About Smart Tunnels; Why Smart Tunnels; Smart Tunnel Requirements And Restrictions - Cisco PIX 500 Series Configuration Manual


Chapter 37
Configuring Clientless SSL VPN

About Smart Tunnels

A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site, using a
clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security
appliance as a proxy server. You can identify applications to which you want to grant smart tunnel
access, and specify the local path to each application and the SHA-1 hash of its checksum to check
before granting it access. Lotus SameTime, Microsoft Outlook, and Microsoft Outlook Express are
examples of applications to which you might want to grant smart tunnel access.

Why Smart Tunnels?

With Release 8.0(2), Cisco added two alternative technologies for supporting Winsock 2, TCP-based
applications: smart tunnel access and plug-ins. Plug-ins offer better performance and do not require the
client application to be installed on the remote computer. Therefore, configure smart tunnel access only
if a plug-in for the application you want to support is unavailable.

Compared to the legacy technology, port forwarding, smart tunnel access simplifies the remote user
experience because the user does not have to connect the local application to the local port. Therefore,
smart tunnels do not require users to have administrator privileges.

Smart Tunnel Requirements and Restrictions

Smart tunnels have the following requirements:

- The remote host originating the smart tunnel connection must be running a 32-bit version of Microsoft Windows 2000 or Microsoft Windows XP.
- The browser must be enabled with Java, Microsoft ActiveX, or both.

Smart tunnels also have the following restrictions:

- Only Winsock 2, TCP-based applications are eligible.
- If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services (See OK). In this configuration, smart tunnels support only basic authentication.

  Note: Smart tunnels do not support MAPI, also called Microsoft Outlook Exchange proxy. For MAPI proxy access, remote users must use AnyConnect.
- A group policy or username supports no more than one list of applications eligible for smart tunnel access.
- A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.

Note: Some open-source, Java applet plug-ins display a status of connected and online, even if a session to the destination service is not set up. The applet displays the incorrect status, not the security appliance.

OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
Configuring Application Access


This manual is also suitable for:

ASA 5500 series
