Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Prerequisites for Clientless SSL VPN
See the Supported VPN Platforms, Cisco ASA 5500 Series for the platforms and browsers supported by
ASA Release 8.4.
Guidelines and Limitations
This section includes the guidelines and limitations of this feature.
ActiveX pages require that you enable ActiveX Relay or enter activex-relay on the associated group
policy. If you do so or assign a smart tunnel list to the policy, and the browser proxy exception list on
the endpoint specifies a proxy, the user must add a “shutdown.webvpn.relay.” entry to that list.
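The guideline above refers to two group-policy settings without showing them. The following is an added example, not configuration taken from the Cisco guide: the group-policy name clientless-gp, the smart tunnel list name intranet-apps and the winword.exe application entry are assumed for illustration. Either of the two settings under the webvpn attributes is enough to make the endpoint proxy-exception entry necessary.

```cisco
! Added example, not from the Cisco guide; the names used here are assumed.
! Smart tunnel lists are defined in webvpn configuration mode.
webvpn
 smart-tunnel list intranet-apps winword winword.exe
!
! Group policy for the clientless users. Enabling ActiveX relay, or assigning
! a smart tunnel list, is what requires the "shutdown.webvpn.relay." entry in
! the browser proxy exception list when that list names a proxy server.
group-policy clientless-gp attributes
 webvpn
  activex-relay enable
  smart-tunnel enable intranet-apps
```

When either activex-relay enable or smart-tunnel enable is present in the policy, check the endpoint's browser proxy settings as part of rollout: if a proxy is configured there, the user has to add shutdown.webvpn.relay. to the proxy exception (bypass) list, as the guideline states.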
The ASA supports clientless access to Lotus iNotes 8.5.
The ASA does not support clientless access to Windows Shares (CIFS) Web Folders from Windows 7,
Vista, Internet Explorer 8, Mac OS, and Linux. Windows XP SP2 requires a Microsoft hotfix to support
Web Folders.
The ASA does not support the following features for clientless SSL VPN connections:
DSA certificates. The ASA does support RSA certificates.
Remote HTTPS certificates.
Requirements of some domain-based security products. Because the ASA encodes the URL,
requests actually originate from the ASA, which in some cases does not satisfy the requirements of
domain-based security products.
Inspection features under the Modular Policy Framework, inspecting configuration control.
VPN connections from hosts with IPv6 addresses. Hosts must use IPv4 addresses to establish
clientless SSL VPN or AnyConnect sessions. However, beginning with ASA 8.0(2), users can use
these sessions to access internal IPv6-enabled resources.
NAT, reducing the need for globally unique IP addresses.
PAT, permitting multiple outbound sessions to appear to originate from a single IP address.
QoS, rate limiting using the police command and priority-queue command.
Connection limits, checking either via the static or the Modular Policy Framework set connection
command.
Single sign-on application integration (such as SiteMinder), because smart tunnel
effectively creates a tunnel between the client and the server, and these applications interfere with
the ASA working as expected.
Observing Clientless SSL VPN Security Precautions
Clientless SSL VPN connections on the ASA differ from remote access IPsec connections, particularly
with respect to how they interact with SSL-enabled servers, and precautions to follow to reduce security
risks.
In a clientless SSL VPN connection, the ASA acts as a proxy between the end user web browser and
target web servers. When a user connects to an SSL-enabled web server, the ASA establishes a secure
connection and validates the server SSL certificate. The browser never receives the presented certificate,
so it cannot examine and validate the certificate.