Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 70 Configuring Dynamic Access Policies
Configuring DAP Access and Authorization Policy Attributes
File Server Entry—Lets or prohibits a user from entering file server paths and names on the portal page. When enabled, places the file server entry drawer on the portal page. Users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.
HTTP Proxy—Affects the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser’s old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.
URL Entry—Allows or prevents a user from entering HTTP/HTTPS URLs on the portal page. If this feature is enabled, users can enter web addresses in the URL entry box, and use clientless SSL VPN to access those websites.
Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures the security of data transmission between the remote user PC or workstation and the ASA on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate ASA to the destination web server is not secured.
In a clientless VPN connection, the ASA acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the ASA establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, and therefore cannot examine or validate it. The current implementation of SSL VPN does not permit communication with sites that present expired certificates. Neither does the ASA perform trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.
To limit Internet access for users, choose Disable for the URL Entry field. This prevents SSL VPN users from surfing the web during a clientless VPN connection.
Unchanged—(default) Click to use values from the group policy that applies to this session.
Enable/Disable—Click to enable or disable the feature.
Auto-start—Click to enable HTTP proxy and to have the DAP record automatically start the applets associated with these features.
Port Forwarding Lists Tab—Lets you select and configure port forwarding lists for user sessions. Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.
Note: Port Forwarding does not work with some SSL/TLS versions.
Caution: Make sure Sun Microsystems Java Runtime Environment (JRE) 1.4+ is installed on the remote computers to support port forwarding (application access) and digital certificates.
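The following is an added example, not from this guide or from Cisco, showing the portal-access settings and the port forwarding list described above as an ASA CLI configuration: a permissive group policy (the weak baseline, where a clientless user may enter arbitrary URLs and file server paths and so reach sites whose certificates the browser can never inspect) beside a DAP record that disables URL Entry, File Server Entry and the HTTP Proxy and limits the session to one named port forwarding list. The command keywords are written from memory of the group-policy webvpn and dynamic-access-policy-record command sets and are an assumption to check against the CLI reference for your ASA release; ASDM writes the same attributes from the tabs this section describes. All names (Contractors, Limited-Portal, Contractor-Ports, ts.example.com, git.example.com) are placeholders.

```cisco
! Constructed example; placeholder names throughout.
!
! Global port forwarding list: local port on the user's PC -> internal server:port.
! Only the applications listed here are reachable through port forwarding,
! which is why it is the preferred way to expose fixed-port client/server apps.
webvpn
 port-forward Contractor-Ports 3389 ts.example.com 3389 Windows Terminal Services
 port-forward Contractor-Ports 2222 git.example.com 22 Secure FTP over SSH

! Weak baseline: the group policy leaves URL entry and file server entry open,
! so a clientless user can browse any site through the ASA. Because the ASA
! does not validate the server certificate chain and the browser never sees
! the certificate, the user has no way to judge the far end of that connection.
group-policy Contractors attributes
 webvpn
  url-entry enable
  file-entry enable
  http-proxy enable
  port-forward enable Contractor-Ports

! Hardened DAP record (syntax assumed from the ASA CLI). A field left
! "Unchanged" in ASDM inherits the group-policy value above, so every
! restriction is set explicitly here rather than relied on by omission.
dynamic-access-policy-record Limited-Portal
 description "Contractor sessions: no URL or file entry, port forwarding only"
 priority 10
 url-entry disable
 file-entry disable
 http-proxy disable
 port-forward auto-start Contractor-Ports
 action continue
```

When the DAP record matches a session, the user sees no URL entry box or file server drawer on the portal page and cannot surf the web through the ASA; the Java port forwarding applet for Contractor-Ports starts automatically, which still requires JRE 1.4+ on the remote computer as the Caution above states.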