Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Portal Access Rules
A path is everything in a URL after the domain name (.com, .org, and so on). For example, in the
URL www.example.com/hrbenefits, hrbenefits is the path. Similarly, for the URL
www.example.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr sites,
you can avoid using the command multiple times by using the * wildcard as follows: /hr*.
Detailed Steps
You can set rules for when the ASA performs little or no content rewriting:
Step 1 Select the VLAN for proxy bypass.
Step 2 Specify either a port or a URI for proxy bypass:
  Port—(radio button) Click to use a port for proxy bypass. The valid port numbers are 20000-21000.
  Port—(field) Enter a high-numbered port for the ASA to reserve for proxy bypass.
  Path Mask—(radio button) Click to use a URL for proxy bypass.
  Path Mask—(field) Enter a URL for proxy bypass. It can contain a regular expression.
Step 3 Define target URLs for proxy bypass:
  URL—(drop-down list) Click either http or https as the protocol.
  URL—(text field) Enter a URL to which you want to apply proxy bypass.
Step 4 Specify the content to rewrite. The choices are none or a combination of XML, links, and cookies.
  XML—Check to rewrite XML content.
  Hostname—Check to rewrite links.
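Because a path mask such as /hr* exempts every matching path from content rewriting, it is worth checking what else on the server the wildcard covers before you enter it in the Path Mask field. The following Python script is an added example, not part of the Cisco guide or ASDM; the URL inventory is constructed, and the matching semantics (a shell-style * that must match the whole path) are an assumption about how the mask behaves.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample inventory of URLs reachable on the internal web server.
SAMPLE_URLS = [
    "www.example.com/hrbenefits",
    "www.example.com/hrinsurance",
    "https://www.example.com/hr-admin/payroll",
    "www.example.com/hrefcheck",
    "www.example.com/finance",
]
# Paths the administrator actually means to exempt from rewriting.
INTENDED = {"/hrbenefits", "/hrinsurance"}


def url_path(url):
    """Return the path part of a URL, e.g. '/hrbenefits'."""
    if "://" not in url:
        url = "//" + url  # so urlsplit parses 'host/path' as host plus path
    return urlsplit(url).path or "/"


def audit_path_mask(mask, urls, intended):
    """Sort each URL path by how the mask treats it.

    Assumption: '*' is a shell-style wildcard matching any run of
    characters (including '/'), and the mask must match the whole path.
    """
    report = {"intended": [], "unintended": [], "not_bypassed": []}
    for url in urls:
        path = url_path(url)
        if not fnmatchcase(path, mask):
            report["not_bypassed"].append(path)
        elif path in intended:
            report["intended"].append(path)
        else:
            report["unintended"].append(path)
    return report


if __name__ == "__main__":
    for mask in ("/hr*", "/hrbenefits"):
        print(mask, audit_path_mask(mask, SAMPLE_URLS, INTENDED))
```

Any path reported under "unintended" would also receive little or no rewriting, so narrow the mask or add separate entries until that list is empty.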
Configuring Application Profile Customization Framework
An APCF profile for clientless SSL VPN lets the ASA handle non-standard applications and web
resources so that they display correctly over a clientless SSL VPN connection. An APCF profile contains
a script that specifies when (pre, post), where (header, body, request, response), and what data to
transform for a particular application. The script is in XML and uses sed (stream editor) syntax for
string/text transformation. Multiple APCF profiles can run in parallel on an ASA. Within an APCF
profile script, multiple APCF rules can apply. In this case, the ASA processes the oldest rule first (based
on configuration history), then the next oldest rule, and so forth.
You can store APCF profiles on the ASA flash memory, or on an HTTP, HTTPS, or TFTP server.
Restrictions
We recommend that you configure an APCF profile only with the assistance of Cisco personnel.
Step 1 Use the following commands to add, edit, and delete APCF packages and put them in priority order:
  APCF File Location—Displays information about the location of the APCF package. This can be on
  the ASA flash memory, or on an HTTP, HTTPS, FTP, or TFTP server.
  Add/Edit—Click to add or edit a new or existing APCF profile.
  Delete—Click to remove an existing APCF profile. There is no confirmation or undo.