Configuring SSL VPN Group Policies

All members of the SSL VPN user group can establish the SSL VPN tunnels based on the specified SSL VPN group policy to access your network resources.

NOTE: Up to 32 SSL VPN group policies can be configured on the security appliance.

 1. Click VPN > SSL Remote User Access > SSL VPN Group Policies.

The SSL VPN Group Policies window opens. The default and custom SSL VPN group policies are listed in the table.

 2. To add a new SSL VPN group policy, click Add.

Other options: To edit an entry, click the Edit (pencil) icon. To delete an entry, click the Delete (x) icon. To delete multiple entries, check them and click Delete. The default SSL VPN group policy (SSLVPNDefaultPolicy) cannot be deleted.

The SSL VPN Group Policy - Add/Edit window opens.

 3. In the Basic Settings tab, enter the following information:

 • Policy Name: Enter the name for the SSL VPN group policy.

 • Primary DNS: Enter the IP address of the primary DNS server.

 • Secondary DNS: Enter the IP address of the secondary DNS server.

 • Primary WINS: Enter the IP address of the primary WINS server.

 • Secondary WINS: Enter the IP address of the secondary WINS server.

 4. In the IE Proxy Settings tab, enter the following information:

The SSL VPN gateway can specify several Microsoft Internet Explorer (MSIE) proxies for client PCs. If these settings are enabled, IE on the client PC is automatically configured with these settings.

 • IE Proxy Policy: Choose one of the following IE proxy policies:

 – None: Allows the browser to use no proxy settings.

 – Auto: Allows the browser to automatically detect the proxy settings.

 – Bypass-Local: Allows the browser to bypass the proxy settings that are configured on the remote user's PC.

 – Disable: Disables the MSIE proxy settings.

 • Address: If you choose Bypass-Local or Auto, enter the IP address or domain name of the MSIE proxy server.

 • Port: Enter the port number of the MSIE proxy server.

 • IE Proxy Exception: You can specify the exception hosts for IE proxy settings. This option allows the browser not to send traffic for the given hostname or IP address through the proxy. To add an entry, enter the IP address or domain name of an exception host and click Add. To delete an entry, select it and click Delete.

 5. In the Split Tunneling Settings area, enter the following information:

Split tunneling permits specific traffic to be carried outside of the SSL VPN tunnel. Traffic is either included (resolved in the tunnel) or excluded (resolved through the ISP or WAN connection). The include and exclude settings are mutually exclusive: an IP address cannot be both included and excluded at the same time.

 • Enable Split Tunneling: By default, all traffic from the host is directed through the VPN tunnel. Check this box to enable the split tunneling feature so that the VPN tunnel is used only for traffic that is specified by the client routes.

 • Split Selection: Choose one of the following options:

 – Include Traffic: Allows you to add the client routes on the SSL VPN client so that only traffic to the destination networks can be redirected through the VPN tunnel. To add a client route, enter the destination subnet to which a route is added on the SSL VPN client in the Address field and the subnet mask for the destination network in the Netmask field, and then click Add.

 – Exclude Traffic: Allows you to exclude the destination networks on the SSL VPN client. Traffic to the destination networks is redirected using the SSL VPN client’s native network interface (resolved through the ISP or WAN connection). To add a destination subnet, enter the destination subnet to which a route is excluded on the SSL VPN client in the Address field and the subnet mask for the excluded destination in the Netmask field, and then click Add.

NOTE: To exclude the destination networks, make sure that the Exclude Local LAN feature is enabled on the Cisco AnyConnect Secure Mobility clients.

 – Exclude Local LAN: If you choose Exclude Traffic, check the box to permit remote users to access their local LANs without passing through the VPN tunnel, or uncheck the box to deny remote users access to their local LANs without passing through the VPN tunnel.

NOTE: To exclude local LANs, make sure that the Exclude Local LAN feature is enabled on both the SSL VPN server and the AnyConnect clients.

 • Split DNS: Split DNS sends DNS queries for domains served by an external DNS server (your ISP's DNS) in clear text over the Internet, and sends queries for domains served by the corporate DNS server through the VPN tunnel.

For example, a DNS query for a host in corporate.com would go through the VPN tunnel to the DNS server that serves the private network, while a query for a host in myfavoritesearch.com would be handled by the ISP's DNS. To use Split DNS, you must also have split tunneling configured.

To add a domain for tunneling packets to destinations in the private network, enter the IP address or domain name in the field and click Add. To delete a domain, select it and click Delete.

 6. In the Zone-based Firewall Settings area, you can control access from the SSL VPN clients to the zones over the VPN tunnels. Click Permit to permit access, or click Deny to deny access.

NOTE: The VPN firewall rules that are automatically generated by the zone-based firewall settings are added to the list of firewall rules with a priority higher than the default firewall rules, but lower than the custom firewall rules.

 7. Click OK to save your settings.

 8. Click Save to apply your settings.
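The split tunneling and Split DNS behaviour described in step 5 can be checked against a policy before it is applied. The following Python is an added example, not the security appliance's own code: it models a group policy as a dictionary (a constructed sample, with hypothetical route and domain values), flags inconsistent settings (overlapping client routes, Split DNS without split tunneling), and decides for a given destination IP or DNS name whether it is resolved in the tunnel or through the ISP/WAN connection.

```python
import ipaddress

# Constructed example policy (illustration only, not from the page): "routes"
# are the client routes added under Include Traffic or Exclude Traffic,
# "split_dns" is the Split DNS domain list.
EXAMPLE_POLICY = {
    "split_tunneling": True,
    "split_selection": "include",   # "include" or "exclude"
    "routes": ["10.0.0.0/8", "192.168.100.0/24"],
    "split_dns": ["corporate.com"],
}

def check_policy(policy):
    """Return a list of configuration problems (empty when consistent)."""
    problems, nets = [], []
    for r in policy.get("routes", []):
        try:
            nets.append(ipaddress.ip_network(r, strict=False))
        except ValueError:
            problems.append(f"invalid client route {r!r}")
    # Overlapping client routes are redundant and make the intent ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"routes {a} and {b} overlap")
    # Split DNS only takes effect when split tunneling is enabled.
    if policy.get("split_dns") and not policy.get("split_tunneling"):
        problems.append("Split DNS requires split tunneling to be enabled")
    return problems

def route_for(policy, dst):
    """Return 'tunnel' or 'native' for traffic to the destination IP dst."""
    if not policy["split_tunneling"]:
        return "tunnel"   # default: all host traffic goes through the VPN
    ip = ipaddress.ip_address(dst)
    matched = any(ip in ipaddress.ip_network(r, strict=False) for r in policy["routes"])
    if policy["split_selection"] == "include":
        return "tunnel" if matched else "native"
    return "native" if matched else "tunnel"   # Exclude Traffic semantics

def dns_for(policy, qname):
    """Return 'corporate' or 'isp' for the DNS server that handles qname."""
    name = qname.rstrip(".").lower()
    if not policy["split_tunneling"]:
        return "corporate"
    for domain in policy["split_dns"]:
        d = domain.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return "corporate"   # resolved in the tunnel by the private DNS
    return "isp"
```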