30-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Step 8 To configure the user group for an SSL VPN, from the SSL VPN folder in the Settings pane:
a. Select Clientless to configure the Clientless mode of access to the corporate network in an SSL
VPN. For a description of these settings, see ASA Group Policies SSL VPN Clientless Settings,
page 33-10.
b. Select Full Client to configure the Full Client mode of access to the corporate network in an SSL
VPN. For a description of these settings, see ASA Group Policies SSL VPN Full Client Settings,
page 33-13.
c. Select Settings to configure the general settings that are required for clientless and thin client (port
forwarding) access modes in an SSL VPN. For a description of these settings, see ASA Group
Policies SSL VPN Settings, page 33-17.
Step 9 Specify the following settings for an ASA user group in an Easy VPN/IPSec IKEv1 or IKEv2 VPN and
SSL VPN configuration, in the Settings pane:
a. Select DNS/WINS to define the DNS and WINS servers and the domain name that should be pushed
to clients associated with the ASA user group. For a description of these settings, see ASA Group
Policies DNS/WINS Settings, page 33-20.
b. Select Split Tunneling to allow a remote client to send traffic for the central site through the
encrypted tunnel while sending all other traffic, typically Internet traffic, in clear text through its
local network interface. Because the client then bridges the corporate network and an untrusted one,
tunnel all traffic unless split tunneling is specifically required. For a description of these
settings, see ASA Group Policies Split Tunneling Settings, page 33-21.
c. Select Connection Settings to configure the SSL VPN connection settings for the ASA user group,
such as the session and idle timeouts and the banner text. For a description of these settings, see
ASA Group Policies Connection Settings, page 33-22.
Step 10 Click OK.
Step 11 Select the ASA user group from the list and click OK.
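As an added example that is not taken from the user guide, the following is the ASA CLI that corresponds to a group policy configured as in Steps 8 through 11 with the Full Client and Clientless access modes, the DNS/WINS, Split Tunneling and Connection Settings filled in. The policy name, addresses, domain name, ACL name, timeout values and banner are assumed for illustration; confirm what Security Manager actually deployed with show running-config group-policy on the device.

```cisco
! Added example (not from the user guide); names and values are assumed.
! Split-tunnel ACL: only traffic to these destinations enters the tunnel.
access-list SPLIT-TUNNEL-ACL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT-TUNNEL-ACL standard permit 192.168.100.0 255.255.255.0
!
group-policy RA-SSL-USERS internal
group-policy RA-SSL-USERS attributes
 ! Access modes selected under the SSL VPN folder (Step 8): Full Client and Clientless
 vpn-tunnel-protocol ssl-client ssl-clientless
 ! DNS/WINS settings (Step 9a) pushed to clients that receive this policy
 dns-server value 10.1.1.10 10.1.1.11
 wins-server none
 default-domain value corp.example.com
 ! Split Tunneling settings (Step 9b): tunnel only the networks listed in the ACL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 ! Connection settings (Step 9c): timeouts in minutes, plus the login banner
 vpn-idle-timeout 30
 vpn-session-timeout 720
 banner value Authorized users only. Activity is monitored.
!
! To send all client traffic through the tunnel instead (the safer choice when
! split tunneling is not specifically required):
!  split-tunnel-policy tunnelall
```

The tunnelspecified policy with a standard ACL is the usual form of split tunneling; tunnelall is the default and keeps the remote client from carrying clear-text and tunnelled traffic at the same time. After deployment, show running-config group-policy RA-SSL-USERS on the ASA should list exactly the attributes shown above.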
Understanding SSL VPN Server Verification (ASA)
When connecting to a remote SSL-enabled server through clientless SSL VPN, it is important to be able
to verify that the remote server is trustworthy and that it is in fact the server you intended to
reach. ASA 9.0 introduces support for SSL server certificate verification against a list of trusted
certificate authority (CA) certificates for clientless SSL VPN.
When you connect to a remote server via a web browser using the HTTPS protocol, the server will
provide a digital certificate signed by a CA to identify itself. Web browsers ship with a collection of CA
certificates which are used to verify the validity of the server certificate. This is a form of public key
infrastructure (PKI).
Just as browsers provide certificate management facilities, so does the ASA, in the form of a trusted
certificate pool management facility: trustpools. A trustpool can be thought of as a special case of a
trustpoint that represents multiple known CA certificates rather than one. The ASA includes a default
bundle of CA certificates, similar to the bundle shipped with web browsers, but it is inactive until the
administrator activates it.
Note If you are already familiar with trustpools from Cisco IOS then you should be aware that the ASA
version is similar, but not identical.
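As an added example that is not taken from the user guide, the following ASA CLI activates the default CA bundle described above, lists the resulting pool, and enables server certificate checking for clientless SSL VPN. The trustpool import and show commands are standard ASA commands; the ssl-server-check keyword is given as understood from the ASA 9.0 command reference and should be confirmed against the reference for your release.

```cisco
! Added example (not from the user guide).
! 1. Activate the default CA bundle shipped with the ASA; it is inactive until imported.
crypto ca trustpool import default
!
! 2. Confirm which CA certificates are now in the pool before relying on it.
show crypto ca trustpool
!
! 3. Make clientless SSL VPN verify the certificate of each back-end HTTPS server
!    against the pool. Keyword as understood from the ASA 9.0 command reference;
!    confirm it for your release.
webvpn
 ssl-server-check
```

Internal servers are usually signed by an enterprise CA that is not in the default bundle, so check the output of show crypto ca trustpool for that CA before enabling verification; otherwise connections to those servers will fail the check rather than the spoofed ones you intended to catch.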
For more information on managing trusted certificates, see the following topics: