69-12
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Group Policies
Smart Tunnel Policy—Choose from the network list and specify one of the tunnel options: use
smart tunnel for the specified network, do not use smart tunnel for the specified network, or use
tunnel for all network traffic. Assigning a smart tunnel network to a group policy or username
enables smart tunnel access for all users whose sessions are associated with the group policy or
username but restricts smart tunnel access to the applications specified in the list. To view, add,
modify, or delete a smart tunnel list, click Manage.
Smart Tunnel Application—Choose from the drop-down menu to connect a Winsock 2,
TCP-based application installed on the end station to a server on the intranet. To view, add,
modify, or delete a smart tunnel application, click Manage.
Smart Tunnel all Applications—Check this check box to tunnel all applications. All
applications are tunneled without choosing from the network list or knowing which executables
an end user may invoke for external applications.
Auto Start—Check this check box to start smart tunnel access automatically upon user login.
This automatic start applies only to Windows. Uncheck the
check box to enable smart tunnel access upon user login but require the user to start it manually,
using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN Portal
Page.
Auto Sign-on Server List—Choose the list name from the drop-down menu if you want to
reissue the user credentials when the user establishes a smart tunnel connection to a server. Each
smart tunnel auto sign-on list entry identifies a server with which to automate the submission
of user credentials. To view, add, modify, or delete a smart tunnel auto sign-on list, click
Manage.
Windows Domain Name (Optional)—Specify the Windows domain to add it to the username
during auto sign-on, if the universal naming convention (domain\username) is required for
authentication. For example, enter CISCO to specify CISCO\qa_team when authenticating for
the username qa_team. You must also check the “Use Windows domain name with user name”
option when configuring associated entries in the auto sign-on server list.
ActiveX Relay—Lets Clientless users launch Microsoft Office applications from the browser. The
applications use the session to download and upload Microsoft Office documents. The ActiveX relay
remains in force until the Clientless SSL VPN session closes.
More Options:
HTTP Proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy
is useful for technologies that interfere with proper content transformation, such as Java, ActiveX,
and Flash. It bypasses mangling while ensuring the continued use of the security appliance.
The forwarded proxy automatically modifies the old browser proxy configuration and redirects all
HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side
technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it
supports is Microsoft Internet Explorer.
Auto Start (HTTP Proxy)—Check to enable HTTP Proxy automatically upon user login. Uncheck
to enable smart tunnel access upon user login, but require the user to start it manually.
HTTP Compression—Enables compression of HTTP data over the Clientless SSL VPN session.
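The ASDM fields above expressed as ASA CLI, as an added example that is not part of the original guide. It scopes smart tunnel access to one named application and one network instead of tunneling all applications. The group policy name, list names, executable and addresses are constructed placeholders, and exact keyword support depends on the ASA release, so confirm each command with the CLI help before applying it.

```cisco
! Added example. Constructed names: apps-finance, intranet-sso, corp-net,
! GP-Clientless. The executable and all addresses are placeholders.
webvpn
 ! Smart Tunnel Application list: one Winsock 2, TCP-based application
 smart-tunnel list apps-finance ledger ledger.exe platform windows
 ! Auto Sign-on Server List entry. use-domain corresponds to the
 ! "Use Windows domain name with user name" option on the entry.
 smart-tunnel auto-signon intranet-sso use-domain ip 10.10.20.0 255.255.255.0
 ! Network list referenced by the Smart Tunnel Policy
 smart-tunnel network corp-net ip 10.10.0.0 255.255.0.0
!
group-policy GP-Clientless attributes
 webvpn
  ! Smart Tunnel Policy: use smart tunnel for the specified network only
  smart-tunnel tunnel-policy tunnelspecified corp-net
  ! Application list with Auto Start unchecked: the user starts it from
  ! Application Access > Start Smart Tunnels on the portal page.
  ! Use "smart-tunnel auto-start apps-finance" for Auto Start (Windows only).
  smart-tunnel enable apps-finance
  ! Auto sign-on list with the Windows domain added (CISCO\username)
  smart-tunnel auto-signon enable intranet-sso domain CISCO
  ! ActiveX Relay, HTTP Proxy and HTTP Compression settings
  activex-relay enable
  http-proxy enable
  http-comp gzip
```

After applying, `show running-config group-policy GP-Clientless` shows which of these attributes the policy sets explicitly and which it inherits.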
Modes
The following table shows the modes in which this feature is available: