Downloads |
Table Of Contents
Finding Feature Information in This Module
Netegrity Cookie-Based Single SignOn Support
TCP Port Forwarding and Thin Client
How to Configure SSL VPN Services on a Router
Configuring an SSL VPN Gateway
Configuring a Generic SSL VPN Gateway
Configuring an SSL VPN Context
Configuring an SSL VPN Policy Group
Configuring Local AAA Authentication for SSL VPN User Sessions
Configuring AAA for SSL VPN Users Using a Secure Access Control Server
Configuring RADIUS Accounting for SSL VPN User Sessions
Monitoring and Maintaining RADIUS Accounting for an SSL VPN Session
Configuring RADIUS Attribute Support for SSL VPN
Configuring a URL List for Clientless Remote Access
Configuring Microsoft File Shares for Clientless Remote Access
Common Internet File System Support
NetBIOS Name Service Resolution
Configuring Citrix Application Support for Clientless Remote Access
Configuring Application Port Forwarding
Administrative Privileges on the Remote Client
Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files
Remote Client Software Installation Requirements
Configuring Cisco Secure Desktop Support
Configuring Cisco AnyConnect VPN Client Full Tunnel Support
Remote Client Software from the SSL VPN Gateway
A Manual Entry to the IP Forwarding Table
Configuring Advanced SSL VPN Tunnel Features
Microsoft Internet Explorer Proxy Configuration
Configuring VRF Virtualization
Associating an ACL Attribute with a Policy Group
Monitoring and Maintaining ACLs
Configuring SSO Netegrity Cookie Support for a Virtual Context
Associating an SSO Server with a Policy Group
Configuring URL Obfuscation (Masking)
Adding a CIFS Server URL List to an SSL VPN Context
and Attaching It to a Policy GroupConfiguring User-Level Bookmarks
Verifying SSL VPN Configurations
Configuration Examples for SSL VPN
Configuring a Generic SSL VPN Gateway: Example
Configuring HTTP Proxy: Example
RADIUS Accounting for SSL VPN Sessions: Example
URL Obfuscation (Masking): Example
Adding a CIFS Server URL List and Attaching It to a Policy List: Example
Typical SSL VPN Configuration: Example
debug Command Output: Examples
webvpn enable (Privileged EXEC)
Feature Information for SSL VPN
SSL VPN
First Published: February 27, 2006Last Updated: January 23, 2009The SSL VPN feature (also known as WebVPN) provides support, in Cisco IOS software, for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer- (SSL-) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support. SSL VPN delivers three modes of SSL VPN access: clientless, thin-client, and full-tunnel client support.
This document is primarily for system administrators. If you are a remote user, see the document SSL VPN Remote User Guide.
Note
The Cisco AnyConnect VPN Client is introduced in Cisco IOS Release 12.4(15)T. This feature is the next-generation SSL VPN Client. If you are using Cisco software before Cisco IOS Release 12.4(15)T, you should be using SSL VPN Client and see GUI for the SSL VPN Client when you are web browsing. However, if you are using Cisco software Release 12.4(15)T or later, you should be using Cisco AnyConnect VPN Client and see GUI for Cisco AnyConnect VPN Client when you are web browsing.
For "What's New" information about SSL VPN features by release, see the section "Finding Feature Information in This Module," which follows.
Finding Feature Information in This Module
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSL VPN" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
Prerequisites for SSL VPN
•
–
–
–
Note
•
•
•
–
Note
•
•
•
•
•
•
•
ACL Support
•
Single SignOn (SSO) Netegrity Cookie Support
•
Restrictions for SSL VPN
•
Cisco AnyConnect VPN Client
CiscoAnyConnect VPN Client does not support the following:
•
•
•
•
•
•
•
•
•
Thin Client Control List Support
•
HTTP Proxy
•
•
Information About SSL VPN
To configure SSL VPN, you should understand the following concepts:
•
SSL VPN Overview
Cisco IOS SSL VPN provides SSL VPN remote-access connectivity from almost any Internet-enabled location using only a web browser that natively supports SSL encryption. This feature allows your company to extend access to its secure enterprise network to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
Cisco IOS SSL VPN can also support access from noncorporate-owned machines, including home computers, Internet kiosks, and wireless hot spots. These locations are difficult places to deploy and manage VPN client software and remote configuration required to support IPsec VPN connections.
Figure 1 shows how a mobile worker (the lawyer at the courthouse) can access protected resources from the main office and branch offices. Site-to-site IPsec connectivity between the main and remote sites is unaltered. The mobile worker needs only Internet access and supported software (web browser and operating system) to securely access the corporate network.
Figure 1 Secure SSL VPN Access Model
SSL VPN delivers the following three modes of SSL VPN access:
•
•
•
SSL VPN application accessibility is somewhat constrained relative to IPsec VPNs; however, SSL-based VPNs provide access to a growing set of common software applications, including web page access, web-enabled services such as file access, e-mail, and TCP-based applications (by way of a downloadable thin-client applet). SSL-based VPN requires slight changes to user workflow because some applications are presented through a web browser interface, not through their native GUI. The advantage for SSL VPN comes from accessibility from almost any Internet-connected system without needing to install additional desktop software.
Modes of Remote Access
This section includes the following:
Remote Access Overview
End-user login and authentication is performed by the web browser to the secure gateway using an HTTP request. This process creates a session that is referenced by a cookie. After authentication, the remote user is shown a portal page that allows access to the SSL VPN networks. All requests sent by the browser include the authentication cookie. The portal page provides all the resources available on the internal networks. For example, the portal page could provide a link to allow the remote user to download and install a thin-client Java applet (for TCP port forwarding) or a tunneling client.
Figure 2 shows an overview of the remote access modes.
Figure 2 Modes of Remote Access Overview
Table 1 summarizes the level of SSL VPN support that is provided by each access mode.
Table 1 Access Mode Summary
Clientless Mode
In clientless mode, the remote user accesses the internal or corporate network using the web browser on the client machine. The PC of the remote user must run the Windows 2000, Windows XP, or Linux operating systems.
The following applications are supported in clientless mode:
•
•
–
–
–
–
–
–
–
–
–
–
–
Note
•
Thin-Client Mode
Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the portal page, or the Java applet is downloaded automatically (see "Options for Configuring HTTP Proxy and the Portal Page" and "Options for Configuring HTTP Proxy and the Portal Page"). The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway.
The applications that are supported in thin-client mode are mainly e-mail-based (SMTP, POP3, and Internet Map Access Protocol version 4 [IMAP4] applications.
Note
The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The name and port number of the internal e-mail server is included in the HTTP request (POST or CONNECT). The SSL VPN gateway creates a TCP connection to that internal e-mail server and port.
The Java applet starts a new SSL connection for every client connection.
You should observe the following restrictions when using thin-client mode:
•
•
Note
Options for Configuring HTTP Proxy and the Portal Page
Effective with Cisco IOS Release 12.4(11)T, administrators have more options for configuring the HTTP proxy and the portal page. If HTTP proxy is enabled, the Java applet acts as the proxy for the browser of the user, thereby connecting the client workstation with the gateway. The home page of the user (as defined by the user group) is opened automatically or, if configured by the administrator, the user is directed to a new website.
HTTP proxy supports both HTTP and HTTPS.
Benefits of Configuring HTTP Proxy
HTTP supports all client-side web technologies (including HTML, Cascading Style Sheets [CSS], JavaScript, VBScript, ActiveX, Java, and flash), HTTP Digest authentication, and client certificate authentication. Remote users can use their own bookmarks, and there is no limit on cookies. Because there is no mangling involved and the client can cache the objects, performance is much improved over previous options for configuring the HTTP proxy and portal page.
Illustrations of Port Forwarding with and Without an HTTP Proxy Configuration
Figure 3 illustrates TCP port forwarding without HTTP proxy configured.
Figure 3 TCP Port Forwarding Without HTTP Proxy Configured
In Figure 3, the following steps must occur:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Figure 4 illustrates TCP port forwarding when HTTP proxy is configured.
Figure 4 HTTP Proxy
In Figure 4, the following steps occur:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Note
Tunnel Mode
In a typical clientless remote access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer. Therefore, tunnel mode supports most IP-based applications. Tunnel mode supports many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet).
The tunnel connection is determined by the group policy configuration. The Cisco AnyConnect VPN Client is downloaded and installed on the remote user PC, and the tunnel connection is established when the remote user logs into the SSL VPN gateway.
By default, the Cisco AnyConnect VPN Client is removed from the client PC after the connection is closed. However, you have the option to keep the Cisco AnyConnect VPN Client installed on the client PC.
SSL VPN Features
SSL VPN includes the following features:
•
•
Application ACL Support
Effective with Cisco IOS Release 12.4(11)T, this feature provides administrators with the flexibility to fine-tune access control on the application layer level, for example, on the basis of a URL.
For information about configuring this feature, see the sections "Configuring ACL Rules" and "Associating an ACL Attribute with a Policy Group."
Automatic Applet Download
Effective with Cisco IOS Release 12.4(9)T, administrators have the option of automatically downloading the port-forwarding Java applet. This feature must be configured on a group policy basis.
Note
To configure the automatic download, see the section "Configuring an SSL VPN Policy Group."
Front-Door VRF Support
Effective with Cisco IOS Release 12.4(15)T, front-door virtual routing and forwarding (FVRF) support, coupled with the already supported internal virtual routing and forwarding (IVRF), provides for increased security. The feature allows the SSL VPN gateway to be fully integrated into a Multiprotocol Label Switching (MPLS) or non-MPLS network (wherever the VRFs are deployed). The virtual gateway can be placed into a VRF that is separate from the Internet to avoid internal MPLS and IP network exposure. This placement reduces the vulnerability of the router by separating the Internet routes or the global routing table. Clients can now reach the gateway by way of the FVRF, which can be separate from the global VRF. The backend, or IVRF, functionality remains the same.
This FVRF feature provides for overlapping IP addresses.
Figure 5 is a scenario in which FVRF has been applied.
Figure 5 Scenario in Which FVRF Has Been Applied
To configure FVRF, see "Configuring FVRF" section.
GUI Enhancements
In Cisco IOS Release 12.4(15)T, ergonomic improvements were made to the GUI user interface of the Cisco IOS SSL VPN gateway. The improved customization of the user interface provides for greater flexibility and the ability to tailor portal pages for individualized looks. Enhancements were made to the following web screens:
•
•
Login Screen
Figure 6 is an example of a typical login screen.
Figure 6 Typical Login Screen
Banner
The banner is a small pop-up box (see Figure 7) that appears after the user is logged in and before the portal page appears.
The message in the pop-up box is configured using the banner command.
Figure 7 Banner
Customizing a Login Page
Login screens can be customized by an administrator. Figure 8 shows the fields that can be customized.
For information about setting various elements of the login page, see the document Cisco IOS Security Command Reference, Release 12.4T, for the logo, title, title-color, login-message, text-color, secondary-color, login-photo, and color commands.
Figure 8 Login Page with Callouts of the Fields That Can Be Customized
Portal Page
The portal page (Figure 9) is the main page for the SSL VPN functionality. You can customize this page to contain the following:
•
•
•
•
•
Note
•
•
Note
•
Items that you have not configured are not displayed on the portal page.
Note
Figure 9 is an example of a typical portal page.
Figure 9 Typical Portal Page
Customizing a Portal Page
Portal pages can be customized by an administrator. Figure 10 shows various fields, including the fields that can be customized by an administrator. The fields that can be customized by an administrator are as follows:
•
•
•
•
•
Figure 10 Portal Page with Callouts of Various Fields, Including Those That Can Be Customized
Table 2 provides information about various fields on the portal page. For information about setting elements such as color or titles, see command information in the Cisco IOS Security Command Reference, Release 12.4T, for the logo, title, title-color, functions, port-forward, color, secondary-text-color, url-list, secondary-color, and hide-url-bar commands.
Netegrity Cookie-Based Single SignOn Support
The Netegrity SiteMinder product provides a Single SignOn (SSO) feature that allows a user to log on a single time for various web applications. The benefit of this feature is that users are prompted to log on only once. This feature is accomplished by setting a cookie in the browser of a user when the user initially logs on.
Effective with Cisco IOS Release 12.4(11)T, Netegrity cookie-based SSO is integrated with SSL VPN. It allows administrators to configure an SSO server that sets a SiteMinder cookie in the browser of a user when the user initially logs on. This cookie is validated by a SiteMinder agent on subsequent user requests to resources that are protected by a SiteMinder realm. The agent decrypts the cookie and verifies whether the user has already been authenticated.
For information about configuring SSO Netegrity Cookie Support and associating it with a policy group using the CLI, see the sections "Configuring SSO Netegrity Cookie Support for a Virtual Context" and "Associating an SSO Server with a Policy Group," respectively.
An SSO server can also be associated with a policy group using RADIUS attributes, as in the following example:
webvpn:sso-server-name=server1For a list of RADIUS attribute-value (AV) pairs that support SSL VPN, see the section "Configuring RADIUS Attribute Support for SSL VPN."
NTLM Authentication
NT LAN Manager (NTLM) is supported for SSL VPN effective with Cisco IOS Release 12.4(9)T. The feature is configured by default.
RADIUS Accounting
Effective with Cisco IOS Release 12.4(9)T, this feature provides for RADIUS accounting of SSL VPN user sessions.
For information about configuring SSL VPN RADIUS accounting for SSL VPN user sessions, see the section "Configuring RADIUS Accounting for SSL VPN User Sessions."
For more information about configuring RADIUS accounting, see the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.4 at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part10/ch05/
index.htmFor a list of RADIUS AV pairs that support SSL VPN, see the section "Configuring RADIUS Attribute Support for SSL VPN."
TCP Port Forwarding and Thin Client
Note
Note
When the remote user clicks the Start button of the Thin Client Application (under "Application Access), a new window is displayed. This window initiates the downloading of a port-forwarding applet. Another window is then displayed. This window asks the remote user to verify the certificate with which this applet is signed. When the remote user accepts the certificate, the applet starts running, and port-forwarding entries are displayed (see Figure 11). The number of active connections and bytes that are sent and received is also listed on this window.
Note
You should have configured IP addresses, Domain Name System (DNS) names, and port numbers for the e-mail servers. The remote user can then launch the e-mail client, which is configured to contact the above e-mail servers and send and receive e-mails. POP3, IMAP, and SMTP protocols are supported.
The window attempts to close automatically if the remote user is logged out using JavaScript. If the session terminated and a new port forwarding connection is established, the applet displays an error message.
Figure 11 TCP Port Forwarding Page
Caution
Table 3 lists remote system requirements for Thin Client.
Table 3 SSL VPN Remote System Thin Client Requirements
Client applications installed.
—
Cookies enabled on browser.
—
Administrator priviliges.
You must be the local administrator on your PC.
Sun Microsystems JRE version 1.4 or later installed.
SSL VPN automatically checks for JRE whenever the remote user starts Thin Client. If it is necessary to install JRE, a pop-up window displays directing remote users to a site where it is available.
Client applications configured, if necessary.
Note
To configure the client application, use the locally mapped IP address and port number of the server. To find this information, do the following:
•
•
•
Windows XP SP2 patch.
If you are running Windows XP SP2, you must install a patch from Microsoft that is available at the following address:
http://support.microsoft.com/?kbid=884020
This problem is a known Microsoft issue.
URL Obfuscation
The URL Obfuscation feature provides administrators with the ability to obfuscate, or mask, sensitive portions of an enterprise URL, such as IP addresses, hostnames, or part numbers. For example, if URL masking is configured for a user, the URL in the address bar could have the port and hostname portion garbled, as in this example:
https://slvpn-gateway.examplecompany.com/http/cF9HxnBjRmSFEzBWpDtfXfigzL559MQo51Qj/cgi-bin/submit.p
For information about configuring this feature, see the section "Associating an SSO Server with a Policy Group."
User-Level Bookmarking
Effective with Cisco IOS Release 12.4(15)T, users can bookmark URLs while connected through an SSL VPN tunnel. Users can access the bookmarked URLs by clicking the URLs.
User-level bookmarking is turned by default. There is no way to turn it off. To set the storage location, administrators can use the user-profile location command. If the user-profile location command is not configured, the location flash:/webvpn/{context name}/ is used.
Other SSL VPN Features
Table 4 lists the requirements for various SSL VPN features.
Table 4 SSL VPN Remote User System Requirements
Web Browsing
Usernames and passwords for protected websites
Users should log out on SSL VPN sessions when they are finished.
The look and feel of web browsing with SSL VPN might be different from what users are accustomed to. For example, when they are using SSL VPN, the following should be noted:
•
•
–
–
–
Also, depending on how a particular account was configured, the following might have occurred:
•
•
Network Browsing and File Management
File permissions configured for shared remote access
Only shared folders and files are accessible through SSL VPN.
Server name and passwords are necessary for protected file servers
Domain, workgroup, and server names where folders and files reside
A user might not be familiar with how to locate his or her files through the network of an organization.
Note
Using e-mail:
Thin ClientSame requirements as for Thin Client (see the "TCP Port Forwarding and Thin Client" section on page 17)
To use e-mail, users must start Thin Client from the SSL VPN home page. The e-mail client is then available for use.
Note
Other Mail Clients
Microsoft Outlook Express versions 5.5 and 6.0 have been tested.
SSL VPN should support other SMTPS, POP3S, or IMAP4S e-mail programs, such as Netscape Mail, Lotus Notes, and Eudora, but they have not been verified.
Using e-mail:
Web AccessWeb-based e-mail product installed
Supported products are as follows:
•
Netscape, Mozilla, and Internet Explorer are supported with OWA 5.5 and 2000.
Internet Explorer 6.0 or later version is required with OWA 2003. Netscape and Mozilla are supported with OWA 2003.
•
Operating system support:
Note
•
•
•
SSL VPN-supported browser:
The following browsers have been verified for SSL VPN. Other browsers might not fully support SSL VPN features.
Note
•
•
•
Other web-based e-mail products should also work, but they have not been verified.
Using the Cisco Tunnel Connection
To retrieve Tunnel Connection log messages using the Windows Event Viewer, go to Program Files > Administrative Tools > Event Viewer in Windows.
Using Secure Desktop Manager
A Secure Desktop Manager-supported browser
On Microsoft Windows:
•
•
On Linux:
•
Using Cache Cleaner or Secure Desktop
A Cisco Secure Desktop-supported browser
Any browser supported for Secure Desktop Manager.
Platform Support
For information about platform support for the SSL VPN feature, see the data sheet Cisco IOS SSL VPN ("Feature Availability" section).
Licensing
Cisco IOS SSL VPN is a licensed feature available on Cisco routers running the Cisco IOS Advanced Security feature set. Each security bundle entitles you to a certain number of free users. Beyond that, you need to purchase additional feature licenses. For more information about licensing, see the bulletin Cisco IOS SSL VPN Licensing Information.
How to Configure SSL VPN Services on a Router
This section contains the following tasks:
Configuring and Enabling SSL VPN Services
•
•
•
•
Configuring AAA-Related Features for SSL VPN
•
•
•
•
•
Customizing and Enabling SSL VPN Features
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Monitoring and Maintaining SSL VPN Features
•
•
•
Configuring an SSL VPN Gateway
The SSL VPN gateway acts as a proxy for connections to protected resources. Protected resources are accessed through an SSL-encrypted connection between the gateway and a web-enabled browser on a remote device, such as a personal computer. Entering the webvpn gateway command places the router in SSL VPN gateway configuration mode. The following are accomplished in this task:
•
•
•
•
•
•
SSL VPN Encryption
The SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a web browser and its native SSL encryption. The ssl encryption command is configured to restrict the encryption algorithms that SSL uses in Cisco IOS software.
Note
SSL VPN Trustpoints
The configuration of the ssl trustpoint command is required only if you need to configure a specific CA certificate. A self-signed certificate is automatically generated when an SSL VPN gateway is put in service.
SUMMARY STEPS
Required Steps
1.
2.
3.
Optional Steps
4.
5.
6.
7.
8.
9.
DETAILED STEPS
What to Do Next
SSL VPN context and policy group configurations must be configured before an SSL VPN gateway can be operationally deployed. Proceed to the section "Configuring an SSL VPN Context" to see information on SSL VPN context configuration.
Configuring a Generic SSL VPN Gateway
To configure a generic SSL VPN gateway, perform the following steps in privileged EXEC mode.
Note
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuring an SSL VPN Context
The SSL VPN context defines the virtual configuration of the SSL VPN. Entering the webvpn context command places the router in SSL VPN configuration mode. The following are accomplished in this task:
•
•
•
•
•
•
Context Defaults
The ssl authenticate verify all command is enabled by default when a context configuration is created. The context cannot be removed from the router configuration while an SSL VPN gateway is in an enabled state (in service).
Configuring a Virtual Host
A virtual hostname is specified when multiple virtual hosts are mapped to the same IP address on the SSL VPN gateway (similar to the operation of a canonical domain name). The virtual hostname differentiates host requests on the gateway. The host header in the HTTP message is modified to direct traffic to the virtual host. The virtual hostname is configured with the gateway command in webvpn context configuration mode.
Prerequisites
The SSL VPN gateway configuration has been completed.
SUMMARY STEPS
Required Steps
1.
2.
3.
Optional Steps
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
DETAILED STEPS
What to Do Next
an SSL VPN policy group configuration must be defined before an SSL VPN gateway can be operationally deployed. Proceed to the next section to see information on SSL VPN policy group configuration.
Configuring an SSL VPN Policy Group
The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in webvpn group policy configuration mode. After it is configured, the group policy is attached to the SSL VPN context configuration by configuring the default-group-policy command. The following tasks are accomplished in this configuration:
•
•
•
•
•
Outlook Web Access 2003
OWA 2003 is supported by the SSL VPN gateway upon competition of this task. The Outlook Exchange Server must be reachable by the SSL VPN gateway via TCP/IP.
URL-List Configuration
A URL list can be configured under the SSL VPN context configuration and then separately for each individual policy group configuration. Individual URL list configurations must have unique names.
SUMMARY STEPS
Required Steps
1.
2.
3.
4.
Optional Steps
5.
6.
7.
8.
9.
10.
DETAILED STEPS
What to Do Next
At the completion of this task, the SSL VPN gateway and context configurations are operational and enabled (in service), and the policy group has been defined. The SSL VPN gateway is operational for clientless remote access (HTTPS only). Proceed to the next section to see information about configuring AAA for remote-user connections.
Configuring Local AAA Authentication for SSL VPN User Sessions
The steps in this task show how to configure a local AAA database for remote-user authentication. AAA is configured in global configuration mode. In this task, the aaa authentication command is not configured under the SSL VPN context configuration. Omitting this command from the SSL VPN context configuration causes the SSL VPN gateway to use global authentication parameters by default.
Prerequisites
SSL VPN gateway and context configurations are enabled and operational.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
What to Do Next
The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, as shown in this task, or the database can be accessed through any RADIUS or TACACS+ AAA server.
It is recommended that you use a separate AAA server, such as a Cisco ACS. A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions. Proceed to the next section to see more information.
Configuring AAA for SSL VPN Users Using a Secure Access Control Server
The steps in this task show how to configure AAA using a separate RADIUS or TACACS+ server. AAA is configured in global configuration mode. The authentication list/method is referenced in the SSL VPN context configuration with the aaa authentication command. The steps in this task configure AAA using a RADIUS server.
Prerequisites
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
What to Do Next
Proceed to the section "Configuring RADIUS Attribute Support for SSL VPN" to see RADIUS attribute-value pair information introduced to support this feature.
Configuring RADIUS Accounting for SSL VPN User Sessions
To configure RADIUS accounting for SSL VPN user sessions, perform the following steps.
Prerequisites
•
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Monitoring and Maintaining RADIUS Accounting for an SSL VPN Session
To monitor and maintain your RADIUS accounting configuration, perform the following steps (the debug commands can be used together or individually).
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Configuring RADIUS Attribute Support for SSL VPN
This section lists RADIUS attribute-value (AV) pair information introduced to support SSL VPN. For information on using RADIUS AV pairs with Cisco IOS software, see the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.4 at the following URL:
Table 5 shows information about SSL VPN RADIUS attribute-value pairs.
Note
webvpn:urllist-name=cisco
webvpn:nbnslist-name=cifs
webvpn:default-domain=cisco.com
Table 5 SSL VPN RADIUS Attribute-Value Pairs
addr (Framed-IP-Address1 )
ipaddr
IP_address
addr-pool
string
name
auto-applet-download
integer
0 (disable)
1 (enable)20
banner
string
citrix-enabled
integer
0 (disable)
1 (enable)30
default-domain
string
dns-servers
ipaddr
IP_address
dpd-client-timeout
integer (seconds)
0 (disabled)-3600
300
dpd-gateway-timeout
integer (seconds)
0 (disabled)-3600
300
file-access
integer
0 (disable)
1 (enable)30
file-browse
integer
0 (disable)
1 (enable)30
file-entry
integer
0 (disable)
1 (enable)30
hide-urlbar
integer
0 (disable)
1 (enable)30
home-page
string
idletime (Idle-Timeout1)
integer (seconds)
0-3600
2100
ie-proxy-exception
string
DNS_name
ipaddr
IP_address
ie-proxy-server
ipaddr
IP_address
inacl
integer
1-199,
1300-2699string
name
keep-svc-installed
integer
0 (disable)
1 (enable)31
nbnslist-name
string
name
netmask (Framed-IP-Netmask1)
ipaddr
IP_address_mask
port-forward-auto
integer
0 (disable)
1 (enable)If this AV pair is not configured, the default is whatever was configured for the group policy.
If this AV pair is configured with an integer of 1, the 1 will override a group policy value of 0.
port-forward-http-proxy
integer
0 (disable)
1 (enable)HTTP proxy is not enabled.
If this AV pair is configured with an integer of 1, the 1 will override a group policy value of 0.
port-forward-http-proxy-url
string
URL address (for example, http://example.com)
port-forward-name
string
name
primary-dns
ipaddr
IP_address
rekey-interval
integer (seconds)
0-43200
21600
secondary-dns
ipaddr
IP_address
split-dns
string
split-exclude4
ipaddr ipaddr
IP_address IP_address_mask
word
local-lans
split-include4
ipaddr ipaddr
IP_address IP_address_mask
sso-server-name
string
name
svc-enabled5
integer
0 (disable)
1 (enable)30
svc-ie-proxy-policy
word
none, auto, bypass-local
svc-required5
integer
0 (disable)
1 (enable)30
timeout (Session-Timeout1)
integer (seconds)
1-1209600
43200
urllist-name
string
name
user-vpn-group
string
name
wins-server-primary
ipaddr
IP_address
wins-servers
ipaddr
IP_address
wins-server-secondary
ipaddr
IP_address
1 Standard IETF RADIUS attributes.
2 Any integer other than 0 enables this feature.
3 Any integer other than 0 enables this feature.
4 You can specify either split-include or split-exclude, but you cannot specify both options.
5 You can specify either svc-enable or svc-required, but you cannot specify both options.
What to Do Next
Proceed to the next section to see information about customizing the URL list configured in Step 10 of the section "Configuring an SSL VPN Policy Group."
Configuring a URL List for Clientless Remote Access
The steps in this configuration task show how to configure a URL list. The URL list, as the name implies, is a list of HTTP URLs that are displayed on the portal page after a successful login. The URL list is configured in webvpn context configuration and webvpn group policy configuration modes.
Prerequisites
SSL VPN gateway and context configurations are enabled and operational.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
What to Do Next
Proceed to the next section to see information about configuring clientless remote access to file shares.
Configuring Microsoft File Shares for Clientless Remote Access
In clientless remote access mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the HTTPS-enabled browser. When enabled, a list of file server and directory links are displayed on the portal page after login. The administrator can customize permissions on the SSL VPN gateway to provide limited read-only access for a single file or full-write access and network browsing capabilities. The following access capabilities can be configured:
•
•
•
•
•
•
•
•
•
Common Internet File System Support
CIFS is the protocol that provides access to Microsoft file shares and support for common operations that allow shared files to be accessed or modified.
NetBIOS Name Service Resolution
Windows Internet Name Service (WINS) uses NetBIOS name resolution to map and establish connections between Microsoft servers. A single server must be identified by its IP address in this configuration. Up to three servers can be added to the configuration. If multiple servers are added, one server should be configured as the master browser.
Samba Support
Microsoft file shares can be accessed through the browser on a Linux system that is configured to run Samba.
Prerequisites
•
•
Restrictions
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
NBNS Server List Example
The following example, starting in global configuration mode, configures a server list for NBNS resolution:
Router(config)# webvpn context context1Router(config-webvpn-context)# nbns-list SERVER_LISTRouter(config-webvpn-nbnslist)# nbns-server 172.16.1.1 master
Router(config-webvpn-nbnslist)# nbns-server 172.16.2.2 timeout 10 retries 5
Router(config-webvpn-nbnslist)# nbns-server 172.16.3.3 timeout 10 retries 5Router(config-webvpn-nbnslist)# exitFile Share Permissions Example
The following example attaches the server list to and enables full file and network access permissions for policy group ONE:
Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# nbns-list SERVER_LISTRouter(config-webvpn-group)# functions file-access
Router(config-webvpn-group)# functions file-browse
Router(config-webvpn-group)# functions file-entryRouter(config-webvpn-group)# endWhat to Do Next
Proceed to the next section to see information about configuring clientless remote access for Citrix- enabled applications.
Configuring Citrix Application Support for Clientless Remote Access
Clientless Citrix support allows the remote user to run Citrix-enabled applications through the SSL VPN as if the application were locally installed (similar to traditional thin-client computing). Citrix applications run on a MetaFrame XP server (or server farm). The SSL VPN gateway provides access to the remote user. The applications run in real time over the SSL VPN. This task shows how to enable Citrix support for policy group remote users.
ICA Client
The Independent Computing Architecture (ICA) client carries keystrokes and mouse clicks from the remote user to the MetaFrame XP server. ICA traffic is carried over TCP port number 1494. This port is opened when a Citrix application is accessed. If multiple application are accessed, the traffic is carried over a single TCP session.
Prerequisites
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Examples
The following example, starting in global configuration mode, enables Citrix application support for remote users with a source IP address in the 192.168.1.0/24 network:
Router(config)# access-list 100 permit ip 192.168.1.0 0.255.255.255 anyRouter(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# citrix enabledRouter(config-webvpn-group)# filter citrix 100What to Do Next
Support for standard applications that use well-known port numbers, such as e-mail and Telnet, can be configured using the port forwarding feature. Proceed to the next section to see more information.
Configuring Application Port Forwarding
Application port forwarding is configured for thin client mode SSL VPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP and UDP-based applications that use well-known port numbers, such as POP3, SMTP, IMAP, Telnet, and SSH.
When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. The application port mapping is restored to default when the user terminates the SSL VPN session.
Administrative Privileges on the Remote Client
When enabling port forwarding, the SSL VPN gateway will modify the hosts file on the PC of the remote user. Some software configurations and software security applications will detect this modification and prompt the remote user to select "Yes" to permit. To permit the modification, the remote user must have local administrative privileges.
Note
Prerequisites
SSL VPN gateway and SSL VPN context configurations are enabled and operational.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example, starting in global configuration mode, configures port forwarding for well-known e-mail application port numbers:
Router(config)# webvpn context context1Router(config-webvpn-context)# port-forward EMAILRouter(config-webvpn-port-fwd)# local-port 30016 remote-server mail1.company.com remote-port 110 description POP3Router(config-webvpn-port-fwd)# local-port 30017 remote-server mail2.company.com remote-port 25 description SMTPRouter(config-webvpn-port-fwd)# local-port 30018 remote-server mail3.company.com remote-port 143 description IMAPRouter(config-webvpn-port-fwd)# exitRouter(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# port-forward EMAILRouter(config-webvpn-group)# endConfiguring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files
The SSL VPN gateway is preconfigured to distribute Cisco Secure Desktop (CSD) and/or Cisco AnyConnect VPN Client software package files to remote users. The files are distributed only when CSD or Cisco AnyConnect VPN Client support is needed. The administrator performs the following tasks to prepare the gateway:
•
•
•
Remote Client Software Installation Requirements
The remote user must have administrative privileges, and the JRE for Windows version 1.4 or later must be installed before the CSD client package can be installed.
For Cisco AnyConnect VPN Client software installation, the remote user must have either the Java Runtime Environment for Windows (version 1.4 or later), or the browser must support or be configured to permit Active X controls.
Remote PC System Requirements
The AnyConnect client supports the following operating systems on the remote PC:
•
•
•
•
•
•
The legacy SSL VPN Client (SVC) supports the following operating systems on the remote PC:
•
•
Software Package Download
The latest versions of the CSD and Cisco AnyConnect VPN Client software client packages should be installed for distribution on the SSL VPN gateway.
The CSD software package can be downloaded at the following URL:
•
The Cisco AnyConnect VPN Client software package can be downloaded at the following URL:
•
Note
Prerequisites
•
•
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The following example, starting in global configuration mode, installs the Cisco AnyConnect VPN Client package to an SSL VPN gateway:
Router(config)# webvpn install svc flash:/webvpn/svc.pkgSSL VPN Package SSL-VPN-Client : installed successfullyThe following example, starting in global configuration mode, installs the CSD package to an SSL VPN gateway:
Router(config)# webvpn install csd flash:/securedesktop_10_1_0_9.pkgSSL VPN Package Cisco-Secure-Desktop : installed successfullyWhat to Do Next
Support for CSD and Cisco AnyConnect VPN Client can be enabled for remote users after the gateway has been prepared to distribute CSD or Cisco AnyConnect VPN Client software.
Configuring Cisco Secure Desktop Support
CSD provides a session-based interface where sensitive data can be shared for the duration of an SSL VPN session. All session information is encrypted. All traces of the session data are removed from the remote client when the session is terminated, even if the connection is terminated abruptly. CSD support for remote clients is enabled in this task.
Java Runtime Environment
The remote user (PC or device) must have administrative privileges, and the JRE for Windows version 1.4 or later must be installed before the CSD client packages can be installed.
Prerequisites
•
•
See the "Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files" section if you have not already prepared the SSL VPN gateway to distribute CSD software.
Restrictions
•
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
What to Do Next
Upon competition of this task, the SSL VPN gateway has been configured to provide clientless and thin client support for remote users. The SSL VPN feature also has the capability to provide full VPN access (similar to IPsec). Proceed to the next section to see more information.
Configuring Cisco AnyConnect VPN Client Full Tunnel Support
The Cisco AnyConnect VPN Client is an application that allows a remote user to establish a full VPN connection similar to the type of connection that is established with an IPsec VPN. Cisco AnyConnect VPN Client software is pushed (downloaded) and installed automatically on the PC of the remote user. The Cisco AnyConnect VPN Client uses SSL to provide the security of an IPsec VPN without the complexity required to install IPsec in your network and on remote devices. The following tasks are completed in this configuration:
•
•
•
•
•
•
•
•
•
Remote Client Software from the SSL VPN Gateway
The Cisco AnyConnect VPN Client software package is pushed from the SSL VPN gateway to remote clients when support is needed. The remote user (PC or device) must have either the Java Runtime Environment for Windows (version 1.4 later), or the browser must support or be configured to permit Active X controls. In either scenario, the remote user must have local administrative privileges.
The Address Pool
The address pool is first defined with the ip local pool command in global configuration mode. The standard configuration assumes that the IP addresses in the pool are reachable from a directly connected network.
Address Pools for Nondirectly Connected Networks
If you need to configure an address pool for IP addresses from a network that is not directly connected, perform the following steps:
1.
2.
3.
4.
See the examples in this section for a complete configuration example.
A Manual Entry to the IP Forwarding Table
If the SSL VPN software client is unable to update the IP forwarding table on the PC of the remote user, the following error message will be displayed in the router console or syslog:
Error : SSL VPN client was unable to Modify the IP forwarding table ......This error can occur if the remote client does not have a default route. You can work around this error by performing the following steps:
1.
2.
3.
C:\>route ADD 0.0.0.0 MASK 0.0.0.0 10.1.1.1Prerequisites
•
•
•
See the "Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files" section if you have not already prepared the SSL VPN gateway to distribute SSL VPN software.
Restrictions
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
DETAILED STEPS
Examples
Tunnel Filter Configuration
The following example, starting in global configuration mode, configures a deny access filter for any host from the 172.16.2/24 network:
Router(config)# access-list 101 deny ip 172.16.2.0 0.0.0.255 anyRouter(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# filter tunnel 101Router(config-webvpn-group)# endAddress Pool (Directly Connected Network) Configuration
The following example, starting in global configuration mode, configures the 192.168.1/24 network as an address pool:
Router(config)# ip local pool ADDRESSES 192.168.1.1 192.168.1.254Router(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# svc address-pool ADDRESSESRouter(config-webvpn-group)# endAddress Pool (Nondirectly Connected Network) Configuration
The following example, starting in global configuration mode, configures the 172.16.1/24 network as an address pool. Because the network is not directly connected, a local loopback interface is configured.
Router(config)# interface loopback 0Router(config-int)# ip address 172.16.1.126 255.255.255.0Router(config-int)# no shutdownRouter(config-int)# exitRouter(config)# ip local pool ADDRESSES 172.16.1.1 172.16.1.254Router(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# svc address-pool ADDRESSESRouter(config-webvpn-group)# endFull Tunnel Configuration
The following example, starting in global configuration mode, configures full Cisco AnyConnect VPN Client tunnel support on an SSL VPN gateway:
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# functions svc-enabled
Router(config-webvpn-group)# functions svc-requiredRouter(config-webvpn-group)# svc default-domain cisco.comRouter(config-webvpn-group)# svc dns-server primary 192.168.3.1
Router(config-webvpn-group)# svc dns-server secondary 192.168.4.1Router(config-webvpn-group)# svc dpd-interval gateway 30
Router(config-webvpn-group)# svc dpd-interval client 300Router(config-webvpn-group)# svc homepage www.cisco.comRouter(config-webvpn-group)# svc keep-client-installed
Router(config-webvpn-group)# svc rekey method new-tunnel
Router(config-webvpn-group)# svc rekey time 3600Router(config-webvpn-group)# endWhat to Do Next
Proceed to the next section to see advanced Cisco AnyConnect VPN Client tunnel configuration information.
Configuring Advanced SSL VPN Tunnel Features
This section describes advanced Cisco AnyConnect VPN Client tunnel configurations. The following configuration steps are completed in this task:
•
•
•
Microsoft Internet Explorer Proxy Configuration
The SSL VPN gateway can be configured to pass or bypass Microsoft Internet Explorer (MSIE) proxy settings. Only HTTP proxy settings are supported by the SSL VPN gateway. MSIE proxy settings have no effect on any other supported browser.
Split Tunneling
Split tunnel support allows you to configure a policy that permits specific traffic to be carried outside of the Cisco AnyConnect VPN Client tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through the Internet Service Provider [ISP] or WAN connection). Tunnel resolution configuration is mutually exclusive. An IP address cannot be both included and excluded at the same time. Entering the local-lans keyword permits the remote user to access resources on a local LAN, such as network printer.
Prerequisites
•
•
Restrictions
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
Split DNS Configuration
The following example, starting in global configuration mode, configures the following DNS names to be resolved in the Cisco AnyConnect VPN Client tunnel:
Router(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# svc split dns www.example.com
Router(config-webvpn-group)# svc split dns my.company.comIncluding and Excluding IP Prefixes
The following example configures a list of IP addresses to be resolved over the tunnel (included) and a list to be resolved outside of the tunnel (excluded):
Router(config-webvpn-group)# svc split exclude 192.168.1.0 255.255.255.0Router(config-webvpn-group)# svc split include 172.16.1.0 255.255.255.0MSIE Proxy Configuration
The following example configures MSIE proxy settings:
Router(config-webvpn-group)# svc msie-proxy option auto
Router(config-webvpn-group)# svc msie-proxy exception www.example.com
Router(config-webvpn-group)# svc msie-proxy exception 10.20.20.1Router(config-webvpn-group)# svc msie-proxy server 10.10.10.1:80WINS Server Configuration
The following example configures primary and secondary WINS servers for the policy group:
Router(config-webvpn-group)# svc wins-server primary 172.31.1.1Router(config-webvpn-group)# svc wins-server secondary 172.31.2.1Router(config-webvpn-group)# svc wins-server secondary 172.31.3.1Router(config-webvpn-group)# endConfiguring VRF Virtualization
VRF Virtualization allows you to associate a traditional VRF with an SSL VPN context configuration. This feature allows you to apply different configurations and reuse address space for different groups of users in your organization.
Prerequisites
•
•
•
Restrictions
•
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Examples
The following example, starting in global configuration mode, associates the VRF under the SSL VPN context configuration:
Router(config)# ip vrf BLUERouter(config-vrf)# rd 10.100.100.1Router(config-vrf)# exitRouter(config)# webvpn context BLUERouter(config-webvpn-context)# policy group BLUERouter(config-webvpn-group)# exitRouter(config-webvpn-context)# default-group-policy BLUERouter(config-webvpn-context)# vrf-name BLUERouter(config-webvpn-context)# endConfiguring ACL Rules
To configure ACL rules on the application layer level for an individual user, perform the following tasks.
Note
•
Prerequisites
Before configuring the ACL rules, you must have first configured the time range using the time-range command (this prerequisite is in addition to optionally configuring the time range, in the task table below, as part of the permit or deny entries).
Restrictions
There is no limitation on the maximum number of filtering rules that can be configured for each ACL entry, but keeping the number below 50 should have no significant impact on router performance.
SUMMARY STEPS
Required Steps
1.
2.
3.
4.
5.
or
deny [url [any | url-string]] [ip | tcp | udp | http | https | cifs] [any | source-ip source-mask] [any | destination-ip destination-mask] [time-range time-range-name] [syslog]
Optional Steps
6.
7.
8.
9.
DETAILED STEPS
Associating an ACL Attribute with a Policy Group
To associate an ACL attribute with a policy group, perform the following steps.
Note
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Monitoring and Maintaining ACLs
To monitor and maintain your ACL configuration, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuring SSO Netegrity Cookie Support for a Virtual Context
To configure SSO Netegrity cookie support, perform the following steps.
Prerequisites
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Associating an SSO Server with a Policy Group
To associate an SSO server with a policy group, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring URL Obfuscation (Masking)
To configure URL obfuscation, masking, for a policy group, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Adding a CIFS Server URL List to an SSL VPN Context
and Attaching It to a Policy GroupTo add a CIFS server URL list to an SSL VPN context and attach it to a policy group, perform the following steps.
Prerequisites
Before adding a CIFS server URL list to an SSL VPN context, you must have already set up the Web VPN context using the webvpn context command, and you must be in webvpn context configuration mode.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Configuring User-Level Bookmarks
To configure user-level bookmarks, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring FVRF
To configure FVRF so that the SSL VPN gateway is fully integrated into an MPLS network, perform the following steps.
Prerequisites
As the following configuration task shows, IP VRF must be configured before the FVRF can be associated with the SSL VPN gateway. For more information about configuring IP VRF, see the subsection "Configuring IP VRF (ip vrf command)" in the "Related Documents" section.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Using SSL VPN Clear Commands
This section describes clear commands that are used to perform the following tasks:
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying SSL VPN Configurations
This section describes show commands that are used to verify the following:
•
•
•
•
•
•
•
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Using SSL VPN Debug Commands
To monitor and manage your SSL VPN configurations, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Remote User Guide
For information specifically for the remote user, see the document SSL VPN Remote User Guide.
Configuration Examples for SSL VPN
This section includes the following configuration examples:
•
•
•
•
•
•
•
•
Configuring a Generic SSL VPN Gateway: Example
The following output example shows that a generic SSL VPN gateway has been configured in privileged EXEC mode:
Router# show running-configwebvpn gateway SSL_gateway2ip address 10.1.1.1. port 442ssl trustpoint TP_self_signed _4138349635inservice!webvpn context SSL_gateway2ssl authenticate verify all!!policy group defaultdefault-group-policy defaultgateway SSL_gateway2inservice
Configuring an ACL: Example
The following output example shows the ACL is "acl1." It has been associated with policy group "default."
Router# show running-configwebvpn context context1ssl authenticate verify all!acl "acl1"error-msg "warning!!!..."permit url "http://www.example1.com"deny url "http://www.example2.com"permit http any any!nbns-list l1nbns-server 10.1.1.20!cifs-url-list "c1"heading "cifs-url"url-text "SSL VPN-SERVER2" url-value "\\SSL VPN-SERVER2"url-text "SSL-SERVER2" url-value "\\SSL-SERVER2"!policy group defaultacl "acl1"cifs-url-list "c1"nbns-list "l1"functions file-accessfunctions file-browsefunctions file-entrydefault-group-policy defaultgateway publicinservice!Configuring HTTP Proxy: Example
The following output example shows that HTTP proxy has been configured and that the portal (home) page from URL "http://www.example.com" will automatically download the home page of the user:
Router# show running-configwebvpn context myContextssl authenticate verify all!!port-forward "email"local-port 20016 remote-server "ssl-server1.SSL VPN-ios.com" remote-port 110 description "POP-ssl-server1"!policy group myPolicyport-forward "email" auto-download http-proxy proxy-url "http://www.example.com"inserviceRADIUS Accounting for SSL VPN Sessions: Example
The following output example shows that RADIUS accounting has been configured for SSL VPN user sessions:
Router# show running-configversion 12.4service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname host1!aaa new-model!!aaa accounting network SSL VPNaaa start-stop group radiusaaa accounting update periodic 1aaa session-id commonip subnet-zeroip cef!!no ip domain lookupip domain name cisco.comip name-server 172.16.2.133ip name-server 172.16.11.48!line con 0exec-timeout 0 0line aux 0line vty 0 4!!webvpn gateway GW1ip address 172.19.216.141 port 443inservice!webvpn gateway SSL VPNno inservice!webvpn install svc flash:/webvpn/svc.pkgwebvpn aaa accounting-list SSL VPNaaa!webvpn context Default_contextssl encryptionssl authenticate verify all!no inservice!!URL Obfuscation (Masking): Example
The following output example shows that URL obfuscation (masking) has been configured for policy group "gp_urlobf."
Router: show running-config!!policy group gp_urlobfmask-urlsdefault-group-policy gp_urlobfgateway gw domain dominservice!!Adding a CIFS Server URL List and Attaching It to a Policy List: Example
The following output example shows that the CIFS server URLs "SSLVPN-SERVER2" and "SSL-SERVER2" have been added as portal page URLs to which a user has access. The output also shows that the two servers have been attached to a policy group.
webvpn context context_1ssl authenticate verify all!acl "acl1"error-msg "warning!!!..."permit url "http://www.example1.com"deny url "http://www.example2.com"permit http any any!nbns-list l1nbns-server 10.1.1.20!cifs-url-list "c1"heading "cifs-url"url-text "SSLVPN-SERVER2" url-value "\\SSLVPN-SERVER2"url-text "SSL-SERVER2" url-value "\\SSL-SERVER2"!policy group defaultacl "acl1"cifs-url-list "c1"nbns-list "l1"functions file-accessfunctions file-browsefunctions file-entrydefault-group-policy defaultgateway publicinservice!Typical SSL VPN Configuration: Example
The following output is an example of an SSL VPN configuration that includes most of the features that are available using SSL VPN:
Router# show running-confighostname sslvpn!!aaa new-model!!aaa authentication login default local group radius!!crypto pki trustpoint Gatewayenrollment selfsignedip-address 192.168.22.13revocation-check crlrsakeypair keys 1024 1024!!crypto pki certificate chain Gatewaycertificate self-signed 02!!interface Loopback0ip address 10.10.10.1 255.255.255.0!!interface GigabitEthernet0/1ip address 192.168.22.14 255.255.255.0 secondaryip address 192.168.22.13 255.255.255.0duplex autospeed automedia-type rj45!!ip local pool svc-pool 10.10.10.100 10.10.10.110!!ip radius source-interface FastEthernet1/1!!webvpn gateway ssl-vpnip address 192.168.22.13 port 443http-redirect port 80ssl trustpoint Gatewayinservice!! The following line is required for SSLVPN Client.webvpn install svc flash:/webvpn/svc.pkg!! The following line is required for Cisco Secure Desktop.webvpn install csd flash:/webvpn/sdesktop.pkg!webvpn context ssl-vpnssl authenticate verify all!url-list "sslvpn-dt"url-text "sslvpn-dt" url-value "http://10.1.1.40"url-text "Exchange Server" url-value "http://10.1.1.40/exchange"!sso-server "netegrity"web-agent-url "http://10.1.1.37/vpnauth/"secret-key "sslvpn1"retries 3timeout 15!nbns-list cifsnbns-server 10.1.1.40!port-forward "mail_test"local-port 30016 remote-server "mail.sslvpn-dt.com" remote-port 143 description "IMAP-test"local-port 30017 remote-server "mail.sslvpn-dt.com" remote-port 110 description "POP3-test"local-port 30018 remote-server "mail.sslvpn-dt.com" remote-port 25 description "SMTP-test"!policy group default! The following line applies the URL list.url-list "sslvpn-dt"! The following line applies TCP port forwarding.port-forward "mail_test"! The following line applies CIFS.nbns-list "cifs"! The following line enables CIFS functionality.functions file-access! The following line enables CIFS functionality.functions file-browse! The following line enables CIFS functionality.functions file-entry! The following line enables SSLVPN Client.functions svc-enabled! The following line enables clientless Citrix.citrix enableddefault-group-policy default! The following line maps this context to the virtual gateway and defines the domain to use.gateway ssl-vpn domain sslvpn! The following line enables Cisco Secure Desktop.csd enableinservice!!enddebug Command Output: Examples
Configuring SSO: Example
The following output example displays ticket creation, session setup, and response handling information for an SSO configuration:
Router# debug webvpn sso*Jun 12 20:37:01.052: WV-SSO: Redirect to SSO web agent URL - http://example.examplecompany.com/vpnauth/*Jun 12 20:37:01.052: WV_SSO: Set session cookie with SSO redirect*Jun 12 20:37:01.056: WV-SSO: Set SSO auth flag*Jun 12 20:37:01.056: WV-SSO: Attach credentials - building auth ticket*Jun 12 20:37:01.060: WV-SSO: user: [user11], secret: [secret123], version: [1.0], login time: [BCEFC86D], session key: [C077F97A], SHA1 hash : [B07D0A924DB33988D423AE9F937C1C5A66404819]*Jun 12 20:37:01.060: WV-SSO: auth_ticket : user11:1.0@C077F97A@BCEFC86D@B07D0A924DB33988D423AE9F937C1C5A66404819*Jun 12 20:37:01.060: WV-SSO: Base64 credentials for the auth_ticket: dXNlcjExOjEuMEBDMDc3Rjk3QUBCQ0VGQzg2REBCMDdEMEE5MjREQjMzOTg4RDQyM0FFOUY5MzdDMUM1QTY2NDA0OD E5*Jun 12 20:37:01.060: WV-SSO: Decoded credentials = user11:1.0@C077F97A@BCEFC86D@B07D0A924DB33988D423AE9F937C1C5A66404819*Jun 12 20:37:01.060: WV-SSO: Starting SSO request timer for 15-second*Jun 12 20:37:01.572: WV-SSO: SSO auth response rcvd - status[200]*Jun 12 20:37:01.572: WV-SSO: Parsed non-SM cookie: SMCHALLENGE*Jun 12 20:37:01.576: WV-SSO: Parsed SMSESSION cookie*Jun 12 20:37:01.576: WV-SSO: Sending logon page after SSO auth successshow Command Output: Examples
The following examples display information about various SSL VPN features and scenarios:
•
•
•
•
•
•
•
•
•
•
show webvpn context Example
The following is sample output from the show webvpn context command:
Router# show webvpn contextCodes: AS - Admin Status, OS - Operation StatusVHost - Virtual HostContext Name Gateway Domain/VHost VRF AS OS------------ ------- ------------ ------- ---- --------Default_context n/a n/a n/a down downcon-1 gw-1 one - up upcon-2 - - - down downshow webvpn context name Example
The following is sample output from the show webvpn context command, entered with the name of a specific SSL VPN context:
Router# show webvpn context context1Admin Status: upOperation Status: upCSD Status: DisabledCertificate authentication type: All attributes (like CRL) are verifiedAAA Authentication List not configuredAAA Authentication Domain not configuredDefault Group Policy: PG_1Associated WebVPN Gateway: GW_ONEDomain Name: DOMAIN_ONEMaximum Users Allowed: 10000 (default)NAT Address not configuredVRF Name not configuredshow webvpn gateway Example
The following is sample output from the show webvpn gateway command:
Router# show webvpn gatewayGateway Name Admin Operation------------ ----- ---------GW_1 up upGW_2 down downshow webvpn gateway name Example
The following is sample output from the show webvpn gateway command, entered with a specific SSL VPN gateway name:
Router# show webvpn gateway GW_1Admin Status: upOperation Status: upIP: 10.1.1.1, port: 443SSL Trustpoint: TP-self-signed-26793562show webvpn install file Example
The following is sample output from the show webvpn install command, entered with the file keyword:
Router# show webvpn install file \webvpn\stc\version.txtSSL VPN File \webvpn\stc\version.txt installed:CISCO STC win2k+ 1.0.01,1,0,116Fri 06/03/2005 03:02:46.43show webvpn install package svc Example
The following is sample output from the show webvpn install command, entered with the package svc keywords:
Router# show webvpn install package svcSSL VPN Package SSL-VPN-Client installed:File: \webvpn\stc\1\binaries\detectvm.class, size: 555File: \webvpn\stc\1\binaries\java.htm, size: 309File: \webvpn\stc\1\binaries\main.js, size: 8049File: \webvpn\stc\1\binaries\ocx.htm, size: 244File: \webvpn\stc\1\binaries\setup.cab, size: 176132File: \webvpn\stc\1\binaries\stc.exe, size: 94696File: \webvpn\stc\1\binaries\stcjava.cab, size: 7166File: \webvpn\stc\1\binaries\stcjava.jar, size: 4846File: \webvpn\stc\1\binaries\stcweb.cab, size: 13678File: \webvpn\stc\1\binaries\update.txt, size: 11File: \webvpn\stc\1\empty.html, size: 153File: \webvpn\stc\1\images\alert.gif, size: 2042File: \webvpn\stc\1\images\buttons.gif, size: 1842File: \webvpn\stc\1\images\loading.gif, size: 313File: \webvpn\stc\1\images\title.gif, size: 2739File: \webvpn\stc\1\index.html, size: 4725File: \webvpn\stc\2\index.html, size: 325File: \webvpn\stc\version.txt, size: 63Total files: 18show webvpn install status svc Example
The following is sample output from the show webvpn install command, entered with the status svc keywords:
Router# show webvpn install status svcSSL VPN Package SSL-VPN-Client version installed:CISCO STC win2k+ 1.0.01,0,2,127Fri 07/22/2005 12:14:45.43show webvpn nbns context all Example
The following sample output from the show webvpn nbns command, entered with the context all keywords:
Router# show webvpn nbns context allNetBIOS name IP Address Timestamp0 total entriesNetBIOS name IP Address Timestamp0 total entriesNetBIOS name IP Address Timestamp0 total entries
show webvpn policy Example
The following is sample output from the show webvpn policy command:
Router# show webvpn policy group ONE context allWEBVPN: group policy = ONE ; context = SSL VPNidle timeout = 2100 secsession timeout = 43200 seccitrix disableddpd client timeout = 300 secdpd gateway timeout = 300 seckeep SSL VPN client installed = disabledrekey interval = 3600 secrekey method =lease duration = 43200 secWEBVPN: group policy = ONE ; context = SSL VPN_TWOidle timeout = 2100 secsession timeout = 43200 seccitrix disableddpd client timeout = 300 secdpd gateway timeout = 300 seckeep SSL VPN client installed = disabledrekey interval = 3600 secrekey method =lease duration = 43200 secshow webvpn policy Example (with NTLM disabled)
The following is sample output from the show webvpn policy command. NTLM authentication has been disabled.
Router# show webvpn policy group ntlm context ntlmWEBVPN: group policy = ntlm; context = ntlmurl list name = "ntlm-server"idle timeout = 2100 secsession timeout = 43200 secfunctions =httpauth-disabledfile-accesssvc-enabledcitrix disableddpd client timeout = 300 secdpd gateway timeout = 300 seckeep SSL VPN client installed = disabledrekey interval = 3600 secrekey method =lease duration = 43200 secshow webvpn session Example
The following is sample output from the show webvpn session command. The output is filtered to display user session information for only the specified context.
Router# show webvpn session context SSL VPNWebVPN context name: SSL VPNClient_Login_Name Client_IP_Address No_of_Connections Created Last_Useduser1 10.2.1.220 2 04:47:16 00:01:26user2 10.2.1.221 2 04:48:36 00:01:56show webvpn session user Example
The following is sample output from the show webvpn session command. The output is filtered to display session information for a specific user.
Router# show webvpn session user user1 context allWebVPN user name = user1 ; IP address = 10.2.1.220; context = SSL VPNNo of connections: 0Created 00:00:19, Last-used 00:00:18CSD enabledCSD Session PolicyCSD Web Browsing AllowedCSD Port Forwarding AllowedCSD Full Tunneling DisabledCSD FILE Access AllowedUser Policy ParametersGroup name = ONEGroup Policy Parametersurl list name = "Cisco"idle timeout = 2100 secsession timeout = 43200 secport forward name = "EMAIL"tunnel mode = disabledcitrix disableddpd client timeout = 300 secdpd gateway timeout = 300 seckeep stc installed = disabledrekey interval = 3600 secrekey method = ssllease duration = 3600 secshow webvpn stats Example
The following is sample output from the show webvpn stats command entered with the detail and context keywords:
Router# show webvpn stats detail context SSL VPNWebVPN context name : SSL VPNUser session statistics:Active user sessions : 0 AAA pending reqs : 0Peak user sessions : 0 Peak time : neverActive user TCP conns : 0 Terminated user sessions : 0Session alloc failures : 0 Authentication failures : 0VPN session timeout : 0 VPN idle timeout : 0User cleared VPN sessions: 0 Exceeded ctx user limit : 0CEF switched packets - client: 0 , server: 0CEF punted packets - client: 0 , server: 0Mangling statistics:Relative urls : 0 Absolute urls : 0Non-http(s) absolute urls: 0 Non-standard path urls : 0Interesting tags : 0 Uninteresting tags : 0Interesting attributes : 0 Uninteresting attributes : 0Embedded script statement: 0 Embedded style statement : 0Inline scripts : 0 Inline styles : 0HTML comments : 0 HTTP/1.0 requests : 0HTTP/1.1 requests : 0 Unknown HTTP version : 0GET requests : 0 POST requests : 0CONNECT requests : 0 Other request methods : 0Through requests : 0 Gateway requests : 0Pipelined requests : 0 Req with header size >1K : 0Processed req hdr bytes : 0 Processed req body bytes : 0HTTP/1.0 responses : 0 HTTP/1.1 responses : 0HTML responses : 0 CSS responses : 0XML responses : 0 JS responses : 0Other content type resp : 0 Chunked encoding resp : 0Resp with encoded content: 0 Resp with content length : 0Close after response : 0 Resp with header size >1K: 0Processed resp hdr size : 0 Processed resp body bytes: 0Backend https response : 0 Chunked encoding requests: 0CIFS statistics:SMB related Per Context:TCP VC's : 0 UDP VC's : 0Active VC's : 0 Active Contexts : 0Aborted Conns : 0NetBIOS related Per Context:Name Queries : 0 Name Replies : 0NB DGM Requests : 0 NB DGM Replies : 0NB TCP Connect Fails : 0 NB Name Resolution Fails : 0HTTP related Per Context:Requests : 0 Request Bytes RX : 0Request Packets RX : 0 Response Bytes TX : 0Response Packets TX : 0 Active Connections : 0Active CIFS context : 0 Requests Dropped : 0Socket statistics:Sockets in use : 0 Sock Usr Blocks in use : 0Sock Data Buffers in use : 0 Sock Buf desc in use : 0Select timers in use : 0 Sock Select Timeouts : 0Sock Tx Blocked : 0 Sock Tx Unblocked : 0Sock Rx Blocked : 0 Sock Rx Unblocked : 0Sock UDP Connects : 0 Sock UDP Disconnects : 0Sock Premature Close : 0 Sock Pipe Errors : 0Sock Select Timeout Errs : 0Port Forward statistics:Connections serviced : 0 Server Aborts (idle) : 0Client Serverin pkts : 0 out pkts : 0in bytes : 0 out bytes : 0out pkts : 0 in pkts : 0out bytes : 0 in bytes : 0WEBVPN Citrix statistics:Connections serviced : 0Server ClientPackets in : 0 0Packets out : 0 0Bytes in : 0 0Bytes out : 0 0Tunnel Statistics:Active connections : 0Peak connections : 0 Peak time : neverConnect succeed : 0 Connect failed : 0Reconnect succeed : 0 Reconnect failed : 0SVCIP install IOS succeed: 0 SVCIP install IOS failed : 0SVCIP clear IOS succeed : 0 SVCIP clear IOS failed : 0SVCIP install TCP succeed: 0 SVCIP install TCP failed : 0DPD timeout : 0Client Serverin CSTP frames : 0 out IP pkts : 0in CSTP data : 0 out stitched pkts : 0in CSTP control : 0 out copied pkts : 0in CSTP Addr Reqs : 0 out bad pkts : 0in CSTP DPD Reqs : 0 out filtered pkts : 0in CSTP DPD Resps : 0 out non fwded pkts : 0in CSTP Msg Reqs : 0 out forwarded pkts : 0in CSTP bytes : 0 out IP bytes : 0out CSTP frames : 0 in IP pkts : 0out CSTP data : 0 in invalid pkts : 0out CSTP control : 0 in congested pkts : 0out CSTP Addr Resps : 0 in bad pkts : 0out CSTP DPD Reqs : 0 in nonfwded pkts : 0out CSTP DPD Resps : 0 in forwarded pkts : 0out CSTP Msg Reqs : 0out CSTP bytes : 0 in IP bytes : 0show webvpn stats sso Examples
The following output example displays statistics for an SSO server:
webvpn# show webvpn stats ssoSingle Sign On statistics:Auth Requests : 4 Pending Auth Requests :0Successful Requests : 1 Failed Requests :3Retranmissions : 0 DNS Errors :0Connection Errors : 0 Request Timeouts :0Unknown Responses :
