Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Why Smart Tunnels?

72-43

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter72 Configuring Clientless SSL VPN

Configuring Application Access

Configuring smart tunnels requires one of the following procedures, depending on whether the

application is a client or is a web-enabled application:

•Create one or more smart tunnel lists of the client applications, then assign the list to the group

policies or local user policies for whom you want to provide smart tunnel access.

•Create one or more bookmark list entries that specify the URLs of the web-enabled applications

eligible for smart tunnel access, then assign the list to the group policies or local user policies for

whom you want to provide smart tunnel access.

You can also list web-enabled applications for which to automate the submission of login credentials in

smart tunnel connections over clientless SSL VPN sessions.

Why Smart Tunnels?

Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to access

a service. It offers the following advantages to users, compared to plug-ins and the legacy technology,

port forwarding:

•Smart tunnel offers better performance than plug-ins.

•Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user

connection of the local application to the local port.

•Unlike port forwarding, smart tunnel does not require users to have administrator privileges.

The advantage of a plug-in is that it does not require the client application to be installed on the remote

computer.

Prerequisites

See the Supported VPN Platforms, Cisco ASA 5500 Series for the platforms and browsers supported by

ASA Release 8.4 smart tunnels.

The following requirements apply to smart tunnel access on Windows:

•ActiveX or Sun JRE 5, Update 1.5 or later (JRE 6 or later recommended) on Windows must be

enabled on the browser.

ActiveX pages require that you enter the activex-relay command on the associated group policy. If

you do so or assign a smart tunnel list to the policy, and the browser proxy exception list on the

endpoint specifies a proxy, the user must add a “shutdown.webvpn.relay.” entry to this list.

Note Browser-based VPN access does not support Windows Shares (CIFS) Web Folders on

Windows 7, Vista, Internet Explorer 8, Mac OS, and Linux. Windows XP SP2 requires a

Microsoft hotfix to support Web Folders.

•Only Winsock 2, TCP-based applications are eligible for smart tunnel access.

•Smart tunnel supports Mac OS running on an Intel processor only.

•Java Web Start must be enabled on the browser.

Cisco Systems Why Smart Tunnels?