Cisco ASA 5505 Configuration Manual page 1499

Chapter 67
Clientless SSL VPN
Why Smart Tunnels?
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to connect to a service. It offers the following advantages to users, compared to plug-ins and the legacy technology, port forwarding:
• Smart tunnel offers better performance than plug-ins.
• Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user to connect the local application to the local port.
• Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
The advantage of a plug-in is that it does not require the client application to be installed on the remote computer.

Smart Tunnel Requirements and Limitations
The following sections categorize the smart tunnel requirements and limitations.

General Requirements and Limitations
Smart tunnel has the following general requirements and limitations:
• Smart tunnel auto sign-on supports only Microsoft Internet Explorer on Windows.
• The browser must be enabled with Java, Microsoft ActiveX, or both.
• Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the adaptive security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy.
• In an HTTP-based remote access scenario, sometimes a subnet does not provide user access to the VPN gateway. In this case, a proxy placed in front of the ASA to route traffic between the web and the end user's location provides web access. However, only VPN users can configure proxies placed in front of the ASA. When doing so, they must make sure these proxies support the CONNECT method. For proxies that require authentication, smart tunnel supports only the basic digest authentication type.
• When smart tunnel starts, the adaptive security appliance by default passes all browser traffic through the VPN session if the browser process is the same. The adaptive security appliance also does this if a tunnel-all policy applies. If the user starts another instance of the browser process, it passes all traffic through the VPN session. If the browser process is the same and the security appliance does not provide access to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
• A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
• If it takes too long for smart tunnel to load, perform the following:
  – Clear the SSL state (with Internet Explorer, go to Tools > Internet Options > Content).
  – Disable the Check for server certificate revocation check box (with Internet Explorer, go to Tools > Internet Options > Advanced > Security). Note that this weakens the browser's certificate validation; re-enable the check once the slow-load problem has been isolated.

Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring Smart Tunnel Access
67-35
OL-20339-01
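The tunnel-all workaround described in the general requirements above, expressed as ASA CLI configuration. This is an added example and is not part of the page, which documents the ASDM path (assumed to be Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels). It assumes the `smart-tunnel network` and `smart-tunnel tunnel-policy` commands of the ASA 8.3 CLI; the list name SSH-APPS, the network name INSIDE-NET, the group policy CLIENTLESS-GP, the 10.1.1.0/24 subnet and putty.exe are placeholders, so check the syntax against the CLI reference for your release.

```cisco
! Added example, not from the page. Names and addresses are placeholders.
webvpn
 ! Windows application permitted to use smart tunnel (Windows is the default platform).
 smart-tunnel list SSH-APPS putty putty.exe
 ! Destinations that a "tunnelspecified" policy sends through the VPN session.
 smart-tunnel network INSIDE-NET ip 10.1.1.0 255.255.255.0

! Weak for the scenario in the text: with tunnelall, every connection made by the
! browser process goes through the session, so any URL the ASA does not grant
! access to simply fails to open for the user.
group-policy CLIENTLESS-GP attributes
 webvpn
  smart-tunnel enable SSH-APPS
  smart-tunnel tunnel-policy tunnelall

! Corrected: only INSIDE-NET is sent through the session; all other browser
! traffic goes direct, so unrelated URLs still open while the tunnel is active.
group-policy CLIENTLESS-GP attributes
 webvpn
  smart-tunnel enable SSH-APPS
  smart-tunnel tunnel-policy tunnelspecified INSIDE-NET
```

After applying the corrected block, `show running-config group-policy CLIENTLESS-GP` should list the tunnelspecified policy; keep INSIDE-NET as tight as the applications in the list require, since anything in it is reachable from whatever the user's browser process starts.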
