30-62
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
When you connect to a remote server via a web browser using the HTTPS protocol, the server will
provide a digital certificate signed by a CA to identify itself. Web browsers ship with a collection of CA
certificates which are used to verify the validity of the server certificate. This is a form of public key
infrastructure (PKI).
Just as browsers provide certificate management facilities, so does the ASA in the form of a trusted
certificate pool management facility: trustpools. A trustpool can be thought of as a special case of a
trustpoint that represents multiple known CA certificates. The ASA includes a default bundle of CA
certificates, similar to the one shipped with web browsers, but it is inactive until activated by the administrator.
Note If you are already familiar with trustpools from Cisco IOS then you should be aware that the ASA
version is similar, but not identical.
This procedure describes how to enable HTTPS server verification for clientless SSL VPN users.
Related Topics
Configuring Other SSL VPN Settings (ASA), page 30-41
Configuring Trusted Pool Settings (ASA), page 30-26
Using the Trustpool Manager, page 30-27
Step 1 Do one of the following:
(Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other Settings from the Policy selector. Click the SSL Server Verification tab.
(Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one. Click the SSL Server Verification tab.
Step 2 Select Enable to enable HTTPS Server Verification for Clientless SSL VPN users.
Step 3 Specify the action you want to be taken if server certificate verification fails:
Disconnect user from Https page – Disconnect if the server could not be verified.
Allow user to continue to Https page – Allow the user to continue the connection, even if the check failed.
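The following is an added example, not part of the Cisco guide and not ASA code, that models what the procedure above configures: a CA bundle standing in for the trustpool, one server certificate that chains to it and one self-signed certificate that does not, and a verify step whose failure action is either "disconnect" or "continue" as in Step 3. It assumes the openssl command-line tool is installed; every certificate, key, subject name and temporary path is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): emulate the ASA trustpool check for
# clientless SSL VPN with openssl. Requires the openssl CLI.
set -e

WORK="$(mktemp -d)"              # throwaway working directory
trap 'rm -rf "$WORK"' EXIT

# The "trustpool": a single constructed CA certificate with a throwaway key.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Trustpool CA" >/dev/null 2>&1

# Server A: certificate issued by the trustpool CA, so it should verify.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/a.key" -out "$WORK/a.csr" \
  -subj "/CN=intranet.example" >/dev/null 2>&1
openssl x509 -req -in "$WORK/a.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/a.pem" >/dev/null 2>&1

# Server B: self-signed certificate with no chain to the trustpool, so it should fail.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/b.key" -out "$WORK/b.pem" \
  -subj "/CN=unknown.example" >/dev/null 2>&1

# verify_server BUNDLE SERVER_CERT ACTION
#   BUNDLE      PEM file holding the trusted CA certificates (the "trustpool")
#   SERVER_CERT PEM certificate presented by the HTTPS server
#   ACTION      "disconnect" or "continue", the two choices offered in Step 3
# Returns 0 when the user session may proceed, 1 when it must be dropped.
verify_server() {
  bundle=$1; cert=$2; action=$3
  if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    echo "verified: allow"
    return 0
  fi
  case "$action" in
    disconnect) echo "unverified: disconnect user"; return 1 ;;
    continue)   echo "unverified: user allowed to continue"; return 0 ;;
    *)          echo "unknown action: $action" >&2; return 2 ;;
  esac
}

# Demonstration of the three outcomes.
verify_server "$WORK/ca.pem" "$WORK/a.pem" disconnect
verify_server "$WORK/ca.pem" "$WORK/b.pem" continue
verify_server "$WORK/ca.pem" "$WORK/b.pem" disconnect || true
```

The point to notice is that "continue" turns a failed chain validation into a warning only, so the protection the trustpool provides depends entirely on the action chosen in Step 3; "disconnect" is the setting that actually enforces it.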
Configuring SSL VPN Shared Licenses (ASA 8.2+)
Use the SSL VPN Shared License page to configure your SSL VPN Shared License.
You can purchase a shared license with a large number of SSL or remote access IKEv2 IPsec VPN
sessions and share those sessions as needed among a group of ASA devices by configuring one of the ASA
devices as the shared license server and the rest as clients. For the server license, you can share 500-50,000
licenses in increments of 500 and 50,000-1,040,000 licenses in increments of 1000.
A license is consumed by each remote access user that makes an SSL or IKEv2 IPsec connection.
Note The shared license cannot be used at the same time as the AnyConnect Essentials license.
The following topics explain the procedure for configuring shared licenses: