Catalyst 6500 Series WebVPN Services Module Configuration Guide, 1.1
WebVPN End User Set-up

Table Of Contents

Setting Up WebVPN for the End User

Starting WebVPN

Usernames and Passwords

End User Interface

Page Flow

Initial Connection

Login Page

Certificate Authentication

Logout Page

Portal Page

Remote Servers

DNS and Connection Errors

Session Timeout

TCP Port Forwarding and Application Access

Using Other WebVPN Features

Security Tips

Browser Caching and Security Implications

Application Access—Recovering from Hosts File Errors

How WebVPN Uses the Hosts File

What Happens When the End User Stops Application Access Improperly

What to Do


Setting Up WebVPN for the End User


This appendix is for the system administrator who sets up WebVPN for end users. It summarizes configuration requirements and tasks for the end user's remote system. It also specifies information to communicate to end users to get them started using WebVPN.


Note Before you set up WebVPN for the end user, you should have already configured the WebVPN Services Module.


This appendix contains the following sections:

Starting WebVPN

Usernames and Passwords

End User Interface

Using Other WebVPN Features

Security Tips

Application Access—Recovering from Hosts File Errors

Starting WebVPN

The following are required to start WebVPN on an end user's remote system:

Connection to the Internet—Any Internet connection is supported, including:

Home DSL, cable, or dial-ups

Public kiosks

Hotel hook-ups

Airport wireless nodes

Internet cafes

WebVPN-supported browser—The following browsers have been verified for WebVPN. Other browsers might not fully support WebVPN features.

On Microsoft Windows:

Internet Explorer 6.0 SP1 (SP2 required for Windows XP)

Netscape 7.2

On Linux:

Netscape version 7.2

Cookies enabled—Cookies must be enabled on the browser in order to access applications through port forwarding.

Pop-ups enabled—Pop-ups should be enabled on the browser to allow the browser to display the floating WebVPN toolbar and timeout warnings. If pop-ups are blocked, change the browser setting and click the WebVPN floating toolbar icon on the in-page toolbar to display the floating toolbar.

If pop-ups are disabled on the browser, WebVPN will not warn the end user before disconnecting due to an idle timeout or a maximum connect time.

URL for WebVPN—An HTTPS address in the following form:

https://address

where address is the IP address or DNS hostname of an interface of the WebVPN module, such as https://10.89.192.163 or https://vpn.company.com.

WebVPN username and password

(Optional) Local printer—WebVPN does not support printing from a web browser to a network printer. Printing to a local printer is supported.

Usernames and Passwords

Table A-1 lists the type of usernames and passwords that WebVPN users might need to know.

Table A-1 Usernames and Passwords for WebVPN Users

Login Username/Password Type   Purpose                                          Entered When
-----------------------------  -----------------------------------------------  -------------------------------------------------------------------------
Computer                       Access the computer                              Starting the computer
Internet Provider              Access the Internet                              Connecting to an Internet provider
WebVPN                         Access the remote network                        Starting WebVPN
File Server                    Access the remote file server                    Using the WebVPN file browsing feature to access a remote file server
Corporate Application Login    Access the firewall-protected internal server    Using the WebVPN web browsing feature to access an internal protected website
Mail Server                    Access the remote mail server via WebVPN         Sending or receiving e-mail messages


End User Interface

An end user whose enterprise has configured WebVPN can access the enterprise network by launching a browser and connecting to the WebVPN gateway that is hosted by the enterprise network. The end user presents his or her credentials, authenticates, and sees the portal page (home page) of the enterprise site. The portal page displays those functionalities (for example, e-mail and web browsing) to which the end user has access on the basis of his or her credentials. If the end user has access to all functionalities of the WebVPN gateway, the home page provides links to all those functionalities.


Note The end user interface is primarily an HTML interface.


The following sections explain the end user interface in more detail:

Page Flow

Initial Connection

Login Page

Certificate Authentication

Logout Page

Portal Page

Remote Servers

DNS and Connection Errors

Session Timeout

TCP Port Forwarding and Application Access

Page Flow

This section describes the page flow process (see Figure A-1) for a WebVPN session. When the end user enters the Hypertext Transfer Protocol Secure (HTTPS) URL (https://address) into his or her browser, the end user is then redirected to https://address/index.html, where the login page is located.


Note Depending on the configuration of the browser, this redirection may cause a warning in the browser of the end user indicating that he or she is being redirected to a secure connection.


Figure A-1 Page Flow

Initial Connection

When the HTTPS connection is established, the browser may display a warning about the SSL/TLS certificate. If it does, the end user should verify the certificate before installing it, for example by comparing its fingerprint with the one you publish; accepting an unverified certificate leaves the session open to interception by whoever presented it. If no warning displays, the browser already trusts the certificate.

The end user is then connected to the login page.

Login Page

The login page (see Figure A-2) prompts the end user to enter his or her username and password, which are entered into an HTML form. If an authentication failure occurs, the login page displays an error message.

Figure A-2 Default Login Page

The login page has logos, titles, messages, and colors that may be customized by administrators.

Certificate Authentication

Client certificate authentication is not supported. Only username and password authentication is supported.

Logout Page

The logout page (see Figure A-3) displays if the end user clicks the logout link, or if the session terminates because of an idle timeout or a maximum connection time.

Figure A-3 Logout Page

Portal Page

The portal page (see Figure A-4) is the main page for the WebVPN functionality. You can customize this page to contain the following:

Custom logo (the default is the Cisco bridge logo)

Custom title (the default is "WebVPN Services")

Custom banner (the default is an empty string)

Custom colors (the default is a combination of white and purples)

List of web server links (customizable)

URL entry box (always present)

Application access link (always present)

Icon links for Help, Home (that is, the portal page), and Logout

Link to the popup, floating toolbar

Items that you have not configured are not displayed on the portal page.


Note E-mail access is supported by thin-client mode, which is downloaded using the application access link.


Figure A-4 Portal Page

Remote Servers

An end user may enter an address or URL path of a website to which he or she wants to visit either in the text box on the portal page or in the text box on the floating toolbar. Pages from the remote server are displayed in the browser window. The end user can then browse to other links on the page.

Figure A-5 illustrates the portal page of a typical website. By clicking the home icon button on the floating toolbar (see Figure A-6), the end user can go back to the portal page.

Figure A-5 Website with a Toolbar

WebVPN Floating Toolbar

A floating toolbar (see Figure A-6) allows the end user to enter URLs, browse file locations, and choose preconfigured web connections without interfering with the main browser window.

The floating toolbar represents the WebVPN session. If the end user clicks the window's Close button, the WebVPN module prompts the end user to confirm that he or she wants to close the session.


Note Clicking the Home icon when viewing certain web pages, such as Hotmail.com and CNN.com, opens a new browser window because these sites rename the WebVPN browser window as part of how they function.



Tip To paste text into a text field, press Ctrl-V. Right-clicking is disabled in the WebVPN toolbar.


Figure A-6 Floating Toolbar

DNS and Connection Errors

If an end user specifies a remote server to which he or she cannot connect because of Domain Name System (DNS) or other connection errors, an error displays (see Figure A-7). Because of TCP timeouts, it may take some time for connection errors to be reported to the end user.

Figure A-7 DNS Errors

Session Timeout

End users receive a warning approximately 1 minute before the session expires due to inactivity, and they receive another warning when the session expires (see Figure A-8). The local time on the workstation is also displayed to indicate when the message was displayed.

The first message will be similar to the following:

"Your session will expire in x seconds due to inactivity. Click [Close] to reset the inactivity timer. (browser time and date)"

Clicking the [Close] button on the idle warning message resets the inactivity timer.

The last message, as shown below, displays when the time runs out (depending on whether the reason of the session termination is known):

"Your session has expired due to inactivity."

Figure A-8 Session Inactivity or Timeout Window

TCP Port Forwarding and Application Access


Note This feature requires a Java 1.4 Java Virtual Machine (JVM) to properly support SSL connections.



Note Because this feature requires installing JRE and configuring the local clients, and because doing so requires administrator permissions on the local system, it is unlikely that end users will be able to use applications when they connect from public remote systems.


When the end user clicks the Application Access link, a new window is displayed. This window initiates the downloading of a port-forwarding applet. Another window is then displayed, asking the end user to verify the certificate with which the applet is signed. Because the applet runs with the end user's (administrator) privileges and edits the hosts file, the end user should check the signer's name before accepting. When the end user accepts the certificate, the applet starts running, and port-forwarding entries are displayed (see Figure A-9). The number of active connections and the bytes sent and received are also listed in this window.


Note When end users launch Application Access, their system may display a dialog box regarding digital certificates, and this dialog box may appear behind other browser windows. If the end user's connection appears hung, tell the end user to minimize the browser windows to check for this dialog box.


You should have configured IP addresses, DNS names, and port numbers for the e-mail servers. The end user can then launch the e-mail client, which is configured to contact those e-mail servers through the forwarded ports to send and receive e-mail. The Post Office Protocol version 3 (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP) protocols are supported.

When the end user logs out, the window attempts to close itself automatically (using JavaScript). If the session has already terminated and a new port-forwarding connection is attempted, the applet displays an error message.

Figure A-9 TCP Port Forwarding Page


Caution You should tell users to always close the Application Access window when they finish using applications by clicking the close icon. Failure to quit the window properly can cause Application Access or the applications to be disabled. See the "Application Access—Recovering from Hosts File Errors" section for details.

Table A-2 lists the requirements for Application Access (Port Forwarding) on an end user's remote system.

Table A-2 WebVPN Remote System Application Access Requirements

Each entry gives the remote system or end user requirement, followed by specifications or use suggestions.

Requirement: Client applications installed.

Requirement: Cookies enabled on browser.

Requirement: Administrator privileges. The end user must be a local administrator on his or her PC.

Requirement: Sun Microsystems Java Runtime Environment (JRE) version 1.4 or later installed. WebVPN automatically checks for JRE whenever the end user starts Application Access. If it is necessary to install JRE, a pop-up window displays directing end users to a site where it is available.

Requirement: Client applications configured, if necessary.

Note The Microsoft Outlook client does not require this configuration step.

To configure the client application, use the server's locally mapped IP address and port number. To find this information, do the following:

1. Start WebVPN on the remote system and click the Application Access link on the WebVPN home page. The Application Access window displays.

2. In the Name column, find the name of the server that you want to use, and then identify its corresponding client IP address and port number (in the Local column).

3. Use this IP address and port number to configure the client application. The configuration steps vary for each client application.

Requirement: Windows XP SP2 patch. End users running Windows XP SP2 must install the patch from Microsoft that is available at the following address:

http://support.microsoft.com/?kbid=884020

The patch addresses a known Windows XP SP2 issue with connections to loopback addresses, which Application Access uses for its locally mapped ports.
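The locally mapped address and port in the Local column behave like the relay below: the client application is pointed at a loopback listener, and each connection it opens is carried to the real server. This is an added example, not Cisco's applet. The real applet tunnels the forwarded connections inside the SSL session to the WebVPN module; this relay speaks plain TCP so that it runs offline, and the echo server standing in for the remote mail server, the addresses, ports and the "USER alice" request are all constructed for the example.

```python
"""Loopback TCP port forwarder in the style of the WebVPN Application
Access applet.  Added illustration, not Cisco's applet: the real applet
carries forwarded connections inside the SSL session to the WebVPN
module, whereas this relay speaks plain TCP so it can run offline.
Every address, port and message below is constructed."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Listen on a local loopback address/port (the "Local" column) and relay
    each accepted connection to the remote server (the "Name" column)."""

    def __init__(self, local, remote):
        self.remote = remote
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(local)
        self.listener.listen(5)
        self.local = self.listener.getsockname()   # resolved address and port
        self.connections = 0                       # like the applet's counter
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return                              # listener was closed
            try:
                upstream = socket.create_connection(self.remote, timeout=5)
            except OSError:
                client.close()                      # remote server unreachable
                continue
            self.connections += 1
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the remote application server: answers each
    connection with '+OK echo ' followed by whatever it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"+OK echo " + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def send_through_forwarder(payload):
    """Point a 'client application' at the forwarder's local address instead of
    the real server, send payload, and return (reply, connections relayed)."""
    srv = start_echo_server()
    fwd = Forwarder(("127.0.0.1", 0), srv.getsockname())
    try:
        with socket.create_connection(fwd.local, timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return b"".join(chunks), fwd.connections
    finally:
        fwd.close()
        srv.close()


if __name__ == "__main__":
    print(send_through_forwarder(b"USER alice\r\n"))
```

The client never learns the server's real address; it only sees the loopback endpoint, which is why a mail client configured with the Local column's address keeps working only while the applet is running.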


Using Other WebVPN Features

Table A-3 lists the requirements for various WebVPN features.

Table A-3 WebVPN Remote System Configuration and End User Requirements

Each entry gives the task, the remote system or end user requirements, and specifications or use suggestions.

Task: Web Browsing
Requirements: Usernames and passwords for protected websites.
Specifications or use suggestions: Using WebVPN does not ensure that communication with every site is secure. See the "Security Tips" section.

The look and feel of web browsing with WebVPN might be different from what end users are accustomed to. For example, when using WebVPN, note the following:

  The WebVPN title bar appears above each web page.

  You can access websites as follows:

    Entering the URL in the Enter Web Address field on the WebVPN home page

    Clicking a preconfigured website link on the WebVPN home page

    Clicking a link on a web page accessed by one of the previous two methods

  Also, depending on how you configured a particular account, the following might occur:

    Some websites are blocked.

    Only the websites that appear as links on the WebVPN home page are available.

Task: Network Browsing and File Management
Requirements:
  File permissions configured for shared remote access. Only shared folders and files are accessible through WebVPN.
  Server name and passwords for protected file servers.
  Domain, workgroup, and server names where folders and files reside. Users might not be familiar with how to locate their files through your organization's network.

Note Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress. Interrupting the operation can cause an incomplete file to be saved on the server.

Task: Using e-mail: Application Access
Requirements: Fulfill the requirements for Application Access (see the "TCP Port Forwarding and Application Access" section).
Specifications or use suggestions: To use e-mail, start Application Access from the WebVPN home page. The e-mail client is then available for use.

Note If end users are using an IMAP client and lose their e-mail server connection or are unable to make a new connection, they should close the IMAP application and restart WebVPN.

Other mail clients: Cisco has tested Microsoft Outlook Express versions 5.5 and 6.0. WebVPN should support other SMTPS, POP3S, or IMAP4S e-mail programs, such as Netscape Mail, Lotus Notes, and Eudora, but Cisco has not verified them.

Task: Using e-mail: Web Access
Requirements: Web-based e-mail product installed.
Specifications or use suggestions: Supported products are as follows:
  Outlook Web Access (OWA) 5.5, 2000, and 2003. Netscape, Mozilla, and Internet Explorer are supported with OWA 5.5 and 2000. Internet Explorer 6.0 or higher is required with OWA 2003; Netscape and Mozilla are not supported with OWA 2003.
  Lotus iNotes.
  Other web-based e-mail products should also work, but Cisco has not verified them.

Task: Using the WebVPN floating toolbar
Requirements: Most platforms except PocketPC.
Specifications or use suggestions: To paste text into a text field, press Ctrl-V. Right-clicking is disabled in the floating toolbar.

Task: Using the Cisco SSL VPN Client (SVC)
Specifications or use suggestions: To retrieve SVC log messages using the Windows Event Viewer, go to Program Files > Administrative Tools > Event Viewer in Windows.

Task: Using Secure Desktop Manager
Requirements: A Secure Desktop Manager-supported browser.
Specifications or use suggestions:
  On Microsoft Windows: Internet Explorer version 6.0; Netscape version 7.2
  On Linux: Netscape version 7.2

Task: Using Cache Cleaner or Secure Desktop
Requirements: A Cisco Secure Desktop-supported browser.
Specifications or use suggestions: Any browser supported for Secure Desktop Manager.


Security Tips

Advise end users always to log out from the WebVPN session when they are done. (To log out of WebVPN, click on the logout icon on the WebVPN toolbar or quit the browser.)

Advise end users that using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote end user's PC or workstation and the WebVPN module on the corporate network. If the end user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate WebVPN module to the destination web server is not secured.

Browser Caching and Security Implications

If end users use WebVPN through a public or shared Internet system, such as at an Internet cafe or kiosk, to ensure the security of their information after terminating or logging out of the WebVPN session, end users must delete all files that they saved on the PC during the WebVPN session. These files are not removed automatically upon disconnect.


Note WebVPN does not save the content of Web pages viewed during the session. However, for additional security, we recommend that end users also clear their browser's cache. Deleting content from a PC does not ensure that it cannot be recovered; keep this in mind when downloading sensitive data.


Application Access—Recovering from Hosts File Errors

It is very important to tell end users to close the Application Access window properly by clicking the close icon. If they do not close the window properly, the following could occur:

The next time end users try to start Application Access, it might be disabled; they will receive a "Backup HOSTS File Found" error message

The applications might be disabled or might malfunction even when the end user is running them locally

These errors can result from end users terminating the Application Access window in any improper way:

The browser crashes while using Application Access

A power outage or system shutdown occurs while using Application Access

End users minimize the Application Access window and then shut down the computer with the window active (but minimized)

How WebVPN Uses the Hosts File

The hosts file on the end user system maps IP addresses to hostnames. When the end user starts Application Access, WebVPN modifies the hosts file by adding WebVPN-specific entries. When the end user stops Application Access by properly closing the Application Access window, WebVPN returns the hosts file to its original state. The hosts file goes through the following states:

Before invoking Application Access, the hosts file is in its original state.

When Application Access starts, WebVPN does the following:

a. Copies the hosts file to hosts.webvpn and creates a backup.

b. Edits the hosts file, inserting WebVPN-specific information.

When Application Access stops, WebVPN does the following:

a. Copies the backup file to the hosts file, which restores the hosts file to its original state.

b. Deletes hosts.webvpn.

After finishing Application Access, the hosts file is in its original state.

What Happens When the End User Stops Application Access Improperly

If the end user improperly terminates Application Access, the hosts file is left in a WebVPN-customized state. WebVPN checks for this possibility the next time that the end user starts Application Access by searching for a hosts.webvpn file. If WebVPN finds the file, the end user receives a "Backup HOSTS File Found" error message, and Application Access is temporarily disabled.

When end users shut down Application Access improperly, they leave the remote access client/server applications in a suspended state. If end users try to start these applications without using WebVPN, the applications might malfunction. End users might find that hosts that they normally connect to are unavailable. This situation could commonly occur if end users run applications remotely from home, fail to quit the Application Access window before shutting down the computer, and then try to run the applications later from the office.

What to Do

To reenable Application Access or malfunctioning applications, end users should do the following:

If they can connect to their remote access server, they should follow the steps in the "Reconfiguring the Hosts File Automatically Using WebVPN" section.

If they cannot connect to their remote access server from their current location or if they have made custom edits to the hosts file, they should follow the steps in the "Reconfiguring the Hosts File Manually" section.

Reconfiguring the Hosts File Automatically Using WebVPN

If end users are able to connect to their remote access server, they should follow these steps to reconfigure the hosts file and reenable both Application Access and the applications:


Step 1 Start WebVPN and log in. The portal page opens.

Step 2 Click the Application Access link. A "Backup HOSTS File Found" message displays.

Step 3 Choose one of the following options:

Restore from backup—WebVPN forces a proper shutdown. WebVPN copies the hosts.webvpn backup file to the hosts file, restoring it to its original state, and then deletes hosts.webvpn. You then have to restart Application Access.

Do nothing—Application Access does not start. You return to your remote access home page.

Delete backup—WebVPN deletes the hosts.webvpn file, leaving the hosts file in its WebVPN-customized state. The original hosts file settings are lost. Then Application Access starts, using the WebVPN-customized hosts file as the new original. Choose this option only if you are unconcerned about losing hosts file settings. If you edited the hosts file after Application Access has shut down improperly, choose one of the other options, or edit the hosts file manually. (See the "Reconfiguring the Hosts File Manually" section.)


Reconfiguring the Hosts File Manually

If end users are not able to connect to their remote access server from their current location, or if end users have customized the hosts file and do not want to lose their edits, they should follow these steps to reconfigure the hosts file and reenable both Application Access and the applications:


Step 1 Locate and edit your hosts file. On Windows it is %SystemRoot%\System32\drivers\etc\hosts, and editing it requires local administrator rights.

Step 2 Check whether any lines contain the "added by WebVpnPortForward" string. If they do, your hosts file is still WebVPN customized. A customized hosts file looks similar to the following example, with the WebVPN entries (pointing at loopback addresses) above the original contents:

127.0.0.3 server1 # added by WebVpnPortForward
127.0.0.3 server1.example.com vpn3000.com # added by WebVpnPortForward
127.0.0.4 server2 # added by WebVpnPortForward
127.0.0.4 server2.example.com.vpn3000.com # added by WebVpnPortForward
127.0.0.5 server3 # added by WebVpnPortForward
127.0.0.5 server3.example.com vpn3000.com # added by WebVpnPortForward

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


Step 3 Delete the lines that contain the "# added by WebVpnPortForward" string.

Step 4 Save and close the file.

Step 5 Start WebVPN and log in. Your home page appears.

Step 6 Click the Application Access link. The Application Access window appears. Application Access is now enabled. If the hosts.webvpn backup file from the interrupted session is still present, the "Backup HOSTS File Found" message appears first; because you have already removed the WebVPN entries by hand, choose Delete backup so that your edited hosts file is kept.
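The hosts file states described in "How WebVPN Uses the Hosts File", the "Backup HOSTS File Found" check, and the manual cleanup of Step 2 and Step 3 are modeled together below. This is an added example, not the WebVPN applet's code: it operates on whatever path you pass in (a temporary copy in demo()), never the real system hosts file, and the server names, loopback addresses and the intranet entry are constructed for the example.

```python
"""Hosts-file handling as this appendix describes it for Application Access:
back up, insert marked entries, restore, detect an improper shutdown, and do
the manual cleanup of Step 2 and Step 3.  Added illustration, not the WebVPN
applet's code: it works on whatever path you pass in (a temporary copy in
demo()), never the real system hosts file; server names and loopback
addresses are constructed."""
import os
import shutil
import tempfile

MARKER = "# added by WebVpnPortForward"

# Constructed sample: the hosts file in its original state.
ORIGINAL_HOSTS = (
    "127.0.0.1       localhost\n"
    "10.1.1.50       intranet        # entry the end user added\n"
)

# Constructed port-forwarding list: (loopback address, hostname) pairs.
ENTRIES = [
    ("127.0.0.3", "server1"),
    ("127.0.0.3", "server1.example.com"),
    ("127.0.0.4", "server2"),
]


def backup_path(hosts):
    """hosts.webvpn lives next to the hosts file it backs up."""
    return hosts + ".webvpn"


def read(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def is_customized(text):
    """Step 2: does any line carry the WebVPN marker?"""
    return any(MARKER in line for line in text.splitlines())


def strip_webvpn_lines(text):
    """Step 3: drop only the marked lines; every other line is kept as-is."""
    return "".join(line for line in text.splitlines(keepends=True)
                   if MARKER not in line)


def start_application_access(hosts, entries):
    """Start: refuse if a backup already exists (the last session ended
    improperly), otherwise copy hosts to hosts.webvpn and insert entries."""
    if os.path.exists(backup_path(hosts)):
        raise RuntimeError("Backup HOSTS File Found")
    shutil.copyfile(hosts, backup_path(hosts))
    original = read(hosts)
    added = "".join(f"{ip} {name} {MARKER}\n" for ip, name in entries)
    with open(hosts, "w", encoding="utf-8") as f:
        f.write(added + original)


def stop_application_access(hosts):
    """Proper stop, and the "Restore from backup" choice: copy the backup
    over the hosts file, then delete the backup."""
    shutil.copyfile(backup_path(hosts), hosts)
    os.remove(backup_path(hosts))


def delete_backup(hosts):
    """The "Delete backup" choice: keep the current hosts file, drop hosts.webvpn."""
    os.remove(backup_path(hosts))


def demo():
    """Run a temporary hosts file through a proper session, an improper
    shutdown and the manual recovery; return what was observed."""
    tmp = tempfile.mkdtemp()
    hosts = os.path.join(tmp, "hosts")
    seen = {}
    try:
        with open(hosts, "w", encoding="utf-8") as f:
            f.write(ORIGINAL_HOSTS)
        start_application_access(hosts, ENTRIES)
        seen["customized_while_running"] = is_customized(read(hosts))
        stop_application_access(hosts)
        seen["restored_after_stop"] = (read(hosts) == ORIGINAL_HOSTS
                                       and not os.path.exists(backup_path(hosts)))
        # Improper shutdown: the session starts but is never stopped cleanly.
        start_application_access(hosts, ENTRIES)
        try:
            start_application_access(hosts, ENTRIES)
            seen["next_start_blocked"] = False
        except RuntimeError as err:
            seen["next_start_blocked"] = str(err) == "Backup HOSTS File Found"
        # Manual recovery: strip the marked lines, keep the end user's own entry.
        cleaned = strip_webvpn_lines(read(hosts))
        with open(hosts, "w", encoding="utf-8") as f:
            f.write(cleaned)
        seen["manual_cleanup_restores_original"] = cleaned == ORIGINAL_HOSTS
        delete_backup(hosts)            # stale backup would re-trigger the prompt
        start_application_access(hosts, ENTRIES)
        seen["starts_again_after_cleanup"] = is_customized(read(hosts))
        stop_application_access(hosts)
    finally:
        shutil.rmtree(tmp)
    return seen
```

The marker comment is what makes the manual procedure safe: strip_webvpn_lines() removes only lines that carry it, so an entry the end user added by hand survives, which is exactly what "Restore from backup" would lose if the edit was made after the improper shutdown.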