Cisco ASA Series Cli Configuration Manual page 1847

Software version 9.0 for the services module

Chapter 1
Configuring Clientless SSL VPN
Configuring Browser Access to Plug-ins
Restrictions
Note: The remote desktop protocol plug-in does not support load balancing with a session broker. Because of the way the protocol handles the redirect from the session broker, the connection fails. If a session broker is not used, the plug-in works.
The plug-ins support single sign-on (SSO). They use the same credentials entered to open the clientless SSL VPN session. Because the plug-ins do not support macro substitution, you do not have the options to perform SSO on different fields such as the internal domain password or on an attribute on a RADIUS or LDAP server.
A stateful failover does not retain sessions established using plug-ins. Users must reconnect following a failover.
If you use stateless failover instead of stateful failover, clientless features such as bookmarks, customization, and dynamic access-policies are not synchronized between the failover ASA pairs. In the event of a failover, these features do not work.

Preparing the Security Appliance for a Plug-in
Before installing a plug-in, prepare the ASA as follows:
Prerequisites
Make sure clientless SSL VPN ("webvpn") is enabled on an ASA interface.
Restrictions
Do not specify an IP address as the common name (CN) for the SSL certificate. The remote user attempts to use the FQDN to communicate with the ASA. The remote PC must be able to use DNS or an entry in the System32\drivers\etc\hosts file to resolve the FQDN.
Detailed Steps
Step 1
Command: show running-config
Purpose: Shows whether webvpn is enabled on the ASA.
Step 2
Command: Install an SSL certificate onto the ASA interface
Purpose: Provides a fully-qualified domain name (FQDN) for remote user connection.

Go to the section that identifies the type of plug-in you want to provide for clientless SSL VPN access.
Installing Plug-ins Redistributed By Cisco, page 1-40
Providing Access to a Citrix XenApp Server, page 1-42
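
An added example, not from the Cisco guide: a Python pre-flight check that applies the prerequisite and the restriction above to a saved copy of show running-config output and to the common name planned for the certificate. The sample configuration, the interface name outside and the function names are constructed for illustration; it assumes webvpn is enabled by an "enable <interface>" line under the top-level webvpn block.

```python
import ipaddress
import re

# Constructed sample of saved `show running-config` output (not from the guide).
SAMPLE_CONFIG = """\
hostname asa1
interface GigabitEthernet0/0
 nameif outside
!
webvpn
 enable outside
 anyconnect enable
!
"""

LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def webvpn_interfaces(running_config):
    """Interfaces named by `enable <nameif>` inside the top-level webvpn block."""
    found, in_webvpn = [], False
    for line in running_config.splitlines():
        if not line.startswith(" "):      # unindented line starts a new block
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn:
            m = re.fullmatch(r"enable\s+(\S+)", line.strip())
            if m:
                found.append(m.group(1))
    return found

def cn_problem(common_name):
    """Return why the CN breaks the restriction above, or None if it is an FQDN."""
    cn = common_name.strip().rstrip(".")
    try:
        ipaddress.ip_address(cn)          # accepts IPv4 and IPv6 literals
        return "CN is an IP address; use the FQDN that remote users connect to"
    except ValueError:
        pass
    labels = cn.split(".")
    if len(labels) < 2 or labels[-1].isdigit() or not all(map(LABEL.fullmatch, labels)):
        return "CN is not a fully-qualified domain name"
    return None

def preflight(running_config, interface, common_name):
    """Collect every unmet prerequisite or restriction; empty list means ready."""
    issues = []
    if interface not in webvpn_interfaces(running_config):
        issues.append(f"webvpn is not enabled on interface {interface}")
    if (problem := cn_problem(common_name)):
        issues.append(problem)
    return issues
```

An empty list from preflight() means both conditions hold; the check does not confirm that remote PCs can resolve the FQDN, which still has to be verified through DNS or the hosts file.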
Cisco ASA Series CLI Configuration Guide
1-39
