Chapter 37 Configuring WebVPN - Cisco FirePOWER ASA 5500 series Configuration Manual

Getting Started with WebVPN
WebVPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security, to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.
The network administrator provides access to WebVPN resources to users on a group basis. Users have
no direct access to resources on the internal network.
The following sections address getting started with the configuration of WebVPN access:
• Observing WebVPN Security Precautions
• Understanding Features Not Supported for WebVPN
• Using SSL to Access the Central Site
• Authenticating with Digital Certificates
• Enabling Cookies on Browsers for WebVPN
• Managing Passwords
• Using Single Sign-on with WebVPN

Observing WebVPN Security Precautions
WebVPN connections on the security appliance are very different from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers and the precautions needed to reduce security risks.
In a WebVPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate and therefore cannot examine and validate it.
The current implementation of WebVPN on the security appliance does not permit communication with sites that present expired certificates. Nor does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate that an SSL-enabled web server presents before communicating with it.
To minimize the risks involved with SSL certificates:
1. Configure a group policy that consists of all users who need WebVPN access and enable the WebVPN feature only for that group policy.
2. Limit Internet access for WebVPN users. One way to do this is to disable URL entry. Then configure links to specific targets within the private network that you want WebVPN users to be able to access.
3. Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a WebVPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.

Understanding Features Not Supported for WebVPN
The security appliance does not support the following features for WebVPN connections:
• Inspection features under the Modular Policy Framework, inspecting configuration control.
• Functionality the filter configuration commands provide, including the vpn-filter command.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01
Chapter 37 Configuring WebVPN
37-2
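The following ASA CLI fragment is an added illustration of precautions 1 and 2 above (a dedicated WebVPN group policy, URL entry disabled, administrator-defined links only); it is not configuration taken from the guide. The policy names WEBVPN-USERS and EMPLOYEES-IPSEC, the list name INTRANET-LINKS, the interface name outside and the example.com hostnames are constructed, and the command syntax follows the ASA 7.x WebVPN CLI, so check it against the release in use.

```cisco
! Added example, not from the guide. Names, interface and URLs are constructed.
! Enable the WebVPN server on the interface remote users reach.
webvpn
 enable outside
!
! The only links WebVPN users may open; all point inside the private network.
url-list INTRANET-LINKS "Intranet Portal" https://intranet.example.com
url-list INTRANET-LINKS "Time Reporting" https://time.example.com
!
! Precaution 1: one group policy holds every WebVPN user, WebVPN is the only
! tunnel protocol it permits, and no other group policy enables WebVPN.
group-policy WEBVPN-USERS internal
group-policy WEBVPN-USERS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  ! Precaution 2: no free-form URL entry, so users cannot reach arbitrary
  ! SSL sites through the proxy whose certificates they can never inspect...
  url-entry disable
  ! ...only the administrator-defined internal links are reachable.
  url-list value INTRANET-LINKS
!
! Policy for remaining remote users: IPSec only, WebVPN stays disabled.
group-policy EMPLOYEES-IPSEC internal
group-policy EMPLOYEES-IPSEC attributes
 vpn-tunnel-protocol ipsec
```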
