Configuring A Certificate For Signing Rewritten Java Content - Cisco FirePOWER ASA 5500 series Configuration Manual

Optimizing WebVPN Performance
Subject to the requirements of your organization and the web content involved, you might use one of
these features.

Configuring a Certificate for Signing Rewritten Java Content

Java objects which have been transformed by WebVPN can subsequently be signed using a PKCS12
digital certificate associated with a trustpoint. You import and employ the certificate using a combination
of the crypto ca import and java-trustpoint commands.
The following example commands show the creation of a trustpoint named mytrustpoint and its
assignment to signing Java objects:
hostname(config)# crypto ca import mytrustpoint pkcs12 mypassphrase
Enter the base 64 encoded PKCS12.
End with the word "quit" on a line by itself.
[ PKCS12 data omitted ]
quit
INFO: Import PKCS12 operation completed successfully.
hostname(config)# webvpn
hostname(config)# java-trustpoint mytrustpoint
hostname(config)#
Disabling Content Rewrite
You might not want some applications and web resources, for example, public websites, to go through
the security appliance. The security appliance therefore lets you create rewrite rules that let users browse
certain sites and applications without going through the security appliance. This is similar to
split-tunneling in an IPSec VPN connection.
Use the rewrite command with the disable option in webvpn mode to specify applications and resources
to access outside a WebVPN tunnel.
You can use the rewrite command multiple times. The order number of rules is important because the
security appliance searches rewrite rules by order number, starting with the lowest, and applies the first
rule that matches.
Using Proxy Bypass
You can configure the security appliance to use proxy bypass when applications and web resources work
better with the special content rewriting this feature provides. Proxy bypass is an alternative method of
content rewriting that makes minimal changes to the original content. It is often useful with custom web
applications.
You can use this command multiple times. The order in which you configure entries is unimportant. The
interface and path mask or interface and port uniquely identify a proxy bypass rule.
If you configure proxy bypass using ports rather than path masks, depending on your network
configuration, you might need to change your firewall configuration to allow these ports access to the
security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks can
change, so you might need to use multiple pathmask statements to exhaust the possibilities.
A path is everything in a URL after the .com or .org or other types of domain name. For example, in the
URL www.mycompany.com/hrbenefits, hrbenefits is the path. Similarly, for the URL
www.mycompany.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr
sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*.
To configure proxy bypass, use the proxy-bypass command in webvpn mode.
Cisco Security Appliance Command Line Configuration Guide
37-28
Chapter 37 Configuring WebVPN
OL-10088-01