VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
Configuring the VPN Concentrator for WebVPN

Table Of Contents

Configuring the VPN Concentrator for WebVPN

WebVPN Security Precautions

Using SSL to Access the VPN Concentrator

Using HTTPS for Management Sessions

Enabling HTTPS Management Sessions

Using HTTPS for WebVPN Sessions

Previous HTTP/HTTPS Filters No Longer Apply

Configuring SSL/TLS Encryption Protocols

Configuring Certificates for WebVPN

Using Certificates to Authenticate E-Mail Proxy Users

Using Certificates to Authenticate Clients

Checking the VPN Concentrator SSL Certificate

Setting WebVPN HTTP/HTTPS Proxy

Enabling Cookies on Browsers for WebVPN

Understanding WebVPN Global and Group Settings

Configuring Authentication and Authorization Globally

Authenticating with Digital Certificates

Configuring DNS Globally

Assigning WebVPN Users to Groups

Using the VPN Concentrator Manager to Configure WebVPN

Configuring E-mail

E-mail Proxies

Web E-Mail: Outlook Web Access for Exchange 2000

Configuring Access

Files and Servers

Applications

Web Access

Using the WebVPN Capture Tool

WebVPN Capture Tool Output

Viewing and Using WebVPN Capture Tool Output

Activating the WebVPN Capture Tool


Configuring the VPN Concentrator for WebVPN


WebVPN lets users establish a secure, remote-access VPN tunnel to a VPN 3000 Concentrator using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and web-enabled applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The VPN Concentrator recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

The network administrator provides access to WebVPN resources to users on a group basis. Users have no direct access to resources on the internal network.

This appendix includes the following sections:

WebVPN Security Precautions

Using SSL to Access the VPN Concentrator

Configuring Certificates for WebVPN

Enabling Cookies on Browsers for WebVPN

Understanding WebVPN Global and Group Settings

Using the VPN Concentrator Manager to Configure WebVPN

Configuring E-mail

Configuring Access

Using the WebVPN Capture Tool

WebVPN Security Precautions

WebVPN connections on the Cisco VPN 3000 Concentrator are very different from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers and the precautions needed to reduce security risks.

In a WebVPN connection, the VPN Concentrator acts as a proxy between the end user's web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the VPN Concentrator establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate and therefore cannot examine or validate it.

The current implementation of WebVPN on the VPN Concentrator does not permit communication with sites that present expired certificates. Nor does the VPN Concentrator perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.

To minimize the risks involved with SSL certificates:

1 Configure a group that consists of all users who need WebVPN access and enable the WebVPN feature only for that group.
2 Limit Internet access for WebVPN users. One way to do this is to uncheck the Enable URL Entry field on the Configuration | User Management | Base Group/Groups | WebVPN Tab. Then configure links to specific targets within the private network (Configuration | Tunneling and Security | WebVPN | Servers and URLs | Add or Modify or Configuration | User Management | Groups | WebVPN Servers and URLs | Add or Modify).
3 Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a WebVPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.

Using SSL to Access the VPN Concentrator

WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS1) to provide a secure connection between remote users and specific, supported internal resources at a central site.

Using HTTPS for Management Sessions

Release 4.7 requires HTTPS (HTTP over SSL) for WebVPN management sessions.

By default, HTTPS management is enabled on the private interface. To manage the VPN Concentrator through the public or external interfaces after upgrading from Release 4.0 or earlier, you must explicitly enable HTTPS management.

Enabling HTTPS Management Sessions

To enable HTTPS Management for an interface in addition to the Private interface, go to Configuration | Interfaces | Ethernet | WebVPN Tab and enable the parameter "Allow Management HTTPS sessions."

Before you enable HTTPS on the public or external interface, you can access the VPN Concentrator Manager in one of these ways:

Use SSH or HTTPS via the private interface.

Use the console CLI.


Note Release 4.1 removed the function that allowed a Telnet over SSL connection to a VPN Concentrator.


Using HTTPS for WebVPN Sessions

Establishing WebVPN sessions requires:

Using HTTPS to access the VPN Concentrator or load balancing cluster. In a web browser, enter the IP address in the format https://<IP address> instead of http://<IP address>.

Enabling WebVPN sessions on the VPN Concentrator interface that users connect to.

To permit WebVPN sessions on an interface, enable the parameter, "Allow WebVPN HTTPS sessions." Go to Configuration | Interfaces | Ethernet | WebVPN Tab.

Users enter the IP address or DNS hostname of the interface in a supported browser. The format is https://address, where address is the IP address or DNS hostname of the VPN Concentrator interface. If you enable the Redirect HTTP to HTTPS parameter for that interface, which improves security, users need enter only the IP address or hostname.

Previous HTTP/HTTPS Filters No Longer Apply

After you enable HTTPS on the public interface, any rules created previously to allow HTTP and HTTPS traffic no longer apply, regardless of the actual filters you have configured on the Configuration | Policy Management | Traffic Management | Filters screen.

The 4.0 VPN Concentrator enforces these filter rules as follows:

Rule 1. Allow HTTPS In/Out for PC 1.

Rule 2. Drop all other HTTPS traffic (the default action).

When you upgrade from Release 4.0 or earlier and enable the Allow Management HTTPS sessions or Allow WebVPN HTTPS sessions parameters on the public interface, enforcement changes. The VPN Concentrator now enforces filter rules in the following order:

Rule 1. Allow HTTPS in/out for PC 1.

Rule 2. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

Rule 3. Drop all other HTTPS traffic (the default action).

Rule 2 prevents Rule 3 from ever being enforced. Any PC on the public network can HTTPS in or out of the VPN Concentrator.

You must explicitly define rules to disallow HTTPS traffic from specific PCs. In the following example, you must define Rule 2:

Rule 1. Allow HTTPS In/Out for PC 1.

Rule 2. Disallow every other PC (0.0.0.0/255.255.255.255).

Rule 3. Allow HTTPS Management sessions and Allow WebVPN HTTPS sessions in/out of an interface.

Rule 4. Drop all other HTTPS traffic (the default action).
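The three rule lists above can be checked mechanically. The following is an added example, not VPN Concentrator code: it models first-match evaluation of the HTTPS filter rules with constructed addresses, shows which rule each source hits in the 4.0, upgraded, and corrected lists, and flags rules that an earlier rule shadows (the reason Rule 3 is never enforced after the upgrade).

```python
"""First-match model of the HTTPS filter ordering described above.

Added example, not VPN Concentrator code. It assumes the Concentrator
evaluates filter rules top-down and applies the first match, which is
what the three rule lists in the text describe. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network  # source addresses the rule matches
    action: str       # "allow" or "drop"

PC1 = IPv4Network("192.0.2.10/32")  # constructed address for "PC 1"
ANY = IPv4Network("0.0.0.0/0")      # 0.0.0.0/255.255.255.255 in the text's wildcard notation

def rules_release_4_0():
    """The two rules the 4.0 Concentrator enforces."""
    return [
        Rule("Rule 1: Allow HTTPS In/Out for PC 1", PC1, "allow"),
        Rule("Rule 2: Drop all other HTTPS traffic (default)", ANY, "drop"),
    ]

def rules_after_upgrade():
    """After enabling Allow Management/WebVPN HTTPS sessions on the public interface."""
    return [
        Rule("Rule 1: Allow HTTPS In/Out for PC 1", PC1, "allow"),
        Rule("Rule 2: Allow Management and WebVPN HTTPS sessions", ANY, "allow"),
        Rule("Rule 3: Drop all other HTTPS traffic (default)", ANY, "drop"),
    ]

def rules_corrected():
    """The explicit disallow rule placed ahead of the implicit allow."""
    return [
        Rule("Rule 1: Allow HTTPS In/Out for PC 1", PC1, "allow"),
        Rule("Rule 2: Disallow every other PC", ANY, "drop"),
        Rule("Rule 3: Allow Management and WebVPN HTTPS sessions", ANY, "allow"),
        Rule("Rule 4: Drop all other HTTPS traffic (default)", ANY, "drop"),
    ]

def first_match(rules, src_ip):
    """Return (rule name, action) for the first rule matching src_ip."""
    ip = IPv4Address(src_ip)
    for rule in rules:
        if ip in rule.src:
            return rule.name, rule.action
    raise LookupError("no rule matched; the list must end with a default rule")

def unreachable(rules):
    """Names of rules that can never fire because an earlier rule already
    covers every source they match (the Rule 2 / Rule 3 problem above)."""
    return [rule.name for i, rule in enumerate(rules)
            if any(rule.src.subnet_of(prev.src) for prev in rules[:i])]

if __name__ == "__main__":
    stranger = "198.51.100.7"  # constructed address for a PC that is not PC 1
    for label, rules in [("4.0", rules_release_4_0()),
                         ("upgraded", rules_after_upgrade()),
                         ("corrected", rules_corrected())]:
        print(label, first_match(rules, stranger), "unreachable:", unreachable(rules))
```

Running `unreachable` over a proposed rule list before applying it is a quick way to catch an implicit allow that has swallowed the default drop.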

Configuring SSL/TLS Encryption Protocols

Make sure that the VPN Concentrator and the browser you use allow the same SSL/TLS encryption protocols. On the VPN Concentrator, configure encryption versions in the Configuration | Tunneling and Security | SSL | Protocols screen.

Configuring Certificates for WebVPN

SSL uses digital certificates for authentication. The VPN Concentrator creates a self-signed SSL server certificate when it boots; alternatively, you can install on the VPN Concentrator an SSL certificate that has been issued in a PKI context. For HTTPS, this certificate must then be installed in the client. You need to install the certificate from a given VPN Concentrator only once.

Related information:

For information on installing the SSL digital certificate in your browser and connecting via HTTPS, in the VPN 3000 Series Concentrator Volume I: Configuration guide, see Chapter 1, "Using the VPN Concentrator Manager."

To manage digital certificates, in the VPN 3000 Series Concentrator Volume II: Administration and Monitoring guide, see Chapter 11, "Certificate Management."

Using Certificates to Authenticate E-Mail Proxy Users

For information about using digital certificates for e-mail proxy, see the Certificate option under WebVPN | E-Mail Proxy in Chapter 15, "Tunneling and Security."

Using Certificates to Authenticate Clients

Using digital certificates to authenticate clients requires several steps. For detailed instructions, see the section, Client Authentication option under SSL | HTTPS in Chapter 15, "Tunneling and Security."

Checking the VPN Concentrator SSL Certificate

Make sure that the VPN Concentrator's SSL certificate is current. Chapter 1 of this guide provides detailed information about installing and viewing SSL certificates on Internet Explorer and Netscape.

Setting WebVPN HTTP/HTTPS Proxy

The VPN Concentrator can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. These servers act as an intermediary between users and the Internet. Requiring all Internet access via a server the organization controls provides another opportunity for filtering to assure secure Internet access and administrative control.

Set values for HTTP and HTTPS Proxy for WebVPN in the Configuration | Tunneling and Security | WebVPN | HTTP/HTTPS Proxy screen.

Enabling Cookies on Browsers for WebVPN

Browser cookies are required for the proper operation of WebVPN. When cookies are disabled on the web browser, the links from the web portal home page open a new window prompting the user to log in once more.

Understanding WebVPN Global and Group Settings

In general, the group-based parameters for IPSec, PPTP and L2TP/IPSec sessions do not apply for WebVPN. The exceptions to this are:

WebVPN parameters from the group's WebVPN tab apply.

The banner from the User Management | Base Group | Client Config Tab /Groups | Client Config Tab applies to WebVPN sessions.

Table B-1 summarizes the group and global settings that WebVPN supports:

Table B-1 WebVPN Group and Global Settings

Parameter          Group   Global/system-wide
Authentication     No      Yes (1)
Authorization      No      Yes
Accounting         Yes     Yes (2)
DNS                No      Yes
Servers/URLs       Yes     Yes
Port Forwarding    Yes     Yes
Enable URL entry   Yes     Yes

(1) In this release WebVPN does not support RADIUS with Expiry authentication.

(2) If no accounting servers are defined in the group, the system servers apply.


Configuring Authentication and Authorization Globally

WebVPN uses global authentication and authorization settings, not the settings configured for the group. The first active server, independent of type, is used for authentication and authorization of WebVPN sessions.

Authenticating with Digital Certificates

WebVPN users that authenticate using digital certificates do not use the global authentication and authorization settings. Instead, they use an authorization server to authenticate according to values set in the Configuration | User Management | Base Group/Groups | IPSec Tab for the following fields:

Authentication

Authorization Type

Authorization Required

DN Field parameters

The VPN Concentrator does not support multiple authentication types for groups of WebVPN users.

Configuring DNS Globally

WebVPN does not use the DNS settings of the group with which it has connected. WebVPN follows the VPN Concentrator global DNS settings. This can be confusing to administrators who have users assigned to the same group and who get different DNS results. Ensure that the global DNS settings of the VPN Concentrator have been configured properly.

Assigning WebVPN Users to Groups

Using a RADIUS server to authenticate users, assign users to groups by following these steps:


Step 1 Authenticate the user with RADIUS and use the Class attribute to assign that user to a particular group.

Step 2 Set the Class attribute to the group name in the format OU=group_name.

For example, to set a WebVPN user to the SSL_VPN group, set the Radius Class Attribute to a value of OU=SSL_VPN; (Don't omit the semicolon.)


You can also configure users to authenticate to the VPN Concentrator internal authentication server, using the VPN Concentrator Manager to assign users to groups. For more information about configuring groups, see "User Management," especially Table 13-1, which provides information about the maximum number of users per VPN Concentrator platform that you can configure for internal authentication.

Using the VPN Concentrator Manager to Configure WebVPN

You set some values for WebVPN users on a global basis, and others on either a global or a group basis. Table B-2 provides more information about configuring WebVPN features globally or on a group basis.


Note WebVPN is not supported on the 3005 platform with 32 MB of memory.



Table B-2 WebVPN Feature Configuration Options

Feature: HTTP/HTTPS Proxy
Set: Globally
VPN Concentrator Manager Screen(s): Configuration | Tunneling and Security | WebVPN | HTTP/HTTPS Proxy screen

Feature: WebVPN Access Control Lists (ACLs). You can use ACLs to deny and permit access to web, file, and e-mail servers on a group basis.
Set: Globally or by group
VPN Concentrator Manager Screen(s): Configuration | User Management | Base Group/Groups | WebVPN Tab
Tip After you construct WebVPN ACLs, be sure to check the Apply ACL box further up on the screen.

Feature: WebVPN appearance, including page title, login message, page colors, and page logo
Set: Globally
VPN Concentrator Manager Screen(s): Configuration | Tunneling and Security | WebVPN | Home Page and WebVPN | Logo screens

Feature: E-Mail Proxy (POP3S, IMAP4S, SMTPS)
Set: Globally
VPN Concentrator Manager Screen(s): Configuration | Tunneling and Security | WebVPN | E-Mail Proxy screen

Feature: Web E-Mail via Outlook Web Access for Exchange 2000
Set: Globally; no configuration required

Feature: Client/server application access (port forwarding). Supported applications include:
  Windows Terminal Services
  Telnet
  SSH
  Secure FTP (FTP over SSH)
  Perforce
  Outlook/Outlook Express
  Lotus Notes
  XDDTS
  SameTime Instant Messaging
Other TCP-based applications may also work, but Cisco has not tested them.
Set: Globally or by group
VPN Concentrator Manager Screen(s):
  Globally: Configuration | User Management | Base Group | WebVPN Tab and Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add or Modify screens
  By Group: Configuration | User Management | Groups | WebVPN Tab and Configuration | User Management | Groups | WebVPN Port Forwarding screen

Feature: Web access, including:
  Organization websites
  External websites
  Web browsing
  Webmail
Set: Globally or by group
VPN Concentrator Manager Screen(s):
  Globally: Configuration | User Management | Base Group | WebVPN Tab and Configuration | Tunneling and Security | WebVPN | Servers and URLs screen
  By Group: Configuration | User Management | Groups | WebVPN Tab and Configuration | User Management | Groups | WebVPN Servers and URLs screen

Feature: File and file server access, including:
  Specific files
  File servers
  File browsing
Set: Globally or by group
VPN Concentrator Manager Screen(s):
  Globally: Configuration | User Management | Base Group | WebVPN Tab and Configuration | Tunneling and Security | WebVPN | Servers and URLs screen
  By Group: Configuration | User Management | Groups | WebVPN Tab and Configuration | User Management | Groups | WebVPN Servers and URLs screen



Note To configure access to client/server applications, web resources, and files and servers:
- Enable access in the Configuration | User Management | Base Group/Groups | WebVPN Tab.
- Identify specific file servers and URLs in the WebVPN | Servers and URLs and WebVPN | Port Forwarding screens.


Configuring E-mail

WebVPN supports several ways to access e-mail:

E-mail Proxies: Enable e-mail via Post Office Protocol, Revision 3 (POP3S), Internet Message Access Protocol, Revision 4 (IMAP4S), and Simple Mail Transfer Protocol (SMTPS) proxies.

Web E-mail: A remote user can access Outlook Exchange e-mail without having an Outlook client on the computer they are using.

E-mail Proxies

Configure e-mail proxies in the Configuration | Tunneling and Security | WebVPN | E-Mail Proxy screen. Note the details of configuring delimiters.

Web E-Mail: Outlook Web Access for Exchange 2000

Web E-Mail in Outlook Web Access for Exchange 2000 requires an Outlook Exchange Server 2000 at the central site. It also requires that users:

Enter the URL of the mail server in a browser.

When prompted, enter the e-mail server username in the format domain\username.

Enter the e-mail password.

Configuring Access

Files and Servers

Configure access to files and servers in the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen. Remember to select CIFS as Server Type.

Applications

Configure access to TCP/IP applications in the Configuration | Tunneling and Security | WebVPN | Port Forwarding screen.

Web Access

Configure access to URLs in the Configuration | Tunneling and Security | WebVPN | Servers and URLs screen. Remember to select CIFS as Server Type.

Using the WebVPN Capture Tool

The WebVPN CLI includes a capture tool that lets you log information about websites that do not display properly over a WebVPN connection. The data this tool records can help your Cisco customer support representative troubleshoot problems.

WebVPN Capture Tool Output

The output of the WebVPN capture tool consists of two files:

mangled.1, mangled.2, mangled.3, mangled.4, and so on, depending on the web page activity. The mangled files record the HTML actions of the VPN Concentrator transferring these pages on a WebVPN connection.

original.1, original.2, original.3, original.4, and so on, depending on the web page activity. The original files are the files the URL sent to the VPN Concentrator.

Viewing and Using WebVPN Capture Tool Output

To open and view these files, go to Administration | File Management. Zip the output files and send them to your Cisco support representative.


Note Using the WebVPN capture tool does impact VPN Concentrator performance. Be sure to disable the capture tool after you have generated the output files. See Step 5 in the next section for the location of the Enable/Disable parameter.


Activating the WebVPN Capture Tool

To use the WebVPN capture tool:


Step 1 Establish a CLI connection to the VPN Concentrator via Telnet or the console port.

Step 2 At the prompts, enter the administrator login name and password. Entries are case-sensitive. (The CLI does not show your password entry.)

Login: admin 
Password: admin 

The CLI displays the opening welcome message, the main menu, and the Main -> prompt:

                 Welcome to
                Cisco Systems
        VPN 3000 Concentrator Series
           Command Line Interface
Copyright (C) 1998-2004 Cisco Systems, Inc.

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> _

Step 3 Enter 3 to select Monitoring. The system prompts you with the following menu:


1) Routing Table
2) Event Log
3) System Status
4) Sessions
5) General Statistics
6) Dynamic Filters
7) Back

Monitor -> 

Step 4 Enter 2 to select Event Log. The system prompts you with the following menu:


1) Configure Log viewing parameters
2) View Event Log
3) Save Log
4) Clear Log
5) Configure WebVPN Logging
6) Back

Log -> 

Step 5 Enter 5 to select Configure WebVPN Logging. The system prompts you with the following menu:


WebVPN Logging: OFF
User: "NULL"
Path: "NULL"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 1

Step 6 Enter 1 to set the username. The system prompts you with the following menu:


Enter the name of the user to capture.
> Username to Log

WebVPN Logging -> 

Step 7 Enter the username, in this example, janedoe. The system prompts you with the following menu:


WebVPN Logging: OFF
User: "janedoe"
Path: "NULL"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 2

Step 8 Enter 2 to set the path. This is the path to the URL that does not display properly. The system prompts you with the following menu, which includes instructions for configuring the path:


Enter the path to capture.
Format: 
/http[s]//<port or 0 for default>/<server/<server path>

Use "/http" to capture everything.
Use "/http/0/<server>" to capture HTTP traffic to <server>.
Use "/https/0/<server>" to capture HTTPS traffic to <server>.

> Path Prefix to Log

WebVPN Logging -> /http 

Step 9 Enter the path, in this example /http/0/www.yahoo.com. The system prompts you with the following menu:


WebVPN Logging: OFF
User: "janedoe"
Path: "/http/0/www.yahoo.com"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 3

Step 10 Enter 3 to enable WebVPN logging. The system prompts you with the following menu:


WARNING:-- Enabling this feature will impact performance.

1) Enable WebVPN Logging
2) Disable WebVPN Logging

WebVPN Logging -> [ 2 ] 1 

Step 11 Enter 1 to enable WebVPN logging. The system prompts you with the following menu:


WebVPN Logging: ON
User: "janedoe"
Path: "/http/0/www.yahoo.com"

1) Set Username
2) Set Path
3) Enable/Disable WebVPN Logging
4) Back

WebVPN Logging -> 4

Step 12 At this point you can exit the CLI. Choose the option for Back (in this menu, 4) until a menu displays that includes the option to Exit.
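Because the capture tool affects performance, it pays to choose the narrowest "Path Prefix to Log" that still covers the broken page. The following is an added example, not Cisco code: it maps request URLs to the /http[s]/<port or 0 for default>/<server>/<server path> form shown in Step 8 and checks them against a configured prefix, assuming the tool compares the value as a plain string prefix. The URLs are constructed.

```python
"""Model of the WebVPN capture tool's path prefix from the steps above.

Added example, not Cisco code. Assumptions: a request is mapped to
/http[s]/<port or 0 for default>/<server>/<server path>, as the CLI help
text shows, and the configured value is compared as a plain string prefix
("Path Prefix to Log"). URLs below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def capture_path(url):
    """Map a request URL to the capture tool's path form."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    # The CLI help text uses 0 for the scheme's default port.
    port = 0 if parts.port in (None, DEFAULT_PORTS[scheme]) else parts.port
    return f"/{scheme}/{port}/{parts.hostname or ''}{parts.path or '/'}"

def is_captured(prefix, url):
    """True if the configured prefix selects this request for logging."""
    return capture_path(url).startswith(prefix)

def captured(prefix, urls):
    """Subset of urls the prefix would capture, in order."""
    return [u for u in urls if is_captured(prefix, u)]

SAMPLE_URLS = [  # constructed traffic seen through the proxy
    "http://www.yahoo.com/index.html",
    "http://www.yahoo.com:8080/admin",
    "http://www.yahoo.com.example/",      # a different host with a longer name
    "https://intranet.example/portal",
]

if __name__ == "__main__":
    # "/http" captures everything because "/https/..." shares that prefix.
    print(captured("/http", SAMPLE_URLS))
    # The path from Step 9 also matches the longer host name above;
    # a trailing slash narrows it to that server only.
    print(captured("/http/0/www.yahoo.com", SAMPLE_URLS))
    print(captured("/http/0/www.yahoo.com/", SAMPLE_URLS))
```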