Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Logging Off Smart Tunnel

72-51

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter72 Configuring Clientless SSL VPN

Configuring Application Access

Step5 (Optional) Click to add the Windows domain to the username if authentication requires it. If you do so,

be sure to specify the domain name when assigning the smart tunnel list to one or more group policies

or local user policies.

Step6 (Optional) Specify a port number for the corresponding hosts. For Firefox, if no port number is specified,

auto sign is performed on HTTP and HTTPS, accessed by default port numbers 80 and 443 respectively.

Following the configuration of the smart tunnel auto sign-on server list, you must assign it to a group

policy or a local user policy for it to become active, as follows:

•To assign the list to a group policy, choose Config > Remote Access VPN > Clientless SSL VPN

Access > Group Policies > Add or Edit > Portal, find the Smart Tunnel area, and choose the list

name from the drop-down list next to the Auto Sign-on Server List attribute.

•To assign the list to a local user policy, choose Config > Remote Access VPN> AAA Setup > Local

Users > Add or Edit > VPN Policy > Clientless SSL VPN, find the Smart Tunnel area, and choose

the list name from the drop-down list next to the Auto Sign-on Server List attribute.

By default, smart tunnels are disabled.

If you enable smart tunnel access, the user will have to start it manually, using the Application Access

> Start Smart Tunnels button on the clientless SSL VPN portal page.

Logging Off Smart Tunnel

This section describes how to ensure that the smart tunnel is properly logged off. Smart tunnel can be

logged off when all browser windows have been closed, or you can right click the notification icon and

confirm log out.

Note We strongly recommend the use of the logout button on the portal. This method pertains to clientless

SSL VPNs and logs off regardless of whether smart tunnel is used or not. The notification icon should

be used only when using standalone applications without the browser.

This practice requires the closing of all browsers to signify log off. The smart tunnel lifetime is now tied

to the starting process lifetime. For example, if you started a smart tunnel from Internet Explorer, the

smart tunnel is turned off when no iexplore.exe is running. Smart tunnel can determine that the VPN

session has ended even if the user closed all browsers without logging out.

Note In some cases, a lingering browser process is unintentional and is strictly a result of an error.

Also, when a Secure Desktop is used, the browser process can run in another desktop even if the

user closed all browsers within the secure desktop. Therefore, smart tunnel declares all browser

instances gone when no more visible windows exist in the current desktop.

Cisco Systems Logging Off Smart Tunnel