Cisco ASA 5505 Configuration Manual page 1466
Security Precautions
By default, the adaptive security appliance permits all portal traffic to all web resources (e.g., HTTPS, CIFS, RDP, and plug-ins). The adaptive security appliance clientless service rewrites each URL to one that is meaningful only to the adaptive security appliance; the user cannot use the rewritten URL displayed on the page accessed to confirm that they are on the site they requested (see example Figures 67-1 and 67-2).
Figure 67-1 Example URL Typed by User
Figure 67-2 Same URL Rewritten by Security Appliance and Displayed in the Browser Window
Caution: To avoid placing users at risk, assign a web ACL to the policies configured for clientless access – group policies, dynamic access policies, or both – to control traffic flows from the portal. For example, without such an ACL, users could receive an authentication request from an outside fraudulent banking or commerce site. Also, we recommend disabling URL Entry on these policies to prevent user confusion over what is accessible. The procedure that follows steps you through the recommendations in this statement.
We recommend that you do the following to minimize risks posed by clientless SSL VPN access:

Step 1 Configure a group policy for all users who need clientless SSL VPN access, and enable clientless SSL VPN only for that group policy.

Step 2 With the group policy open, choose General > More Options > Web ACL and click Manage. Create a web ACL to do one of the following: permit access only to specific targets within the private network, permit access only to the private network, deny Internet access, or permit access only to reputable sites. Assign the web ACL to any policies (group policies, dynamic access policies, or both) that you have configured for clientless access. To assign a web ACL to a DAP, edit the DAP record, and select the web ACL on the Network ACL Filters tab.

Step 3 Disable URL entry on the portal page, the page that opens upon the establishment of a browser-based connection. To do so, click Disable next to URL Entry on both the group policy Portal frame and the DAP Functions tab.

Step 4 Instruct users to enter external URLs in the native browser address field above the portal page or open a separate browser window to visit external sites.
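The same recommendations expressed as ASA CLI configuration, added here as an example and not taken from the guide; the names CLIENTLESS_GP and CLIENTLESS_WEBACL and the intranet URLs are assumed placeholders, and the DAP assignment in Step 2 is done in ASDM and is not shown.

```cisco
! Added example (not from the guide): CLI equivalent of Steps 1-3.
! CLIENTLESS_GP, CLIENTLESS_WEBACL and the example.com URLs are assumed placeholders.
! The default the Caution warns about is a group policy with no web ACL filter
! and URL Entry enabled, so the portal can reach any outside site.
!
! --- Step 2: a webtype ACL that permits only specific private targets ---
access-list CLIENTLESS_WEBACL webtype permit url https://intranet.example.com/*
access-list CLIENTLESS_WEBACL webtype permit url cifs://fileserver.example.com/*
access-list CLIENTLESS_WEBACL webtype deny url any
!
! --- Step 1: a group policy that allows clientless SSL VPN only ---
group-policy CLIENTLESS_GP internal
group-policy CLIENTLESS_GP attributes
 ! keyword is "webvpn" on the 8.2 release this guide covers;
 ! later releases use "ssl-clientless" (assumption, check your release)
 vpn-tunnel-protocol webvpn
 webvpn
  ! Step 2: apply the web ACL to portal traffic
  filter value CLIENTLESS_WEBACL
  ! Step 3: remove the URL Entry box from the portal page
  url-entry disable
!
! Verify the result
show running-config group-policy CLIENTLESS_GP
show access-list CLIENTLESS_WEBACL
```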
Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 67 Clientless SSL VPN, page 67-2, OL-20339-01