Cisco Systems OL-16647-01

38-39

Cisco ASDM User Guide

OL-16647-01

Chapter 38 Clientless SSL VPN

Configuring Smart Tunnel Access

For Windows, if you want to add smart tunnel access to an application started from the command

prompt, you must specify “cmd.exe” in the Process Name of one entry in the smart tunnel list, and

specify the path to the application itself in another entry, because “cmd.exe” is the parent of the

application.

Mac OS requires the full path to the process, and is case-sensitive. To avoid specifying a path for

each username, insert a tilde (~) before the partial path (e.g., ~/bin/vnc).

• OS—Click Windows or Mac to specify the host OS of the application.

• Hash—(Optional and applicable only for Windows) To obtain this value, enter the checksum of the

application (that is, the checksum of the executable file) into a utility that calculates a hash using

the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity

Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. After installing

FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for

example, c:/fciv.exe), then enter fciv.exe -sha1 application at the command line (for example,

fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash.

The SHA-1 hash is always 40 hexadecimal characters.

Before authorizing an application for smart tunnel access, Clientless SSL VPN calculates the hash

of the application matching the Application ID. It qualifies the application for smart tunnel access

if the result matches the value of Hash.

Entering a hash provides a reasonable assurance that SSL VPN does not qualify an illegitimate file

that matches the string you specified in the Application ID. Because the checksum varies with each

version or patch of an application, the Hash you enter can only match one version or patch on the

remote host. To specify a hash for more than one version of an application, create a unique smart

tunnel entry for each Hash value.

Note You must update the smart tunnel list in the future if you enter Hash values and you want to

support future versions or patches of an application with smart tunnel access. A sudden

problem with smart tunnel access may be an indication that the application list containing

Hash values is not up-to-date with an application upgrade. You can avoid this problem by

not entering a hash.

Following the configuration of the smart tunnel list, you must assign it to a group policy or a local user

policy for it to become active, as follows:

• To assign the list to a group policy, choose Config > Remote Access VPN> Clientless SSL VPN

Access > Group Policies > Add or Edit > Portal and choose the smart tunnel name from the

drop-down list next to the Smart Tunnel List attribute.

• To assign the list to a local user policy, choose Config > Remote Access VPN> AAA Setup > Local

Users > Add or Edit > VPN Policy > Clientless SSL VPN and choose the smart tunnel name from

the drop-down list next to the Smart Tunnel List attribute.

Table 38-2 Example Smart Tunnel Entries

Smart Tunnel Support

Application ID

(Any unique

string is OK.) Process Name OS

Mozilla Firefox. firefox firefox.exe Windows

Microsoft Outlook Express. outlook-express msimn.exe Windows