SSL VPN

The SSL VPN feature or WebVPN provides support in the Cisco IOS software for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL)-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure VPN tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support. SSL VPN delivers three modes of SSL VPN access: clientless, thin-client, and full-tunnel client support.

This document is primarily for system administrators. If you are a remote user, see the document“SSL VPN Remote User Guide”.

Note

The Cisco AnyConnect VPN Client is introduced in Cisco IOS Release 12.4(15)T. This feature is the next-generation SSL VPN Client. If you are using Cisco software earlier than Cisco IOS Release 12.4(15)T, you should be using the SSL VPN Client and use the GUI for the SSL VPN Client when you are web browsing. However, if you are using Cisco Release 12.4(15)T or a later release, you should be using the Cisco AnyConnect VPN Client and use the GUI for Cisco AnyConnect VPN Client when you are web browsing.

Note

Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for SSL VPN

To securely access resources on a private network behind an SSL VPN gateway, the remote user of an SSL VPN service must have the following:

An account (login name and password)
An SSL-enabled browser (for example, Internet Explorer, Netscape, Mozilla, or Firefox)
Operating system support
“Thin-client” support used for TCP port-forwarding applications requires administrative privileges on the computer of the remote user.
“Tunnel mode” for Cisco SSL VPN requires administrative privileges for initial installation of the full-tunnel client.
The remote user must have local administrative privileges to use thin-client or full-tunnel client features.
The SSL VPN gateway and context configuration must be completed before a remote user can access resources on a private network behind an SSL VPN. For more information, see the “How to Configure SSL VPN Services on a Router” section.
Access control list (ACL) Support—The time range should have already been configured.
Single SignOn Netegrity Cookie Support—A Cisco plug-in must be installed on a Netegrity SiteMinder server.
Licensing—In Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A valid license is required for a successful SSL VPN session.

SSL VPN-supported browser—The following browsers have been verified for SSL VPN. Other browsers might not fully support SSL VPN features.

Note

Later versions of the following browsers are also supported.

Firefox 2.0 (Windows and Linux)
Internet Explorer 6.0 or 7.0
Linux (Redhat RHEL 3.0 +, FEDORA 5, or FEDORA 6)
Macintosh OS X 10.4.6
Microsoft Windows 2000, Windows XP, or Windows Vista
Safari 2.0.3

Restrictions for SSL VPN

General Restrictions for SSL VPN

URLs referred by the Macromedia Flash player cannot be modified for secure retrieval by the SSL VPN gateway.
Cisco Secure Desktop (CSD) 3.1 and later versions are not supported.
MS Silverlight Plugin is not supported.

PKI AAA Authorization Using the Entire Subject Name

Some AAA servers limit the length of the username (for example, to 64 characters). As a result, the entire certificate subject name cannot be longer than the limitation of the server.
Some AAA servers limit the available character set that may be used for the username (for example, a space [ ] and an equal sign [=] may not be acceptable). This functionality will not work for a AAA server having such a character-set limitation.
The subject-name command in the trust point configuration may not always be the final AAA subject name. If the fully qualified domain name (FQDN), serial number, or IP address of the router are included in a certificate request, the subject name field of the issued certificate will also have these components. To turn off the components, use the fqdn , serial-number , and ip-address commands with the none keyword.
Certificate Authority (CA) servers sometimes change the requested subject name field when they issue a certificate. For example, CA servers of some vendors switch the relative distinguished names (RDNs) in the requested subject names to the following order: CN, OU, O, L, ST, and C. However, another CA server might append the configured Lightweight Directory Access Protocol (LDAP) directory root (for example, O=cisco.com) to the end of the requested subject name.
Depending on the tools you choose for displaying a certificate, the printed order of the RDNs in the subject name could be different. Cisco IOS software always displays the least significant RDN first, but other software, such as Open Source Secure Socket Layer (OpenSSL), does the opposite. Therefore, if you are configuring a AAA server with a full DN (subject name) as the corresponding username, ensure that the Cisco IOS software style (that is, with the least-significant RDN first) is used.

Cisco AnyConnect VPN Client

The Cisco AnyConnect VPN Client is not supported on Windows Mobile when the client connects to a Cisco IOS headend router (supported in Cisco IOS Release 15.0(1)M and later releases). The Cisco AnyConnect VPN Client does not support the following:

Client-side authentication (supported in Cisco IOS Release 15.0(1)M and later releases)
Compression support
IPsec
IPv6 VPN access
Localization
Sequencing
Standalone mode (supported in Cisco IOS Release 12.4(20)T and later releases)

Thin-Client Control List Support

Although there is no limitation on the maximum number of filtering rules that can be applied for each ACL entry, keeping the number below 50 should have no impact on router performance.

HTTP Proxy

The HTTP Proxy feature works only with Microsoft Internet Explorer.

The HTTP Proxy feature will not work if the browser proxy setup cannot be modified because of any security policies that have been placed on the client workstation.

Lightweight Directory Access Protocol

SSL VPN supports Lightweight Directory Access Protocol (LDAP) authentication.

Features Not Supported on the Cisco IOS SSL VPN

The following features are not supported on the Cisco IOS SSL VPN:

Application Profile Customization Framework (APCF): an XML-based rule set for clientless SSL VPN
Cisco Unified Communications Manager (Cisco UCM) 8.0.1 VPN-enabled 7900 series IP phones
Dynamic Access Policies (DAP)
Java and ActiveX Client Server Plugins
On Board Built-in Single Sign On
Portal Page Customization
SharePoint Support
Smart Tunnels
Support for External Statistics Reporting and Monitoring Tools
Using Smartcard for Authentication (supported in Cisco IOS Release 15.0(1)M and later releases)
The following features were introduced in the AnyConnect 2.5.217 release:
- AnyConnect Profile Editor
- Captive Portal Hotspot Detection
- Captive Portal Remediation
- Client Firewall with Local Printer and Tethered Device Support
- Connect Failure Policy
- Optimal Gateway Selection
- Post Log-in Always-on VPN
- Quarantine

Note

The features introduced in AnyConnect 2.5 are not supported although you can connect to a Cisco IOS headend using AnyConnect 2.5. However, features introduced in AnyConnect 2.4 and earlier releases are supported when you are connected to a Cisco IOS headend using AnyConnect 2.5 or AnyConnect 3.0.

Information About SSL VPN

SSL VPN Overview

Cisco IOS SSL VPN provides SSL VPN remote-access connectivity from almost any Internet-enabled location using only a web browser that locally supports SSL encryption. This feature allows your company to extend access to any authorized user/corporate resources to its secure enterprise network by providing remote-access connectivity from any Internet-enabled location.

Cisco IOS SSL VPN can also support access from noncorporate-owned machines, including home computers, Internet kiosks, and wireless hot spots. These locations are difficult places to deploy and manage VPN client software and the remote configuration required to support IPsec VPN connections.

The figure below shows how a mobile worker (For example, a lawyer at the courthouse) can access protected resources from a main office and its branch offices. Site-to-site IPsec connectivity between the main and remote sites is unaltered. The mobile worker needs only Internet access and supported software (web browser and operating system) to securely access the corporate network.

SSL VPN delivers the following modes of SSL VPN access:

Clientless—Clientless mode provides secure access to private web resources and will provide access to web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
Thin client (port-forwarding Java applet)—Thin-client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access protocol (IMAP), Telnet, and Secure Shell (SSH).
Tunnel mode—Full-tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network layer access to virtually any application.

Note

SSL VPN will not work if ip http secure-server is enabled.

SSL VPN application accessibility is somewhat constrained relative to IPsec VPNs; however, SSL-based VPNs provide access to a growing set of common software applications, including web page access, web-enabled services such as file access, e-mail, and TCP-based applications (by way of a downloadable thin-client applet). SSL-based VPN requires slight changes to user workflow because some applications are presented through a web browser interface, not through their native GUI. The advantage for SSL VPN comes from accessibility from almost any Internet-connected system without the need to install additional desktop software.

Licensing

SSL VPN supports the following types of licenses:

Permanent licenses—No usage period is associated with these licenses. All permanent licenses are node locked and validated during installation and usage.
Evaluation licenses—These are metered licenses that are valid for a limited period. The usage period of a license is based on a system clock. The evaluation licenses are built into the image and are not node locked. The evaluation licenses are used only when there are no permanent, extension or grace period licenses available for a feature. An end-user license agreement (EULA) has to be accepted before using an evaluation license.
Extension licenses—Extension licenses are node-locked metered licenses. These licenses are installed using the management interfaces on the device. A EULA has to be accepted as part of installation.
Grace-rehost licenses—Grace period licenses are node locked metered licenses. These licenses are installed on the device as part of the rehost operation. A EULA has to be accepted as a part of the rehost operation.

For all the license types, except the evaluation license, a EULA has to be accepted during the license installation. This means that all the license types except the evaluation license are activated after installation. In the case of an evaluation license, a EULA is presented during an SSL VPN policy configuration or an SSL VPN profile configuration.

An SSL VPN session corresponds to a successful login of a user to the SSL VPN service. An SSL VPN session is created when a valid license is installed and the user credentials are successfully validated. On a successful user validation, a request is made to the licensing module to get a seat. An SSL VPN session is created only when the request is successful. If a valid license is not installed, the SSL VPN policy configuration and SSL VPN profile configuration can be successful, but the user cannot log in successfully. When multiple policies and profiles are configured, the total number of sessions are equal to the total sessions allowed by the license. A seat count is released when a session is deleted. A session is deleted because of reasons such as log out by the user, session idle timeout or Dead Peer Detection (DPD) failure.

Note

Rarely a few sessions which do not have active connections may appear to be consuming licenses. This typically denotes that this is a transition state and the session will get expired soon.

The same user can create multiple sessions and for each session a seat count is reserved. The seat reservation does not happen in the following cases:

Full-tunnel session creation from a browser session.
Full-tunnel session is up and a crypto rekey is done.

When the total active sessions are equal to the maximum license count of the current active license, no more new sessions are allowed.

The reserved seat count or session is released when the following occurs:

a user logs out.
a DPD failure happens.
a session timeout occurs.
an idle timeout occurs.
a session is cleared administratively using the clear webvpn session command.
a user is disconnected from the tunnel.
a profile is removed even when there are active sessions.

You can use the show webvpn license command to display the available count and the current usage. To display the current license type and time period left in case of a nonpermanent license, use the show license command. To get information related to license operations, events, and errors, use the debug webvpn license command.

New Cisco IOS SSL VPN licenses that are generated are cumulative. Therefore the old licenses become inactive when a new license is applied. For example, when you are upgrading your license from 10 counts to 20 counts (an increase of 10 counts on the current 10 counts), Cisco provides a single 20 count license. The old license for 10 counts is not required when a permanent license for a higher count is available. However, the old license will exist in an inactive state as there is no reliable method to clear the old license.

Licensing in Cisco IOS Release 15.x

Starting in Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on the Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A license count is associated with each license, and the count indicates the instances of the feature available for use in the system. In the case of SSL VPN, a seat refers to the maximum number of sessions allowed at a time.

You can get the license at http://www.cisco.com/go/license.

For instructions on installing a license using Cisco License Manager (CLM), see the User Guide for Cisco License Manager, Release 2.2 at http://www.cisco.com/en/US/docs/net_mgmt/license_manager/lm_2_2/2.2_user_guide/clm_book.html.

For instructions on installing a license using Cisco CLI, see the “Cisco IOS Software Activation Tasks and Commands” chapter of the Software Activation Configuration Guide at http://www.cisco.com/en/US/docs/ios/csa/configuration/guide/csa_commands_ps6441_TSD_Products_Configuration_Guide_Chapter.html.

For migrating from any Cisco IOS 12.4T release to Cisco IOS 15.x release, use the license migration tool at https://tools.cisco.com/SWIFT/Licensing/LicenseAdminServlet/migrateLicense.

In Cisco IOS Release 15.1(4)M1 and later releases, a Crypto Export Restrictions Manager (CERM) license is reserved only after the user logs in. If you have an Integrated Services Router Generation 2 (ISR G2) router with a CERM license, you must upgrade to Cisco IOS Release 15.1(4)M1 or later releases. Before Cisco IOS Release 15.1(4)M1, a CERM license is reserved for every SSL or Transport Layer Security (TLS) session.

Modes of Remote Access

Remote Access Overview

End-user login and authentication is performed by the web browser to a secure gateway using an HTTP request. This process creates a session that is referenced by a cookie. After authentication, the remote user is shown a portal page that allows access to the SSL VPN networks. All requests sent by the browser include the authentication cookie. The portal page provides all the resources available on the internal networks. For example, the portal page could provide a link to allow the remote user to download and install a thin-client Java applet (for TCP port forwarding) or a tunneling client.

Clientless Mode

In a clientless mode, the remote user accesses the internal or corporate network using the web browser on the client machine. The PC of the remote user must run the Windows 2000, Windows XP or Linux operating systems.

The following applications are supported in a clientless mode:

Web browsing (using HTTP and HTTPS)—provides a URL box and a list of web server links in the portal page that allows the remote user to browse the web.
File sharing [using common Internet file system (CIFS)]—provides a list of file server links in the portal page that allows the remote user to do the following operations:
- Browse a network (listing of domains)
- Browse a domain (listing of servers)
- Browse a server (listing of shares)
- List the files in a share
- Create a new file
- Create a directory
- Rename a directory
- Update a file
- Download a file
- Remove a file
- Rename a file

Note

Linux requires that the Samba application is installed before CIFS file shares can be remotely accessed.

Web-based e-mail, such as Microsoft Outlook Web Access (OWA) 2003 (using HTTP and HTTPS) with Web Distributed Authoring and Versioning (WebDAV) extensions—provides a link that allows the remote user to connect to the exchange server and read web-based e-mail.

Thin-Client Mode

Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the portal page, or the Java applet is downloaded automatically (see the Options for Configuring HTTP Proxy and the Portal Page and Options for Configuring HTTP Proxy and the Portal Page section). The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway.

The applications that are supported in thin-client mode are mainly e-mail-based (SMTP, POP3, and Internet Map Access Protocol version 4 [IMAP4]) applications.

Note

The TCP port-forwarding proxy works only with the Sun Microsystems Java Runtime Environment (JRE) version 1.4 or later versions. A Java applet is loaded through the browser that verifies the JRE version. The Java applet will refuse to run if a compatible JRE version is not detected.

The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The name and port number of the internal e-mail server is included in the HTTP request (POST or CONNECT). The SSL VPN gateway creates a TCP connection to that internal e-mail server and port.

The Java applet starts a new SSL connection for every client connection.

You should observe the following restrictions when using thin-client mode:

The remote user must allow the Java applet to download and install.
You cannot use thin-client mode for applications such as FTP, where the ports are negotiated dynamically. You can use TCP port forwarding only with static ports.

Note

There is a known compatibility issue with the encryption type and Java. If the Java port-forwarding applet does not download properly and the configuration line ssl encryption 3des-sha1 aes-sha1 is present, you should remove the line from the WebVPN gateway subconfiguration.

Options for Configuring HTTP Proxy and the Portal Page

Effective with Cisco IOS Release 12.4(11)T, administrators have more options for configuring the HTTP proxy and the portal page. If HTTP proxy is enabled, the Java applet acts as the proxy for the browser of the user, thereby connecting the client workstation with the gateway. The home page of the user (as defined by the user group) is opened automatically or, if configured by the administrator, the user is directed to a new website.

HTTP proxy supports both HTTP and HTTPS.

Benefits of Configuring HTTP Proxy

HTTP supports all client-side web technologies (including HTML, Cascading Style Sheets [CSS], JavaScript, VBScript, ActiveX, Java, and flash), HTTP Digest authentication, and client certificate authentication. Remote users can use their own bookmarks, and there is no limit on cookies. Because there is no mangling involved and the client can cache the objects, performance is much improved over previous options for configuring the HTTP proxy and portal page.

Illustrations of Port Forwarding with and Without an HTTP Proxy Configuration

The figure below illustrates TCP port forwarding without HTTP proxy configured.

Figure 2. TCP Port Forwarding Without HTTP Proxy Configured

In the figure above, the following steps occur:

User downloads the proxy applet.
Applet updates the registry to add HTTP as a Remote Procedure Call (RPC) transport.
Applet examines the registry to determine the exchange (and local catalog) server and create server entries that refer to those servers.
Applet opens local port 80 and listens for connections.
User starts Outlook, and Outlook connects to 10.0.0.254:80.
Applet opens a connection to the secure gateway and delivers the requests from Outlook.
Secure gateway examines the requests to determine the endpoint exchange server.
Data flows from Outlook, through the applet and the secure gateway, to the exchange server.
User terminates Outlook.
User closes the applet. Before closing, the applet undoes configuration Steps 3 and 4.

The figure below illustrates TCP port forwarding when HTTP proxy is configured.

In the figure above, the following steps occur:

Proxy applet is downloaded automatically.
Applet saves the original proxy configuration of the browser.
Applet updates the proxy configuration of the browser to be the local loopback address with an available local port (by default, port 8080).
Applet opens the available local port and listens for connections.
Applet, if so configured, opens the home page of the user, or the user browses to a new website.
Applet accepts and looks at the HTTP or HTTPS request to determine the destination web server.
Applet opens a connection to the secure gateway and delivers the requests from the browser.
Secure gateway examines the requests to determine the endpoint web server.
Data flows from the browser, through the applet and the secure gateway, to the web server.
User closes applet. Before closing, the applet undoes configuration Steps 2 and 3.

Note

HTTP proxy can also be enabled on an authentication, authorization, and accounting (AAA) server. See the table SSL VPN RADIUS Attribute-Value Pairs in the Configuring RADIUS Attribute Support for SSL VPN section (port-forward-http-proxy and port-forward-http-proxy-url attributes).

Tunnel Mode

In a typical clientless remote access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer. Therefore, tunnel mode supports most IP-based applications. Tunnel mode supports many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, Lotus Notes E-mail, and Telnet).

The tunnel connection is determined by the group policy configuration. The Cisco AnyConnect VPN Client is downloaded and installed on the remote user PC, and the tunnel connection is established when the remote user logs into the SSL VPN gateway.

By default, the Cisco AnyConnect VPN Client is removed from the client PC after the connection is closed. However, you have the option to keep the Cisco AnyConnect VPN Client installed on the client PC.

SSL VPN Features

Access Control Enhancements

Effective with Cisco IOS Release 12.4(20)T, administrators can configure automatic authentication and authorization for users. Users provide their usernames and passwords via the gateway page URL and do not have to reenter their usernames and passwords from the login page. Authorization is enhanced to support more generic authorization, including local authorization. In previous releases, only RADIUS authorization was supported.

For information about configuring this feature, see the “Configuring Automatic Authentication and Authorization” section.

SSL VPN Client-Side Certificate-Based Authentication

This feature enables SSL VPN to authenticate clients based on the client’s AAA username and password and also supports WebVPN gateway authentication of clients using AAA certificates.

SSL VPN Client-Side Certificate-Based Authentication feature includes the following features:

Certificate-Only Authentication and Authorization Mode

Certificate-only authorization requires the user to provide a authentication, authorization, and accounting (AAA) authentication certificate as part of the WebVPN request, but does not require the username and password for authorization. The user requests WebVPN access with the AAA authentication certificate from the WebVPN gateway. The WebVPN gateway validates the identity of the client using the AAA authentication certificate presented to it. The WebVPN extracts the username from the AAA authentication certificate presented to it and uses it as the username in the AAA request. AAA authentication and AAA authorization are then completed with a hard-coded password. To configure certificate-only authorization use the authentication certificate command.

Users also need to configure public key infrastructure (PKI) AAA authorization using the entire subject name to retrieve the user name from the subject name in the certificate and use it for authorization. When using PKI AAA functionality, users sometimes have attribute-value (AV) pairs that are different from those of every other user. As a result, a unique username is required for each user. The PKI AAA authorization using the entire subject name provides users with the ability to query the AAA server using the entire subject name from the certificate as a unique AAA username.

Users should ensure that the AAA username being used by the device is the same as the username on the AAA server. Users can use the debug crypto pki transactions command to see which username is being used by the device.

Two-Factor Authentication and Authorization Mode

Two-factor authorization requires the user to request WebVPN access and present a AAA authentication certificate. The AAA authentication certificate is validated and the client’s identity is verified. The WebVPN gateway then presents the login page to the user. The user enters their username and password and WebVPN sends AAA authentication and AAA authorization requests to the AAA server. The AAA authentication list and the AAA authorization lists configured on the server are then used for authentication and authorization. To configure two-factor authentication and authorization mode use the authentication certificate aaa command.

Note

If the username-prefill command is configured, the username textbox on the login page will be disabled. The user will be asked only for their password on the login page.

Identification of WebVPN Context at Runtime Using Certificate Map Match Rules

Certificate map match rules are used by SSL VPN to identify the WebVPN context at runtime. The WebVPN context is required for AAA authentication and authorization mode and trustpoint configuration. When the user does not provide the WebVPN context, the identification of the WebVPN context at runtime is possible using certificate map matching by matching the certificate presented by the client with the certificate map match rules. To configure certificate map matching in WebVPN use the match-certificate command.

Support for AnyConnect Client to Implement Certificate Matching Based on Client Profile Attributes

Cisco AnyConnect client has certificate match functionality allowing it to select a suitable certificate while initiating tunnel connection with SSL VPN. In the case of standalone mode, the certificate selection is made based on the certificate match. When selecting a certificate, Cisco AnyConnect client can select the appropriate certificate based on the AnyConnect client profile attributes. This requires SSL VPN to support AnyConnect client profiles. The profile file is imported after modification by the administrator using the svc profile command. To create an AnyConnect client profile use the template that appears after installing Cisco AnyConnect in this location: \Documents and Settings\All Users\Application Data\Cisco\ CiscoAnyConnectVPNClient\Profile\AnyConnectProfile.tmpl.

Note

When an AnyConnect client profile is modified and is uploaded to the router with the same name, the profile on the client is not updated unless the cache is cleared/reset by re-applying the crypto vpn anyconnect profile SSL flash:/SSL.xml command.

The following are the certificate match types available with Cisco AnyConnect client:

Certificate Key Usage Matching

Certificate key usage matching offers a set of constraints based on the broad types of operations that can be performed with a given certificate.

Extended Certificate Key Usage Matching

This matching allows an administrator to limit the certificates that can be used by the client based on the Extended Key Usage fields.

Certificate Distinguished Name Mapping

This certificate matching capability allows an administrator to limit the certificates that can be used by the client to those matching the specified criteria and criteria match conditions. This includes the ability to specify that a certificate must or must not have a specified string and also if wild carding for the string should be allowed.

AnyConnect Client Support

Effective with Cisco IOS Release 12.4(20)T, AnyConnect Client support is added for several client-side platforms, such as Microsoft Windows, Apple-Mac, and Linux. The ability to install AnyConnect in a standalone mode is also added. In addition, the Release 12.4(20)T allows you to install multiple AnyConnect VPN client packages to a gateway. For information on configuring multiple packages, see the “Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files” section.

Note

The IOS WebVPN gateway can randomly generate syslog and debug errors when an AnyConnect connection is established. You can ignore these errors as the client is able to connect and send or receive data traffic successfully.

Application ACL Support

Effective with Cisco IOS Release 12.4(11)T, the Application ACL Support feature provides administrators with the flexibility to fine-tune access control at the application layer level, for example, on the basis of a URL.

For information about configuring this feature, see the “Configuring ACL Rules” section, and “Associating an ACL Attribute with a Policy Group” section.

Automatic Applet Download

Effective with Cisco IOS Release 12.4(9)T, administrators have the option of automatically downloading the port-forwarding Java applet. The Automatic Applet Download feature must be configured on a group policy basis.

Note

Users still have to allow the Java applet to be downloaded. The dialog box appears, asking for permission.

To configure the automatic download, see the “Configuring an SSL VPN Policy Group” section.

Backend HTTP Proxy

The Backend HTTP Proxy feature, added in Cisco IOS Release 12.4(20)T, allows administrators to route user requests through a backend HTTP proxy, providing more flexibility and control than routing requests through internal web servers. This feature adds the following new AAA attributes:


http-proxy-server
http-proxy-server-port

For information about configuring this feature, see the “Configuring a Backend HTTP Proxy” section.

Front-Door VRF Support

Effective with Cisco IOS Release 12.4(15)T, front-door virtual routing and forwarding (FVRF) support, coupled with the already supported internal virtual routing and forwarding (IVRF), provides for increased security. The feature allows the SSL VPN gateway to be fully integrated into a Multiprotocol Label Switching (MPLS) or non-MPLS network (wherever the VRFs are deployed). The virtual gateway can be placed into a VRF that is separate from the Internet to avoid internal MPLS and IP network exposure. This placement reduces the vulnerability of the router by separating the Internet routes or the global routing table. Clients can now reach the gateway by way of the FVRF, which can be separate from the global VRF. The backend, or IVRF, functionality remains the same.

This FVRF feature provides for overlapping IP addresses.

The figure below is a scenario in which FVRF has been applied.

Figure 4. Scenario in Which FVRF Has Been Applied

To configure FVRF, see the “Configuring FVRF” section.

Full-Tunnel Cisco Express Forwarding Support

Effective with Cisco IOS Release 12.4(20)T, Full-Tunnel Cisco Express Forwarding support is added for better throughput performance than in earlier releases. This feature is enabled by default. To turn off full-tunnel Cisco Express Forwarding support, use the no webvpn cef command.

Note

To take full advantage of Cisco Express Forwarding support, the hardware crypto engine is required.

For sample output showing Cisco Express Forwarding-processed packets, see the Example Cisco Express Forwarding-Processed Packets.

Network Address Translation (NAT) configuration is sometimes used to forward TCP port 443 traffic destined to the WAN interface of a router through an internal webserver.

There are two methods of implementing Cisco IOS SSL VPN on a preexisting NAT configuration. The Cisco-recommended method is to use the WebVPN gateway IP address as the secondary address on the WAN interface. This method helps improve the WebVPN throughput performance. The following is a sample configuration of the recommended method on Cisco IOS SSL VPN:


interface GigabitEthernet 0/0
  ip address 10.1.1.1 255.255.255.0
  ip address 10.1.1.2 255.255.255.0 secondary !
webvpn gateway ssl_vpn
  ip address 10.1.1.2 port 443

In the second method the WebVPN gateway uses a private IP address configured on a loopback interface and performs a NAT operation to convert the private IP address to a publically routable address. The following configuration is not supported on Cisco IOS SSL VPN because this configuration causes packets to become process-switched instead of being Cisco Express Forwarding-switched:


interface Loopback 10
  ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet 0/0
  description WAN interface
  ip address 10.1.1.1 255.0.0.0
!
ip nat inside source static 192.0.2.1 10.1.1.2 !
webvpn gateway ssl_vpn
  ip address 192.0.2.1 port 443

GUI Enhancements

In Cisco IOS Release 12.4(15)T, ergonomic improvements are made to the GUI of the Cisco IOS SSL VPN gateway. The improved customization of the user interface provides for greater flexibility and the ability to tailor portal pages for individualized views. Enhancements are made to the following web screens:

Login Screen

The figure below is an example of a typical login screen.

Note

The maximum length of the password is 32 characters.

Banner

The banner is a small popup box that appears before the portal page displays and after a user is logged in.

The message in the popup box is configured using the banner command.

Customization of a Login Page

For information about setting various elements of the login page, see also Cisco IOS Security Command Reference: Commands A to C, Cisco IOS Security Command Reference: Commands D to L, and Cisco IOS Security Command Reference: Commands S to Zfor the color , logo , login-message , login-photo , secondary-color , text-color , title , title-color , and text-color commands.

Figure 7. Login Page with Callouts of the Fields that can be Customized

Portal Page

The portal page (see the figure below) is the main page for the SSL VPN functionality. You can customize this page to contain the following:

Custom logo (the default is the Cisco bridge logo)
Custom title (the default is “WebVPN Services”)
Custom banner (the default is an empty string)
Custom colors (the default is a combination of white and greens)
List of web server links (customizable)

Note

The Bookmark links are listed under the Personal folder, and the server links are listed under Network File in the figure below.

URL entry box (may be present or can be hidden using the hide-url-bar command)
Thin Client link (may or may not be present)

Note

The Application Access box allows you to download and install the Tunnel Connection and Thin Client Application.

Links for Help, Home (that is, the portal page), and Logout

Items that you have not configured are not displayed on the portal page.

Note

E-mail access is supported by thin-client mode, which is downloaded using the Thin Client link.

The figure below is an example of a WebVPN portal page.

Note

Time to redirect to the home page is displayed on the WebVPN portal page if you have configured the home page redirect time using the webvpn-homepage command. See the Cisco IOS Security Command Reference: Commands S to Z for information about the webvpn-homepage command. You can click the “Click here to stop homepage redirection” link to stop redirection.

Customization of a Portal Page

Portal pages can be customized by an administrator. The following figure shows various fields, including the fields that can be customized by an administrator. The fields that can be customized by an administrator are as follows:

Title
Logo
Secondary color
Administrator-defined bookmarks
Color

Figure 9. Portal Page with Callouts of Various Fields, Including Those That Can Be customized

The table below provides information about various fields on the portal page. For information about setting elements such as color or titles, see command information in the Cisco IOS Security Command Reference: Commands A to C, Cisco IOS Security Command Reference: Commands D to L,Cisco IOS Security Command Reference: Commands M to R, and Cisco IOS Security Command Reference: Commands S to Z for the color , functions , hide-url-bar , logo , port-forward , title , title-color , secondary-color , secondary-text-color , and url-list commands.

Table 1. Information About Fields on the Portal Page
Field	Description
User-level bookmark add icon	When a user selects this icon, a dialog box is added so that a new bookmark can be added to the Personal folder.
Network File location bar	Allows a user to enter the file server here. The functions file-access and functions file-entry commands must be configured for the input box to display.
Header	Shares the same color value as the title.
Last login	Time stamp of the last login.
Browse network	Allows a user to browse the file network. The functions file-access and functions file-browse commands must be configured for the icon to appear.
Tunnel Connection	Allows a user to choose when to start the tunnel connection by configuring the functions svc-enabled command.
Port forwarding	Downloads the applet and starts port forwarding.
User-level bookmark edit icon	Allows a user to edit or delete an existing bookmark.
User-level bookmarks	Allows a user to add a bookmark by using the plus icon on the bookmark panel or toolbar. See the document “SSL VPN Remote User Guide” for information about the toolbar. A new window displays when the link is clicked.
Administrator-defined bookmarks	Does not allow a user to edit an administrator-defined URL lists.
URL address bar	A new window displays when a user selects Go.

Internationalization

The Internationalization feature provides multilanguage support for messages initiated by the headend for SSL VPN clients, such as Cisco Secure Desktop (CSD) and SSL VPN Client (SVC). With the Internationalization feature, administrators can import their own attribute files in an XML format so that other languages can be imported using an editor that supports multilanguages.

The figure below shows a portal page in English. Users can select any language you have imported for certain SSL VPN web pages (login message, title page, and URL lists).

The figure below shows that an administrator has imported files in Japanese; a user has selected Japanese as the language for certain SSL VPN web pages (login message, title, and URL lists).

For information about configuring this feature, see the “Configuring Internationalization” section. For examples relating to this feature, see the “Examples Internationalization” section.

Max-User Limit Message

A “Max user limit reached” message displays when a user logs in to a Web VPN context that has already reached the maximum users limit.

Netegrity Cookie-Based Single SignOn Support

The Netegrity SiteMinder product provides a Single SignOn feature that allows a user to log in a single time for various web applications. In this feature, a cookie is set in your browser for the first time when you are prompted to log in so that only a one-time login is required to access various web applications.

Effective with Cisco IOS Release 12.4(11)T, Netegrity cookie-based SSO is integrated with SSL VPN. It allows administrators to configure an SSO server that sets a SiteMinder cookie in a user's browser when the user initially logs in. This cookie is validated by a SiteMinder agent on subsequent user requests to resources that are protected by a SiteMinder realm. The agent decrypts the cookie and verifies user authentication.

For information about configuring SSO Netegrity Cookie Support and associating it with a policy group using the CLI, see the “Configuring SSO Netegrity Cookie Support for a Virtual Context” section and “Associating an SSO Server with a Policy Group” section.

The following example shows that an SSO server can also be associated with a policy group using RADIUS attributes:


webvpn:sso-server-name=server1

For a list of RADIUS attribute-value (AV) pairs that support SSL VPN, see the “Configuring RADIUS Attribute Support for SSL VPN” section.

NTLM Authentication

NT LAN Manager (NTLM) is supported for SSL VPN effective with Cisco IOS Release 12.4(9)T. The feature is configured by default.

RADIUS Accounting

Effective with Cisco IOS Release 12.4(9)T, this feature provides for RADIUS accounting of SSL VPN user sessions.

For information about configuring SSL VPN RADIUS accounting for SSL VPN user sessions, see the “Configuring RADIUS Accounting for SSL VPN User Sessions” section.

For more information about configuring RADIUS accounting, see the “Configuring RADIUS” chapter in the Cisco IOS Security Configuration Guide: Securing User Services.

For a list of RADIUS AV pairs that support SSL VPN, see the “Configuring RADIUS Attribute Support for SSL VPN” section.

Stateless High Availability with Hot Standby Router Protocol

Hot Standby Router Protocol (HSRP) provides high network availability by routing IP traffic from hosts on Ethernet networks without having to rely on the availability of any single router. HSRP is particularly useful for hosts that do not support a router discovery protocol, such as ICMP Router Discovery Protocol (IRDP), and that do not have the functionality to switch to a new router when their selected router reloads or loses power. Without this functionality, a router that loses its default gateway because of a router failure is unable to communicate with the network.

HSRP is configurable on LAN interfaces using standby CLI. It is possible to use the standby IP address from an interface as the local IPsec identity, or local tunnel endpoint.

You can use the standby IP address as the SSL VPN gateway address to apply failover to VPN routers by using HSRP. Remote SSL VPN users connect to the local VPN gateway using the standby address that belongs to the active device in the HSRP group. In the event of a failover, the standby device takes over ownership of the standby IP address and begins to service remote VPN users.

Using the Stateless High Availability with Hot Standby Router Protocol feature, the remote user has to be aware of only the HSRP standby address instead of a list of gateway addresses.

The figure below shows the enhanced HSRP functionality topology. Traffic is serviced by the active Router P, the active device in the standby group. In the event of failover, traffic is diverted to Router S, the original standby device. Router S assumes the role of the new active router and takes ownership of the standby IP address.

Figure 12. Stateless High Availability with HSRP for SSL VPN

For information about configuring Stateless High Availability with HSRP, see the “Configuring Stateless High Availability with HSRP for SSL VPN” on section .

Note

In the case of a failover, HSRP does not facilitate SSL VPN state information transfer between VPN gateways. Without this state transfer, existing SSL VPN sessions with the remote users will be deleted, requiring users to reauthenticate and establish SSL VPN sessions with the new active gateway.

TCP Port Forwarding and Thin Client

Note

The TCP Port Forwarding and Thin Client feature requires the Java Runtime Environment (JRE) version 1.4 or later releases to properly support SSL connections.

Note

Because this feature requires installing JRE and configuring the local clients, and because doing so requires administrator permissions on the local system, it is unlikely that remote users will be able to use applications when they connect from public remote systems.

When the remote user clicks the Start button of the Thin Client Application (under “Application Access), a new window is displayed. This window initiates the downloading of a port-forwarding applet. Another window is then displayed. This window asks the remote user to verify the certificate with which this applet is signed. When the remote user accepts the certificate, the applet starts running, and port-forwarding entries are displayed (see the figure below ). The number of active connections and bytes that are sent and received is also listed on this window.

Note

When remote users launch Thin Client, their system may display a dialog box regarding digital certificates, and this dialog box may appear behind other browser windows. If the remote user connection hangs, tell the remote user to minimize the browser windows to check for this dialog box.

You should have configured IP addresses, Domain Name System (DNS) names, and port numbers for the e-mail servers. The remote user can then launch the e-mail client, which is configured to contact the e-mail servers and send and receive e-mails. POP3, IMAP, and SMTP protocols are supported.

The window attempts to close automatically if the remote user is logged out using JavaScript. If the session terminated and a new port forwarding connection is established, the applet displays an error message.

Caution

Users should always close the Thin Client window when finished using applications by clicking the close icon. Failure to quit the window properly can cause Thin Client or the applications to be disabled. See the “Application Access—Recovering from Hosts File Errors” section in the document SSL VPN Remote User Guide.

The table below lists remote system requirements for Thin Client.

Table 2. SSL VPN Remote System Thin-Client Requirements

Remote User System Requirements

Specifications or Use Suggestions

Client applications installed.

Cookies enabled on browser.

Administrator privileges.

You must be the local administrator on your PC.

Sun Microsystems JRE version 1.4 or later installed.

SSL VPN automatically checks for JRE whenever the remote user starts Thin Client. If it is necessary to install JRE, a popup window displays directing remote users to a site where it is available.

Client applications configured, if necessary.

Note

The Microsoft Outlook client does not require this configuration step.

To configure the client application, use the locally mapped IP address and port number of the server. To find this information, do the following:

Start SSL VPN on the remote system and click the Thin-Client link on the SSL VPN home page. The Thin-Client window is displayed.
In the Name column, find the name of the server that you want to use, and then identify its corresponding client IP address and port number (in the Local column).
Use this IP address and port number to configure the client application. The configuration steps vary for each client application.

Windows XP SP2 patch.

If you are running Windows XP SP2, you must install a patch from Microsoft that is available at the following address:

http://support.microsoft.com/?kbid=884020

This is a known Microsoft issue.

URL Obfuscation

The URL Obfuscation feature provides administrators with the ability to obfuscate, or mask, sensitive portions of an enterprise URL, such as IP addresses, hostnames, or part numbers. For example, if URL masking is configured for a user, the URL in the address bar could have the port and hostname portion obfuscated, as in this example:

https://slvpn-gateway.examplecompany.com/http/cF9HxnBjRmSFEzBWpDtfXfigzL559MQo51Qj/cgi-bin/submit.p

For information about configuring this feature, see the “Associating an SSO Server with a Policy Group” section.

URL Rewrite Splitter

Effective with Cisco IOS Release 12.4(20)T, the URL Rewrite Splitter feature allows administrators to mangle selective URLs. Mangling is a CPU-intensive and time-consuming process, so mangling only selective URLs can result in a savings of memory and time.

For information about configuring this feature, see the “Configuring a URL Rewrite Splitter” section.

User-Level Bookmarking

Effective with Cisco IOS Release 12.4(15)T, users can bookmark URLs while connected through an SSL VPN tunnel. Users can access the bookmarked URLs by clicking the URLs.

User-level bookmarking is turned by default. There is no way to turn it off. To set the storage location, administrators can use the user-profile location command. If the user-profile location command is not configured, the location flash:/webvpn/{context name}/ is used.

Virtual Templates

A virtual template enables SSL VPN to interoperate with IP features such as Network Address Translation (NAT), firewall, and policy-based routing.

For information about configuring this feature, see Configuring a_Virtual_Template section.

License String Support for the 7900 VPN Client

The Cisco IOS SSL VPN accepts license strings from Cisco IP Phones. Cisco IOS VPN concentrators support the VPN license type linksys-phone in order to support the Galactica VPN client on 79x 2 and 79x 5 phones.

In the case of a transformer platform, response to the license message (linksys-phone) will succeed if the license requirements are met. However, an Integrated Services Routers (ISR) router must always respond with a success message so that the Galactica VPN client can attempt to establish a VPN connection.

SSL VPN DVTI Support

The SSL VPN DVTI Support feature adds Dynamic Virtual Tunnel Interface (DVTI) support to the Secure Socket Layer Virtual Private Network (SSL VPN) and hence enables seamless interoperability with IP features such as Firewall, Network Address Translation (NAT), access Control Lists (ACLs), and Virtual Routing and Forwarding (VRF). This feature also provides DVTI support, which allows IP feature configuration on a per-tunnel basis.

SSL VPN provides three modes to access a VPN: clientless, thin client, and full tunnel. The full tunnel mode uses an internal virtual interface to route the traffic to and from the SSL VPN tunnel. Before the SSL VPN DVTI Support feature was introduced, the virtual interface was created during the SSL VPN virtual interface configuration and users were not allowed to apply IP features to the SSL VPN traffic.

The SSL VPN DVTI Support feature uses a virtual template infrastructure to provide DVTI support for SSL VPN. IP features are configured in a virtual template that is associated with the SSL VPN or WebVPN context. The IP features configured in the virtual template are used to create a virtual access interface that is internally used to tunnel SSL VPN traffic. Virtual templates in a WebVPN context are applied in two ways: per-context and per-tunnel.

Note

You can configure any IP feature with SSL VPN. However, in the Cisco IOS Release 15.1(1)T, interoperability has been tested only with the firewall, NAT, ACL, policy-based routing (PBR), and VRF IP features.

The SSL VPN DVTI Support feature contains the following:

Prerequisites for SSL VPN DVTI Support

You must have the IP features configured in a virtual template. See the “Configuring a Virtual Template” section for information on configuring a virtual template.
SSL VPN must be able to fetch configurations from the AAA server.
The SSL VPN gateway and context configurations must be enabled and operational.
If VRF is needed, configure it before creating the virtual template.

Restrictions for SSL VPN DVTI Support

In order for a virtual template to work with SSL VPN, the ip unnumbered command must be configured on the virtual template.

Virtual Template Infrastructure

A generic interface template service is required with features such as stackability, Virtual Private Dialup Network (VPDN), Multilink PPP (MLP), and virtual profiles. Virtual template interface service delivers a generic interface template service. The virtual template interface, command buffer, and virtual access interface functions enables you to populate a virtual-access interface using a pre-defined configuration that is stored in a virtual template interface and security servers such as TACACS+ and RADIUS.

For example, in stackability, a virtual template interface is assigned to a stack group. Whenever a stack member needs a virtual interface, the virtual template interface service is called by a member to obtain a virtual access interface cloned with the same configuration as the configuration of the assigned virtual template interface.

In a virtual profile, the per-user configuration can be stored in a security server. That is, when the user dials in, the desired configuration can be cloned into the virtual access interface associated with the user. The virtual template service provides an application programming interface (API) for a virtual profile to clone a buffer of commands to a virtual access interface. The virtual profile does the actual interaction with the security server.

Note

If you do not configure a virtual template, then the default virtual template (VT0) will be used for cloning the virtual access interface.

SSL VPN Phase-4 Features

The SSL VPN Phase-4 Features feature provides the following enhancements to the Cisco IOS Secure Sockets Layer Virtual Private Network (SSL VPN):

ACL support for split tunneling
IP mask for IP pool address assignment
Undoing the renaming of AnyConnect or SSL VPN Client (SVC) Full Tunnel Cisco package during installation on a Cisco IOS router
Adding per-user SSL VPN session statistics
"Start before logon" option for the Cisco IOS SSL VPN headend

The SSL VPN Phase-4 features contains the following:

Prerequisites for SSL VPN Phase-4 Features

You must use a valid K9 image to configure the SSL VPN Phase-4 Features.

Full Tunnel Package

When you install the AnyConnect or SVC full tunnel package using the crypto vpn command on the Cisco IOS headend, the package name gets renamed to svc_pkg_<number>. This renaming omits package information and Base Station Ethernet (BSE) operating system information, and thus makes you difficult to remove or uninstall the package. This functionality was modified in Cisco IOS Release 15.1(1)T to retain the name during installation of the package.

The limit on the filename size on the Cisco IOS file system (IFS) is 120 bytes. Unless the package name is greater than this limit, the package name does not change. If the filename exceeds this limit, then the installation fails. The following error message is displayed on the router console:

Error: Package name exceeds 120 characters

SSL VPN per-User Statistics

Per-user statistics functionality provides an option to filter the cumulative statistics on a per-user basis for the Cisco IOS SSL VPN sessions. Use the show webvpn session user command to enable this functionality. This command is applicable only for user session statistics and tunnel statistics. See Cisco Cisco IOS Security Command Reference for more information on the show webvpn session command.

DTLS Support for IOS SSL VPN

The DTLS Support for IOS SSL VPN feature enables DTLS as a transport protocol for the traffic tunneled through SSL VPN.

An AnyConnect client with a Transport Layer Security (TLS) tunnel can face problems for real-time traffic and the traffic that is not sensitive to data loss, such as VoIP. This happens because of the delay introduced by the TCP channel (AnyConnect client uses TLS over TCP channel). Also, when the TCP sessions are channeled over the TLS tunnel we have TCP in TCP. Here both the TCPs try to control the flow and achieve in-sequence reliable delivery. This causes slow down of the application and also increases the network bandwidth utilization. DTLS solves this problem by hosting TLS over UDP after making the necessary changes to TLS.

The DTLS Support for IOS SSL VPN feature is enabled by default on the Cisco IOS SSL VPN. You can use the no svc dtls command in the WebVPN group policy configuration mode to disable the DTLS support on the SSL VPN.

Prerequisites for DTLS Support for IOS SSL VPN

You must use a valid K9 image to have the DTLS Support for IOS SSL VPN feature.

Restrictions for DTLS Support for IOS SSL VPN

Cisco IOS gateway supports the DTLS Support for IOS SSL VPN feature only with an AnyConnect clients.
The DTLS Support for IOS SSL VPN feature is supported on AnyConnect clients with version 2.x.
The DTLS Support for IOS SSL VPN feature is not supported on SSL VPN Client (SVC) with version 1.x.

Cisco AnyConnect VPN Client Full Tunnel Support

Remote Client Software from the SSL VPN Gateway

The Cisco AnyConnect VPN Client software package is pushed from the SSL VPN gateway to remote clients when support is needed. The remote user (PC or device) must have either the Java Runtime Environment for Windows (version 1.4 later), or the browser must support or be configured to permit Active X controls. In either scenario, the remote user must have local administrative privileges.

Address Pool

The address pool is first defined with the ip local pool command in global configuration mode. The standard configuration assumes that the IP addresses in the pool are reachable from a directly connected network.

Address Pools for Nondirectly Connected Networks

If you need to configure an address pool for IP addresses from a network that is not directly connected, perform the following steps:

Create a local loopback interface and configure it with an IP address and subnet mask from the address pool.
Configure the address pool with the ip local pool command. The range of addresses must fall under the subnet mask configured in Step 1.
Set up the route. If you are using the Routing Information Protocol (RIP), configure the router rip command and then the network command, as usual, to specify a list of networks for the RIP process. If you are using the Open Shortest Path First (OSPF) protocol, configure the ip ospf network point-to-point command in the loopback interface. As a third choice (instead of using the RIP or OSPF protocol), you can set up static routes to the network.
Configure the svc address-pool command with the name configured in Step 2.

Manual Entry to the IP Forwarding Table

If the SSL VPN software client is unable to update the IP forwarding table on the PC of the remote user, the following error message will be displayed in the router console or syslog:

Error : SSL VPN client was unable to Modify the IP forwarding table ......

This error can occur if the remote client does not have a default route. You can work around this error by performing the following steps:

Open a command prompt (DOS shell) on the remote client.
Enter the route print command.
If a default route is not displayed in the output, enter the route command followed by the add and mask keywords. Include the default gateway IP address at the end of the route statement. See the following example:

C:\>route ADD 0.0.0.0 MASK 0.0.0.0 10.1.1.1

Other SSL VPN Features

The following table lists the requirements for various SSL VPN features.

Table 3. SSL VPN Remote User System Requirements

Task

Remote User System Requirements

Additional Information

Web Browsing

Usernames and passwords for protected websites

Users should log out on SSL VPN sessions when they are finished.

The look and feel of web browsing with SSL VPN might be different from what users are accustomed to. For example, when they are using SSL VPN, the following should be noted:

The SSL VPN title bar appears above each web page.
Websites can be accessed as follows:
- Entering the URL in the Enter Web Address field on the SSL VPN home page
- Clicking a preconfigured website link on the SSL VPN home page
- Clicking a link on a webpage accessed by one of the previous two methods

Also, depending on how a particular account was configured, the following might have occurred:

Some websites are blocked.
Only the websites that appear as links on the SSL VPN home page are available.

Network Browsing and File Management

File permissions configured for shared remote access

Server name and passwords are necessary for protected file servers

Domain, workgroup, and server names where folders and files reside

Only shared folders and files are accessible through SSL VPN.

A user might not be familiar with how to locate files through the network of an organization.

Note

You should not interrupt the Copy File to Server operation or navigate to a different window while the copying is in progress. Interrupting this operation can cause an incomplete file to be saved on the server.

Using e-mail:Thin Client

Same requirements as for Thin Client (see the “TCP Port Forwarding and Thin Client” ).

Other Mail Clients

Note

If you use an IMAP client and lose the e-mail server connection or you are unable to make a new connection, you should close the IMAP application and restart SSL VPN.

To use e-mail, users must start Thin Client from the SSL VPN home page. The e-mail client is then available for use.

Microsoft Outlook Express versions 5.5 and 6.0 have been tested.

SSL VPN should support other SMTPS, POP3S, or IMAP4S e-mail programs, such as Netscape Mail, Lotus Notes, and Eudora, but they have not been verified.

Using e-mail: Web Access

Web-based e-mail product installed

Supported products are as follows:

OWA 5.5, 2000, and 2003

Netscape, Mozilla, and Internet Explorer are supported with OWA 5.5 and 2000.

Internet Explorer 6.0 or a later version is required with OWA 2003. Netscape and Mozilla are supported with OWA 2003.

Lotus Notes

Operating system support:

Note

Later versions of the following browsers are also supported.

Microsoft Windows 2000, Windows XP, or Windows Vista
Macintosh OS X 10.4.6
Linux (Redhat RHEL 3.0 +, FEDORA 5, or FEDORA 6)

SSL VPN-supported browser:

The following browsers have been verified for SSL VPN. Other browsers might not fully support SSL VPN features.

Note

Later versions of the following software are also supported.

Internet Explorer 6.0 or 7.0
Firefox 2.0 (Windows and Linux)
Safari 2.0.3

Other web-based e-mail products should also work, but they have not been verified.

Using the Cisco Tunnel Connection

—

To retrieve Tunnel Connection log messages using the Windows Event Viewer, go to Program Files > Administrative Tools > Event Viewer in Windows.

Using Secure Desktop Manager

A Secure Desktop Manager-supported browser

On Microsoft Windows:

Internet Explorer version 6.0 or 7.0
Netscape version 7.2

On Linux:

Netscape version 7.2

Using Cache Cleaner or Secure Desktop

A Cisco Secure Desktop-supported browser

Any browser supported for Secure Desktop Manager.

Platform Support

For information about platform support for the SSL VPN feature, see the Cisco IOS SSL VPN data sheet section.

How to Configure SSL VPN Services on a Router

Configuring an SSL VPN Gateway

The SSL VPN gateway acts as a proxy for connections to protected resources. Protected resources are accessed through an SSL-encrypted connection between the gateway and a web-enabled browser on a remote device, such as a personal computer. Entering the webvpn gateway command places the router in SSL VPN gateway configuration mode. The following configuration are accomplished in this task:

The gateway is configured with an IP address.
A port number is configured to carry HTTPS traffic (443 is default).
A hostname is configured for the gateway.
Crypto encryption and trust points are configured.
The gateway is configured to redirect HTTP traffic (port 80) over HTTPS.
The gateway is enabled.

Note

The SSL VPN provides remote-access connectivity from almost any Internet-enabled location using only a web browser and its native SSL encryption. The ssl encryption command is configured to restrict the encryption algorithms that SSL uses in Cisco IOS software.

Note

The configuration of the ssl trustpoint command is required only if you need to configure a specific certification authority (CA) certificate. A self-signed certificate is automatically generated when an SSL VPN gateway is put in service.

SUMMARY STEPS

enable
configure terminal
webvpn gateway name
hostname name
ip address number [port number ] [standby name ]
http-redirect [port number ]
ssl encryption [aes-sha1 ] [3des-sha1 ] [rc4-md5 ]
ssl trustpoint name
inservice
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	webvpn gateway `name` Example: `Device(config)# webvpn gateway GW_1`	Enters WebVPN gateway configuration mode to configure an SSL VPN gateway. Only one gateway is configured in an SSL VPN-enabled network.
Step 4	hostname `name` Example: `Device(config-webvpn-gateway)# hostname VPN_1`	(Optional) Configures the hostname for an SSL VPN gateway.
Step 5	ip address `number` [port `number` ] [standby `name` ] Example: `Device(config-webvpn-gateway)# ip address 10.1.1.1`	(Optional) Configures a proxy IP address on an SSL VPN gateway.
Step 6	http-redirect [port `number` ] Example: `Device(config-webvpn-gateway)# http-redirect`	(Optional) Configures HTTP traffic to be carried over HTTPS. When this command is enabled, the SSL VPN gateway listens on port 80 and redirects HTTP traffic over port 443 or the port number specified with the port keyword.
Step 7	ssl encryption [aes-sha1 ] [3des-sha1 ] [rc4-md5 ] Example: `Device(config-webvpn-gateway)# ssl encryption aes-sha-1`	(Optional) Specifies the encryption algorithm that the SSL protocol uses for SSL VPN connections. The ordering of the algorithms specifies the preference.
Step 8	ssl trustpoint `name` Example: `Device(config-webvpn-gateway)# ssl trustpoint CA_CERT`	(Optional if a self-signed certificate is to be used.) Configures the certificate trust point on an SSL VPN gateway.
Step 9	inservice Example: `Device(config-webvpn-gateway)# inservice`	(Optional) Enables an SSL VPN gateway. A gateway cannot be enabled or put “in service” until a proxy IP address has been configured.
Step 10	end Example: `Device(config-webvpn-gateway)# end`	Exists the WebVPN gateway configuration mode and enters the privileged EXEC mode.

What to Do Next

SSL VPN context and policy group configurations must be configured before an SSL VPN gateway can be operationally deployed. Proceed to the “Configuring an SSL VPN Context” section to see information on SSL VPN context configuration.

Configuring a Generic SSL VPN Gateway

To configure a generic SSL VPN gateway, perform the following steps in privileged EXEC mode.

Note

The advantage of this configuration over the one in the configuration task in the “Configuring an SSL VPN Gateway” section on section is that basic commands and context can be configured quickly using just the webvpn enable command.

SUMMARY STEPS

enable
webvpn enable gateway-addr ip-address
end

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

webvpn enable gateway-addr ip-address

Example:


Device# webvpn enable gateway-addr 10.1.1.1

Configures a generic SSL VPN gateway.

Step 3

end

Example:


Device(config-webvpn-gateway)# end

Exists the webvpn gateway configuration mode and enters the privileged EXEC mode.

Configuring an SSL VPN Context

The SSL VPN context defines the virtual configuration of the SSL VPN. Entering the webvpn context command places the router in SSL VPN configuration mode. The following configurations are accomplished in this task:

A gateway and domain is associated.
The AAA authentication method is specified.
A group policy is associated.
The remote user portal (web page) is customized.
A limit on the number users sessions is configured.
The context is enabled.

The ssl authenticate verify all command is enabled by default when a context configuration is created. The context cannot be removed from the router configuration while an SSL VPN gateway is in an enabled state (in service).

A virtual hostname is specified when multiple virtual hosts are mapped to the same IP address on the SSL VPN gateway (similar to the operation of a canonical domain name). The virtual hostname differentiates host requests on the gateway. The host header in the HTTP message is modified to direct traffic to the virtual host. The virtual hostname is configured with the gateway command in WebVPN context configuration mode.

Before you begin

The SSL VPN gateway configuration has been completed.

SUMMARY STEPS

enable
configure terminal
webvpn context name
aaa authentication {domain name | list name }
policy group name
exit
default-group-policy name
exit
gateway name [domain name | virtual-host name ]
inservice
login-message [message-string ]
logo [file filename | none ]
max-users number
secondary-color color
secondary-text-color {black | white }
title [title-string ]
title-color color
svc platform {lin | mac | win } seq sequence-number
end

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

webvpn context name

Example:


Device(config)# webvpn context context1

Enters WebVPN context configuration mode to configure the SSL VPN context.

Tip

The context can be optionally named using the domain or virtual hostname. This is recommended as a best practice. It simplifies the management of multiple context configurations.

Step 4

aaa authentication {domain name | list name }

Example:


Device(config-webvpn-context)# aaa authentication domain SERVER_GROUP

(Optional) Specifies a list or method for SSL VPN remote-user authentication.

Tip

If this command is not configured, the SSL VPN gateway will use global AAA parameters (if configured) for remote-user authentication.

Step 5

policy group name

Example:


Device(config-webvpn-context)# policy group ONE

(Optional) Creates a policy group within the SSL VPN context and enters WebVPN group policy configuration mode.

Used to define a policy that can be applied to the user.

Step 6

exit

Example:


Device(config-webvpn-group)# exit

(Optional) Exits WebVPN group policy configuration mode.

Step 7

default-group-policy name

Example:


Device(config-webvpn-context)# default-group-policy ONE

(Optional) Associates a group policy with an SSL VPN context configuration.

This command is configured to attach the policy group to the SSL VPN context when multiple group policies are defined under the context.
This policy will be used as default, unless a AAA server pushes an attribute that specifically requests another group policy.

Step 8

exit

Example:


Device(config-webvpn-context)# exit

(Optional) Exits WebVPN context configuration mode.

Step 9

gateway name [domain name | virtual-host name ]

Example:


Device(config-webvpn-context)# gateway GW_1 domain cisco.com

(Optional) Associates an SSL VPN gateway with an SSL VPN context.

Step 10

inservice

Example:


Device(config-webvpn-gateway)# inservice

(Optional) Enables an SSL VPN context configuration.

The context is put “in service” by entering this command. However, the context is not operational until it is associated with an enabled SSL VPN gateway.

Step 11

Example:


Device(config-webvpn-context)# login-message “Please enter your login credentials”

(Optional) Configures a message for the user login text box displayed on the login page.

Step 12

logo [file filename | none ]

Example:


Device(config-webvpn-context)# logo file flash:/mylogo.gif

(Optional) Configures a custom logo to be displayed on the login and portal pages of an SSL VPN.

The source image file for the logo is a gif, jpg, or png file that is up to 255 characters in length (filename) and up to 100 KB in size.
The file is referenced from a local file system, such as flash memory. An error message will be displayed if the file is not referenced from a local file system.
No logo will be displayed if the image file is removed from the local file system.

Step 13

max-users number

Example:


Device(config-webvpn-context)# max-users 500

(Optional) Limits the number of connections to an SSL VPN that will be permitted.

Step 14

secondary-color color

Example:


Device(config-webvpn-context)# secondary-color darkseagreen

(Optional) Configures the color of the secondary title bars on the login and portal pages of an SSL VPN.

The value for the color argument is entered as a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a pound sign [#]), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):
- \#/x{6}
- \d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)
- \w+
The default color is purple.

Step 15

secondary-text-color {black | white }

Example:


Device(config-webvpn-context)#  secondary-text-color white

(Optional) Configures the color of the text on the secondary bars of an SSL VPN.

The color of the text on the secondary bars must be aligned with the color of the text on the title bar.
The default color is black.

Step 16

title [title-string ]

Example:


Device(config-webvpn-context)# title “Secure Access: Unauthorized users prohibited”

(Optional) Configures the HTML title string that is shown in the browser title and on the title bar of an SSL VPN.

The optional form of the title command is entered to configure a custom text string. If this command is issued without entering a text string, a title will not be displayed in the browser window. If the no form of this command is used, the default title string “WebVPN Service” is displayed.

Step 17

title-color color

Example:


Device(config-webvpn-context)# title-color darkseagreen

(Optional) Specifies the color of the title bars on the login and portal pages of an SSL VPN.

The value for the color argument is entered as a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a pound sign [#]), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):
- \#/x{6}
- \d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)
- \w+
The default color is purple.

Step 18

svc platform {lin | mac | win } seq sequence-number

Example:


Device(config-webvpn-context)# svc platform lin seq 1

(Optional) Configures the platform of an AnyConnect version per context.

If the svc platform command is not used, AnyConnect is configured in standalone mode.
The seq keyword assigns a priority number to an AnyConnect client in the same platform. The range of sequence-number argument is from 1 to 10.

Step 19

end

Example:

Device(config-webvpn-context)# end

Exists the WebVPN context configuration mode and enters the privileged EXEC mode.

What to Do Next

An SSL VPN policy group configuration must be defined before an SSL VPN gateway can be operationally deployed. Proceed to the Configuring_an_SSL_VPN_Policy_Group_1054618 section to see information on SSL VPN policy group configuration.

Configuring an SSL VPN Policy Group

The policy group is a container that defines the presentation of the portal and the permissions for resources that are configured for a group of remote users. Entering the policy group command places the router in WebVPN group policy configuration mode. After it is configured, the group policy is attached to the SSL VPN context configuration by configuring the default-group-policy command. The following tasks are accomplished in this configuration:

The presentation of the SSL VPN portal page is configured.
A NetBIOS server list is referenced.
A port-forwarding list is referenced.
The idle and session timers are configured.
A URL list is referenced.

Outlook Web Access (OWA) 2003 is supported by the SSL VPN gateway upon completion of this task. The Outlook Exchange Server must be reachable by the SSL VPN gateway via TCP/IP.

A URL list can be configured under the SSL VPN context configuration and then separately for each individual policy group configuration. Individual URL list configurations must have unique names.

SUMMARY STEPS

enable
configure terminal
webvpn context name
policy group name
banner string
hide-url-bar
nbns-list name
port-forward name [auto-download [http-proxy [proxy-url homepage-url ]] | http-proxy [proxy-url homepage-url ] [auto-download ]]
timeout {idle seconds | session seconds }
url-list name
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 4	policy group `name` Example: `Device(config-webvpn-context)# policy group ONE`	Enters WebVPN group policy configuration mode to configure a group policy.
Step 5	banner `string` Example: `Device(config-webvpn-group)# banner “Login Successful”`	(Optional) Configures a banner to be displayed after a successful login.
Step 6	hide-url-bar Example: `Device(config-webvpn-group)# hide-url-bar`	(Optional) Prevents the URL bar from being displayed on the SSL VPN portal page.
Step 7	nbns-list `name` Example: `Device(config-webvpn-group)# nbns-list SERVER_LIST`	(Optional) Attaches a NetBIOS Name Service (NBNS) server list to a policy group configuration. The NBNS server list is first defined in SSL VPN NBNS list configuration mode.
Step 8	port-forward `name` [auto-download [http-proxy [proxy-url `homepage-url` ]] \| http-proxy [proxy-url `homepage-url` ] [auto-download ]] Example: `Device(config-webvpn-group)# port-forward EMAIL auto-download http-proxy proxy-url "http://www.example.com"`	(Optional) Attaches a port-forwarding list to a policy group configuration. auto-download —(Optional) Allows for automatic download of the port-forwarding Java applet on the portal page of a website. http-proxy —(Optional) Allows the Java applet to act as a proxy for the browser of the user. proxy-url —(Optional) Page at this URL address opens as the portal (home) page of the user. `homepage-url` —URL of the home page.
Step 9	timeout {idle `seconds` \| session `seconds` } Example: `Device(config-webvpn-group)# timeout idle 1800`	(Optional) Configures the length of time that a remote user session can remain idle or the total length of time that the session can remain connected. Upon expiration of either timer, the remote user connection is closed. The remote user must log in (reauthenticate) to access the SSL VPN.
Step 10	url-list `name` Example: `Device(config-webvpn-group)# url-list ACCESS`	(Optional) Attaches a URL list to policy group configuration.
Step 11	end Example: `Device(config-webvpn-group)# end`	Exists the WebVPN group configuration mode and enters the privileged EXEC mode.

What to Do Next

At the completion of this task, the SSL VPN gateway and context configurations are operational and enabled (in service), and the policy group has been defined. The SSL VPN gateway is operational for clientless remote access (HTTPS only). Proceed to the Configuring_Local_AAA_Authentication_for_SSL_VPN_User_Sessions section to see information about configuring AAA for remote-user connections.

Configuring Local AAA Authentication for SSL VPN User Sessions

The steps in this task show how to configure a local AAA database for remote-user authentication. AAA is configured in global configuration mode. In this task, the aaa authentication command is not configured under the SSL VPN context configuration. Omitting this command from the SSL VPN context configuration causes the SSL VPN gateway to use global authentication parameters by default.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.

SUMMARY STEPS

enable
configure terminal
aaa new-model
username name secret {0 user-secret | 5 secret-string | user-secret }
aaa authentication login default local
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	aaa new-model Example: `Device(config)# aaa new-model`	Enables the AAA access control model.
Step 4	username `name` secret {0 `user-secret` \| 5 `secret-string` \| `user-secret` } Example: `Device(config)# username USER1 secret 0 PsW2143`	Establishes a username-based authentication system. Entering 0 configures the password as clear text. Entering 5 encrypts the password.
Step 5	aaa authentication login default local Example: `Device(config)# aaa authentication login default local`	Configures local AAA authentication.
Step 6	end Example: `Device(config-webvpn-group)# end`	Exists the WebVPN group configuration mode and enters the privileged EXEC mode.

What to Do Next

The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, as shown in this task, or the database can be accessed through any RADIUS or TACACS+ AAA server.

It is recommended that you use a separate AAA server, such as a Cisco ACS. A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions. Proceed to the “Configuring_AAA_for_SSL_VPN_Users_Using_a_Secure_Access_Control_Server” section to see more information.

Configuring AAA for SSL VPN Users Using a Secure Access Control Server

The steps in this task show how to configure AAA using a separate RADIUS or TACACS+ server. AAA is configured in global configuration mode. The authentication list or method is referenced in the SSL VPN context configuration with the aaa authentication command. The steps in this task configure AAA using a RADIUS server.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.
A RADIUS or TACACS+ AAA server is operational and reachable from the SSL VPN gateway.

SUMMARY STEPS

enable
configure terminal
aaa new-model
aaa group server {radius group-name | tacacs+ group-name }
server ip-address [auth-port port-number ] [acct-port port-number ]
exit
aaa authentication login {default | list-name } method1 [method2 ...]
radius-server host {hostname | ip-address } [auth-port port-number ] [acct-port port-number ] [timeout seconds ] [retransmit retries ] [key string ] [alias {hostname | ip-address }]
webvpn context name
aaa authentication {domain name | list name }
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	aaa new-model Example: `Device(config)# aaa new-model`	Enables the AAA access control model.
Step 4	aaa group server {radius `group-name` \| tacacs+ `group-name` } Example: `Device(config)# aaa group server radius myServer`	Configures a RADIUS or TACACS+ server group and specifies the authentication list or method, and enters server-group configuration mode.
Step 5	server `ip-address` [auth-port `port-number` ] [acct-port `port-number` ] Example: `Device(config-sg-radius)# server 10.1.1.20 auth-port 1645 acct-port 1646`	Configures the IP address of the AAA group server.
Step 6	exit Example: `Device(config-sg-radius)# exit`	Exits server-group configuration mode.
Step 7	aaa authentication login {default \| `list-name` } `method1` [`method2` ...] Example: `Device(config)# aaa authentication login default local group myServer`	Sets AAA login parameters.
Step 8	radius-server host {`hostname` \| `ip-address` } [auth-port `port-number` ] [acct-port `port-number` ] [timeout `seconds` ] [retransmit `retries` ] [key `string` ] [alias {`hostname` \| `ip-address` }] Example: `Device(config)# radius-server host 10.1.1.20 auth-port 1645 acct-port 1646`	Specifies a host as the group server.
Step 9	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters SSL VPN configuration mode to configure the SSL VPN context.
Step 10	aaa authentication {domain `name` \| list `name` } Example: `Device(config-webvpn-context)# aaa authentication domain myServer`	Configures AAA authentication for SSL VPN sessions.
Step 11	end Example: `Device(config-webvpn-context)# end`	Exists the SSL VPN configuration mode and enters the privileged EXEC mode.

What to Do Next

Proceed to the section “Configuring_RADIUS_Attribute_Support_for_SSL_VPN” section to see RADIUS attribute-value pair information introduced to support this feature.

Configuring PKI Integration with a AAA Server

Perform this task to generate a AAA username from the certificate presented by the peer and specify which fields within a certificate should be used to build the AAA database username.

Note

The following restrictions should be considered when using the all keyword as the subject name for the authorization username command:

Some AAA servers limit the length of the username (for example, to 64 characters). As a result, the entire certificate subject name cannot be longer than the limitation of the server.
Some AAA servers limit the available character set that may be used for the username (for example, a space [ ] and an equal sign [=] may not be acceptable). You cannot use the all keyword for a AAA server having such a character-set limitation.
The subject-name command in the trustpoint configuration may not always be the final AAA subject name. If the fully qualified domain name (FQDN), serial number, or IP address of the router are included in a certificate request, the subject name field of the issued certificate will also have these components. To turn off the components, use the fqdn , serial-number , and ip-address commands with the none keyword.
CA servers sometimes change the requested subject name field when they issue a certificate. For example, CA servers of some vendors switch the relative distinguished names (RDNs) in the requested subject names to the following order: CN, OU, O, L, ST, and C. However, another CA server might append the configured LDAP directory root (for example, O=cisco.com) to the end of the requested subject name.
Depending on the tools you choose for displaying a certificate, the printed order of the RDNs in the subject name could be different. Cisco IOS software always displays the least significant RDN first, but other software, such as Open Source Secure Socket Layer (OpenSSL), does the opposite. Therefore, if you are configuring a AAA server with a full distinguished name (DN) (subject name) as the corresponding username, ensure that the Cisco IOS software style (that is, with the least significant RDN first) is used.

radius-server host hostname [key string ]

SUMMARY STEPS

enable
configure terminal
aaa new-model
aaa authorization network listname [method ]
crypto pki trustpoint name
enrollment [mode] [retry period minutes] [retry count number] url url [pem]
revocation-check method
exit
authorization username subjectname subjectname
authorization list listname
tacacs-server host hostname [key string]

DETAILED STEPS

Command or Action Purpose

Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:


Router(config)# aaa new-model

Enables the AAA access control model.

Step 4

aaa authorization network listname [method ]

Example:


Router (config)# aaa authorization network maxaaa group tacacs+

Sets the parameters that restrict user access to a network.

method --Can be group radius , group tacacs+ , or group group-name .

Step 5

crypto pki trustpoint name

Example:


Route (config)# crypto pki trustpoint msca

Declares the trustpoint and a given name and enters ca-trustpoint configuration mode.

Step 6

enrollment [mode] [retry period minutes] [retry count number] url url [pem]

Example:


Router (ca-trustpoint)# enrollment url http://caserver.myexample.com

- or-


Router (ca-trustpoint)# enrollment url http://[2001:DB8:1:1::1]:80

Specifies the following enrollment parameters of the CA:

(Optional) The mode keyword specifies the registration authority (RA) mode, if your CA system provides an RA. By default, RA mode is disabled.
(Optional) The retry period keyword and minutes argument specifies the period, in minutes, in which the router waits before sending the CA another certificate request. Valid values are from 1 to 60. The default is 1.
(Optional) The retry count keyword and number argument specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. Valid values are from 1 to 100. The default is 10.

The url argument is the URL of the CA to which your router should send certificate requests.

Note

With the introduction of Cisco IOS Release 15.2(1)T, an IPv6 address can be added to the http: enrolment method. For example: http://[ipv6-address]:80. The IPv6 address must be enclosed in brackets in the URL. See the Command Reference document for more information on the other enrollment methods that can be used.

(Optional) The pem keyword adds privacy-enhanced mail (PEM) boundaries to the certificate request.

Step 7

revocation-check method

Example:


Router (ca-trustpoint)# revocation-check crl

(Optional) Checks the revocation status of a certificate.

Step 8

exit

Example:


Router (ca-trustpoint)# exit

Exits ca-trustpoint configuration mode and returns to global configuration mode.

Step 9

authorization username subjectname subjectname

Example:


Router (config)# authorization username subjectname serialnumber

Sets parameters for the different certificate fields that are used to build the AAA username.

The subjectname argument can be any of the following:

all --Entire distinguished name (subject name) of the certificate.
commonname --Certification common name.
country --Certificate country.
email --Certificate e-mail.
ipaddress --Certificate IP address.
locality --Certificate locality.
organization --Certificate organization.
organizationalunit --Certificate organizational unit.
postalcode --Certificate postal code.
serialnumber --Certificate serial number.
state --Certificate state field.
streetaddress --Certificate street address.
title --Certificate title.
unstructuredname --Certificate unstructured name.

Step 10

authorization list listname

Example:


Route (config)# authorization list maxaaa

Specifies the AAA authorization list.

Step 11

tacacs-server host hostname [key string]

Example:


Router(config)# tacacs-server host 192.0.2.2 key a_secret_key

Example:


radius-server host hostname [key string]

Example:


Router(config)# radius-server host 192.0.2.1 key another_secret_key

Specifies a TACACS+ host.

Specifies a RADIUS host.

Configuring RADIUS Accounting for SSL VPN User Sessions

Before you begin

Before configuring RADIUS accounting for SSL VPN user sessions, you should first have configured AAA-related commands (in global configuration mode) and have set the accounting list.

SUMMARY STEPS

enable
configure terminal
aaa new-model
webvpn context context-name
aaa accounting list aaa-list
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	aaa new-model Example: `Device(config)# aaa new-model`	Enables the AAA access control model.
Step 4	webvpn context `context-name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 5	aaa accounting list `aaa-list` Example: `Device(config-webvpn-context)# aaa accounting list list1`	Enables AAA accounting when you are using RADIUS for SSL VPN sessions.
Step 6	end Example: `Device(config-webvpn-context)# end`	Exists the WebVPN context configuration mode and enters the privileged EXEC mode.

Monitoring and Maintaining RADIUS Accounting for an SSL VPN Session

To monitor and maintain your RADIUS accounting configuration, perform the following steps (the debug commands can be used together or individually).

SUMMARY STEPS

enable
debug webvpn aaa
debug aaa accounting
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	debug webvpn aaa Example: `Device# debug webvpn aaa`	Enables SSL VPN session monitoring for AAA.
Step 3	debug aaa accounting Example: `Device# debug aaa accounting`	Displays information on accountable events as they occur.
Step 4	end Example: `Device# end`	Enters the privileged EXEC mode.

Configuring RADIUS Attribute Support for SSL VPN

This section lists RADIUS attribute-value (AV) pair information introduced to support SSL VPN. For information on using RADIUS AV pairs with Cisco IOS software, see the "Configuring RADIUS" chapter in the RADIUS Configuration Guide.

The following table shows information about SSL VPN RADIUS attribute-value pairs. All SSL VPN attributes (except for the standard IETF RADIUS attributes) start with webvpn: as follows:

webvpn:urllist-name=cisco webvpn:nbnslist-name=cifs webvpn:default-domain=cisco.com

Table 4. SSL VPN RADIUS Attribute-Value Pairs
Attribute	Type of Value	Values	Default
addr (Framed-IP-Address¹)	ipaddr	IP_address	—
addr-pool	string	name	—
auto-applet-download	integer	0 (disable) 1 (enable)²	0
banner	string		—
citrix-enabled	integer	0 (disable) 1 (enable)³	0
default-domain	string	--	—
dns-servers	ipaddr	IP_address	—
dpd-client-timeout	integer (seconds)	0 (disabled)-3600	300
dpd-gateway-timeout	integer (seconds)	0 (disabled)-3600	300
file-access	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	0
file-browse	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	0
file-entry	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	0
hide-urlbar	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	0
home-page	string	—	—
idletime (Idle-Timeout). See the Configuring RADIUS Attribute Support for SSL VPN section.	integer (seconds)	0-3600	2100
ie-proxy-exception	string	DNS_name	—
ie-proxy-exception	ipaddr	IP_address	—
ie-proxy-server	ipaddr	IP_address	—
inacl	integer	1-199, 1300-2699	—
inacl	string	name	—
keep-svc-installed	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	1
nbnslist-name	string	name	—
netmask (Framed-IP-Netmask) Configuring RADIUS Attribute Support for SSL VPN section.	ipaddr	IP_address_mask	—
port-forward-auto	integer	0 (disable) 1 (enable)	If this AV pair is not configured, the default is whatever was configured for the group policy. If this AV pair is configured with an integer of 1, the 1 will override a group policy value of 0.
port-forward-http-proxy	integer	0 (disable) 1 (enable)	HTTP proxy is not enabled. If this AV pair is configured with an integer of 1, the 1 will override a group policy value of 0.
port-forward-http-proxy-url	string	URL address (for example, http://example.com)	—
port-forward-name	string	name	—
primary-dns	ipaddr	IP_address	—
rekey-interval	integer (seconds)	0-43200	21600
secondary-dns	ipaddr	IP_address	—
split-dns	string	—	—
split-exclude⁴	ipaddr ipaddr	IP_address IP_address_mask	—
split-exclude⁴	word	local-lans	—
split-include Configuring RADIUS Attribute Support for SSL VPN section.	ipaddr ipaddr	IP_address IP_address_mask	—
sso-server-name	string	name	—
svc-enabled⁵	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	0
svc-ie-proxy-policy	word	none, auto, bypass-local	—
svc-required Configuring RADIUS Attribute Support for SSL VPN section.	integer	0 (disable) 1 (enable). See the Configuring RADIUS Attribute Support for SSL VPN section.	0
timeout (Session-Timeout) Configuring RADIUS Attribute Support for SSL VPN section.	integer (seconds)	1-1209600	43200
urllist-name	string	name	—
user-vpn-group	string	name	—
wins-server-primary	ipaddr	IP_address	—
wins-servers	ipaddr	IP_address	—
wins-server-secondary	ipaddr	IP_address	—

¹ Standard IETF RADIUS attributes.

² Any integer other than 0 enables this feature.

³ Any integer other than 0 enables this feature.

⁴ You can specify either split-include or split-exclude, but you cannot specify both options.

⁵ You can specify either svc-enable or svc-required, but you cannot specify both options.

What to Do Next

See the Configuring_a_URL_List_for_Clientless_Remote_Access section for information about customizing the URL list configured in Step 10 of the Configuring_an_SSL_VPN_Policy_Group section.

Configuring a URL List for Clientless Remote Access

The steps in this configuration task show how to configure a URL list. The URL list, as the name implies, is a list of HTTP URLs that are displayed on the portal page after a successful login. The URL list is configured in WebVPN context configuration and WebVPN group policy configuration modes.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.

SUMMARY STEPS

enable
configure terminal
webvpn context name
url-list name
heading text-string
url-text name url-value url
exit
policy group name
url-list name
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 4	url-list `name` Example: `Device(config-webvpn-context)# url-list ACCESS`	Enters WebVPN URL list configuration mode to configure the list of URLs to which a user has access on the portal page of an SSL VPN.
Step 5	heading `text-string` Example: `Device(config-webvpn-url)# heading “Quick Links”`	Configures the heading that is displayed above URLs listed on the portal page of an SSL VPN. The heading for the URL list is entered as a text string. The heading must be entered inside of quotation marks if it contains spaces.
Step 6	url-text `name` url-value `url` Example: `Device(config-webvpn-url)# url-text “Human Resources” url-value example.com`	Adds an entry to a URL list.
Step 7	exit Example: `Device(config-webvpn-url)# exit`	Exits WebVPN URL list configuration mode, and enters SSL VPN context configuration mode.
Step 8	policy group `name` Example: `Device(config-webvpn-context)# policy group ONE`	Enters WebVPN group policy configuration mode to configure a group policy.
Step 9	url-list `name` Example: `Device(config-webvpn-group)# url-list ACCESS`	Attaches the URL list to the policy group configuration.
Step 10	end Example: `Device(config-webvpn-group)# end`	Exists the WebVPN group policy configuration mode and enters the privileged EXEC mode.

What to Do Next

See the Configuring_Microsoft_File_Shares_for_Clientless_Remote_Access section for information about configuring clientless remote access to file shares.

Configuring Microsoft File Shares for Clientless Remote Access

In clientless remote access mode, files and directories created on Microsoft Windows servers can be accessed by the remote client through the HTTPS-enabled browser. When clientless remote access is enabled, a list of file server and directory links is displayed on the portal page after login. The administrator can customize permissions on the SSL VPN gateway to provide limited read-only access for a single file or full-write access and network browsing capabilities. The following access capabilities can be configured:

Network browse (listing of domains)
Domain browse (listing of servers)
Server browse (listing of shares)
Listing files in a share
Downloading files
Modifying files
Creating new directories
Creating new files
Deleting files

Common Internet File System Support—CIFS is the protocol that provides access to Microsoft file shares and support for common operations that allow shared files to be accessed or modified.

NetBIOS Name Service Resolution—Windows Internet Name Service (WINS) uses NetBIOS name resolution to map and establish connections between Microsoft servers. A single server must be identified by its IP address in this configuration. Up to three servers can be added to the configuration. If multiple servers are added, one server should be configured as the master browser.

Samba Support—Microsoft file shares can be accessed through the browser on a Linux system that is configured to run Samba.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.
A Microsoft file server is operational and reachable from the SSL VPN gateway over TCP/IP.

Note

File shares configured on Windows 2008 is not supported. Only file shares configured on Microsoft Windows 2000, Windows 2003, Windows XP, and Red Hat Linux servers are supported.

SUMMARY STEPS

enable
configure terminal
webvpn context name
nbns-list name
nbns-server ip-address [master ] [timeout seconds ] [retries number ]
exit
policy group name
nbns-list name
functions {file-access | file-browse | file-entry | svc-enabled | svc-required }
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 4	nbns-list `name` Example: `Device(config-webvpn-context)# nbns-list SERVER_LIST`	Enters WebVPN NBNS list configuration mode to configure an NBNS server list for CIFS name resolution.
Step 5	nbns-server `ip-address` [master ] [timeout `seconds` ] [retries `number` ] Example: `Device(config-webvpn-nbnslist)# nbns-server 172.16.1.1 master`	Adds a server to an NBNS server list and enters WebVPN NBNS list configuration mode. The server specified with the `ip-address` argument can be a primary domain controller (PDC) in a Microsoft network. When multiple NBNS servers are specified, a single server is configured as master browser. Up to three NBNS server statements can be configured.
Step 6	exit Example: `Device(config-webvpn-nbnslist)# exit`	Exits WebVPN NBNS list configuration mode and enters WebVPN context configuration mode.
Step 7	policy group `name` Example: `Device(config-webvpn-context)# policy group ONE`	Enters WebVPN group policy configuration mode to configure a group policy.
Step 8	nbns-list `name` Example: `Device(config-webvpn-group)# nbns-list SERVER_LIST`	Attaches an NBNS server list to a policy group configuration.
Step 9	functions {file-access \| file-browse \| file-entry \| svc-enabled \| svc-required } Example: `Device(config-webvpn-group)# functions file-access`	Configures access for Microsoft file shares. Entering the file-access keyword enables network file share access. File servers in the server list are listed on the SSL VPN portal page when this keyword is enabled. Entering the file-browse keyword enables browse permissions for server and file shares. The file-access function must be enabled in order to also use this function. Entering the file-entry keyword enables “modify” permissions for files in the shares listed on the SSL VPN portal page.
Step 10	end Example: `Device(config-webvpn-group)# end`	Exists the WebVPN group policy configuration mode and enters the privileged EXEC mode.

What to Do Next

See the Configuring_Citrix_Application_Support_for_Clientless_Remote_Access section for information about configuring clientless remote access for Citrix- enabled applications.

Configuring Citrix Application Support for Clientless Remote Access

Clientless Citrix support allows the remote user to run Citrix-enabled applications through the SSL VPN as if the application were locally installed (similar to traditional thin-client computing). Citrix applications run on a MetaFrame XP server (or server farm). The SSL VPN gateway provides access to the remote user. The applications run in real time over the SSL VPN. This task shows how to enable Citrix support for policy group remote users.

The Independent Computing Architecture (ICA) client carries keystrokes and mouse clicks from the remote user to the MetaFrame XP server. ICA traffic is carried over TCP port number 1494. This port is opened when a Citrix application is accessed. If multiple application are accessed, the traffic is carried over a single TCP session.

Before you begin

A Citrix MetaFrame XP server is operational and reachable from the SSL VPN gateway over TCP/IP.
SSL VPN gateway and context configurations are enabled and operational.

SUMMARY STEPS

enable
configure terminal
access-list access-list-number {permit | deny } protocol source destination
webvpn context name
policy group name
citrix enabled
filter citrix extended-acl
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	access-list `access-list-number` {permit \| deny } `protocol` `source` `destination` Example: `Device(config)# access-list 100 permit ip 192.168.1.0 0.255.255.255`	Configures the access list mechanism for filtering frames by protocol type or vendor code.
Step 4	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 5	policy group `name` Example: `Device(config-webvpn-context)# policy group ONE`	Enters WebVPN group policy configuration mode to configure a group policy.
Step 6	citrix enabled Example: `Device(config-webvpn-group)# citrix enabled`	Enables Citrix application support for remote users in a policy group.
Step 7	filter citrix `extended-acl` Example: `Device(config-webvpn-group)# filter citrix 100`	Configures a Citrix Thin Client filter. An extended access list is configured to define the Thin Client filter. This filter is used to control remote user access to Citrix applications.
Step 8	end Example: `Device(config-webvpn-group)# end`	Enters WebVPN group policy configuration mode and enters the privileged EXEC mode.

What to Do Next

Support for standard applications that use well-known port numbers, such as e-mail and Telnet, can be configured using the port forwarding feature. See the Configuring_Application_Port_Forwarding section for more information.

Configuring Application Port Forwarding

Application port forwarding is configured for thin-client mode SSL VPN. Port forwarding extends the cryptographic functions of the SSL-protected browser to provide remote access to TCP and UDP-based applications that use well-known port numbers, such as POP3, SMTP, IMAP, Telnet, and SSH.

When port forwarding is enabled, the hosts file on the SSL VPN client is modified to map the application to the port number configured in the forwarding list. The application port mapping is restored to default when the user terminates the SSL VPN session.

When you are enabling port forwarding, the SSL VPN gateway will modify the hosts file on the PC of the remote user. Some software configurations and software security applications will detect this modification and prompt the remote user to choose “Yes” to permit. To permit the modification, the remote user must have local administrative privileges.

Note

Before you begin

SSL VPN gateway and SSL VPN context configurations are enabled and operational.

SUMMARY STEPS

enable
configure terminal
webvpn context name
port-forward name
local-port number remote-server name remote-port number description text-string
exit
policy group name
port-forward name
exit
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 4	port-forward `name` Example: `Device(config-webvpn-context)# port-forward EMAIL`	Enters WebVPN port-forward list configuration mode to configure a port forwarding list.
Step 5	local-port `number` remote-server `name` remote-port `number` description `text-string` Example: `Device(config-webvpn-port-fwd)# local-port 30016 remote-server example.com remote-port 110 description POP3`	Remaps (forwards) an application port number in a port forwarding list. The remote port number is the well-known port to which the application listens. The local port number is the entry configured in the port forwarding list. A local port number can be configured only once in a given port forwarding list.
Step 6	exit Example: `Device(config-webvpn-port-fwd)# exit`	Exits WebVPN port-forward list configuration mode, and enters WebVPN context configuration mode.
Step 7	policy group `name` Example: `Device(config-webvpn-context)# policy group ONE`	Enters WebVPN group policy configuration mode to configure a group policy.
Step 8	port-forward `name` Example: `Device(config-webvpn-group)# port-forward EMAIL`	Attaches a port forwarding list to a policy group configuration.
Step 9	exit Example: `Device(config-webvpn-context)# exit`	Exits WebVPN port-forward list configuration mode, and enters WebVPN context configuration mode.
Step 10	end Example: `Device(config-webvpn-group)# end`	Exists the WebVPN context configuration mode and enters the privileged EXEC mode.

Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files

The SSL VPN gateway is preconfigured to distribute Cisco Secure Desktop (CSD) or Cisco AnyConnect VPN Client software package files to remote users. The files are distributed only when CSD or Cisco AnyConnect VPN Client support is needed. The administrator performs the following tasks to prepare the gateway:

The current software package is downloaded from www.cisco.com.
The package file is copied to a local file system.
The package file is installed for distribution by configuring the crypto vpn command.

The remote user must have administrative privileges, and the JRE for Windows version 1.4 or later must be installed before the CSD client package can be installed.

For Cisco AnyConnect VPN Client software installation, the remote user must have either the Java Runtime Environment for Windows (version 1.4 or later), or the browser must support or be configured to permit Active X controls.

CSD and Cisco AnyConnect VPN Client software packages should be installed for distribution on the SSL VPN gateway. Download the latest version that supports your device and the image you are using (consult a compatibility matrix for your particular setup).

The CSD software package can be downloaded at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/securedesktop

The Cisco AnyConnect VPN Client software package can be downloaded at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect

The Cisco SSL VPN Client software package can be downloaded at the following URL:

http://www.cisco.com/cgi-bin/tablebuild.pl/sslvpnclient

You will be prompted to enter your login name and password to download these files from cisco.com.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.
Software installation packages are copied to a local files system, such as flash memory.

Note

Effective with Cisco IOS Release 12.4(20)T, multiple packages can be downloaded to a gateway.

SUMMARY STEPS

enable
configure terminal
crypto vpn {anyconnect file name sequence sequence-number}
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	crypto vpn {anyconnect `file name` sequence `sequence-number`} Example: `Device(config)# crypto vpn anyconnect filea sequence 5`	Installs a CSD or Cisco AnyConnect VPN Client package file to an SSL VPN gateway for distribution to remote users. The CSD and Cisco AnyConnect VPN Client software packages are pushed to remote users as access is needed. The sequence keyword and `sequence-number` argument are used to install multiple packages to a gateway.
Step 4	end Example: `Device(config)# end`	Exists the global configuration mode and enters the privileged EXEC mode.

What to Do Next

Support for CSD and Cisco AnyConnect VPN Client can be enabled for remote users after the gateway has been prepared to distribute CSD or Cisco AnyConnect VPN Client software.

Configuring Cisco Secure Desktop Support

CSD provides a session-based interface where sensitive data can be shared for the duration of an SSL VPN session. All session information is encrypted. All traces of the session data are removed from the remote client when the session is terminated, even if the connection is terminated abruptly. CSD support for remote clients is enabled in this task.

The remote user (PC or device) must have administrative privileges, and the JRE for Windows version 1.4 or later must be installed before the CSD client packages can be installed.

Note

Compressed Zip file installation is supported.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.
The CSD software package is installed for distribution on the SSL VPN gateway.

See the Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files section if you have not already prepared the SSL VPN gateway to distribute CSD software.

Note

Only Microsoft Windows 2000, Windows XP, Windows Vista, Apple-Mac, and Linux are supported on the remote client.

SUMMARY STEPS

enable
configure terminal
crypto vpn
csd enable
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	crypto vpn Example: `Device(config)# crypto vpn csd bgl12`	Installs the CSD on an SSL VPN gateway.
Step 4	csd enable Example: `Device(config)# csd enable`	Enables CSD support for SSL VPN sessions.
Step 5	end Example: `Device(config)# end`	Exists the global configuration mode and enters the privileged EXEC mode.

What to Do Next

Upon completion of this task, the SSL VPN gateway has been configured to provide clientless and thin-client support for remote users. The SSL VPN feature also has the capability to provide full VPN access (similar to IPsec). Proceed to the Configuring_Cisco_AnyConnect_VPN_Client_Full_Tunnel_Support section to see more information.

Configuring Cisco AnyConnect VPN Client Full Tunnel Support

The Cisco AnyConnect VPN Client is an application that allows a remote user to establish a full VPN connection similar to the type of connection that is established with an IPsec VPN. Cisco AnyConnect VPN Client software is pushed (downloaded) and installed automatically on the PC of the remote user. The Cisco AnyConnect VPN Client uses SSL to provide the security of an IPsec VPN without the complexity required to install IPsec in your network and on remote devices. The following tasks are completed in this configuration:

An access list is applied to the tunnel to restrict VPN access.
Cisco AnyConnect VPN Client tunnel support is enabled.
An address pool is configured for assignment to remote clients.
The default domain is configured.
DNS is configured for Cisco AnyConnect VPN Client tunnel clients.
Dead peer timers are configured for the SSL VPN gateway and remote users.
The login home page is configured.
The Cisco AnyConnect VPN Client software package is configured to remain installed on the remote client.
Tunnel key refresh parameters are defined.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.
The Cisco AnyConnect VPN Client software package is installed for distribution on the SSL VPN gateway.
The remote client has administrative privileges. Administrative privileges are required to download the SSL VPN software client.

See the Configuring the SSL VPN Gateway to Distribute CSD and Cisco AnyConnect VPN Client Package Files section if you have not already prepared the SSL VPN gateway to distribute SSL VPN software.

Note

Only Microsoft Windows 2000, Windows XP, Windows Vista, Apple-Mac, and Linux are supported on the remote client.

SUMMARY STEPS

enable
configure terminal
webvpn context name
policy group name
filter tunnel extended-acl
functions {file-access | file-browse | file-entry | svc-enabled | svc-required }
svc address-pool name netmask ip-netmask
svc default-domain name
svc dns-server {primary | secondary } ip-address
svc dpd-interval {client | gateway } seconds
svc keepalive seconds
svc homepage string
svc keep-client-installed
svc rekey {method {new-tunnel | ssl } | time seconds }
end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: `Device> enable`	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 3	webvpn context `name` Example: `Device(config)# webvpn context context1`	Enters WebVPN context configuration mode to configure the SSL VPN context.
Step 4	policy group `name` Example: `Device(config-webvpn-context)# policy group ONE`	Enters WebVPN group policy configuration mode to configure a group policy.
Step 5	filter tunnel `extended-acl` Example: `Device(config-webvpn-group)# filter tunnel 101`	Configures an SSL VPN tunnel access filter. The tunnel access filter is used to control network and application level access. The tunnel filter is also defined in an extended access list.
Step 6	functions {file-access \| file-browse \| file-entry \| svc-enabled \| svc-required } Example: `Device(config-webvpn-group)# functions svc-enabled`	Configures Cisco AnyConnect VPN Client tunnel mode support. Entering the svc-enabled keyword enables tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install, the remote user can continue to use clientless mode or thin-client mode. Entering the svc-required keyword enables only tunnel support for the remote user. If the Cisco AnyConnect VPN Client software package fails to install (on the PC of the remote user), the other access modes cannot be used.
Step 7	svc address-pool `name` netmask `ip-netmask` Example: `Device(config-webvpn-group)# svc address-pool ADDRESSES netmask 255.255.255.0`	Configures a pool of IP addresses to assign to remote users in a policy group. The address pool is first defined with the ip local pool command in global configuration mode. If you are configuring an address pool for a network that is not direc tly connected, an address from the pool must be configured on a locally loopback interface. See the third example at the end of this section.
Step 8	svc default-domain `name` Example: `Device(config-webvpn-group)# svc default-domain cisco.com`	Configures the default domain for a policy group.
Step 9	svc dns-server {primary \| secondary } `ip-address` Example: `Device(config-webvpn-group)# svc dns-server primary 192.168.3.1`	Configures DNS servers for policy group remote users.
Step 10	svc dpd-interval {client \| gateway } `seconds` Example: `Device(config-webvpn-group)# svc dpd-interval gateway 30`	Configures the dead peer detection (DPD) timer value for the gateway or client. The DPD timer is reset every time a packet is received over the SSL VPN tunnel from the gateway or remote user.
Step 11	svc keepalive `seconds` Example: `Device(config-webvpn-group)# svc keepalive 300`	(Optional) Enables the SVC to send keepalive messages by default with a frequency of 30 seconds. Use this command to adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, Cisco IOS firewall, or NAT device remains active, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer. If the svc keepalive command is configured with a value of 0 seconds, then the keepalive function is disabled.
Step 12	svc homepage `string` Example: `Device(config-webvpn-group)# svc homepage www.cisco.com`	Configures the URL of the web page that is displayed upon successful user login. The `string` argument is entered as an HTTP URL. The URL can be up to 255 characters in length.
Step 13	svc keep-client-installed Example: `Device(config-webvpn-group)# svc keep-client-installed`	Configures the remote user to keep Cisco AnyConnect VPN Client software installed when the SSL VPN connection is not enabled.
Step 14	svc rekey {method {new-tunnel \| ssl } \| time `seconds` } Example: `Device(config-webvpn-group)# svc rekey method new-tunnel`	Configures the time and method that a tunnel key is refreshed for policy group remote users. The tunnel key is refreshed by renegotiating the SSL connection or initiating a new tunnel connection. The time interval between tunnel refresh cycles is configured in seconds.
Step 15	end Example: `Device(config-webvpn-group)# end`	Exists the WebVPN group policy configuration mode and enters the privileged EXEC mode.

Examples

Tunnel Filter Configuration

The following example, starting in global configuration mode, configures a deny access filter for any host from the 172.16.2/24 network:


Device(config)# access-list 101 deny ip 172.16.2.0 0.0.0.255 any
Device(config)# webvpn context context1
Device(config-webvpn-context)# policy group ONE
Device(config-webvpn-group)# filter tunnel 101
Device(config-webvpn-group)# end

Address Pool (Directly Connected Network) Configuration

The following example, starting in global configuration mode, configures the 192.168.1/24 network as an address pool:


Device(config)# ip local pool ADDRESSES 192.168.1.1 192.168.1.254 
Device(config)# webvpn context context1 
Device(config-webvpn-context)# policy group ONE 
Device(config-webvpn-group)# svc address-pool ADDRESSES 
Device(config-webvpn-group)# end

Address Pool (Nondirectly Connected Network) Configuration

The following example, starting in global configuration mode, configures the 172.16.1/24 network as an address pool. Because the network is not directly connected, a local loopback interface is configured.


Device(config)# interface loopback 0 
Device(config-int)# ip address 172.16.1.126 255.255.255.0 
Device(config-int)# no shutdown 
Device(config-int)# exit 
Device(config)# ip local pool ADDRESSES 172.16.1.1 172.16.1.254 
Device(config)# webvpn context context1 
Device(config-webvpn-context)# policy group ONE 
Device(config-webvpn-group)# svc address-pool ADDRESSES 
Device(config-webvpn-group)# end

Full Tunnel Configuration

The following example, starting in global configuration mode, configures full Cisco AnyConnect VPN Client tunnel support on an SSL VPN gateway:


Device(config)# webvpn context context1
Device(config-webvpn-context)# policy group ONE
Device(config-webvpn-group)# functions svc-enabled
Device(config-webvpn-group)# functions svc-required
Device(config-webvpn-group)# svc default-domain cisco.com
Device(config-webvpn-group)# svc dns-server primary 192.168.3.1
Device(config-webvpn-group)# svc dns-server secondary 192.168.4.1
Device(config-webvpn-group)# svc dpd-interval gateway 30
Device(config-webvpn-group)# svc dpd-interval client 300
Device(config-webvpn-group)# svc homepage www.cisco.com
Device(config-webvpn-group)# svc keep-client-installed
Device(config-webvpn-group)# svc rekey method new-tunnel
Device(config-webvpn-group)# svc rekey time 3600
Device(config-webvpn-group)# end

What to Do Next

Proceed to the Configuring_Advanced_SSL_VPN_Tunnel_Features section to see advanced Cisco AnyConnect VPN Client tunnel configuration information.

Configuring Advanced SSL VPN Tunnel Features

This section describes advanced Cisco AnyConnect VPN Client tunnel configurations. The following configuration steps are completed in this task:

Split tunnel support and split DNS resolution are enabled on the SSL VPN gateway.
SSL VPN gateway support for Microsoft Internet Explorer proxy settings is configured.
WINS resolution is configured for Cisco AnyConnect VPN Client tunnel clients.

Microsoft Internet Explorer Proxy Configuration—The SSL VPN gateway can be configured to pass or bypass Microsoft Internet Explorer (MSIE) proxy settings. Only HTTP proxy settings are supported by the SSL VPN gateway. MSIE proxy settings have no effect on any other supported browser.

Split Tunneling—Split tunnel support allows you to configure a policy that permits specific traffic to be carried outside of the Cisco AnyConnect VPN Client tunnel. Traffic is either included (resolved in tunnel) or excluded (resolved through the Internet service provider [ISP] or WAN connection). Tunnel resolution configuration is mutually exclusive. An IP address cannot be both included and excluded at the same time. Entering the local-lans keyword permits the remote user to access resources on a local LAN, such as network printer.

Before you begin

SSL VPN gateway and context configurations are enabled and operational.
The Cisco AnyConnect VPN Client software package is installed for distribution on the SSL VPN gateway.

Note

Only Microsoft Windows 2000, Windows XP, Windows Vista, Apple-Mac, and Linux are supported on the remote client.

SUMMARY STEPS

enable
configure terminal
webvpn context name
policy group name
svc split exclude {{ip-address mask | local-lans } | include ip-address mask }
svc split dns

SSL VPN Configuration Guide, Cisco IOS Release 15M&T

Bias-Free Language

Results

Chapter: SSL VPN

SSL VPN

Finding Feature Information

Prerequisites for SSL VPN

Restrictions for SSL VPN

General Restrictions for SSL VPN

PKI AAA Authorization Using the Entire Subject Name

Cisco AnyConnect VPN Client

Thin-Client Control List Support

HTTP Proxy

Lightweight Directory Access Protocol

Features Not Supported on the Cisco IOS SSL VPN

Information About SSL VPN

SSL VPN Overview

Licensing

Licensing in Cisco IOS Release 15.x

Modes of Remote Access

Remote Access Overview

Clientless Mode

Thin-Client Mode

Options for Configuring HTTP Proxy and the Portal Page

Benefits of Configuring HTTP Proxy

Illustrations of Port Forwarding with and Without an HTTP Proxy Configuration

Tunnel Mode

SSL VPN Features

Access Control Enhancements

SSL VPN Client-Side Certificate-Based Authentication

Certificate-Only Authentication and Authorization Mode

Two-Factor Authentication and Authorization Mode

Identification of WebVPN Context at Runtime Using Certificate Map Match Rules

Support for AnyConnect Client to Implement Certificate Matching Based on Client Profile Attributes

Certificate Key Usage Matching

Extended Certificate Key Usage Matching

Certificate Distinguished Name Mapping

AnyConnect Client Support

Application ACL Support

Automatic Applet Download

Backend HTTP Proxy

Front-Door VRF Support

Full-Tunnel Cisco Express Forwarding Support

GUI Enhancements

Login Screen

Banner

Customization of a Login Page

Portal Page

Customization of a Portal Page

Internationalization

Max-User Limit Message

Netegrity Cookie-Based Single SignOn Support

NTLM Authentication

RADIUS Accounting

Stateless High Availability with Hot Standby Router Protocol

TCP Port Forwarding and Thin Client

URL Obfuscation

URL Rewrite Splitter

User-Level Bookmarking

Virtual Templates

License String Support for the 7900 VPN Client

SSL VPN DVTI Support

Prerequisites for SSL VPN DVTI Support

Restrictions for SSL VPN DVTI Support

Virtual Template Infrastructure

SSL VPN Phase-4 Features

Prerequisites for SSL VPN Phase-4 Features

Full Tunnel Package

SSL VPN per-User Statistics

DTLS Support for IOS SSL VPN

Prerequisites for DTLS Support for IOS SSL VPN

Restrictions for DTLS Support for IOS SSL VPN

Cisco AnyConnect VPN Client Full Tunnel Support

Remote Client Software from the SSL VPN Gateway

Address Pool

Address Pools for Nondirectly Connected Networks

Manual Entry to the IP Forwarding Table

Other SSL VPN Features

Platform Support

How to Configure SSL VPN Services on a Router