Criteria ID
|
The AAA and endpoint selection attribute names that are available for dynamic access policy use.
|
Content
|
Values of the AAA and endpoint attributes criteria that the security appliance uses for selecting and applying a dynamic access
policy record during session establishment. Attribute values that you configure here override authorization values in the
AAA system, including those in existing group policy, tunnel group, and default group records.
|
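The selection and override behaviour described in the Content row, as an added Python example. This is not Security Manager or ASA code: it models a DAP record as a set of AAA criteria, endpoint criteria and attribute values, selects the records whose criteria are all satisfied by the session, and applies their attribute values on top of the group policy. Record names, attribute keys (modelled on the aaa./endpoint. naming style) and all session values are constructed for illustration; an attribute left Unchanged in the record is simply absent from its attribute dict.

```python
# Added example, not Security Manager or ASA code. Models how DAP criteria
# select records for a session and how a selected record's attribute values
# override the group policy. Record names, attribute keys and session values
# are constructed for illustration; attributes left "Unchanged" are simply
# absent from a record's attribute dict, so the group-policy value survives.
from dataclasses import dataclass, field
from typing import Any


@dataclass
class DapRecord:
    name: str
    aaa_criteria: dict[str, Any] = field(default_factory=dict)
    endpoint_criteria: dict[str, Any] = field(default_factory=dict)
    attributes: dict[str, Any] = field(default_factory=dict)  # values that override
    user_message: str = ""


def criteria_match(criteria: dict[str, Any], session: dict[str, Any]) -> bool:
    """Every criterion must be satisfied. A multi-valued session attribute
    (e.g. several memberOf groups) matches when the wanted value is one of them."""
    for key, wanted in criteria.items():
        if key not in session:
            return False
        have = session[key]
        if isinstance(have, (list, tuple, set)):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True


def select_records(records, aaa_attrs, endpoint_attrs):
    """Records whose AAA and endpoint criteria both match the session."""
    return [r for r in records
            if criteria_match(r.aaa_criteria, aaa_attrs)
            and criteria_match(r.endpoint_criteria, endpoint_attrs)]


def evaluate_session(records, group_policy, aaa_attrs, endpoint_attrs):
    """Return the selected record names, the effective attributes (group policy
    with DAP overrides applied) and every selected record's user message."""
    selected = select_records(records, aaa_attrs, endpoint_attrs)
    effective = dict(group_policy)
    for rec in selected:
        effective.update(rec.attributes)  # DAP values win over group policy
    return {
        "records": [r.name for r in selected],
        "attributes": effective,
        "user_messages": [r.user_message for r in selected if r.user_message],
    }


# Constructed records and group policy (hypothetical names and values).
RECORDS = [
    DapRecord(
        name="CONTRACTOR_NO_AV",
        aaa_criteria={"aaa.ldap.memberOf": "Contractors"},
        endpoint_criteria={"endpoint.av.exists": False},
        attributes={"network_acl": "DAP_REMEDIATION_ONLY",
                    "url_entry": "disable", "action": "quarantine"},
        user_message="Antivirus not detected; only remediation servers are reachable.",
    ),
    DapRecord(
        name="EMPLOYEE_COMPLIANT",
        aaa_criteria={"aaa.ldap.memberOf": "Employees"},
        endpoint_criteria={"endpoint.av.exists": True},
        attributes={"network_acl": "DAP_FULL_ACCESS"},  # url_entry etc. Unchanged
    ),
]
GROUP_POLICY = {"network_acl": "GP_DEFAULT", "url_entry": "enable",
                "file_browsing": "enable", "action": "continue"}

if __name__ == "__main__":
    print(evaluate_session(RECORDS, GROUP_POLICY,
                           {"aaa.ldap.memberOf": ["Contractors", "VPN-Users"]},
                           {"endpoint.av.exists": False}))
```

A contractor session without antivirus selects CONTRACTOR_NO_AV, so its network ACL, URL entry and action replace the group-policy values while file browsing, which the record leaves Unchanged, is inherited from the group policy. A session that matches no record keeps the group policy untouched.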
Create button
|
Click this button to configure AAA and endpoint attributes as selection criteria for the DAP record. See Add/Edit DAP Entry Dialog Box.
|
Edit button
|
Click this button to edit the selected dynamic access policy. See Add/Edit DAP Entry Dialog Box.
|
Delete button
|
Click this button to delete the selected dynamic access policies.
|
Access Method
|
Specify the type of remote access permitted:
-
Unchanged—Continue with the current remote access method.
-
AnyConnect Client—Connect using the Cisco AnyConnect VPN Client.
-
Web Portal—Connect with clientless VPN.
-
Both default Web Portal—Connect via either clientless or the AnyConnect client, with a default of clientless.
-
Both default AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect.
|
Network ACL tab—Lets you select and configure network ACLs to apply to this dynamic access policy. An ACL for a dynamic access
policy can contain permit or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance
rejects it.
|
Network ACL
|
Lists the Access Control Lists (ACLs) that will be used to restrict user access to the SSL VPN.
Beginning with Security Manager version 4.10, Network ACL supports IPv6 entries. IPv6 entries require devices running
ASA software version 9.0 or later. This applies to both Network ACL and Web Type ACL.
Click the Select button to open the Access Control Lists Selector from which you can make your selection. The ACL contains conditions that
describe a traffic stream of packets, and actions that describe what should occur based on those conditions. Only ACLs having
all permit or all deny rules are eligible.
Network ACL is supported by Security Manager version 4.12 onwards for Multi-Context ASA version 9.6(2) or later devices.
|
AnyConnect tab—Lets you choose whether the Always-On VPN setting in the AnyConnect service profile remains unchanged, is disabled,
or the AnyConnect Profile Setting must be used. Always-On VPN enables AnyConnect to automatically establish a VPN session
after you log onto the system.
|
Custom Attributes tab—Lists the AnyConnect Custom Attribute Type and Custom Attribute Name. AnyConnect custom attributes allow
for a more expeditious delivery and deployment of new endpoint features by giving the ASA the ability to generically support
the addition of new client controls without the need for an ASA software upgrade. Beginning with version 4.7, Security Manager
enables you to add Custom Attribute Data to an existing Custom Attribute Type. This feature is supported for devices that are
running ASA software version 9.3(1) or later.
|
Attribute Type
|
Select the Attribute Type that you configured in Add/Edit AnyConnect Custom Attribute Dialog Box page.
|
Attribute Name
|
Select the Attribute Name that you configured in Add/Edit AnyConnect Custom Attribute Dialog Box page.
|
WebType ACL tab—Lets you select and configure web-type ACLs to apply to this dynamic access policy. An ACL for a dynamic access
policy can contain only permit or deny rules. If an ACL contains both permit and deny rules, the security appliance rejects
it.
|
Web Type ACL
|
Specifies the WebType access control list that will be used to restrict user access to the SSL VPN.
Click the Select button to open the Access Control Lists Selector from which you can make your selection. Only ACLs having all permit or all
deny rules are eligible. Beginning with version 4.10, you can enter IPv6 values for the Web Type ACL.
|
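Both the Network ACL and the Web Type ACL rows state the same eligibility rule: an ACL attached to a DAP record must be all permit or all deny, and the appliance rejects one that mixes the two. The following added Python example, which is not Security Manager or ASA code, parses ASA access-list lines and reports which ACLs are eligible. The sample configuration is constructed; ACL names, addresses and URLs are hypothetical, and the extended/standard/webtype keywords and permit/deny actions follow ASA access-list syntax, with remark lines ignored.

```python
# Added example, not Security Manager or ASA code. Checks ASA ACLs for the DAP
# eligibility rule on this page: every ACE in an ACL must be permit, or every
# ACE must be deny; an ACL with both is rejected by the security appliance.
# The access-list lines below are constructed sample configuration.
import re
from collections import defaultdict

# access-list NAME [line N] {extended|standard|webtype} {permit|deny} ...
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?"
    r"(?P<kind>extended|standard|webtype)\s+(?P<action>permit|deny)\b",
    re.IGNORECASE,
)


def acl_actions(config_text: str) -> dict[str, set[str]]:
    """Map each ACL name to the set of actions its ACEs use.
    Remark lines and anything that is not an ACE are ignored."""
    actions: dict[str, set[str]] = defaultdict(set)
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            actions[m["name"]].add(m["action"].lower())
    return dict(actions)


def dap_eligibility(config_text: str) -> dict[str, str]:
    """ACL name -> 'permit-only', 'deny-only' or 'mixed' (mixed is rejected)."""
    result = {}
    for name, acts in acl_actions(config_text).items():
        result[name] = "mixed" if len(acts) > 1 else f"{next(iter(acts))}-only"
    return result


def eligible_acls(config_text: str) -> list[str]:
    """Names of the ACLs that a DAP record may reference."""
    return sorted(n for n, s in dap_eligibility(config_text).items() if s != "mixed")


# Constructed sample: one permit-only network ACL with an IPv4 and an IPv6 ACE,
# one mixed ACL of the common "deny a subnet, then permit any" shape, and one
# deny-only webtype ACL.
SAMPLE_CONFIG = """\
access-list DAP_INTERNAL_ONLY extended permit tcp any 10.10.0.0 255.255.0.0 eq 443
access-list DAP_INTERNAL_ONLY extended permit tcp any6 2001:db8:10::/48 eq 443
access-list DAP_INTERNAL_ONLY remark IPv6 ACEs need Security Manager 4.10+ and ASA 9.0+
access-list DAP_REMEDIATION extended deny ip any 10.10.50.0 255.255.255.0
access-list DAP_REMEDIATION extended permit ip any any
access-list WEB_NO_INTRANET webtype deny url https://intranet.example.com/*
access-list WEB_NO_INTRANET webtype deny url cifs://files.example.com/*
"""

if __name__ == "__main__":
    for name, status in dap_eligibility(SAMPLE_CONFIG).items():
        print(f"{name}: {status}")
```

DAP_REMEDIATION is the case that catches people: a deny followed by permit any is a perfectly good interface ACL, but the appliance will reject it as a DAP ACL, so it has to be expressed as a deny-only or permit-only list before the record is deployed.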
Functions tab—Lets you configure file server entry and browsing, HTTP proxy, and URL entry for the dynamic access policy.
|
File Server Browsing
|
Specify the file server browsing setting to be configured on the portal page:
-
Unchanged—Uses values from the group policy that applies to this session.
-
Enable—Enables CIFS browsing for file servers or shared features.
-
Disable—Disables CIFS browsing for file servers or shared features.
Note
|
Browsing requires NBNS (Master Browser or WINS). If NBNS fails or is not configured, the security appliance falls back to DNS.
The CIFS browse feature does not support internationalization.
|
|
File Server Entry
|
Specify the file server entry setting to be configured on the portal page.
When enabled, this places the file server entry drawer on the portal page. Users can enter pathnames to Windows files directly.
They can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured
for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending
on network requirements.
|
HTTP Proxy
|
Specify how you want the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to
HTTP and HTTPS proxy servers.
The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash.
It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's
old proxy configuration and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all
client-side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft
Internet Explorer.
|
URL Entry
|
Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures the security of data transmission
between the remote user’s PC or workstation and the security appliance on the corporate network. If a user then accesses a
non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security
appliance to the destination web server is not secured.
In a clientless VPN connection, the security appliance acts as a proxy between the end user web browser and target web servers.
When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the
server SSL certificate. The end user browser never receives the presented certificate and therefore cannot examine and validate
it. The current implementation of SSL VPN does not permit communication with sites that present expired certificates.
Nor does the security appliance perform trusted CA certificate validation. Therefore, users cannot analyze the certificate
an SSL-enabled web server presents before communicating with it.
Specify how the URL entry setting must be configured on the portal page:
-
Unchanged—Uses values from the group policy that applies to this session.
-
Enable—Allows a user to enter HTTP/HTTPS URLs on the portal page. If this feature is enabled, users can enter web addresses
in the URL entry box, and use clientless SSL VPN to access those websites.
-
Disable—Prevents a user from entering HTTP/HTTPS URLs on the portal page.
Note
|
To limit Internet access for users, select Disable for the URL Entry field. This prevents SSL VPN users from surfing the Web during a clientless VPN connection.
|
|
Port Forwarding tab—Lets you select and configure port forwarding lists for user sessions.
Note
|
Port Forwarding does not work with some SSL/TLS versions.
|
Caution
|
Make sure Sun Microsystems Java Runtime Environment (JRE) 1.4+ is installed on the remote computers to support port forwarding
(application access) and digital certificates.
|
|
Port Forwarding
|
Select an option for the port forwarding lists that apply to this DAP record:
-
Unchanged—Removes the attributes from the running configuration.
-
Enable—Enables port forwarding on the device.
-
Disable—Disables port forwarding on the device.
-
Auto-start—Enables port forwarding and has the DAP record automatically start the port forwarding applets associated with its port
forwarding lists.
|
Port Forwarding List
|
The Port Forwarding List defines the mapping of a port number on the client machine to the application's IP address
and port behind the SSL VPN gateway.
You can click Select to open the Port Forwarding List Selector, from which you can select the required Port Forwarding List from the list of Port
Forwarding List objects.
|
Bookmark tab—Lets you enable and configure SSL VPN bookmarks. When enabled, users who successfully log into the SSL VPN are
presented with the portal page containing the list of defined bookmarks. These bookmarks enable users to access resources
available on SSL VPN websites in Clientless access mode.
|
Enable Bookmarks
|
Specify the bookmark setting to be configured on the portal page:
-
Unchanged—Uses values from the group policy that applies to this session.
-
Enable—Enables bookmarks on the SSL VPN portal page.
-
Disable—Disables bookmarks on the SSL VPN portal page.
|
Bookmarks
|
A list of websites that will be displayed on the portal page as a bookmark to enable users to access the resources available
on the SSL VPN websites.
You can click Select to open the Bookmarks Selector from which you can select the required bookmark from a list or create a new bookmark, as desired.
|
Action tab—Specifies special processing to apply to a specific connection or session.
Action Tab is supported by Security Manager version 4.12 onwards for Multi-Context ASA version 9.6(2) or later devices.
Select one of the following options from the drop-down list:
|
Continue
|
(Default) When selected, the session continues; the access policy attributes are applied to the session and it keeps
running.
|
Quarantine
|
When selected, quarantines the session.
By selecting quarantine, you can restrict a particular client who already has an established tunnel through a VPN. Restricted
ACLs are applied to a session to form a restricted group, based on the selected DAP record. When an endpoint is not compliant
with an administratively defined policy, the user can still access services for remediation (such as updating the antivirus
and so on), but restrictions are placed upon the user. After the remediation occurs, the user can reconnect, which invokes
a new posture assessment. If this assessment passes, the user connects.
Note
|
This parameter requires an AnyConnect release that supports AnyConnect Secure Mobility features.
|
|
Terminate
|
When selected, terminates the session.
|
User Message
|
Enter a text message to display on the portal page when this DAP record is selected. Maximum 128 characters. A user message
displays as a yellow orb. When a user logs on it blinks three times to attract attention, and then it is still. If several
DAP records are selected, and each of them has a user message, all user messages display.
Note
|
You can include URLs or other embedded text in such messages, which requires that you use the correct HTML tags. For example:
All contractors please read <a href='http://wwwin.abc.com/procedure.html'>Instructions</a> for the procedure to upgrade your
antivirus software.
|
Note
|
User Message is supported from Security Manager version 4.12 for ASA devices running version 9.6(2) or later in Multi-context
mode.
|
|