74-50
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Configuring Application Access
Note Browser-based VPN access does not support Windows Shares (CIFS) Web Folders on
Windows 7, Vista, Internet Explorer 8, Mac OS, and Linux. Windows XP SP2 requires a
Microsoft hotfix to support Web Folders.
Only Winsock 2, TCP-based applications are eligible for smart tunnel access.
Smart tunnel supports Mac OS running on an Intel processor only.
Java Web Start must be enabled on the browser.
Restrictions
For users of Microsoft Windows Vista who use smart tunnel or port forwarding, we recommend that
you add the URL of the ASA to the Trusted Site zone. To access the Trusted Site zone, they must
start Internet Explorer and choose the Tools > Internet Options > Security tab. Vista users can also
disable Protected Mode to facilitate smart tunnel access; however, we recommend against this
method because it increases vulnerability to attack.
Smart tunnel supports only proxies placed between computers running Microsoft Windows and the
security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended
for system-wide use in Windows). If the remote computer requires a proxy server to reach the ASA,
the URL of the terminating end of the connection must be in the list of URLs excluded from proxy
services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy,
all smart tunnel traffic goes through the proxy.
In an HTTP-based remote access scenario, sometimes a subnet does not provide user access to the
VPN gateway. In this case, a proxy placed in front of the ASA to route traffic between the web and
the end user's location provides web access. However, only VPN users can configure proxies placed
in front of the ASA. When doing so, they must make sure these proxies support the CONNECT
method. For proxies that require authentication, smart tunnel supports only the basic digest
authentication type.
When smart tunnel starts, the ASA by default passes all browser traffic through the VPN session if
the browser process is the same. The ASA also does this if a tunnel-all policy applies. If the user
starts another instance of the browser process, it passes all traffic through the VPN session. If the
browser process is the same and the security appliance does not provide access to a URL, the user
cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
A stateful failover does not retain smart tunnel connections. Users must reconnect following a
failover.
If it takes too long for smart tunnel to load, perform the following:
Clear the SSL state (with Internet Explorer, go to Tools > Internet Options > Content).
Disable the Check for server certificate revocation check box (with Internet Explorer, go to
Tools > Internet Options > Advanced > Security).
Delete cookies (with Internet Explorer, go to Tools > Internet Options > General).
The Mac version of smart tunnel does not support POST bookmarks, form-based auto sign-on, or
POST macro substitution.
Only applications started from the portal page can establish smart tunnel connections. This
requirement includes smart tunnel support for Firefox. Using Firefox to start another instance of
Firefox during the first use of a smart tunnel requires the user profile named csco_st. If this user
profile is not present, the session prompts the user to create one.