Table Of Contents
Managing Virtual Contexts
Understanding Virtual Contexts
Viewing Virtual Contexts Summary Screen
Adding Virtual Contexts
Selecting an Authentication List
Configuring Advanced Display Settings
Selecting a Virtual Gateway
Editing Virtual Contexts
Deleting Virtual Contexts
Configuring Features for a Virtual Context
Viewing the Virtual Context Configuration Screen
Editing Display Settings
Configuring VRF Details for a Virtual Context
Viewing VRF Details
Viewing DNS Entries
Editing VRF DNS Entries
Viewing AAA Entries
Viewing Static Routes
Adding a Static Route
Deleting Static Routes
Configuring Port Forward Lists for a Virtual Context
Viewing Port Forward Lists
Adding a Port Forward List
Editing Port Forward List
Deleting Port Forward Lists
Associating Group Policies to a Port Forward List
Adding Port Forward Entries to a Port Forward List
Editing Port Forward Entries in a Port Forward List
Deleting Port Forward Entries from the Port Forward List
Configuring URL Lists for a Virtual Context
Viewing URL Lists
Adding a URL List
Editing a URL List
Deleting URL Lists
Assigning Group Policies to a URL List
Adding URL Links to a URL List
Editing URL Links in a URL List
Deleting URL Links from a URL List
Configuring NBNS Lists for a Virtual Context
Viewing NBNS Lists for a Virtual Context
Adding an NBNS List
Editing an NBNS List
Deleting NBNS Lists
Assigning NBNS Lists to Group Policies
Adding NBNS Entries to an NBNS List
Editing NBNS Entries in an NBNS List
Deleting NBNS Entries from an NBNS List
Configuring Group Policies for a Virtual Context
Viewing Group Policies
Viewing Individual Group Policy Details
Adding Group Policies
Editing Group Policies
Selecting an Address Pool
Deleting Group Policies
Configuring Connection Policies for a Virtual Context
Viewing Connection Policies
Editing TCP Policies
Editing SSL Policies
How Do I Setup a Virtual Context?
Managing Virtual Contexts
CVDM-WebVPNSM supports VPN routing/forwarding instance (VRF) aware virtualization of the Secure Gateway services. In a WebVPN service module, virtualization is meant to partition or logically group the Secure Gateway services.
Managing Virtual Contexts contains the following sections:
•
Understanding Virtual Contexts
•
Viewing Virtual Contexts Summary Screen
•
Adding Virtual Contexts
•
Editing Virtual Contexts
•
Deleting Virtual Contexts
•
Configuring Features for a Virtual Context
Understanding Virtual Contexts
A virtual WebVPN context (virtual context) is a logical WebVPN instance defined within a physical Secure Gateway. If it serves a VRF-aware domain, the virtual context is configured with a VRF name, a unique VRF domain, a virtual gateway service, and the information that maps a VPN user connected to the virtual gateway to a VRF configured on the Catalyst 6500 chassis. It is also configured with everything needed to connect to the back-end servers. VRF awareness means that you can tie a virtual context to a VRF so that the clients of that context reach the resources of their own corporate VPN through that VRF.
To configure a virtual context you must do the following using CVDM-WebVPNSM:
•
Configure display settings for login, home and file-access pages for the login portal.
•
Associate a Virtual Gateway.
•
Associate a VRF for VRF-aware contexts.
•
Configure maximum limit for the number of users in a virtual context.
•
Configure authentication mechanism for the virtual context.
•
Configure NAT Range for clientless and thin-client mode.
•
Configure URL Lists.
•
Configure NBNS Lists for CIFS.
•
Configure Connection Policies.
•
Configure Group Policies
To reach the appropriate virtual context, do the following:
•
Browse to https://ip_address (for example, https://172.21.65.71) and specify your username and domain name (in the form username@domain_name; for example, sjones@d1) and password.
•
Browse to https://virtual_host (for example, to connect to context1, browse to https://ssl-vpn71.cisco.com; to connect to context2, browse to https://webvpn71.cisco.com) and specify your username and password.
Note that the DNS entries for the virtual hosts (ssl-vpn71.cisco.com and webvpn71.cisco.com) both resolve to the IP address of the configured gateway "common" (172.21.65.71); it is the host name the browser presents, not the IP address, that selects the context.
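The mapping described above, as an added example that is not part of the CVDM-WebVPNSM guide or the module's own code: a small Python model that applies both mapping methods to an incoming login and enforces the uniqueness rules the guide states for domains and virtual hosts. The context names, gateway name, host names and address are the guide's own; the VirtualContext class, the functions, and the precedence of virtual host over username@domain are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VirtualContext:
    name: str
    gateway: str                        # virtual gateway the context is bound to
    domain: Optional[str] = None        # user-context mapping: username@domain
    virtual_host: Optional[str] = None  # user-context mapping: host name in the URL


class MappingError(ValueError):
    pass


def validate(contexts: List[VirtualContext]) -> None:
    """Enforce the guide's rules: a domain is unique among the contexts on one
    gateway, a virtual host is unique across the whole module, and a gateway
    whose context has neither domain nor virtual host is dedicated to that
    context and cannot be shared."""
    seen_domains, seen_hosts, dedicated, per_gateway = set(), set(), {}, {}
    for c in contexts:
        per_gateway.setdefault(c.gateway, []).append(c.name)
        if c.domain:
            key = (c.gateway, c.domain.lower())
            if key in seen_domains:
                raise MappingError(f"domain {c.domain} reused on gateway {c.gateway}")
            seen_domains.add(key)
        if c.virtual_host:
            host = c.virtual_host.lower()
            if host in seen_hosts:
                raise MappingError(f"virtual host {c.virtual_host} reused")
            seen_hosts.add(host)
        if not c.domain and not c.virtual_host:
            dedicated[c.gateway] = c.name
    for gateway, names in per_gateway.items():
        if gateway in dedicated and len(names) > 1:
            raise MappingError(f"gateway {gateway} is dedicated to {dedicated[gateway]} "
                               f"and cannot be shared with {names}")


def is_valid(contexts: List[VirtualContext]) -> bool:
    try:
        validate(contexts)
        return True
    except MappingError:
        return False


def map_request(contexts: List[VirtualContext], gateway: str,
                host_header: str, username: str) -> Tuple[VirtualContext, str]:
    """Pick the context for a login arriving on `gateway`. The host name the
    browser used is tried first, then the username@domain suffix (assumed
    order; the guide states both methods but not their precedence). Returns
    the context and the username with any mapping domain stripped."""
    host = host_header.split(":")[0].lower()
    on_gateway = [c for c in contexts if c.gateway == gateway]
    for c in on_gateway:
        if c.virtual_host and c.virtual_host.lower() == host:
            return c, username
    if "@" in username:
        user, _, domain = username.rpartition("@")
        for c in on_gateway:
            if c.domain and c.domain.lower() == domain.lower():
                return c, user
        raise MappingError(f"no context on gateway {gateway} for domain {domain}")
    for c in on_gateway:
        if not c.domain and not c.virtual_host:
            return c, username          # dedicated gateway: nothing to disambiguate
    raise MappingError("shared gateway: log in as username@domain or use the virtual host name")


# The guide's own example: two contexts share gateway "common" at 172.21.65.71.
CONTEXTS = [
    VirtualContext("context1", "common", domain="d1", virtual_host="ssl-vpn71.cisco.com"),
    VirtualContext("context2", "common", domain="d2", virtual_host="webvpn71.cisco.com"),
]
```

A login to https://172.21.65.71 as sjones@d2 lands in context2; a login to https://ssl-vpn71.cisco.com as sjones lands in context1 without any domain. A bare username on the gateway IP is refused, because nothing distinguishes the two contexts.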
Viewing Virtual Contexts Summary Screen
You can view the list of virtual contexts in the WebVPN module in the Virtual Contexts window.
Figure 6-1 Virtual Contexts
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
The following table describes the fields on this page.
Fields
|
Description
|
Name
|
Name of the virtual context.
|
Virtual Gateway
|
Virtual gateway associated with this virtual context.
|
Domain
|
Corporate specific domain name to be used when sharing the virtual gateway between multiple virtual contexts.
Note This is unique within virtual contexts associated with a virtual gateway.
|
Virtual Host
|
Virtual host name associated with the virtual context used to connect to the virtual gateway.
Note Virtual host is unique across all virtual contexts associated with virtual gateways
|
VRF
|
VRF associated with this virtual context.
|
Admin Status
|
Whether the virtual context is Inservice or OutofService.
|
Operational Status
|
Indicates the operational status of the service. An icon shows one of three states:
• Administratively down: the administrator set the admin status to Down.
• Operationally down: the admin status is Up but the context cannot come into service (the reasons are listed under Viewing the Virtual Context Configuration Screen).
• Up.
|
Note
A virtual context, Default_context, is configured on the blade by default.
•
Select a virtual context from the Virtual Contexts table, click Set Admin Status and select Up or Down to set the admin status of the selected virtual context.
•
Click Add to add a virtual context.
•
Select a virtual context from the Virtual Context table and click Edit to edit the settings for the selected virtual context.
•
Select one or more virtual contexts from the Virtual Context table and click Delete to delete them. You cannot delete Default_context.
Adding Virtual Contexts
Step 1
Click Setup in the taskbar, click Virtual Context in the left-most pane.
The Virtual Context page appears.
Step 2
Click Add. The Add Context dialog box appears.
Step 3
Enter the appropriate values.
Field
|
Action/Description
|
General
|
Name
|
Name of the virtual context.
|
Admin Status
|
Whether the virtual context is up or down.
|
Maximum Users
|
Specifies the maximum number of client connections that are allowed to be open for the given virtual WebVPN context (per VRF domain).
Note A maximum of 2560 users can be connected for all virtual contexts together at any given instance.
|
VRF
|
Specifies the VRF domain configured for this context. You can create and use a new VRF or select an existing VRF.
|
Backend Certificate
|
Configures the peer certificate verification behavior. This behavior applies to the SSL server certificate presented when the WebVPN Services Module connects to an HTTPS back-end server on a user's behalf.
You can select:
• Verify All—Verifies the signature chain and revocation status against the associated Trustpoint configuration. This is the default setting.
• Verify None—Accepts any certificate whose validity period has not expired, with no check of the issuer or revocation status. The module then cannot tell a genuine back-end server from an interposed host presenting its own in-date certificate; use this setting only for testing and keep Verify All on production contexts.
|
Display Settings
|
Title
|
Specifies the title shown in the browser title bar and on the portal title bar. The string is limited to 255 characters. The default string is "WebVPN Service."
|
Logo File
|
Specifies the custom logo image that is displayed on the login and portal pages. The filename is a file that is uploaded by the administrator to the security gateway.
Note You need to have an image (gif, jpg, and png image formats are supported) on device flash to select a logo file in CVDM.
|
Advanced Settings
|
Click on the Advanced Settings tab to configure. For more information see, Configuring Advanced Display Settings.
|
Virtual Gateway Setting
|
Virtual Gateway
|
Specifies the virtual gateway instance configured on the secure gateway and the mapping method (domain name or virtual host) used to share it. You can create a new virtual gateway or select an existing one. A virtual gateway that is already associated with a virtual context that has no domain or virtual host is dedicated to that context and cannot be selected here.
|
User-Context Mapping
|
Domain
|
Corporate specific domain name to be used when sharing the virtual gateway between multiple virtual contexts.
Note This is unique within all virtual contexts associated with a virtual gateway.
|
Virtual Host
|
Virtual host name associated with the virtual context used to connect to the virtual gateway.
Note Virtual host is unique across all virtual contexts in the service module.
|
NAT Range
|
Specifies the range of NAT addresses to be used in opening a server connection.
Note For NAT to be valid there should be a WebVPN subinterface configured in the same subnet.
|
Start IP Address
|
The first IP address in the IP address range to be used in opening a server connection.
|
End IP Address
|
The last IP address in the IP address range to be used in opening a server connection.
The NAT range should be six consecutive IP addresses. If more than six are set, then the first six IP addresses will be used.
|
Net Mask
|
A subnet mask configured on the WebVPN subinterfaces.
|
Authentication
|
If no authentication list is configured in the virtual context and the "aaa authentication login default <radius | local | none>" command is configured on the device, that default method list is used. If no default method list is configured either, local authentication is used.
Note You cannot configure the Method List and Domain for authentication unless the new AAA model (aaa new-model) is configured on the device.
|
Method List
|
The authentication list to be used for authentication. You can create a new method list or select an existing one. To use an AAA server group, configure a server group in the same VRF as the virtual context using AAA in Global Settings.
|
Domain
|
The domain to be used for authentication. It lets identical usernames in different virtual contexts share one service provider AAA server: the user is presented to the server as a domain-qualified name, so sjones in one context and sjones in another are distinct accounts. If an authentication domain is configured, every username on the AAA server must include it, or authentication fails. This domain is unique across all virtual contexts.
|
Step 4
Enter the appropriate values and click OK.
Selecting an Authentication List
Step 1
Click the Method List ellipsis selector in the Authentication pane of the Add Virtual Context dialog box. The Select an Authentication List dialog box appears with the following information.
Field
|
Description
|
Name
|
Name of the authentication list.
|
Type
|
Type of authentication list.
|
Method 1
|
The name of the method that the device tries first. Authentication identifies users before they are permitted access to the network or network services; it covers username and password, challenge and response, messaging support, and, depending on the security protocol selected, encryption.
A method is a configured server group used for authenticating users. You can configure up to four methods and the order in which the device queries them. The device tries the first method; if a server in that method answers, its verdict is final: an accept succeeds and a reject fails the login. Only when none of the servers in a method responds does the device move on to the next method in the list, so a later method never overrides a rejection by an earlier one.
|
Method 2
|
The name of the method that the device will attempt to use for authentication if the servers referenced in method 1 do not respond.
|
Method 3
|
The name of the method that the device will attempt to use for authentication if the servers referenced in method 1 and method 2 do not respond.
|
Method 4
|
The name of the method that the device will attempt to use for authentication if the servers referenced in method 1, method 2, and method 3 do not respond.
|
Step 2
Select an authentication list and click OK. The selected authentication list is added to the Method List field.
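How a method list and the authentication Domain behave, as an added example that is not the module's AAA code: the server groups are constructed stand-ins for a RADIUS or TACACS+ group, the sample accounts are invented, and the user@domain form of the qualified username is an assumption; the fall-through rule, the default-list precedence and the domain requirement are the ones the guide states.

```python
from enum import Enum
from typing import Callable, Dict, List, Optional


class Verdict(Enum):
    PASS = "pass"     # a server answered and accepted the credentials
    FAIL = "fail"     # a server answered and rejected them
    ERROR = "error"   # no server in the group responded


Method = Callable[[str, str], Verdict]


def authenticate(method_list: List[Method], username: str, password: str) -> Verdict:
    """Walk the list in order. Only ERROR moves on to the next method; a FAIL
    is final, so a later method can never rescue a rejected login. If every
    method errors, the login is not permitted."""
    for method in method_list:
        verdict = method(username, password)
        if verdict is not Verdict.ERROR:
            return verdict
    return Verdict.ERROR


def select_method_list(context_list: Optional[List[Method]],
                       default_list: Optional[List[Method]],
                       local: Method) -> List[Method]:
    """The guide's precedence: the context's own list, else the device's
    'aaa authentication login default' list, else local."""
    if context_list:
        return context_list
    if default_list:
        return default_list
    return [local]


def qualify(username: str, auth_domain: Optional[str]) -> str:
    """With an authentication Domain configured on the context, the user is
    presented to the AAA server as a domain-qualified name (assumed here to
    be user@domain), which is what lets two contexts share one server."""
    if not auth_domain:
        return username
    suffix = "@" + auth_domain
    return username if username.lower().endswith(suffix.lower()) else username + suffix


def server_group(accounts: Dict[str, str], reachable: bool = True) -> Method:
    """Constructed stand-in for a server group; not a real RADIUS/TACACS+ client."""
    def method(username: str, password: str) -> Verdict:
        if not reachable:
            return Verdict.ERROR
        return Verdict.PASS if accounts.get(username) == password else Verdict.FAIL
    return method


# Constructed sample data: one service-provider RADIUS server shared by two
# contexts that both have a user called "sjones", kept apart by the domain.
SHARED_RADIUS = {"sjones@d1": "pw-in-d1", "sjones@d2": "pw-in-d2"}
LOCAL_USERS = {"admin": "local-pw", "sjones": "local-pw"}


def login(context_domain: Optional[str], username: str, password: str,
          radius_reachable: bool = True) -> Verdict:
    """One context's login path: the shared RADIUS group first, the local
    database only if RADIUS is silent."""
    method_list = select_method_list(
        context_list=[server_group(SHARED_RADIUS, radius_reachable),
                      server_group(LOCAL_USERS)],
        default_list=None,
        local=server_group(LOCAL_USERS))
    return authenticate(method_list, qualify(username, context_domain), password)
```

Two behaviours worth checking on a real deployment follow from this: a wrong password against a reachable RADIUS group is never retried against the local database, and once a Domain is set on the context, local accounts without that suffix stop working, exactly as the guide warns.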
Configuring Advanced Display Settings
Step 1
Click Setup in the taskbar, click Virtual Context in the left-most pane.
The Virtual Context page appears.
Step 2
Click Add. The Add Virtual Context dialog box appears.
Step 3
Click Advanced Settings in the Display Settings pane. The Advanced Display Settings dialog box appears.
Step 4
Enter the appropriate values.
Field
|
Action/Description
|
Title Color
|
Color of the title bars on the login, home, and file-access pages. Default value is hex #9999CC.
|
Secondary Title Color
|
Color of the secondary title bars on the login, home, and file-access pages. Default value is hex #CCCCFF.
|
Text Color
|
Color of the text on the title bars. It is restricted to just two values to limit the number of icons that need to exist for the toolbar. The default value is white.
|
Secondary Text Color
|
Color of the text on the secondary bars. It has to be aligned with the title bar text color. The default value is black.
|
Login Message
|
HTML text that prompts the user to log in. Limited to 255 characters. Default text is "Please enter your username and password."
|
Step 5
Click OK.
Note
You need to have an image (gif, jpg, and png image formats are supported) on device flash to select a logo file in CVDM.
Selecting a Virtual Gateway
Step 1
Click the Virtual Gateway ellipsis selector in the Virtual Gateway Setting pane of the Add Virtual Context dialog box. The gateway selector dialog appears with the following information.
Field
|
Description
|
Gateway Name
|
Name of a virtual gateway configured on the WebVPNSM.
|
Used by Any Context
|
Indicates whether a virtual gateway is currently used by a virtual context.
|
Step 2
Click OK to select an existing Virtual Gateway.
Note
A virtual gateway that is associated with a virtual context having no domain or virtual host is dedicated to that context and cannot be shared, so it is not displayed in this dialog box.
Editing Virtual Contexts
Step 1
Click Setup in the taskbar, click Virtual Context in the left-most pane.
The Virtual Context page appears.
Step 2
Select the Virtual Context from the Virtual Context table and Click Edit. The Edit Virtual Context dialog box appears.
Step 3
Modify the appropriate values.
Field
|
Action/Description
|
General
|
Name
|
Name of the virtual context. You cannot edit the value in this field.
|
Admin Status
|
Whether the virtual context is up or down.
|
Maximum Users
|
Specifies the maximum number of client connections that are allowed to be open for the given virtual WebVPN context (per VRF domain).
Note A maximum of 2560 users can be connected for all virtual contexts together at any given instance.
|
VRF
|
Specifies the VRF domain configured for this virtual context. You can create and use a new VRF or select an existing VRF.
Note Changing or adding a VRF association may render the virtual context non-operational if a NAT is configured, or an address pool associated group policy exists in the virtual context. Please make sure these configurations are modified appropriately to make the virtual context operational.
Note For Default_context, virtual gateway and VRF associations are not allowed.
|
Backend Certificate
|
Configures the peer certificate verification behavior. This behavior applies to the SSL server certificate when the WebVPN Services Module tries to connect to an HTTPS server.
You can select:
• Verify All—Verifies signature authenticity and revocation status based on the associated Trustpoint configuration. This is the default setting.
• Verify None—Accepts any certificate that is in its validity period.
|
Virtual Gateway Setting
|
Virtual Gateway
|
Specifies the virtual gateway instance configured on the secure gateway and the mapping method (domain name or virtual host) used to share it. You can create a new virtual gateway or select an existing one. A virtual gateway that is already associated with a virtual context that has no domain or virtual host is dedicated to that context and cannot be selected here.
Note For Default_context, virtual gateway and VRF associations are not allowed.
|
User-Context Mapping
|
Domain
|
Corporate specific domain name to be used when sharing the virtual gateway between multiple virtual contexts.
Note This is unique within all virtual contexts associated with a virtual gateway.
|
Virtual Host
|
Virtual host name associated with the virtual context used to connect to the virtual gateway.
Note Virtual host is unique across all virtual contexts in the service module.
|
NAT Range
|
Specifies the range of NAT addresses to be used in opening a server connection.
Note For NAT to be valid there should be a WebVPN subinterface configured in the same subnet.
|
Start IP Address
|
The first IP address in the IP address range to be used in opening a server connection.
|
End IP Address
|
The last IP address in the IP address range to be used in opening a server connection. The NAT range should be six consecutive IP addresses. If more than six are set, then the first six IP addresses will be used.
|
Net Mask
|
A subnet mask configured on the WebVPN subinterfaces.
|
Authentication
|
Note You will not be able to configure the Method List and Domain for authentication if the new AAA model is not configured.
|
Method List
|
The authentication list to be used for authentication. You can create a new method list or select an existing one. To use an AAA server group, configure a server group in the same VRF as the virtual context using AAA in Global Settings.
|
Domain
|
The domain to be used for authentication. It lets identical usernames in different virtual contexts share one service provider AAA server, because the user is presented to the server as a domain-qualified name. If an authentication domain is configured, every username on the AAA server must include it, or authentication fails. This domain is unique across all virtual contexts.
|
Step 4
Click OK.
Deleting Virtual Contexts
Step 1
Click Setup in the taskbar, click Virtual Context in the left-most pane.
The Virtual Contexts page appears.
Step 2
Select a Virtual Context or multiple Virtual Contexts from the Virtual Contexts table and Click Delete. The Virtual Context will be deleted from the Virtual Contexts table.
Note
You cannot delete the Default_context.
Configuring Features for a Virtual Context
You can configure the following for a Virtual Context:
•
Configuring VRF Details for a Virtual Context
•
Configuring Port Forward Lists for a Virtual Context
•
Configuring URL Lists for a Virtual Context
•
Configuring NBNS Lists for a Virtual Context
•
Configuring Group Policies for a Virtual Context
•
Configuring Connection Policies for a Virtual Context
Viewing the Virtual Context Configuration Screen
The Virtual Contexts Configuration window displays the details of the virtual contexts configured in the WebVPN module.
Figure 6-2 Virtual Context Configuration window
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select a Virtual Context subgroup folder from the Virtual Contexts Group folder.
The Virtual Context Configuration page appears with the following information.
Field
|
Action/Description
|
General
|
Name
|
Name of the virtual context.
|
Admin Status
|
Whether the virtual context is in service or out of service.
|
Operational Status
|
Indicates the operational status of the service. An icon shows one of three states:
• Administratively down: the administrator set the admin status to Down.
• Operationally down.
• Up.
If the admin status is down, the operational status is down and no reason is shown.
When the admin status is up, the operational status can still be down for any of the following reasons:
• (no gateway)—No virtual gateway is associated with this virtual context.
• (nat invalid)—No WebVPN subinterface is configured in the same subnet as the specified NAT range.
• (vrf invalid)—The VRF specified in the virtual context does not exist.
|
Default Group Policy
|
Specifies the default group policy that the virtual WebVPN context instance uses.
|
Maximum Users
|
Maximum users for the virtual context.
|
VRF
|
Specifies the VRF domain configured for this virtual context. You can create and use a new VRF or select an existing VRF.
|
Backend Certificate
|
Configures the peer certificate verification behavior. This behavior applies to the SSL server certificate when the WebVPN Services Module tries to connect to an HTTPS server.
You can select:
• Verify All—Verifies signature authenticity and revocation status based on the associated Trustpoint configuration. This is the default setting.
• Verify None—Accepts any certificate that is in its validity period.
|
Virtual Gateway Setting
|
Virtual Gateway
|
Specifies the virtual gateway instance configured on the secure gateway and the mapping method (domain name or virtual host) by which this context is reached through it. You can create a new virtual gateway or select an existing one.
|
Domain
|
A corporate-specific domain name (for example, cisco.com) for the virtual WebVPN instance.
|
Virtual Host
|
Virtual host to which the virtual context maps.
|
NAT Range
|
Start IP Address
|
The first IP address in the IP address range to be used in opening a server connection.
|
End IP Address
|
The last IP address in the IP address range to be used in opening a server connection.
|
Net Mask
|
A subnet mask configured on the WebVPN subinterfaces.
|
Authentication
|
Method List
|
The authentication list to be used for authentication. You can create and use a new method list or select an existing method list.
|
Domain
|
The domain to be used for authentication.
|
Group Policies
|
Name
|
Name of the group policy associated with this virtual context.
|
Configured Modes
|
Various modes of remote access configured for the group policy.
|
•
Click Display Settings to edit display settings.
•
Click Edit to edit virtual context.
Note the following:
•
If no Group policy is configured for a virtual context the link Click here to add a Group Policy will take you to the Group Policies window where you can configure a Group Policy.
•
In the Group Policy table each entry is a link to the Group Policy leaf node under the Group Policy folder.
Editing Display Settings
Step 1
From the Virtual Context Configuration page, click Display Settings. The Edit Display Settings dialog box appears with the following fields.
Field
|
Description/Action
|
Title Color
|
Specifies the color of the title bars on the login, home, and file-access portal pages. The default color is purple. Default value is hex #9999CC.
|
Secondary Title Color
|
Specifies the color of the secondary title bars on the login, home, and file-access portal pages. The default color is purple. Default value is hex #CCCCFF.
|
Text Color
|
Specifies the color of the text of the title bars on the portal page. The default value is white.
|
Secondary Text Color
|
Color of the text on the secondary bars. It has to be aligned with the title bar text color. The default value is black.
|
Logo File
|
Specifies the custom logo image that is displayed on the login and portal pages. The file is uploaded by the administrator to the security gateway.
|
Title
|
Specifies the title in the browser title and on the title bar. The string is limited to 255 characters. The default string is "WebVPN Service."
|
Login Message
|
Specifies the text that prompts the end user to log in. The string is limited to 255 characters. The default message is "Please enter your username and password."
|
Step 2
Click OK.
Configuring VRF Details for a Virtual Context
You can configure DNS, AAA and Static Routes for a virtual context using this feature.
•
Viewing VRF Details
•
Viewing DNS Entries
•
Editing VRF DNS Entries
•
Viewing AAA Entries
•
Viewing Static Routes
•
Adding a Static Route
•
Deleting Static Routes
Viewing VRF Details
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object VRF from the subgroup folder. The VRF Details page appears with the following information.
Field
|
Action/Description
|
VRF Name
|
VRF associated with the virtual context.
|
DNS Tab
|
DNS entries associated with the VRF.
|
Host Name
|
Name of host systems associated with the VRF.
|
Name Server
|
Domain name Server associated with the VRF.
|
Domain Name
|
Domain name associated with the VRF.
|
Domain List
|
Domain list associated with the VRF.
|
Static Routes Tab
|
Static routes associated with the VRF.
|
IP Address
|
IP address of the Static route.
|
Net Mask
|
Net mask of static route.
|
Next Hop
|
Next hop interface or IP address.
|
Metric
|
Administrative distance of the static route, in the range 1 to 255.
|
AAA Tab
|
Authentication details associated with the VRF.
|
Server Group Name
|
Name of the server group.
|
Servers in Group
|
Servers which are part of the server group.
|
Note
If DNS entries are not configured for the VRF, a blank screen with the message DNS entries not associated for the context will be displayed. If no Authentication List is associated with the virtual context a blank screen with the message Authentication List not associated for the context will be displayed.
Viewing DNS Entries
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object VRF from the subgroup folder. The VRF Details page appears with the DNS tab selected as default, with the following information.
Field
|
Action/Description
|
Host Name
|
Name of host systems associated with this VRF.
|
Name Server
|
Domain name Server associated with this VRF.
|
Domain Name
|
Domain name associated with this VRF.
|
Domain List
|
Domain list associated with this VRF.
|
IP Addresses
|
IP address of the host system associated with this VRF.
|
Click Edit to edit VRF DNS details.
Editing VRF DNS Entries
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object VRF from the subgroup folder. The VRF Details page appears with the DNS tab selected as default.
Step 4
Click Edit on the DNS page. The Edit VRF DNS dialog box appears with the following information.
Field
|
Description
|
VRF Name
|
Name of the VRF instance. You cannot edit the value in this field.
|
Domain Name
|
VRF-specific domain name.
|
Domain List
|
Domain List Entry
|
VRF-specific domain list entry to be added to the Domain List.
|
Name Servers
|
Name Server
|
VRF-specific name server IP address entry to be added to the Name Server List.
|
IP Hosts
|
Hostname
|
Hostname of the IP host.
|
IP Addresses
|
IP address of the IP host.
|
Step 5
Modify the appropriate values and Click OK.
Viewing AAA Entries
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object VRF from the subgroup folder. The VRF Details page appears.
Step 4
Select the AAA tab. The AAA page appears with the following information.
Field
|
Action/Description
|
Server Group Name
|
Name of the server group.
|
Servers in Group
|
Servers which are part of the server group.
|
Viewing Static Routes
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object VRF from the subgroup folder. The VRF Details page appears.
Step 4
Select the Static Routes tab. The Static Routes page appears with the following information.
Field
|
Action/Description
|
IP Address
|
IP address of the static route.
|
Net Mask
|
Net mask of static route.
|
Next Hop
|
Next hop IP address.
|
Metric
|
Administrative distance of the static route, in the range 1 to 255.
|
•
Click Add to add a Static Route.
•
Click Delete to delete a Static Route.
Adding a Static Route
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object VRF from the subgroup folder. The VRF Details page appears.
Step 4
Select the Static Routes tab. The Static Routes page appears.
Step 5
Click Add in the Static Routes page. The Add Static Route dialog box appears with the following information.
Field
|
Description
|
IP Address
|
IP Address of static route.
|
Net Mask
|
Netmask of static route.
|
Next Hop
|
Next hop IP address.
|
Metric
|
Administrative distance of the static route, in the range 1 to 255.
|
VRF Name
|
VRF Instance name.
|
Step 6
Enter the appropriate values and click OK.
Deleting Static Routes
Step 1
Select a Static Route from the Static Routes table and click Delete in the Static Routes page. The Delete Static Route pop-up appears.
Step 2
Click Yes.
Configuring Port Forward Lists for a Virtual Context
You can configure the set of applications whose traffic you want to forward using Port Forward Lists. You can view, add, edit and delete Port Forward Lists for a virtual context. You can also associate Group Policies to a Port Forward List.
•
Viewing Port Forward Lists
•
Adding a Port Forward List
•
Editing Port Forward List
•
Deleting Port Forward Lists
•
Associating Group Policies to a Port Forward List
•
Adding Port Forward Entries to a Port Forward List
•
Editing Port Forward Entries in a Port Forward List
•
Deleting Port Forward Entries from the Port Forward List
Viewing Port Forward Lists
You can configure the set of applications whose traffic you want to forward using Port Forward Lists.
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane. The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object Port Forwards from the subgroup folder. The Port Forward Lists page appears with the following information.
Field
|
Description
|
Name
|
Specifies a name for a list of forwarded ports.
|
No. of Port forwarding Entries
|
Number of Port forwarding entries in a list.
|
Associated Group Policies
|
Group policies associated with the Port Forward List.
|
The first Port forward List/Entry is selected by default. Select any Port Forward List from the table; the following details are displayed.
Field
|
Description
|
Local Port
|
Specifies the local port parameter for the local port that is listened upon; a local port value may be used only once within a given list name.
|
Remote Port
|
The port to connect to on the remote server.
|
Remote Server
|
The hostname or IP address to connect to on the remote server.
|
Description
|
An application name or short description to display on the end user applet window.
|
•
From the Port Forward Lists pane, select a Port Forward List and click Associate Group Policy to assign to Group Policies.
•
From the Port Forward Lists pane, click Add to add Port Forward List.
•
From the Port Forward Lists pane, select a Port Forward List and click Edit to edit Port Forward List.
•
From the Port Forward Lists pane, select a Port Forward List or multiple Port Forward Lists and click Delete to delete a Port Forward List or multiple Port Forward Lists.
•
From the Port Forward Lists pane, select a Port Forward List and click Add in the Port Forward Details pane to add a Port Forward Entry to the list.
•
From the Port Forward Lists pane, select a Port Forward List and click Edit in the Port Forward Details pane to edit a Port Forward Entry in the list.
•
From the Port Forward Lists pane, select a Port Forward List, select a Port Forward entry or multiple entries and click Delete in the Port Forward Details pane to delete a Port Forward Entry or multiple entries from the list.
Adding a Port Forward List
Step 1
Click Add in the Port Forward Lists pane of the Port Forward Lists page. The Add Port Forward List dialog box appears with the following fields.
Field | Description
Name | Specifies a name for the list of forwarded ports. The maximum length of the list name is 63 characters.
Add Port Forward Entry |
Local Port | Specifies the local port parameter for the local port that is listened upon; a local port value may be used only once within a given list name. Valid local ports are 1024 through 65535; ports up to 1024 are reserved.
Remote Port | The port to connect to on the remote server.
Remote Server | The hostname or IP address to connect to on the remote server.
Description | An application name or short description to display on the end user applet window.
Step 2
Enter the appropriate values, click Add and then click OK to add a Port Forward List. This will add a new Port Forward list to the table.
Select an entry or multiple entries and click Remove to remove an entry or entries from the table.
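The rules the Add Port Forward List dialog enforces (list name up to 63 characters, local port listened on only once per list, local ports in the 1024 to 65535 range, remote server given as a hostname or IP address) can be checked before a list is entered. The following is an added example written for this page; it is not CVDM-WebVPNSM or Cisco code. The hostname syntax check and the 1 to 65535 range for the remote port are assumptions of the example, since the page only says "hostname or IP address" and "the port to connect to on the remote server"; the sample list is constructed.

```python
"""Validate a port-forward list against the rules the procedure above states.
Added example for this page; it is not CVDM-WebVPNSM or Cisco code."""
from dataclasses import dataclass, field
import ipaddress
import re

MAX_LIST_NAME = 63      # page: list name is at most 63 characters
MIN_LOCAL_PORT = 1024   # page: ports up to 1024 are reserved on the end user PC
MAX_PORT = 65535

# Hostname label syntax (RFC 1123 style) is an assumption of this example;
# the page only says "hostname or IP address".
_HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class PortForwardEntry:
    local_port: int      # port the applet listens on at the end user's PC
    remote_port: int     # port to connect to on the remote server
    remote_server: str   # hostname or IP address of the remote server
    description: str = ""


@dataclass
class PortForwardList:
    name: str
    entries: list = field(default_factory=list)


def valid_remote_server(host: str) -> bool:
    """True for an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(host) and all(_HOST_LABEL.match(label) for label in host.split("."))


def validate_port_forward_list(pf: PortForwardList) -> list:
    """Return the problems found; an empty list means the list is acceptable."""
    problems = []
    if not pf.name or len(pf.name) > MAX_LIST_NAME:
        problems.append(f"list name must be 1-{MAX_LIST_NAME} characters")
    seen_local = set()
    for e in pf.entries:
        if not MIN_LOCAL_PORT <= e.local_port <= MAX_PORT:
            problems.append(f"local port {e.local_port} outside {MIN_LOCAL_PORT}-{MAX_PORT}")
        if e.local_port in seen_local:
            # page: a local port value may be used only once within a list
            problems.append(f"local port {e.local_port} used more than once in '{pf.name}'")
        seen_local.add(e.local_port)
        if not 1 <= e.remote_port <= MAX_PORT:  # assumption: any valid TCP port
            problems.append(f"remote port {e.remote_port} outside 1-{MAX_PORT}")
        if not valid_remote_server(e.remote_server):
            problems.append(f"remote server '{e.remote_server}' is not a hostname or IP address")
    return problems


# Constructed sample list: two good entries, then a reserved local port and a
# duplicate local port, both of which the dialog would refuse.
SAMPLE = PortForwardList("corp-apps", [
    PortForwardEntry(2222, 22, "10.0.0.5", "SSH to jumphost"),
    PortForwardEntry(3389, 3389, "rdp.example.internal", "Remote Desktop"),
    PortForwardEntry(80, 80, "intranet.example.internal", "reserved local port"),
    PortForwardEntry(2222, 23, "10.0.0.6", "duplicate local port"),
])

if __name__ == "__main__":
    for problem in validate_port_forward_list(SAMPLE):
        print("-", problem)
```

Running the block reports the reserved port 80 and the second use of local port 2222; the two valid entries produce no output, which is the state a list must be in before the dialog accepts it.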
Editing Port Forward List
Step 1
Select a Port Forward List and click Edit in the Port Forwarding Lists pane of the Port Forwarding Lists page. The Edit Port Forwarding List dialog box appears with the following fields.
Field | Description
Name | Specifies a name for the list of forwarded ports. You cannot edit the value in this field. The maximum length of the list name is 63 characters.
Add Port Forward Entry |
Local Port | Specifies the local port parameter for the local port that is listened upon; a local port value may be used only once within a given list name.
Remote Port | The port to connect to on the remote server.
Remote Server | The hostname or IP address to connect to on the remote server.
Description | An application name or short description to display on the end user applet window.
Step 2
Modify as appropriate and click Edit and then click OK to edit a Port Forwarding List.
Select an entry and click Remove to remove an entry from the table.
Deleting Port Forward Lists
Step 1
Select a Port Forward List or multiple Port Forward Lists and click Delete in the Port Forward Lists pane of the Port Forward Lists page. The Port Forward Delete Warning pop-up appears.
Step 2
Click Yes to delete the Port Forward List or lists.
Associating Group Policies to a Port Forward List
Step 1
Select a Port Forward List and click (Dis)Associate Group Policy in the Port Forwarding Lists pane of the Port Forwarding Lists page. The Assign to Group Policies window appears.
Step 2
Select the Group Policy you want to associate in the Select Group Policies selector and click Add to move it to the Selected Group Policies pane; this associates the Group Policy with the Port Forward List. To disassociate a Group Policy from the Port Forward List, select it in the Selected Group Policies pane and click Remove.
Step 3
Click OK.
Adding Port Forward Entries to a Port Forward List
Step 1
From the Port Forward Entry page, select a Port Forward List and click Add in the Port Forward Details pane. The Add Port Forward Entry to the List dialog box appears with the following fields.
Field | Description
Local Port | Specifies the local port parameter for the local port that is listened on; a local port value may be used only once within a given list name. The local port you select should be greater than 1024.
Remote Port | The port to connect to on the remote server.
Remote Server | The hostname or IP address to connect to on the remote server.
Description | An application name or short description to display on the end user applet window.
Step 2
Enter the appropriate values and click OK to add the Port Forward Entry.
Editing Port Forward Entries in a Port Forward List
Step 1
From the Port Forward Entry page, select a Port Forward List and click Edit in the Port Forward Details pane. The Edit Port Forward Entry of the List dialog box appears with the following fields.
Field | Description
Local Port | Specifies the local port parameter for the local port that is listened upon; a local port value may be used only once within a given list name.
Remote Port | The port to connect to on the remote server.
Remote Server | The hostname or IP address to connect to on the remote server.
Description | An application name or short description to display on the end user applet window.
Step 2
Modify the values as required and click Edit to edit the Port Forward Entry.
Deleting Port Forward Entries from the Port Forward List
Step 1
From the Port Forward Lists page, select a port forward entry or multiple port forward entries and click Delete in the Port Forward Details pane. The Port Forward Entry Warning pop-up appears.
Step 2
Click Yes to delete Port Forward entry or entries.
Configuring URL Lists for a Virtual Context
You can configure the set of URLs that are to be listed on a user's home page using this feature.
• Viewing URL Lists
• Adding a URL List
• Editing a URL List
• Deleting URL Lists
• Assigning Group Policies to a URL List
• Adding URL Links to a URL List
• Editing URL Links in a URL List
• Deleting URL Links from a URL List
Viewing URL Lists
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object URLs from the subgroup folder. The URL Lists page appears with the following information.
Field | Description
Name | Name of the URL List.
No of URL Links | Number of URL links in the URL List.
Associated Group Policies | Group Policies associated with the URL List.
Select any URL List from the table; the following details are displayed in the URL Links pane.
Field | Description
Heading | Heading text for the group of URLs.
Label | Text the user sees for the link on the homepage.
Link | The URL link, starting with http:// or https://.
Link used for OWA | Link used to access email using Outlook Web Access (OWA). This will append exchange to the link.
• From the URL Lists pane, select a URL List and click Associate Group Policy to assign it to Group Policies.
• From the URL Lists pane, click Add to add URL Lists.
• From the URL Lists pane, select a URL List and click Edit to edit the URL List settings.
• From the URL Lists pane, select a URL List or multiple URL Lists and click Delete to delete a URL List or multiple URL Lists.
• From the URL Lists pane, select a URL List and click Add in the URL Lists Details pane to add a URL Link to the list.
• From the URL Lists pane, select a URL List, select a URL entry in the URL Lists Details pane, and click Edit in the URL Lists Details pane to edit a URL entry in the list.
• From the URL Lists pane, select a URL List, select a URL entry or multiple entries in the URL Lists Details pane, and click Delete in the URL List Details pane to delete a URL Entry or multiple entries from the list.
Adding a URL List
Step 1
Click Add in the URL Lists pane of the URL Lists page. The Add URL List dialog box appears with the following fields.
Field | Description
Name | Name of the URL List.
Heading | Heading text for the group of URLs.
Add URL |
URL Label | Text the user sees for the link on the homepage.
Link | The URL link.
Use URL for OWA | Select the check box if you want the link used to access email using Outlook Web Access (OWA). This will append exchange to the link.
Step 2
Enter the appropriate values and click Add in the Add URL pane of the dialog box.
Select an entry or multiple entries and click Remove to remove an entry or multiple entries from the table.
Step 3
Click OK. The URL List will be added to the URL List table.
Editing a URL List
Step 1
Select a URL List from the URL List table and click Edit in the URL Lists pane of the URL Lists page. The Edit URL List dialog box appears with the following fields.
Field | Description
Name | Name of the URL List. You cannot edit the value in this field.
Heading | Heading text for the group of URLs.
Add URL |
URL Label | Text the user sees for the link on the homepage.
Link | The URL link.
Use URL for OWA | Select the check box if you want the link used to access email using Outlook Web Access (OWA). This will append exchange to the link.
Step 2
Modify the values as appropriate and click Add in the Add URL pane of the dialog box.
Select an entry or multiple entries and click Remove to remove an entry or multiple entries from the table.
Step 3
Click OK. The edited URL List will be updated in the URL List table.
Deleting URL Lists
Step 1
Select a URL List or multiple URL Lists from the URL List table and click Delete in the URL Lists pane of the URL Lists page. The URL List Delete Warning pop-up appears.
Step 2
Click Yes. The URL List or lists will be deleted from the URL List table.
Assigning Group Policies to a URL List
Step 1
Select a URL List and click (Dis)Associate Group Policy in the URL Lists pane of the URL Lists page. The Assign to Group Policies window appears.
Step 2
Select the Group Policy you want to associate in the Select Group Policies selector and click Add to move it to the Selected Group Policies pane; this associates the Group Policy with the URL List. To disassociate a Group Policy from the URL List, select it in the Selected Group Policies pane and click Remove.
Step 3
Click OK.
Adding URL Links to a URL List
Step 1
From the URL Lists page, select a URL List and click Add in the URL List Details pane. The Add URL to the List dialog box appears with the following fields.
Field | Description
URL Label | Text the user sees for the link on the homepage.
Link | The URL link.
Use URL for OWA | Select the check box if you want the link used to access email using Outlook Web Access (OWA). This will append exchange to the link.
Step 2
Enter the appropriate values and click OK.
Editing URL Links in a URL List
Step 1
From the URL Lists page, select a URL List and click Edit in the URL List Details pane. The Add URL to the List dialog box appears with the following fields.
Field | Description
URL Label | Text the user sees for the link on the homepage. You cannot edit the value in this field.
Link | The URL link.
Use URL for OWA | Select the check box if you want the link used to access email using Outlook Web Access (OWA). This will append exchange to the link.
Step 2
Enter the appropriate values and click OK.
Deleting URL Links from a URL List
Step 1
From the URL Lists page, select a URL link or multiple URL links and click Delete in the URL List Details pane. The URL Link Warning pop-up appears.
Step 2
Click Yes to delete URL link or URL links.
Configuring NBNS Lists for a Virtual Context
You can configure the NetBIOS Name Service (NBNS) used for Common Internet File System (CIFS) name resolution using this feature.
• Viewing NBNS Lists for a Virtual Context
• Adding an NBNS List
• Editing an NBNS List
• Deleting NBNS Lists
• Assigning NBNS Lists to Group Policies
• Adding NBNS Entries to an NBNS List
• Editing NBNS Entries in an NBNS List
• Deleting NBNS Entries from an NBNS List
Viewing NBNS Lists for a Virtual Context
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object NBNS Lists from the subgroup folder. The NBNS Lists page appears with the following information.
Field | Description
NetBios Name Servers List Names | List of NetBIOS name servers.
Number of NBNS Entries | Number of NBNS entries in the list.
Associated Group Policies | Group policies associated with the list.
Select any NBNS List from the table; the following details are displayed in the NBNS details pane.
Field | Description
NBNS Server IP Address | IP address of the NBNS server.
Number of retries | Number of retries made by the WebVPN blade to get a response for its query from the NBNS Server.
Timeout | Time in seconds that the WebVPN blade waits before sending another request to the NBNS server for the same query.
Is Master | The master NBNS server in the NBNS list, which will be queried first.
• From the NBNS Lists pane, select an NBNS List and click Associate Group Policy to assign it to Group Policies.
• From the NBNS Lists pane, click Add to add an NBNS List.
• From the NBNS Lists pane, select an NBNS List and click Edit to edit the selected NBNS List entry or add or delete entries from the list.
• From the NBNS Lists pane, select an NBNS List and click Delete to delete an NBNS List.
• From the NBNS Lists pane, select an NBNS List and click Add in the NBNS Lists Details pane to add an NBNS entry to the list.
• From the NBNS Lists pane, select an NBNS List and click Edit in the NBNS Lists Details pane to edit an NBNS entry in the list.
• From the NBNS Lists pane, select an NBNS List and click Delete in the NBNS List Details pane to delete an NBNS Entry from the list.
Adding an NBNS List
Step 1
Click Add in the NBNS Lists pane of the NBNS Lists page. The Add NBNS List dialog box appears with the following information.
GUI Element | Action/Description
Name | Name of the NBNS list (no more than 49 characters).
NBNS Server IP Address | IP address of the NBNS server.
Retries | Number of retries made by the WebVPN blade to get a response for its query from the NBNS server.
Timeout | Time in seconds that the WebVPN blade waits before sending another request to the NBNS server for the same query.
Master | Check this check box to make this server the master NBNS server in the NBNS list; the master is queried first.
Step 2
Add the appropriate values and click Add in the Add NBNS entry pane of the dialog box.
Select an entry or multiple entries and click Remove to remove an entry or entries from the table.
Step 3
Click OK.
Note
If you enter an existing IP address in the NBNS Server IP Address field, a warning message telling you the entry already exists and asking you whether you want to over-write the entry is displayed.
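The behaviour described in the Viewing and Adding sections above (the server IP address is the key, so re-entering an IP overwrites that entry; the master server is queried first; each server carries its own retry count and timeout; the list name is at most 49 characters) can be modelled in a few lines. The following is an added example written for this page, not CVDM-WebVPNSM or Cisco code. It assumes a single master per list and, for the worst-case wait figure, that a server receives one initial query plus `retries` re-sends spaced `timeout` seconds apart; neither accounting detail is stated on the page. The sample servers are constructed.

```python
"""Model an NBNS list the way the dialogs above treat it: the server IP address
is the key, so re-entering an IP overwrites that entry, and the master server
is queried first.  Added example for this page, not CVDM-WebVPNSM code."""
from dataclasses import dataclass
import ipaddress

MAX_LIST_NAME = 49   # page: NBNS list name is at most 49 characters


@dataclass
class NbnsServer:
    ip: str
    retries: int      # re-sends of a query before giving up on this server
    timeout: int      # seconds to wait before re-sending the same query
    master: bool = False


class NbnsList:
    """An ordered set of NBNS servers keyed by IP address."""

    def __init__(self, name: str):
        if not name or len(name) > MAX_LIST_NAME:
            raise ValueError(f"NBNS list name must be 1-{MAX_LIST_NAME} characters")
        self.name = name
        self._servers = {}   # ip -> NbnsServer; a dict keeps entry order

    def add(self, server: NbnsServer) -> bool:
        """Add an entry; an existing IP is overwritten, as the dialog warns.
        Returns True when an existing entry was replaced."""
        ip = str(ipaddress.ip_address(server.ip))   # ValueError on a bad address
        if server.retries < 0 or server.timeout <= 0:
            raise ValueError("retries must be >= 0 and timeout > 0 seconds")
        if server.master:
            # Assumption: one master per list, so an earlier master is demoted.
            for other in self._servers.values():
                other.master = False
        replaced = ip in self._servers
        self._servers[ip] = NbnsServer(ip, server.retries, server.timeout, server.master)
        return replaced

    def query_order(self) -> list:
        """Master first, then the remaining servers in the order they were entered."""
        masters = [s for s in self._servers.values() if s.master]
        others = [s for s in self._servers.values() if not s.master]
        return masters + others

    def worst_case_wait(self) -> int:
        """Seconds until every server in the list has been exhausted, assuming
        each gets its first query plus `retries` re-sends spaced `timeout`
        seconds apart.  That accounting is an assumption, not a page rule."""
        return sum(s.timeout * (s.retries + 1) for s in self.query_order())


# Constructed sample: two servers, then the first IP re-entered with new values,
# which overwrites the earlier entry instead of adding a second one.
SAMPLE = NbnsList("corp-wins")
SAMPLE.add(NbnsServer("10.0.0.10", retries=2, timeout=2))
SAMPLE.add(NbnsServer("10.0.0.11", retries=2, timeout=2, master=True))
REPLACED = SAMPLE.add(NbnsServer("10.0.0.10", retries=1, timeout=3))

if __name__ == "__main__":
    print("replaced existing entry:", REPLACED)
    print("query order:", [s.ip for s in SAMPLE.query_order()])
    print("worst-case wait (s):", SAMPLE.worst_case_wait())
```

The worst-case wait is the figure to keep an eye on when sizing retries and timeout: a CIFS name lookup through the portal cannot fail faster than the whole list is exhausted, so generous values on several servers translate directly into a slow file-browsing experience when a server is down.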
Editing an NBNS List
Step 1
Select an NBNS List and click Edit from the NBNS Lists pane of the NBNS Lists page. The Edit NBNS List dialog box appears with the following fields.
Field | Description
Name | Name of the NBNS list. The value in this field cannot be edited.
NBNS Server IP Address | IP address of the NBNS server.
Retries | Number of retries made by the WebVPN blade to get a response for its query from the NBNS server.
Timeout | Time in seconds that the WebVPN blade waits before sending another request to the NBNS server for the same query.
Master | The master NBNS server in the NBNS list, which will be queried first.
Step 2
Modify the values as appropriate and click Add in the Add NBNS entry pane of the dialog box.
Select an entry or multiple entries and click Remove to remove an entry or entries from the table.
Step 3
Click OK.
Note
If you enter an existing IP address in the NBNS Server IP Address field, a warning message telling you the entry already exists and asking you whether you want to over-write the entry is displayed.
Deleting NBNS Lists
Step 1
Select an NBNS List or multiple NBNS Lists and click Delete from the NBNS Lists pane of the NBNS Lists page. The NBNS Server Delete Warning pop-up appears, stating that the NBNS list or lists will be removed and that, if an NBNS list is associated with a group policy, the association will be removed too.
Step 2
Click OK.
Assigning NBNS Lists to Group Policies
Step 1
Select an NBNS List and click (Dis)Associate Group Policy in the NBNS Lists pane of the NBNS Lists page. The Assign to Group Policies window appears.
Step 2
Select the group policy or policies you want to associate from the Select Group Policies box and click Add. To disassociate a group policy, select it in the Selected Group Policies box and click Remove.
Step 3
Click OK once the Selected Group Policies box contains the list of group policies that you would like to associate with the selected NBNS list.
Adding NBNS Entries to an NBNS List
Step 1
From the NBNS Lists page, select an NBNS List and click Add in the NBNS List Details pane. The Add NBNS entry to the List dialog box appears with the following fields.
Field | Description
NBNS Server IP Address | IP address of the NBNS server.
Retries | Number of retries made by the WebVPN blade to get a response for its query from the NBNS server.
Timeout | Time in seconds that the WebVPN blade waits before sending another request to the NBNS server for the same query.
Master | Check this check box to make this server the master NBNS server in the NBNS list; the master is queried first.
Step 2
Enter the appropriate values and click OK.
Note
If you enter an existing IP address in the NBNS Server IP Address field, a warning message telling you the entry already exists and asking you whether you want to over-write the entry is displayed.
Editing NBNS Entries in an NBNS List
Step 1
From the NBNS Lists page, select an NBNS List, select the entry you would like to edit, and click Edit in the NBNS List Details pane. The Edit NBNS entry in the List dialog box appears with the following fields.
Field | Description
NBNS Server IP Address | IP address of the NBNS server. You cannot edit the value in this field.
Retries | Number of retries made by the WebVPN blade to get a response for its query from the NBNS server.
Timeout | Time in seconds that the WebVPN blade waits before sending another request to the NBNS server for the same query.
Master | The master NBNS server in the NBNS list, which will be queried first.
Step 2
Modify the appropriate values and click OK.
Deleting NBNS Entries from an NBNS List
Step 1
From the NBNS Lists page, select an NBNS entry or multiple NBNS entries and click Delete in the NBNS List Details pane. The NBNS Server Delete Warning pop-up appears, with the message that the selected entries from the NBNS list will be removed.
Step 2
Click Yes to delete NBNS Entry or entries.
Configuring Group Policies for a Virtual Context
You can configure a set of WebVPN-related attributes for a specific group of VPN users. This group policy configuration will take effect for those users once the client is successfully authenticated.
• Viewing Group Policies
• Viewing Individual Group Policy Details
• Adding Group Policies
• Editing Group Policies
• Deleting Group Policies
Viewing Group Policies
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder (virtual context) from the Virtual Contexts Group folder.
Step 3
Select the object Group Policies from the subgroup folder. The Group Policies page appears with the following information.
Field | Description
Name | Specifies the group policy name.
Clientless Mode |
Enabled | Specifies whether Clientless Mode is enabled or not.
URL List | This is the URL list associated with the specified Group Policy. This list must be part of the virtual context. If no URL list is associated with this Group Policy, then this field will be empty.
NBNS List | This is the NBNS list for CIFS associated with the specified Group Policy. This list must be part of the virtual context.
Thin Client Mode |
Enabled | Specifies whether Thin Client Mode is enabled.
PF List | This is the PF List associated with the specified Group Policy. This list must be part of the virtual context.
Tunnel Mode |
Status | Specifies the status of the Tunnel Mode. It will be Mandated, Enabled or Not Enabled (field will be empty). If the Tunnel Mode is mandated, the Clientless mode and Thin-Client mode will be automatically disabled even if they have been configured.
ACL | Specifies the Access Control List.
• Click Add to add a Group Policy.
• Click Edit to edit Group Policy Settings.
• Click Delete to delete Group Policy Settings.
Note
You can view individual Group Policy nodes by selecting each of the group policy nodes under the "Group Policies" object from the subgroup folder for each virtual context.
Viewing Individual Group Policy Details
You can view the details of an individual group policy node by selecting the group policy node under the "Group Policies" object, from the subgroup folder for a virtual context.
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder (virtual context) from the Virtual Contexts Group folder.
Step 3
Select the object Group Policies from the subgroup folder.
Step 4
Select the individual Group Policy node from under the object Group Policies. The Group Policies page for the individual node appears with the following information.
Field | Description
Policy Name | The group policy name.
Default Policy for the context | Specifies whether this Group Policy is the default for the virtual context.
Timeout |
Session | The maximum session timeout value for the user or group. The session timeout specifies the total session time, regardless of activity. Valid values for session timeout are from 1 to 1209600 seconds; the default value is 43200 seconds (12 hours).
Idle | The end-user idle timeout value for the user or group. The idle timeout specifies how long the end user may remain inactive before the session times out. Valid values for idle timeout are from 0 (disabled) to 3600 seconds; the default value is 2100 seconds (35 minutes).
Clientless Tab |
Web Browsing |
URL List Name | Specifies the URL list as defined in the virtual context configuration.
Hide URL bar on the Portal page | Disables the URL bar on the portal page.
CIFS |
NBNS Server List Name | Specifies the NBNS list for CIFS as defined in the virtual context configuration.
Enable File Browse | Enables the end user to browse file servers.
Enable File Entry | Enables the end user to enter file servers or shares directly.
Thin Client Tab |
Port Forward List Name | Specifies a name for a list of forwarded ports.
Tunnel tab |
Enable Tunnel Mode | Specifies whether to enable Tunnel Mode.
Don't Mandate Tunnel | Specifies not to mandate a tunnel.
Mandate Tunnel | Specifies to mandate a tunnel.
Keep SVC Installed | Specifies that the SVC remains installed on the end user client PC after the connection is closed. By keeping the SVC installed on the end user PC, the end user does not have to download the SVC again when a new connection is established.
ACL | Access Control List.
ReKey Time | Specifies when the WebVPN client re-keys the SSL tunnel and the re-key method used by the WebVPN client. Re-keying is disabled by default. If re-keying is enabled, the default method is SSL. Valid values for the time interval are 0 to 43200 seconds; the default is 21600 (6 hours).
Address Pool | Configures the local IP address pool to supply the SVC IP addresses.
Session Rekey method | SSL: the SSL keyword triggers the SVC to renegotiate SSL security parameters without terminating the existing tunnel. New Tunnel: the new-tunnel keyword terminates the existing tunnel and requests a new tunnel. The default method is SSL.
Homepage | Specifies the URL of the web page that is displayed when the end user logs in. The maximum length for the URL is 255 characters.
Name Servers |
Primary DNS Server | Specifies the primary DNS server for web browsing.
Secondary DNS Server | Specifies the secondary DNS server for web browsing.
Primary WINS Server | Specifies the primary WINS server.
Secondary WINS Server | Specifies the secondary WINS server.
DPD Time-out |
Client | Specifies the dead peer detection (DPD) interval values for the client, if tunnel-mode WebVPN is enabled for the user or group.
Gateway | Specifies the dead peer detection (DPD) interval values for the gateway or the client, if tunnel-mode WebVPN is enabled for the user or group.
Advanced Tunnel Tab |
Include Traffic | Specifies which traffic is tunneled to the private network.
Exclude Traffic | Specifies if traffic destined for an external (non-private) network is sent directly to the external website. Note: Include Traffic and Exclude Traffic are mutually exclusive settings.
IP Address | The network-id of the network which is either included or excluded.
Mask | Network mask for Include and Exclude Traffic.
Split DNS | Specifies the list of DNS suffixes (domains) to be resolved through the tunnel. The DNS name can either be a DNS server name or the IP address of the DNS server.
Domain Name | Specifies the domain name for Split DNS.
MSIE Proxy Settings | Specifies the Microsoft Internet Explorer (MSIE) browser proxy settings.
Proxy Options | Specifies the proxy options for MSIE.
None | Specifies that the browser does not use a proxy. This setting is the default.
Auto | Specifies that the browser proxy settings are automatically detected.
Bypass Local | Specifies that local addresses bypass the proxy.
Proxy Server | Specifies an IP address or DNS name that is used by all the proxy settings in the browser (HTTP, Secure, FTP, Gopher) except Socks. To specify a port, use the Port field.
Port | Specifies the proxy port.
Proxy Exception | Specifies a single DNS name or IP address for traffic that is not sent through a proxy.
Note
The fields in this page cannot be edited.
Click Edit to edit Group Policy details for the selected Group Policy.
Adding Group Policies
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder (virtual context) from the Virtual Contexts Group folder.
Step 3
Select the object Group Policies from the subgroup folder. The Group Policies main page appears.
Step 4
Click Add in the Group Policies main page. The Add Group Policy dialog box appears with the following information.
Field | Description
Policy Name | The group policy name.
Default Policy for the context | Specifies whether this group policy is the default for the virtual context. Check the check box to make this group policy the default for the virtual context, if a group policy has not already been set as default. If a group policy has already been set as default, a warning message will be displayed asking you for confirmation.
Timeout |
Session | The maximum session timeout value for the user or group. The session timeout specifies the total session time, regardless of activity. Valid values for session timeout are from 1 to 1209600 seconds; the default value is 43200 seconds (12 hours).
Idle | The end-user idle timeout value for the user or group. The idle timeout specifies how long the end user may remain inactive before the session times out. Valid values for idle timeout are from 0 (disabled) to 3600 seconds; the default value is 2100 seconds (35 minutes).
Clientless Tab |
Web Browsing |
URL List Name | Specifies the URL list as defined in the virtual context configuration.
Hide URL bar on the Portal page | Disables the URL bar on the portal page.
CIFS |
NBNS Server List Name | Specifies the NBNS list for CIFS as defined in the virtual context configuration.
Enable File Browse | Enables the end user to browse file servers.
Enable File Entry | Enables the end user to enter file servers or shares directly.
Thin Client Tab |
Port Forward List Name | Specifies a name for a list of forwarded ports.
Tunnel tab |
Enable Tunnel Mode | Specifies whether to enable Tunnel Mode.
Don't Mandate Tunnel | Specifies not to mandate a tunnel.
Mandate Tunnel | Specifies to mandate a tunnel.
Keep SVC Installed | Specifies that the SVC remains installed on the end user client PC after the connection is closed. By keeping the SVC installed on the end user PC, the end user does not have to download the SVC again when a new connection is established.
ACL | Access Control List.
Re-Key Time | Specifies when the WebVPN client re-keys the SSL tunnel and the re-key method used by the WebVPN client. Re-keying is disabled by default. If re-keying is enabled, the default method is SSL. Valid values for the time interval are 0 to 43200 seconds; the default is 21600 (6 hours).
Address Pool | Configures the local IP address pool to supply the SVC IP addresses.
Session Rekey method | SSL: the SSL keyword triggers the SVC to renegotiate SSL security parameters without terminating the existing tunnel. New Tunnel: the new-tunnel keyword terminates the existing tunnel and requests a new tunnel. The default method is SSL.
Homepage | Specifies the URL of the web page that is displayed when the end user logs in. The maximum length for the URL is 255 characters.
Name Servers |
Primary DNS Server | Specifies the primary DNS server for web browsing.
Secondary DNS Server | Specifies the secondary DNS server for web browsing.
Primary WINS Server | Specifies the primary WINS server.
Secondary WINS Server | Specifies the secondary WINS server.
DPD Time-out |
Client | Specifies the dead peer detection (DPD) interval values for the client, if tunnel-mode WebVPN is enabled for the user or group.
Gateway | Specifies the dead peer detection (DPD) interval values for the gateway or the client, if tunnel-mode WebVPN is enabled for the user or group.
Advanced Tunnel Tab |
Include Traffic | Specifies which traffic is tunneled to the private network.
Exclude Traffic | Specifies if traffic destined for an external (non-private) network is sent directly to the external website. Note: Include Traffic and Exclude Traffic are mutually exclusive settings.
IP Address | The network-id of the network which is either included or excluded.
Mask | Network mask for Include and Exclude Traffic.
Split DNS | Specifies the list of DNS suffixes (domains) to be resolved through the tunnel. The DNS name can either be a DNS server name or the IP address of the DNS server.
Domain Name | Specifies the domain name for split DNS.
MSIE Proxy Settings | Specifies the Microsoft Internet Explorer (MSIE) browser proxy settings.
Proxy Options | Specifies the proxy options for MSIE.
None | Specifies that the browser does not use a proxy. This setting is the default.
Auto | Specifies that the browser proxy settings are automatically detected.
Bypass Local | Specifies that local addresses bypass the proxy.
Proxy Server | Specifies an IP address or DNS name that is used by all the proxy settings in the browser (HTTP, Secure, FTP, Gopher) except Socks. To specify a port, use the Port field.
Port | Specifies the proxy port.
Proxy Exception | Specifies a single DNS name or IP address for traffic that is not sent through a proxy.
Step 5
Enter the appropriate values and click OK. The newly created group policy will be added to the selected virtual context. This will be displayed as a node under the object Group Policy.
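Several fields in the Add Group Policy dialog interact: the session, idle and re-key intervals have stated ranges and defaults, a mandated tunnel switches off Clientless and Thin Client mode even when they are configured (as the Tunnel Mode Status field in the Group Policies table states), the homepage URL is capped at 255 characters, and Include Traffic and Exclude Traffic are mutually exclusive. The following is an added example written for this page, not CVDM-WebVPNSM or Cisco code: it fills in the page's defaults, applies those rules, and reports the modes the user will actually get. The `disabled`/`enabled`/`mandated` spellings for tunnel mode, the `ssl`/`new-tunnel` method names and the use of network/prefix strings for Include and Exclude Traffic are the example's own representation; the two sample policies are constructed.

```python
"""Fill in defaults and check a group policy against the rules the Add Group
Policy dialog above states.  Added example for this page, not CVDM-WebVPNSM
or Cisco code; field names and value spellings are this example's own."""
from dataclasses import dataclass, field
import ipaddress
from typing import Optional

SESSION_RANGE, SESSION_DEFAULT = (1, 1_209_600), 43_200   # seconds; 12 hours
IDLE_RANGE, IDLE_DEFAULT = (0, 3_600), 2_100               # seconds; 0 disables
REKEY_RANGE, REKEY_DEFAULT = (0, 43_200), 21_600           # seconds; 6 hours
REKEY_METHODS = ("ssl", "new-tunnel")
MAX_HOMEPAGE = 255
TUNNEL_MODES = ("disabled", "enabled", "mandated")   # page: empty, Enabled, Mandated


@dataclass
class GroupPolicy:
    name: str
    clientless: bool = False
    thin_client: bool = False
    tunnel: str = "disabled"
    session_timeout: Optional[int] = None   # None means "use the default"
    idle_timeout: Optional[int] = None
    rekey_enabled: bool = False             # page: re-keying is off by default
    rekey_time: Optional[int] = None
    rekey_method: str = "ssl"
    homepage: str = ""
    include_traffic: list = field(default_factory=list)   # "network/prefix" strings
    exclude_traffic: list = field(default_factory=list)


def _check_range(value, bounds, what, problems):
    lo, hi = bounds
    if not lo <= value <= hi:
        problems.append(f"{what} {value} outside {lo}-{hi}")


def normalize(policy: GroupPolicy):
    """Return (effective settings, problems).  Defaults come from the page;
    problems is empty when the policy would be accepted."""
    problems = []
    session = SESSION_DEFAULT if policy.session_timeout is None else policy.session_timeout
    idle = IDLE_DEFAULT if policy.idle_timeout is None else policy.idle_timeout
    _check_range(session, SESSION_RANGE, "session timeout", problems)
    _check_range(idle, IDLE_RANGE, "idle timeout", problems)

    if policy.tunnel not in TUNNEL_MODES:
        problems.append(f"tunnel mode must be one of {TUNNEL_MODES}")
    mandated = policy.tunnel == "mandated"
    # Page: a mandated tunnel disables clientless and thin-client mode even if
    # they are configured, so report what the user will actually get.
    effective_clientless = policy.clientless and not mandated
    effective_thin_client = policy.thin_client and not mandated

    rekey_time = rekey_method = None
    if policy.rekey_enabled:
        rekey_time = REKEY_DEFAULT if policy.rekey_time is None else policy.rekey_time
        _check_range(rekey_time, REKEY_RANGE, "re-key time", problems)
        rekey_method = policy.rekey_method
        if rekey_method not in REKEY_METHODS:
            problems.append(f"re-key method must be one of {REKEY_METHODS}")

    if len(policy.homepage) > MAX_HOMEPAGE:
        problems.append(f"homepage URL longer than {MAX_HOMEPAGE} characters")

    if policy.include_traffic and policy.exclude_traffic:
        problems.append("Include Traffic and Exclude Traffic are mutually exclusive")
    for net in policy.include_traffic + policy.exclude_traffic:
        try:
            ipaddress.ip_network(net, strict=True)   # network-id plus mask, no host bits
        except ValueError:
            problems.append(f"'{net}' is not a network-id/mask")

    effective = {
        "session_timeout": session,
        "idle_timeout": idle,
        "clientless": effective_clientless,
        "thin_client": effective_thin_client,
        "tunnel": policy.tunnel,
        "rekey_time": rekey_time,
        "rekey_method": rekey_method,
    }
    return effective, problems


# Constructed sample policies, not taken from any real deployment.
EMPLOYEES = GroupPolicy("employees", clientless=True, thin_client=True,
                        tunnel="mandated", rekey_enabled=True,
                        include_traffic=["10.0.0.0/8"])
CONTRACTORS = GroupPolicy("contractors", clientless=True, idle_timeout=7200,
                          include_traffic=["10.0.0.0/8"],
                          exclude_traffic=["192.0.2.0/24"])

if __name__ == "__main__":
    for policy in (EMPLOYEES, CONTRACTORS):
        effective, problems = normalize(policy)
        print(policy.name, effective, problems or "ok")
```

The `employees` policy is accepted, but its effective settings show clientless and thin-client mode switched off by the mandated tunnel, which is easy to overlook when both check boxes are ticked in the dialog. The `contractors` policy is rejected for an idle timeout above 3600 seconds and for combining Include and Exclude Traffic.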
Editing Group Policies
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder (virtual context) from the Virtual Contexts Group folder.
Step 3
Select the object Group Policies from the subgroup folder.
Step 4
Select a Group Policy from the Group Policy page and click Edit. The Edit Group Policy dialog box appears with the following information.
Field | Description
Policy Name | The group policy name. You cannot edit the value in this field.
Default Policy for the context | Specifies whether this group policy is the default for the virtual context. Check the check box to make this group policy the default for the virtual context, if a group policy has not already been set as default. If a group policy has already been set as default, a warning message is displayed asking you for confirmation.
Timeout
Session | The maximum session timeout value for the user or group. The session timeout specifies the total session time, regardless of activity. Valid values for session timeout are from 1 to 1209600 seconds; the default value is 43200 seconds (12 hours).
Idle | The end-user idle timeout value for the user or group. The idle timeout specifies the permitted end-user inactivity. Valid values for idle timeout are from 0 (disabled) to 3600 seconds; the default value is 2100 seconds (35 minutes).
Clientless Tab
Web Browsing
URL List Name | Specifies the URL list as defined in the virtual context configuration.
Hide URL bar on the Portal page | Disables the URL bar on the portal page.
CIFS
NBNS Server List Name | Specifies the NBNS list for CIFS as defined in the virtual context configuration.
Enable File Browse | Enables the end user to browse file servers.
Enable File Entry | Enables the end user to enter file servers or shares directly.
Thin Client Tab
Port Forward List Name | Specifies a name for a list of forwarded ports.
Tunnel Tab
Enable Tunnel Mode | Specifies whether to enable Tunnel Mode.
Don't Mandate Tunnel | Specifies not to mandate a tunnel.
Mandate Tunnel | Specifies to mandate a tunnel.
Keep SVC Installed | Specifies that the SVC remains installed on the end-user client PC after the connection is closed. Because the SVC stays installed on the end-user PC, the end user does not have to download it again when a new connection is established.
ACL | Access Control List.
Re-Key Time | Specifies when the WebVPN client re-keys the SSL tunnel and the re-key method used by the WebVPN client. Re-keying is disabled by default. If re-keying is enabled, the default method is SSL. Valid values for the time interval are 0 to 43200 seconds; the default is 21600 (6 hours).
Address Pool | Configures the local IP address pool that supplies the SVC IP addresses.
Session Rekey method | SSL: the SSL keyword triggers the SVC to renegotiate SSL security parameters without terminating the existing tunnel. New Tunnel: the new-tunnel keyword terminates the existing tunnel and requests a new tunnel. The default method is SSL.
Homepage | Specifies the URL of the web page that is displayed when the end user logs in. The maximum length for the URL is 255 characters.
Name Servers
Primary DNS Server | Specifies the primary DNS server for web browsing.
Secondary DNS Server | Specifies the secondary DNS server for web browsing.
Primary WINS Server | Specifies the primary WINS server.
Secondary WINS Server | Specifies the secondary WINS server.
DPD Timeout
Client | Specifies the dead peer detection (DPD) interval values for the client, if tunnel-mode WebVPN is enabled for the user or group.
Gateway | Specifies the dead peer detection (DPD) interval values for the gateway or the client, if tunnel-mode WebVPN is enabled for the user or group.
Advanced Tunnel Tab
Include Traffic | Specifies which traffic is tunneled to the private network.
Exclude Traffic | Specifies whether traffic destined for an external (non-private) network is sent directly to the external website. Note: Include Traffic and Exclude Traffic are mutually exclusive settings.
IP Address | The network ID of the network that is included or excluded.
Mask | Network mask for the included or excluded traffic.
Split DNS | Specifies the list of DNS suffixes (domains) to be resolved through the tunnel. The DNS name can be either a DNS server name or the IP address of the DNS server.
Domain Name | Specifies the domain name for split DNS.
MSIE Proxy Settings | Specifies the Microsoft Internet Explorer (MSIE) browser proxy settings.
Proxy Options | Specifies the proxy options for MSIE.
None | Specifies that the browser does not use a proxy. This setting is the default.
Auto | Specifies that the browser proxy settings are automatically detected.
Bypass Local | Specifies that local addresses bypass the proxy.
Proxy Server | Specifies an IP address or DNS name that is used by all the proxy settings in the browser (HTTP, Secure, FTP, Gopher) except Socks. If you want to specify a port, do so using the Port field.
Port | Specifies the proxy port.
Proxy Exception | Specifies a single DNS name or IP address for traffic that is not sent through a proxy.
Step 5
Modify the appropriate values and click OK.
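The Timeout and Advanced Tunnel fields of a group policy carry enforcement rules that are easy to misread (the session limit applies regardless of activity, idle 0 means disabled, include and exclude lists are mutually exclusive). The following Python model is an added illustration and is not CVDM-WebVPNSM code; GroupPolicy, session_expired and is_tunneled are hypothetical names, and treating "neither list set" as a full tunnel is an assumption of the example, not a statement from this page.

```python
from dataclasses import dataclass, field
import ipaddress

SESSION_RANGE = (1, 1209600)  # seconds; default 43200 (12 hours)
IDLE_RANGE = (0, 3600)        # seconds; 0 disables the idle timeout, default 2100


@dataclass
class GroupPolicy:
    session_timeout: int = 43200
    idle_timeout: int = 2100
    include: list = field(default_factory=list)  # (IP Address, Mask) pairs tunneled
    exclude: list = field(default_factory=list)  # (IP Address, Mask) pairs sent directly

    def __post_init__(self):
        if not SESSION_RANGE[0] <= self.session_timeout <= SESSION_RANGE[1]:
            raise ValueError("session timeout outside 1..1209600 s")
        if not IDLE_RANGE[0] <= self.idle_timeout <= IDLE_RANGE[1]:
            raise ValueError("idle timeout outside 0..3600 s")
        if self.include and self.exclude:  # the two settings are mutually exclusive
            raise ValueError("Include Traffic and Exclude Traffic cannot both be set")
        self.include = [ipaddress.ip_network(n, strict=False) for n in self.include]
        self.exclude = [ipaddress.ip_network(n, strict=False) for n in self.exclude]


def session_expired(policy, started, last_activity, now):
    """True once the absolute session limit or the idle limit is reached.
    All arguments are epoch seconds; the session limit ignores activity."""
    if now - started >= policy.session_timeout:
        return True
    if policy.idle_timeout and now - last_activity >= policy.idle_timeout:
        return True
    return False


def is_tunneled(policy, dest):
    """Decide whether traffic to dest goes through the SSL tunnel.
    Include list: only the listed networks are tunneled. Exclude list: everything
    except the listed networks is tunneled. Neither list: assumed full tunnel
    (an assumption of this example, not taken from the page)."""
    ip = ipaddress.ip_address(dest)
    if policy.include:
        return any(ip in net for net in policy.include)
    if policy.exclude:
        return not any(ip in net for net in policy.exclude)
    return True
```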
Selecting an Address Pool
The Select Address Pool dialog displays the following fields:
Field | Description
Pool Name | Name of the pool.
Address Range | An IP address range.
Select an Address Pool and click OK. The selected address pool will be added to the Address Pool field.
Deleting Group Policies
Step 1
Select a Group Policy or multiple Group Policies from the Group policy page and click Delete. The Group Policy Delete Warning pop-up appears.
Step 2
Click Yes. The tree is refreshed with the existing set of group policies.
Configuring Connection Policies for a Virtual Context
You can view the connection policies for a virtual context and also edit the TCP and SSL Policies.
• Viewing Connection Policies
• Editing TCP Policies
• Editing SSL Policies
Viewing Connection Policies
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object Connection Policies from the subgroup folder. The Connection Policies page appears with the following information.
Field | Description
TCP Policy
Policy Name | Defines TCP policy templates. All defaults are assumed unless otherwise specified.
MSS (bytes) | Configures the maximum segment size (MSS), in bytes, that the connection identifies in the SYN packet that it generates. The default is 1460 bytes. The valid range is from 256 to 2460 bytes.
Nagle algorithm | When you enable the Nagle algorithm, small amounts of data written by the application are queued in the connection-send queue and are not sent until one of the following occurs: (1) data is pending and an ACK arrives that acknowledges the data that was previously sent; or (2) the application writes more data so that a full-sized segment is created and sent. When you disable the Nagle algorithm, no queueing of data occurs; all data written by the application is sent immediately. Nagle is enabled by default.
TOS Carryover | Forwards the type of service (ToS) value to all packets within a flow.
SYN Timeout | Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
Inactivity timeout | Configures the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
Reassembly timeout | Configures the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
FIN wait timeout | Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
Rx Buffer Share | Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
Tx Buffer Share | Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
Delayed ACK Threshold | Specifies the number of full-sized segments that must be received before a window-update ACK is sent. Valid values are 1 to 10 packets; the default value is 2.
Delayed ACK Timeout | Specifies the amount of time before a window-update ACK is sent. The default value is 200.
SSL Policy
Policy Name | Defines SSL policy templates.
Version | Defines the protocol versions supported by the proxy server.
Session Cache | Enables the session-caching feature. Session caching is enabled by default.
Session Timeout | Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
Session Cache Size | Specifies the size of the session cache. The valid range is from 1 to 262143 entries.
Handshake Timeout | Configures how long the module keeps the connection in the handshake phase. The valid range is from 0 to 65535 seconds.
Close Protocol | Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
TLS Version Rollback | Specifies the version of the SSL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
Acceptable Cipher Suites | Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as existing SSL stacks.
• Click Edit in the TCP policy pane to edit a TCP policy.
• Click Edit in the SSL policy pane to edit an SSL policy.
Editing TCP Policies
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object Connection Policies from the subgroup folder. The Connection Policies page appears with the following information.
Step 4
Click Edit in the TCP Policy pane on the Connection Policies page. The Edit Virtual Context TCP Policy dialog box appears with the following information.
Field | Description
Policy Name | Defines TCP policy templates. All defaults are assumed unless otherwise specified.
General
MSS (bytes) | Configures the maximum segment size (MSS), in bytes, that the connection identifies in the SYN packet that it generates. The default is 1460 bytes. The valid range is from 256 to 2460 bytes.
Nagle algorithm | When you enable the Nagle algorithm, small amounts of data written by the application are queued in the connection-send queue and are not sent until one of the following occurs: (1) data is pending and an ACK arrives that acknowledges the data that was previously sent; or (2) the application writes more data so that a full-sized segment is created and sent. When you disable the Nagle algorithm, no queueing of data occurs; all data written by the application is sent immediately. The Nagle algorithm is enabled by default.
TOS Carryover | Forwards the type of service (ToS) value to all packets within a flow.
Timers
SYN Timeout | Configures the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.
Inactivity timeout | Configures the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
Reassembly timeout | Configures the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is from 0 to 960 seconds (0 = disabled).
FIN wait timeout | Configures the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.
Rx Buffer Share | Configures the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
Tx Buffer Share | Configures the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.
ACK
Delayed ACK Threshold | Specifies the number of full-sized segments that must be received before a window-update ACK is sent. Valid values are 1 to 10 packets; the default value is 2.
Delayed ACK Timeout | Specifies the amount of time before a window-update ACK is sent. The default value is 200.
Step 5
Modify the values as appropriate and click OK.
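The Nagle behaviour described in the Connection Policies table and again in the Edit TCP Policy table is easiest to reason about as a send-queue simulation: sub-MSS writes wait in the connection-send queue until outstanding data is acknowledged or a full segment accumulates, while a disabled Nagle sends every write at once. The class below is an added illustration, not module code; NagleSender is a hypothetical name and the byte strings are constructed input.

```python
MSS_RANGE = (256, 2460)  # bytes; the TCP policy default MSS is 1460


class NagleSender:
    """Toy model of one TCP connection's send side under the TCP policy's
    Nagle setting. Segments are returned as byte strings, never transmitted."""

    def __init__(self, mss=1460, nagle=True):
        if not MSS_RANGE[0] <= mss <= MSS_RANGE[1]:
            raise ValueError("MSS outside the policy's valid range 256..2460")
        self.mss = mss
        self.nagle = nagle
        self.queue = b""   # connection-send queue: written but unsent data
        self.unacked = 0   # bytes sent and not yet acknowledged by the peer
        self.sent = []     # segments put on the wire, in order

    def _emit(self, data):
        self.sent.append(data)
        self.unacked += len(data)

    def write(self, data):
        """Application write; returns the segments sent as a direct result."""
        before = len(self.sent)
        if not self.nagle:
            self._emit(data)  # Nagle disabled: no queueing, send immediately
            return self.sent[before:]
        self.queue += data
        # Situation 2: enough data for a full-sized segment is sent at once.
        while len(self.queue) >= self.mss:
            self._emit(self.queue[:self.mss])
            self.queue = self.queue[self.mss:]
        # A small remainder may only go out when nothing is in flight.
        if self.queue and self.unacked == 0:
            self._emit(self.queue)
            self.queue = b""
        return self.sent[before:]

    def ack(self, nbytes):
        """Peer acknowledges nbytes. Situation 1: the ACK for previously sent
        data releases the small data that was pending in the queue."""
        before = len(self.sent)
        self.unacked = max(0, self.unacked - nbytes)
        if self.queue and self.unacked == 0:
            self._emit(self.queue)
            self.queue = b""
        return self.sent[before:]
```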
Editing SSL Policies
Step 1
Click Setup in the taskbar and Virtual Contexts in the left-most pane.
The Virtual Contexts page is displayed.
Step 2
Select any subgroup folder from the Virtual Contexts Group folder.
Step 3
Select the object Connection Policies from the subgroup folder. The Connection Policies page appears with the following information.
Step 4
Click Edit in the SSL Policy pane on the Connection Policies page. The Edit Virtual Context SSL Policy dialog box appears with the following information.
Field | Description
Policy Name | Defines SSL policy templates.
Version | Defines the protocol versions supported by the proxy server.
Session Cache | Enables the session-caching feature. Session caching is enabled by default.
Session Timeout | Configures the amount of time that an entry is kept in the session cache. The valid range is from 1 to 72000 seconds.
Session Cache Size | Specifies the size of the session cache. The valid range is from 1 to 262143 entries.
Handshake Timeout | Configures how long the module keeps the connection in the handshake phase. The valid range is from 0 to 65535 seconds.
Close Protocol | Configures the SSL close-protocol behavior. Close-protocol is disabled by default.
TLS Version Rollback | Specifies the version of the SSL protocol (SSL2.0, SSL3.0, TLS1.0) in the ClientHello message. TLS rollback is disabled by default.
Acceptable Cipher Suites | Configures a list of cipher-suite names acceptable to the proxy server. The cipher-suite names follow the same convention as existing SSL stacks.
Step 5
Modify the values as appropriate and click OK.
How Do I Setup a Virtual Context?
To set up a virtual context, follow the procedure in Adding Virtual Contexts. The virtual context links the previously configured address resolution, gateway, and authentication configurations.
The following parameters are mandatory to make a virtual context operational:
• A valid name.
• A gateway associated with this virtual context.
• A NAT range in the same subnet as the WebVPN interface used for return traffic (required for clientless and thin-client modes).
• An authentication list specifying the AAA server group for RADIUS authentication.
• A VRF if the virtual context is VRF-specific.
After a virtual context is created:
• To configure clientless mode, configure the URL lists and the group policy.
• To access email using Outlook Web Access (OWA), configure the URL list to point to the Microsoft Exchange server (for example, http://ipaddr/exchange).
• To configure thin-client mode, configure the list of ports to forward and the group policy.
• To configure file sharing using the Common Internet File System (CIFS), configure the NetBIOS name service (NBNS) list and server address and the group policy.
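A pre-flight check for the mandatory parameters listed above, including the requirement that the NAT range lie in the same subnet as the WebVPN interface, catches a non-operational context before it is committed. This is an added example and not CVDM-WebVPNSM code; VirtualContext and readiness_problems are hypothetical names, and the addresses in the usage below are constructed.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class VirtualContext:
    name: str
    gateway: str = ""             # virtual gateway associated with the context
    webvpn_interface: str = ""    # interface address with prefix, e.g. "10.1.1.1/24"
    nat_range: tuple = ()         # (first, last) NAT addresses for return traffic
    auth_list: str = ""           # authentication list naming the AAA server group
    vrf_specific: bool = False
    vrf: str = ""
    modes: set = field(default_factory=set)  # subset of {"clientless", "thin-client", "tunnel"}


def readiness_problems(ctx):
    """Return the mandatory parameters that are missing or inconsistent.
    An empty list means the context satisfies the checklist above."""
    problems = []
    if not ctx.name.strip():
        problems.append("name")
    if not ctx.gateway:
        problems.append("gateway")
    if not ctx.auth_list:
        problems.append("authentication list")
    if ctx.vrf_specific and not ctx.vrf:
        problems.append("vrf")
    # The NAT range is only mandatory for clientless and thin-client modes, and
    # must sit in the same subnet as the WebVPN interface used for return traffic.
    if ctx.modes & {"clientless", "thin-client"}:
        if len(ctx.nat_range) != 2 or not ctx.webvpn_interface:
            problems.append("nat range")
        else:
            subnet = ipaddress.ip_interface(ctx.webvpn_interface).network
            first, last = (ipaddress.ip_address(a) for a in ctx.nat_range)
            if not (first in subnet and last in subnet and first <= last):
                problems.append("nat range not in webvpn interface subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample: addresses are placeholders, not from a real deployment.
    ctx = VirtualContext(name="ctx-demo", gateway="gw1", webvpn_interface="10.1.1.1/24",
                         nat_range=("10.1.1.100", "10.1.1.120"),
                         auth_list="radius-list", modes={"clientless"})
    print(readiness_problems(ctx) or "context is operational")
```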