Table Of Contents
SSL VPN
Finding Feature Information
Contents
Prerequisites for SSL VPN
Restrictions for SSL VPN
Information About SSL VPN
SSL VPN Overview
Licensing
Modes of Remote Access
Remote Access Overview
Clientless Mode
Thin-Client Mode
Tunnel Mode
SSL VPN Features
Access Control Enhancements
SSL VPN Client Side Certificate Based Authentication
AnyConnect Client Support
Application ACL Support
Automatic Applet Download
Backend HTTP Proxy
Front-Door VRF Support
Full-Tunnel CEF Support
GUI Enhancements
Internationalization
Max-User Limit Message
Netegrity Cookie-Based Single SignOn Support
NTLM Authentication
RADIUS Accounting
Stateless High Availability with Hot Standby Router Protocol
TCP Port Forwarding and Thin Client
URL Obfuscation
URL Rewrite Splitter
User-Level Bookmarking
Virtual Templates
Other SSL VPN Features
Platform Support
How to Configure SSL VPN Services on a Router
Configuring an SSL VPN Gateway
SSL VPN Encryption
SSL VPN Trustpoints
What to Do Next
Configuring a Generic SSL VPN Gateway
Configuring an SSL VPN Context
Context Defaults
Configuring a Virtual Host
Prerequisites
What to Do Next
Configuring an SSL VPN Policy Group
Outlook Web Access 2003
URL-List Configuration
What to Do Next
Configuring Local AAA Authentication for SSL VPN User Sessions
Prerequisites
What to Do Next
Configuring AAA for SSL VPN Users Using a Secure Access Control Server
Prerequisites
What to Do Next
Configuring RADIUS Accounting for SSL VPN User Sessions
Prerequisites
Monitoring and Maintaining RADIUS Accounting for an SSL VPN Session
Configuring RADIUS Attribute Support for SSL VPN
What to Do Next
Configuring a URL List for Clientless Remote Access
Prerequisites
What to Do Next
Configuring Microsoft File Shares for Clientless Remote Access
Common Internet File System Support
NetBIOS Name Service Resolution
Samba Support
Prerequisites
Restrictions
Examples
What to Do Next
Configuring Citrix Application Support for Clientless Remote Access
ICA Client
Prerequisites
Examples
What to Do Next
Configuring Application Port Forwarding
Administrative Privileges on the Remote Client
Prerequisites
Examples
Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files
Remote Client Software Installation Requirements
Software Package Download
Prerequisites
Examples
What to Do Next
Configuring Cisco Secure Desktop Support
Java Runtime Environment
Prerequisites
Restrictions
What to Do Next
Configuring Cisco AnyConnect VPN Client Full Tunnel Support
Remote Client Software from the SSL VPN Gateway
The Address Pool
A Manual Entry to the IP Forwarding Table
Prerequisites
Restrictions
Examples
What to Do Next
Configuring Advanced SSL VPN Tunnel Features
Microsoft Internet Explorer Proxy Configuration
Split Tunneling
Prerequisites
Restrictions
Examples
Configuring VRF Virtualization
Prerequisites
Restrictions
Examples
Configuring ACL Rules
Prerequisites
Restrictions
Associating an ACL Attribute with a Policy Group
Monitoring and Maintaining ACLs
Configuring SSO Netegrity Cookie Support for a Virtual Context
Prerequisites
Associating an SSO Server with a Policy Group
Configuring URL Obfuscation (Masking)
Adding a CIFS Server URL List to an SSL VPN Context
and Attaching It to a Policy Group
Prerequisites
Configuring User-Level Bookmarks
Configuring FVRF
Prerequisites
Disabling Full-Tunnel CEF
Configuring Automatic Authentication and Authorization
Configuring SSL VPN Client Side Certificate Based Authentication
Configuring a URL Rewrite Splitter
Configuring a Backend HTTP Proxy
Configuring Stateless High Availability with HSRP for SSL VPN
Configuring Internationalization
Generating the Template Browser Attribute File
Importing the Browser Attribute File
Verifying That the Browser Attribute File Was Imported Correctly
Creating the Language File
Importing the Language File
Verifying That the Language File Was Imported Correctly
Creating the URL List
Importing the File into the URL List and Binding It to a Policy Group
Verifying That the URL List File Was Bound Correctly to the Policy Group
Configuring a Virtual Template
Prerequisites
Restrictions
Using SSL VPN Clear Commands
Verifying SSL VPN Configurations
Using SSL VPN Debug Commands
Remote User Guide
Configuration Examples for SSL VPN
Configuring a Generic SSL VPN Gateway: Example
Configuring an ACL: Example
Configuring HTTP Proxy: Example
RADIUS Accounting for SSL VPN Sessions: Example
URL Obfuscation (Masking): Example
Adding a CIFS Server URL List and Attaching It to a Policy List: Example
Typical SSL VPN Configuration: Example
CEF-Processed Packets: Example
Multiple AnyConnect VPN Client Package Files: Examples
Local Authorization: Example
URL Rewrite Splitter: Example
Backend HTTP Proxy: Example
Stateless High Availability with HSRP: Example
Internationalization: Examples
Generated Browser Attribute Template: Example
Copying the Browser Attribute File to Another PC for Editing: Example
Copying the Edited File to flash: Example
Output Showing That the Edited File Was Imported: Example
Copying the Language File to Another PC for Editing: Example
Copying the Edited Language File to the Storage Device: Example
Language Template Created: Example
URL List: Examples
Virtual Template: Examples
Debug Command Output: Examples
Configuring SSO: Example
Show Command Output: Examples
Additional References
Related Documents
Standards
MIBs
RFCs
Technical Assistance
Feature Information for SSL VPN
Notices
OpenSSL/Open SSL Project
License Issues
SSL VPN
First Published: February 27, 2006
Last Updated: October 2, 2009
The SSL VPN feature (also known as WebVPN) provides support, in Cisco IOS software, for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer- (SSL-) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support. SSL VPN delivers three modes of SSL VPN access: clientless, thin-client, and full-tunnel client support.
This document is primarily for system administrators. If you are a remote user, see the document SSL VPN Remote User Guide.
Note 
The Cisco AnyConnect VPN Client is introduced in Cisco IOS Release 12.4(15)T. This feature is the next-generation SSL VPN Client. If you are using Cisco software earlier than Cisco IOS Release 12.4(15)T, you should be using SSL VPN Client and see GUI for the SSL VPN Client when you are web browsing. However, if you are using Cisco software Release 12.4(15)T or later, you should be using Cisco AnyConnect VPN Client and see GUI for Cisco AnyConnect VPN Client when you are web browsing.
For "What's New" information about SSL VPN features by release, see the section "Finding Feature Information," which follows.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for SSL VPN" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS, Catalyst OS, and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for SSL VPN
•Restrictions for SSL VPN
•Information About SSL VPN
•How to Configure SSL VPN Services on a Router
•Configuration Examples for SSL VPN
•Additional References
•Feature Information for SSL VPN
•Notices
Prerequisites for SSL VPN
•To securely access resources on a private network behind an SSL VPN gateway, the remote user of an SSL VPN service must have the following:
–An account (login name and password)
–An SSL-enabled browser (for example, Internet Explorer, Netscape, Mozilla, or FireFox)
–Operating system support
Note Later versions of the following software are also supported.
•Microsoft Windows 2000, Windows XP, or Windows Vista
•Macintosh OS X 10.4.6
•Linux (Redhat RHEL 3.0 +, FEDORA 5, or FEDORA 6)
–SSL VPN-supported browser—The following browsers have been verified for SSL VPN. Other browsers might not fully support SSL VPN features.
Note Later versions of the following software are also supported.
•Internet Explorer 6.0 or 7.0
•Firefox 2.0 (Windows and Linux)
•Safari 2.0.3
•"Thin Client" support used for TCP port-forwarding applications requires administrative privileges on the computer of the remote user.
•"Tunnel mode" for Cisco SSL VPN requires administrative privileges for initial installation of the full tunnel client.
•The remote user must have local administrative privileges to use thin client or full tunnel client features.
•The SSL VPN gateway and context configuration must be completed before a remote user can access resources on a private network behind an SSL VPN. This configuration is shown in the section "How to Configure SSL VPN Services on a Router."
ACL Support
•Before configuring this feature, the time range should have already been configured.
Single SignOn (SSO) Netegrity Cookie Support
•A Cisco plug-in must be installed on a Netegrity SiteMinder server.
Licensing
•In Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A valid licence is required for a successful SSL VPN session.
Restrictions for SSL VPN
•URLs referred by the Macromedia Flash player cannot be modified for secure retrieval by the SSL VPN gateway.
Cisco AnyConnect VPN Client
•The Cisco AnyConnect VPN Client is not supported on Windows Mobile when the client connects to a Cisco IOS headend router.
CiscoAnyConnect VPN Client does not support the following:
•Datagram Transport Layer Security (DTLS) with SSL connections
•Standalone Mode (supported in Cisco IOS Release 12.4(20)T and later versions)
•IPsec
•IPv6 VPN access
•Compression support
•Language translation (localization)
•Client-side authentication
•Adaptive Security Appliance (ASA) and Adaptive Security Device Manager (ASDM) and any command-line interface (CLI) associated with them
•Sequencing
Thin Client Control List Support
•Although there is no limitation on the maximum number of filtering rules that can be applied for each access control list (ACL) entry, keeping the number below 50 should have no impact on router performance.
HTTP Proxy
•This feature works only with Microsoft Internet Explorer.
•This feature will not work if the browser proxy setup cannot be modified because of any security policies that have been placed on the client workstation.
Information About SSL VPN
To configure SSL VPN, you should understand the following concepts:
•SSL VPN Overview
•Licensing
•Modes of Remote Access
•SSL VPN Features
•Other SSL VPN Features
•Platform Support
SSL VPN Overview
Cisco IOS SSL VPN provides SSL VPN remote-access connectivity from almost any Internet-enabled location using only a web browser that natively supports SSL encryption. This feature allows your company to extend access to its secure enterprise network to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
Cisco IOS SSL VPN can also support access from noncorporate-owned machines, including home computers, Internet kiosks, and wireless hot spots. These locations are difficult places to deploy and manage VPN client software and remote configuration required to support IPsec VPN connections.
Figure 1 shows how a mobile worker (the lawyer at the courthouse) can access protected resources from the main office and branch offices. Site-to-site IPsec connectivity between the main and remote sites is unaltered. The mobile worker needs only Internet access and supported software (web browser and operating system) to securely access the corporate network.
Figure 1 Secure SSL VPN Access Model
SSL VPN delivers the following three modes of SSL VPN access:
•Clientless—Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
•Thin Client (port-forwarding Java applet)—Thin client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).
•Tunnel Mode—Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.
SSL VPN application accessibility is somewhat constrained relative to IPsec VPNs; however, SSL-based VPNs provide access to a growing set of common software applications, including web page access, web-enabled services such as file access, e-mail, and TCP-based applications (by way of a downloadable thin-client applet). SSL-based VPN requires slight changes to user workflow because some applications are presented through a web browser interface, not through their native GUI. The advantage for SSL VPN comes from accessibility from almost any Internet-connected system without needing to install additional desktop software.
Licensing
Starting from Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on the Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A license count is associated with each counted license and the count indicates the instances of the feature available for use in the system. In the case of SSL VPN, a seat refers to the maximum number of sessions allowed at a time.
You can get the license at http://www.cisco.com/go/license.
For instructions on installing a license using Cisco License Manager (CLM), see the User Guide for Cisco License Manager, Release 2.2 at http://www.cisco.com/en/US/docs/net_mgmt/license_manager/lm_2_2/2.2_user_guide/ch08_ug.html.
For instructions on installing a license using Cisco command-line interface (CLI), see the Software Activation Configuration Guide at http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/csa_commands_ps6441_TSD_Products_Configuration_Guide_Chapter.html.
SSL VPN supports the following types of licenses:
•Permanent licenses—No usage period is associated with these licenses. All permanent licenses are node locked and validated during installation and usage.
•Evaluation licenses—These are metered licenses that are valid for a limited period. The usage period of a license is based on a system clock. The evaluation licenses are built into the image and are not node locked. The evaluation licenses are used only when there are no permanent, extension or grace period licenses available for a feature. An end-user licence agreement (EULA) has to be accepted before using an evaluation license.
•Extension licenses—Extension licenses are node-locked metered licenses. These licenses are installed using the management interfaces on the device. A EULA has to be accepted as part of installation.
•Grace-rehost licenses—Grace period licenses are node locked metered licenses. These licenses are installed on the device as part of the rehost operation. A EULA has to be accepted as a part of the rehost operation.
For all the license types, except the evaluation license, a EULA has to be accepted during the license installation. This means that all the license types except the evaluation license are activated after installation. In the case of an evaluation license, a EULA is presented during an SSL VPN gateway configuration or an SSL VPN context configuration.
An SSL VPN session corresponds to a successful login to the SSL VPN service. An SSL VPN session is created when a valid license is installed and the user credentials are successfully validated. On a successful user validation, a request is made to the licensing module to get a seat. An SSL VPN session is created only when the request is successful. If a valid license is not installed, the SSL VPN gateway configuration and SSL VPN context configurations are successful, but the user cannot login successfully. When multiple gateways and contexts are configured, the total number of sessions are equal to the total sessions allowed by the license.
The same user can create multiple sessions and for each session a seat count is reserved. The seat reservation does not happen in the following cases:
•Multiple TCP connections such as web server content, Outlook Web Access (OWA) and Common Intermediate Format (CIF) file shares
•Port forward session initiation
•Full tunnel session creation from a browser session
•Full tunnel session is up and a crypto rekey is done
When the total active sessions are equal to the maximum license count of the current active license, no more new sessions are allowed.
The reserved seat count or session is released when
•a user logs out
•a Dead Peer Detection (DPD) failure happens
•a session timeout occurs
•an idle timeout occurs
•a session is cleared administratively using the clear webvpn session command
•disconnected from the tunnel
•context is removed even when there are active sessions
You can use the show webvpn license command to display the available count and the current usage. To display the current license type and time period left in case of a nonpermanent license, use the show license command. To get information related to license operations, events, and errors, use the debug webvpn license command.
For more information about licensing, see the bulletin Cisco IOS SSL VPN Licensing Information.
Modes of Remote Access
This section includes the following:
•Remote Access Overview
•Clientless Mode
•Thin-Client Mode
•Tunnel Mode
Remote Access Overview
End-user login and authentication is performed by the web browser to the secure gateway using an HTTP request. This process creates a session that is referenced by a cookie. After authentication, the remote user is shown a portal page that allows access to the SSL VPN networks. All requests sent by the browser include the authentication cookie. The portal page provides all the resources available on the internal networks. For example, the portal page could provide a link to allow the remote user to download and install a thin-client Java applet (for TCP port forwarding) or a tunneling client.
Figure 2 shows an overview of the remote access modes.
Figure 2 Modes of Remote Access Overview
Table 1 summarizes the level of SSL VPN support that is provided by each access mode.
Table 1 Access Mode Summary
A
|
Clientless Mode
|
B
|
Thin-Client Mode
|
C
|
Tunnel Mode
|
•Browser-based (clientless)
•Microsoft Windows or Linux
•Web-enabled applications, file sharing, Outlook Web Access
•Gateway performs address or protocol conversion and content parsing and rewriting
|
•TCP port forwarding
•Uses Java Applet
•Extends application support
•Telnet, e-mail, SSH, Meeting Maker, Sametime Connect
•Static port-based applications
|
•Works like "clientless" IPsec VPN
•Tunnel client loaded through Java or ActiveX (approximately 500 kB)
•Application agnostic—supports all IP-based applications
•Scalable
•Local administrative permissions required for installation
|
Clientless Mode
In clientless mode, the remote user accesses the internal or corporate network using the web browser on the client machine. The PC of the remote user must run the Windows 2000, Windows XP, or Linux operating systems.
The following applications are supported in clientless mode:
•Web browsing (using HTTP and secure HTTP [HTTPS])—provides a URL box and a list of web server links in the portal page that allows the remote user to browse the web.
•File sharing (using common Internet file system [CIFS])—provides a list of file server links in the portal page that allows the remote user to do the following operations:
–Browse a network (listing of domains)
–Browse a domain (listing of servers)
–Browse a server (listing of shares)
–List the files in a share
–Create a new file
–Create a directory
–Rename a directory
–Update a file
–Download a file
–Remove a file
–Rename a file
Note Linux requires that the Samba application is installed before CIFS file shares can be remotely accessed.
•Web-based e-mail, such as Microsoft Outlook Web Access (OWA) 2003 (using HTTP and HTTPS) with Web Distributed Authoring and Versioning (WebDAV) extensions—provides a link that allows the remote user to connect to the exchange server and read web-based e-mail.
Thin-Client Mode
Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the portal page, or the Java applet is downloaded automatically (see "Options for Configuring HTTP Proxy and the Portal Page" and "Options for Configuring HTTP Proxy and the Portal Page"). The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway.
The applications that are supported in thin-client mode are mainly e-mail-based (SMTP, POP3, and Internet Map Access Protocol version 4 [IMAP4] applications.
Note The TCP port-forwarding proxy works only with the Sun MicroSystems Java Runtime Environment (JRE) version 1.4 or later versions. A Java applet is loaded through the browser that verifies the JRE version. The Java applet will refuse to run if a compatible JRE version is not detected.
The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The name and port number of the internal e-mail server is included in the HTTP request (POST or CONNECT). The SSL VPN gateway creates a TCP connection to that internal e-mail server and port.
The Java applet starts a new SSL connection for every client connection.
You should observe the following restrictions when using thin-client mode:
•The remote user must allow the Java applet to download and install.
•You cannot use thin-client mode for applications such as FTP, where the ports are negotiated dynamically. You can use TCP port forwarding only with static ports.
Note There is a known compatibility issue with the encryption type and Java. If the Java port-forwarding applet does not download properly and the configuration line ssl encryption 3des-sha1 aes-sha1 is present, you should remove the line from the webvpn gateway subconfiguration.
Options for Configuring HTTP Proxy and the Portal Page
Effective with Cisco IOS Release 12.4(11)T, administrators have more options for configuring the HTTP proxy and the portal page. If HTTP proxy is enabled, the Java applet acts as the proxy for the browser of the user, thereby connecting the client workstation with the gateway. The home page of the user (as defined by the user group) is opened automatically or, if configured by the administrator, the user is directed to a new website.
HTTP proxy supports both HTTP and HTTPS.
Benefits of Configuring HTTP Proxy
HTTP supports all client-side web technologies (including HTML, Cascading Style Sheets [CSS], JavaScript, VBScript, ActiveX, Java, and flash), HTTP Digest authentication, and client certificate authentication. Remote users can use their own bookmarks, and there is no limit on cookies. Because there is no mangling involved and the client can cache the objects, performance is much improved over previous options for configuring the HTTP proxy and portal page.
Illustrations of Port Forwarding with and Without an HTTP Proxy Configuration
Figure 3 illustrates TCP port forwarding without HTTP proxy configured.
Figure 3 TCP Port Forwarding Without HTTP Proxy Configured
In Figure 3, the following steps must occur:
1. User downloads the proxy applet.
2. Applet updates the registry to add HTTP as a Remote Procedure Call (RPC) transport.
3. Applet examines the registry to determine the exchange (and local catalog) server and create server entries that refer to those servers.
4. Applet opens local port 80 and listens for connections.
5. User starts Outlook, and Outlook connects to 10.0.0.254:80.
6. Applet opens a connection to the secure gateway and delivers the requests from Outlook.
7. Secure gateway examines the requests to determine the end-point exchange server.
8. Data flows from Outlook, through the applet and the secure gateway, to the exchange server.
9. User terminates Outlook.
10. User closes the applet. Before closing, the applet undoes configuration Steps 3 and 4.
Figure 4 illustrates TCP port forwarding when HTTP proxy is configured.
Figure 4 HTTP Proxy
In Figure 4, the following steps occur:
1. Proxy applet is downloaded automatically.
2. Applet saves the original proxy configuration of the browser.
3. Applet updates the proxy configuration of the browser to be the local loopback address with an available local port (by default, port 8080).
4. Applet opens the available local port and listens for connections.
5. Applet, if so configured, opens the home page of the user, or the user browses to a new website.
6. Applet accepts and looks at the HTTP or HTTPS request to determine the destination web server.
7. Applet opens a connection to the secure gateway and delivers the requests from the browser.
8. Secure gateway examines the requests to determine the end-point web server.
9. Data flows from the browser, through the applet and the secure gateway, to the web server.
10. User closes applet. Before closing, the applet undoes configuration Steps 2 and 3.
Note HTTP proxy can also be enabled on a AAA server. See the section "SSL VPN RADIUS Attribute-Value Pairs" (port-forward-http-proxy and port-forward-http-proxy-url attributes).
Tunnel Mode
In a typical clientless remote access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer. Therefore, tunnel mode supports most IP-based applications. Tunnel mode supports many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet).
The tunnel connection is determined by the group policy configuration. The Cisco AnyConnect VPN Client is downloaded and installed on the remote user PC, and the tunnel connection is established when the remote user logs into the SSL VPN gateway.
By default, the Cisco AnyConnect VPN Client is removed from the client PC after the connection is closed. However, you have the option to keep the Cisco AnyConnect VPN Client installed on the client PC.
SSL VPN Features
SSL VPN includes the following features:
•Access Control Enhancements
•SSL VPN Client Side Certificate Based Authentication
•AnyConnect Client Support
•Application ACL Support
•Automatic Applet Download
•Backend HTTP Proxy
•Front-Door VRF Support
•Full-Tunnel CEF Support
•GUI Enhancements
•Internationalization
•Netegrity Cookie-Based Single SignOn Support
•NTLM Authentication
•RADIUS Accounting
•Stateless High Availability with Hot Standby Router Protocol
•TCP Port Forwarding and Thin Client
•URL Obfuscation
•URL Rewrite Splitter
•User-Level Bookmarking
Access Control Enhancements
Effective with Cisco IOS Release 12.4(20)T, administrators can configure automatic authentication and authorization for users. Users provide their usernames and passwords via the gateway page URL and do not have to reenter their usernames and passwords from the login page. Authorization is enhanced to support more generic authorization, including local authorization. In previous releases, only RADIUS authorization was supported.
For information about configuring this feature, see the section "Configuring Automatic Authentication and Authorization."
SSL VPN Client Side Certificate Based Authentication
This feature enables SSL VPN to authenticate clients based on the clients AAA username and password and also supports webvpn gateway authentication of clients using AAA certificates.
SSL VPN Client Side Certificate Based Authentication includes the following features:
•Certificate Only Authentication and Authorization Mode
•Two factor Authentication and Authorization Mode
•Identification of webvpn Context at Runtime Using Certificate Map Match Rules
•Support for AnyConnect Client to Implement Certificate Matching Based on Client Profile Attributes
Certificate Only Authentication and Authorization Mode
Certificate only authoriztion requires the user to provide a AAA authentication certificate as part of the webvpn request, but does not require the username and password for authorization. The user requests webvpn access with the AAA authentication certificate from the webvpn gateway. The webvpn gateway validates the identity of the client using the AAA authentication certificate presented to it. The webvpn extracts the username from the AAA authentication certificate presented to it and uses it as the username in the AAA request. AAA authentication and AAA authorization are then completed with a hard-coded password. To configure certificate only authorization use the authentication certificate command.
Two factor Authentication and Authorization Mode
Two factor authorization requires the user to request webvpn access and present a AAA authentication certificate. The AAA authentication certificate is validated and the client's identity is verified. The webvpn gateway then presents the login page to the user. The user enters their username and password and webvpn sends AAA authentication and AAA authorization requests to the AAA server. The AAA authentication list and the AAA authorization lists configured on the server are then used for authentication and authorization. To configure two factor authentication and authorization mode use the authentication certificate aaa command.
Note If the username-prefill command is configured, the username textbox on the login page will be disabled. The user will be asked only for their password on the login page.
Identification of webvpn Context at Runtime Using Certificate Map Match Rules
Certificate map match rules are used by SSLVPN to identify the webvpn context at runtime. The webvpn context is required for AAA authentication and authorization mode and trustpoint configuration. When the user does not provide the webvpn context, the identification of the webvpn context at runtime is possible using certificate map matching by matching the certificate presented by the client with the certificate map match rules. To configure certificate map matching in webvpn use the match-certificate command.
Support for AnyConnect Client to Implement Certificate Matching Based on Client Profile Attributes
Cisco AnyConnect client has certificate match functionality allowing it to select a suitable certificate while initiating tunnel connection with SSL VPN. In the case of standalone mode, the certificate selection is made based on the certificate match. When selecting a certificate, Cisco AnyConnect client can select the appropriate certificate based on the AnyConnect client profile attributes. This requires SSL VPN to support AnyConnect client profiles. The profile file is imported after modification by the administrator using the svc profile command. To create an AnyConnect client profile use the template that appears after installing Cisco AnyConnect in this location: \Documents and Settings\All Users\Application Data\Cisco\ CiscoAnyConnectVPNClient\Profile\AnyConnectProfile.tmpl
The following are the certificate match types available with Cisco AnyConnect client:
Certificate Key Usage Matching
Certificate key usage matching offers a set of constraints based on the broad types of operations that can be performed with a given certificate.
Extended Certificate Key Usage Matching
This matching allows an administrator to limit the certificates that can be used by the client based on the Extended Key Usage fields.
Certificate Distinguished Name Mapping
This certificate matching capability allows an administrator to limit the certificates that can be used by the client to those matching the specified criteria and criteria match conditions. This includes the ability to specify that a certificate must or must not have a specified stringand also if wild carding for the string should be allowed.
AnyConnect Client Support
Effective with Cisco IOS Release 12.4(20)T, AnyConnect Client support has been added for several client-side platforms, such as Microsoft Windows, Apple-Mac, and Linux. The ability to install AnyConnect in a standalone mode is also added. In addition, the Release 12.4(20)T allows you to install multiple AnyConnect VPN client packages to a gateway. For information on configuring multiple packages, see the section "Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files."
Application ACL Support
Effective with Cisco IOS Release 12.4(11)T, this feature provides administrators with the flexibility to fine-tune access control on the application layer level, for example, on the basis of a URL.
For information about configuring this feature, see the sections "Configuring ACL Rules" and "Associating an ACL Attribute with a Policy Group."
Automatic Applet Download
Effective with Cisco IOS Release 12.4(9)T, administrators have the option of automatically downloading the port-forwarding Java applet. This feature must be configured on a group policy basis.
Note Users still have to allow the Java applet to be downloaded. The dialog box pops up, asking for permission.
To configure the automatic download, see the section "Configuring an SSL VPN Policy Group."
Backend HTTP Proxy
This feature, added in Cisco IOS Release 12.4(20)T, allows administrators to route user requests through a backend HTTP proxy, providing more flexibility and controllability than routing requests through internal web servers. This feature adds the following new authentication, authorization, and accounting (AAA) attributes:
For information about configuring this feature, see the section "Configuring a Backend HTTP Proxy."
Front-Door VRF Support
Effective with Cisco IOS Release 12.4(15)T, front-door virtual routing and forwarding (FVRF) support, coupled with the already supported internal virtual routing and forwarding (IVRF), provides for increased security. The feature allows the SSL VPN gateway to be fully integrated into a Multiprotocol Label Switching (MPLS) or non-MPLS network (wherever the VRFs are deployed). The virtual gateway can be placed into a VRF that is separate from the Internet to avoid internal MPLS and IP network exposure. This placement reduces the vulnerability of the router by separating the Internet routes or the global routing table. Clients can now reach the gateway by way of the FVRF, which can be separate from the global VRF. The backend, or IVRF, functionality remains the same.
This FVRF feature provides for overlapping IP addresses.
Figure 5 is a scenario in which FVRF has been applied.
Figure 5 Scenario in Which FVRF Has Been Applied
To configure FVRF, see "Configuring FVRF" section.
Full-Tunnel CEF Support
Effective with Cisco IOS Release 12.4(20)T, Full-Tunnel Cisco Express Forwarding (CEF) support has been added for better throughput performance than in earlier releases. This feature is enabled by default. To turn off full-tunnel CEF support, use the no webvpn cef command.
Note To take full advantage of CEF support, the hardware crypto engine is required.
For an example of output showing CEF-processed packets, see the section "CEF-Processed Packets: Example."
GUI Enhancements
In Cisco IOS Release 12.4(15)T, ergonomic improvements were made to the GUI user interface of the Cisco IOS SSL VPN gateway. The improved customization of the user interface provides for greater flexibility and the ability to tailor portal pages for individualized looks. Enhancements were made to the following web screens:
•Login screen
•Portal page
Login Screen
Figure 6 is an example of a typical login screen.
Figure 6 Typical Login Screen
Banner
The banner is a small pop-up box (see Figure 7) that appears after the user is logged in and before the portal page appears.
The message in the pop-up box is configured using the banner command.
Figure 7 Banner
Customizing a Login Page
Login screens can be customized by an administrator. Figure 8 shows the fields that can be customized.
For information about setting various elements of the login page, see the document Cisco IOS Security Command Reference, Release 12.4T, for the logo, title, title-color, login-message, text-color, secondary-color, login-photo, and color commands.
Figure 8 Login Page with Callouts of the Fields That Can Be Customized
Portal Page
The portal page (Figure 9) is the main page for the SSL VPN functionality. You can customize this page to contain the following:
•Custom logo (the default is the Cisco bridge logo)
•Custom title (the default is "WebVPN Services")
•Custom banner (the default is an empty string)
•Custom colors (the default is a combination of white and greens)
•List of web server links (can be customized)
Note The Bookmark links are listed under the Personal folder, and the server links are listed under Network File in Figure 9.
•URL entry box (may be present or can be hidden using the hide-url-bar command)
•Thin Client link (may or may not be present)
Note The Application Access box allows you to download and install the Tunnel Connection and Thin Client Application.
•Links for Help, Home (that is, the portal page), and Logout
Items that you have not configured are not displayed on the portal page.
Note E-mail access is supported by thin-client mode, which is downloaded using the Thin Client link.
Figure 9 is an example of a typical portal page.
Figure 9 Typical Portal Page
Customizing a Portal Page
Portal pages can be customized by an administrator. Figure 10 shows various fields, including the fields that can be customized by an administrator. The fields that can be customized by an administrator are as follows:
•Title
•Logo
•Secondary color
•Administrator-defined bookmarks
•Color
Figure 10 Portal Page with Callouts of Various Fields, Including Those That Can Be Customized
Table 2 provides information about various fields on the portal page. For information about setting elements such as color or titles, see command information in the Cisco IOS Security Command Reference, Release 12.4T, for the logo, title, title-color, functions, port-forward, color, secondary-text-color, url-list, secondary-color, and hide-url-bar commands.
Table 2 Information About Fields on the Portal Page
Field
|
Description
|
User-level bookmark add icon
|
If a user clicks it, a dialog box is added so that a new bookmark can be added to the Personal folder.
|
Network File location bar
|
A user can enter the file server here. Both of the functions file-access and functions file-entry commands must be configured for the input box to appear.
|
Header
|
Shares the same color value as the title.
|
Last login
|
Timestamp of the last login.
|
Browse network
|
Allows a user to browse the file network. Both commands functions file-access and functions file-browse must be configured for the icon to appear.
|
Tunnel Connection
|
A user can choose when to start the tunnel connection by configuring the functions svc-enabled command.
|
Port forwarding
|
Downloads the applet and starts port forwarding.
|
User-level bookmark edit icon
|
Allows a user to edit or delete an existing bookmark.
|
User-level bookmarks
|
A user can add a bookmark by using the plus icon (see below)
on the bookmark panel or toolbar. See the document SSL VPN Remote User Guide for information about the toolbar. A new window is opened when the link is clicked.
|
Administrator-defined bookmarks
|
Administrator-defined URL lists cannot be edited by the user.
|
URL address bar
|
A new window is opened when a user clicks Go.
|
Internationalization
The Internationalization feature provides multilanguage support for messages initiated by the headend for SSL VPN clients, such as Cisco Secure Desktop (CSD) and SSL VPN Client (SVC). With the Internationalization feature, administrators can import their own attribute files in an XML format so that other languages can be imported using an editor that supports multilanguages.
Figure 11 shows a portal page in English. Users can select any language you have imported for certain SSL VPN web pages (currently: login message, title page, and URL lists).
Figure 11 Portal Page in English
Figure 12 shows that an administrator has imported files in Japanese. A user has selected Japanese as the language for certain SSL VPN web pages (currently: login message, title, and URL lists).
Figure 12 Portal Page in Japanese
For information about configuring this feature, see the "Configuring Internationalization" section. For examples relating to this feature, see the "Internationalization: Examples" section.
Max-User Limit Message
When a user tries to log in to a Web VPN context and the maximum user limit has been reached, he or she receives an "Max-user limit reached" message.
Netegrity Cookie-Based Single SignOn Support
The Netegrity SiteMinder product provides a Single SignOn (SSO) feature that allows a user to log on a single time for various web applications. The benefit of this feature is that users are prompted to log on only once. This feature is accomplished by setting a cookie in the browser of a user when the user initially logs on.
Effective with Cisco IOS Release 12.4(11)T, Netegrity cookie-based SSO is integrated with SSL VPN. It allows administrators to configure an SSO server that sets a SiteMinder cookie in the browser of a user when the user initially logs on. This cookie is validated by a SiteMinder agent on subsequent user requests to resources that are protected by a SiteMinder realm. The agent decrypts the cookie and verifies whether the user has already been authenticated.
For information about configuring SSO Netegrity Cookie Support and associating it with a policy group using the CLI, see the sections "Configuring SSO Netegrity Cookie Support for a Virtual Context" and "Associating an SSO Server with a Policy Group," respectively.
An SSO server can also be associated with a policy group using RADIUS attributes, as in the following example:
webvpn:sso-server-name=server1
For a list of RADIUS attribute-value (AV) pairs that support SSL VPN, see the section "Configuring RADIUS Attribute Support for SSL VPN."
NTLM Authentication
NT LAN Manager (NTLM) is supported for SSL VPN effective with Cisco IOS Release 12.4(9)T. The feature is configured by default.
RADIUS Accounting
Effective with Cisco IOS Release 12.4(9)T, this feature provides for RADIUS accounting of SSL VPN user sessions.
For information about configuring SSL VPN RADIUS accounting for SSL VPN user sessions, see the section "Configuring RADIUS Accounting for SSL VPN User Sessions."
For more information about configuring RADIUS accounting, see the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide, Release 12.4 at the following URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_radius_external_docbase_0900e4b1805afd67_4container_external_docbase_0900e4b1807af99d.html
For a list of RADIUS AV pairs that support SSL VPN, see the section "Configuring RADIUS Attribute Support for SSL VPN."
Stateless High Availability with Hot Standby Router Protocol
Hot Standby Router Protocol (HSRP) provides high network availability by routing IP traffic from hosts on ethernet networks without having to rely on the availability of any single router. HSRP is particularly useful for hosts that do not support a router discovery protocol, such as ICMP Router Discovery Protocol (IRDP), and that do not have the functionality to switch to a new router when their selected router reloads or loses power. Without this functionality, a router that loses its default gateway because of a router failure is unable to communicate with the network.
HSRP is configurable on LAN interfaces using standby command-line interface (CLI). It is now possible to use the standby IP address from an interface as the local IPsec identity, or local tunnel endpoint.
By using the standby IP address as the SSL VPN gateway address, failover can be applied to VPN routers by using HSRP. Remote SSLVPN users connect to the local VPN gateway using the standby address that belongs to the active device in the HSRP group. In the event of failover, the standby device takes over ownership of the standby IP address and begins to service remote VPN users.
Using the Stateless High Availability with Hot Standby Router Protocol feature, the remote user has to be aware of only the HSRP standby address instead of a list of gateway addresses.
Figure 13 shows the enhanced HSRP functionality topology. Traffic is serviced by the active Router P, the active device in the standby group. In the event of failover, traffic is diverted to Router S, the original standby device. Router S assumes the role of the new active router and takes ownership of the standby IP address.
Figure 13 Stateless High Availability with HSRP for SSL VPN
For information about configuring Stateless High Availability with HSRP, see "Configuring Stateless High Availability with HSRP for SSL VPN" section.
Note In case of a failover, HSRP does not facilitate SSL VPN state information transference between VPN gateways. Without this state transference, existing SSL VPN sessions with the remote users will be deleted, requiring users to reauthenticate and establish SSL VPN sessions with the new active gateway.
TCP Port Forwarding and Thin Client
Note This feature requires the JRE version 1.4 or later releases to properly support SSL connections.
Note Because this feature requires installing JRE and configuring the local clients, and because doing so requires administrator permissions on the local system, it is unlikely that remote users will be able to use applications when they connect from public remote systems.
When the remote user clicks the Start button of the Thin Client Application (under "Application Access), a new window is displayed. This window initiates the downloading of a port-forwarding applet. Another window is then displayed. This window asks the remote user to verify the certificate with which this applet is signed. When the remote user accepts the certificate, the applet starts running, and port-forwarding entries are displayed (see Figure 14). The number of active connections and bytes that are sent and received is also listed on this window.
Note When remote users launch Thin Client, their system may display a dialog box regarding digital certificates, and this dialog box may appear behind other browser windows. If the remote user connection hangs, tell the remote user to minimize the browser windows to check for this dialog box.
You should have configured IP addresses, Domain Name System (DNS) names, and port numbers for the e-mail servers. The remote user can then launch the e-mail client, which is configured to contact the above e-mail servers and send and receive e-mails. POP3, IMAP, and SMTP protocols are supported.
The window attempts to close automatically if the remote user is logged out using JavaScript. If the session terminated and a new port forwarding connection is established, the applet displays an error message.
Figure 14 TCP Port Forwarding Page
Caution Users should always close the Thin Client window when finished using applications by clicking the close icon. Failure to quit the window properly can cause Thin Client or the applications to be disabled. See the section "Application Access—Recovering from Hosts File Errors" in the document SSL VPN Remote User Guide.
Table 3 lists remote system requirements for Thin Client.
Table 3 SSL VPN Remote System Thin Client Requirements
Remote User System Requirements
|
Specifications or Use Suggestions
|
Client applications installed.
|
—
|
Cookies enabled on browser.
|
—
|
Administrator privileges.
|
You must be the local administrator on your PC.
|
Sun Microsystems JRE version 1.4 or later installed.
|
SSL VPN automatically checks for JRE whenever the remote user starts Thin Client. If it is necessary to install JRE, a pop-up window displays directing remote users to a site where it is available.
|
Client applications configured, if necessary.
Note The Microsoft Outlook client does not require this configuration step.
|
To configure the client application, use the locally mapped IP address and port number of the server. To find this information, do the following:
•Start SSL VPN on the remote system and click the Thin Client link on the SSL VPN home page. The Thin Client window is displayed.
•In the Name column, find the name of the server that you want to use, and then identify its corresponding client IP address and port number (in the Local column).
•Use this IP address and port number to configure the client application. The configuration steps vary for each client application.
|
Windows XP SP2 patch.
|
If you are running Windows XP SP2, you must install a patch from Microsoft that is available at the following address:
http://support.microsoft.com/?kbid=884020
This problem is a known Microsoft issue.
|
URL Obfuscation
The URL Obfuscation feature provides administrators with the ability to obfuscate, or mask, sensitive portions of an enterprise URL, such as IP addresses, hostnames, or part numbers. For example, if URL masking is configured for a user, the URL in the address bar could have the port and hostname portion garbled, as in this example:
https://slvpn-gateway.examplecompany.com/http/cF9HxnBjRmSFEzBWpDtfXfigzL559MQo51Qj/cgi-bin/submit.p
For information about configuring this feature, see the section "Associating an SSO Server with a Policy Group."
URL Rewrite Splitter
Effective with Cisco IOS Release 12.4(20)T, the URL Rewrite Splitter feature allows administrators to mangle selective URLs. Mangling is a CPU-intensive and time-consuming process, so mangling only selective URLs can result in a savings of memory and time.
For information about configuring this feature, see the section "Configuring a URL Rewrite Splitter."
User-Level Bookmarking
Effective with Cisco IOS Release 12.4(15)T, users can bookmark URLs while connected through an SSL VPN tunnel. Users can access the bookmarked URLs by clicking the URLs.
User-level bookmarking is turned by default. There is no way to turn it off. To set the storage location, administrators can use the user-profile location command. If the user-profile location command is not configured, the location flash:/webvpn/{context name}/ is used.
Virtual Templates
A virtual template enables SSL VPN to interoperate with IP features such as network address translation (NAT), firewall, and policy-based routing.
For information about configuring this feature, see the section "Configuring a Virtual Template."
Other SSL VPN Features
Table 4 lists the requirements for various SSL VPN features.
Table 4 SSL VPN Remote User System Requirements
Task
|
Remote User System Requirements
|
Additional Information
|
Web Browsing
|
Usernames and passwords for protected websites
|
Users should log out on SSL VPN sessions when they are finished.
|
|
| |
The look and feel of web browsing with SSL VPN might be different from what users are accustomed to. For example, when they are using SSL VPN, the following should be noted:
•The SSL VPN title bar appears above each web page.
•Websites can be accessed as follows:
–Entering the URL in the Enter Web Address field on the SSL VPN home page
–Clicking a preconfigured website link on the SSL VPN home page
–Clicking a link on a webpage accessed by one of the previous two methods
Also, depending on how a particular account was configured, the following might have occurred:
•Some websites are blocked.
•Only the websites that appear as links on the SSL VPN home page are available.
|
Network Browsing and File Management
|
File permissions configured for shared remote access
|
Only shared folders and files are accessible through SSL VPN.
|
Server name and passwords are necessary for protected file servers
|
|
Domain, workgroup, and server names where folders and files reside
|
A user might not be familiar with how to locate his or her files through the network of an organization.
|
Note The user should not interrupt the Copy File to Server operation or navigate to a different window while the copying is in progress. Interrupting this operation can cause an incomplete file to be saved on the server.
|
Using e-mail:
Thin Client
|
Same requirements as for Thin Client (see the "TCP Port Forwarding and Thin Client" section)
|
To use e-mail, users must start Thin Client from the SSL VPN home page. The e-mail client is then available for use.
|
Note If a user is using an IMAP client and loses the e-mail server connection or is unable to make a new connection, the user should close the IMAP application and restart SSL VPN.
|
Other Mail Clients
|
Microsoft Outlook Express versions 5.5 and 6.0 have been tested.
SSL VPN should support other SMTPS, POP3S, or IMAP4S e-mail programs, such as Netscape Mail, Lotus Notes, and Eudora, but they have not been verified.
|
Using e-mail:
Web Access
|
Web-based e-mail product installed
|
Supported products are as follows:
•OWA 5.5, 2000, and 2003
Netscape, Mozilla, and Internet Explorer are supported with OWA 5.5 and 2000.
Internet Explorer 6.0 or later version is required with OWA 2003. Netscape and Mozilla are supported with OWA 2003.
•Lotus Notes
Operating system support:
Note Later versions of the following browsers are also supported.
•Microsoft Windows 2000, Windows XP, or Windows Vista
•Macintosh OS X 10.4.6
•Linux (Redhat RHEL 3.0 +, FEDORA 5, or FEDORA 6)
SSL VPN-supported browser:
The following browsers have been verified for SSL VPN. Other browsers might not fully support SSL VPN features.
Note Later versions of the following software are also supported.
•Internet Explorer 6.0 or 7.0
•Firefox 2.0 (Windows and Linux)
•Safari 2.0.3
Other web-based e-mail products should also work, but they have not been verified.
|
Using the Cisco Tunnel Connection
|
|
To retrieve Tunnel Connection log messages using the Windows Event Viewer, go to Program Files > Administrative Tools > Event Viewer in Windows.
|
Using Secure Desktop Manager
|
A Secure Desktop Manager-supported browser
|
On Microsoft Windows:
•Internet Explorer version 6.0 or 7.0
•Netscape version 7.2
On Linux:
•Netscape version 7.2
|
Using Cache Cleaner or Secure Desktop
|
A Cisco Secure Desktop-supported browser
|
Any browser supported for Secure Desktop Manager.
|
Platform Support
For information about platform support for the SSL VPN feature, see the data sheet Cisco IOS SSL VPN ("Feature Availability" section).
How to Configure SSL VPN Services on a Router
This section contains the following tasks and shows whether they are required or optional:
Configuring and Enabling SSL VPN Services
•Configuring an SSL VPN Gateway (required)
•Configuring a Generic SSL VPN Gateway (optional)
•Configuring an SSL VPN Context (required)
•Configuring an SSL VPN Policy Group (required)
Configuring AAA-Related Features for SSL VPN
•Configuring Local AAA Authentication for SSL VPN User Sessions (optional)
•Configuring AAA for SSL VPN Users Using a Secure Access Control Server (optional)
•Configuring RADIUS Accounting for SSL VPN User Sessions (optional)
•Monitoring and Maintaining RADIUS Accounting for an SSL VPN Session (optional)
•Configuring RADIUS Attribute Support for SSL VPN (optional)
Customizing and Enabling SSL VPN Features
•Configuring a URL List for Clientless Remote Access (optional)
•Configuring Microsoft File Shares for Clientless Remote Access (optional)
•Configuring Citrix Application Support for Clientless Remote Access (optional)
•Configuring Application Port Forwarding (optional)
•Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files (optional)
•Configuring Cisco Secure Desktop Support (optional)
•Configuring Cisco AnyConnect VPN Client Full Tunnel Support (optional)
•Configuring Advanced SSL VPN Tunnel Features (optional)
•Configuring VRF Virtualization (optional)
•Configuring ACL Rules (optional)
•Associating an ACL Attribute with a Policy Group (optional)
•Configuring SSO Netegrity Cookie Support for a Virtual Context (optional)
•Associating an SSO Server with a Policy Group (optional)
•Configuring URL Obfuscation (Masking) (optional)
•Adding a CIFS Server URL List to an SSL VPN Context and Attaching It to a Policy Group (optional)
•Configuring User-Level Bookmarks (optional)
•Configuring FVRF (optional)
•Disabling Full-Tunnel CEF (optional)
•Configuring Automatic Authentication and Authorization (optional)
•Configuring a URL Rewrite Splitter (optional)
•Configuring a Backend HTTP Proxy (optional)
•Configuring Stateless High Availability with HSRP for SSL VPN (optional)
•Configuring Internationalization (optional)
•Configuring a Virtual Template (optional)
Monitoring and Maintaining SSL VPN Features
•Using SSL VPN Clear Commands (optional)
•Verifying SSL VPN Configurations (optional)
•Using SSL VPN Debug Commands (optional)
Configuring an SSL VPN Gateway
The SSL VPN gateway acts as a proxy for connections to protected resources. Protected resources are accessed through an SSL-encrypted connection between the gateway and a web-enabled browser on a remote device, such as a personal computer. Entering the webvpn gateway command places the router in SSL VPN gateway configuration mode. The following are accomplished in this task:
•The gateway is configured with an IP address.
•A port number is configured to carry HTTPS traffic (443 is default).
•A hostname is configured for the gateway.
•Crypto encryption and trust points are configured.
•The gateway is configured to redirect HTTP traffic (port 80) over HTTPS.
•The gateway is enabled.
SSL VPN Encryption
The SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a web browser and its native SSL encryption. The ssl encryption command is configured to restrict the encryption algorithms that SSL uses in Cisco IOS software.
Note There is a known compatibility issue with the encryption type and Java. If the Java port-forwarding applet does not download properly and the configuration line ssl encryption 3des-sha1 aes-sha1 is present, you should remove the line from the webvpn gateway subconfiguration.
SSL VPN Trustpoints
The configuration of the ssl trustpoint command is required only if you need to configure a specific CA certificate. A self-signed certificate is automatically generated when an SSL VPN gateway is put in service.
SUMMARY STEPS
Required Steps
1. enable
2. configure terminal
3. webvpn gateway name
Optional Steps
4. hostname name
5. ip address number [port number] [standby name]
6. http-redirect [port number]
7. ssl encryption [3des-sha1] [aes-sha1] [rc4-md5]
8. ssl trustpoint name
9. inservice
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn gateway name
Example:
Router(config)# webvpn gateway GW_1
|
Enters webvpn gateway configuration mode to configure an SSL VPN gateway.
•Only one gateway is configured in an SSL VPN-enabled network.
|
Step 4
|
hostname name
Example:
Router(config-webvpn-gateway)# hostname VPN_1
|
Configures the hostname for an SSL VPN gateway.
|
Step 5
|
ip address number [port number] [standby name]
Example:
Router(config-webvpn-gateway)# ip address
10.1.1.1
|
Configures a proxy IP address on an SSL VPN gateway.
•port—Specifies the port number for proxy traffic. A number from 1 to 65535 can be entered for this argument.
•standby—Indicates that the gateway is standby. A redundancy group name must be entered for the name argument.
|
Step 6
|
http-redirect [port number]
Example:
Router(config-webvpn-gateway)# http-redirect
|
Configures HTTP traffic to be carried over HTTPS.
•When this command is enabled, the SSL VPN gateway listens on port 80 and redirects HTTP traffic over port 443 or the port number specified with the port keyword.
|
Step 7
|
ssl encryption [3des-sha1] [aes-sha1] [rc4-md5]
Example:
Router(config-webvpn-gateway)# ssl encryption
rc4-md5
|
Specifies the encryption algorithm that the SSL protocol uses for SSL VPN connections.
•The ordering of the algorithms specifies the preference.
|
Step 8
|
ssl trustpoint name
Example:
Router(config-webvpn-gateway)# ssl trustpoint
CA_CERT
|
(Optional if a self-signed certificate is to be used.) Configures the certificate trust point on an SSL VPN gateway.
Tip Entering the no form of this command configures the SSL VPN gateway to revert to using an autogenerated self-signed certificate.
|
Step 9
|
inservice
Example:
Router(config-webvpn-gateway)# inservice
|
Enables an SSL VPN gateway.
A gateway cannot enabled or put "in service" until a proxy IP address has been configured.
|
What to Do Next
SSL VPN context and policy group configurations must be configured before an SSL VPN gateway can be operationally deployed. Proceed to the section "Configuring an SSL VPN Context" to see information on SSL VPN context configuration.
Configuring a Generic SSL VPN Gateway
To configure a generic SSL VPN gateway, perform the following steps in privileged EXEC mode.
Note The advantage of this configuration over the one in the configuration task "Configuring an SSL VPN Gateway" is that basic commands and context can be configured quickly using just the webvpn enable command.
SUMMARY STEPS
1. enable
2. webvpn enable gateway-addr ip-address
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
webvpn enable gateway-addr ip-address
Example:
Router# webvpn enable gateway-addr 10.1.1.1
|
Enables an SSL VPN gateway.
|
Configuring an SSL VPN Context
The SSL VPN context defines the virtual configuration of the SSL VPN. Entering the webvpn context command places the router in SSL VPN configuration mode. The following are accomplished in this task:
•A gateway and domain is associated.
•The AAA authentication method is specified.
•A group policy is associated.
•The remote user portal (web page) is customized.
•A limit on the number users sessions is configured.
•The context is enabled.
Context Defaults
The ssl authenticate verify all command is enabled by default when a context configuration is created. The context cannot be removed from the router configuration while an SSL VPN gateway is in an enabled state (in service).
Configuring a Virtual Host
A virtual hostname is specified when multiple virtual hosts are mapped to the same IP address on the SSL VPN gateway (similar to the operation of a canonical domain name). The virtual hostname differentiates host requests on the gateway. The host header in the HTTP message is modified to direct traffic to the virtual host. The virtual hostname is configured with the gateway command in webvpn context configuration mode.
Prerequisites
The SSL VPN gateway configuration has been completed.
SUMMARY STEPS
Required Steps
1. enable
2. configure terminal
3. webvpn context name
Optional Steps
4. aaa authentication {domain name | list name}
5. policy group name
6. exit
7. default-group-policy name
8. exit
9. gateway name [domain name | virtual-host name]
10. inservice
11. login-message [message-string]
12. logo [file filename | none]
13. max-users number
14. secondary-color color
15. secondary-text-color {black | white}
16. title [title-string]
17. title-color color
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
Tip The context can be optionally named using the domain or virtual hostname. This is recommended as a best practice. It simplifies the management of multiple context configurations.
|
Step 4
|
aaa authentication {domain name | list name}
Example:
Router(config-webvpn-context)# aaa authentication
domain SERVER_GROUP
|
Specifies a list or method for SSL VPN remote-user authentication.
Tip If this command is not configured, the SSL VPN gateway will use global authentication, authorization, and accounting (AAA) parameters (if configured) for remote-user authentication.
|
Step 5
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Creates a policy group within the SSL VPN context and enters webvpn group policy configuration mode.
•Used to define a policy that can be applied to the user.
|
Step 6
|
exit
Example:
Router(webvpn-group-policy)# exit
|
Exits webvpn group policy configuration mode.
|
Step 7
|
default-group-policy name
Example:
Router(webvpn-group-policy)# default-group-policy
ONE
|
Associates a group policy with an SSL VPN context configuration.
•This command is configured to attach the policy group to the SSL VPN context when multiple group policies are defined under the context.
•This policy will be used as default, unless a AAA server pushes an attribute that specifically requests another group policy.
|
Step 8
|
exit
Example:
Router(webvpn-group-policy)# exit
|
Exits webvpn group policy configuration mode.
|
Step 9
|
gateway name [domain name | virtual-host name]
Example:
Router(config-webvpn-context)# gateway GW_1 domain
cisco.com
|
Associates an SSL VPN gateway with an SSL VPN context.
•The gateway configured in the first configuration task table is associated with the SSL VPN context in this configuration step.
|
Step 10
|
inservice
Example:
Router(config-webvpn-gateway)# inservice
|
Enables an SSL VPN context configuration.
•The context is put "in service" by entering this command. However, the context is not operational until it is associated with an enabled SSL VPN gateway.
|
Step 11
|
login-message [message-string]
Example:
Router(config-webvpn-context)# login-message
"Please enter your login credentials"
|
Configures a message for the user login text box displayed on the login page.
|
Step 12
|
logo [file filename | none]
Example:
Router(config-webvpn-context)# logo file
flash:/mylogo.gif
|
Configures a custom logo to be displayed on the login and portal pages of an SSL VPN.
•The source image file for the logo is a gif, jpg, or png file that is up to 255 characters in length (filename) and up to 100 KB in size.
•The file is referenced from a local file system, such as flash memory. An error message will be displayed if the file is not referenced from a local file system.
•No logo will be displayed if the image file is removed from the local file system.
|
Step 13
|
max-users number
Example:
Router(config-webvpn-context)# max-users 500
|
Limits the number of connections to an SSL VPN that will be permitted.
|
Step 14
|
secondary-color color
Example:
Router(config-webvpn-context)# secondary-color
darkseagreen
Router(config-webvpn-context)# secondary-color
#8FBC8F
Router(config-webvpn-context)# secondary-color
143,188,143
|
Configures the color of the secondary title bars on the login and portal pages of an SSL VPN.
•The value for the color argument is entered as a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a pound sign [#]), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):
–\#/x{6}
–\d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)
–\w+
•The default color is purple.
•The example shows the three forms that the color can be configured.
|
Step 15
|
secondary-text-color {black | white}
Example:
Router(config-webvpn-context)#
secondary-text-color white
|
Configures the color of the text on the secondary bars of an SSL VPN.
•The color of the text on the secondary bars must be aligned with the color of the text on the title bar.
•The default color is black.
|
Step 16
|
title [title-string]
Example:
Router(config-webvpn-context)# title "Secure
Access: Unauthorized users prohibited"
|
Configures the HTML title string that is shown in the browser title and on the title bar of an SSL VPN.
•The optional form of the title command is entered to configure a custom text string. If this command is issued without entering a text string, a title will not be displayed in the browser window. If the no form of this command is used, the default title string "WebVPN Service" is displayed.
|
Step 17
|
title-color color
Example:
Router(config-webvpn-context)# title-color
darkseagreen
Router(config-webvpn-context)# title-color #8FBC8F
Router(config-webvpn-context)# title-color
143,188,143
|
Specifies the color of the title bars on the login and portal pages of an SSL VPN.
•The value for the color argument is entered as a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a pound sign [#]), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):
–\#/x{6}
–\d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)
–\w+
•The default color is purple.
•The example shows the three forms that can be used to configure the title color.
|
What to Do Next
An SSL VPN policy group configuration must be defined before an SSL VPN gateway can be operationally deployed. Proceed to the next section to see information on SSL VPN policy group configuration.
Configuring an SSL VPN Policy Group
The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in webvpn group policy configuration mode. After it is configured, the group policy is attached to the SSL VPN context configuration by configuring the default-group-policy command. The following tasks are accomplished in this configuration:
•The presentation of the SSL VPN portal page is configured.
•A NetBIOS server list is referenced.
•A port-forwarding list is referenced.
•The idle and session timers are configured.
•A URL list is referenced.
Outlook Web Access 2003
OWA 2003 is supported by the SSL VPN gateway upon competition of this task. The Outlook Exchange Server must be reachable by the SSL VPN gateway via TCP/IP.
URL-List Configuration
A URL list can be configured under the SSL VPN context configuration and then separately for each individual policy group configuration. Individual URL list configurations must have unique names.
SUMMARY STEPS
Required Steps
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
Optional Steps
5. banner string
6. hide-url-bar
7. nbns-list name
8. port-forward name [auto-download [http-proxy [proxy-url homepage-url]] | http-proxy [proxy-url homepage-url] [auto-download]]
9. timeout {idle seconds | session seconds}
10. url-list name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 5
|
banner string
Example:
Router(config-webvpn-group)# banner "Login
Successful"
|
Configures a banner to be displayed after a successful login.
|
Step 6
|
hide-url-bar
Example:
Router(config-webvpn-group)# hide-url-bar
|
Prevents the URL bar from being displayed on the SSL VPN portal page.
|
Step 7
|
nbns-list name
Example:
Router(config-webvpn-group)# nbns-list
SERVER_LIST
|
Attaches a NetBIOS Name Service (NBNS) server list to a policy group configuration.
•The NBNS server list is first defined in SSL VPN NBNS list configuration mode.
|
Step 8
|
port-forward name [auto-download [http-proxy
[proxy-url homepage-url]] | http-proxy
[proxy-url homepage-url] [auto-download]]
Example:
Router(config-webvpn-group)# port-forward EMAIL
auto-download http-proxy proxy-url
"http://www.example.com"
|
Attaches a port-forwarding list to a policy group configuration.
•auto-download—(Optional) Allows for automatic download of the port-forwarding Java applet on the portal page of a website.
•http-proxy—(Optional) Allows the Java applet to act as a proxy for the browser of the user.
•proxy-url—(Optional) Page at this URL address opens as the portal (home) page of the user.
•homepage-url—URL of the homepage.
|
Step 9
|
timeout {idle seconds | session seconds}
Example:
Router(config-webvpn-group)# timeout idle 1800
Router(config-webvpn-group)# timeout session
36000
|
Configures the length of time that a remote user session can remain idle or the total length of time that the session can remain connected.
•Upon expiration of either timer, the remote user connection is closed. The remote user must login (reauthenticate) to access the SSL VPN.
|
Step 10
|
url-list name
Example:
Router(config-webvpn-group)# url-list ACCESS
|
Attaches a URL list to policy group configuration.
|
What to Do Next
At the completion of this task, the SSL VPN gateway and context configurations are operational and enabled (in service), and the policy group has been defined. The SSL VPN gateway is operational for clientless remote access (HTTPS only). Proceed to the next section to see information about configuring AAA for remote-user connections.
Configuring Local AAA Authentication for SSL VPN User Sessions
The steps in this task show how to configure a local AAA database for remote-user authentication. AAA is configured in global configuration mode. In this task, the aaa authentication command is not configured under the SSL VPN context configuration. Omitting this command from the SSL VPN context configuration causes the SSL VPN gateway to use global authentication parameters by default.
Prerequisites
SSL VPN gateway and context configurations are enabled and operational.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. username {name secret [0 | 5] password}
5. aaa authentication login default local
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables the AAA access control model.
|
Step 4
|
username {name secret [0 | 5] password}
Example:
Router(config)# username USER1 secret 0 PsW2143
|
Establishes a username based authentication system.
•Entering 0 configures the password as clear text. Entering 5 encrypts the password.
|
Step 5
|
aaa authentication login default local
Example:
Router(config)# aaa authentication login
default local
|
Configures local AAA authentication.
|
What to Do Next
The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, as shown in this task, or the database can be accessed through any RADIUS or TACACS+ AAA server.
It is recommended that you use a separate AAA server, such as a Cisco ACS. A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions. Proceed to the next section to see more information.
Configuring AAA for SSL VPN Users Using a Secure Access Control Server
The steps in this task show how to configure AAA using a separate RADIUS or TACACS+ server. AAA is configured in global configuration mode. The authentication list/method is referenced in the SSL VPN context configuration with the aaa authentication command. The steps in this task configure AAA using a RADIUS server.
Prerequisites
•SSL VPN gateway and context configurations are enabled and operational.
•A RADIUS or TACACS+ AAA server is operational and reachable from the SSL VPN gateway.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa group server {radius group-name | tacacs+ group-name}
5. server ip-address [auth-port port-number] [acct-port port-number]
6. exit
7. aaa authentication login {default | list-name} method1 [method2...]
8. radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}]
9. webvpn context name
10. aaa authentication {domain name | list name}
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables the AAA access control model.
|
Step 4
|
aaa group server {radius group-name | tacacs+
group-name}
Example:
Router(config)# aaa group server radius
myServer
|
Configures a RADIUS or TACACS+ server group and specifies the authentication list or method, and enters server-group configuration mode.
|
Step 5
|
server ip-address [auth-port port-number]
[acct-port port-number]
Example:
Router(config-sg-radius)# server 10.1.1.20
auth-port 1645 acct-port 1646
|
Configures the IP address of the AAA group server.
|
Step 6
|
exit
Example:
Router(config-sg-radius)# exit
|
Exits server-group configuration mode.
|
Step 7
|
aaa authentication login {default | list-name}
method1 [method2...]
Example:
Router(config)# aaa authentication login
default local group myServer
|
Sets AAA login parameters.
|
Step 8
|
radius-server host {hostname | ip-address}
[auth-port port-number] [acct-port port-number]
[timeout seconds] [retransmit retries] [key
string] [alias {hostname | ip-address}]
Example:
Router(config)# radius-server host 10.1.1.20
auth-port 1645 acct-port 1646
|
Specifies a host as the group server.
|
Step 9
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters SSL VPN configuration mode to configure the SSL VPN context.
|
Step 10
|
aaa authentication {domain name | list name}
Example:
Router(config-webvpn-context)# aaa
authentication domain myServer
|
Configures AAA authentication for SSL VPN sessions.
|
What to Do Next
Proceed to the section "Configuring RADIUS Attribute Support for SSL VPN" to see RADIUS attribute-value pair information introduced to support this feature.
Configuring RADIUS Accounting for SSL VPN User Sessions
To configure RADIUS accounting for SSL VPN user sessions, perform the following steps.
Prerequisites
•Before configuring RADIUS accounting for SSL VPN user sessions, you should first have configured AAA-related commands (in global configuration mode) and have set the accounting list.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. webvpn aaa accounting list aaa-list
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
aaa new-model
Example:
Router(config)# aaa new-model
|
Enables the AAA access control model.
|
Step 4
|
webvpn aaa accounting-list aaa-list
Example:
Router(config)# webvpn aaa accounting-list SSL
VPNaaa
|
Enables AAA accounting when you are using RADIUS for SSL VPN sessions.
|
Monitoring and Maintaining RADIUS Accounting for an SSL VPN Session
To monitor and maintain your RADIUS accounting configuration, perform the following steps (the debug commands can be used together or individually).
SUMMARY STEPS
1. enable
2. debug webvpn aaa
3. debug aaa accounting
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
debug webvpn aaa
Example:
Router# debug webvpn aaa
|
Enables SSL VPN session monitoring for AAA.
|
Step 3
|
debug aaa accounting
Example:
Router# debug aaa accounting
|
Displays information on accountable events as they occur.
|
Configuring RADIUS Attribute Support for SSL VPN
This section lists RADIUS attribute-value (AV) pair information introduced to support SSL VPN. For information on using RADIUS AV pairs with Cisco IOS software, see the "Configuring RADIUS" chapter in the Cisco IOS Security Configuration Guide at the following URL:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_radius.html
Table 5 shows information about SSL VPN RADIUS attribute-value pairs.
Note All SSL VPN attributes (except for the standard IETF RADIUS attributes) start with webvpn: as follows:
webvpn:urllist-name=cisco
webvpn:nbnslist-name=cifs
webvpn:default-domain=cisco.com
Table 5 SSL VPN RADIUS Attribute-Value Pairs
Attribute
|
Type of Value
|
Values
|
Default
|
addr (Framed-IP-Address1 )
|
ipaddr
|
IP_address
|
|
addr-pool
|
string
|
name
|
|
auto-applet-download
|
integer
|
0 (disable)
1 (enable)2
|
0
|
banner
|
string
|
|
|
citrix-enabled
|
integer
|
0 (disable)
1 (enable)3
|
0
|
default-domain
|
string
|
|
|
dns-servers
|
ipaddr
|
IP_address
|
|
dpd-client-timeout
|
integer (seconds)
|
0 (disabled)-3600
|
300
|
dpd-gateway-timeout
|
integer (seconds)
|
0 (disabled)-3600
|
300
|
file-access
|
integer
|
0 (disable)
1 (enable)3
|
0
|
file-browse
|
integer
|
0 (disable)
1 (enable)3
|
0
|
file-entry
|
integer
|
0 (disable)
1 (enable)3
|
0
|
hide-urlbar
|
integer
|
0 (disable)
1 (enable)3
|
0
|
home-page
|
string
|
|
|
idletime (Idle-Timeout1)
|
integer (seconds)
|
0-3600
|
2100
|
ie-proxy-exception
|
string
|
DNS_name
|
|
ipaddr
|
IP_address
|
|
ie-proxy-server
|
ipaddr
|
IP_address
|
|
inacl
|
integer
|
1-199,
1300-2699
|
|
string
|
name
|
|
keep-svc-installed
|
integer
|
0 (disable)
1 (enable)3
|
1
|
nbnslist-name
|
string
|
name
|
|
netmask (Framed-IP-Netmask1)
|
ipaddr
|
IP_address_mask
|
|
port-forward-auto
|
integer
|
0 (disable)
1 (enable)
|
If this AV pair is not configured, the default is whatever was configured for the group policy.
If this AV pair is configured with an integer of 1, the 1 will override a group policy value of 0.
|
port-forward-http-proxy
|
integer
|
0 (disable)
1 (enable)
|
HTTP proxy is not enabled.
If this AV pair is configured with an integer of 1, the 1 will override a group policy value of 0.
|
port-forward-http-proxy-url
|
string
|
URL address (for example, http://example.com)
|
|
port-forward-name
|
string
|
name
|
|
primary-dns
|
ipaddr
|
IP_address
|
|
rekey-interval
|
integer (seconds)
|
0-43200
|
21600
|
secondary-dns
|
ipaddr
|
IP_address
|
|
split-dns
|
string
|
|
|
split-exclude4
|
ipaddr ipaddr
|
IP_address IP_address_mask
|
|
word
|
local-lans
|
|
split-include4
|
ipaddr ipaddr
|
IP_address IP_address_mask
|
|
sso-server-name
|
string
|
name
|
|
svc-enabled5
|
integer
|
0 (disable)
1 (enable)3
|
0
|
svc-ie-proxy-policy
|
word
|
none, auto, bypass-local
|
|
svc-required5
|
integer
|
0 (disable)
1 (enable)3
|
0
|
timeout (Session-Timeout1)
|
integer (seconds)
|
1-1209600
|
43200
|
urllist-name
|
string
|
name
|
|
user-vpn-group
|
string
|
name
|
|
wins-server-primary
|
ipaddr
|
IP_address
|
|
wins-servers
|
ipaddr
|
IP_address
|
|
wins-server-secondary
|
ipaddr
|
IP_address
|
|
What to Do Next
Proceed to the next section to see information about customizing the URL list configured in Step 10 of the section "Configuring an SSL VPN Policy Group."
Configuring a URL List for Clientless Remote Access
The steps in this configuration task show how to configure a URL list. The URL list, as the name implies, is a list of HTTP URLs that are displayed on the portal page after a successful login. The URL list is configured in webvpn context configuration and webvpn group policy configuration modes.
Prerequisites
SSL VPN gateway and context configurations are enabled and operational.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. url-list name
5. heading text-string
6. url-text {name url-value url}
7. exit
8. policy group name
9. url-list name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
url-list name
Example:
Router(config-webvpn-context)# url-list ACCESS
|
Enters enter webvpn URL list configuration mode to configure the list of URLs to which a user has access on the portal page of an SSL VPN.
|
Step 5
|
heading text-string
Example:
Router(config-webvpn-url)# heading "Quick
Links"
|
Configures the heading that is displayed above URLs listed on the portal page of an SSL VPN.
•The URL list heading entered as a text string. The heading must be entered inside of quotation marks if it contains spaces.
|
Step 6
|
url-text {name url-value url}
Example:
Router(config-webvpn-url)# url-text "Human
Resources" url-value hr.mycompany.com
|
Adds an entry to a URL list.
|
Step 7
|
exit
Example:
Router(config-webvpn-url)# exit
|
Exits webvpn URL list configuration mode, and enters SSL VPN context configuration mode.
|
Step 8
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 9
|
url-list name
Example:
Router(config-webvpn-group)# url-list ACCESS
|
Attaches the URL list to the policy group configuration.
|
What to Do Next
Proceed to the next section to see information about configuring clientless remote access to file shares.
Configuring Microsoft File Shares for Clientless Remote Access
In clientless remote access mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the HTTPS-enabled browser. When enabled, a list of file server and directory links are displayed on the portal page after login. The administrator can customize permissions on the SSL VPN gateway to provide limited read-only access for a single file or full-write access and network browsing capabilities. The following access capabilities can be configured:
•Network browse (listing of domains)
•Domain browse (listing of servers)
•Server browse (listing of shares)
•Listing files in a share
•Downloading files
•Modifying files
•Creating new directories
•Creating new files
•Deleting files
Common Internet File System Support
CIFS is the protocol that provides access to Microsoft file shares and support for common operations that allow shared files to be accessed or modified.
NetBIOS Name Service Resolution
Windows Internet Name Service (WINS) uses NetBIOS name resolution to map and establish connections between Microsoft servers. A single server must be identified by its IP address in this configuration. Up to three servers can be added to the configuration. If multiple servers are added, one server should be configured as the master browser.
Samba Support
Microsoft file shares can be accessed through the browser on a Linux system that is configured to run Samba.
Prerequisites
•SSL VPN gateway and context configurations are enabled and operational.
•A Microsoft file server is operational and reachable from the SSL VPN gateway over TCP/IP.
Restrictions
•Only file shares configured on Microsoft Windows 2000 or XP servers are supported.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. nbns-list name
5. nbns-server ip-address [master] [timeout seconds] [retries number]
6. exit
7. policy group name
8. nbns-list name
9. functions {file-access | file-browse | file-entry | svc-enabled | svc-required}
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
nbns-list name
Example:
Router(config-webvpn-context)# nbns-list
SERVER_LIST
|
Enters webvpn nbnslist configuration mode to configure an NBNS server list for CIFS name resolution.
|
Step 5
|
nbns-server ip-address [master] [timeout
seconds] [retries number]
Example:
Router(config-webvpn-nbnslist)# nbns-server
172.16.1.1 master
Router(config-webvpn-nbnslist)# nbns-server
172.16.2.2 timeout 10 retries 5
Router(config-webvpn-nbnslist)# nbns-server
172.16.3.3 timeout 10 retries 5
|
Adds a server to an NBNS server list and enters webvpn nbnslist configuration mode.
•The server specified with the ip-address argument can be a primary domain controller (PDC) in a Microsoft network.
•When multiple NBNS servers are specified, a single server is configured as master browser.
•Up to three NBNS server statements can be configured.
|
Step 6
|
exit
Example:
Router(config-webvpn-nbnslist)# exit
|
Exits webvpn nbnslist configuration mode and enters webvpn context configuration mode.
|
Step 7
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 8
|
nbns-list name
Example:
Router(config-webvpn-group)# nbns-list
SERVER_LIST
|
Attaches a NBNS server list to a policy group configuration.
|
Step 9
|
functions {file-access | file-browse |
file-entry | svc-enabled | svc-required}
Example:
Router(config-webvpn-group)# functions
file-access
Router(config-webvpn-group)# functions
file-browse
Router(config-webvpn-group)# functions
file-entry
|
Configures access for Microsoft file shares.
•Entering the file-access keyword enables network file share access. File servers in the server list are listed on the SSL VPN portal page when this keyword is enabled.
•Entering the file-browse keyword enables browse permissions for server and file shares. The file-access function must be enabled in order to also use this function.
•Entering the file-entry keyword enables "modify" permissions for files in the shares listed on the SSL VPN portal page.
|
Examples
NBNS Server List Example
The following example, starting in global configuration mode, configures a server list for NBNS resolution:
Router(config)# webvpn context context1
Router(config-webvpn-context)# nbns-list SERVER_LIST
Router(config-webvpn-nbnslist)# nbns-server 172.16.1.1 master
Router(config-webvpn-nbnslist)# nbns-server 172.16.2.2 timeout 10 retries 5
Router(config-webvpn-nbnslist)# nbns-server 172.16.3.3 timeout 10 retries 5
Router(config-webvpn-nbnslist)# exit
File Share Permissions Example
The following example attaches the server list to and enables full file and network access permissions for policy group ONE:
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# nbns-list SERVER_LIST
Router(config-webvpn-group)# functions file-access
Router(config-webvpn-group)# functions file-browse
Router(config-webvpn-group)# functions file-entry
Router(config-webvpn-group)# end
What to Do Next
Proceed to the next section to see information about configuring clientless remote access for Citrix- enabled applications.
Configuring Citrix Application Support for Clientless Remote Access
Clientless Citrix support allows the remote user to run Citrix-enabled applications through the SSL VPN as if the application were locally installed (similar to traditional thin-client computing). Citrix applications run on a MetaFrame XP server (or server farm). The SSL VPN gateway provides access to the remote user. The applications run in real time over the SSL VPN. This task shows how to enable Citrix support for policy group remote users.
ICA Client
The Independent Computing Architecture (ICA) client carries keystrokes and mouse clicks from the remote user to the MetaFrame XP server. ICA traffic is carried over TCP port number 1494. This port is opened when a Citrix application is accessed. If multiple application are accessed, the traffic is carried over a single TCP session.
Prerequisites
•A Citrix Metaframe XP server is operational and reachable from the SSL VPN gateway over TCP/IP.
•SSL VPN gateway and context configurations are enabled and operational.
SUMMARY STEPS
1. enable
2. configure terminal
3. access-list access-list-number {permit | deny} protocol source destination
4. webvpn context name
5. policy group name
6. citrix enabled
7. filter citrix extended-acl
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
access-list access-list-number {permit | deny}
protocol source destination
Example:
Router (config)# access-list 100 permit ip
192.168.1.0 0.255.255.255 any
|
Configures the access list mechanism for filtering frames by protocol type or vendor code.
|
Step 4
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 5
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 6
|
citrix enabled
Example:
Router(config-webvpn-group)# citrix enabled
|
Enables Citrix application support for remote users in a policy group.
|
Step 7
|
filter citrix extended-acl
Example:
Router(config-webvpn-group)# filter citrix 100
|
Configures a Citrix Thin Client filter.
•An extended access list is configured to define the Thin Client filter. This filter is used to control remote user access to Citrix applications.
|
Examples
The following example, starting in global configuration mode, enables Citrix application support for remote users with a source IP address in the 192.168.1.0/24 network:
Router(config)# access-list 100 permit ip 192.168.1.0 0.255.255.255 any
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# citrix enabled
Router(config-webvpn-group)# filter citrix 100
What to Do Next
Support for standard applications that use well-known port numbers, such as e-mail and Telnet, can be configured using the port forwarding feature. Proceed to the next section to see more information.
Configuring Application Port Forwarding
Application port forwarding is configured for thin client mode SSL VPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP and UDP-based applications that use well-known port numbers, such as POP3, SMTP, IMAP, Telnet, and SSH.
When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. The application port mapping is restored to default when the user terminates the SSL VPN session.
Administrative Privileges on the Remote Client
When enabling port forwarding, the SSL VPN gateway will modify the hosts file on the PC of the remote user. Some software configurations and software security applications will detect this modification and prompt the remote user to select "Yes" to permit. To permit the modification, the remote user must have local administrative privileges.
Note There is a known compatibility issue with the encryption type and Java. If the Java port-forwarding applet does not download properly and the configuration line ssl encryption 3des-sha1 aes-sha1 is present, you should remove the line from the webvpn gateway subconfiguration.
Prerequisites
SSL VPN gateway and SSL VPN context configurations are enabled and operational.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. port-forward name
5. local-port number remote-server name remote-port number description text-string
6. exit
7. policy group name
8. port-forward name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
port-forward name
Example:
Router(config-webvpn-context)# port-forward
EMAIL
|
Enters webvpn port-forward list configuration mode to configure a port forwarding list.
|
Step 5
|
local-port number remote-server name
remote-port number description text-string
Example:
Router(config-webvpn-port-fwd)# local-port
30016 remote-server mail.company.com
remote-port 110 description POP3
|
Remaps (forwards) an application port number in a port forwarding list.
•The remote port number is the well-known port to which the application listens. The local port number is the entry configured in the port forwarding list. A local port number can be configured only once in a given port forwarding list.
|
Step 6
|
exit
Example:
Router(config-webvpn-port-fwd)# exit
|
Exits webvpn port-forward list configuration mode, and enters webvpn context configuration mode.
|
Step 7
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 8
|
port-forward name
Example:
Router(config-webvpn-group)# port-forward EMAIL
|
Attaches a port forwarding list to a policy group configuration.
|
Examples
The following example, starting in global configuration mode, configures port forwarding for well-known e-mail application port numbers:
Router(config)# webvpn context context1
Router(config-webvpn-context)# port-forward EMAIL
Router(config-webvpn-port-fwd)# local-port 30016 remote-server mail1.company.com
remote-port 110 description POP3
Router(config-webvpn-port-fwd)# local-port 30017 remote-server mail2.company.com
remote-port 25 description SMTP
Router(config-webvpn-port-fwd)# local-port 30018 remote-server mail3.company.com
remote-port 143 description IMAP
Router(config-webvpn-port-fwd)# exit
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# port-forward EMAIL
Router(config-webvpn-group)# end
Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files
The SSL VPN gateway is preconfigured to distribute Cisco Secure Desktop (CSD) and/or Cisco AnyConnect VPN Client software package files to remote users. The files are distributed only when CSD or Cisco AnyConnect VPN Client support is needed. The administrator performs the following tasks to prepare the gateway:
•The current software package is downloaded from www.cisco.com.
•The package file is copied to a local file system.
•The package file is installed for distribution by configuring the webvpn install command.
Note Effective with Cisco IOS Release 12.4(20)T, multiple packages can be downloaded to a gateway.
Remote Client Software Installation Requirements
The remote user must have administrative privileges, and the JRE for Windows version 1.4 or later must be installed before the CSD client package can be installed.
For Cisco AnyConnect VPN Client software installation, the remote user must have either the Java Runtime Environment for Windows (version 1.4 or later), or the browser must support or be configured to permit Active X controls.
Software Package Download
CSD and Cisco AnyConnect VPN Client software packages should be installed for distribution on the SSL VPN gateway. Download the latest version that supports your device and the image you are using (consult a compatibility matrix for your particular setup).
The CSD software package can be downloaded at the following URL:
•http://www.cisco.com/pcgi-bin/tablebuild.pl/securedesktop
The Cisco AnyConnect VPN Client software package can be downloaded at the following URL:
•http://www.cisco.com/pcgi-bin/tablebuild.pl/anyconnect
The Cisco SSL VPN Client software package can be downloaded at the following URL:
•http://www.cisco.com/pcgi-bin/tablebuild.pl/sslvpnclient
Note You will be prompted to enter your login name and password to download these files from Cisco.com.
Prerequisites
•SSL VPN gateway and context configurations are enabled and operational.
•Software installation packages are copied to a local files system, such as flash memory.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn install [csd location-name | svc location-name [sequence sequence-number]]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn install [csd location-name | svc
location-name [sequence sequence-number]]
Example:
Router(config)# webvpn install svc
flash:/webvpn/svc.pkg
or
Example:
Router(config)# webvpn install svc
vpn-2_i386-Release-2.0.0077-k9.pkg sequence 6
Router (config)# webvpn install svc
vpn-3_powerpc-Release-2.0.0077-k9.pkg sequence
8
Router (config)# webvpn install svc svc_1.pkg
sequence 4
|
Installs a CSD or Cisco AnyConnect VPN Client package file to an SSL VPN gateway for distribution to remote users.
•The CSD and Cisco AnyConnect VPN Client software packages are pushed to remote users as access is needed.
•The sequence keyword and sequence-number argument are used to install multiple packages to a gateway.
|
Examples
The following example, starting in global configuration mode, installs the Cisco AnyConnect VPN Client package to an SSL VPN gateway:
Router(config)# webvpn install svc flash:/webvpn/svc.pkg
SSL VPN Package SSL-VPN-Client : installed successfully
The following example, starting in global configuration mode, installs the CSD package to an SSL VPN gateway:
Router(config)# webvpn install csd flash:/securedesktop_10_1_0_9.pkg
SSL VPN Package Cisco-Secure-Desktop : installed successfully
The following example shows that Package B is being installed to an SSL VPN gateway:
Router (config)# webvpn install svc flash:/webvpn/packageB sequence 2
What to Do Next
Support for CSD and Cisco AnyConnect VPN Client can be enabled for remote users after the gateway has been prepared to distribute CSD or Cisco AnyConnect VPN Client software.
Configuring Cisco Secure Desktop Support
CSD provides a session-based interface where sensitive data can be shared for the duration of an SSL VPN session. All session information is encrypted. All traces of the session data are removed from the remote client when the session is terminated, even if the connection is terminated abruptly. CSD support for remote clients is enabled in this task.
Java Runtime Environment
The remote user (PC or device) must have administrative privileges, and the JRE for Windows version 1.4 or later must be installed before the CSD client packages can be installed.
Prerequisites
•SSL VPN gateway and context configurations are enabled and operational.
•The CSD software package is installed for distribution on the SSL VPN gateway.
See the "Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files" section if you have not already prepared the SSL VPN gateway to distribute CSD software.
Restrictions
•Only Microsoft Windows 2000, Windows XP, Windows Vista, Apple-Mac, and Linux are supported on the remote client.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. csd enable
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
csd enable
Example:
Router(config-webvpn-context)# csd enable
|
Enables CSD support for SSL VPN sessions.
|
What to Do Next
Upon competition of this task, the SSL VPN gateway has been configured to provide clientless and thin client support for remote users. The SSL VPN feature also has the capability to provide full VPN access (similar to IPsec). Proceed to the next section to see more information.
Configuring Cisco AnyConnect VPN Client Full Tunnel Support
The Cisco AnyConnect VPN Client is an application that allows a remote user to establish a full VPN connection similar to the type of connection that is established with an IPsec VPN. Cisco AnyConnect VPN Client software is pushed (downloaded) and installed automatically on the PC of the remote user. The Cisco AnyConnect VPN Client uses SSL to provide the security of an IPsec VPN without the complexity required to install IPsec in your network and on remote devices. The following tasks are completed in this configuration:
•An access list is applied to the tunnel to restrict VPN access.
•Cisco AnyConnect VPN Client tunnel support is enabled.
•An address pool is configured for assignment to remote clients.
•The default domain is configured.
•DNS is configured for Cisco AnyConnect VPN Client tunnel clients.
•Dead peer timers are configured the SSL VPN gateway and remote users.
•The login home page is configured.
•The Cisco AnyConnect VPN Client software package is configured to remain installed on the remote client.
•Tunnel key refresh parameters are defined.
Remote Client Software from the SSL VPN Gateway
The Cisco AnyConnect VPN Client software package is pushed from the SSL VPN gateway to remote clients when support is needed. The remote user (PC or device) must have either the Java Runtime Environment for Windows (version 1.4 later), or the browser must support or be configured to permit Active X controls. In either scenario, the remote user must have local administrative privileges.
The Address Pool
The address pool is first defined with the ip local pool command in global configuration mode. The standard configuration assumes that the IP addresses in the pool are reachable from a directly connected network.
Address Pools for Nondirectly Connected Networks
If you need to configure an address pool for IP addresses from a network that is not directly connected, perform the following steps:
1. Create a local loopback interface and configure it with an IP address and subnet mask from the address pool.
2. Configure the address pool with the ip local pool command. The range of addresses must fall under the subnet mask configured in Step 1.
3. Set up the route. If you are using the Routing Information Protocol (RIP), configure the router rip command and then the network command, as usual, to specify a list of networks for the RIP process. If you are using the Open Shortest Path First (OSPF) protocol, configure the ip ospf network point-to-point command in the loopback interface. As a third choice (instead of using the RIP or OSPF protocol), you can set up static routes to the network.
4. Configure the svc address-pool command with the name configured in Step 2.
See the examples in this section for a complete configuration example.
A Manual Entry to the IP Forwarding Table
If the SSL VPN software client is unable to update the IP forwarding table on the PC of the remote user, the following error message will be displayed in the router console or syslog:
Error : SSL VPN client was unable to Modify the IP forwarding table ......
This error can occur if the remote client does not have a default route. You can work around this error by performing the following steps:
1. Open a command prompt (DOS shell) on the remote client.
2. Enter the route print command.
3. If a default route is not displayed in the output, enter the route command followed by the add and mask keywords. Include the default gateway IP address at the end of the route statement. See the following example:
C:\>route ADD 0.0.0.0 MASK 0.0.0.0 10.1.1.1
Prerequisites
•SSL VPN gateway and context configurations are enabled and operational.
•The Cisco AnyConnect VPN Client software package is installed for distribution on the SSL VPN gateway.
•The remote client has administrative privileges. Administrative privileges are required to download the SSL VPN software client.
See the "Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files" section if you have not already prepared the SSL VPN gateway to distribute SSL VPN software.
Restrictions
Only Microsoft Windows 2000, Windows XP, Windows Vista, Apple-Mac, and Linux are supported on the remote client.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
5. filter tunnel extended-acl
6. functions {file-access | file-browse | file-entry | svc-enabled | svc-required}
7. svc address-pool name
8. svc default-domain name
9. svc dns-server {primary | secondary} ip-address
10. svc dpd-interval {client | gateway} seconds
11. svc keepalive seconds
12. svc homepage string
13. svc keep-client-installed
14. svc rekey {method {new-tunnel | ssl} | time seconds}
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 5
|
filter tunnel extended-acl
Example:
Router(config-webvpn-group)# filter tunnel 101
|
Configures an SSL VPN tunnel access filter.
•The tunnel access filter is used control network and application level access. The tunnel filter is also defined in an extended access list.
|
Step 6
|
functions {file-access | file-browse |
file-entry | svc-enabled | svc-required}
Example:
Router(config-webvpn-group)# functions
svc-enabled
Router(config-webvpn-group)# functions
svc-required
|
Configures Cisco AnyConnect VPN Client tunnel mode support.
•Entering the svc-enabled keyword enables tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install, the remote user can continue to use clientless mode or thin-client mode.
•Entering the svc-required keyword enables only tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install (on the PC of the remote user), the other access modes cannot be used.
|
Step 7
|
svc address-pool name
Example:
Router(config-webvpn-group)# svc address-pool
ADDRESSES
|
Configures configure a pool of IP addresses to assign to remote users in a policy group.
•The address pool is first defined with the ip local pool command in global configuration mode.
•If you are configuring an address pool for a network that is not directly connected, an address from the pool must be configured on a locally loopback interface. See the third example at the end of this section.
|
Step 8
|
svc default-domain name
Example:
Router(config-webvpn-group)# svc default-domain
cisco.com
|
Configures the default domain for a policy group.
|
Step 9
|
svc dns-server {primary | secondary} ip-address
Example:
Router(config-webvpn-group)# svc dns-server
primary 192.168.3.1
Router(config-webvpn-group)# svc dns-server
secondary 192.168.4.1
|
Configures DNS servers for policy group remote users.
|
Step 10
|
svc dpd-interval {client | gateway} seconds
Example:
Router(config-webvpn-group)# svc dpd-interval
gateway 30
Router(config-webvpn-group)# svc dpd-interval
client 300
|
Configures the dead peer detection (DPD) timer value for the gateway or client.
•The DPD timer is reset every time a packet is received over the SSL VPN tunnel from the gateway or remote user.
|
Step 11
|
svc keepalive seconds
Example:
Router(config-webvpn-group)# svc keepalive 300
|
(Optional) The SVC is enabled to send keepalive messages by default with a frequency of 30 seconds.
Use this command to adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, IOS firewall, or Network Address Translation (NAT) device remains active, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
If the svc keepalive command is configured with a value of 0 seconds, then the keepalive function is disabled.
|
Step 12
|
svc homepage string
Example:
Router(config-webvpn-group)# svc homepage
www.cisco.com
|
Configures configure the URL of the web page that is displayed upon successful user login.
•The string argument is entered as an HTTP URL. The URL can be up to 255 characters in length.
|
Step 13
|
svc keep-client-installed
Example:
Router(config-webvpn-group)# svc
keep-client-installed
|
Configures the remote user to keep Cisco AnyConnect VPN Client software installed when the SSL VPN connection is not enabled.
|
Step 14
|
svc rekey {method {new-tunnel | ssl} | time
seconds}
Example:
Router(config-webvpn-group)# svc rekey method
new-tunnel
Router(config-webvpn-group)# svc rekey time
3600
|
Configures the time and method that a tunnel key is refreshed for policy group remote users.
•The tunnel key is refreshed by renegotiating the SSL connection or initiating a new tunnel connection.
•The time interval between tunnel refresh cycles is configured in seconds.
|
Examples
Tunnel Filter Configuration
The following example, starting in global configuration mode, configures a deny access filter for any host from the 172.16.2/24 network:
Router(config)# access-list 101 deny ip 172.16.2.0 0.0.0.255 any
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# filter tunnel 101
Router(config-webvpn-group)# end
Address Pool (Directly Connected Network) Configuration
The following example, starting in global configuration mode, configures the 192.168.1/24 network as an address pool:
Router(config)# ip local pool ADDRESSES 192.168.1.1 192.168.1.254
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# svc address-pool ADDRESSES
Router(config-webvpn-group)# end
Address Pool (Nondirectly Connected Network) Configuration
The following example, starting in global configuration mode, configures the 172.16.1/24 network as an address pool. Because the network is not directly connected, a local loopback interface is configured.
Router(config)# interface loopback 0
Router(config-int)# ip address 172.16.1.126 255.255.255.0
Router(config-int)# no shutdown
Router(config)# ip local pool ADDRESSES 172.16.1.1 172.16.1.254
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# svc address-pool ADDRESSES
Router(config-webvpn-group)# end
Full Tunnel Configuration
The following example, starting in global configuration mode, configures full Cisco AnyConnect VPN Client tunnel support on an SSL VPN gateway:
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# functions svc-enabled
Router(config-webvpn-group)# functions svc-required
Router(config-webvpn-group)# svc default-domain cisco.com
Router(config-webvpn-group)# svc dns-server primary 192.168.3.1
Router(config-webvpn-group)# svc dns-server secondary 192.168.4.1
Router(config-webvpn-group)# svc dpd-interval gateway 30
Router(config-webvpn-group)# svc dpd-interval client 300
Router(config-webvpn-group)# svc homepage www.cisco.com
Router(config-webvpn-group)# svc keep-client-installed
Router(config-webvpn-group)# svc rekey method new-tunnel
Router(config-webvpn-group)# svc rekey time 3600
Router(config-webvpn-group)# end
What to Do Next
Proceed to the next section to see advanced Cisco AnyConnect VPN Client tunnel configuration information.
Configuring Advanced SSL VPN Tunnel Features
This section describes advanced Cisco AnyConnect VPN Client tunnel configurations. The following configuration steps are completed in this task:
•Split tunnel support and split DNS resolution are enabled on the SSL VPN gateway.
•SSL VPN gateway support for Microsoft Internet Explorer proxy settings is configured.
•WINS resolution is configured for Cisco AnyConnect VPN Client tunnel clients.
Microsoft Internet Explorer Proxy Configuration
The SSL VPN gateway can be configured to pass or bypass Microsoft Internet Explorer (MSIE) proxy settings. Only HTTP proxy settings are supported by the SSL VPN gateway. MSIE proxy settings have no effect on any other supported browser.
Split Tunneling
Split tunnel support allows you to configure a policy that permits specific traffic to be carried outside of the Cisco AnyConnect VPN Client tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through the Internet Service Provider [ISP] or WAN connection). Tunnel resolution configuration is mutually exclusive. An IP address cannot be both included and excluded at the same time. Entering the local-lans keyword permits the remote user to access resources on a local LAN, such as network printer.
Prerequisites
•SSL VPN gateway and context configurations are enabled and operational.
•The Cisco AnyConnect VPN Client software package is installed for distribution on the SSL VPN gateway.
Restrictions
•Only Microsoft Windows 2000, Windows XP, Windows Vista, Apple-Mac, and Linux are supported on the remote client.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
5. svc split exclude {{ip-address mask | local-lans} | include ip-address mask}
6. svc split dns name
7. svc msie-proxy {exception host | option {auto | bypass-local | none}}
8. svc msie-proxy server host
9. svc wins-server {primary | secondary} ip-address
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 5
|
svc split exclude {{ip-address mask |
local-lans} | include ip-address mask}
Example:
Router(config-webvpn-group)# svc split exclude
192.168.1.1 0.0.0.255
Router(config-webvpn-group)# svc split include
172.16.1.0 255.255.255.0
|
Configures split tunneling for policy group remote users.
•Split tunneling is configured to include or exclude traffic in the Cisco AnyConnect VPN Client tunnel. Traffic that is included is sent over the SSL VPN tunnel. Traffic is excluded is resolved outside of the tunnel.
•Exclude and include statements are configured with IP address/wildcard mask pairs.
|
Step 6
|
svc split dns name
Example:
Router(config-webvpn-group)# svc split dns
www.examplecompany.com
Router(config-webvpn-group)# svc split dns
myexample.com
|
Configures the SSL VPN gateway to resolve the specified fully qualified DNS names through the Cisco AnyConnect VPN Client tunnel.
•A default domain was configured in the previous task with the svc default-domain command. DNS names configured with the svc split dns command are configured in addition.
•Up to 10 split DNS statements can be configured.
|
Step 7
|
svc msie-proxy {exception host | option {auto |
bypass-local | none}}
Example:
Router(config-webvpn-group)# svc msie-proxy
option auto
Router(config-webvpn-group)# svc msie-proxy
exception www.examplecompany.com
Router(config-webvpn-group)# svc msie-proxy
exception 10.20.20.1
|
Configures configure MSIE browser proxy settings for policy group remote users.
•Entering the option auto keywords configures the browser of the remote user to auto-detect proxy settings.
•Entering the option bypass-local keywords configures local addresses to bypass the proxy.
•Entering the option none keywords configures the browser on the remote client to not use a proxy.
|
Step 8
|
svc msie-proxy server host
Example:
Router(config-webvpn-group)# svc msie-proxy
server 10.10.10.1:80
|
Specifies an MSIE proxy server for policy group remote users.
•The proxy server is specified by entering an IP address or a fully qualified domain name.
|
Step 9
|
svc wins-server {primary | secondary}
ip-address
Example:
Router(config-webvpn-group)# svc wins-server
primary 172.31.1.1
Router(config-webvpn-group)# svc wins-server
secondary 172.31.2.1
|
Configures WINS servers for policy group remote users.
|
Examples
Split DNS Configuration
The following example, starting in global configuration mode, configures the following DNS names to be resolved in the Cisco AnyConnect VPN Client tunnel:
Router(config)# webvpn context context1
Router(config-webvpn-context)# policy group ONE
Router(config-webvpn-group)# svc split dns www.example.com
Router(config-webvpn-group)# svc split dns myexample.com
Including and Excluding IP Prefixes
The following example configures a list of IP addresses to be resolved over the tunnel (included) and a list to be resolved outside of the tunnel (excluded):
Router(config-webvpn-group)# svc split exclude 192.168.1.0 255.255.255.0
Router(config-webvpn-group)# svc split include 172.16.1.0 255.255.255.0
MSIE Proxy Configuration
The following example configures MSIE proxy settings:
Router(config-webvpn-group)# svc msie-proxy option auto
Router(config-webvpn-group)# svc msie-proxy exception www.example.com
Router(config-webvpn-group)# svc msie-proxy exception 10.20.20.1
Router(config-webvpn-group)# svc msie-proxy server 10.10.10.1:80
WINS Server Configuration
The following example configures primary and secondary WINS servers for the policy group:
Router(config-webvpn-group)# svc wins-server primary 172.31.1.1
Router(config-webvpn-group)# svc wins-server secondary 172.31.2.1
Router(config-webvpn-group)# svc wins-server secondary 172.31.3.1
Router(config-webvpn-group)# end
Configuring VRF Virtualization
VRF Virtualization allows you to associate a traditional VRF with an SSL VPN context configuration. This feature allows you to apply different configurations and reuse address space for different groups of users in your organization.
Prerequisites
•A VRF has been configured in global configuration mode.
•SSL VPN gateway and context configurations are enabled and operational.
•A policy group has been configured and associated with the WebVPN context.
Restrictions
•Only a single VRF can be configured for each SSL VPN context configuration.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. vrf-name name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
vrf-name name
Example:
Router(config-webvpn-context)# vrf-name BLUE
|
Associates a VRF with an SSL VPN context.
|
Examples
The following example, starting in global configuration mode, associates the VRF under the SSL VPN context configuration:
Router(config)# ip vrf BLUE
Router(config-vrf)# rd 10.100.100.1
Router(config)# webvpn context BLUE
Router(config-webvpn-context)# policy group BLUE
Router(config-webvpn-group)# exit
Router(config-webvpn-context)# default-group-policy BLUE
Router(config-webvpn-context)# vrf-name BLUE
Router(config-webvpn-context)# end
Configuring ACL Rules
To configure ACL rules on the application layer level for an individual user, perform the following tasks.
Note•The ACL rules can be overridden for an individual user when the user logs on to the gateway (using AAA policy attributes).
•If a user session has no ACL attribute configured, all application requests from that user session are permitted by default.
Prerequisites
Before configuring the ACL rules, you must have first configured the time range using the time-range command (this prerequisite is in addition to optionally configuring the time range, in the task table below, as part of the permit or deny entries).
Restrictions
There is no limitation on the maximum number of filtering rules that can be configured for each ACL entry, but keeping the number below 50 should have no significant impact on router performance.
SUMMARY STEPS
Required Steps
1. enable
2. configure terminal
3. webvpn context name
4. acl acl-name
5. permit [url [any | url-string]] [ip | tcp | udp | http | https | cifs] [any | source-ip source-mask] [any | destination-ip destination-mask] [time-range time-range-name] [syslog]
or
deny [url [any | url-string]] [ip | tcp | udp | http | https | cifs] [any | source-ip source-mask] [any | destination-ip destination-mask] [time-range time-range-name] [syslog]
Optional Steps
6. add position acl-entry
7. error-url access-deny-page-url
8. error-msg message-string
9. list
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Required Steps
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
acl acl-name
Example:
Router(config-webvpn-context)# acl acl1
|
Defines the ACL and enters webvpn acl configuration modes.
|
Step 5
|
permit [url [any | url-string]] [ip | tcp | udp
| http | https | cifs] [any | source-ip
source-mask] [any | destination-ip
destination-mask] time-range {time-range-name}
[syslog]
or
deny [url [any | url-string]] [ip | tcp | udp |
http | https | cifs] [any | source-ip
source-mask] [any | destination-ip
destination-mask] [time-range time-range-name]
[syslog]
Example:
Router(config-webvpn-acl)# permit url any
|
Sets conditions in a named SSL VPN access list that will permit or deny packets.
|
Optional Steps
|
Step 6
|
Example:
Router(config-webvpn-acl)# add 3 permit url any
|
Adds an ACL entry at a specified position.
|
Step 7
|
error-url access-deny-page-url
Example:
Router(config-webvpn-acl)# error-url
"http://www.example.com"
|
Defines a URL as an ACL violation page.
•If the error-url command is configured, the user is redirected to a predefined URL for every request that is not allowed. If the error-url command is not configured, the user gets a standard, gateway-generated error page.
|
Step 8
|
Example:
Router(config-webvpn-acl)# error-msg "If you
have any questions, please contact <a
href+mailto:employee1@example.com>Employee1</a>
."
|
Displays a specific error message when a user logs on and his or her request is denied.
|
Step 9
|
Example:
Router(config-webvpn-acl)# list
|
Lists the currently configured ACL entries sequentially and assigns a position number.
|
Associating an ACL Attribute with a Policy Group
To associate an ACL attribute with a policy group, perform the following steps.
Note•Associating an ACL attribute for an individual user must be performed as part of a AAA operation.
•The ACL rules can be overridden for an individual user when the user logs on to the gateway (using AAA policy attributes).
•If a user session has no ACL attribute configured, all application requests from that user session are permitted by default.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
5. exit
6. acl acl-name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Configures the SSL VPN context and enters webvpn context configuration mode.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group
group1
|
Defines a policy that can be applied to the user and enters webvpn policy group configuration mode.
|
Step 5
|
exit
Example:
Router(config-webvpn-group)# exit
|
Exits webvpn policy group configuration mode.
|
Step 6
|
acl acl-name
Example:
Router(config-webvpn-context)# acl acl1
|
Defines the ACL and enters webvpn acl configuration mode.
|
Monitoring and Maintaining ACLs
To monitor and maintain your ACL configuration, perform the following steps.
SUMMARY STEPS
1. enable
2. debug webvpn acl
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
debug webvpn acl
Example:
Router# debug webvpn acl
|
Displays information about ACLs.
|
Configuring SSO Netegrity Cookie Support for a Virtual Context
To configure SSO Netegrity cookie support, perform the following steps.
Prerequisites
•A Cisco plug-in must first be installed on a Netegrity server.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. sso-server name
5. web-agent-url url
6. secret-key key-name
7. max-retry-attempts number-of-retries
8. request-timeout number-of-seconds
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
sso-server name
Example:
Router(config-webvpn-context)# sso-server
"test-sso-server"
|
Creates a SSO server name under an SSL VPN context and enters webvpn sso server configuration mode
|
Step 5
|
web-agent-url url
Example:
Router(config-webvpn-sso-server)# web-agent-url
http://www.example.comwebvpn/
|
Configures the Netegrity agent URL to which SSO authentication requests will be dispatched.
|
Step 6
|
secret-key key-name
Example:
Router(config-webvpn-sso-server)# secret-key
"12345"
|
Configures the policy server secret key that is used to secure authentication requests.
|
Step 7
|
max-retry-attempts number-of-retries
Example:
Router(config-webvpn-sso-server)#
max-retry-attempts 3
|
Sets the maximum number of retries before SSO authentication fails.
|
Step 8
|
request-timeout number-of-seconds
Example:
Router(config-webvpn-sso-server)#
request-timeout 15
|
Sets the number of seconds before an authentication request times out.
|
Associating an SSO Server with a Policy Group
To associate an SSO server with a policy group, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
5. sso-server name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Configures the SSL VPN context and enters webvpn context configuration mode.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Configures a group policy and enters webvpn group policy configuration mode.
|
Step 5
|
sso-server name
Example:
Router(config-group-webvpn)# sso-server
"test-sso-server"
|
Attaches an SSO server to a policy group.
|
Configuring URL Obfuscation (Masking)
To configure URL obfuscation, masking, for a policy group, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
5. mask-urls
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
Example:
Router(config)# webvpn context context1
|
Configures the SSL VPN context and enters webvpn context configuration mode.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group ONE
|
Configures a group policy and enters group policy configuration mode.
|
Step 5
|
mask-urls
Example:
Router(config-webvpn-group)# mask-urls
|
Obfuscates, or masks, sensitive portions of an enterprise URL, such as IP addresses, hostnames, or port numbers.
|
Adding a CIFS Server URL List to an SSL VPN Context
and Attaching It to a Policy Group
To add a CIFS server URL list to an SSL VPN context and attach it to a policy group, perform the following steps.
Prerequisites
Before adding a CIFS server URL list to an SSL VPN context, you must have already set up the Web VPN context using the webvpn context command, and you must be in webvpn context configuration mode.
SUMMARY STEPS
1. cifs-url-list name
2. heading text-string
3. url-text name
4. exit
5. policy group name
6. cifs-url-list name
7. exit
8. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
cifs-url-list name
Example:
Router(config-webvpn-context)# cifs-url-list c1
|
Enters webvpn URL list configuration mode to configure a list of CIFS server URLs to which a user has access on the portal page of an SSL VPN.
|
Step 2
|
heading text-string
Example:
Router(config-webvpn-url)# heading "cifs-url"
|
Configures the heading that is displayed above URLs listed on the portal page of an SSL VPN.
|
Step 3
|
Example:
Router(config-webvpn-url)# url-text
"SSLVPN-SERVER2" url-value "\\SLVPN-SERVER2"
|
Adds an entry to a URL list.
•More than one entry can be added by reentering the url-text command for each subsequent entry.
|
Step 4
|
exit
Example:
Router(config-webvpn-url)# exit
|
Exits webvpn URL list configuration mode.
|
Step 5
|
policy group name
Example:
Router(config)# policy group ONE
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 6
|
cifs-url-list name
Example:
Router(config-webvpn-group)# cifs-url-list "c1"
|
Attaches a URL list to a policy group.
|
Step 7
|
exit
Example:
Router (config-webvpn-group)# exit
|
Exits webvpn group policy configuration mode.
|
Step 8
|
exit
Example:
Router(config)# exit
|
Exits global configuration mode.
|
Configuring User-Level Bookmarks
To configure user-level bookmarks, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. user-profile location flash:directory
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
Example:
Router(config)# webvpn context context1
|
Configures the SSL VPN context and enters webvpn context configuration mode.
|
Step 4
|
user-profile location flash:directory
Example:
Router(config-webvpn-context)# user-profile
location flash:webvpn/sslvpn/vpn_context/
|
Stores bookmarks on a directory.
|
Configuring FVRF
To configure FVRF so that the SSL VPN gateway is fully integrated into an MPLS network, perform the following steps.
Prerequisites
As the following configuration task shows, IP VRF must be configured before the FVRF can be associated with the SSL VPN gateway. For more information about configuring IP VRF, see the subsection "Configuring IP VRF (ip vrf command)" in the "Related Documents" section.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip vrf vrf-name
4. exit
5. webvpn gateway name
6. vrfname name
7. exit
8. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
ip vrf vrf-name
Example:
Router(config)# ip vrf vrf_1
|
Defines a VPN VRF instance and enters VRF configuration mode.
Note The vrf-name argument specified here must be the same as the name argument in Step 6.
|
Step 4
|
exit
Example:
Router(config-vrf)# exit
|
Exits VRF configuration mode.
|
Step 5
|
webvpn gateway name
Example:
Router(config)# webvpn gateway mygateway
|
Enters webvpn gateway configuration mode to configure an SSL VPN gateway.
|
Step 6
|
vrfname name
Example:
Router(config-webvpn-gateway)# vrfname vrf_1
|
Associates a VPN FVRF with an SSL VPN gateway.
Note The name argument here must the same as the vrf-name argument in Step 3.
|
Step 7
|
exit
Example:
Router(config-webvpn-gateway)# exit
|
Exits webvpn gateway configuration mode.
|
Step 8
|
exit
Example:
Router(config)# exit
|
Exits global configuration mode.
|
Disabling Full-Tunnel CEF
To disable full-tunnel CEF support, perform the following tasks:
Note The command no webvpn cef disables all Web VPN CEF support, not just full-tunnel CEF support.
SUMMARY STEPS
1. enable
2. configure terminal
3. no webvpn cef
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
no webvpn cef
Example:
Router(config)# no webvpn cef
|
Disables full-tunnel CEF support.
Note The webvpn cef command is enabled by default.
|
Configuring Automatic Authentication and Authorization
To configure automatic authentication and authorization so that a user needs to log in only one time, at login, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. aaa authentication auto
5. authorization list name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
aaa authentication auto
Example:
Router(config-webvpn-context)# aaa
authentication auto
|
Allows automatic authentication for users. Users provide their usernames and passwords via the gateway page URL and do not have to again enter their usernames and passwords from the login page.
|
Step 5
|
aaa authorization list name
Example:
Router(config-webvpn-context)# aaa
authorization list 11
|
Allows user attributes to get "pushed" during authentication.
•name—Name of the list to be automatically authorized.
|
Configuring SSL VPN Client Side Certificate Based Authentication
To configure SSL VPN Client Side Certificate based Authentication, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn import svc profile profile-name device-name
4. webvpn context context-name
5. authentication certificate aaa
6. username-prefill
7. ca trustpoint trustpoint-name
8. match-certificate certificate-name
9. policy group policy-name
10. svc profile profile-name
11. exit
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn import svc profile profile-name
device-name
Example:
Router(config)# webvpn import svc profile
profile1 flash:AnyconnectProfile.tmpl
|
Imports an AnyConnect profile.
|
Step 4
|
webvpn context context-name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 5
|
authentication certificate aaa
Example:
Router(config-webvpn-context)# authentication
certificate aaa
|
Enables certificate based AAA authentication
|
Step 6
|
username-prefill
Example:
Router(config-webvpn-context)# username-prefill
|
Enables trustpoint configuration to prefill the username field from an authentication certificate,
|
Step 7
|
ca trustpoint trustpoint-name
Example:
Router(config-webvpn-context)# ca trustpoint
trustpoint1
|
Enables the trustpoint to authenticate users using the specified trustpoint name,
|
Step 8
|
match-certificate certificate-name
Example:
Router(config-webvpn-context)#
match-certificate certificate-name
|
Enables certificate map matching
|
Step 9
|
policy group policy-name
Example:
Router(config-webvpn-context)# policy group
policy3
|
Enters webvpn group policy configuration mode to configure a webvpn group policy.
|
Step 10
|
svc profile profile-name
Example:
Router(config-webvpn-group)# svc profile
profile-name
|
Enables a webvpn group policy with an AnyConnect profile.
|
Step 11
|
exit
Example:
Router(config-webvpn-group)# exit
|
Exits webvpn group policy mode.
|
Configuring a URL Rewrite Splitter
To configure a URL rewrite splitter, perform the following tasks.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. url rewrite
5. host host-name
6. ip ip-address
7. unmatched-action [direct-access | redirect]
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
url rewrite
Example:
Router(config-webvpn-context)# url rewrite
|
Allows you to mangle selective URL requests and enters URL rewrite mode.
Note One of the commands host or ip is required. The unmatched-action command is optional.
|
Step 5
|
host host-name
Example:
Router(config-webvpn-url-rewrite)# host
www.examplecompany.com
|
Hostname of the site to be mangled.
Note One of the commands host or ip is required. The unmatched-action command is optional.
|
Step 6
|
ip ip-address
Example:
Router(config-webvpn-url-rewrite)# ip 10.1.1.0
255.255.0.0
|
IP address of the site to be mangled.
Note One of the commands host or ip is required. The unmatched-action command is optional.
|
Step 7
|
unmatched-action [direct-access | redirect]
Example:
Router(config-webvpn-url-rewrite)#
unmatched-action direct-access
|
(Optional) Defines the action for the request to the public website.
•direct-access—Provides the user with direct access to the URL. In addition, the user receives an information page stating that he or she can access the URL directly.
•redirect—Provides the user with direct access to the URL, but the user does not receive the information page.
|
Configuring a Backend HTTP Proxy
To configure a backend HTTP proxy, perform the following tasks.
SUMMARY STEPS
1. enable
2. configure terminal
3. webvpn context name
4. policy group name
5. http proxy-server {ip-address | dns-name} port port-number
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
webvpn context name
Example:
Router(config)# webvpn context context1
|
Enters webvpn context configuration mode to configure the SSL VPN context.
|
Step 4
|
policy group name
Example:
Router(config-webvpn-context)# policy group g1
|
Enters webvpn group policy configuration mode to configure a group policy.
|
Step 5
|
http proxy-server {ip-address | dns-name} port
port-number
Example:
Router(config-webvpn-context)# http
proxy-server 10.1.1.1 port 2034
|
Allows user requests to go through a backend HTTP proxy.
•ip-address—IP address of the proxy server.
•dns-name—Domain Name System (DNS) of the proxy server.
•port port-number—Proxy port number.
|
Configuring Stateless High Availability with HSRP for SSL VPN
To configure stateless High Availability with HSRP for SSL VPN, perform the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type slot/port
4. standby number ip ip-address
5. standby number name standby-name
6. exit
7. webvpn gateway name
8. ip address number port port-number standby name
DETAILED STEPS
| |
Command or Action
|
Purpose
|
Step 1
|
enable
Example:
Router> enable
|
Enables privileged EXEC mode.
•Enter your password if prompted.
|
Step 2
|
configure terminal
Example:
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
interface type slot/port
Example:
Router(config)# interface gateway 0/0
|
Configures an interface type and enters interface configuration mode.
|
Step 4
|
standby number ip ip-address
Example:
Router(config-if)# standby 0 ip 10.1.1.1
|
Configures a standby IP address.
|
Step 5
|
standby number name standby-name
Example:
Router(config-if)# standby 0 name SSLVPN
|
Configures a standby name.
|
Step 6
|
exit
Example:
Router(config-if)# exit
|
Exits interface configuration mode.
|
Step 7
|
webvpn gateway name
Example:
Router(config)# webvpn gateway Gateway1
|
Enters webvpn gateway configuration mode to configure an SSL VPN gateway.
|
Step 8
|
ip address ip-address port port-number standby
name
Example:
Router(config)# ip address 10.1.1.1 port 443
standby SSLVPN
|
Configures a standby IP address as the proxy IP address on an SSL VPN gateway.
Note The IP address configured here must be the same as the IP address that was configured as the standby IP address (standby number ip ip-address).
|
Configuring Internationalization
To configure multilanguage support messages initiated by the headend for SSL VPN clients, such as CSD and SVC, the following tasks are required or optional:
•Generating the Template Browser Attribute File (required)
•Importing the Browser Attribute File (required)
•Verifying That the Browser Attribute File Was Imported Correctly (optional)
•Creating the Language File (required)
•Importing the Language File (required)
•Verifying That the Language File Was Imported Correctly (optional)
•Creating the URL List (required)
•Importing the File into the URL List and Binding It to a Policy Group (required)
•Verifying That the URL List File Was Bound Correctly to the Policy Group (optional)
Generating the Template Browser Attribute File
To generate the template browser attribute file, perform the following steps.
SUMMARY STEPS
1. enable
2. webvpn create template browser-attribute device:
3. Copy the browser attribute file to another device for editing.
4. Copy the edited file back to the storage device.
DETAILED STEPS
