Configuring Group-Policy Attributes For Clientless Ssl Vpn Sessions - Cisco PIX 500 Series Configuration Manual

Group Policies
Table 30-3
Parameter
deny
none
permit
priority
type type
version version
The following example shows how to create client access rules for the group policy named FirstGroup.
These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT
clients:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 deny type WinNT version *
hostname(config-group-policy)# client-access-rule 2 permit "Cisco VPN Client" version 4.*
Note

Configuring Group-Policy Attributes for Clientless SSL VPN Sessions

Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance
using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN
provides easy access to a broad range of web resources and web-enabled applications from almost any
computer that can reach HTTPS Internet sites. Clientless SSL VPN uses SSL and its successor, TLS1,
to provide a secure connection between remote users and specific, supported internal resources that you
configure at a central site. The security appliance recognizes connections that need to be proxied, and
the HTTP server interacts with the authentication subsystem to authenticate users. By default, clientless
SSL VPN is disabled.
You can customize a configuration of clientless SSL VPN for specific internal group policies.
Note The webvpn mode that you enter from global configuration mode lets you configure global settings for
clientless SSL VPN sessions. The webvpn mode described in this section, which you enter from
group-policy configuration mode, lets you customize a configuration of group policies specifically for
clientless SSL VPN sessions.
Cisco Security Appliance Command Line Configuration Guide
30-62
client-access rule Command Keywords and Variables
Description
Denies connections for devices of a particular type and/or version.
Allows no client access rules. Sets client-access-rule to a null value, thereby
allowing no restriction. Prevents inheriting a value from a default or
specified group policy.
Permits connections for devices of a particular type and/or version.
Determines the priority of the rule. The rule with the lowest integer has the
highest priority. Therefore, the rule with the lowest integer that matches a
client type and/or version is the rule that applies. If a lower priority rule
contradicts, the security appliance ignores it.
Identifies device types via free-form strings, for example VPN 3002. A
string must match exactly its appearance in the show vpn-sessiondb
remote display, except that you can enter the * character as a wildcard.
Identifies the device version via free-form strings, for example 7.0. A string
must match exactly its appearance in the show vpn-sessiondb remote
display, except that you can enter the * character as a wildcard.
The "type" field is a free-form string that allows any value, but that value must match the fixed
value that the client sends to the security appliance at connect time.
Chapter 30 Configuring Connection Profiles, Group Policies, and Users
OL-12172-03