Cisco ASA 5505 Configuration Manual page 1437

Asa 5500 series

Chapter 65
Configuring Dynamic Access Policies
OL-20339-01

Web-Type ACL drop-down list—Select already configured web-type ACLs to add to this DAP
record. Only ACLs having all permit or all deny rules are eligible, and these are the only ACLs
that display here.
Manage...—Click to add, edit, and delete web-type ACLs.
Web-Type ACL list—Displays the web-type ACLs for this DAP record.
Add—Click to add the selected web-type ACL from the drop-down list to the Web-Type ACLs
list on the right.
Delete—Click to delete a web-type ACL from the Web-Type ACLs list. You cannot delete an
ACL from the adaptive security appliance unless you first delete it from DAP records.

Functions Tab—Lets you configure file server entry and browsing, HTTP proxy, and URL entry for
the DAP record.

File Server Browsing—Enables or disables CIFS browsing for file servers or shared features.
Note: Browsing requires NBNS (Master Browser or WINS). If that fails or is not configured,
we use DNS. The CIFS browse feature does not support internationalization.
File Server Entry—Allows or prohibits a user from entering file server paths and names on the
portal page. When enabled, places the file server entry drawer on the portal page. Users can
enter pathnames to Windows files directly. They can download, edit, delete, rename, and move
files. They can also add files and folders. Shares must also be configured for user access on the
applicable Windows servers. Users might have to be authenticated before accessing files,
depending on network requirements.
HTTP Proxy—Affects the forwarding of an HTTP applet proxy to the client. The proxy is useful
for technologies that interfere with proper content transformation, such as Java, ActiveX, and
Flash. It bypasses mangling while ensuring the continued use of the security appliance. The
forwarded proxy modifies the browser's old proxy configuration automatically and redirects all
HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client-side
technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only
browser it supports is Microsoft Internet Explorer.
URL Entry—Allows or prevents a user from entering HTTP/HTTPS URLs on the portal page.
If this feature is enabled, users can enter web addresses in the URL entry box, and use clientless
SSL VPN to access those websites.

Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures
the security of data transmission between the remote user PC or workstation and the adaptive
security appliance on the corporate network. If a user then accesses a non-HTTPS web resource
(located on the Internet or on the internal network), the communication from the corporate adaptive
security appliance to the destination web server is not secured.

In a clientless VPN connection, the adaptive security appliance acts as a proxy between the end user
web browser and target web servers. When a user connects to an SSL-enabled web server, the
adaptive security appliance establishes a secure connection and validates the server SSL certificate.
The end user browser never receives the presented certificate, and therefore cannot examine and
validate it. The current implementation of SSL VPN does not permit communication
with sites that present expired certificates. Neither does the adaptive security appliance perform
trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled
web server presents before communicating with it.
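
The following is an added example, not part of the Cisco manual: a small audit that applies the web-type ACL eligibility rule (all permit or all deny) and the non-HTTPS caveat described above to exported configuration text. It assumes the ACLs appear in the running configuration as `access-list <name> webtype {permit|deny} url <target>` lines; the ACL names and example.com hosts are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of running-config lines (not taken from the manual).
SAMPLE_CONFIG = """\
access-list HR_WEB webtype permit url https://hr.example.com/*
access-list HR_WEB webtype permit url http://wiki.example.com/*
access-list BLOCK_LAB webtype deny url https://lab.example.com/*
access-list MIXED webtype permit url https://mail.example.com/*
access-list MIXED webtype deny url any
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
"""

# Matches only web-type ACEs; extended ACLs and other config lines are skipped.
ACE = re.compile(r"^access-list\s+(\S+)\s+webtype\s+(permit|deny)\s+(url|tcp)\s+(\S+)", re.I)

def audit_webtype_acls(config_text):
    """Report, per web-type ACL, DAP eligibility and permitted cleartext targets."""
    seen = defaultdict(lambda: {"actions": set(), "cleartext": []})
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if not m:
            continue
        name, action, kind, target = m.groups()
        action, target_l = action.lower(), target.lower()
        seen[name]["actions"].add(action)
        # A permitted http:// URL (or "any") lets users reach sites where the
        # leg from the security appliance to the web server is not encrypted.
        if action == "permit" and kind.lower() == "url" and (
                target_l.startswith("http://") or target_l == "any"):
            seen[name]["cleartext"].append(target)
    report = {}
    for name, info in seen.items():
        # Only ACLs whose rules are all permit or all deny can be added to a DAP record.
        eligible = len(info["actions"]) == 1
        report[name] = {
            "dap_eligible": eligible,
            "action": next(iter(info["actions"])) if eligible else None,
            "cleartext_permits": info["cleartext"],
        }
    return report

if __name__ == "__main__":
    for acl_name, result in audit_webtype_acls(SAMPLE_CONFIG).items():
        print(acl_name, result)
```
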
Understanding VPN Access Policies
Cisco ASA 5500 Series Configuration Guide using ASDM
65-13
