ActiveX pages require that you enable ActiveX Relay or enter
on the associated group policy. If you do so or assign a smart
tunnel list to the policy, and the browser proxy exception list on the endpoint
specifies a proxy, the user must add a “shutdown.webvpn.relay.” entry to that
The ASA does not support clientless access to Windows
Shares (CIFS) Web Folders from Windows 7, Vista, Internet Explorer 8 to 10,
Mac OS X, or Linux.
Certificate authentication, including the DoD Common Access Card
and SmartCard, works with the Safari keychain only.
Even if you install a trusted certificate for clientless
connections, clients might see an untrusted certificate warning.
The ASA does not support DSA certificates for Clientless SSL VPN
connections. RSA certificates are supported.
Some domain-based security products have requirements beyond
those requests that originate from the ASA.
Configuration control inspection and other inspection features
under the Modular Policy Framework are not supported.
vpn-filter command under group policy is
for client-based access and is not supported.
Filter under Clientless SSL VPN mode in
group policy is for clientless-based access only.
Neither NAT or PAT is applicable to the client.
The ASA does not support the use of the QoS rate-limiting
commands, such as
The ASA does not support the use of connection limits, checking
via the static or the Modular Policy Framework
set connection command.
Because AnyConnect works on lower network layers without a dependency to web content, we
recommend that you configure AnyConnect on ASA to access web applications
that seem unsupported with clientless
Some components of Clientless SSL VPN require the Java Runtime Environment (JRE). With Mac OS X v10.7 and later, Java is not
installed by default. For details of how to install Java on Mac OS X, see http://java.com/en/download/faq/java_mac.xml.
When a clientless VPN session is initiated, RADIUS accounting start messaging is generated. The start message will not contain
a Framed-IP-Address because addresses are not assigned to clientless VPN sessions. If a Layer3 VPN connection is subsequently
initiated from the clientless portal page, an address is assigned and is reported to the RADIUS server in an interim-update
accounting message. You can expect similar RADIUS behavior when a Layer3 VPN tunnel is established using the weblaunch feature.
In this case, the accounting start message is sent without a framed IP address after a user is authenticated but before the
Layer3 tunnel is established. This start message is followed by an interim update message once the Layer3 tunnel is established.
HTML pages must abide by RFC 2616. Any empty line after a header is
interpreted as the start of the body. Thus, if you insert empty lines
between headers, some headers might appear in the body, and users might need
to refresh their windows to correct page problems.
The clientless WebVPN Java rewriter, which is used for Java code processing, does not
support Oracle Forms.
Clientless WebVPN does not support spaces between chunk-size and CRLF in the server's responses, as ASA does not expect spaces
in chunk-size and is not able to put chunks together.
Content Security Policy (CSP) is not supported.
Angular custom event listeners and location changes may not work properly using Clientless WebVPN rewriter.
Clientless WebVPN does not have support for Cross-Origin Resource Sharing (CORS) filters on the server-side.
According to the WebVPN architecture, Fetch API is not supported.
Clientless WebVPN doesn't share MDM attributes with a RADIUS server when
When you have several group policies configured for the
clientless portal, they are displayed in a drop-down on the logon page. When
the first group policy in the list requires a certificate, then the user
must have a matching certificate. If some of your group policies do not use
certificates, you must configure the list to display a non-certificate
policy first. Alternatively, you may want to create a dummy group policy
with the name “0-Select-a-group.”
You can control which policy is displayed first by
naming your group polices alphabetically, or prefix them with numbers.
For example, 1-AAA, 2-Certificate.
Links to pages on another server must be routable from the ASA, or the user
might see the following error. Ensure that your links are usable, and are
not blocked by access control rules, SSL configuration, or other firewall
features, and that there is a route to the server.
Connection failed, Server "<DNS name>" unavailable.