Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505

72-27

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter72 Configuring Clientless SSL VPN

Configuring Browser Access to Plug-ins

A browser plug-in is a separate program that a web browser invokes to perform a dedicated function,

such as connect a client to a server within the browser window. The ASA lets you import plug-ins for

download to remote browsers in clientless SSL VPN sessions. Of course, Cisco tests the plug-ins it

redistributes, and in some cases, tests the connectivity of plug-ins we cannot redistribute. However, we

do not recommend importing plug-ins that support streaming media at this time.

Note Per the GNU General Public License (GPL), Cisco redistributes plug-ins without having

made any changes to them. Per the GPL, Cisco cannot directly enhance these plug-ins.

The ASA does the following when you install a plug-in onto the flash device:

•(Cisco-distributed plug-ins only) Unpacks the jar file specified in the URL.

•Writes the file to the csco-config/97/plugin directory on the ASA file system.

•Populates the drop-down menu next to the URL attributes in ASDM.

•Enables the plug-in for all future clientless SSL VPN sessions, and adds a main menu option and an

option to the drop-down menu next to the Address field of the portal page.

Table72-2 shows the changes to the main menu and address field of the portal page when you add the

plug-ins described in the following sections.

When the user in a clientless SSL VPN session clicks the associated menu option on the portal page, the

portal page displays a window to the interface and displays a help pane. The user can select the protocol

displayed in the drop-down menu and enter the URL in the Address field to establish a connection.Some

Java plug-ins may report a status of connected or online even when a session to the destination service

is not set up. The open-source plug-in reports the status, not the ASA.

The plug-ins support single sign-on (SSO). Refer to the “Configuring SSO with the HTTP Form

Protocol” section on page 72-16 for implementation details.

The minimum access rights required for remote use belong to the guest privilege mode.

Prerequisites

•Clientless SSL VPN must be enabled on the ASA to provide remote access to the plug-ins.

•To configure SSO support for a plug-in, you install the plug-in, add a bookmark entry to display a

link to the server, and specify SSO support when adding the bookmark.

•The minimum access rights required for remote use belong to the guest privilege mode.

•Plug-ins require ActiveX or Sun JRE 5, Update 1.4 or later (JRE 6 or later recommended) to be

enabled on the browser. An ActiveX version of the RDP plug-in is unavailable for 64-bit browsers.

Table72-2 Effects of Plug-ins on the Clientless SSL VPN Portal Page

Plug-in Main Menu Option Added to Portal Page Address Field Option Added to Portal Page

ica Citrix Client ica://

rdp Terminal Servers rdp://

rdp2 Terminal Servers Vista rdp2://

ssh,telnet SSH ssh://

Telnet telnet://

vnc VNC Client vnc://

Cisco Systems - page 1715