocols

Select the tunneling protocol or protocols that this group can use. Users can use only the selected protocols. You must configure at least one tunneling mode for users to connect over a VPN tunnel. The default is IPSec.

The choices are as follows:

IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. When you check the IPSec check box, the security appliance negotiates an IPSec tunnel between two peers (a remote access client or another secure gateway) and creates security associations that govern authentication, encryption, encapsulation, and key management.

WebVPN—VPN via SSL/TLS. Checking the WebVPN check box provides VPN services to remote users via an HTTPS-enabled web browser and does not require a client (either hardware or software). This protocol uses a web browser to establish a secure remote-access tunnel to a security appliance. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

L2TP over IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.


Note If no protocol is selected, an error message appears.


To remove a protocol attribute from the running configuration, clear the check box for that protocol.

Configuring the ACL Filter

Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. You configure ACLs to permit or deny various types of traffic for this group policy. (You can also configure this attribute in username mode, in which case the value configured under username supersedes the group-policy value.)


Note The security appliance supports only an inbound ACL on an interface.

At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not explicitly permitted by an access control entry (ACE). ACEs are referred to as rules in this topic.


To specify that you want the group policy to inherit the filter from the default group policy, click the Inherit check box. This is the default value. To specify a different filter, select a filter from the menu. To prevent inheriting a value, select None instead of specifying an ACL name. The None option indicates that there is no access list and sets a null value, thereby disallowing an access list.


Note You might not know at configuration time what values the group policy is inheriting. To ensure that no ACL is associated with a particular group policy, clear the Inherit check box and select None in the ACL (Filter/Web-VPN ACL ID/...) drop-down list.

If you are dealing with one of the default group policies, inheritance is inapplicable, so only selecting None is relevant.


If you select Inherit or None, you do not add or modify an existing filter, so you can skip to Configuring Access Hours in these instructions.

Managing ACLs and ACEs

To create a new filter (ACL) or modify an existing filter, click Manage. The ACL Manager dialog box (Figure 2-9) appears. In this dialog box, you can add, edit, and delete Access Control Lists (ACLs) and Extended Access Control Lists (ACEs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.

To remove an ACL from the group policy, select Delete from the toolbar. There is no confirmation or undo.

Figure 2-9 ACL Manager Dialog Box

The fields in this dialog box are as follows:

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Enabled—Enables or disables a rule. Implicit rules cannot be disabled.

Source—Shows the IP addresses of the hosts/networks that are permitted or denied to send traffic to the IP addresses listed in the Destination column. An address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.

Destination—Shows the IP addresses of the hosts/networks that are permitted or denied to receive traffic from the IP addresses listed in the Source Host/Network column. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses in square brackets; for example [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.

Service—Names the service and protocol specified by the rule. See Managing Protocol and Service Groups for more information about protocols and services.

Action—Shows the action that applies to the rule, either Permit or Deny.

Logging—Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, choose Edit from the toolbar. The Edit ACE dialog box appears. This dialog box is identical to the Add ACE dialog box (Figure 2-12), except for the title bar.

Time—Shows the name of the time range to be applied in this rule. The time range specifies the access hours during which the user can connect using this group policy. The default value is (any), meaning that there is no restriction on when the user can connect.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule." To edit the description, choose Edit from the toolbar. The Edit ACE dialog box appears. This dialog box is identical to the Add ACE dialog box (Figure 2-12), except for the title bar.

Rule Flow Diagram—(Read-only) Shows a graphic representation of the selected rule flow. To close this diagram, click the small "X" at the top of the Rule Flow Diagram area.This same diagram appears on the ACL Manager dialog box unless you explicitly close that display.

Rules are applied in the order in which they appear in the table in the ACL Manager dialog box. To move a rule up or down in the list, click the up or down arrows on the toolbar. To delete a rule, select it, then click Delete.

You can also cut, copy, and paste ACLs and ACEs, just as you would in a text document, by clicking the scissors (cut), pages (copy), and clipboard (paste) icons on the toolbar.

Double-clicking on any row of the ACL Manager table opens the Edit ACL dialog box, where you can modify these fields.

To add a new ACL, click Add and select Add ACL from the drop-down list (Figure 2-10).

Figure 2-10 Add/Insert Menu

The Add ACL dialog box appears (Figure 2-11). Enter an ACL name and click OK.

Figure 2-11 Add ACL Dialog Box

After you add an ACL, you can populate it with filter rules using the Add ACE menu selection.

To add a filter rule, click Add ACE (Figure 2-10). To edit a filter rule, select the rule you want to change and click Edit. The Add or Edit Extended Access List Rule dialog box appears (Figure 2-12). The Edit Extended Access List Rule dialog box is identical with the Add ACE dialog box, except for the title.

Figure 2-12 Add ACE

This dialog box lets you configure whether to permit or deny traffic, specify the source and destination host or network, specify the protocol, service (source and destination ports) to which to apply this rule, specify a time range to apply or define a new time range, configure the syslog options, and manage the service groups. Optionally, you can also enter a description of this rule. Your entries here appear in the Rule Flow Diagram and in the Configure ACLs table in the ACL Manager dialog box.


Note The contents of the Source, Destination, Protocol and Service, Rule Flow Diagram, and Options areas on this dialog box change, depending on your selections.


Configuring the Source and Destination Areas

Use these areas to identify the source and destination networks. Specify the following parameters for both the source and destination areas:

Type—Select the type of the source or destination address to which this rule applies. You can identify the networks by IP address, interface IP, or network object group. You can also select the keyword any to specify that this rule applies to any source or destination. The any type has no additional qualifying fields for source or destination.

IP address and Netmask—When you select IP Address in the Type field, use the IP address field to specify the IP address of the source or destination network or host and the Netmask field to select the subnet mask for the specified IP address. For example, the address/netmask 192.168.10.0/255.255.255.0 specifies a network, and 192.168.10.1/255.255.255.255 specifies a host. There is no default.

Browse (...)—Browse for an IP address (instead or entering an IP address manually). Clicking Browse opens the Browse Source (or Destination) Address dialog box (Figure 2-13), on which you can select an already configured object or add, edit, or delete a selected object type. Selecting Add or Edit from the toolbar of the Browse Source Address dialog box opens the Add or Edit dialog box for the selected object type. Use this dialog box to enter or alter the Name, IP Address, and (optionally) the description for the entry.

Figure 2-13 Browse Source Address Dialog Box with Edit IP Name Dialog Box

Group Name—When you select Network Object Group in the Type field, you can select or browse (...) for a named group of networks and hosts (a network object group). There is no default.

Interface—When you select Interface IP in the Type field, you can select an interface on which the host or network resides. The default is outside.

Managing Protocol and Service Groups

Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port. You can create service groups for TCP, UDP, IP, ICMP, and other IP protocols.

In the Protocol and Service area of the Add or Edit ACE dialog box, you configure the connection protocol and the type of service or the service group for the source and destination ports. If you do not want to make any changes, go on to the Description field. Figure 2-14 shows the Protocol and Service Area for the TCP protocol.

Figure 2-14 Protocol and Service Area, TCP protocol

You can associate multiple TCP or UDP services (ports) in a named group. You can then use the service group in an access or IPSec rule, a conduit, or other functions within ASDM and the CLI.

The term service refers to higher layer protocols associated with application level services having well known port numbers and "literal" names such as ftp, telnet, and smtp.

The security appliance permits the following TCP literal names: bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, www.

The Name of a service group must be unique across all types of object groups. For example, a service group and a network group may not share the same name.

Multiple service groups can be nested into a "group of groups" and used the same as a single group. When a service object group is deleted, it is removed from all service object groups where it is used.

If a service group is used in an access rule, do not remove it. A service group used in an access rule cannot be made empty.

Use the Protocol and Service area to specify the protocol and type of service for this rule. The content of these areas depends on your protocol choice.

Protocol—Select the protocol for the rule. Possible values are TCP, UDP, ICMP, IP, and IP Other. Depending on this choice, other fields might become available in this area.

If you select IP, no additional fields appear.

If you select IP Other, an Other area appears. In this area, you can select either Protocol or Protocol Group. Selecting Protocol enables a drop-down list, from which you can select a protocol. Selecting Protocol Group enables a drop-down list, from which you can select a protocol group. Alternatively, you can click Browse (...), which opens the Browse Other dialog box (Figure 2-15), listing the names of the predefined IP protocols from which you can make a selection or create a new protocol service group.

Figure 2-15 Browse Other Dialog Box

Selecting one of the service groups in the Add menu opens the Add Service Group dialog box for the selected protocol. Figure 2-16 shows the Add TCP Service Group dialog box, which is representative of all the other such Add Service Group dialog boxes.

Figure 2-16 Add TCP Service Group Dialog Box

On this dialog box, you can specify a group name and description, then select a service/service group or a port/port range and add it to or remove it from the members in the group.

Source/Destination Port—(TCP and UDP) If you select the Type as either TCP or UDP, the Source Port and Destination Port areas appear. Use the fields in these areas to specify a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP, that the ACL uses to match packets.

Service—(TCP and UDP) The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range).

Group— (TCP and UDP) Select a service group from the drop-down list or click Browse (...), which opens the Browse Source (or Destination) Port dialog box (Figure 2-17), on which you can select, add, edit, or delete a source or destination port or create a source or destination port group.

Figure 2-17 Browse Source Port

Selecting one of the service groups in the Add menu opens the Add Service Group dialog box for the selected protocol. Figure 2-16 shows the Add TCP Service Group dialog box, which is representative of all the other such dialog boxes.

If you specify ICMP as the Type, the ICMP area appears. You can select ICMP Type and make a selection from the drop-down list or ICMP Group. If you select ICMP Group, you can either make a selection from the drop-down list or click Browse, which opens the Browse ICMP dialog box (Figure 2-18), on which you select an ICMP group from a preconfigured list.

Figure 2-18 Browse ICMP Dialog Box

Selecting one of the service groups in the Add menu opens the Add Service Group dialog box for the selected protocol. Figure 2-16 shows the Add TCP Service Group dialog box, which is representative of all the other such dialog boxes.

Inserting ACL Rules

ACE rules are evaluated in the order in which they occur in the ACL Manager table. If you want to insert a rule into a particular place in the ACL Manager table, first select an existing ACE, then select Insert or Insert After from the Add menu.These selections respectively open the Insert ACE and Insert After ACE dialog boxes (Figure 2-19), on which you can specify the attributes of the ACE you want to create. These two dialog boxes are identical, except for the title. Insert places the new ACE above the selected ACE, and Insert After places the new ACE below the selected ACE.

Figure 2-19 Insert ACE Dialog Box

Configuring Options

The Options dialog box lets you set options for each ACE rule. The fields in the Options area (Figure 2-20) set optional features for this rule, including logging parameters, time ranges, and description. Use the field descriptions below when setting these options.

Figure 2-20 Options Area, Add or Edit ACE Dialog Box

Logging—Enables or disables logging or specifies the use of the default logging settings. If logging is enabled, the Syslog Level and Log Interval fields become available.

When you enable logging, the security appliance generates a syslog message when a new flow is permitted or denied by the rule. Subsequent syslog messages are generated at the end of a log interval to summarize the hit count of the flow. The default interval is 300 seconds.

Syslog Level—Selects the level of logging activity. The default is Informational.

Log Interval—Specifies the interval for permit and deny logging. This is he amount of time the security appliance waits before sending the flow statistics to the syslog. This setting also serves as the timeout value for deleting a flow if no packets match the ACE. The default is 300 seconds. The range is 1 through 600 seconds.


Note Conduits and outbound lists do not support logging. See the online Help for Configuration > Properties > Logging > Logging Setup and subsequent windows for an explanation of how to set global logging options.


The default logging behavior is that if a packet is denied, then the security appliance generates log message 106023. If a packet is permitted, no syslog message appears. Select this option to return to the default logging behavior.

By default, syslog messages are generated at the informational level (level 6). You can select a different level of logging messages to be sent to the syslog server from the drop-down list in the Syslog Level field. Logging levels are as follows:

Emergencies (level 0)—The security appliance does not use this level.

Alert (level 1, immediate action needed)

Critical (level 2, critical condition)

Errors (level 3, error condition)

Warnings (level 4, warning condition)

Notifications (level 5, normal but significant condition)

Informational (level 6, informational message only)

Debugging (level 7, appears during debugging only)

If a packet matches the ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval (see the description of the Logging Interval field). The security appliance generates a syslog message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.


Note Logging consumes a certain amount of memory when enabled.


Time Range—Selects the name of the time range to use with this rule. The default is (any). Click the Browse (...) button to open the Browse Time Range dialog box to select or add a time range (Figure 2-21).

Figure 2-21 Browse Time Range

A time range specifies the range of access hours during which a user can connect to the security appliance using this group policy.To add or edit a time range from the ACL configuration function, click Add or Edit on the Browse Time Range toolbar. The Add or Edit Time Range appears. Figure 2-22 shows the Add Time Range dialog box.

Description—(Optional) Provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.

Configuring General VPN Connection Settings Attributes

Follow the steps in this section to configure attributes that set the values of VPN connection attributes. These attributes control the number of simultaneous logins allowed, the timeouts, the name of the ACL to use for VPN connections, and the tunnel protocol. For all the attributes in this section, you can check the Inherit check box to allow the group policy to inherit a value from the default group policy.

Configuring Access Hours

The VPN access hours determine when users in this group can connect to the security appliance. To set the VPN access hours, you associate a group policy with a previously configured time-range policy, which determines the actual access hours.

A time range is a variable specifying the range of access hours during which a user can connect to the security appliance using this group policy. You select the name of a time range from a menu when you want to restrict access hours.

To view the characteristics of the existing time ranges, select Configuration  > Global Objects > Time Ranges. To select an existing time range to use with an ACL filter, choose a name from the drop-down Time Range menu in the Add/Edit ACE dialog box. To specify no time range restriction for this filter, choose Unrestricted from the menu. In either case, if you are not defining a new time range, skip to Configuring Simultaneous Logins.

You can check the Inherit check box to allow the group policy to inherit the access hours variable from the group policy. If you choose this option, skip to Configuring Simultaneous Logins.

To add or edit a time range from the General tab, clear the Inherit check box and click Manage. The Browse Time Range dialog box appears. Alternatively, you can get to the Browse Time Range dialog box by clicking Browse (...) in the Time Range area in the Add or Edit ACE dialog box. The Add or Edit Time Range dialog box appears (Figure 2-22). If you are editing an existing time range, the Time Range Name field is display-only.

Figure 2-22 Add Time Range Dialog Box

If you are adding a time range, specify a name for this time range. When needed, you select this time range by choosing this name from a drop-down list when you configure a group policy with a time range.

Specify the starting and ending times. If you configure specific starting and ending times, note that these times are inclusive.

You can further constrain the active time of this range by specifying recurring time ranges, which are active within the start and end times specified. To remove a recurring time range, select the range and click Delete. To add a recurring time range, click Add or select an existing time range and click Edit. The Add or Edit Recurring Time Ranges dialog box appears (Figure 2-23).

Figure 2-23 Add or Edit Recurring Time Ranges Dialog Box

Specify the recurring time ranges either as days of the week and times on which this recurring range is active or as a weekly interval when this recurring range is active, and click OK. Click OK to complete the configuration on the Add Time Range dialog box.

Configuring Simultaneous Logins

Specify the number of simultaneous logins allowed for any user. The default value is 3. The range is an integer in the range 0 through 2147483647. A group policy can inherit this value from another group policy. Enter 0 to disable login and prevent user access.


Caution While the maximum limit for the number of simultaneous logins is very large, allowing several could compromise security and affect performance.

Configuring Maximum Connect Time

Configure a maximum amount of time for VPN connections. At the end of this period of time, the security appliance terminates the connection. To allow unlimited connection time, check the Unlimited check box. To configure a specific time limit, clear the Unlimited check box. This makes the minutes field available. The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value.

Configuring User Idle Timeout

Configure the user idle timeout period by either checking the Unlimited check box or specifying a number of minutes that the system can remain idle. If there is no communication activity on the connection in this period, the security appliance terminates the connection. The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes.

Configuring WINS and DNS Servers and DHCP Scope

You can configure primary and secondary WINS servers and DNS servers and the DHCP scope. The default value in each case is none. To configure these attributes, do the following steps:


Step 1 Specify the primary and secondary DNS servers. The first IP address specified is that of the primary DNS server. The second (optional) IP address is that of the secondary DNS server. Leaving the first field blank instead of providing an IP address sets DNS servers to a null value, which allows no DNS servers and prevents inheriting a value from a default or specified group policy.

Every time that you enter a DNS Server value, you overwrite the existing setting. For example, if you configure the primary DNS server as 10.10.10.15 and later configure the primary DNS server to be 10.10.10.30, the later specification overwrites the first, and 10.10.10.30 becomes the primary DNS server.

Step 2 Specify the primary and secondary WINS servers. The first IP address specified is that of the primary WINS server. The second (optional) IP address is that of the secondary WINS server. Specifying the none keyword instead of an IP address sets WINS servers to a null value, which allows no WINS servers and prevents inheriting a value from a default or specified group policy.

Every time that you enter the wins-server command, you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same is true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.

The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named FirstGroup:

Step 3 Specify the DHCP scope; that is the range of IP addresses the security appliance DHCP server should use to assign addresses to users of this group policy. For example, to set an IP subnetwork of 10.10.85.0 (specifying the address range of 10.10.85.0 through 10.10.85.255) for the group policy, you would specify the DHCP scope as 10.10.85.1 (be sure to exclude 10.10.85.1 from the scope on the DHCP server).


Configuring IPSec Attributes

The IPSec tab on the Add or Edit Internal Group Policy window lets you specify security attributes for this group policy. Figure 2-24 shows the IPSec tab.

Figure 2-24 Add Internal Group Policy Window, IPSec Tab

Check an Inherit check box to let the corresponding setting take its value from the default group policy. The following sections explain how to configure the attributes on this tab.

Configuring Reauthentication on IKE Rekey

Specify whether to require that users reauthenticate on IKE rekey by choosing Enable or Disable. If you enable reauthentication on IKE rekey, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security. Reauthentication on IKE rekey is disabled by default if you clear the Inherit check box.

If the configured rekey interval is very short, users might find the repeated authorization requests inconvenient. To avoid repeated authorization requests, disable reauthentication. To check the configured rekey statistics, select Monitoring > VPN > VPN Statistics > Crypto Statistics to view the security association statistics.


Note Reauthentication fails if there is no user at the other end of the connection.


Configuring IP Compression

Specify whether to enable IP compression, which is disabled by default. Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems. IP compression is disabled by default.


Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

To enable or disable LZS IP compression, select Enable or Disable.

Configuring Perfect Forward Secrecy

Specify whether to enable perfect forward secrecy. In IPSec negotiations, perfect forward secrecy ensures that each new cryptographic key is unrelated to any previous key. A group policy can inherit a value for perfect forward secrecy from the default group policy if you check the Inherit check box. Otherwise, perfect forward secrecy is disabled by default. To enable or disable perfect forward secrecy, select Enable or Disable.

Configuring Tunnel Group Locking

Specify whether to restrict remote users to access only through the tunnel group, by enabling or disabling the Tunnel Group Lock attribute.

On the Add or Edit Internal Group Policy, IPSec tab, uncheck the Inherit check box and select a tunnel-group name from the drop-down list. Users associated with this group policy are then allowed access only through the specified tunnel group.

The tunnel-group name specifies the name of an existing tunnel group that the security appliance requires for the user to connect. Tunnel group lock restricts users by checking whether the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure tunnel group lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

To remove group locking from the group-policy configuration, select None from the list. This option sets the group lock to a null value, thereby allowing no group-lock restriction. It also prevents inheriting a group-lock value from a default or specified group policy.

Configuring Client Access Rules

The Client Access Rules area lets you specify up to 25 rules that determine whether to permit or deny access by certain types and versions of VPN clients. Either the group policy can inherit these rules from the default group policy, or you can specify particular rules for this group policy.

The table in this area shows the priority, action, client type and VPN client version that each rule specifies.

To configure rules that limit the remote access client types and versions that can connect via IPSec through the security appliance, clear the Inherit check box. This makes the buttons associated with the table active. By default, there are no access rules. When there are no client access rules, all client types and versions can connect. To delete individual rules, click Delete.

The columns in the Client Access Rules table are as follows:

Priority—Shows the priority for this rule. Determines the priority of the rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.

Action—Specifies whether this rule permits or denies access for clients of a particular type and version.

Client Type—Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset. Identifies device types via free-form strings, for example VPN 3002. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.

VPN Client Version —Specifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client. Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.

To add a new rule for an IPSec group policy, click Add. To modify an existing rule for an IPSec group policy, click Edit. The Add or Edit Client Access Rule dialog box appears (Figure 2-25).

Figure 2-25 Add Client Access Rule Dialog Box

Construct rules according to these caveats:

If you do not define any rules, the security appliance permits all connection types.

When a client matches none of the rules, the security appliance denies the connection. This means that if you define a deny rule, you must also define at least one permit rule, or the security appliance denies all connections.

For both software and hardware clients, type and version must match exactly their appearance in the Monitoring > VPN > VPN Statistics > Sessions window.

The * character is a wildcard, which you can use multiple times in each rule. For example, specifying the VPN client version as version 3.* in a client access rule applies that rule to the specified client type running release versions 3.x software.

You can construct a maximum of 25 rules per group policy.

There is a limit of 255 characters for an entire set of rules.

You can use n/a for clients that do not send client type and/or version.

Configuring Client Configuration Parameters

The Client Configuration tab of the Add/Edit Internal Group Policy Window (Figure 2-26) consists of the following tabs:

General Client parameters

Cisco Client parameters

Microsoft Client parameters

Figure 2-26 General Client Parameters Tab

Configuring General Client Parameters

The General Client Parameters tab configures client attributes that are common across both Cisco and Microsoft clients, including the banner text, default domain, split tunnel parameters, and address pools. In most cases, you can use the Inherit check box (checked by default) to indicate that the corresponding setting takes its value from the default group policy. Clearing the Inherit check box makes other options available for the parameter. Use the following field descriptions when configuring the general client parameters:

Banner—Specifies whether to inherit the banner from the default group policy or enter new banner text.

Edit Banner—Displays the View/Config Banner dialog box, in which you can enter banner text, up to 500 characters. See Configuring the Banner Message for more information.

Default Domain—Specifies whether to inherit the default domain from the default group policy or use a new default domain specified in the field. See Configuring Domain Attributes for Tunneling for more information about this and the following tunneling-related fields.

Split Tunnel DNS Names (space delimited)—Specifies whether to inherit the split-tunnel DNS names or from the default group policy or specify a new name or list of names in the field.

Split Tunnel Policy—Specifies whether to inherit the split-tunnel policy from the default group policy or select a policy from the menu. The menu options are to tunnel all networks, tunnel those in the network list below, or exclude those in the network list below.

Split Tunnel Network List—Specifies whether to inherit the split-tunnel network list from the default group policy or select from the drop-down list.

Manage—Opens the ACL Manager dialog box (Figure 2-27), on which you can manage standard and extended access control lists.

Figure 2-27 ACL Manager Dialog Box, with Standard and Extended ACLs

This ACL Manager dialog box is functionally identical to the one described in Managing ACLs and ACEs, although the standard and extended ACLs are on two different tabs in this case.

Address Pools—Configures the address pools available through this group policy.

Available Pools—Specifies a list of address pools for allocating addresses to remote clients. Deselecting the Inherit check box with no address pools in the Assigned Pools list indicates that no address pools are configured and disables inheritance from other sources of group policy.

Add—Moves the name of an address pool from the Available Pools list to the Assigned Pools list.

Remove—Moves the name of an address pool from the Assigned Pools list to the Available Pools list.

Assigned Pools (up to 6 entries)—Lists the address pools you have added to the assigned pools list. The address-pools settings in this table override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation. The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.

Configuring the Banner Message

The banner is a message that is displayed to remote clients when they connect. The default is no banner. If you choose not to inherit the banner from the default group policy, clear the Inherit check box and click Edit Banner. The View/Config Banner dialog box appears (Figure 2-28).

Figure 2-28 View/Config Banner Dialog Box

To specify the banner, or welcome message, if any, that you want to display, enter the banner text, up to 510 characters in length. Enter the "\n" sequence to insert a carriage return.


Note A carriage-return/line-feed included in the banner counts as two characters.


To delete a banner, remove the text.

Configuring Domain Attributes for Tunneling

You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains.

Defining a Default Domain Name for Tunneled Packets

The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name for users of the group policy, clear the Inherit check box and enter the default domain name in the field.

The domain name that you enter identifies the default domain name for the group. To specify that there is no default domain name, leave this field blank. This command sets a default domain name with a null value, which disallows a default domain name and prevents inheriting a default domain name from a default or specified group policy.

Defining a List of Domains for Split Tunneling

To provide a list of domains for split-tunneling, clear the Inherit check box and enter a space-delimited list of domains to be resolved through the split tunnel. When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, leave this list blank.

The domain name attribute provides a domain name that the security appliance resolves through the split tunnel. Leaving this list blank indicates that there is no split DNS list. It also sets a split DNS list with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or specified group policy.

Enter a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.). If the default domain name is to be resolved through the tunnel, you must explicitly include that name in this list.

Configuring Split-Tunneling Attributes

Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy to a specific network.

Setting the Split-Tunneling Policy

Set the rules for tunneling traffic by specifying the split-tunneling policy. The default is to tunnel all traffic. To set a split tunneling policy, clear the Inherit check box and select the split-tunnel policy from the drop-down menu. To remove the split-tunnel policy attribute from the running configuration, leave this field blank. This enables inheritance of a value for split tunneling from another group policy.

Select Tunnel All Networks to specify that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option.

Select Tunnel Network List Below to tunnel all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.

Select Exclude Network List Below to define a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.


Note Split tunneling is primarily a traffic management feature, not a security feature. For optimum security, we recommend that you do not enable split tunneling.


Creating a Network List for Split-Tunneling

Select a network list name for split tunneling from the Split Tunnel Network List drop-down menu. Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network. Only standard-type ACLs are allowed. Clicking Manage opens the ACL Manager dialog box, where you can configure the ACLs. For information on using ACL Manager dialog box, see Configuring the ACL Filter.

The access-list name that you select identifies an access list that enumerates the networks to tunnel or not tunnel. Selecting None indicates that there is no network list for split tunneling; the security appliance tunnels all traffic. Selecting None sets a split tunneling network list with a null value, thereby disallowing split tunneling. It also prevents inheriting a default split tunneling network list from a default or specified group policy.

Configuring Cisco Client Parameters

The attributes on the Cisco Client Parameters tab (Figure 2-29) specify certain security settings for the group, including password storage, IPSec over UPD settings, and IPSec backup servers.

Figure 2-29 Cisco Client Parameters Tab

Configuring Password Storage

You can specify whether to let users store their login passwords on the client system. For security reasons, password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites.

To enable or disable password storage, clear the Inherit check box for the Store Password on Client System attribute and select either Yes (enable) or No (disable).

This action does not apply to interactive hardware client authentication or individual user authentication for hardware clients.

Configuring IPSec-UDP Attributes

IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a security appliance that is running NAT. It is disabled by default. IPSec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The security appliance exchanges configuration parameters with the client while negotiating SAs. Using IPSec over UDP may slightly degrade system performance.

To enable or disable IPSec over UDP, clear the Inherit check box and choose either Enable or Disable.

The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.

To use IPSec over UDP, you must also configure the IPSec over UDP Port attribute, which sets a UDP port number for IPSec over UDP. In IPSec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. To configure the IPSec over UDP Port attribute, clear the Inherit check box and enter a port number into the field. The port numbers can range from 4001 through 49151. The default port value is 10000.

Configuring IPSec Backup Servers

Configure backup servers if you plan on using them. IPSec backup servers let a VPN client connect to the central site when the primary security appliance is unavailable.When you configure backup servers, the security appliance pushes the server list to the client as the IPSec tunnel is established. Backup servers do not exist until you configure them, either on the client or on the primary security appliance.

Configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.


Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS and WINS information from the hardware client via DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant delays can occur.


To specify one or more backup servers or to remove the configured backup server or servers from the client configuration, do the following:


Step 1 Clear the Inherit check box.

Step 2 Select one of the following options from the drop-down menu:

Keep Client Configuration— Specifies that the security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.

Clear Client Configuration—Specifies that the client uses no backup servers. The security appliance pushes a null server list.

Use the Backup Servers Below—Specifies that you want to configure a list of servers to use if the primary security appliance is unavailable.

Step 3 If you select Use the Backup Servers Below, you must fill in one or more server addresses in the Server Addresses field. This list is a space-delimited, priority-ordered list of servers for the VPN client to use when the primary security appliance is unavailable. This list identifies servers by IP address or hostname. The list can be 500 characters long, and it can contain up to10 entries.


Configuring Microsoft Client Parameters

The Microsoft Client Parameters tab (Figure 2-30) configures client attributes that are specific to Microsoft clients, specifically, proxy server parameters for Microsoft Internet Explorer.

Figure 2-30 Microsoft Client Parameters Tab

Use the fields on this tab to configure parameters specific to Microsoft clients:

Proxy Server Policy—Configures the Microsoft Internet Explorer browser proxy actions ("methods") for a client PC.

Do not modify client proxy settings—Leaves the HTTP browser proxy server setting in Internet Explorer unchanged for this client PC.

Do not use proxy—Disables the HTTP proxy setting in Internet Explorer for the client PC.

Auto-detect proxy—Enables the use of automatic proxy server detection in Internet Explorer for the client PC.

Use proxy server settings specified below—Sets the HTTP proxy server setting in Internet Explorer to use the value configured in the Proxy Server Name or IP Address field.

Proxy Server Settings—Configures the proxy server parameters for Microsoft clients using Microsoft Internet Explorer.

Proxy Server Name or IP Address—Specifies the IP address or name of an Microsoft Internet Explorer server that is applied for this client PC.


Note ASDM lets you configure the proxy server name or IP address. To configure the optional port to use, as well as the server, you must use the msie-proxy server command in group-policy configuration mode.


Bypass Proxy Server for Local Addresses— Configures Microsoft Internet Explorer browser proxy local-bypass settings for a client PC. Select Yes to enable local bypass or No to disable local bypass.

Proxy Server Exception List—Configures Microsoft Internet Explorer browser proxy exception list settings for a local bypass on the client PC. Enter the list of addresses that you do not want to have accessed through a proxy server. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.

Name or IP Address (use * as a wildcard)—Specifies the IP address or name of an MSIE server that is applied for this client PC.

Add—Add the specified name or IP address to the Proxy Server Exceptions list.

Delete—Remove the specified name or IP address from the Proxy server Exceptions list.

Proxy Server Exceptions—Lists the server names and IP addresses that you want to exclude from proxy server access. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.

DHCP Intercept—Enables or disables DHCP Intercept. DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.


Note A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.


Intercept DHCP Configure Message—Specifies whether to inherit the DHCP intercept policy from the group policy or to enable (Yes) or disable (No) DHCP policy.

Subnet Mask (optional)—Selects the subnet mask from the drop-down list.

Configuring Firewall Attributes

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option. When there are no firewall policies, users inherit any that exist in the default or other group policy.

Set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation on the Client Firewall tab (Figure 2-31).

Figure 2-31 Edit Internal Group Policy Client Firewall Tab


Note Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.


The following examples illustrate the use of the client firewall.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.

The Add or Edit Internal Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified. To specify the client firewall settings, clear the Inherit check box and configure the following attributes in the Client Firewall Attributes area

Configuring Firewall Setting

Specify whether there is no firewall, or whether the firewall is optional or required by selecting the appropriate setting from the drop-down menu.


Note If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.


Configuring Firewall Type

Select the type of firewall (or no firewall) from the drop-down menu. The options are:

No Firewall—Indicates that there is no client firewall policy and prevents inheriting a firewall policy from a default or specified group policy.

Cisco Integrated Firewall—Selects the Cisco Integrated Firewall type.

Cisco Security Agent—Selects the Cisco Intrusion Prevention Security Agent firewall type.

Zone Labs Firewalls—Selects either the Zone Labs Zone Alarm or the Zone Alarm Pro firewall type or both.

Sygate Personal Firewalls—Selects either the Sygate Personal firewall type, the Sygate Personal Pro firewall type, or the Sygate Security Agent firewall type.

Network ICE, Black ICE Firewall—Selects the Network ICE Black ICE firewall type.

Custom Firewall—Indicates that this policy uses a custom firewall. With this selection, the Custom Firewall and Firewall Policy areas become active.

Configuring a Custom Firewall

If you selected Custom Firewall as the firewall type, you must also configure the custom firewall attributes, as follows:

Vendor ID—Identifies the firewall vendor.

Product ID—Identifies the model or product name of the firewall product.

Description—Optionally provides additional information about the custom firewall.

Configure the Firewall Policy attributes to specify the source and characteristics of the firewall policy, as follows:

Policy defined by remote firewall (AYT)—Specifies that the policy is to use the firewall installed on the remote user PC and, after the connection is established, polls that firewall every 30 seconds to ensure that it is running. This is the "Are You There" or AYT mechanism. The local firewall enforces the firewall policy on the VPN client. The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails.

Policy Pushed (CPP)—Enforces a centralized firewall policy for personal firewalls on VPN client PCs. This firewall policy is called "push policy" or Central Protection Policy, because the policy is pushed from the peer. If you select this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active.The security appliance enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this security appliance, including the default filters. Keep in mind that the security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the security appliance. For example, "in" and "out" refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.

If you select Policy Pushed (CPP), you must also select the policies that the client uses for inbound and outbound traffic.

Clicking Manage opens the ACL Manager dialog box (Figure 2-9), i n which you can create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client, which, in turn, passes the policy to the local firewall, which enforces it.

Configuring Attributes for VPN Hardware Clients

The Add or Edit Internal Group Policy Hardware Client tab (Figure 2-32) lets you configure attributes specific to VPN hardware clients. On this tab you can enable or disable secure unit authentication and user authentication and set a user authentication timeout value for VPN hardware clients. You can also allow Cisco IP phones and LEAP packets to bypass individual user authentication and allow hardware clients using Network Extension Mode to connect.

Figure 2-32 Edit Internal Group Policy Hardware Client Tab

Requiring Interactive Client Authentication (Secure Unit Authentication)

Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password. Secure unit authentication is disabled by default.


Note With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.


Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use. If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Interactive hardware client authentication provides additional security by requiring the VPN 3002 Hardware Client to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled, the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the security appliance to which it connects. The security appliance facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.

When you enable interactive hardware client authentication for a group, the security appliance pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.

If, on the security appliance, you subsequently disable interactive hardware authentication for the group, it is enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the security appliance has disabled interactive hardware client authentication. If you subsequently configure a username and password, the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the security appliance using the saved username and password.

Specify whether to enable or disable the requirement for interactive client authentication by clearing the Inherit check box and selecting either Enable or Disable. This parameter is disabled by default.

Requiring Individual User Authentication

When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure. Individual user authentication for these users is disabled by default. To display a banner to VPN 3002 devices in a group, individual user authentication must be enabled.

If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Individual user authentication protects the central site from access by unauthorized persons on the private network of the VPN 3002. When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the security appliance, even though the tunnel already exists.


Note You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.


If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the VPN 3002 directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

If you try to access resources on the network behind the security appliance that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.

To authenticate, you must enter the IP address for the private interface of the VPN 3002 in the browser Location or Address field. The browser then displays the login screen for the VPN 3002. To authenticate, click the Connect/Login Status button.

One user can log in for a maximum of four sessions simultaneously. Individual users authenticate according to the order of authentication servers that you configure for a group.

Configuring an Idle Timeout

To set an idle timeout for individual users behind hardware clients, clear the Inherit check box and either check the Unlimited check box to specify that there is no idle timeout or specify a specific number of minutes. If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the client's access.


Note The user-authentication-idle-timeout command terminates only the client's access through the VPN tunnel, not the VPN tunnel itself.


The minutes field specifies the number of minutes in the idle timeout period.The minimum is 1 minute, the default is 30 minutes, and the maximum is 35791394 minutes. If you clear both the Inherit and Unlimited check boxes, you must specify a value in the minutes field.

Configuring IP Phone Bypass

You can allow Cisco IP phones to bypass individual user authentication behind a hardware client. To enable or disable IP Phone Bypass, clear the Inherit check box and select Enable or Disable. IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. IP Phone Bypass is disabled by default. If enabled, secure unit authentication remains in effect.


Note You must configure the VPN 3002 to use network extension mode for IP phone connections.


Configuring LEAP Bypass

LEAP users behind a VPN 3002 have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.

LEAP Bypass works as intended under the following conditions:

The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the VPN 3002 before LEAP devices can connect using that tunnel.

Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).

Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.

The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).

The VPN 3002 can operate in either client mode or network extension mode.

LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.

When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication (if enabled). LEAP Bypass is disabled by default.

To allow LEAP packets from Cisco wireless access points to bypass individual users authentication, clear the Inherit check box and select Enable. To disable LEAP bypass, select Disable.


Note IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per session wireless encryption privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP (Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.


This feature does not work as intended if you enable interactive hardware client authentication.


Caution There might be security risks to your network in allowing any unauthenticated traffic to traverse the tunnel.

Enabling Network Extension Mode

Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Network extension mode is required for the VPN 3002 to support IP phone connections, because the Call Manager can communicate only with actual IP addresses.


Note If you disallow network extension mode, the default setting, the VPN 3002 can connect to this security appliance in PAT mode only. If you disallow network extension mode here, be careful to configure all VPN 3002s in a group for PAT mode. If a VPN 3002 is configured to use network extension mode and the security appliance to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the VPN 3002 puts an unnecessary processing load on the security appliance to which it connects; if large numbers of VPN 3002s are misconfigured in this way, the security appliance has a reduced ability to provide service.


Enable or disable network extension mode for hardware clients by clearing the Inherit check box and selecting Enable or Disable.

Configuring Network Admission Control

The Add or Edit Internal Group Policy window, NAC tab (Figure 2-33), lets you configure Network Admission Control settings for the default group policy or an alternative group policy.

Figure 2-33 NAC Tab

The default for all the parameters on this tab is to inherit the value from the default group policy. Clear the Inherit check box for any parameters you want to explicitly configure. The fields on this window are as follows:

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab.

Enable NAC—Requires posture validation for remote access. If the remote computer passes the validation checks, the ACS server downloads the access policy for the security appliance to enforce. The default setting is Disable.

Status Query Timer—The security appliance starts this timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query. Enter the number of seconds in the range 30 to 1800. The default setting is 300.

Revalidation Timer—The security appliance starts this timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds between each successful posture validation. The range is 300 to 86400. The default setting is 36000.

Default ACL— (Optional) The security appliance applies the security policy associated with the selected ACL if posture validation fails. Select None or select an extended ACL in the list. The default setting is None. If the setting is None and posture validation fails, the security appliance applies the default group policy.

Use the Manage button to populate the drop-down list and view the configuration of the ACLs in the list.

Manage— Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs.

Posture Validation Exception List—Displays one or more attributes that exempt remote computers from posture validation. At minimum, each entry lists the operating system and an Enabled setting of Yes or No. An optional filter identifies an ACL used to match additional attributes of the remote computer. An entry that consists of an operating system and a filter requires the remote computer to match both to be exempt from posture validation. The security appliance ignores the entry if the Enabled setting is set to No.

Add—Adds an entry to the Posture Validation Exception list.

Edit—Modifies an entry in the Posture Validation Exception list.

Delete—Removes an entry from the Posture Validation Exception list.

Configuring Group-Policy WebVPN Attributes

WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses SSL and its successor, TLS1, to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. By default, WebVPN is disabled.

You can customize a WebVPN configuration for specific internal group policies.

In the Add or Edit Internal Group Policy WebVPN tab, you can specify whether to inherit the settings for all the functions or customize the WebVPN attributes, each of which is described in the subsequent sections:

Functions

Content Filtering

Homepage

Port Forwarding

Other (such as servers and URL lists)

SSL VPN Client (SVC)

Auto Signon

In many instances, you define the WebVPN attributes as part of configuring WebVPN, then you apply those definitions to specific groups when you configure the group-policy webvpn attributes. The attributes in the WebVPN tab for group policies define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter. WebVPN is disabled by default. See the description of WebVPN in the online Help for this tab and the Cisco Security Appliance Command Line Configuration Guide and Cisco Security Appliance Command Reference for more information about configuring the WebVPN attributes.

You do not need to configure WebVPN to use e-mail proxies

Configuring Group-Policy WebVPN Function Tab Attributes

The Functions tab (Figure 2-34) lets you configure basic WebVPN functions. To configure the WebVPN functions (such as file access and file browsing, HTTP Proxy, MAPI Proxy, and URL entry over WebVPN) that you want to enable, clear the Inherit check box and check the check boxes for the individual functions that you want to enable or apply. These functions are disabled by default.

Figure 2-34 Edit Internal Group Policy WebVPN Tab Functions Tab

The functions that you can configure on this tab are as follows:

Enable URL entry—Enables or disables user entry of URLs and places the URL entry box on the home page. When enabled, the security appliance still restricts URLs with any configured URL or network ACLs. Users can enter web addresses in the URL entry box, and use WebVPN to access those websites. When URL entry is disabled, the security appliance restricts WebVPN users to the URLs on the home page.

Using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.

In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate, so therefore cannot examine and validate the certificate. The current implementation of WebVPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.

To limit Internet access for WebVPN users, deselect the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.

Enable file server access—Enables or disables Windows file access (SMB/CIFS files only) through HTTPS. When enabled, the WebVPN home page lists file servers in the server list. You must enable file access to enable file browsing and/or file entry.

When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Servers and URLs area (see the description of Configuring Server and List Arguments Using the WebVPN Other Tab). To let users access servers directly or to browse servers on the network, see the Enable file server entry and Enable file server browsing attribute descriptions.

With this check box checked, users can download, edit, delete, rename, and move files. They can also add files and folders.

Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the security appliance, or reachable from that network. The WINS server or master browser provides the security appliance with an list of the resources on the network. You cannot use a DNS server instead.


Note File access is not supported in an Active Native Directory environment when used with Dynamic DNS. It is supported if used with a WINS server.


Enable file server entry—Enables of disables user ability to enter names of file servers. Places the file server entry box on the portal page. File server access must be enabled.

With this check box checked, users can enter pathnames to directly Windows files. They can download, edit, delete, rename, and move files. They can also add files and folders. Again, shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

Enable file server browsing—Enables or disables browsing for file the Windows network for domains/workgroups, file servers and shares. You must enable file browsing to allow user entry of a file server. File server access must be enabled.

With this check box checked, users can select domains and workgroups and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.

Enable auto applet download—Lets users automatically download and start the port forwarding java applet upon WebVPN login. Disabled by default, you can enable this feature only if port forwarding, Outlook/Exchange proxy, or HTTP proxy is also enabled. You can also enable auto applet download in the default group policy (DfltGrpPolicy) or in user-defined group policies.

Enable port forwarding—WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.


Note Port Forwarding does not work with some SSL/TLS versions.


With this check box checked users can access client/server applications by mapping TCP ports on the local and remote systems.


Note When users authenticate using digital certificates, the TCP Port Forwarding JAVA applet does not work. JAVA cannot access the web browser's keystore; therefore JAVA cannot use the certificates that the browser uses for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.


Enable Outlook/Exchange proxy—Enables or disables Microsoft Outlook/Exchange e-mail proxy.

Apply Web-type ACL—Applies the WebVPN access control list defined for the users of this group.

Enable HTTP proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation ("mangling"), such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser supported is Microsoft Internet Explorer.

Enable Citrix/MetaFrame—Enables support for terminal services from a MetaFrame Application Server to the client. This attribute lets the security appliance act as a secure gateway within a secure Citrix configuration. These services provide users with access to MetaFrame applications through a standard Web browser.

Configuring Content Filtering Tab Attributes

The Content Filtering tab (Figure 2-35) lets you configure the security appliance to block or remove the parts of websites that use Java or Active X, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs. To configure the WebVPN filters, clear the Inherit check box and check the check boxes for the individual filters that you want to enable. These functions are disabled by default.

Figure 2-35 Edit Internal Group Policy WebVPN Tab, Content Filtering Tab

The filters that you can configure on this tab are as follows:

Filter Java/ActiveX—Removes references to Java and ActiveX; that is, it removes <applet>, <embed> and <object> tags from HTML.

Filter scripts—Removes references to scripting; that is, it removes <script> tags from HTML.

Filter images—Removes <img> tags from HTML. Removing images dramatically speeds the delivery of web pages.

Filter cookies from images—Removes cookies that are delivered with images. This might preserve user privacy, because advertisers use cookies to track visitors.

Configuring the User Homepage

ASDM lets you customize a home page that the user sees upon logging in. You define a home page customization (such as color, logo, and so on) as part of the WebVPN configuration, then apply that customization when you configure a particular group policy. The Add or Edit Group Policy window, WebVPN tab, Homepage tab (Figure 2-36), lets you configure what, if any, home page that you want users to see upon logging in and specify the name of any previously defined customization that you want to apply to change the look-and-feel of that login web page. There is no default home page, and the default for customization is no customization. For information about configuring web-page customizations, see the online help for Configuration > VPN > WebVPN > Webpage Customization.

Figure 2-36 Edit Internal Group Policy WebVPN Tab Homepage Tab

To specify the Webpage Customization attribute, clear the Inherit check box and either select the name of a customization from the drop-down menu or click New to define a new customization. Clicking New opens the Add Customization Object dialog box. Click the Homepage tab in that dialog box to configure the customizations for the user home page. The other tabs in this dialog box configure other web page customizations to apply to the various GUI pages that the user sees. For information about how to configure web page customizations, see the online Help for that dialog box.

Regardless of whether you specify customizations, you can specify a particular home page that the user sees upon logging in. There is no default home page. To specify a URL for the web page that you want to display when a user in this group logs in, clear the Inherit check box in the Custom Homepage area and select Specify URL. Select either http or https (the default) as http or https as the connection protocol for the home page. In the field to the right of the :// characters, specify the URL of the Web page to use as the home page.

To remove a configured home page, select Use None. This sets a null value, thereby disallowing a home page and prevents inheriting an home page.

Enabling Port Forwarding (WebVPN Application Access) for a Group Policy

Port forwarding, also known as application access, lets you control the list of applications that WebVPN users can access through their remote connection. Port forwarding is disabled by default. The Add or Edit Group Policy window, WebVPN tab, Port Forwarding tab (Figure 2-37), lets you configure port forwarding parameters.

Figure 2-37 Edit Internal Group Policy WebVPN Tab Port Forwarding Tab

You configure a list of applications to make available through port forwarding either as part of the WebVPN configuration or in the group-policy Port Forwarding tab. To apply port forwarding to a group policy, clear the Inherit check box or boxes and configure the following fields:

Port Forwarding List—Specifies whether to inherit the port forwarding list from the default group policy, select one from the list, or create a new port forwarding list. The default is None, which prevents inheriting a port forwarding list.

Click New to create a new port-forwarding applications list. Clicking New opens a dialog box in which you can add a new port forwarding list. See the description of the Add or Edit Port Forwarding List window.

Applet Name—Specifies whether to inherit the applet name or to use the name specified in the field. Specify this name to identify port forwarding to end users. The name you configure appears in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to port forwarding applications that you configure for these users. The default applet name is Application Access.

The Add or Edit Port Forwarding List dialog box (Figure 2-38) lets you configure a new port forwarding list entry or modify an existing entry for WebVPN users for the group policy being added or modified.

Figure 2-38 Add Port Forwarding List Dialog Box

To add a port forwarding list, click Add and configure the following fields. To edit an existing port forwarding list, select the list entry in the table area, then click Edit and configure the appropriate fields. To remove a port forwarding entry from this list, click Delete. The field descriptions follow:

List Name—Specifies the name of this port forwarding list. If list entries already exist, the Add, Edit, and Delete buttons are active. The table below the list name contains the following columns:

Local TCP Port—Specifies the local TCP port for this list.

Remote Server—Specifies the name or IP address of the remote peer.

Remote TCP Port—Specifies the TCP port used on the remote peer.

Description—Provides a brief description of this list.


Note Port forwarding supports only those TCP applications that use static TCP ports. It does not support applications that use dynamic ports or multiple TCP ports. For example, SecureFTP, which uses port 22, works over WebVPN port forwarding, but standard FTP, which uses ports 20 and 21, does not.


Configuring Server and List Arguments Using the WebVPN Other Tab

The Add or Edit Group Policy window, WebVPN tab, Other tab (Figure 2-39), lets you configure servers and URL lists and the Web-type ACL ID.

Figure 2-39 Edit Internal Group Policy WebVPN Tab Other Tab

This tab lets you configure an assortment of server and management functions, as follows. To configure individual fields, clear the Inherit check box for that field.

Servers and URL Lists specifies whether to inherit the list of Servers and URLs, to select an existing list, or to create a new list. Select the name of a list from the drop-down menu or click New, which opens the Add Server and URL List dialog box (Figure 2-40), in which you can add a new server or URL to the list. The URL display name that you add in this dialog box appears in the list for the Servers and URL Lists argument in the Add or Edit Internal Group Policy WebVPN tab Other tab window. To change the order of entries in the URL list, click Move Up or Move Down. There is no default URL list.

Figure 2-40 Add Server and URL List Dialog Box

You configure ACLs to permit or deny various types of traffic for this group policy. You then apply those ACLs for WebVPN traffic. Web-Type ACL ID specifies the name of the access list to apply for WebVPN connections for this group policy. If you clear the Inherit check box, select the identifier of an existing Web-Type ACL to use, or add or modify a web-type ACL. To remove the access list, and to prevent inheriting filter values, select None from the drop-down list.

Clicking Manage opens the Web Type ACL dialog box (Figure 2-9) in which you can manage web-type ACLs.

Clicking Add ACL, Add ACE, or Edit ACE opens a dialog box in which you can perform these functions. See Configuring the ACL Filter for an explanation of the fields and buttons on these dialog boxes.

After you add a Web Type ACL, you can configure that ACL by clicking Add ACE. This opens the Add ACE dialog box, in which you configure the action (permit/deny), filter (URL or IP address, subnet mask, and port), syslog options, and time range name, just as you would for other ACLs/ACEs.


Note To use ACL filtering with WebVPN, you must define the WebVPN-Type ACL here. WebVPN does not use ACLs defined in the ACL Manager.


The SSO Server attribute specifies whether to inherit the single-sign-on server setting, to select an existing SSO server from the list, or to add a new SSO server.Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The default policy assigned to the SSO server is DfltGrpPolicy. To remove the assignment and prevent inheriting the default policy, select None from the drop-down list.


Note This attribute requires that your configuration include CA SiteMinder.


Click New to open the Add SSO Server dialog box (Figure 2-41) in which you can add a new server to the list.

Figure 2-41 Add SSO Server

Configure the fields in this dialog box as follows:

Specify the name of the server in the Server Name field. This name appears in the drop-down menu for the SSO Server attribute in the Add or Edit Internal Group Policy WebVPN tab Other tab. If you are editing, instead of adding, a server, this field is display only; it displays the name of the selected SSO server.

The Authentication Type field is display only. It displays the type of SSO server. The type currently supported by the security appliance is SiteMinder.

In the URL field, select the protocol (http or https) from the drop-down menu, then enter the SSO server URL to which the security appliance makes SSO authentication requests.

Enter a Secret Key to use to encrypt authentication requests to the SSO server. Key characters can be any regular or shifted alphanumeric characters. There is no minimum or maximum number of characters. The secret key is similar to a password: you create it, save it, and configure it. It is configured on both the security appliance and the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme.

In the Maximum Retries field, enter the number of times the security appliance retries a failed SSO authentication attempt before the authentication times-out. The range is from 1 to 5 retries inclusive, and the default is 3 retries.

In the Request Timeout field, enter the number of seconds before a failed SSO authentication attempt times out. The range is from1 to 30 seconds inclusive, and the default is 5 seconds.

HTTP Compression specifies whether to inherit the HTTP Compression setting from the default group, or explicitly to enable or disable HTTP compression. To enable or disable compression of HTTP data over an SVC connection for a specific group policy, clear the Inherit check box and select Enable or Disable, as appropriate. By default, SVC compression is enabled.

Network devices exchange short keepalive messages to ensure that the virtual circuit between them is still active. The length of these messages can vary. The Keepalive Ignore attribute lets you tell the security appliance to consider all messages that are less than or equal to the specified size as keepalive messages and not as traffic when updating the session timer. The range is 0 through 900 KB. The default is 4 KB.

The Deny Message attribute configures a message to be delivered to remote users who log in to WebVPN successfully, but have no VPN privileges, as follows:

Check the Inherit check box to inherit from the default group the message to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges.

Clear the Inherit check box and erase any text in the field, to not send a message to remote users who log into WebVPN successfully, but have no VPN privileges.

Clear the Inherit check box and create or modify the message in the field, to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges. The message can be up to 491 alphanumeric characters long, including special characters, spaces, and punctuation, but not counting the enclosing quotation marks. Carriage return/line feeds count as two characters. The text appears on the remote user's browser upon login. The default deny message is: "Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."

Configuring the SSL VPN Client Tab Attributes

The SSL VPN Client (SVC) is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance.

To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation.

After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates.

The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly-encountered remote computer operating system. For complete information about installing and using SVC, see Cisco Security Appliance Command Line Configuration Guide, Chapter 31, "Configuring SSL VPN Client."

After enabling SVC, as described in that configuration guide chapter, you can enable or require SVC features for a specific group. This feature is disabled by default. If you enable or require SVC, you can then enable a succession of svc commands, described in this section.

The Edit Internal Group Policy window WebVPN tab SSL VPN tab (Figure 2-42) lets you configure connection settings for the SSL VPN Client. Each attribute can inherit its value from the default group policy, or, if you clear the Inherit check box, you can explicitly configure individual attributes.

Figure 2-42 Edit Internal Group Policy WebVPN Tab SSL VPN Client Tab

Configure the SSL VPN Client attributes as follows:

Specify when to use the SSL VPN client by clearing the Use SSL VPN Client Inherit check box and selecting Always, Optional, or Never, as appropriate.

Keep Installer on Client System enables permanent SVC installation and disables the automatic uninstalling feature of the SVC. If you select Yes, the security appliance downloads SVC files to remote computers, and the SVC remains installed on the remote computer for subsequent SVC connections, reducing the SVC connection time for the remote user. If you select No, the security appliance does not download SVC files. By default, this attribute is disabled.

Compression enables or disables compression on the SVC connection. SVC compression increases the communications performance between the security appliance and the SVC by reducing the size of the packets being transferred.

The Keepalive Messages attribute adjusts the frequency of keepalive messages, in the range of 15 to 600 seconds, to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Clicking Enable activates the Interval field. You can adjust the interval (frequency) of keepalive messages to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.

The attributes in the Key Renegotiation Settings area define the renegotiation interval and method. When the security appliance and the SVC perform a rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection.

Renegotiation Interval specifies the number of minutes from the start of the session until the rekey takes place, either Unlimited or an interval from 1 through 10080 (1 week).

Renegotiation Method specifies whether the SVC establishes a new tunnel during SVC rekey. Selecting None disables SVC rekey. Selecting SSL means that SSL renegotiation takes place during SVC rekey. Selecting New tunnel specifies that SVC creates a new VPN tunnel during SVC rekey.

The attributes in the Dead Peer Detection (DPD) area ensure that the security appliance (gateway) or the SVC can quickly detect a condition where the peer is not responding, and the connection has failed. The attribute you select in this area determines which side of the connection performs DPD. For either of the following attributes, clearing the Inherit check box and the Enable check box and leaving the Interval field blank disables the attribute.

Gateway Side Detection enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds (1 hour), with which the security appliance performs DPD. If you check disable, DPD performed by the security appliance is disabled.

Client Side Detection enables DPD performed by the SVC (client), and specifies the frequency, from 30 to 3600 seconds (1 hour), with which the SVC performs DPD.

Configuring the Auto Signon Tab Attributes

The Auto Signon WebVPN tab (Figure 2-43) lets you configure or edit auto signon for WebVPN users.

Figure 2-43 WebVPN Auto Signon Tab

Auto signon is a simplified single signon method that you can use if you do not already have an SSO method deployed on your internal network. you already have SSO deployed using Computer Associates' SiteMinder SSO server.

You can also have SSO deployed using Computer Associates' SiteMinder SSO server and configure the security appliance to support this solution. You can use SSO with HTTP Forms protocol and configure the security appliance to support this method. With auto signon configured for particular internal servers, the security appliance passes the login credentials that the WebVPN user used to login to the security appliance (username and password) to those particular internal servers. You configure the security appliance to respond to a specific authentication method for a particular range of servers. The authentication methods you can configure the security appliance to respond to are NTLM authentication, HTTP Basic authentication, or both methods.

This section describes the procedure for setting up SSO with auto signon. Except for the Inherit check box, the fields on the Auto Signon tab are identical with those on the Add or Edit Auto Signon Entry dialog box (Figure 2-44).

Figure 2-44 Add Auto Signon Entry Dialog Box

Use the following descriptions when configuring or modifying the fields of an Auto Signon entry:

Inherit—(Auto Signon tab only) Clear the check box to allow WebVPN login credentials to be used to login to specific internal servers.

IP Address—In conjunction with the following Mask, displays the IP address range of the servers to be authenticated to as configured with the Add/Edit Auto Signon dialog box. You can specify a server using either the server URI or the server IP address and mask.

Mask—In conjunction with the preceding IP Address, displays the IP address range of the servers configured to support auto signon with the Add/Edit Auto Signon dialog box.

URI—Displays a URI mask that identifies the servers configured with the Add/Edit Auto Signon dialog box.

Authentication Type— Displays the type of authentication—basic HTTP, NTLM, or basic and NTLM—as configured with the Add/Edit Auto Signon dialog box.

Add/Edit—(Auto Signon tab only) Click to add or edit an auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method.

Delete—(Auto Signon tab only) Click to delete an auto signon instruction selected in the Auto Signon table.

You have now completed the configuration of an internal group policy.