
Cisco ASA 5500 Series Next Generation Firewalls

ASA Clientless SSLVPN: RDP Plug-in Issues

Document ID: 113600

Updated: Jul 27, 2012

Contributed by Cisco TAC Engineers.


Introduction

The Remote Desktop Protocol (RDP) plug-in is one of the plug-ins available to Cisco ASA clientless SSLVPN users, alongside others such as SSH, VNC and Citrix. The RDP plug-in is one of the most used plug-ins in this collection, and it is also the one with the most confusion surrounding it.

This document answers a few common questions, and clarifies points that tend to raise further questions. It does not describe how to configure the plug-in, because there is little to configure beyond importing the right plug-in.

Refer to Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

RDP Plug-in

The RDP plug-in has evolved over time from a pure Java-based RDP plug-in into one that includes both an ActiveX RDP client (Internet Explorer) and a Java client (non-IE browsers).

For Java RDP Client, the Cisco RDP plug-in uses properJava RDP client: http://properjavardp.sourceforge.net/

The RDP plug-in also incorporates an ActiveX RDP client, and it decides whether to use the Java or the ActiveX client based on the browser. That is:

  • If IE users start RDP through the Clientless SSLVPN portal and the bookmark URL does not contain the "ForceJava=true" argument, the ActiveX client is used.

  • If non-IE users launch an RDP bookmark or URL, only the Java client is launched.

RDP and RDP-2: Which plug-in to use?

RDP plug-in: This is the original Java RDP Plug-in that was updated to add ActiveX Client.

RDP2 plug-in: This is based on the RDP2 protocol, a supposedly updated properJava RDP client meant for Windows 2003 Terminal Servers and Windows Vista Terminal Servers.

However, the latest RDP plug-in combines both RDP and RDP2, which makes the RDP2 plug-in obsolete. That is, going forward you only need to use the RDP plug-in (for example, rdp-plugin.yymmdd.jar).

Where to download the plug-in from:

Download Software


The current RDP plug-in is "rdp-plugin.120424.jar". This was released on April 27th, 2012.

Browser Compatibility Matrix

The browser compatibility matrix is defined only for the Clientless SSLVPN implementation and the ASA OS version. As long as this matrix is satisfied, the plug-ins are automatically supported. For more information on supported VPN platforms, refer to Cisco ASA 5500 Series.

What to expect and what not to expect?

RDP-ActiveX

  • Meant only for Internet Explorer

  • Sound is relayed over RDP session

RDP-Java

  • Should work on all the supported browsers (from the matrix above) that have Java enabled.

  • In Internet Explorer, the Java client is launched only if ActiveX fails to launch or the "ForceJava=true" argument is passed in the RDP bookmark or URL.

  • Because the RDP-Java implementation is based on the properJava RDP project, an open-source initiative, only best-effort service is provided when the plug-in fails.

Troubleshooting RDP Issues

What to Collect?

  1. Output of show tech.

  2. Output of show import webvpn plug-in detailed.

  3. Specify the destination PC's operating system.

  4. Specify whether an RDP version later than 5.2 is used.

  5. Specify whether the ActiveX version (IE only) or the Java version was used.

  6. Specify whether it is a load balancing setup.

Using SmartTunnel

Add these processes to the SmartTunnel list:

  • svchost.exe

  • services.exe

  • wininit.exe

  • TSWbPrxy.exe

  • wksprt.exe

  • mstsc.exe

If this does not work, ensure that the smart tunnel (ST) list is started when testing.

Does the Java RDP Client work directly?

In order to identify whether the issue lies with the RDP plug-in or with webvpn, the best test is to use the client directly to RDP to the server in question and check whether the same behavior appears. If it does, the problem is in the client plug-in, which is not created by Cisco. Complete these steps:

  1. Download this zip file. These are the properjavardp jar files that were used in the RDP plugin (Terminal Service client plugin for ASA).

  2. Unzip the file to a folder.

  3. Open rdp-applet.html and change the values of these parameters:

     <param name="server" value="xxxx">
     <param name="username" value="xxxx">
     <param name="password" value="xxxx">

  4. Save the file and open it in a Java-enabled browser.

Known Caveats

ActiveX Client

  • ActiveX RDP fails to load from IE 6-9 after upgrading to ASA OS version 8.4.3.

    Refer to Cisco bug ID CSCtx58556 (registered customers only). The fix is available from 8.4.3.4. However, it is recommended that you upgrade to the latest OS available. Workaround (if an upgrade of the ASA code is not an option):

    • Use Java RDP instead. For IE users, set the "ForceJava=true" argument in the RDP URL (this does not harm users of other browsers).

  • Because of the previous bug (CSCtx58556), if an ASA OS downgrade is performed, beware of Cisco bug ID CSCtx57453 (registered customers only). In this case, ActiveX RDP fails for all returning RDP users (those who have attempted ActiveX RDP on Clientless SSLVPN on an 8.4.3 ASA). This is because the ActiveX RDP plug-in was upgraded in 8.4.3 and is incompatible with earlier versions.

    What to do:

    • Keep in mind both CSCtx58556 and CSCtx57453 when deploying company-wide ASA based SSLVPN Service. Either use 8.4.3 and later, or 8.4.2 and earlier.

    • If you are a returning RDP user, for example you have used 8.4.3 based ActiveX RDP and now need to use 8.4.2 or earlier ActiveX RDP over the SSLVPN Portal:

      Remove all registry instances of "b8e73359-3422-4384-8d27-4ea1b4c01232" (old ActiveX CLSID) using regedit.

      Note: This must be done after a backup of the registry. This should be done at your own risk. Consult Microsoft support for more information.

  • Although the ActiveX client allows Network Level Authentication (NLA) to be coded, Cisco's implementation does not include it. This is the open enhancement request for incorporating NLA into the ActiveX RDP plug-in:

    Refer to Cisco bug ID CSCtu63661 (registered customers only).

    Workaround:

  • ActiveX RDP fails to load and shows a blank page with a loading message when a 3rd-party certificate chain is installed on the ASA; for example, the ASA has an identity certificate from a 3rd-party vendor and that vendor's certificate chain (Sub-CA1, Sub-CA2, Root-CA) is installed on the ASA.

    Refer to Cisco bug ID CSCsx49794 (registered customers only).

    Workaround (if upgrade of ASA code is not an option):

    • Do not install the large certificate chain on the ASA.

    • The Java RDP plug-in is known to work fine, as opposed to the ActiveX plug-in.

    • RDP also works fine when the native Windows mstsc.exe is configured with smart tunnels.

  • After using ActiveX RDP, if you click the Logout button, you see an 'HTTP 404 - Page Not found' error instead of the usual Logout page. This issue does not occur with the latest RDP plug-in available on CCO, which is rdp-plugin.120424.jar.

    Refer to the V-Comments in Cisco bug ID CSCtz33266 (registered customers only).

  • If you have two tabs open in IE, one for the RDP Session and another one for a blank or random page, if the RDP tab is closed, IE stops working.

    • Track this in Cisco bug ID CSCua69129 (registered customers only) .

    • The workaround for now is to use the Java RDP Plug-in (Set ForceJava=true).

  • Refer to Cisco bug ID CSCua16597 (registered customers only) - RDP ActiveX plug-in causes high CPU with IE.

  • After installing Windows update KB2695962, the ActiveX RDP plug-in gets into a loop. If you open a new RDP session or click a bookmark, it tries to install the "Cisco SSL VPN Port Forwarder" (sometimes it does not try to install it) and returns to the clientless portal. This is due to vulnerability CVE-2012-0358, which the Microsoft update resolved on the client side:

    Microsoft Security Advisory (2695962)

    In order to connect, you need to upgrade the ASA to one of the fixed versions listed in the Cisco Security Advisory:

    Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability

    Bug ID: CSCtr00165 (registered customers only) - Port Forwarder ActiveX control contains a Buffer Overflow vulnerability

Java Client

Because the Cisco RDP-Java plug-in implementation is based on the properJava RDP project, an open-source initiative, only best-effort service is provided for Java-RDP failures. However, bring any issues to Cisco TAC's notice and a satisfactory answer will be given.

  • When running some processor-intensive applications through a Java RDP session, you might experience Java RDP crashing with the "FATAL net.propero.rdp - javax.net.ssl.SSLException: Connection has been shutdown: ...." error message. This is mainly observed when the user continuously switches between such processor-intensive applications within the Java RDP session.

    Refer to Cisco bug ID CSCtz78693 (registered customers only).

    • Fixed Plug-in is available on request through Cisco TAC, and the fix is made only to the plug-in and not to ASA OS.

Why are some characters not showing up on the remote RDP session?

The remote computer reached through the RDP session has a different keyboard map than the local computer; because of this difference, some keys do not show up on the remote computer or are mapped incorrectly. This behavior has been seen with the Java plug-in; the ActiveX plug-in works fine. In order to resolve this problem, use the keymap attribute to map the local keymap to the remote PC.

For example, if a German keyboard mapping is required, use the following:

rdp://<IP Address of the server>/?keymap=de

The following keymaps are available:

---snip---
ar    de    en-us fi    fr-be it    lt    mk    pl    pt-br sl    tk
da    en-gb es    fr    hr    ja    lv    no    pt    ru    sv    tr
---snip---

Known Bugs:

Note: Another possible workaround is to use Application Smart Tunnel for mstsc.exe:

smart-tunnel list RDP_List RDP mstsc.exe platform windows

Can the Java RDP plugin support full screen RDP sessions?

As of now, no; there is no native support for this. Enhancement request CSCto87451 (registered customers only) has been filed to get this implemented. Another bug, CSCsl26897 (registered customers only), was filed for this a while back. The workaround for this issue is to use the geometry parameter; for example, geometry=1024x768. Of course this value varies from screen to screen and is not really a great solution. Alternatively, if you are using IE and Windows, the ActiveX client does support full screen.
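As an added illustration (not Cisco's code and not part of this document), the following Python script models the bookmark arguments mentioned on this page, ForceJava=true, keymap and geometry, together with the ActiveX-versus-Java selection rule from the RDP Plug-in section. The keymap list is the one printed above. The default port of 3389, case-insensitive argument names, rejection of unknown arguments and User-Agent-based IE detection are assumptions of the example, not documented ASA behaviour; the hostnames and User-Agent strings are constructed sample values.

```python
"""Added example (not Cisco's code, not part of this document's original text):
model the RDP bookmark arguments this page mentions (ForceJava, keymap,
geometry) and the ActiveX-versus-Java client selection it describes.

Assumptions NOT stated on the page: argument names match case-insensitively,
unknown arguments are rejected, a missing port means 3389, and a browser
counts as IE when its User-Agent contains "MSIE" or "Trident/".
"""
from urllib.parse import parse_qs, urlparse

# Keymaps listed on this page as available to the Java (properJava) client.
SUPPORTED_KEYMAPS = frozenset("""
    ar de en-us fi fr-be it lt mk pl pt-br sl tk
    da en-gb es fr hr ja lv no pt ru sv tr
""".split())

# Bookmark arguments this page mentions (lower-cased for matching).
KNOWN_ARGS = frozenset(["forcejava", "keymap", "geometry"])
DEFAULT_RDP_PORT = 3389  # assumption: the usual RDP listener port


def parse_rdp_bookmark(url):
    """Parse an rdp:// bookmark into (host, port, args).

    args has lower-cased keys: forcejava -> bool, keymap -> lower-cased
    code, geometry -> (width, height). Raises ValueError for a wrong scheme,
    a missing host, an unknown argument, an unsupported keymap, or a
    malformed geometry.
    """
    parts = urlparse(url)
    if parts.scheme != "rdp":
        raise ValueError("expected an rdp:// bookmark, got scheme %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("bookmark has no server host")

    args = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        key = name.lower()
        if key not in KNOWN_ARGS:
            raise ValueError("unknown bookmark argument %r" % name)
        args[key] = values[-1]  # last occurrence wins (assumption)

    if "forcejava" in args:
        args["forcejava"] = args["forcejava"].lower() == "true"
    if "keymap" in args:
        args["keymap"] = args["keymap"].lower()
        if args["keymap"] not in SUPPORTED_KEYMAPS:
            raise ValueError("unsupported keymap %r" % args["keymap"])
    if "geometry" in args:
        width, sep, height = args["geometry"].partition("x")
        if not (sep and width.isdigit() and height.isdigit()
                and int(width) > 0 and int(height) > 0):
            raise ValueError("geometry must be WIDTHxHEIGHT, got %r" % args["geometry"])
        args["geometry"] = (int(width), int(height))

    return parts.hostname, parts.port or DEFAULT_RDP_PORT, args


def check_bookmark(url):
    """Return None when the bookmark is acceptable, else the error text."""
    try:
        parse_rdp_bookmark(url)
    except ValueError as exc:
        return str(exc)
    return None


def build_rdp_bookmark(host, port=None, force_java=False, keymap=None, geometry=None):
    """Assemble a bookmark URL and validate it by parsing it back."""
    params = []
    if force_java:
        params.append("ForceJava=true")  # the spelling used on this page
    if keymap:
        params.append("keymap=%s" % keymap)
    if geometry:
        params.append("geometry=%dx%d" % geometry)
    netloc = host if port is None else "%s:%d" % (host, port)
    url = "rdp://%s/" % netloc
    if params:
        url += "?" + "&".join(params)
    parse_rdp_bookmark(url)  # raises ValueError on a bad argument
    return url


def select_client(user_agent, args):
    """Apply the rule stated on this page: IE without ForceJava=true gets the
    ActiveX client; every other case gets the Java client."""
    is_ie = "MSIE" in user_agent or "Trident/" in user_agent  # assumption
    if is_ie and not args.get("forcejava", False):
        return "activex"
    return "java"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    ie_ua = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
    firefox_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0"
    for url in ("rdp://10.0.0.5/?keymap=de",
                build_rdp_bookmark("ts01.example.test", force_java=True, geometry=(1024, 768)),
                "rdp://10.0.0.5/?keymap=xx"):
        problem = check_bookmark(url)
        if problem:
            print("%s -> rejected: %s" % (url, problem))
            continue
        host, port, args = parse_rdp_bookmark(url)
        print("%s -> %s:%d IE=%s other=%s" % (url, host, port,
              select_client(ie_ua, args), select_client(firefox_ua, args)))
```

Run it as a script to see three bookmarks evaluated: a plain German-keymap bookmark (ActiveX for IE, Java elsewhere), a ForceJava bookmark with a geometry argument (Java for every browser, which is the CSCtx58556 and CSCua69129 workaround described above), and a bookmark with an unsupported keymap that is rejected before it is ever handed to a client.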

Related Information
