Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Clientless SSL VPN Access
Step 5 Disable URL entry on the portal page, the page that opens upon the establishment of a browser-based
connection. To do so, click Disable next to URL Entry on both the group policy Portal frame and the
DAP Functions tab. To disable URL entry on a DAP, use ASDM to edit the DAP record, click the
Functions tab, and check Disable next to URL Entry.
Step 6 Instruct users to enter external URLs in the native browser address field above the portal page or open a
separate browser window to visit external sites.
Configuring Clientless SSL VPN Access
On the Clientless SSL VPN Access pane, you can do the following:
• Enable or disable ASA interfaces for clientless SSL VPN sessions.
• Choose a port for clientless SSL VPN connections.
• Set a global timeout value for clientless SSL VPN sessions.
• Set a maximum number of simultaneous clientless SSL VPN sessions.
• Configure the amount of ASA memory that clientless SSL VPN can use.
Detailed Steps
Step 1 Choose the Configuration > VPN > General > Group Policy > Add/Edit > WebVPN pane. Then
choose the Configuration > Properties > Device Administration > User Accounts > VPN Policy
pane to assign the group policy to a user.
Step 2 Enable or disable clientless SSL VPN connections on configured ASA interfaces.
The Interface field displays the names of all configured interfaces. The WebVPN Enabled field displays
the current status for clientless SSL VPN on the interface. (A green check next to Yes indicates that
clientless SSL VPN is enabled. A red circle next to No indicates that clientless SSL VPN is disabled.)
Step 3 Enter the port number that you want to use for clientless SSL VPN sessions. The default port is 443, for
HTTPS traffic; the range is 1 through 65535. If you change the port number, all current clientless SSL
VPN connections terminate, and current users must reconnect. You also lose connectivity to ASDM, and
a prompt displays, inviting you to reconnect.
Step 4 Enter the amount of time, in seconds, that a clientless SSL VPN session can be idle before the ASA
terminates it. This value applies only if the Idle Timeout value in the group policy for the user is set to
zero (0), which means there is no timeout value; otherwise the group policy Idle Timeout value takes
precedence over the timeout you configure here. The minimum value you can enter is 1 minute. The
default is 30 minutes (1800 seconds). Maximum is 24 hours (86400 seconds).
We recommend that you set this attribute to a short time period. A browser set to disable cookies (or one
that prompts for cookies and then denies them) can result in a user not connecting but nevertheless
appearing in the sessions database. If the Simultaneous Logins attribute for the group policy is set to one,
the user cannot log back in because the database indicates that the maximum number of connections
already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in
again.
Step 5 Enter the maximum number of clientless SSL VPN sessions you want to allow. Be aware that the
different ASA models support clientless SSL VPN sessions as follows: ASA 5510 supports a maximum
of 250; ASA 5520 maximum is 750; ASA 5540 maximum is 2500; ASA 5550 maximum is 5000.
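
The following audit sketch is an added example, not part of the Cisco guide or of ASDM. It applies the rules from Steps 3 through 5 to a set of exported values: the port and timeout ranges, the per-model session limits, and the precedence of the group policy Idle Timeout over the global timeout, flagging policies where Simultaneous Logins is one and a phantom session would block the user for a long time. The field names, the sample policies and the review threshold (anything above the 1800-second default) are assumptions, and both timeouts are assumed to have been converted to seconds.

```python
# Added example: audit of the settings from Steps 3-5. Field names, the sample
# values and the review threshold are constructed, not ASA or ASDM identifiers.
MODEL_MAX_SESSIONS = {"ASA 5510": 250, "ASA 5520": 750,
                      "ASA 5540": 2500, "ASA 5550": 5000}
MIN_TIMEOUT_S, DEFAULT_TIMEOUT_S, MAX_TIMEOUT_S = 60, 1800, 86400


def effective_idle_timeout(global_timeout_s, policy_idle_timeout_s):
    """Group policy Idle Timeout takes precedence unless it is 0 (no timeout)."""
    return policy_idle_timeout_s if policy_idle_timeout_s != 0 else global_timeout_s


def audit(model, port, global_timeout_s, max_sessions, policies,
          review_above_s=DEFAULT_TIMEOUT_S):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    if not 1 <= port <= 65535:
        findings.append(f"port {port} is outside 1-65535")
    if not MIN_TIMEOUT_S <= global_timeout_s <= MAX_TIMEOUT_S:
        findings.append(f"global idle timeout {global_timeout_s}s is outside "
                        f"{MIN_TIMEOUT_S}-{MAX_TIMEOUT_S}s")
    limit = MODEL_MAX_SESSIONS.get(model)
    if limit is None:
        findings.append(f"no session limit listed for model {model!r}")
    elif max_sessions > limit:
        findings.append(f"max sessions {max_sessions} exceeds the {model} limit of {limit}")
    for name, policy in policies.items():
        timeout_s = effective_idle_timeout(global_timeout_s, policy["idle_timeout_s"])
        # Phantom-session exposure: with Simultaneous Logins set to one, a stale
        # session blocks the user's next login until the idle timeout removes it.
        if policy["simultaneous_logins"] == 1 and timeout_s > review_above_s:
            findings.append(f"{name}: one login allowed, effective idle timeout "
                            f"{timeout_s}s; a phantom session can block login that long")
    return findings


# Constructed sample: three group policies on an ASA 5510.
SAMPLE_POLICIES = {
    "sales": {"idle_timeout_s": 0, "simultaneous_logins": 1},    # inherits global
    "eng": {"idle_timeout_s": 600, "simultaneous_logins": 1},    # own short timeout
    "ops": {"idle_timeout_s": 0, "simultaneous_logins": 3},      # several logins
}

if __name__ == "__main__":
    for finding in audit("ASA 5510", 443, 7200, 300, SAMPLE_POLICIES):
        print(finding)
```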