Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Portal Access Rules
Detailed Steps
Step 1 Start ASDM and select Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Portal Access Rule.
The Portal Access Rule window opens.
Step 2 Click Add to create a portal access rule, or select an existing rule and click Edit.
The Add (or Edit) Portal Access Rule dialog box opens.
Step 3 Enter a rule number from 1-65535 in the Rule Priority field.
Rules are processed in ascending order of priority, from 1 to 65535.
Step 4 In the User Agent field, enter the string to look for in the User-Agent HTTP request header.
Surround the string with wildcards (*) to generalize it, for example *Thunderbird*. We recommend using wildcards in your search string: without them, the rule may match no headers at all, or far fewer than you expect.
If the string contains a space, ASDM automatically adds quotes to the beginning and end of the string when it saves the rule. For example, if you enter my agent, ASDM saves the string as "my agent" and the ASA then searches for matches of my agent.
Do not add quotes to a string with spaces yourself unless you want the ASA to match the quote characters as well. For example, if you enter "my agent", ASDM saves the string as "\"my agent\"" and the ASA looks for "my agent", quotes included, and does not match my agent.
To use wildcards with a string that contains a space, start and end the entire string with wildcards, for example *my agent*; ASDM automatically surrounds that string with quotes when it saves the rule.
Note that the User-Agent header is supplied by the client and can be set to any value, so a rule that matches on it can steer or block well-behaved clients but does not stop a deliberately spoofed client from reaching the portal.
Step 5 In the Action field, select either Deny or Permit.
The ASA denies or permits a clientless SSL VPN connection based on this setting.
Step 6 Enter an HTTP status code in the Returned HTTP Code field.
The field is pre-populated with 403, the default for portal access rules. The allowed range of status codes is 200-599.
Step 7 Click OK.
Step 8 Click Apply.
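The following is an added example, not code from the configuration guide or from Cisco: a small Python model of the procedure above that reproduces the documented ASDM quoting behaviour (strings with spaces are wrapped in quotes, user-typed quotes become literal characters), the wildcard matching, and priority-ordered evaluation, so the string-handling pitfalls can be tried offline. Two points are assumptions rather than statements from the guide: a pattern without wildcards must equal the whole User-Agent header, and a connection whose header matches no rule is permitted. The rule set and User-Agent strings are constructed for the demonstration.

```python
"""Model of Clientless SSL VPN portal access rule evaluation.

Added illustration of the ASDM procedure; not Cisco code. It mirrors the
documented quoting and wildcard behaviour so rule ordering and string
handling can be exercised offline.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PortalAccessRule:
    priority: int       # Rule Priority field, 1-65535; lower numbers are evaluated first
    user_agent: str     # User Agent field exactly as typed into ASDM
    action: str         # Action field: "permit" or "deny"
    code: int = 403     # Returned HTTP Code field; 403 is the ASDM default, range 200-599

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 65535:
            raise ValueError("rule priority must be 1-65535")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 200 <= self.code <= 599:
            raise ValueError("returned HTTP code must be 200-599")


def saved_form(typed: str) -> str:
    """What ASDM writes to the configuration: a string containing a space is
    wrapped in double quotes, and quotes the user typed are escaped so they
    survive as literal characters of the pattern."""
    if " " in typed:
        return '"' + typed.replace('"', '\\"') + '"'
    return typed


def match_pattern(saved: str) -> str:
    """Strip ASDM's delimiting quotes (and unescape user-typed ones) to get the
    pattern the ASA compares against the User-Agent header."""
    if len(saved) >= 2 and saved.startswith('"') and saved.endswith('"'):
        return saved[1:-1].replace('\\"', '"')
    return saved


def ua_matches(pattern: str, user_agent: str) -> bool:
    """Glob match in which '*' is the only wildcard. Without wildcards the
    pattern must equal the whole header (assumption: the strict reading of
    the guide's 'may not match any strings' warning)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user_agent, re.DOTALL) is not None


def evaluate(rules: Iterable[PortalAccessRule],
             user_agent: str) -> Tuple[str, Optional[int], Optional[int]]:
    """First matching rule in ascending priority order wins. Returns
    (action, http_code, priority). With no match the connection is permitted
    (assumed default; the guide does not state it here)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if ua_matches(match_pattern(saved_form(rule.user_agent)), user_agent):
            return (rule.action, rule.code, rule.priority)
    return ("permit", None, None)


# Constructed rule set mirroring the guide's examples.
RULES = [
    PortalAccessRule(1, "*Thunderbird*", "deny"),     # wildcarded, as recommended
    PortalAccessRule(2, "my agent", "deny"),          # no wildcards: whole header only
    PortalAccessRule(3, '"my agent"', "deny"),        # user-typed quotes become literals
    PortalAccessRule(4, "*my agent*", "deny", 406),   # wildcards around a string with a space
]

if __name__ == "__main__":
    # Constructed User-Agent values; the last one shows that a client which
    # rewrites its header walks past every deny rule.
    for ua in ["Mozilla/5.0 Thunderbird/91.0", "my agent", '"my agent"',
               "Mozilla/5.0 my agent/1.0", "Mozilla/5.0 Firefox/100"]:
        print(f"{ua!r:34} -> {evaluate(RULES, ua)}")
```

Rule 2 shows the warning from Step 4 in action: typed without wildcards, it matches only a header that is exactly my agent, while rule 4 catches the same words anywhere in the header. The final User-Agent in the run is the practical caveat: because the header is chosen by the client, a deny rule keyed on it is a compatibility and policy control, not a boundary against a client that simply sends a different string.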
Using Proxy Bypass
You can configure the ASA to use proxy bypass when applications and web resources work better with the minimal content rewriting this feature provides. Proxy bypass is an alternative method of content rewriting that makes as few changes to the original content as possible, which often suits custom web applications.
You can configure multiple proxy bypass entries; the order in which you configure them is unimportant. An entry is uniquely identified by its interface and path mask, or by its interface and port.
If you configure proxy bypass using ports rather than path masks, you might, depending on your network configuration, need to change your firewall configuration to allow traffic to those ports on the ASA. Using path masks avoids this restriction. Be aware, however, that the paths an application uses can change, so you might need several path-mask entries to cover all the possibilities.