User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
(Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other
Settings from the Policy selector. Click the Performance tab if it is not already selected.
(Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy
Type selector. Select an existing policy or create a new one. Click the Performance tab if it is not
already selected.
Step 2 Select Enable to enable caching on the security appliance.
If you deselect this option, the cache settings configured on the security appliance do not take effect.
Step 3 Configure the following options:
Minimum Object Size—The minimum size of an HTTP object that can be stored in the cache on
the security appliance, in kilobytes. The range is 0-10,000 KB. The default is 0 KB.
Maximum Object Size—The maximum size of an HTTP object that can be stored in the cache on
the security appliance, in kilobytes. The range is 0-10,000 KB. The default is 1000 KB. The
maximum size must be larger than the minimum size.
Last Modified Factor—An integer to set a revalidation policy for caching objects that have only
the last-modified timestamp, and no other server-set expiration values. The range is 1-100. The
default is 20.
The Expires response header that the origin web server returns to the security appliance also
affects caching. This response header indicates the time that the response becomes stale and
should not be sent to the client without an up-to-date check (using a conditional GET operation).
The security appliance can also calculate an expiration time for each web object before it is written
to disk. The algorithm to calculate an object’s cache expiration date is as follows:
Expiration date = (Today’s date - Object’s last modified date) * Freshness factor
After the expiration date has passed, the object is considered stale and subsequent requests cause a
fresh retrieval of the content by the security appliance. Setting the last modified factor to zero is
equivalent to forcing an immediate revalidation, while setting it to 100 results in the longest
allowable time until revalidation.
Expiration Time—The amount of time (in minutes) that the security appliance caches objects
without revalidating them. The range is 0-900 minutes. The default is one minute.
Revalidation consists of rechecking the objects from the origin server before serving the requested
content to the client browser when the age of the cached object has exceeded its freshness lifetime.
The age of a cached object is the time that the object has been stored in the security appliance’s
cache without the security appliance explicitly contacting the origin server to check if the object is
still fresh.
Cache Static Content—Whether to cache static content on the security appliance. Each web page
can include static and dynamic objects. The security appliance caches individual static objects, such
as image files (*.gif, *.jpeg), Java applets (.js), and cascading style sheets (*.css).
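The following is an added example, not Cisco code, that models how the Last Modified Factor and Expiration Time options described above decide when a cached object must be rechecked at the origin. It assumes the factor is a percentage, that "today's date" is the time the object was stored, and that Expiration Time applies when the origin sends neither header; the function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def stale_at(stored, headers, lm_factor=20, expiration_min=1):
    """Return the moment a cached object stops being fresh.

    Assumptions (not stated on the page): the factor is a percentage,
    "today's date" is the time the object was stored, and Expiration Time
    applies when the origin sent neither Expires nor Last-Modified.
    """
    if not 1 <= lm_factor <= 100:
        raise ValueError("Last Modified Factor range is 1-100")
    if not 0 <= expiration_min <= 900:
        raise ValueError("Expiration Time range is 0-900 minutes")
    if "Expires" in headers:
        # A server-set expiration wins over any heuristic.
        return parsedate_to_datetime(headers["Expires"])
    if "Last-Modified" in headers:
        # (today - last modified) * factor, added to the store time.
        unchanged_for = stored - parsedate_to_datetime(headers["Last-Modified"])
        return stored + unchanged_for * (lm_factor / 100)
    return stored + timedelta(minutes=expiration_min)

def needs_revalidation(now, stored, headers, **settings):
    """True when the appliance should recheck the origin (conditional GET)."""
    return now >= stale_at(stored, headers, **settings)

# Constructed sample: object stored 10 days after it was last modified.
STORED = datetime(2025, 1, 11, tzinfo=timezone.utc)
SAMPLE = {"Last-Modified": "Wed, 01 Jan 2025 00:00:00 GMT"}

if __name__ == "__main__":
    for factor in (1, 20, 100):
        print(factor, stale_at(STORED, SAMPLE, lm_factor=factor))
```

Under these assumptions, a larger factor lets an object that has gone unchanged for a long time be served from the appliance's cache for proportionally longer before the origin is consulted again.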
Configuring SSL VPN Content Rewrite Rules (ASA)
SSL VPN processes application traffic through a content transformation/rewriting engine that includes
advanced elements (such as JavaScript, VBScript, Java, and multi-byte characters) to proxy HTTP
traffic depending on whether the user is using an application within or independently of an SSL VPN
device.