Cisco PIX 500 Series Configuration Manual page 760

Security appliance command line

Getting Started
Configuring Clientless SSL VPN and ASDM Ports
Beginning with Version 8.0(2), the security appliance supports both clientless SSL VPN sessions and
ASDM administrative sessions simultaneously on Port 443 of the outside interface. You do, however,
have the option to configure these applications on different interfaces.
To change the SSL listening port for clientless SSL VPN, use the port port_number command in webvpn
mode. The following example enables clientless SSL VPN on port 444 of the outside interface. HTTPS
for ASDM is also configured on the outside interface and uses the default port (443). With this
configuration, remote users initiating clientless SSL VPN sessions enter https://<outside_ip>:444 in the
browser.
hostname(config)# http server enable
hostname(config)# http 192.168.3.0 255.255.255.0 outside
hostname(config)# webvpn
hostname(config-webvpn)# port 444
hostname(config-webvpn)# enable outside
To change the listening port for ASDM, use the port argument of the http server enable command in
privileged EXEC mode. The following example specifies that HTTPS ASDM sessions use port 444 on
the outside interface. Clientless SSL VPN is also enabled on the outside interface and uses the default
port (443). With this configuration, remote users initiate ASDM sessions by entering
https://<outside_ip>:444 in the browser.
hostname(config)# http server enable 444
hostname(config)# http 192.168.3.0 255.255.255.0 outside
hostname(config)# webvpn
hostname(config-webvpn)# enable outside
Configuring Support for Proxy Servers
The security appliance can terminate HTTPS connections and forward HTTP and HTTPS requests to
proxy servers. These servers act as intermediaries between users and the Internet. Requiring Internet
access via a server that the organization controls provides another opportunity for filtering to assure
secure Internet access and administrative control.
When configuring support for HTTP and HTTPS proxy services, you can assign preset credentials to
send with each request for basic authentication. You can also specify URLs to exclude from HTTP and
HTTPS requests.
You can specify a proxy autoconfiguration (PAC) file to download from an HTTP proxy server; however,
you may not use proxy authentication when specifying the PAC file.
To configure the security appliance to use an external proxy server to handle HTTP and HTTPS requests,
use the http-proxy and https-proxy commands in webvpn mode.
exclude—(Optional) Enter this keyword to exclude URLs from those that can be sent to the proxy server.
host—Enter the hostname or IP address for the external proxy server.
pac—Proxy autoconfiguration file to download to the browser. Once downloaded, the PAC file uses a
JavaScript function to identify a proxy for each URL.
password—(Optional, and available only if you specify a username) Enter this keyword to accompany
each proxy request with a password to provide basic, proxy authentication.
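The PAC mechanism described above, as an added example that is not taken from the Cisco guide: a small PAC file whose FindProxyForURL function picks a proxy for each URL. The proxy address, the internal domain, the bypass list and the inDomain helper are constructed placeholders, written with plain string operations so the file also runs outside a browser.

```javascript
// Added example of a PAC file; every name and address is a constructed placeholder.
var PROXY = "PROXY proxy.example.com:8080";    // assumed filtering proxy
var DIRECT_HOSTS = ["localhost", "127.0.0.1"]; // assumed exact-match bypass list
var DIRECT_DOMAINS = ["corp.example.com"];     // assumed internal domain

// True when host is the domain itself or a subdomain of it. The match is
// anchored on a label boundary, so "notcorp.example.com" is not treated
// as part of "corp.example.com".
function inDomain(host, domain) {
  var suffix = "." + domain;
  return host === domain || host.slice(-suffix.length) === suffix;
}

// Entry point the browser calls for each URL it is about to fetch.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.slice(0, -1);                  // drop a trailing root dot
  }
  // Single-label names and the exact-match list bypass the proxy.
  if (host.indexOf(".") === -1 || DIRECT_HOSTS.indexOf(host) !== -1) {
    return "DIRECT";
  }
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (inDomain(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the
  // request fails instead of leaving the network unfiltered.
  return PROXY;
}
```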
Cisco Security Appliance Command Line Configuration Guide
37-4
http-proxy host [port] [exclude url] [username username {password password}]
https-proxy host [port] [exclude url] [username username {password password}]
http-proxy pac url
Chapter 37
Configuring Clientless SSL VPN
OL-12172-03

This manual is also suitable for:

Asa 5500 series
