Clientless SSL VPN enables end users to securely access
resources on the corporate network from anywhere using an SSL-enabled Web
browser. The user first authenticates with a Clientless SSL VPN gateway, which
then allows the user to access pre-configured network resources.
Security contexts (also called firewall multimode) and
Active/Active stateful failover are not supported when Clientless SSL VPN is
Clientless SSL VPN creates a
secure, remote-access VPN tunnel to an ASA using a web browser without
requiring a software or hardware client. It provides secure and easy access to
a broad range of web resources and both web-enabled and legacy applications
from almost any device that can connect to the Internet via HTTP. They include:
NT/Active Directory file shares.
email proxies, including POP3S, IMAP4S, and SMTPS.
Microsoft Outlook Web Access Exchange Server 2000, 2003, and
Microsoft Web App to Exchange Server 2010 in 8.4(2) and later.
Application Access (smart tunnel or port forwarding access to
other TCP-based applications).
Clientless SSL VPN uses the Secure Sockets Layer protocol and its
successor, Transport Layer Security (SSL/TLS), to provide the secure connection
between remote users and specific, supported internal resources that you
configure as an internal server. The ASA recognizes connections that must be
proxied, and the HTTP server interacts with the authentication subsystem to
The network administrator provides access to resources by users
of Clientless SSL VPN sessions on a group basis. Users have no direct access to
resources on the internal network.
ActiveX pages require that you enable ActiveX Relay or enter
on the associated group policy. If you do so or assign a smart
tunnel list to the policy, and the browser proxy exception list on the endpoint
specifies a proxy, the user must add a “shutdown.webvpn.relay.” entry to that
The ASA does not support clientless access to Windows Shares
(CIFS) Web Folders from Windows 7, Vista, Internet Explorer 8 to 10, Mac OS X,
Certificate authentication, including the DoD Common Access Card
and SmartCard, works with the Safari keychain only.
Even if you install a trusted certificate for clientless
connections, clients might see an untrusted certificate warning.
The ASA does not support DSA certificates for Clientless SSL VPN
connections. RSA certificates are supported.
Some domain-based security products have requirements beyond
those requests that originate from the ASA.
Configuration control inspection and other inspection features
under the Modular Policy Framework are not supported.
vpn-filter command under group policy is
for client-based access and is not supported.
Filter under Clientless SSL VPN mode in
group policy is for clientless-based access only.
Neither NAT nor PAT applies to the client.
The ASA does not support the use of the QoS rate-limiting
commands, such as
The ASA does not support the use of connection limits, checking
via the static or the Modular Policy Framework
set connection command.
When a clientless
VPN session is initiated, RADIUS accounting start messaging is generated. The
start message will not contain a Framed-IP-Address because addresses are not
assigned to clientless VPN sessions. If a Layer3 VPN connection is subsequently
initiated from the clientless portal page, an address is assigned and is
reported to the RADIUS server in an interim-update accounting message. You can
expect similar RADIUS behavior when a Layer3 VPN tunnel is established using
the weblaunch feature. In this case, the accounting start message is sent
without a framed IP address after a user is authenticated but before the Layer3
tunnel is established. This start message is followed by an interim update
message once the Layer3 tunnel is established.
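The accounting sequence described above (a Start with no Framed-IP-Address, then an Interim-Update carrying the address once a Layer 3 tunnel comes up) is the kind of thing a SOC pipeline has to handle when it maps VPN users to internal addresses. The following is an added example, not code from the Cisco guide: it parses RFC 2866 Accounting-Request packets and records, per Acct-Session-Id, which message first carried the address. The two packets are constructed for the example (authenticator zeroed, no shared-secret verification), and the user name, session ID and 192.0.2.10 address are assumptions.

```python
"""Track address assignment for VPN sessions from RADIUS accounting packets.

Added example (not from the Cisco guide). Parses RFC 2866 Accounting-Request
packets and records, per Acct-Session-Id, whether a Framed-IP-Address was
present in the Start message or only arrived in a later Interim-Update, as
happens for a clientless session that later launches a Layer 3 tunnel.
The packets below are constructed for the example; the authenticator is
zeroed because no shared secret is being verified here.
"""
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
STATUS_NAMES = {STATUS_START: "Start", STATUS_STOP: "Stop", STATUS_INTERIM: "Interim-Update"}


def build_accounting_request(ident, attrs):
    """Build a minimal Accounting-Request (constructed test input, not a real capture)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)  # 4-byte header + 16-byte authenticator + attributes
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, length) + bytes(16) + body


def parse_radius(packet):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, ident, attrs


def track_sessions(packets):
    """Map Acct-Session-Id -> {user, ip, ip_from, events} across a packet stream.

    ip_from names the Acct-Status-Type that first carried the address, so a
    clientless session that started without one and got it from an
    Interim-Update can be told apart from a session that had it at Start.
    """
    sessions = {}
    for pkt in packets:
        code, _, attrs = parse_radius(pkt)
        if code != ACCOUNTING_REQUEST:
            continue
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE][0])[0]
        sid = attrs[ATTR_ACCT_SESSION_ID][0].decode()
        sess = sessions.setdefault(sid, {"user": None, "ip": None, "ip_from": None, "events": []})
        status_name = STATUS_NAMES.get(status, str(status))
        sess["events"].append(status_name)
        if ATTR_USER_NAME in attrs:
            sess["user"] = attrs[ATTR_USER_NAME][0].decode()
        if ATTR_FRAMED_IP_ADDRESS in attrs and sess["ip"] is None:
            sess["ip"] = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP_ADDRESS][0])
            sess["ip_from"] = status_name
    return sessions


# Constructed packets (assumed user/session values): a clientless Start with no
# address, then the Interim-Update sent once a Layer 3 tunnel is established.
SAMPLE_PACKETS = [
    build_accounting_request(1, [
        (ATTR_USER_NAME, b"jdoe"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START)),
        (ATTR_ACCT_SESSION_ID, b"0A000001"),
    ]),
    build_accounting_request(2, [
        (ATTR_USER_NAME, b"jdoe"),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS_INTERIM)),
        (ATTR_ACCT_SESSION_ID, b"0A000001"),
        (ATTR_FRAMED_IP_ADDRESS, bytes([192, 0, 2, 10])),  # RFC 5737 documentation range
    ]),
]

if __name__ == "__main__":
    for sid, s in track_sessions(SAMPLE_PACKETS).items():
        print(sid, s["user"], s["ip"], "assigned in", s["ip_from"], s["events"])
```

The practical point is that a correlation rule keyed only on Start messages will never see an address for a clientless user; the tracker keeps the session open and takes the address from whichever later message carries it.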
When you have several group policies configured for the
clientless portal, they are displayed in a drop-down on the logon page. When
the first group policy in the list requires a certificate, then the user must
have a matching certificate. If some of your group policies do not use
certificates, you must configure the list to display a non-certificate policy
first. Alternatively, you may want to create a dummy group policy with the name
You can control which policy is displayed first by naming your
group policies alphabetically, or prefix them with numbers. For example, 1-AAA,
Licensing for Clientless SSL VPN
Use of the AnyConnect Secure Mobility Client requires that you purchase either an AnyConnect Plus or an AnyConnect Apex license. The license(s) required depend on the AnyConnect VPN Client and Secure Mobility features that you plan to use, and the number of sessions that you want to support. These user-based licenses include access to support and software updates to align with general BYOD trends.
AnyConnect 4.4 licenses are used with ASA (and also ISR, CSR, and ASR), as well as other non-VPN headends such as Identity Services Engine (ISE), Cloud Web Security (CWS), and Web Security Appliance (WSA). A consistent model is used regardless of the headend, so there is no impact when headend migrations occur.