Cisco PIX 500 Series Configuration Manual page 793

Chapter 37
Configuring Clientless SSL VPN
hash (Optional) To obtain this value, compute the checksum of the application (that is, the checksum of
the executable file) with a utility that calculates a hash using the SHA-1 algorithm. One example of
such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available at
http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the
application to be hashed on a path that contains no spaces (for example, c:/fciv.exe), then enter
fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to
display the SHA-1 hash.
The SHA-1 hash is always 40 hexadecimal characters.
Before authorizing an application for smart tunnel access, clientless SSL VPN calculates the hash
of the application matching the path. It qualifies the application for smart tunnel access if the result
matches the value of hash.
Entering a hash provides a reasonable assurance that SSL VPN does not qualify an illegitimate file
that matches the string you specified in the path. Because the checksum varies with each version or
patch of an application, the hash you enter can only match one version or patch on the remote host.
To specify a hash for more than one version of an application, enter the smart-tunnel list command
once for each version, entering the same list string, but specifying a unique application string and a
unique hash value.
Note
If you want to add smart tunnel access to an application started from the command prompt, you must add
"cmd.exe" to the smart tunnel list, in addition to the application itself, because "cmd.exe" is the parent.
For example,
hostname(config-webvpn)# smart-tunnel list apps1 CommandPrompt cmd.exe
For example, to provide smart tunnel access to the Lotus 6.0 thick client with Domino Server 6.5.5, enter
the following commands:
hostname(config-webvpn)# smart-tunnel list lotus lotusnotes "notes.exe"
hostname(config-webvpn)# smart-tunnel list lotus lotusnlnotes "nlnotes.exe"
hostname(config-webvpn)# smart-tunnel list lotus lotusntaskldr "ntaskldr.exe"
hostname(config-webvpn)# smart-tunnel list lotus lotusnfileret "nfileret.exe"
The following command adds the application that matches msimn.exe to a smart tunnel list named apps1,
and requires that the hash of the application on the remote host match the last string entered to qualify
for smart tunnel access:
hostname(config-webvpn)# smart-tunnel list apps1 OutlookExpress msimn.exe 4739647b255d3ea865554e27c3f96b9476e75061
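As an added example that is not part of the Cisco guide, the following Python models the hash-pinning logic described above: it computes the same SHA-1 that FCIV prints, renders smart-tunnel list command lines, and mirrors the qualification check (the executable name matches an entry in the list and, where that entry carries a hash, the binary's SHA-1 matches too), including the one-entry-per-version pattern. The sample executable bytes are constructed, and exact comparison of the executable name is an assumption, since the guide does not state the appliance's matching rules.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

HASH_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # a SHA-1 hash is always 40 hex chars

@dataclass(frozen=True)
class SmartTunnelEntry:
    list_name: str              # e.g. "apps1"
    app_name: str               # unique per entry, e.g. "OutlookExpress"
    path: str                   # executable name to match, e.g. "msimn.exe"
    sha1: Optional[str] = None  # optional: pins exactly one version/patch

    def command(self) -> str:
        """Render the entry as the smart-tunnel list command line."""
        cmd = f"smart-tunnel list {self.list_name} {self.app_name} {self.path}"
        return f"{cmd} {self.sha1}" if self.sha1 else cmd

def sha1_of_bytes(data: bytes) -> str:
    """Same value that 'fciv.exe -sha1 <file>' prints for the file contents."""
    return hashlib.sha1(data).hexdigest()

def make_entry(list_name: str, app_name: str, path: str,
               sha1: Optional[str] = None) -> SmartTunnelEntry:
    """Build an entry, rejecting a hash that is not 40 hex characters."""
    if sha1 is not None and not HASH_RE.match(sha1):
        raise ValueError(f"not a SHA-1 hash: {sha1!r}")
    return SmartTunnelEntry(list_name, app_name, path, sha1.lower() if sha1 else None)

def qualifies(entries, list_name: str, exe_name: str, exe_bytes: bytes) -> bool:
    """Mirror the appliance check: the name must match an entry in the list and,
    if that entry carries a hash, the binary's SHA-1 must match it too.
    Exact comparison of the name is an assumption; the guide does not say."""
    digest = sha1_of_bytes(exe_bytes)
    for e in entries:
        if e.list_name == list_name and e.path == exe_name:
            if e.sha1 is None or e.sha1 == digest:
                return True
    return False

if __name__ == "__main__":
    # Constructed stand-ins for two versions of msimn.exe, not real binaries.
    v1, v2 = b"msimn v1 (constructed)", b"msimn v2 (constructed)"
    apps1 = [make_entry("apps1", "OutlookExpress", "msimn.exe", sha1_of_bytes(v1)),
             make_entry("apps1", "OutlookExpress2", "msimn.exe", sha1_of_bytes(v2)),
             make_entry("apps1", "CommandPrompt", "cmd.exe")]  # cmd.exe is the parent
    for e in apps1:
        print(e.command())
```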
Following the configuration of a smart tunnel list, assign the list to group policies or usernames, as
described in the next section.
You must maintain the smart tunnel list in the future if you enter hash values and you want
to support future versions or patches of an application with smart tunnel access. A sudden
problem with smart tunnel access may be an indication that the application list containing
hash values is not up-to-date with an application upgrade. You can avoid this problem by not
entering a hash.
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Configuring Application Access
37-37