Configure Clientless SSL VPN (WebVPN) on a Cisco Router with Security Device Manager




Introduction

This document explains how to configure Clientless SSL VPN (WebVPN) on a Cisco router. It applies to Cisco 1800, 2800 and 3800 Integrated Services Routers.

Clientless SSL VPN allows a user to securely access resources on the corporate LAN from anywhere with an SSL-enabled Web browser. The user first authenticates with a WebVPN gateway which then allows the user access to pre-configured network resources.





Requirements

To perform the steps described in this document, you need to have these items:





Configure Clientless SSL VPN on a Router

Follow these steps to set up a Clientless SSL VPN on your router:

Configure the SSL VPN Gateway

The SSL VPN gateway provides the IP address and the digital certificate for the SSL VPN contexts that use it. Follow these steps to configure the SSL VPN Gateway:

  1. Open a web browser and type http://router-IP-address in the Address field. Use the IP address that you entered in field L6A of the LAN Addressing Worksheet. Press Enter to launch SDM. For more information about how to launch SDM, refer to Configure your Router with Security Device Manager.

  2. Click Configure.

    config_SSLVPN_on_router_SDM_01.gif

  3. Click VPN.

    config_SSLVPN_on_router_SDM_02.gif

  4. On the VPN Screen, expand SSL VPN and click SSL VPN Gateways.

    config_SSLVPN_on_router_SDM_03.gif

  5. On the SSL VPN Gateways screen, click Add.

    config_SSLVPN_on_router_SDM_04.gif

  6. The Add SSL VPN Gateway dialog box appears. Modify the defaults with these details:

    1. In the Gateway name field, enter the VPN group name that you entered in field R21 of the Internet Worksheet.

    2. Check the Enable Gateway check box.

    3. In the IP Address field, enter the IP address that the SSL VPN clients use to connect to the SSL VPN Gateway.

    4. In the Hostname field, enter a descriptive name for the SSL VPN Gateway.

    5. Check the Redirect HTTP Traffic (Optional) check box.

    6. Click OK.

    config_SSLVPN_on_router_SDM_05.gif

  7. On the Commands Delivery Status window, click OK.

    config_SSLVPN_on_router_SDM_07.gif

  8. Click the Save icon, and click Yes to accept the changes.

Enable AAA

You must enable AAA to configure SSL VPN. Follow these steps to enable AAA:

  1. Click Configure.

    config_SSLVPN_on_router_SDM_01.gif

  2. Click VPN.

    config_SSLVPN_on_router_SDM_02.gif

  3. Click SSL VPN, and click the Create SSL VPN tab.

    config_SSLVPN_on_router_SDM_08.gif

  4. On the Create SSL VPN screen, next to Prerequisite Tasks, click the Enable AAA link.

    config_SSLVPN_on_router_SDM_09.gif

  5. On the Enable AAA warning window, click Yes.

    config_SSLVPN_on_router_SDM_09a.gif

  6. On the Commands Delivery Status window, click OK.

    config_SSLVPN_on_router_SDM_07.gif

  7. Click OK in the Information window.

    config_SSLVPN_on_router_SDM_11.gif

Configure the Resources Allowed for the Policy Group

In order to make it easier to add resources to a policy group, you can configure the resources before you create the policy group.

Follow these steps to configure the resources allowed for the policy group:

  1. Click Configure.

    config_SSLVPN_on_router_SDM_01.gif

  2. Click VPN.

    config_SSLVPN_on_router_SDM_02.gif

  3. Click on SSL VPN, and click the Edit SSL VPN tab.

    config_SSLVPN_on_router_SDM_12.gif

  4. On the Edit SSL VPN screen, click Add.

    config_SSLVPN_on_router_SDM_13.gif

  5. The Add SSL VPN Context dialog box appears. Expand SSL VPN Context, and select URL Lists.

    config_SSLVPN_on_router_SDM_14.gif

  6. Click Add.

    config_SSLVPN_on_router_SDM_15.gif

  7. The Add URL List dialog box appears. Enter values in the URL List Name and Heading fields, then click Add and select Website.

    config_SSLVPN_on_router_SDM_16.gif

  8. In the Add URL Label: window, enter the URL Label name and enter the IP address of the Web Server. This list contains all the HTTP and HTTPS Web servers that you want to be available for this SSL VPN connection.

    config_SSLVPN_on_router_SDM_17.gif

  9. To add access for Outlook Web Access (OWA), click Add, and select E-mail.

    config_SSLVPN_on_router_SDM_18.gif

  10. In the Add URL Label: window, enter the URL Label name for OWA and enter the IP address of the Outlook Exchange Server. Click OK.

    config_SSLVPN_on_router_SDM_19.gif

  11. Click OK.

    config_SSLVPN_on_router_SDM_20.gif

  12. To allow Windows file browsing through CIFS, you can designate a NetBIOS Name Service (NBNS) server and configure the appropriate shares in the Windows domain:

    1. From the SSL VPN Context list, select NetBIOS Name Server Lists and click Add.

      config_SSLVPN_on_router_SDM_21.gif

    2. The Add NBNS Server List dialog box appears. Enter the descriptive name and click Add.

      config_SSLVPN_on_router_SDM_22.gif

    3. In the NBNS Server window, enter the IP Address of the NBNS Server and click OK.

      config_SSLVPN_on_router_SDM_23.gif

    4. Click OK.

      config_SSLVPN_on_router_SDM_24.gif

Configure the SSL VPN Policy Group and Select the Resources

Follow these steps to configure the SSL VPN policy group and select the resources:

  1. Click Configure, and click VPN.

    config_SSLVPN_on_router_SDM_01.gif

  2. Click on SSL VPN, and click the Edit SSL VPN tab.

    config_SSLVPN_on_router_SDM_02.gif

  3. On the Edit SSL VPN screen, click Add.

    config_SSLVPN_on_router_SDM_25.gif

  4. The Add SSL VPN Context dialog box appears. Expand SSL VPN Context, select Group Policies, and click Add. The Add Group Policy dialog box appears.

    config_SSLVPN_on_router_SDM_26.gif

  5. In the Add Group Policy window, enter a name for the new policy, and check the Make this the default group policy for context check box.

    config_SSLVPN_on_router_SDM_27.gif

  6. Click the Clientless tab located at the top of the Add Group Policy dialog box.

    1. Check the Select check box for the desired URL List.

    2. If your customers use Citrix clients that need access to Citrix servers, check the Enable Citrix check box.

    3. Check the Enable CIFS, Read, and Write check boxes.

    4. Click the NBNS Server List drop-down list, and select the NBNS server list that you created for Windows file browsing in the section Configure the Resources Allowed for the Policy Group.

    5. Click OK.

    config_SSLVPN_on_router_SDM_28.gif

  7. In the Add SSL VPN Context window, click SSL VPN Context and enter these values:

    1. Enter a descriptive name for the context.

    2. Click the Associated Gateway drop-down list, and select an associated gateway.

    3. If you intend to create more than one context, enter a unique name in the Domain field to identify this context. If you leave the Domain field blank, users must access the WebVPN with https://IPAddress. If you enter a domain name (for example, Sales), users must connect with https://IPAddress/Sales.

    4. Check the Enable Context check box.

    5. In the Maximum Number of Users field, enter the maximum number of users allowed by the device license.

    6. Click the Default Group policy drop-down list, and select the group policy to associate with this context.

    7. Click OK, and then click OK.

    config_SSLVPN_on_router_SDM_29.gif

Configure the User Database and Authentication Method

You can configure the Clientless SSL VPN (WebVPN) sessions to authenticate with RADIUS, the Cisco AAA Server, or a local database. This example uses a local database.

Follow these steps to configure the user database and authentication method:

  1. Click Configuration, and click Additional Tasks.

    config_SSLVPN_on_router_SDM_01.gif

  2. Expand Router Access, and select User Accounts/View.

    config_SSLVPN_on_router_SDM_31.gif

  3. Click the Add button. The Add an Account dialog box appears.

    config_SSLVPN_on_router_SDM_32.gif

  4. In the Add an Account dialog box, enter these values:

    1. Enter a user name in the Username field.

    2. Enter the password in the New Password field and re-enter it in the Confirm New Password field.

    3. Select the Privilege level for the user from the drop-down menu in the Privilege level field.

      config_SSLVPN_on_router_SDM_33.gif

    4. Click OK.

      config_SSLVPN_on_router_SDM_34.gif

  5. Click Save, and click Yes to accept the changes.
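
For reviewing what SDM delivers to the router, the following is an added example (not part of the original page or SDM output) of an IOS configuration that corresponds to the five sections above. All names, addresses, the max-users value, the privilege level, the AAA list name and the bracketed placeholders are assumptions chosen for illustration.

```ios
! Added example: constructed values, not captured from a real router.
!
! Enable AAA / Configure the User Database: local user database.
! "sslvpn_users" is a hypothetical method-list name.
aaa new-model
aaa authentication login sslvpn_users local
! Privilege 1 is an assumption; the page leaves the level to you.
username vpnuser privilege 1 secret <password-placeholder>
!
! Configure the SSL VPN Gateway: address, HTTP redirect, certificate.
webvpn gateway gateway_1
 ip address 192.0.2.10 port 443
 http-redirect port 80
 ssl trustpoint <trustpoint-placeholder>
 inservice
!
! Context with Domain "Sales", reached at https://192.0.2.10/Sales
webvpn context Sales
 !
 ! URL list shown on the portal (web server and OWA entries)
 url-list "InternalWeb"
   heading "Internal Servers"
   url-text "Intranet" url-value "http://10.10.10.10"
   url-text "OWA" url-value "http://10.10.10.20"
 !
 ! NBNS server list used for Windows file browsing through CIFS
 nbns-list "NBNS-Servers"
   nbns-server 10.10.10.30
 !
 ! Group policy: URL list, NBNS list, CIFS file functions, Citrix.
 ! The file-* lines correspond to the Enable CIFS, Read and Write boxes.
 policy group policy_1
   url-list "InternalWeb"
   nbns-list "NBNS-Servers"
   functions file-access
   functions file-browse
   functions file-entry
   citrix enabled
 default-group-policy policy_1
 aaa authentication list sslvpn_users
 gateway gateway_1 domain Sales
 max-users 10
 inservice
```

After SDM reports a successful delivery, show running-config displays the sections it actually wrote, and show webvpn gateway and show webvpn context report whether each is in service.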





Next Step

You have completed this procedure.

To make further changes to the router, refer to the Router Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You are unable to connect to the router with Security Device Manager (SDM).

Cause(s) and Suggested Solution(s): Refer to Configure Your Router with Security Device Manager.


© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.