Cisco ASA 5505 Configuration Manual page 1504

Chapter 67  Clientless SSL VPN
Configuring Smart Tunnel Access
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 67-40

Table 67-4  Example Smart Tunnel Entries

Smart Tunnel Support | Application ID (any unique string is OK) | Process Name | OS
Mozilla Firefox. | firefox | firefox.exe | Windows
Microsoft Outlook Express. | outlook-express | msimn.exe | Windows
More restrictive alternative—Microsoft Outlook Express only if the executable file is in a predefined path. | outlook-express | \Program Files\Outlook Express\msimn.exe | Windows
Open a new Terminal window on a Mac. (Any subsequent application launched from within the same Terminal window fails because of the one-time-password implementation.) | terminal | Terminal | Mac

OS—Click Windows or Mac to specify the host operating system of the application.

Hash—(Optional and applicable only for Windows) To obtain this value, compute the checksum of the application (that is, the checksum of the executable file) with a utility that calculates a hash using the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for example, c:/fciv.exe), then enter fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash.
The SHA-1 hash is always 40 hexadecimal characters.
Before authorizing an application for smart tunnel access, clientless SSL VPN calculates the hash of the application matching the Application ID. It qualifies the application for smart tunnel access if the result matches the value of Hash.
Entering a hash provides a reasonable assurance that SSL VPN does not qualify an illegitimate file that merely matches the string you specified in the Application ID. Because the checksum varies with each version or patch of an application, the Hash you enter can only match one version or patch on the remote host. To specify a hash for more than one version of an application, create a separate smart tunnel entry for each Hash value.

Note  You must update the smart tunnel list in the future if you enter Hash values and you want to support future versions or patches of an application with smart tunnel access. A sudden problem with smart tunnel access may be an indication that the application list containing Hash values is not up to date with an application upgrade. You can avoid this problem by not entering a hash.

Following the configuration of the smart tunnel list, you must assign it to a group policy or a local user policy for it to become active, as follows:
To assign the list to a group policy, choose Config > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Add or Edit > Portal and choose the smart tunnel name from the drop-down list next to the Smart Tunnel List attribute.
To assign the list to a local user policy, choose Config > Remote Access VPN > AAA Setup > Local Users > Add or Edit > VPN Policy > Clientless SSL VPN and choose the smart tunnel name from the drop-down list next to the Smart Tunnel List attribute.
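The Hash check described above, as an added example written for this page rather than code from Cisco or the configuration guide: it computes the SHA-1 that fciv.exe -sha1 would report for an executable, models the ASA's qualification step, and shows why an entry that carries a Hash stops matching after an application upgrade. The SmartTunnelEntry class, qualifies() and demo() are hypothetical names, the two byte strings are constructed stand-ins for two builds of msimn.exe, and the process-name comparison is simplified to the file name.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Constructed stand-ins for two builds of the same executable (not real binaries).
V1_BYTES = b"MZ\x90\x00 msimn.exe build 6.00.2900.5512\n"
V2_BYTES = b"MZ\x90\x00 msimn.exe build 6.00.2900.5931\n"

@dataclass(frozen=True)
class SmartTunnelEntry:          # hypothetical model of one Table 67-4 row
    app_id: str                  # Application ID: any unique string
    process_name: str            # Process Name: file name or full path
    os: str                      # "Windows" or "Mac"
    sha1: Optional[str] = None   # Hash: optional, Windows only, 40 hex chars

def sha1_of_file(path: Path) -> str:
    """Lowercase SHA-1 of a file, the value fciv.exe -sha1 <file> prints."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def qualifies(e: SmartTunnelEntry, exe: Path) -> bool:
    """Simplified model of the ASA check: the process name must match and,
    if the entry carries a Hash, the file's SHA-1 must equal it."""
    if exe.name.lower() != Path(e.process_name.replace("\\", "/")).name.lower():
        return False
    return e.sha1 is None or sha1_of_file(exe).lower() == e.sha1.lower()

def demo() -> dict:
    """Hash two builds and show that a hashed entry matches only one of them."""
    with tempfile.TemporaryDirectory() as d:
        v1, v2 = Path(d, "v1", "msimn.exe"), Path(d, "v2", "msimn.exe")
        for p, data in ((v1, V1_BYTES), (v2, V2_BYTES)):
            p.parent.mkdir()
            p.write_bytes(data)
        hashed = SmartTunnelEntry("outlook-express", "msimn.exe", "Windows", sha1_of_file(v1))
        unhashed = SmartTunnelEntry("outlook-express", "msimn.exe", "Windows")
        return {
            "v1_hash": hashed.sha1,
            "v2_hash": sha1_of_file(v2),
            "v1_qualifies": qualifies(hashed, v1),
            "v2_against_v1_entry": qualifies(hashed, v2),  # the post-upgrade failure the Note warns about
            "v2_unhashed": qualifies(unhashed, v2),
        }
```

Adding a second entry whose Hash is the v2 digest, as the guide instructs, is what restores access for the upgraded build while keeping the hash check.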
