Configuring SSL VPN Group Policy
8. Use the Group Policy page to configure the SSL VPN group policies.
NOTE: Up to 32 SSL VPN group policies can be configured on the security appliance.
9. Click Add to add a new SSL VPN group policy.
Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete.
10. In the Basic Settings tab, enter the following information:
• Policy Name: Enter the name for the SSL VPN group policy.
• Primary DNS: Optionally, enter the IP address of the primary DNS server.
• Secondary DNS: Optionally, enter the IP address of the secondary DNS server.
• Primary WINS: Optionally, enter the IP address of the primary WINS server.
• Secondary WINS: Optionally, enter the IP address of the secondary WINS server.
11. In the IE Proxy Settings tab, enter the following information:
The SSL VPN gateway can specify several Microsoft Internet Explorer (MSIE) proxies for client PCs. If these settings are enabled, IE on the client PC is automatically configured with these settings.
• IE Proxy Policy: Choose one of the following options:
– None: Allows the browser to use no proxy settings.
– Auto: Allows the browser to automatically detect the proxy settings.
– Bypass-Local: Allows the browser to bypass the proxy settings that are configured on the remote user.
– Disable: Disables the MSIE proxy settings.
• Address: If you choose Bypass-Local or Auto, enter the IP address or domain name of the MSIE proxy server.
• Port: Enter the port number of the MSIE proxy server.
• IE Proxy Exception: You can specify the exception hosts for IE proxy settings. This option allows the browser to not send traffic for the given hostname or IP address through the proxy. To add an entry, enter the IP address or domain name of an exception host and click Add.
12. In the Split Tunneling Settings area, enter the following information:
Split tunneling permits specific traffic to be carried outside of the SSL VPN tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through the ISP or WAN connection). Tunnel resolution configuration is mutually exclusive. An IP address cannot be both included and excluded at the same time.
• Enable Split Tunneling: By default, all of traffic from the host is directed through the tunnel. Check this box to enable the split tunneling feature so that the tunnel is used only for traffic that is specified by the client routes.
• Split Selection: If you enable split tunneling, choose one of the following options:
– Include Traffic: Allows you to add the client routes on the SSL VPN client so that only traffic to the destination networks can be redirected through the SSL VPN tunnels. To add a client route, enter the destination subnet to which a route is added on the SSL VPN client in the Address field and the subnet mask for the destination network in the Netmask field, and then click Add.
– Exclude Traffic: Allows you to exclude the destination networks on the SSL VPN client. Traffic to the destination networks is redirected using the SSL VPN client’s native network interface (resolved through the ISP or WAN connection). To add a destination subnet, enter the destination subnet to which a route is excluded on the SSL VPN client in the Address field and the subnet mask for the excluded destination in the Netmask field, and then click Add.
NOTE: To exclude the destination networks, make sure that the Exclude Local LANs feature is enabled on the Cisco AnyConnect Secure Mobility clients.
– Exclude Local LANs: If you choose Exclude Traffic, check the box to permit remote users to access their local LANs without passing through VPN tunnel, or uncheck the box to deny remote users to access their local LANs without passing through VPN tunnel.
NOTE: To exclude local LANs, make sure that the Exclude Local LANs feature is enabled on both the SSL VPN server and the Cisco AnyConnect Secure Mobility clients.
• Split DNS: Split DNS can direct DNS packets in clear text over the Internet for domains served through an external DNS (serving your ISP) or through a SSL VPN tunnel to domains served by the corporate DNS. To add a domain for tunneling DNS requests to destinations in the private network, enter the IP address or domain name in the field and click Add. To delete a domain, select it from the list and click Delete.
13. In the Zone-based Firewall Settings area, you can control access from the SSL VPN clients to the zones over the SSL VPN tunnels. Click Permit to permit access, or click Deny to deny access.
NOTE: The VPN firewall rules that are automatically generated by the zone-based firewall settings will be added to the list of firewall rules with the priority higher than the default firewall rules, but lower than the custom firewall rules.