Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 74 Configuring Clientless SSL VPN
Using SSL to Access the Central Site
The ASA clientless SSL VPN configuration supports only one http-proxy and one https-proxy
command each. For example, if one instance of the http-proxy command is already present in the
running configuration and you enter another, the CLI overwrites the previous instance.
Note: Proxy NTLM authentication is not supported in http-proxy. Only proxy without authentication and
basic authentication are supported.
Configuring SSL/TLS Encryption Protocols
Prerequisites
TCP Port Forwarding requires Sun Microsystems Java Runtime Environment (JRE) version 1.4.x and
1.5.x. Port forwarding does not work when a user of clientless SSL VPN connects with some SSL
versions, as follows:
Negotiate SSLv3—Java downloads
Negotiate SSLv3/TLSv1—Java downloads
Negotiate TLSv1—Java does NOT download
TLSv1 Only—Java does NOT download
SSLv3 Only—Java does NOT download
Restrictions
When you set SSL/TLS encryption protocols, be aware of the following:
Make sure that the ASA and the browser you use allow the same SSL/TLS encryption protocols.
If you configure e-mail proxy, do not set the ASA SSL version to TLSv1 Only. Microsoft Outlook
and Microsoft Outlook Express do not support TLS.
Prerequisites
Browser cookies are required for the proper operation of clientless SSL VPN.
Step 16
Command (example):
hostname(config-webvpn)# http-proxy 209.165.201.1 user jsmith password mysecretdonttell
hostname(config-webvpn)#
Purpose:
Shows how to configure use of an HTTP proxy server with an IP address of 209.165.201.1 using the
default port, sending a username and password with each HTTP request.

Step 17
Command (example):
hostname(config-webvpn)# http-proxy 209.165.201.1 exclude www.example.com username jsmith password mysecretdonttell
hostname(config-webvpn)#
Purpose:
Shows the same command, except when the ASA receives the specific URL www.example.com in an
HTTP request, it resolves the request instead of passing it on to the proxy server.

Step 18
Command (example):
hostname(config-webvpn)# http-proxy pac http://www.example.com/pac
hostname(config-webvpn)#
Purpose:
Shows how to specify a URL to serve a proxy autoconfiguration file to the browser.
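A change-review helper for the overwrite rule and the three http-proxy forms in Steps 16 to 18, added here as an example and not taken from the Cisco guide. The function names, the optional numeric port directly after the host, and the wording of the findings are assumptions of this example.

```python
# Constructed sample: the Step 16-18 commands entered in order in one webvpn session.
SAMPLE = """\
webvpn
 http-proxy 209.165.201.1 user jsmith password mysecretdonttell
 http-proxy 209.165.201.1 exclude www.example.com username jsmith password mysecretdonttell
 http-proxy pac http://www.example.com/pac
"""

def parse_http_proxy(line):
    """Parse one 'http-proxy ...' line into a dict; return None for other lines."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "http-proxy":
        return None
    if tok[1] == "pac":
        return {"mode": "pac", "pac_url": tok[2] if len(tok) > 2 else None}
    entry = {"mode": "host", "host": tok[1], "port": None,
             "exclude": None, "username": None, "password": None}
    i = 2
    if i < len(tok) and tok[i].isdigit():   # assumption: optional port follows the host
        entry["port"] = int(tok[i])
        i += 1
    while i + 1 < len(tok):                 # remaining tokens are keyword/value pairs
        key, val = tok[i], tok[i + 1]
        if key == "exclude":
            entry["exclude"] = val
        elif key in ("user", "username"):   # the page's examples use both spellings
            entry["username"] = val
        elif key == "password":
            entry["password"] = val
        i += 2
    return entry

def effective_http_proxy(config_text):
    """Only one http-proxy survives: return (last entry, number overwritten)."""
    entries = [e for e in map(parse_http_proxy, config_text.splitlines()) if e]
    return (entries[-1] if entries else None), max(len(entries) - 1, 0)

def review(entry):
    """Return review findings for one parsed entry (None yields no findings)."""
    entry, findings = entry or {}, []
    url = entry.get("pac_url") or ""
    if entry.get("password"):
        findings.append("basic-auth credentials stored in config and sent with each HTTP request")
    if entry.get("exclude"):
        findings.append("ASA resolves %s itself, bypassing the proxy" % entry["exclude"])
    if url.startswith("http://"):
        findings.append("PAC file served over plain HTTP")
    return findings
```

Running `effective_http_proxy(SAMPLE)` shows that only the PAC form remains and that the two earlier entries, including the one carrying credentials, were overwritten.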