Table Of Contents
Configuring Group Policies
Overview of Group Policies, Tunnel Groups, and Users
Group Policies
Default Group Policy
Configuring Group Policies
Configuring an External Group Policy
Adding an External Group Policy
Editing an External Group Policy
Configuring an Internal Group Policy
Configuring Internal Group Policy General Attributes
Configuring Tunneling Protocols
Configuring the ACL Filter
Configuring General VPN Connection Settings Attributes
Configuring WINS and DNS Servers and DHCP Scope
Configuring IPSec Attributes
Configuring Reauthentication on IKE Rekey
Configuring IP Compression
Configuring Perfect Forward Secrecy
Configuring Tunnel Group Locking
Configuring Client Access Rules
Configuring Client Configuration Parameters
Configuring the Banner Message
Configuring Domain Attributes for Tunneling
Configuring Split-Tunneling Attributes
Configuring Cisco Client Parameters
Configuring Firewall Attributes
Configuring Attributes for VPN Hardware Clients
Configuring Group-Policy WebVPN Attributes
Configuring Group-Policy WebVPN Function Tab Attributes
Configuring Content Filtering Tab Attributes
Configuring the User Homepage
Enabling Port Forwarding (WebVPN Application Access) for a Group Policy
Configuring Server and List Arguments Using the WebVPN Other Tab
Configuring the SSL VPN Client Tab Attributes
Configuring Group Policies
This chapter describes how to configure VPN group policies using ASDM. This chapter includes the following sections.
• Overview of Group Policies, Tunnel Groups, and Users
• Group Policies
• Default Group Policy
• Configuring Group Policies
• Configuring an External Group Policy
• Configuring an Internal Group Policy
Groups, group policies, tunnel groups, and users, are interdependent. In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure group policies.
Overview of Group Policies, Tunnel Groups, and Users
Although this chapter deals only with group policies, you should understand the context in which these group policies exist. Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. Tunnel groups identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.
Tunnel groups and group policies simplify system management. To streamline the configuration task, the security appliance provides a default LAN-to-LAN tunnel group, a default remote access tunnel group, a default WebVPN tunnel group, and a default group policy (DfltGrpPolicy). The default tunnel groups and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they "inherit" parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.
If you decide to grant identical rights to all VPN users, then you do not need to configure specific tunnel groups or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Tunnel groups and group policies provide the flexibility to do so securely.
Note
The security appliance also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see Cisco Security Appliance Command Line Configuration Guide, Chapter 13, "Identifying Traffic with Access Lists."
Group Policies
A group policy is a set of user-oriented attribute/value pairs for IPSec connections that are stored either internally (locally) on the device or externally on a RADIUS or LDAP server. A tunnel group uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user. You can also modify the group-policy attributes for a specific user.
To assign a group policy to users or to modify a group policy for specific users, select Configuration > VPN > General > Group Policy (Figure 4-1).
Figure 4-1 Group Policy Window
You can configure internal and external group policies. Internal groups are configured on the security appliance internal database. External groups are configured on an external authentication server, such as RADIUS or LDAP. Group policies include the following attributes:
• Identity
• Server definitions
• Client firewall settings
• Tunneling protocols
• IPSec settings
• Hardware client settings
• Filters
• Client configuration settings
• WebVPN functions
• Connection settings
Default Group Policy
The security appliance supplies a default group policy, named DfltGrpPolicy, which always exists on the security appliance. This default group policy does not take effect unless you configure the security appliance to use it. DfltGrpPolicy is always an internal group policy. You can modify this default group policy, but you cannot delete it. When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy.
The Group Policy window lets you manage VPN group policies. Configuring the default VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.
The "child" windows, tabs, and dialog boxes let you configure the default group parameters. These parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this default group, and users can "inherit" parameters from their group or the default group. You can override these parameters as you configure groups and users.
To modify the default group policy, select DfltGrpPolicy in the table on the Group Policy window and click Edit. The Edit Internal Group Policy: DfltGrpPolicy window appears (Figure 4-2):
Figure 4-2 Edit Internal Group Policy: DfltGrpPolicy Window
To change any of the attributes of the default group policy, work through the selections on the various tabs on the Edit Internal Group Policy: DfltGrpPolicy window, just as you would for any other internal group policy, as described in Configuring an Internal Group Policy.
The default group policy, DfltGrpPolicy, that the security appliance supplies has the following attributes:
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
backup-servers keep-client-config
port-forward-name value Application Access
Configuring Group Policies
This section includes the following sections:
• Default Group Policy
• Adding an External Group Policy
• Editing an External Group Policy
• Configuring Internal Group Policy General Attributes
• Configuring IPSec Attributes
• Configuring Client Configuration Parameters
• Configuring Attributes for VPN Hardware Clients
• Configuring Group-Policy WebVPN Attributes
A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter, the group takes the value from the default group policy. To configure (add or modify) a group policy, follow the steps in the subsequent sections.
If you click Add, a small menu appears giving you the option to create a new internal group policy, or an external group policy that is stored externally on a RADIUS or LDAP server. Both the Add Internal Group Policy window and the Edit Group Policy window include six tabbed sections. If you click the WebVPN tab, you expose six additional tabs. Click each tab to display its parameters. As you move from tab to tab, the security appliance retains your settings. When you have finished setting parameters on all tabbed sections, click OK or Cancel.
In these dialog boxes, you configure the following kinds of parameters:
• General Parameters: Protocols, filtering, connection settings, and servers.
• IPSec Parameters: IP Security tunneling protocol parameters and client access rules.
• Client Configuration Parameters: Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.
• Client FW Parameters: VPN Client personal firewall requirements.
• Hardware Client Parameters: Interactive hardware client and individual user authentication; network extension mode.
• WebVPN Parameters: SSL VPN access.
Before configuring these parameters, you should configure:
• Access hours.
• Rules and filters.
• IPSec Security Associations.
• Network lists for filtering and split tunneling.
• User authentication servers, and specifically the internal authentication server.
Configuring an External Group Policy
External group policies take their attribute values from the external server that you specify. For an external group policy, you must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group. If you are using an external authentication server, keep in mind that usernames and group names must be unique. When naming a group, do not pick a name that matches the name of any external user. Conversely, when assigning a name to an external user, do not choose the name of any existing group.
The security appliance supports user authorization on an external LDAP or RADIUS server. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow the instructions in the Cisco Security Appliance Command Line Configuration Guide, Appendix E, "Configuring an External Server for Security Appliance User Authorization" to configure your external server.
Adding an External Group Policy
The following steps explain how to add an external group policy.
Step 1
To add an external group policy, select Configuration > VPN > General > Group Policy, click Add, and select External Group Policy from the menu (Figure 4-3).
Figure 4-3 Adding an External Group Policy
The Add External Group Policy dialog box appears (Figure 4-4).
Figure 4-4 Add External Group Policy Dialog Box
To configure the attributes of the new external group policy, do the following steps, specifying a name and type for the group policy, along with the server-group name and a password.
Step 2
Enter a name for the group policy and a password for the server. Then select a server group from the list or click New to create a new server group. When you click New, a menu appears. Select either a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box (Figure 4-5). Click OK when done.
Note
For an external group policy, RADIUS is the only supported AAA server type.
Figure 4-5 Add AAA Server Group Dialog Box
Step 3
Configure the AAA server group parameters. The Add AAA Server Group dialog box lets you configure a new AAA server group with the following attributes. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.
• Server Group—Specifies the name of the server group.
• Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group. For an external group policy, this is always RADIUS.
• Accounting Mode—(RADIUS and TACACS+ protocols only) Indicates whether to use simultaneous or single accounting mode. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group.
• Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.
• Dead Time—Specifies, for depletion mode, the number of minutes that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. This field is not available for timed mode.
• Max Failed Attempts—Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive.
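The Reactivation Mode, Dead Time, and Max Failed Attempts settings above interact: in Depletion mode a single failed server stays inactive until every server in the group has failed, and only then does the Dead Time countdown start. The following Python model is an added illustration of that behaviour (it is not Cisco code and does not talk to a real appliance); the class and method names, the server names radius-1 and radius-2, and the event timings are all constructed for the example. It lets you trace which server the group would try next at each point in time.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Server:
    name: str
    failed_attempts: int = 0
    active: bool = True
    deactivated_at: float = 0.0


class ServerGroup:
    """Hypothetical model of AAA server group failover (constructed for this example)."""

    TIMED_REACTIVATION_S = 30  # Timed mode: a failed server returns after 30 seconds

    def __init__(self, servers: List[Server], reactivation_mode: str = "depletion",
                 dead_time_min: int = 10, max_failed_attempts: int = 3):
        if reactivation_mode not in ("depletion", "timed"):
            raise ValueError("reactivation mode must be 'depletion' or 'timed'")
        if not 1 <= max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts must be an integer from 1 through 5")
        self.servers = list(servers)
        self.mode = reactivation_mode
        self.dead_time_s = dead_time_min * 60   # Dead Time is entered in minutes
        self.max_failed = max_failed_attempts
        self.depleted_at: Optional[float] = None  # when the last server went inactive

    def active_servers(self) -> List[Server]:
        return [s for s in self.servers if s.active]

    def next_server(self) -> Optional[Server]:
        """First active server in configured order, or None when the group is depleted."""
        active = self.active_servers()
        return active[0] if active else None

    def record_failure(self, server: Server, now: float) -> None:
        """A connection attempt to `server` failed at time `now` (seconds)."""
        server.failed_attempts += 1
        if server.failed_attempts >= self.max_failed:
            server.active = False
            server.deactivated_at = now
            if self.mode == "depletion" and not self.active_servers():
                self.depleted_at = now  # last server disabled: Dead Time starts here

    def record_success(self, server: Server) -> None:
        server.failed_attempts = 0

    def tick(self, now: float) -> None:
        """Reactivate servers according to the group's mode."""
        if self.mode == "timed":
            for s in self.servers:
                if not s.active and now - s.deactivated_at >= self.TIMED_REACTIVATION_S:
                    s.active, s.failed_attempts = True, 0
        elif self.depleted_at is not None and now - self.depleted_at >= self.dead_time_s:
            for s in self.servers:  # depletion mode re-enables all servers together
                s.active, s.failed_attempts = True, 0
            self.depleted_at = None


def _name(server: Optional[Server]) -> Optional[str]:
    return server.name if server else None


def depletion_scenario() -> List[tuple]:
    """Two servers, Depletion mode, Dead Time 10 minutes, Max Failed Attempts 3."""
    g = ServerGroup([Server("radius-1"), Server("radius-2")], "depletion",
                    dead_time_min=10, max_failed_attempts=3)
    trace = []
    for t in range(0, 3):          # radius-1 fails three times: inactive at t=2
        g.record_failure(g.servers[0], t)
    trace.append((2, _name(g.next_server())))      # radius-2 now takes requests
    for t in range(3, 6):          # radius-2 fails three times: group depleted at t=5
        g.record_failure(g.servers[1], t)
    trace.append((5, _name(g.next_server())))      # nobody left to query
    g.tick(604); trace.append((604, _name(g.next_server())))  # 599 s later: still depleted
    g.tick(605); trace.append((605, _name(g.next_server())))  # Dead Time elapsed: all back
    return trace


def timed_scenario() -> List[tuple]:
    """One server, Timed mode, Max Failed Attempts 3: it returns 30 s after going inactive."""
    g = ServerGroup([Server("radius-1")], "timed", max_failed_attempts=3)
    trace = []
    for t in range(0, 3):
        g.record_failure(g.servers[0], t)          # inactive at t=2
    trace.append((2, _name(g.next_server())))
    g.tick(31); trace.append((31, _name(g.next_server())))   # 29 s down: not yet
    g.tick(32); trace.append((32, _name(g.next_server())))   # 30 s down: reactivated
    return trace


if __name__ == "__main__":
    print("depletion:", depletion_scenario())
    print("timed:", timed_scenario())
```

The point of the trace is the gap between t=5 and t=605 in the depletion scenario: while the group is depleted, authentication requests for an external group policy have no server to go to, so Dead Time is effectively how long users can be locked out after a transient AAA outage.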
Note
You can configure several vendor-specific attributes (VSAs), as described in Cisco Security Appliance Command Line Configuration Guide Appendix E, "Configuring an External Server for Security Appliance User Authorization". If a RADIUS server is configured to return the Class attribute (#25), the security appliance uses that attribute to authenticate the Group Name. On the RADIUS server, the attribute must be formatted as: OU=groupname; where groupname is identical to the Group Name configured on the security appliance—for example, OU=Finance.
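Because the Class attribute has to be formatted exactly as OU=groupname; with a name identical to a configured Group Name, a misformatted or misspelled value on the RADIUS server silently fails to map the user to the intended group. The following Python audit is an added example, not Cisco code: it checks Class values exported from a RADIUS user database against the set of configured group-policy names. The group names, the sample records, and the exact-match rule (the guide says "identical", so the example does not fold case) are constructed assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple, Union

# Constructed: the Group Names configured on the security appliance.
CONFIGURED_GROUP_POLICIES = {"Finance", "Support", "MIS"}

# The required form: OU=, the group name, a terminating semicolon, nothing else.
_CLASS_RE = re.compile(r"^OU=([^;]+);$")


def group_from_class(value: Union[str, bytes]) -> Optional[str]:
    """Return the group name carried by a RADIUS Class (#25) value, or None if
    the value is not in the OU=groupname; form the guide requires."""
    if isinstance(value, bytes):  # Class is an octet string on the wire
        value = value.decode("ascii", errors="replace")
    match = _CLASS_RE.match(value)
    return match.group(1) if match else None


def audit_class_values(records: Iterable[Tuple[str, str]],
                       configured=CONFIGURED_GROUP_POLICIES) -> List[Tuple[str, str, str]]:
    """For each (username, class_value) pair report:
       MATCH     - well-formed and names a configured group policy
       UNKNOWN   - well-formed but no such group policy exists (exact match)
       MALFORMED - not in the OU=groupname; form at all"""
    report = []
    for user, raw in records:
        name = group_from_class(raw)
        if name is None:
            report.append((user, raw, "MALFORMED"))
        elif name in configured:
            report.append((user, raw, "MATCH"))
        else:
            report.append((user, raw, "UNKNOWN"))
    return report


# Constructed sample records, each showing a different way the attribute can go wrong.
SAMPLE_RECORDS = [
    ("alice", "OU=Finance;"),   # correct
    ("bob",   "OU=finance;"),   # case differs from the configured name
    ("carol", "OU=Support"),    # trailing semicolon missing
    ("dave",  "Finance"),       # OU= prefix missing
    ("erin",  "OU=Sales;"),     # no such group policy on the appliance
]

if __name__ == "__main__":
    for user, raw, verdict in audit_class_values(SAMPLE_RECORDS):
        print(f"{user:6} {raw:14} {verdict}")
```

Run it against a real export before cutting users over to an external group policy; every UNKNOWN or MALFORMED row is a user who will land in the default group policy rather than the one intended.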
If the server group name that you specify does not contain any servers, you see the following message (Figure 4-6):
Figure 4-6 Empty Server Group Message
To add servers to a group, select Configuration > Properties > AAA Setup > AAA Groups. To continue after seeing this message, click OK. To exit the external group configuration procedure, click Cancel.
Editing an External Group Policy
The procedures for editing a group policy are similar to those for adding, except that when you click Edit on the Group Policy window, the Edit Group Policy window appears, with the Name field already filled in. The rest of the fields on this window are the same. You can also add a AAA server group when you edit an external group policy. See Steps 2 and 3 of Adding an External Group Policy.
Configuring an Internal Group Policy
Internal group policies are configured on the security appliance internal database. To configure the attributes of the new internal group policy, do the following steps.
Step 1
To add or edit an internal group policy, select Configuration > VPN > General > Group Policy. The Group Policy window appears (Figure 4-7).
Figure 4-7 Group Policy Window, Add Internal Group Policy
Step 2
Click Add or Edit.
• If you are adding an internal group policy, select Internal Group Policy from the menu. The Add Internal Group Policy window appears (Figure 4-8).
• If you are editing an internal group policy, the Edit Internal Group Policy window appears.
The contents of these windows are similar, the only difference being that for editing, the Name field is display-only. Because of this similarity, the following procedures show only the Add Internal Group Policy window.
Figure 4-8 Add Internal Group Policy Window
This window offers several tabs, on which you configure function-specific attributes. In most cases, you can check the Inherit check box to take the corresponding setting from the default group policy. Allowing inheritance can greatly simplify the configuration process. You can explicitly configure those attributes that you do not want to be inherited. The following sections explain how to configure the group policy attributes for an internal group policy.
Configuring Internal Group Policy General Attributes
The Add or Edit Internal Group Policy window, General tab lets you configure tunneling protocols, ACL filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Clearing the Inherit check box lets you configure specific values.
The following sections explain how to configure the values of each of the attributes in the General tab.
Configuring Tunneling Protocols
Select the tunneling protocol or protocols that this group can use. Users can use only the selected protocols. You must configure at least one tunneling mode for users to connect over a VPN tunnel. The default is IPSec.
The choices are as follows:
• IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec. When you check the IPSec check box, the security appliance negotiates an IPSec tunnel between two peers (a remote access client or another secure gateway) and creates security associations that govern authentication, encryption, encapsulation, and key management.
• WebVPN—VPN via SSL/TLS. Checking the WebVPN check box provides VPN services to remote users via an HTTPS-enabled web browser and does not require a client (either hardware or software). This protocol uses a web browser to establish a secure remote-access tunnel to a security appliance. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
Note
If no protocol is selected, an error message appears.
To remove a protocol attribute from the running configuration, clear the check box for that protocol.
Configuring the ACL Filter
Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. You configure ACLs to permit or deny various types of traffic for this group policy. (You can also configure this attribute in username mode, in which case the value configured under username supersedes the group-policy value.)
Note
The security appliance supports only an inbound ACL on an interface.
At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), it is denied. ACEs are referred to as rules in this topic.
To specify that you want the group policy to inherit the filter from the default group policy, click the Inherit check box. To specify a different filter, either select a filter from the menu or select None. With any of these options, you do not add or modify an existing filter, so you can skip to Configuring General VPN Connection Settings Attributes in these instructions.
To create a new filter (ACL) or modify an existing filter, click Manage. The ACL Manager dialog box (Figure 4-9) appears. In this dialog box, you can add, edit, and delete Access Control Lists (ACLs) and their access control entries (ACEs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.
To remove an ACL from the group policy, select None from the menu. To delete a group policy from the configuration, click Delete in the ACL Manager dialog box.
A group policy can inherit this value from another group policy. To prevent inheriting a value, select None instead of specifying an ACL name. The None option indicates that there is no access list and sets a null value, thereby disallowing an access list.
Note
A group policy can inherit this value from another group policy. This is the default behavior and is indicated by a checked Inherit check box.
However, you do not know at the configuration time what values the group policy is inheriting. To ensure that no ACL is associated with a particular group policy, clear the Inherit check box and select None in the ACL (Filter/Web-VPN ACL ID/...) drop-down list.
If you are dealing with one of the default group policies, the part about inheritance is inapplicable, so only selecting None is relevant.
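The inheritance rules above (unspecified attributes come from DfltGrpPolicy, a username can override its group, and an explicit None for the ACL filter is a null value rather than an inherited one) are easy to get wrong in a large configuration. The following Python model is an added example, not Cisco code or ASDM behaviour: it resolves the effective value of an attribute through the user, group, and default levels, and lists which groups are silently inheriting a given attribute. The attribute names come from the DfltGrpPolicy listing in Default Group Policy except acl-filter, which is a hypothetical key standing for the General tab Filter setting; the ACL names, group policies, and user are constructed.

```python
from typing import Any, Dict, List, Optional

# Sentinel for "the Inherit check box is checked": fall through to the next level.
INHERIT = "<inherit>"

# Constructed default group policy. acl-filter is a hypothetical attribute name.
DFLT_GRP_POLICY: Dict[str, Any] = {
    "vpn-simultaneous-logins": 3,
    "vpn-tunnel-protocol": {"IPSec"},
    "split-tunnel-policy": "tunnelall",
    "acl-filter": "VPN-DEFAULT-ACL",     # constructed ACL name
}

# Constructed group policies. Finance inherits its filter; Support has the
# Inherit box cleared and None selected, which is an explicit null (no ACL).
FINANCE = {"vpn-simultaneous-logins": 1, "acl-filter": INHERIT,
           "vpn-tunnel-protocol": INHERIT, "split-tunnel-policy": INHERIT}
SUPPORT = {"vpn-simultaneous-logins": INHERIT, "acl-filter": None,
           "vpn-tunnel-protocol": INHERIT, "split-tunnel-policy": INHERIT}
GROUPS = {"Finance": FINANCE, "Support": SUPPORT}

# Constructed user in Finance whose username attributes override the group.
ALICE = {"acl-filter": "ALICE-ACL"}


def effective_value(attr: str, default: Dict[str, Any], group: Dict[str, Any],
                    user: Optional[Dict[str, Any]] = None) -> Any:
    """Username settings override the group policy, which overrides the default
    group policy. A level that is missing the attribute, or has it set to
    INHERIT, falls through; an explicit None is a real value and stops the search."""
    for level in ((user or {}), group, default):
        if attr in level and level[attr] is not INHERIT:
            return level[attr]
    raise KeyError(f"{attr} is not set at any level")


def effective_policy(default: Dict[str, Any], group: Dict[str, Any],
                     user: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """The full set of values a connection under this group/user actually gets."""
    return {attr: effective_value(attr, default, group, user) for attr in default}


def groups_inheriting(attr: str, groups: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of group policies whose value for `attr` depends on the default policy."""
    return sorted(name for name, g in groups.items() if g.get(attr, INHERIT) is INHERIT)


def filter_after_default_change(new_default_acl: str) -> Dict[str, Any]:
    """What each group's effective filter becomes if an administrator later changes
    the default group policy's filter: inheriting groups follow, explicit ones do not."""
    changed = dict(DFLT_GRP_POLICY, **{"acl-filter": new_default_acl})
    return {name: effective_policy(changed, g)["acl-filter"] for name, g in GROUPS.items()}


if __name__ == "__main__":
    print("Finance filter:", effective_policy(DFLT_GRP_POLICY, FINANCE)["acl-filter"])
    print("Support filter:", effective_policy(DFLT_GRP_POLICY, SUPPORT)["acl-filter"])
    print("alice filter:  ", effective_value("acl-filter", DFLT_GRP_POLICY, FINANCE, ALICE))
    print("inheriting acl-filter:", groups_inheriting("acl-filter", GROUPS))
    print("after default change:", filter_after_default_change("NEW-DEFAULT-ACL"))
```

The groups_inheriting check is the practical one: before changing an attribute on DfltGrpPolicy, it tells you which group policies will change with it, which is exactly what the guide says you otherwise do not know at configuration time.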
Figure 4-9 ACL Manager Dialog Box
The fields in this dialog box are as follows:
• # column—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.
• Rule Enabled—Enables or disables a rule. Implicit rules cannot be disabled.
• Action—Shows the action that applies to the rule, either Permit or Deny.
• Source Host/Network—Shows the IP addresses that are permitted or denied to send traffic to the IP addresses listed in the Destination Host/Network column. An address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.
• Destination Host/Network—Shows the IP addresses that are permitted or denied to send traffic to the IP addresses listed in the Source Host/Network column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses in square brackets; for example [209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.
• Service—Names the service and protocol specified by the rule.
• Log Level Interval—Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and choose Edit Log Option. The Log Options window appears.
• Time Range—Shows the name of the time range to be applied in this rule. The time range specifies the access hours during which the user can connect using this group policy. The default value is Not Applied, meaning that there is no restriction on when the user can connect.
• Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule." To edit the description, right-click this column, and choose Edit Description.
Rules are applied in the order in which they appear in the table in the ACL Manager dialog box. To move a rule up or down in the list, click Move Up or Move Down. To delete a rule, click Delete. To add a filter rule, click Add ACE. To edit a filter rule, click Edit ACE. The Add or Edit Extended Access List Rule dialog box appears (Figure 4-10).
Figure 4-10 Add Extended Access List Rule
This dialog box lets you configure whether to permit or deny traffic, specify a time range to apply or define a new time range, configure the syslog options, specify the source and destination host or network, specify the protocol, service (source and destination ports) to which to apply this rule and manage the service groups. Optionally, you can also enter a description of this rule. Your entries here appear in the Configure ACLs table in the ACL Manager dialog box.
Configuring Syslog Options (Extended Access List Rule Dialog Box)
To specify the system log as something other than the default syslog, click More Options in the Syslog area. The Log Options dialog box appears (Figure 4-11), in which you can configure the system log options.
Figure 4-11 Syslog Dialog Box—Log Options
Log Options
The Log Options dialog box lets you set logging options for each access control entry (also called a rule) for an access control list. Conduits and outbound lists do not support logging. See the online Help for Configuration > Properties > Logging > Logging Setup and subsequent windows for an explanation of how to set global logging options.
The Log Options dialog box lets you choose the type of logging mechanism to use:
• The default logging behavior is that if a packet is denied, then the security appliance generates log message 106023. If a packet is permitted, no syslog message appears. Select this option to return to the default logging behavior.
• Enable logging for the rule. The security appliance generates a syslog message when a new flow is permitted or denied by the rule. Subsequent syslog messages are generated at the end of an interval to summarize the hit count of the flow. The default interval is 300 seconds. You may specify another interval, from 1 through 600 seconds.
By default, syslog messages are generated at the informational level (level 6). You can select a different level of logging messages to be sent to the syslog server from the drop-down list in the Syslog Level field. Logging levels are as follows:
– Emergency (level 0)—The security appliance does not use this level.
– Alert (level 1, immediate action needed)
– Critical (level 2, critical condition)
– Error (level 3, error condition)
– Warning (level 4, warning condition)
– Notification (level 5, normal but significant condition)
– Informational (level 6, informational message only)
– Debugging (level 7, appears during debugging only)
If a packet matches the ACE, the security appliance creates a flow entry to track the number of packets received within a specific interval (see the Logging Interval field that follows). The security appliance generates a syslog message at the first hit and at the end of each interval, identifying the total number of hits during the interval. At the end of each interval, the security appliance resets the hit count to 0. If no packets match the ACE during an interval, the security appliance deletes the flow entry.
Note
Logging consumes a certain amount of memory when enabled.
• Logging Interval—Sets the amount of time in seconds (1-600) the security appliance waits before sending the flow statistics to the syslog. This setting also serves as the timeout value for deleting a flow if no packets match the ACE. The default is 300 seconds.
• Disable logging for the rule—Disables all logging for the ACE. No syslog messages appear.
Note
Ignore the "Advanced Options" section of this dialog box. This dialog box is reachable from several different paths, and the information in this section does not apply to all paths.
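To make the per-rule logging behaviour above concrete (one message on the first hit of a flow, a summary with the hit count at the end of every interval, the count reset to 0, and the flow entry deleted after an interval with no hits), here is an added Python simulation. It is not Cisco code and does not reproduce the appliance's message formats or numbers; the class, the flow key, the 10-second interval, and the packet timings are constructed for the example. It is useful when sizing the Logging Interval: a short interval gives finer-grained summaries, while the guide's note that logging consumes memory is the number of live flow entries the model keeps.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowEntry:
    interval_start: float   # start of the interval currently being counted
    hits: int               # packets matched so far in that interval


class AceFlowLogger:
    """Hypothetical model of per-ACE flow logging (constructed for this example)."""

    def __init__(self, interval_s: int = 300):
        if not 1 <= interval_s <= 600:
            raise ValueError("Logging Interval must be 1 through 600 seconds")
        self.interval = interval_s
        self.flows: Dict[str, FlowEntry] = {}   # memory the logging feature consumes
        self.messages: List[str] = []

    def _close_intervals(self, now: float) -> None:
        """Emit summaries for every interval that has ended before `now`."""
        for key in list(self.flows):
            entry = self.flows[key]
            while entry.interval_start + self.interval <= now:
                end = entry.interval_start + self.interval
                if entry.hits == 0:
                    # No packets matched during the interval: drop the flow entry.
                    del self.flows[key]
                    self.messages.append(f"t={end:g} flow {key} deleted: no hits in last interval")
                    break
                self.messages.append(f"t={end:g} flow {key}: {entry.hits} hits in last {self.interval}s")
                entry.hits = 0                 # hit count resets at the interval boundary
                entry.interval_start = end

    def packet(self, key: str, action: str, now: float) -> None:
        """A packet matched the ACE at time `now` (seconds)."""
        self._close_intervals(now)
        entry = self.flows.get(key)
        if entry is None:
            self.flows[key] = FlowEntry(now, 1)
            self.messages.append(f"t={now:g} {action} flow {key}: first hit")
        else:
            entry.hits += 1

    def finish(self, now: float) -> List[str]:
        self._close_intervals(now)
        return self.messages


def simulate(events: List[Tuple[float, str, str]], interval_s: int = 10,
             end_time: float = 30) -> List[str]:
    """Replay (time, flow key, action) events and return the syslog messages produced."""
    log = AceFlowLogger(interval_s)
    for t, key, action in sorted(events):
        log.packet(key, action, t)
    return log.finish(end_time)


# Constructed events: a VPN client retrying telnet to an internal host; the rule denies it.
KEY = "tcp 192.0.2.5->198.51.100.20:23"
SAMPLE_EVENTS = [(0, KEY, "deny"), (3, KEY, "deny"), (7, KEY, "deny"), (25, KEY, "deny")]

if __name__ == "__main__":
    for line in simulate(SAMPLE_EVENTS):
        print(line)
```

With a 10-second interval the three packets at t=0, 3, and 7 produce a first-hit message and one summary at t=10; the empty interval ending at t=20 deletes the flow, so the packet at t=25 is reported as a new first hit rather than folded into a summary.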
Configuring the Source and Destination Host/Network Area
Use this area to identify the source and destination networks. Specify the following parameters for both the source and destination areas:
• Source and Destination Host/Network IP Address—Click this radio button to identify the networks by IP address, interface name, or group.
• IP address—When you select the IP Address radio button, use this field to specify the IP address of the host or network.
• Mask—Select the subnet mask of the host or network.
• Name—The interface on which the host or network resides.
• Group—Select the name of a group of networks and hosts that you grouped together on the Hosts/Networks tab.
Configuring Protocol and Service Area Attributes
Use this area to specify the protocol and type of service for this rule. The content of these areas depends on your protocol choice.
• Protocol—Select the protocol for the rule. Possible values are TCP, UDP, ICMP, and IP.
• Source/Destination Port Service (TCP and UDP)—Click this option to specify a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP, that the ACL uses to match packets. The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range). With either of these protocol choices, the Manage Service Groups button becomes active. See Managing Service Groups.
• Source Port Service Group—(TCP and UDP) Select a service group from the drop-down list.
• Protocol and Service, ICMP, ICMP Type—Select the ICMP type for the rule in the ICMP type box. The browse button (indicated by ...) displays the Service dialog box, which lets you select an ICMP type from a preconfigured list.
• Protocol and Service, IP, IP Protocol—Specifies the IP protocol for the rule in the IP protocol box. The browse button (...) displays the Protocols dialog box, which lets you select an IP protocol from a preconfigured list.
Managing Service Groups
Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.
You can create service groups for TCP, UDP, and TCP-UDP. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.
In the Protocol and Service area of the Add Extended Access List rule dialog box, you configure the connection protocol and the type of service or the service group for the source and destination ports. If you do not want to make any changes, go on to the Description field. To manage these service groups, click Manage Service Groups. The Manage Service Groups dialog box (Figure 4-12) appears.
Figure 4-12 Manage Service Groups Dialog Box
The Manage Service Groups dialog box lets you associate multiple TCP, UDP, or TCP-UDP services (ports) in a named group. You can then use the service group in an access or IPSec rule, a conduit, or other functions within ASDM and the CLI.
The term service refers to higher layer protocols associated with application level services having well known port numbers and "literal" names such as ftp, telnet, and smtp.
The security appliance permits the following TCP literal names: bgp, chargen, cmd, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, www.
The Name of a service group must be unique to all four types of object groups. For example, a service group and a network group may not share the same name.
Multiple service groups can be nested into a "group of groups" and used the same as a single group. When a service object group is deleted, it is removed from all service object groups where it is used.
If a service group is used in an access rule, do not remove it. A service group used in an access rule cannot be made empty.
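The pieces described in this section and in Configuring the ACL Filter (rules evaluated in table order with the first match winning, the implicit deny at the end, the port operators =, not =, >, <, and range, and service groups that bundle non-contiguous ports such as HTTP, FTP, and ports 5, 8, and 9) fit together as follows. The Python below is an added example of that evaluation logic, not Cisco code and not how the appliance implements ACLs internally; the ACL, the service group name, and the addresses (RFC 5737 documentation ranges) are constructed. It returns both the action and the rule number that decided it, which is what you want when checking a filter before attaching it to a group policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class ServiceGroup:
    """Named set of non-contiguous ports, as built in the Manage Service Groups dialog."""
    name: str
    protocol: str                               # "tcp", "udp" or "tcp-udp"
    ports: frozenset = frozenset()
    ranges: Tuple[Tuple[int, int], ...] = ()

    def matches(self, proto: str, port: int) -> bool:
        if self.protocol != "tcp-udp" and proto != self.protocol:
            return False
        return port in self.ports or any(lo <= port <= hi for lo, hi in self.ranges)


@dataclass(frozen=True)
class PortMatch:
    """Operator form from the rule dialog: =, not =, >, <, range."""
    op: str
    lo: int
    hi: Optional[int] = None                    # used only by range

    def matches(self, proto: str, port: int) -> bool:
        if self.op == "=":
            return port == self.lo
        if self.op == "not =":
            return port != self.lo
        if self.op == ">":
            return port > self.lo
        if self.op == "<":
            return port < self.lo
        if self.op == "range":
            return self.lo <= port <= self.hi
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class ACE:
    action: str                                 # "permit" or "deny"
    protocol: str                               # "tcp", "udp", "icmp" or "ip"
    src: str                                    # CIDR network
    dst: str
    dst_service: Union[PortMatch, ServiceGroup, None] = None
    description: str = ""


def evaluate(acl: List[ACE], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, rule number). Rules are tried in table order and the first
    match wins; a packet matching no rule hits the implicit deny (rule number None)."""
    for number, ace in enumerate(acl, start=1):
        if ace.protocol != "ip" and ace.protocol != proto:
            continue
        if (ip_address(src) not in ip_network(ace.src, strict=False)
                or ip_address(dst) not in ip_network(ace.dst, strict=False)):
            continue
        if ace.dst_service is not None:
            if dport is None or not ace.dst_service.matches(proto, dport):
                continue
        return ace.action, number
    return "deny", None


# Constructed example: VPN pool 192.0.2.0/24, internal network 198.51.100.0/24.
WEB_FTP_TOOLS = ServiceGroup("WEB-FTP-TOOLS", "tcp", frozenset({80, 443, 21, 5, 8, 9}))
DENY_TELNET = ACE("deny", "tcp", "192.0.2.0/24", "198.51.100.0/24", PortMatch("=", 23), "no telnet")
BROAD_PERMIT = ACE("permit", "tcp", "192.0.2.0/24", "198.51.100.0/24", PortMatch("range", 1, 65535))

VPN_FILTER = [
    ACE("permit", "tcp", "192.0.2.0/24", "198.51.100.10/32", WEB_FTP_TOOLS, "app server"),
    DENY_TELNET,
    ACE("permit", "udp", "192.0.2.0/24", "198.51.100.53/32", PortMatch("=", 53), "DNS"),
    ACE("permit", "tcp", "192.0.2.0/24", "198.51.100.0/24", PortMatch(">", 1023), "high ports"),
]

if __name__ == "__main__":
    for pkt in [("tcp", "192.0.2.5", "198.51.100.10", 443), ("tcp", "192.0.2.5", "198.51.100.10", 5),
                ("tcp", "192.0.2.5", "198.51.100.20", 23), ("tcp", "192.0.2.5", "198.51.100.20", 22),
                ("udp", "192.0.2.5", "198.51.100.53", 53), ("icmp", "192.0.2.5", "198.51.100.20", None)]:
        print(pkt, "->", evaluate(VPN_FILTER, *pkt))
```

The BROAD_PERMIT rule exists to show why rule order matters: placed before DENY_TELNET it shadows it completely, and telnet is permitted by rule 1; placed after it, telnet is denied by rule 1. The Move Up and Move Down buttons in the ACL Manager are how you fix that ordering.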
The fields in the Manage Service Groups dialog box are as follows:
• Manage a group of TCP/UDP services/ports—Select one of the following options:
– TCP—Select this option to add TCP services or port numbers to an object group.
– UDP—Select this option to add UDP services or port numbers to an object group.
– TCP-UDP—Select this option to add services or port numbers that are common to TCP and UDP to an object group.
• The Service Group table—This table contains a descriptive name for each service object group. To modify or delete a group on this list, select the group and choose Edit or Delete. To add a new group to this list, choose Add. Clicking Add or Edit opens the Add or Edit Service Group dialog box (Figure 4-13).
Figure 4-13 Add Service Group Dialog Box
Adding or Editing a Service Group
The Add or Edit Service Group dialog box lets you manage a group of TCP/UDP services/ports. The fields are as follows:
•
Service Group Name—Specifies the name of the service group. The name must be unique for all object groups. A service group name cannot share a name with a network group.
•
Description—Specifies a description of the service group.
•
Service—Lets you select services for the service group from a predefined drop-down list.
•
Range/Port #—Lets you specify a range of ports for the service group.
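As an added example (not from the original guide), the CLI form of what the Manage Service Groups and Add Service Group dialog boxes build: a TCP group, a TCP-UDP group, a nested group of groups, and an access list entry that uses the nested group. The group and access list names are constructed for this example.

```text
! Added example: TCP service group (names are constructed, not from the guide)
object-group service WEB_PORTS tcp
  description Web front-end ports
  port-object eq www
  port-object eq 443
  port-object range 8080 8081
!
! Ports common to TCP and UDP go in a tcp-udp group (the TCP-UDP option in ASDM)
object-group service DNS_PORTS tcp-udp
  port-object eq domain
!
! A "group of groups": nest WEB_PORTS and add one more literal service
object-group service CORP_SERVICES tcp
  group-object WEB_PORTS
  port-object eq smtp
!
! Use the nested group as the destination port set of an access rule.
! While this rule exists, CORP_SERVICES cannot be emptied or deleted;
! remove the rule first, then edit the group.
access-list FIRSTGROUP_FILTER extended permit tcp any 10.0.0.0 255.0.0.0 object-group CORP_SERVICES
```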
Configuring General VPN Connection Settings Attributes
Follow the steps in this section to configure attributes that set the values of VPN connection attributes. These attributes control the access hours, the number of simultaneous logins allowed, the timeouts, the name of the ACL to use for VPN connections, and the tunnel protocol. For all the attributes in this section, you can check the Inherit check box to allow the group policy to inherit a value from the default group policy.
Configuring Access Hours
The VPN access hours determine when users in this group can connect to the security appliance. To set the VPN access hours, you associate a group policy with a previously configured time-range policy, which determines the actual access hours.
A time range is a variable specifying the range of access hours during which a user can connect to the security appliance using this group policy. You select the name of this variable from a menu when you want to restrict access hours.
To view the characteristics of the existing time ranges, select Configuration > Global Objects > Time Ranges. To select an existing time range to use with an ACL filter, choose a name from the drop-down Time Range menu in the Add/Edit Extended Access List Rule dialog box. To specify no time range restriction for this filter, choose Not Applied from the menu. In either case, since you are not defining a new time range, skip to Configuring Syslog Options (Extended Access List Rule Dialog Box).
You can check the Inherit check box to allow the group policy to inherit the access hours variable from the default group policy. If you choose this option, skip to Configuring Simultaneous Logins.
To define a new time range, click New in the Time Range area in the Add Extended Access List Rule dialog box. The Add Time Range dialog box appears (Figure 4-14).
Figure 4-14 Add Time Range Dialog Box
First, specify a name for this time range. When needed, you select this time range by choosing this name from a drop-down list when you configure a group policy with a time range.
Specify the starting and ending times. If you configure specific starting and ending times, note that these times are inclusive.
You can further constrain the active time of this range by specifying recurring time ranges, which are active within the start and end times specified. To remove a recurring time range, select the range and click Delete. To add or edit a recurring time range, click Add or Edit. The Add or Edit Recurring Time Ranges dialog box appears (Figure 4-15).
Figure 4-15 Add or Edit Recurring Time Ranges Dialog Box
Specify the recurring time ranges either as days of the week and times on which this recurring range is active or as a weekly interval when this recurring range is active, and click OK. Click OK to complete the configuration on the Add Time Range dialog box.
Configuring Simultaneous Logins
Specify the number of simultaneous logins allowed for any user. The default value is 3. The value is an integer in the range 0 through 2147483647. A group policy can inherit this value from another group policy. Enter 0 to disable login and prevent user access.
Caution 
While the maximum limit for the number of simultaneous logins is very large, allowing several could compromise security and affect performance.
Configuring Maximum Connect Time
Configure a maximum amount of time for VPN connections. At the end of this period of time, the security appliance terminates the connection. To allow unlimited connection time, check the Unlimited check box. To configure a specific time limit, clear the Unlimited check box. This makes the minutes field available. The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value.
Configuring User Idle Timeout
Configure the user idle timeout period by either checking the Unlimited check box or specifying a number of minutes that the system can remain idle. If there is no communication activity on the connection in this period, the security appliance terminates the connection. The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes.
Configuring WINS and DNS Servers and DHCP Scope
You can configure primary and secondary WINS servers and DNS servers and the DHCP scope. The default value in each case is none. To configure these attributes, do the following steps:
Step 1
Specify the primary and secondary DNS servers. The first IP address specified is that of the primary DNS server. The second (optional) IP address is that of the secondary DNS server. Leaving the first field blank instead of providing an IP address sets DNS servers to a null value, which allows no DNS servers and prevents inheriting a value from a default or specified group policy.
Every time that you enter a DNS Server value, you overwrite the existing setting. For example, if you configure the primary DNS server as 10.10.10.15 and later configure the primary DNS server to be 10.10.10.30, the later specification overwrites the first, and 10.10.10.30 becomes the primary DNS server.
Step 2
Specify the primary and secondary WINS servers. The first IP address specified is that of the primary WINS server. The second (optional) IP address is that of the secondary WINS server. Specifying the none keyword instead of an IP address sets WINS servers to a null value, which allows no WINS servers and prevents inheriting a value from a default or specified group policy.
Every time that you enter the wins-server command, you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same is true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.
The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named FirstGroup:
Step 3
Specify the DHCP scope; that is, the range of IP addresses that the security appliance DHCP server should use to assign addresses to users of this group policy.
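The General tab settings described above (access hours, simultaneous logins, timeouts, DNS, WINS and DHCP scope), including the WINS server example the text refers to for the group policy FirstGroup, as an added CLI example that is not part of the original guide. The time-range name, the timeout values and the DHCP scope address are constructed for this example; the DNS/WINS addresses are those used in the text.

```text
! Added example (not from the guide): General tab for FirstGroup in CLI form.
! Time range referenced by the access hours setting (name and dates constructed).
time-range BUSINESS_HOURS
  absolute start 00:00 1 January 2006 end 23:59 31 December 2006
  periodic weekdays 08:00 to 18:00
!
group-policy FirstGroup internal
group-policy FirstGroup attributes
  vpn-access-hours value BUSINESS_HOURS
  ! One login per user: the Caution above notes that allowing several
  ! weakens security and affects performance.
  vpn-simultaneous-logins 1
  ! Maximum connect time and idle timeout, both in minutes
  vpn-session-timeout 480
  vpn-idle-timeout 15
  ! Primary and secondary servers in one command. A later dns-server or
  ! wins-server command overwrites the whole list, so list every server.
  dns-server value 10.10.10.15 10.10.10.30
  wins-server value 10.10.10.15 10.10.10.30
  ! Scope the DHCP server uses for addresses handed to this group (constructed)
  dhcp-network-scope 10.10.20.0
!
! Null value versus inheritance, as the text describes them:
!   wins-server none   sets a null value and blocks inheriting from the default group policy
!   no wins-server     removes the setting so the value is inherited again
```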
Configuring IPSec Attributes
The IPSec tab on the Add or Edit Internal Group Policy window lets you specify security attributes for this group policy. Figure 4-16 shows the IPSec tab.
Figure 4-16 Add Internal Group Policy Window, IPSec Tab
Check an Inherit check box to let the corresponding setting take its value from the default group policy. The following sections explain how to configure the attributes on this tab.
Configuring Reauthentication on IKE Rekey
Specify whether to require that users reauthenticate on IKE rekey by choosing Enable or Disable. If you enable reauthentication on IKE rekey, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security. Reauthentication on IKE rekey is disabled by default if you clear the Inherit check box.
If the configured rekey interval is very short, users might find the repeated authentication requests inconvenient. To avoid repeated authentication requests, disable reauthentication. To check the configured rekey statistics, select Monitoring > VPN > VPN Statistics > Crypto Statistics to view the security association statistics.
Note
Reauthentication fails if there is no user at the other end of the connection.
Configuring IP Compression
Specify whether to enable IP compression, which is disabled by default. Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.
Caution 
Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.
To enable or disable LZS IP compression, select Enable or Disable.
Configuring Perfect Forward Secrecy
Specify whether to enable perfect forward secrecy. In IPSec negotiations, perfect forward secrecy ensures that each new cryptographic key is unrelated to any previous key. A group policy can inherit a value for perfect forward secrecy from the default group policy if you check the Inherit check box. Otherwise, perfect forward secrecy is disabled by default. To enable or disable perfect forward secrecy, select Enable or Disable.
Configuring Tunnel Group Locking
Specify whether to restrict remote users to access only through the tunnel group, by enabling or disabling the Tunnel Group Lock attribute.
The tunnel-grp-name variable specifies the name of an existing tunnel group that the security appliance requires for the user to connect. Tunnel group lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.
To remove the group-lock attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from another group policy.
To disable group-lock, enter the group-lock command with the none keyword. The none keyword sets group-lock to a null value, thereby allowing no group-lock restriction. It also prevents inheriting a group-lock value from a default or specified group policy.
Configuring Client Access Rules
The Client Access Rules area lets you specify up to 25 rules that determine whether to permit or deny access by certain types and versions of VPN clients. Either the group policy can inherit these rules from the default group policy, or you can specify particular rules for this group policy.
The table in this area shows the priority, action, client type and VPN client version that each rule specifies.
To configure rules that limit the remote access client types and versions that can connect via IPSec through the security appliance, clear the Inherit check box. This makes the buttons at the side of the table active. By default, there are no access rules. When there are no client access rules, all client types and versions can connect. To delete individual rules, click Delete.
The columns in the Client Access Rules table are as follows:
•
Priority—Shows the priority of this rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts it, the security appliance ignores the lower priority rule.
•
Action—Specifies whether this rule permits or denies access for clients of a particular type and version.
•
VPN Client Type—Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset. Identifies device types via free-form strings, for example VPN 3002. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.
•
VPN Client Version—Specifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client. Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.
To add a new rule for an IPSec group policy, click Add. To modify an existing rule for an IPSec group policy, click Edit. The Add or Edit Client Access Rule dialog box appears (Figure 4-17).
Figure 4-17 Add Client Access Rule Dialog Box
Construct rules according to these caveats:
•
If you do not define any rules, the security appliance permits all connection types.
•
When a client matches none of the rules, the security appliance denies the connection. This means that if you define a deny rule, you must also define at least one permit rule, or the security appliance denies all connections.
•
For both software and hardware clients, type and version must match exactly their appearance in the Monitoring > VPN > VPN Statistics > Sessions window.
•
The * character is a wildcard, which you can use multiple times in each rule. For example, specifying the VPN client version as version 3.* in a client access rule applies that rule to the specified client type running release versions 3.x software.
•
You can construct a maximum of 25 rules per group policy.
•
There is a limit of 255 characters for an entire set of rules.
•
You can use n/a for clients that do not send client type and/or version.
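The IPSec tab attributes above (reauthentication on rekey, IP compression, PFS, tunnel group lock) together with a client access rule set that follows the caveats just listed, as an added CLI example that is not from the original guide. The tunnel group name is constructed, and the client type and version strings are illustrative; real strings must match the show vpn-sessiondb remote display exactly.

```text
! Added example (not from the guide): IPSec tab for FirstGroup in CLI form.
group-policy FirstGroup attributes
  ! Prompt for credentials again on every IKE rekey
  re-xauth enable
  ! LZS compression off unless the group is modem users only
  ip-comp disable
  ! Each new IPSec key is unrelated to the previous one
  pfs enable
  ! Users must connect through this tunnel group (name constructed)
  group-lock value FirstGroupTunnel
  ! Client access rules: lowest priority number wins, and a client that
  ! matches no rule is denied, so every deny needs at least one permit.
  ! Rule 1 rejects 3.x software clients; rules 2 and 3 admit current ones.
  client-access-rule 1 deny type "Cisco VPN Client" version 3.*
  client-access-rule 2 permit type "Cisco VPN Client" version 4.*
  client-access-rule 3 permit type "VPN 3002" version 4.*
  ! Clients that send no type or version are matched with n/a
  client-access-rule 4 deny type n/a version n/a
```

At most 25 rules per group policy, and the whole rule set must fit in 255 characters.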
Configuring Client Configuration Parameters
Use the Client Configuration tab of the Add/Edit Internal Group Policy Window (Figure 4-18) to configure the following parameters:
•
Banner
•
Default Domain
•
Split Tunnel DNS Names
•
Split Tunnel Policy
•
Split Tunnel Network List
•
Cisco Client Parameters
Figure 4-18 Edit Internal Group Policy Client Configuration Window
Configuring the Banner Message
The banner is a message that is displayed to remote clients when they connect. The default is no banner. If you choose not to inherit the banner from the default group policy, clear the Inherit check box and click Edit Banner. The View/Config Banner dialog box appears (Figure 4-19).
Figure 4-19 View/Config Banner Dialog Box
To specify the banner, or welcome message, if any, that you want to display, enter the banner text, up to 510 characters in length. Enter the "\n" sequence to insert a carriage return.
Note
A carriage-return/line-feed included in the banner counts as two characters.
To delete a banner, remove the text.
Configuring Domain Attributes for Tunneling
You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains.
Defining a Default Domain Name for Tunneled Packets
The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name for users of the group policy, clear the Inherit check box and enter the default domain name in the field.
The domain name that you enter identifies the default domain name for the group. To specify that there is no default domain name, leave this field blank. Leaving it blank sets a default domain name with a null value, which disallows a default domain name and prevents inheriting a default domain name from a default or specified group policy.
Defining a List of Domains for Split Tunneling
To provide a list of domains for split-tunneling, clear the Inherit check box and enter a space-delimited list of domains to be resolved through the split tunnel. When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, leave this list blank.
The domain name attribute provides a domain name that the security appliance resolves through the split tunnel. Leaving this list blank indicates that there is no split DNS list. It also sets a split DNS list with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or specified group policy.
Enter a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.). If the default domain name is to be resolved through the tunnel, you must explicitly include that name in this list.
Configuring Split-Tunneling Attributes
Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy to a specific network.
Setting the Split-Tunneling Policy
Set the rules for tunneling traffic by specifying the split-tunneling policy. The default is to tunnel all traffic. To set a split tunneling policy, clear the Inherit check box and select the split-tunnel policy from the drop-down menu. To remove the split-tunnel policy attribute from the running configuration, leave this field blank. This enables inheritance of a value for split tunneling from another group policy.
•
Select Tunnel All Networks to specify that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option.
•
Select Tunnel Network List Below to tunnel all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.
•
Select Exclude Network List Below to define a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.
Note
Split tunneling is primarily a traffic management feature, not a security feature. For optimum security, we recommend that you do not enable split tunneling.
Creating a Network List for Split-Tunneling
Select a network list name for split tunneling from the Split Tunnel Network List drop-down menu. Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network. Only standard-type ACLs are allowed. Clicking Manage opens the ACL Manager dialog box, where you can configure the ACLs. For information on using ACL Manager dialog box, see Configuring the ACL Filter.
The access-list name that you select identifies an access list that enumerates the networks to tunnel or not tunnel. Selecting None indicates that there is no network list for split tunneling; the security appliance tunnels all traffic. Selecting None sets a split tunneling network list with a null value, thereby disallowing split tunneling. It also prevents inheriting a default split tunneling network list from a default or specified group policy.
Configuring Cisco Client Parameters
The attributes in the Cisco Client Parameters area specify certain security settings for the group, including password storage, IPSec over UDP settings, and IPSec backup servers.
Configuring Password Storage
You can specify whether to let users store their login passwords on the client system. For security reasons, password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites.
To enable or disable password storage, clear the Inherit check box for the Store Password on Client System attribute and select either Yes (enable) or No (disable).
This action does not apply to interactive hardware client authentication or individual user authentication for hardware clients.
Configuring IPSec-UDP Attributes
IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a security appliance that is running NAT. It is disabled by default. IPSec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The security appliance exchanges configuration parameters with the client while negotiating SAs. Using IPSec over UDP may slightly degrade system performance.
To enable or disable IPSec over UDP, clear the Inherit check box and choose either Enable or Disable.
The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.
To use IPSec over UDP, you must also configure the IPSec over UDP Port attribute, which sets a UDP port number for IPSec over UDP. In IPSec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. To configure the IPSec over UDP Port attribute, clear the Inherit check box and enter a port number into the field. The port numbers can range from 4001 through 49151. The default port value is 10000.
Configuring IPSec Backup Servers
Configure backup servers if you plan on using them. IPSec backup servers let a VPN client connect to the central site when the primary security appliance is unavailable. When you configure backup servers, the security appliance pushes the server list to the client as the IPSec tunnel is established. Backup servers do not exist until you configure them, either on the client or on the primary security appliance.
Configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.
Note
If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS and WINS information from the hardware client via DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant delays can occur.
To specify one or more backup servers or to remove the configured backup server or servers from the client configuration, do the following:
Step 1
Clear the Inherit check box.
Step 2
Select one of the following options from the drop-down menu:
•
Keep Client Configuration—Specifies that the security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.
•
Clear Client Configuration—Specifies that the client uses no backup servers. The security appliance pushes a null server list.
•
Use the Backup Servers Below—Specifies that you want to configure a list of servers to use if the primary security appliance is unavailable.
Step 3
If you select Use the Backup Servers Below, you must fill in one or more server addresses in the Server Addresses field. This list is a space-delimited, priority-ordered list of servers for the VPN client to use when the primary security appliance is unavailable. This list identifies servers by IP address or hostname. The list can be 500 characters long, and it can contain up to 10 entries.
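The Client Configuration tab settings described in the sections above (banner, default domain, split DNS, split tunneling policy and network list, password storage, IPSec over UDP, backup servers), as an added CLI example that is not from the original guide. The access list name, domain names and backup server addresses are constructed for this example.

```text
! Added example (not from the guide): Client Configuration tab for FirstGroup.
! Standard ACL naming the private networks that must travel through the tunnel
access-list SPLIT_NETS standard permit 10.0.0.0 255.0.0.0
!
group-policy FirstGroup attributes
  ! Banner shown on connect (up to 510 characters)
  banner value Authorized use only. Activity is monitored.
  ! Appended to DNS queries that omit the domain
  default-domain value corp.example.com
  ! Domains resolved through the split tunnel; the default domain is
  ! listed explicitly because it is not included automatically
  split-dns value corp.example.com example.com
  ! Tunnel All Networks is the default (tunnelall). tunnelspecified sends
  ! only SPLIT_NETS through the tunnel; everything else goes in the clear.
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT_NETS
  ! Cisco Client Parameters: keep password storage off (the default)
  password-storage disable
  ! IPSec over UDP on the default port; valid ports are 4001 through 49151
  ipsec-udp enable
  ipsec-udp-port 10000
  ! Priority-ordered list pushed to the client, replacing its own list
  backup-servers 10.10.10.1 10.10.10.2
```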
Configuring Firewall Attributes
A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option. When there are no firewall policies, users inherit any that exist in the default or other group policy.
Set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation on the Client Firewall tab (Figure 4-20).
Figure 4-20 Edit Internal Group Policy Client Firewall Tab
Note
Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.
The following examples illustrate the use of the client firewall.
In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.
In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.
The Add or Edit Internal Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified. To specify the client firewall settings, clear the Inherit check box and configure the following attributes in the Client Firewall Attributes area.
Configuring Firewall Setting
Specify whether there is no firewall, or whether the firewall is optional or required by selecting the appropriate setting from the drop-down menu.
Note
If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.
Configuring Firewall Type
Select the type of firewall (or no firewall) from the drop-down menu. The options are:
•
No Firewall—Indicates that there is no client firewall policy and prevents inheriting a firewall policy from a default or specified group policy.
•
Cisco Integrated Firewall—Selects the Cisco Integrated Firewall type.
•
Cisco Security Agent—Selects the Cisco Intrusion Prevention Security Agent firewall type.
•
Zone Labs Firewalls—Selects either the Zone Labs Zone Alarm or the Zone Alarm Pro firewall type or both.
•
Sygate Personal Firewalls—Selects either the Sygate Personal firewall type, the Sygate Personal Pro firewall type, or the Sygate Security Agent firewall type.
•
Network ICE, Black ICE Firewall—Selects the Network ICE Black ICE firewall type.
•
Custom Firewall—Indicates that this policy uses a custom firewall. With this selection, the Custom Firewall and Firewall Policy areas become active.
Configuring a Custom Firewall
If you selected Custom Firewall as the firewall type, you must also configure the custom firewall attributes, as follows:
•
Vendor ID—Identifies the firewall vendor.
•
Product ID—Identifies the model or product name of the firewall product.
•
Description—Optionally provides additional information about the custom firewall.
Configure the Firewall Policy attributes to specify the source and characteristics of the firewall policy, as follows:
•
Policy defined by remote firewall (AYT)—Specifies that the policy is to use the firewall installed on the remote user PC and, after the connection is established, polls that firewall every 30 seconds to ensure that it is running. This is the "Are You There" or AYT mechanism. The local firewall enforces the firewall policy on the VPN client. The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails.
•
Policy Pushed (CPP)—Enforces a centralized firewall policy for personal firewalls on VPN client PCs. This firewall policy is called "push policy" or Central Protection Policy, because the policy is pushed from the peer. If you select this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active. The security appliance enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this security appliance, including the default filters. Keep in mind that the security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the security appliance. For example, "in" and "out" refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.
If you select Policy Pushed (CPP), you must also select the policies that the client uses for inbound and outbound traffic.
Clicking Manage opens the ACL Manager dialog box (Figure 4-9), in which you can create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client, which, in turn, passes the policy to the local firewall, which enforces it.
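The two firewall scenarios described above, Policy Pushed (CPP) for a group that requires the Cisco Integrated Firewall and Policy defined by remote firewall (AYT) for a group in transition, as an added CLI example that is not from the original guide. The access list names and the second group policy name are constructed; the rules follow the text's example of blocking Internet traffic to split-tunneling PCs.

```text
! Added example (not from the guide): client firewall policies in CLI form.
! CPP rules are written relative to the VPN client: CPP_IN governs packets
! arriving at the PC, CPP_OUT packets the PC sends. Names are constructed.
access-list CPP_IN extended deny ip any any
access-list CPP_OUT extended permit ip any any
!
! Firewall Required, Cisco Integrated Firewall, Policy Pushed (CPP).
! A packet blocked by either the pushed rules or the local firewall is dropped.
group-policy FirstGroup attributes
  client-firewall req cisco-integrated acl-in CPP_IN acl-out CPP_OUT
!
! Firewall Optional with the policy defined by the remote firewall (AYT):
! users without the firewall still connect and get a warning; users with
! it are polled every 30 seconds and disconnected if it stops running.
group-policy TransitionGroup internal
group-policy TransitionGroup attributes
  client-firewall opt zonelabs-zonealarm
```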
Configuring Attributes for VPN Hardware Clients
The Add or Edit Internal Group Policy Hardware Client tab (Figure 4-21) lets you configure attributes specific to VPN hardware clients. On this tab you can enable or disable secure unit authentication and user authentication and set a user authentication timeout value for VPN hardware clients. You can also allow Cisco IP phones and LEAP packets to bypass individual user authentication and allow hardware clients using Network Extension Mode to connect.
Figure 4-21 Edit Internal Group Policy Hardware Client Tab
Requiring Interactive Client Authentication (Secure Unit Authentication)
Secure unit authentication provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password. Secure unit authentication is disabled by default.
Note
With this feature enabled, to bring up a VPN tunnel, a user must be present to enter the username and password.
Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware client(s) use. If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.
Interactive hardware client authentication provides additional security by requiring the VPN 3002 Hardware Client to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled, the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the security appliance to which it connects. The security appliance facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.
When you enable interactive hardware client authentication for a group, the security appliance pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.
If, on the security appliance, you subsequently disable interactive hardware authentication for the group, it is enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the security appliance has disabled interactive hardware client authentication. If you subsequently configure a username and password, the feature is disabled, and the prompt no longer displays. The VPN 3002 connects to the security appliance using the saved username and password.
Specify whether to enable or disable the requirement for interactive client authentication by clearing the Inherit check box and selecting either Enable or Disable. This parameter is disabled by default.
Requiring Individual User Authentication
When enabled, user authentication requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure. Individual user authentication for these users is disabled by default. To display a banner to VPN 3002 devices in a group, individual user authentication must be enabled.
If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well.
Individual user authentication protects the central site from access by unauthorized persons on the private network of the VPN 3002. When you enable individual user authentication, each user that connects through a VPN 3002 must open a web browser and manually enter a valid username and password to access the network behind the security appliance, even though the tunnel already exists.
Note
You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.
If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the VPN 3002 directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.
If you try to access resources on the network behind the security appliance that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.
To authenticate, you must enter the IP address for the private interface of the VPN 3002 in the browser Location or Address field. The browser then displays the login screen for the VPN 3002. To authenticate, click the Connect/Login Status button.
One user can log in for a maximum of four sessions simultaneously. Individual users authenticate according to the order of authentication servers that you configure for a group.
Configuring an Idle Timeout
To set an idle timeout for individual users behind hardware clients, clear the Inherit check box and either check the Unlimited check box to specify that there is no idle timeout or specify a specific number of minutes. If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the client's access.
Note
The user-authentication-idle-timeout command terminates only the client's access through the VPN tunnel, not the VPN tunnel itself.
The minutes field specifies the number of minutes in the idle timeout period. The minimum is 1 minute, the default is 30 minutes, and the maximum is 35791394 minutes. If you clear both the Inherit and Unlimited check boxes, you must specify a value in the minutes field.
Configuring IP Phone Bypass
You can allow Cisco IP phones to bypass individual user authentication behind a hardware client. To enable or disable IP Phone Bypass, clear the Inherit check box and select Enable or Disable. IP Phone Bypass lets IP phones behind hardware clients connect without undergoing user authentication processes. IP Phone Bypass is disabled by default. If enabled, secure unit authentication remains in effect.
Note
You must configure the VPN 3002 to use network extension mode for IP phone connections.
Configuring LEAP Bypass
LEAP users behind a VPN 3002 have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.
LEAP Bypass works as intended under the following conditions:
•
The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the VPN 3002 before LEAP devices can connect using that tunnel.
•
Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).
•
Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.
•
The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).
•
The VPN 3002 can operate in either client mode or network extension mode.
•
LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.
When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN 3002 hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication (if enabled). LEAP Bypass is disabled by default.
To allow LEAP packets from Cisco wireless access points to bypass individual user authentication, clear the Inherit check box and select Enable. To disable LEAP Bypass, select Disable.

Note
IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per session wireless encryption privacy (WEP) keys, removing administrative burdens and security issues that are present with static WEP keys.
Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP (Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.
Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.
This feature does not work as intended if you enable interactive hardware client authentication.
Caution 
There might be security risks to your network in allowing any unauthenticated traffic to traverse the tunnel.
Enabling Network Extension Mode
Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
Network extension mode is required for the VPN 3002 to support IP phone connections, because the Call Manager can communicate only with actual IP addresses.
Note
If you disallow network extension mode, the default setting, the VPN 3002 can connect to this security appliance in PAT mode only. If you disallow network extension mode here, be careful to configure all VPN 3002s in a group for PAT mode. If a VPN 3002 is configured to use network extension mode and the security appliance to which it connects disallows network extension mode, the VPN 3002 attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the VPN 3002 puts an unnecessary processing load on the security appliance to which it connects; if large numbers of VPN 3002s are misconfigured in this way, the security appliance has a reduced ability to provide service.
Enable or disable network extension mode for hardware clients by clearing the Inherit check box and selecting Enable or Disable.
Configuring Group-Policy WebVPN Attributes
WebVPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses SSL and its successor, TLS, to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users. By default, WebVPN is disabled.
You can customize a WebVPN configuration for specific internal group policies.
In the Add or Edit Internal Group Policy WebVPN tab, you can specify whether to inherit the settings for all the functions or customize the WebVPN attributes, each of which is described in the subsequent sections:
•
Functions
•
Content Filtering
•
Homepage
•
Port Forwarding
•
Other (such as servers and URL lists)
•
SSL VPN Client (SVC)
In many instances, you define the WebVPN attributes as part of configuring WebVPN, then you apply those definitions to specific groups when you configure the group-policy webvpn attributes. The attributes in the WebVPN tab for group policies define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter. WebVPN is disabled by default. See the description of WebVPN in the online Help for this tab and the Cisco Security Appliance Command Line Configuration Guide and Cisco Security Appliance Command Reference for more information about configuring the WebVPN attributes.
You do not need to configure WebVPN to use e-mail proxies.
Configuring Group-Policy WebVPN Function Tab Attributes
The Functions tab (Figure 4-22) lets you configure basic WebVPN functions. To configure the WebVPN functions (such as file access and file browsing, HTTP Proxy, MAPI Proxy, and URL entry over WebVPN) that you want to enable, clear the Inherit check box and check the check boxes for the individual functions that you want to enable or apply. These functions are disabled by default.
Figure 4-22 Edit Internal Group Policy WebVPN Tab Functions Tab
The functions that you can configure on this tab are as follows:
•
Enable URL entry—Enables or disables user entry of URLs and places the URL entry box on the home page. When enabled, the security appliance still restricts URLs with any configured URL or network ACLs. Users can enter web addresses in the URL entry box, and use WebVPN to access those websites. When URL entry is disabled, the security appliance restricts WebVPN users to the URLs on the home page.
Using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.
In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate, and therefore cannot examine and validate the certificate. The current implementation of WebVPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.
To limit Internet access for WebVPN users, deselect the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.
•
Enable file server access—Enables or disables Windows file access (SMB/CIFS files only) through HTTPS. When enabled, the WebVPN home page lists file servers in the server list. You must enable file access to enable file browsing and/or file entry.
When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Servers and URLs area (see the description of Configuring Server and List Arguments Using the WebVPN Other Tab). To let users access servers directly or to browse servers on the network, see the Enable file server entry and Enable file server browsing attribute descriptions.
With this check box checked, users can download, edit, delete, rename, and move files. They can also add files and folders.
Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.
File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the security appliance, or reachable from that network. The WINS server or master browser provides the security appliance with a list of the resources on the network. You cannot use a DNS server instead.
Note
File access is not supported in an Active Native Directory environment when used with Dynamic DNS. It is supported if used with a WINS server.
•
Enable file server entry—Enables or disables the user's ability to enter names of file servers. Places the file server entry box on the portal page. File server access must be enabled.
With this check box checked, users can enter pathnames to access Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Again, shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.
•
Enable file server browsing—Enables or disables browsing the Windows network for domains/workgroups, file servers, and shares. You must enable file browsing to allow user entry of a file server. File server access must be enabled.
With this check box checked, users can select domains and workgroups and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.
•
Enable auto applet download—Lets users automatically download and start the port forwarding java applet upon WebVPN login. Disabled by default, you can enable this feature only if port forwarding, Outlook/Exchange proxy, or HTTP proxy is also enabled. You can also enable auto applet download in the default group policy (DfltGrpPolicy) or in user-defined group policies.
•
Enable port forwarding—WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.
Note
Port Forwarding does not work with some SSL/TLS versions.
With this check box checked users can access client/server applications by mapping TCP ports on the local and remote systems.
Note
When users authenticate using digital certificates, the TCP Port Forwarding JAVA applet does not work. JAVA cannot access the web browser's keystore; therefore JAVA cannot use the certificates that the browser uses for user authentication, and the application cannot start. Do not use digital certificates to authenticate WebVPN users if you want them to be able to access applications.
•
Enable Outlook/Exchange proxy—Enables or disables Microsoft Outlook/Exchange e-mail proxy.
•
Apply Web-type ACL—Applies the WebVPN access control list defined for the users of this group.
•
Enable HTTP proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation ("mangling"), such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser supported is Microsoft Internet Explorer.
•
Enable Citrix/MetaFrame—Enables support for terminal services from a MetaFrame Application Server to the client. This attribute lets the security appliance act as a secure gateway within a secure Citrix configuration. These services provide users with access to MetaFrame applications through a standard Web browser.
Configuring Content Filtering Tab Attributes
The Content Filtering tab (Figure 4-23) lets you configure the security appliance to block or remove the parts of websites that use Java or ActiveX, scripts, display images, and deliver cookies. By default, these parameters are disabled, which means that no filtering occurs. To configure the WebVPN filters, clear the Inherit check box and check the check boxes for the individual filters that you want to enable. These functions are disabled by default.
Figure 4-23 Edit Internal Group Policy WebVPN Tab, Content Filtering Tab
The filters that you can configure on this tab are as follows:
•
Filter Java/ActiveX—Removes references to Java and ActiveX; that is, it removes <applet>, <embed> and <object> tags from HTML.
•
Filter scripts—Removes references to scripting; that is, it removes <script> tags from HTML.
•
Filter images—Removes <img> tags from HTML. Removing images dramatically speeds the delivery of web pages.
•
Filter cookies from images—Removes cookies that are delivered with images. This might preserve user privacy, because advertisers use cookies to track visitors.
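The three tag-removal filters above (Java/ActiveX, scripts, images) are simple to state but the details matter: a blocked element such as `<script>` or `<applet>` has to go together with its contents, while `<img>` and `<embed>` are void elements with no closing tag, and the rest of the page must survive untouched. The Python filter below is an added example of that rewriting, built on the standard library's html.parser; it is not the security appliance's content-filtering implementation, and the sample page it runs over is constructed for the demonstration. The "Filter cookies from images" option acts on HTTP responses rather than HTML and is not modelled here.

```python
from html.parser import HTMLParser
from typing import Iterable

# Tags each Content Filtering option removes, as described on the tab.
FILTER_TAGS = {
    "java_activex": {"applet", "embed", "object"},
    "scripts": {"script"},
    "images": {"img"},
}
# Void elements never have an end tag, so they must not open a skip region.
VOID_TAGS = {"img", "embed"}


class WebVpnContentFilter(HTMLParser):
    """Re-emits an HTML document with the blocked tags (and their contents) removed."""

    def __init__(self, enabled_filters: Iterable[str]):
        # convert_charrefs=False keeps entities such as &amp; as written.
        super().__init__(convert_charrefs=False)
        self.blocked = set().union(*(FILTER_TAGS[f] for f in enabled_filters))
        self.out = []
        self.skip_stack = []  # open blocked elements whose contents are being dropped

    def _skipping(self) -> bool:
        return bool(self.skip_stack)

    def handle_starttag(self, tag, attrs):
        if tag in self.blocked:
            if tag not in VOID_TAGS:
                self.skip_stack.append(tag)
            return
        if not self._skipping():
            self.out.append(self.get_starttag_text())  # raw text, attributes preserved

    def handle_startendtag(self, tag, attrs):
        if tag not in self.blocked and not self._skipping():
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in self.blocked:
            if tag in self.skip_stack:
                # Pop back to the matching open tag; tolerates sloppy nesting.
                while self.skip_stack.pop() != tag:
                    pass
            return
        if not self._skipping():
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping():
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skipping():
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skipping():
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self._skipping():
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_html(html: str, enabled_filters: Iterable[str]) -> str:
    """Apply the selected Content Filtering options to an HTML document."""
    parser = WebVpnContentFilter(enabled_filters)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample page exercising every tag the filters touch.
SAMPLE_PAGE = (
    '<html><head><title>Intranet</title>'
    '<script src="track.js"></script><script>document.title = "x";</script></head>'
    '<body><p>Hello &amp; welcome</p><img src="logo.png" alt="logo">'
    '<object data="movie.swf"><embed src="movie.swf"></object>'
    '<applet code="Clock.class">fallback text</applet>'
    '<a href="/docs">Docs</a></body></html>'
)

if __name__ == "__main__":
    print(filter_html(SAMPLE_PAGE, ["java_activex", "scripts", "images"]))
```

With all three filters enabled the sample reduces to the title, the paragraph and the link; with only "images" enabled the script and object elements pass through unchanged, which is the behavior the per-filter check boxes describe.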
Configuring the User Homepage
ASDM lets you customize a home page that the user sees upon logging in. You define a home page customization (such as color, logo, and so on) as part of the WebVPN configuration, then apply that customization when you configure a particular group policy. The Add or Edit Group Policy window, WebVPN tab, Homepage tab (Figure 4-24), lets you configure what, if any, home page that you want users to see upon logging in and specify the name of any previously defined customization that you want to apply to change the look-and-feel of that login web page. There is no default home page, and the default for customization is no customization. For information about configuring web-page customizations, see the online help for Configuration > VPN > WebVPN > Webpage Customization.
Figure 4-24 Edit Internal Group Policy WebVPN Tab Homepage Tab
To specify the Webpage Customization attribute, clear the Inherit check box and either select the name of a customization from the drop-down menu or click New to define a new customization. Clicking New opens the Add Customization Object dialog box. Click the Homepage tab in that dialog box to configure the customizations for the user home page. The other tabs in this dialog box configure other web page customizations to apply to the various GUI pages that the user sees. For information about how to configure web page customizations, see the online Help for that dialog box.
Regardless of whether you specify customizations, you can specify a particular home page that the user sees upon logging in. There is no default home page. To specify a URL for the web page that you want to display when a user in this group logs in, clear the Inherit check box in the Custom Homepage area and select Specify URL. Select either http or https (the default) as the connection protocol for the home page. In the field to the right of the :// characters, specify the URL of the Web page to use as the home page.
To remove a configured home page, select Use None. This sets a null value, thereby disallowing a home page and preventing inheritance of a home page.
Enabling Port Forwarding (WebVPN Application Access) for a Group Policy
Port forwarding, also known as application access, lets you control the list of applications that WebVPN users can access through their remote connection. Port forwarding is disabled by default. The Add or Edit Group Policy window, WebVPN tab, Port Forwarding tab (Figure 4-25), lets you configure port forwarding parameters.
Figure 4-25 Edit Internal Group Policy WebVPN Tab Port Forwarding Tab
You configure a list of applications to make available through port forwarding either as part of the WebVPN configuration or in the group-policy Port Forwarding tab. To apply port forwarding to a group policy, clear the Inherit check box or boxes and configure the following fields:
•
Port Forwarding List—Specifies whether to inherit the port forwarding list from the default group policy, select one from the list, or create a new port forwarding list. The default is None which prevents inheriting a port forwarding list.
•
Click New to create a new port-forwarding applications list. Clicking New opens a dialog box in which you can add a new port forwarding list. See the description of the Add or Edit Port Forwarding List window.
•
Applet Name—Specifies whether to inherit the applet name or to use the name specified in the field. Specify this name to identify port forwarding to end users. The name you configure appears in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to port forwarding applications that you configure for these users. The default applet name is Application Access.
The Add or Edit Port Forwarding List dialog box (Figure 4-26) lets you configure a new port forwarding list entry or modify an existing entry for WebVPN users for the group policy being added or modified.
Figure 4-26 Add Port Forwarding List Dialog Box
To add a port forwarding list, click Add and configure the following fields. To edit an existing port forwarding list, select the list entry in the table area, then click Edit and configure the appropriate fields. To remove a port forwarding entry from this list, click Delete. The field descriptions follow:
•
List Name—Specifies the name of this port forwarding list. If list entries already exist, the Add, Edit, and Delete buttons are active. The table below the list name contains the following columns:
•
Local TCP Port—Specifies the local TCP port for this list.
•
Remote Server—Specifies the name or IP address of the remote peer.
•
Remote TCP Port—Specifies the TCP port used on the remote peer.
•
Description—Provides a brief description of this list.
Note
Port forwarding supports only those TCP applications that use static TCP ports. It does not support applications that use dynamic ports or multiple TCP ports. For example, SecureFTP, which uses port 22, works over WebVPN port forwarding, but standard FTP, which uses ports 20 and 21, does not.
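A port forwarding list entry maps a Local TCP Port on the user's PC to a Remote Server and Remote TCP Port, and the applet relays every connection accepted on the local port to that one fixed remote port, which is why only static-port TCP applications work. The Python forwarder below is an added example of that relaying and is not the Cisco applet: it listens on a local TCP port and copies bytes in both directions to the configured remote server and port over a plain loopback connection (the real applet carries the traffic inside the SSL session to the security appliance instead). The echo server standing in for the remote application, the use of port 0 to obtain free ports, and the payload are constructed for the demonstration.

```python
import asyncio


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes reader -> writer until EOF, then pass the EOF on to the far side."""
    try:
        while True:
            chunk = await reader.read(4096)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    finally:
        if writer.can_write_eof():
            writer.write_eof()


async def _handle_local_connection(client_reader, client_writer, remote_server, remote_port):
    """Each connection accepted on the local port becomes one TCP connection to the remote peer."""
    try:
        remote_reader, remote_writer = await asyncio.open_connection(remote_server, remote_port)
    except OSError:
        client_writer.close()   # remote peer unreachable: refuse the local connection
        return
    await asyncio.gather(
        _pump(client_reader, remote_writer),   # local application -> remote server
        _pump(remote_reader, client_writer),   # remote server -> local application
    )
    remote_writer.close()
    client_writer.close()


async def start_forwarder(local_port: int, remote_server: str, remote_port: int):
    """Listen on 127.0.0.1:local_port (0 = any free port) and forward to remote_server:remote_port.
    This is the Local TCP Port -> Remote Server / Remote TCP Port mapping of one list entry."""
    async def on_connect(reader, writer):
        await _handle_local_connection(reader, writer, remote_server, remote_port)
    return await asyncio.start_server(on_connect, "127.0.0.1", local_port)


async def _echo(reader, writer):
    """Constructed stand-in for the remote application server: echoes what it receives."""
    data = await reader.read(-1)   # read until the client half-closes
    writer.write(data)
    await writer.drain()
    writer.close()


async def _roundtrip(payload: bytes) -> bytes:
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    remote_port = echo.sockets[0].getsockname()[1]
    forwarder = await start_forwarder(0, "127.0.0.1", remote_port)
    local_port = forwarder.sockets[0].getsockname()[1]
    # The "local application" connects to the local port, as a client would connect to localhost.
    reader, writer = await asyncio.open_connection("127.0.0.1", local_port)
    writer.write(payload)
    await writer.drain()
    writer.write_eof()
    reply = await reader.read(-1)
    writer.close()
    forwarder.close()
    echo.close()
    return reply


def forward_roundtrip(payload: bytes = b"hello through the forwarded port") -> bytes:
    """Send payload through the forwarder to the echo server and return what came back."""
    return asyncio.run(_roundtrip(payload))


if __name__ == "__main__":
    print(forward_roundtrip())
```

Because each list entry is one listener bound to one remote port, an application that negotiates a second connection on a dynamic port (the FTP data channel in the note above) has nothing listening locally for it, which is the limitation the note describes.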
Configuring Server and List Arguments Using the WebVPN Other Tab
The Add or Edit Group Policy window, WebVPN tab, Other tab (Figure 4-27), lets you configure servers and URL lists and the Web-type ACL ID.
Figure 4-27 Edit Internal Group Policy WebVPN Tab Other Tab
This tab lets you configure an assortment of server and management functions, as follows. To configure individual fields, clear the Inherit check box for that field.
•
Servers and URL Lists specifies whether to inherit the list of Servers and URLs, to select an existing list, or to create a new list. Select the name of a list from the drop-down menu or click New, which opens the Add Server and URL List dialog box (Figure 4-28), in which you can add a new server or URL to the list. The URL display name that you add in this dialog box appears in the list for the Servers and URL Lists argument in the Add or Edit Internal Group Policy WebVPN tab Other tab window. To change the order of entries in the URL list, click Move Up or Move Down. There is no default URL list.
Figure 4-28 Add Server and URL List Dialog Box
•
You configure ACLs to permit or deny various types of traffic for this group policy. You then apply those ACLs for WebVPN traffic. Web-Type ACL ID specifies the name of the access list to apply for WebVPN connections for this group policy. If you clear the Inherit check box, select the identifier of an existing Web-Type ACL to use, or add or modify a web-type ACL. To remove the access list, and to prevent inheriting filter values, select None from the drop-down list.
•
Clicking Manage opens the Web Type ACL dialog box (Figure 4-29) in which you can manage web-type ACLs.
Figure 4-29 Web Type ACL Dialog Box
Clicking Add ACL, Add ACE, or Edit ACE opens a dialog box in which you can perform these functions. See Configuring the ACL Filter for an explanation of the fields and buttons on these dialog boxes. Figure 4-30 shows the Add Web-Type ACL dialog box.
Figure 4-30 Add Web-Type ACL Dialog Box
The ACL ID value provides the name of the previously configured access list. After you add a Web Type ACL, you can configure that ACL by clicking Add ACE. This opens the Add Web Type ACE dialog box, in which you configure the action (permit/deny), filter (URL or IP address, subnet mask, and port), syslog options, and time range name, just as you would for other ACLs/ACEs.
Note
To use ACL filtering with WebVPN, you must define the WebVPN-Type ACL here. WebVPN does not use ACLs defined in the ACL Manager.
•
Single sign-on support, available only for WebVPN, lets users access different secure services on different servers without entering a username and password more than once. The SSO Server attribute specifies whether to inherit the single-sign-on server setting, to select an existing SSO server from the list, or to add a new SSO server. The default policy assigned to the SSO server is DfltGrpPolicy. To remove the assignment and prevent inheriting the default policy, select None from the drop-down list.
Note
This attribute requires that your configuration include CA SiteMinder.
Click New to open the Add SSO Server dialog box (Figure 4-31) in which you can add a new server to the list.
Figure 4-31 Add SSO Server
Configure the fields in this dialog box as follows:
–
Specify the name of the server in the Server Name field. This name appears in the drop-down menu for the SSO Server attribute in the Add or Edit Internal Group Policy WebVPN tab Other tab. If you are editing, instead of adding, a server, this field is display only; it displays the name of the selected SSO server.
–
The Authentication Type field is display only. It displays the type of SSO server. The type currently supported by the security appliance is SiteMinder.
–
In the URL field, select the protocol (http or https) from the drop-down menu, then enter the SSO server URL to which the security appliance makes SSO authentication requests.
–
Enter a Secret Key to use to encrypt authentication requests to the SSO server. Key characters can be any regular or shifted alphanumeric characters. There is no minimum or maximum number of characters. The secret key is similar to a password: you create it, save it, and configure it. It is configured on both the security appliance and the SiteMinder Policy Server using the Cisco Java plug-in authentication scheme.
–
In the Maximum Retries field, enter the number of times the security appliance retries a failed SSO authentication attempt before the authentication times out. The range is from 1 to 5 retries inclusive, and the default is 3 retries.
–
In the Request Timeout field, enter the number of seconds before a failed SSO authentication attempt times out. The range is from 1 to 30 seconds inclusive, and the default is 5 seconds.
•
HTTP Compression specifies whether to inherit the HTTP Compression setting from the default group, or explicitly to enable or disable HTTP compression. To enable or disable compression of HTTP data over an SVC connection for a specific group policy, clear the Inherit check box and select Enable or Disable, as appropriate. By default, SVC compression is enabled.
•
Network devices exchange short keepalive messages to ensure that the virtual circuit between them is still active. The length of these messages can vary. The Keepalive Ignore attribute lets you tell the security appliance to consider all messages that are less than or equal to the specified size as keepalive messages and not as traffic when updating the session timer. The range is 0 through 900 KB. The default is 4 KB.
•
The Deny Message attribute configures a message to be delivered to remote users who log in to WebVPN successfully, but have no VPN privileges, as follows:
–
Check the Inherit check box to inherit from the default group the message to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges.
–
Clear the Inherit check box and erase any text in the field to send no message to remote users who log in to WebVPN successfully, but have no VPN privileges.
–
Clear the Inherit check box and create or modify the message in the field, to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges. The message can be up to 491 alphanumeric characters long, including special characters, spaces, and punctuation, but not counting the enclosing quotation marks. Carriage return/line feeds count as two characters. The text appears on the remote user's browser upon login. The default deny message is: "Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."
Configuring the SSL VPN Client Tab Attributes
The SSL VPN Client (SVC) is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance.
To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation.
After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates.
The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly encountered remote computer operating system. For complete information about installing and using SVC, see Cisco Security Appliance Command Line Configuration Guide, Chapter 31, "Configuring SSL VPN Client."
After enabling SVC, as described in that configuration guide chapter, you can enable or require SVC features for a specific group. This feature is disabled by default. If you enable or require SVC, you can then enable a succession of svc commands, described in this section.
The Edit Internal Group Policy window WebVPN tab SSL VPN tab (Figure 4-32) lets you configure connection settings for the SSL VPN Client. Each attribute can inherit its value from the default group policy, or, if you clear the Inherit check box, you can explicitly configure individual attributes.
Figure 4-32 Edit Internal Group Policy WebVPN Tab SSL VPN Client Tab
Configure the SSL VPN Client attributes as follows:
•
Specify when to use the SSL VPN client by clearing the Use SSL VPN Client Inherit check box and selecting Always, Optional, or Never, as appropriate.
•
Keep Installer on Client System enables permanent SVC installation and disables the automatic uninstalling feature of the SVC. If you select Yes, the security appliance downloads SVC files to remote computers, and the SVC remains installed on the remote computer for subsequent SVC connections, reducing the SVC connection time for the remote user. If you select No, the security appliance does not download SVC files. By default, this attribute is disabled.
•
Compression enables or disables compression on the SVC connection. SVC compression increases the communications performance between the security appliance and the SVC by reducing the size of the packets being transferred.
•
The Keepalive Messages attribute adjusts the frequency of keepalive messages, in the range of 15 to 600 seconds, to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Clicking Enable activates the Interval field, in which you set the interval (frequency) of the keepalive messages. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
•
The attributes in the Key Renegotiation Settings area define the renegotiation interval and method. When the security appliance and the SVC perform a rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection.
–
Renegotiation Interval specifies the number of minutes from the start of the session until the rekey takes place, either Unlimited or an interval from 1 through 10080 (1 week).
–
Renegotiation Method specifies whether the SVC establishes a new tunnel during SVC rekey. Selecting None disables SVC rekey. Selecting SSL means that SSL renegotiation takes place during SVC rekey. Selecting New tunnel specifies that SVC creates a new VPN tunnel during SVC rekey.
•
The attributes in the Dead Peer Detection (DPD) area ensure that the security appliance (gateway) or the SVC can quickly detect a condition where the peer is not responding, and the connection has failed. The attribute you select in this area determines which side of the connection performs DPD. For either of the following attributes, clearing the Inherit check box and the Enable check box and leaving the Interval field blank disables the attribute.
–
Gateway Side Detection enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds (1 hour), with which the security appliance performs DPD. If you check disable, DPD performed by the security appliance is disabled.
–
Client Side Detection enables DPD performed by the SVC (client), and specifies the frequency, from 30 to 3600 seconds (1 hour), with which the SVC performs DPD.
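The ranges documented above (SSO retries and request timeout, Keepalive Ignore, the 491-character deny message, SVC keepalive, rekey interval and DPD intervals) are easy to get wrong when a group policy is pushed from the CLI rather than ASDM. The following checker is an added example, not from Cisco or this guide; it audits a text fragment in the style of the security appliance's group-policy webvpn and sso-server configuration (the CLI keyword spellings and the sample fragment are assumptions constructed for the example) and flags values outside the documented ranges and liveness checks that have been turned off.

```python
import re

# Allowed ranges documented for the WebVPN Other and SSL VPN Client tabs
RANGES = {
    "svc keepalive": (15, 600),               # seconds
    "svc rekey time": (1, 10080),             # minutes; 10080 = one week
    "svc dpd-interval gateway": (30, 3600),   # seconds
    "svc dpd-interval client": (30, 3600),    # seconds
    "keep-alive-ignore": (0, 900),            # KB
    "max-retry-attempts": (1, 5),             # SSO retries
    "request-timeout": (1, 30),               # SSO seconds
}
DENY_MESSAGE_MAX = 491  # characters, not counting the enclosing quotes

def deny_message_length(msg):
    """Length as the tab counts it: each CR/LF line break counts as two."""
    text = msg.replace("\r\n", "\n")
    return len(text) + text.count("\n")

def audit(config):
    """Return findings for a config fragment (CLI keywords are assumed)."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        for key, (lo, hi) in RANGES.items():
            m = re.fullmatch(rf"{key} (\d+)", line)
            if m and not lo <= int(m.group(1)) <= hi:
                findings.append(f"{key} {m.group(1)} outside {lo}-{hi}")
        if re.fullmatch(r"svc (dpd-interval (gateway|client)|keepalive) none", line):
            findings.append(f"{line}: liveness check disabled")
        m = re.fullmatch(r'deny-message value "(.*)"', line)
        if m and deny_message_length(m.group(1)) > DENY_MESSAGE_MAX:
            findings.append("deny-message exceeds 491 characters")
    return findings

# Constructed sample fragment (not from a real appliance) with two problems
SAMPLE = """\
group-policy SALES attributes
 webvpn
  svc enable
  svc keepalive 900
  svc rekey time 30
  svc dpd-interval gateway none
  svc dpd-interval client 300
  keep-alive-ignore 4
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```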
You have now completed the configuration of an internal group policy.