74-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Observing Clientless SSL VPN Security Precautions
DSA certificates. The ASA does support RSA certificates.
Remote HTTPS certificates.
Requirements of some domain-based security products. Because the ASA encodes the URL,
requests actually originate from the ASA, which in some cases do not satisfy the requirements of
domain-based security products.
Inspection features under the Modular Policy Framework, inspecting configuration control.
Functionality the filter configuration commands provide, including the vpn-filter command.
VPN connections from hosts with IPv6 addresses. Hosts must use IPv4 addresses to establish
clientless SSL VPN or AnyConnect sessions. However, beginning with ASA 8.0(2), users can use
these sessions to access internal IPv6-enabled resources.
NAT, reducing the need for globally unique IP addresses.
PAT, permitting multiple outbound sessions appear to originate from a single IP address.
QoS, rate limiting using the police command and priority-queue command.
Connection limits, checking either via the static or the Modular Policy Framework set connection
command.
The established command, allowing return connections from a lower security host to a higher
security host if there is already an established connection from the higher level host to the lower
level host.
Single sign-on application integration (such as SiteMinder) because smart tunnel effectively creates
a tunnel between the client and the server, and these applications interfere with ASA working as
expected.
Observing Clientless SSL VPN Security Precautions
Clientless SSL VPN connections on the ASA differ from remote access IPsec connections, particularly
with respect to how they interact with SSL-enabled servers, and precautions to follow to reduce security
risks.
In a clientless SSL VPN connection, the ASA acts as a proxy between the end user web browser and
target web servers. When a user connects to an SSL-enabled web server, the ASA establishes a secure
connection and validates the server SSL certificate. The browser never receives the presented certificate,
so it cannot examine and validate the certificate.
The current implementation of clientless SSL VPN on the ASA does not permit communication with
sites that present expired certificates. Nor does the ASA perform trusted CA certificate validation to
those SSL-enabled sites. Therefore, users do not benefit from certificate validation of pages delivered
from an SSL-enabled web server before they use a web-enabled service.
Restrictions
By default, the ASA permits all portal traffic to all web resources (e.g., HTTPS, CIFS, RDP, and
plug-ins). The ASA clientless service rewrites each URL to one that is meaningful only to itself; the user
cannot use the rewritten URL displayed on the page accessed to confirm that they are on the site they
requested. To avoid placing users at risk, assign a web ACL to the policies configured for clientless
access – group-policies, dynamic access policies, or both – to control traffic flows from the portal. For
example, without such an ACL, users could receive an authentication request from an outside fraudulent
banking or commerce site. Also, we recommend disabling URL Entry on these policies to prevent user
confusion over what is accessible.