33-70
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
Add or Edit User Group Dialog Box
Table 33-53 User Group Dialog Box—Full Tunnel Settings (Continued)

Element: Use Other Access Modes if SSL VPN Client Download Fails / Full Tunnel Only
Description: Whether to allow users to connect to the SSL VPN even if a problem prevents the client from downloading, installing, and starting correctly on the user's system. If you select Full Tunnel Only, a user cannot connect to the SSL VPN if the download fails, which locks the user out of the network. Select Use Other Access Modes to allow clientless or thin client access if there is a download problem.

Element: Client IP Address Pool
Description: The IP address ranges of the address pool that full tunnel clients draw from when they log on. The address pool must be in the same subnet as one of the device's interface IP addresses. Enter the address range with the first and last IP address separated by a hyphen, for example, 10.100.10.2-10.100.10.255. If you enter a single address, the pool has just one address. Do not enter subnet designations. You can also enter the name of a network/host policy object that defines the range, or click Select to select the object from a list or to create a new object. Separate multiple ranges with commas.

Element: Filter ACL
Description: The name of an extended access control list (ACL) object that restricts access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object.

Element: Keep SSL VPN Client on Client Computer
Description: Whether to leave the full client installed on the user's workstation after the user disconnects. If you do not allow the client to remain on the user's system, the client must be downloaded each time the user establishes a connection to the SSL VPN gateway.

Element: Home Page URL
Description: The web address of the login home page for the full client.

Element: Client Dead Peer Detection Timeout
Description: The Dead Peer Detection (DPD) timeout for the client. The DPD timer is reset each time a packet is received over the SSL VPN tunnel from the remote user. Enter a value in the range 1-3600 seconds.

Element: Gateway Dead Peer Detection Timeout
Description: The Dead Peer Detection (DPD) timeout for the gateway. The DPD timer is reset each time a packet is received over the SSL VPN tunnel from the gateway. Enter a value in the range 1-3600 seconds.

Element: Key Renegotiation Method
Description: The method by which the tunnel key is refreshed for the remote user group client:
Disabled—Disables the tunnel key refresh.
Create New Tunnel—Initiates a new tunnel connection. Enter the time interval (in seconds) between the tunnel refresh cycles in the Interval field.

User Group Dialog Box—SSL VPN Split Tunneling
Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet for SSL VPNs.
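As an added example, not part of this guide or of Security Manager itself, the following Python checks a Client IP Address Pool string against the rules the Full Tunnel Settings table states for that field (first-last ranges separated by a hyphen, a lone address as a one-address pool, commas between ranges, no subnet designations, and every range inside the subnet of one of the device's interface addresses). The interface list is a constructed sample, and the check that ranges do not overlap each other is an extra check added here, not a rule from the guide.

```python
import ipaddress

# Constructed interface addresses for a hypothetical device; not taken from the guide.
DEVICE_INTERFACES = [
    ipaddress.ip_interface("10.100.10.1/24"),
    ipaddress.ip_interface("192.0.2.1/24"),
]


def parse_pool(spec):
    """Parse a Client IP Address Pool string into (first, last) IPv4 address pairs.

    Ranges are comma separated and written as first-last; a lone address is a
    one-address pool. Subnet designations such as /24 are rejected.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty range in pool specification")
        if "/" in item:
            raise ValueError(f"subnet designations are not allowed: {item}")
        parts = [p.strip() for p in item.split("-")]
        if len(parts) > 2:
            raise ValueError(f"malformed range: {item}")
        first = ipaddress.IPv4Address(parts[0])
        last = ipaddress.IPv4Address(parts[-1])  # same as first for a lone address
        if last < first:
            raise ValueError(f"last address precedes first address: {item}")
        ranges.append((first, last))
    return ranges


def validate_pool(spec, interfaces):
    """Return a list of problems with the pool; an empty list means it is acceptable.

    Every range must fall inside the subnet of one of the device's interfaces.
    The overlap check between ranges is an added sanity check, not a guide rule.
    """
    try:
        ranges = parse_pool(spec)
    except ValueError as exc:  # AddressValueError is a ValueError subclass
        return [str(exc)]
    problems = []
    for first, last in ranges:
        if not any(first in i.network and last in i.network for i in interfaces):
            problems.append(f"{first}-{last} is not within any interface subnet")
    ordered = sorted(ranges)
    for (_, prev_last), (cur_first, _) in zip(ordered, ordered[1:]):
        if cur_first <= prev_last:
            problems.append(f"ranges overlap at {cur_first}")
    return problems
```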