Configure Thin-Client SSL VPN (WebVPN) on a Cisco Router with Security Device Manager
Introduction
This document explains how to configure the Thin-Client SSL VPN
(WebVPN) on a Cisco router. It applies to Cisco 1800, 2800 and 3800
Integrated Services Routers.
Thin-Client SSL VPN technology is used to allow secure access for
applications that use static ports. Thin-Client access can be user-driven,
policy-driven, or both. Access can be configured on a user-by-user basis, or
group policies can be created that include one or more users.
For example, Internet Mail Access Protocol (IMAP) or Simple Mail
Transfer Protocol (SMTP) servers require workstations to run client
applications in order to send and receive e-mail. The Thin-Client feature, also
known as port forwarding, allows a small applet to be downloaded along with the
portal so that a remote workstation can communicate with the intranet
server.
Requirements
To perform the steps described in this document, you need to have these
items:
- You must have completed the Configure Your Router with Security Device Manager document.
- You must have completed the Set Up Internet Security on a Cisco Router document.
- A router that runs an advanced image of Cisco IOS Software Release 12.4(6)T or later and Security Device Manager (SDM) version 2.3.1 or later
- Completed worksheets from the Site Survey:
  - Internet Worksheet
  - LAN Addressing Worksheet
- Requirements for client computers:
  - Remote clients should have local administrative privileges. This is not required, but it is highly suggested.
  - Remote clients must have Java Runtime Environment (JRE) Version 1.4 or higher.
  - Remote client browsers: Internet Explorer 6.0, Netscape 7.1, Mozilla 1.7, Safari 1.2.2, or Firefox 1.0
  - Cookies enabled and pop-ups allowed on remote clients
Configure Thin-Client SSL VPN on a Router
Follow these steps to configure a Thin-Client SSL VPN on your
router:
The SSL VPN gateway provides the IP address and the digital certificate
for the SSL VPN contexts that use it. Follow these steps to configure the SSL
VPN Gateway:
- Open a web browser and type http://router-IP-address in the Address field. Use the IP address that you entered in field L6A of the LAN Addressing Worksheet. Press Enter to launch SDM. For more information about how to launch SDM, refer to Configure your Router with Security Device Manager.
- Click Configure.
- Click VPN.
- On the VPN screen, click SSL VPN.
- On the Create SSL VPN screen, under Prerequisite Tasks, click the Enable AAA link.
- On the Enable AAA warning window, click Yes.
- On the Commands Delivery Status window, click OK.
- Click OK in the Information window.
- On the Create SSL VPN screen, select the radio button next to Create a new SSL VPN and click the Launch the selected task box at the bottom of the screen.
- On the Welcome to the Create SSL VPN Wizard screen, click Next.
- On the IP address and Name wizard, enter these values:
  - In the IP Address field, enter the IP address that the SSL VPN clients use to connect to the SSL VPN Gateway or portal page.
  - In the Name field, enter a descriptive name for the SSL VPN Gateway.
  - In the Domain field, enter your domain name.
  - Click Next.
- On the User Authentication screen, select the radio button Locally on this router and click Add to add a new user.
  Note: You can also use an external Authentication, Authorization, and Accounting (AAA) server. Contact SMB TAC for further assistance.
- In the Add an Account window, enter these values:
  - Enter a user name in the Username field.
  - Enter the password in the New Password field and re-enter it in the Confirm New Password field.
  - Select the privilege level for the user from the drop-down menu in the Privilege level field.
  - Click OK.
- Click Next.
- On the Configure Intranet Websites screen, click Next.
- Uncheck Enable Full Tunnel. Click Next.
- Customize the appearance of the WebVPN portal page or accept the default appearance. Click Next.
- On the Summary of the Configuration screen, click Finish.
- On the Commands Delivery Status window, click OK.
Configure the Thin-Client ports
You have created a WebVPN Gateway and a WebVPN Context with a linked
Group Policy.
Follow these steps to configure the Thin-Client ports, which are made
available when clients connect to the WebVPN:
- Click Configure, and click VPN.
- Click SSL VPN, and click the Create SSL VPN tab.
- On the Create SSL VPN screen, select the radio button next to Configure advance features for an existing SSL VPN and click the Launch the selected task box at the bottom of the screen.
- On the Welcome to the Advance SSL VPN Wizard screen, click Next.
- Choose the SSL VPN context name and user group name from the drop-down menus. Click Next.
- Choose Thin Client (Port Forwarding) and click Next.
- On the Thin Client (Port Forwarding) screen, click Add.
- In the Add Port Forwarding Server window, enter the resources that you want to make available through Port Forwarding. The service port must be a static port, but you can accept the default port on the client PC assigned by the Wizard.
  - In the Server IP Address field, enter the IP address of the email server.
  - In the Server port on which service is listening field, enter port number 25 for Email service.
  - In the description field, enter a descriptive word for the Email service.
  - Click OK.
- Click Next.
- On the Summary of the Configuration screen, click Finish.
- On the Commands Delivery Status window, click OK.
- Click Save, and click Yes to accept the changes.
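One way to review what the two wizards delivered once the steps above are complete (an added example, not Cisco's or SDM's code): the script reads a running-config excerpt and reports port-forward entries that are not on an approved list, together with local accounts whose privilege level is above 1. The excerpt is constructed; the names, addresses and approved set are hypothetical, and the parser assumes the usual IOS layout in which a port-forward list is defined one space deep under `webvpn context` and referenced inside a `policy group`.

```python
import re
# Constructed running-config excerpt (not from the page): names, addresses and
# secrets are placeholders. The second port-forward entry is the unapproved one.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 <hash-placeholder>
username mailuser privilege 1 secret 5 <hash-placeholder>
webvpn gateway gateway_1
webvpn context webvpn
 port-forward "portforward_list_1"
   local-port 3000 remote-server "10.0.0.25" remote-port 25 description "Email"
   local-port 3001 remote-server "10.0.0.30" remote-port 3389 description "Test"
 policy group policy_1
   port-forward "portforward_list_1"
 default-group-policy policy_1
 gateway gateway_1
 inservice
"""

ENTRY = re.compile(r'local-port (\d+) remote-server "([^"]+)" remote-port (\d+)')
NAMED = re.compile(r'(port-forward|policy group) "?([^"\s]+)"?')
USER = re.compile(r"username (\S+) privilege (\d+)")

def audit(config, allowed):
    """Return findings: forwards outside `allowed`, and high-privilege users."""
    lists, used_by, findings = {}, {}, []
    cur_list = cur_group = None
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        named, entry, user = NAMED.match(line), ENTRY.match(line), USER.match(line)
        if user and int(user[2]) > 1:
            findings.append(f"user {user[1]}: privilege {user[2]}")
        elif named and named[1] == "policy group":
            cur_group, cur_list = named[2], None
        elif named and indent == 1:      # list definition under the context
            cur_list = named[2]
            lists[cur_list] = []
        elif named and cur_group:        # list referenced inside a policy group
            used_by.setdefault(named[2], []).append(cur_group)
        elif entry and cur_list:
            lists[cur_list].append((entry[2], int(entry[3])))
    for name, entries in lists.items():
        groups = ",".join(used_by.get(name, [])) or "no policy group"
        for server, port in entries:
            if (server, port) not in allowed:
                findings.append(f"{name}: {server}:{port} not approved ({groups})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, {("10.0.0.25", 25)})))
```

Each finding is a review item rather than a fault: an administrator account may legitimately be privilege 15, but it then also authenticates to the portal when local authentication is selected.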
Next Step
You have completed this procedure.
To make further changes to the router, refer to the Router Support Page.
To configure other devices in your network, refer to the Configuration
Overview Page.
Troubleshoot the Procedure
This section provides information about common problems that you may
encounter. If this information does not solve your problem, contact the
SMB Technical Assistance Center (SMB TAC) for assistance.