CISCO ASA - WebVPN Policies
Creating and applying WebVPN Policies
Creating and applying WebVPN policies that govern access to resources at the central site involves:
- creating port-forwarding lists, URL lists and access lists in global configuration mode (port-forward, url-list and access-list commands)
- assigning those lists to group policies and users in group-policy or username mode
- enabling WebVPN features for group policies and users (functions command)
- assigning users to group policies (either the internal user database or a RADIUS server can return the group policy for a user)
WebVPN supports its own tunnel-group attributes in addition to the common tunnel-group attributes. There are likewise WebVPN-specific attributes for group policies and for users; a setting made in username mode overrides the same setting inherited from the group policy.
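The four steps above, carried through as one complete configuration. This is an added example, not configuration from the original page: the list names, ACL name, group-policy and tunnel-group names, addresses, hostnames and the user password are all constructed for illustration. The lists are created globally, attached to a group policy, refined per user, and the tunnel group hands logged-in users the group policy by default.

```cisco
! Added example (not the page's own configuration). Names, addresses
! and the password are constructed.
!
! 1. Global configuration mode: lists and a webtype ACL.
!    The webtype ACL limits what the portal will proxy for the user.
access-list WEBVPN-ENG webtype permit url https://intranet.example.com/*
access-list WEBVPN-ENG webtype permit url https://tickets.example.com/*
access-list WEBVPN-ENG webtype permit tcp host 10.1.1.20 eq 22
access-list WEBVPN-ENG webtype deny url any
!    URL list: bookmarks shown on the portal home page.
url-list ENG-LINKS Intranet-Portal https://intranet.example.com/
url-list ENG-LINKS Ticket-System https://tickets.example.com/
!    Port-forwarding list: local port on the client -> remote server:port.
port-forward ENG-PF 2222 10.1.1.20 22 SSH-to-jumphost
!
! 2. Group-policy webvpn mode: assign the lists and enable features.
!    auto-download makes the port-forwarding applet start without the
!    user clicking Start Application Access.
group-policy ENGINEERING internal
group-policy ENGINEERING attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry port-forward auto-download
  url-list value ENG-LINKS
  port-forward value ENG-PF
  filter value WEBVPN-ENG
!
! 3. Username webvpn mode: a per-user override. bob inherits the
!    ENGINEERING policy but gets no port forwarding.
username bob password Bob-Example-Pw1
username bob attributes
 vpn-group-policy ENGINEERING
 webvpn
  functions url-entry
  port-forward none
!
! 4. Tunnel group: users logging in through it are authenticated against
!    the LOCAL database and receive ENGINEERING unless their user record
!    (or, with RADIUS instead of LOCAL, the Class attribute the server
!    returns as "OU=<group-policy-name>;") says otherwise.
tunnel-group ENG-TG type webvpn
tunnel-group ENG-TG general-attributes
 authentication-server-group LOCAL
 default-group-policy ENGINEERING
!
! 5. Finally enable WebVPN on the interface users connect to.
webvpn
 enable outside
```

The webtype ACL is the piece most often forgotten: without a filter, a user with url-entry enabled can type any URL into the portal and have the appliance fetch it from the inside network. The deny at the end of the ACL makes the policy explicit.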
Port Forwarding Applet
To run a remote application over WebVPN, a user clicks Start Application Access on the WebVPN home page to download and start a port-forwarding Java applet. To simplify application access, you can configure WebVPN to download the port-forwarding applet automatically: in group-policy webvpn mode, enter the functions command with the auto-download option.
Note: close the Application Access window properly when you finish using Application Access. When you start Application Access, WebVPN modifies the client's hosts file, adding WebVPN-specific entries that point the configured hostnames at the local applet. Stopping Application Access by closing the Application Access window properly returns the file to its original state; if the window or the browser is killed instead, the WebVPN entries remain in the hosts file until they are removed.
File Access
The CIFS protocol gives users network access to files, printers and other machine resources. WebVPN serves remote users HTTPS portal pages that interface with a proxy CIFS client running on the security appliance. Using this client, WebVPN gives users network access to files on the network. The client is transparent: the portal page delivered by WebVPN gives the appearance of direct access to the file system. When a client requests a list of files, WebVPN queries the server designated as the master browser for the IP address of the server that holds the file list. The security appliance gets the list and delivers it to the remote user on a portal page.
Note: the security appliance requires a master browser or WINS server, typically on the same network as the security appliance or reachable from that network, to query the network for a list of servers when the remote user clicks Browse Network on the WebVPN home page or toolbar. If you do not specify a master browser, the alternative is to publish a share directly with the url-list command in global configuration mode or in webvpn mode:
url-list listname displayname cifs://ServerA/ShareX/
To allow Browse Network, follow these steps:
Step 1: in tunnel-group webvpn-attributes mode, enter the nbns-server command once for each NetBIOS Name Server (NBNS), flagging the master browser with the master keyword:
nbns-server {IPaddress | hostname} [master] [timeout timeout] [retry retries]
(config-tunnel-webvpn) nbns-server 192.168.1.20 master
(config-tunnel-webvpn) nbns-server 192.168.1.30
(config-tunnel-webvpn) nbns-server 192.168.1.40
Step 2: to enable file access, file browsing and manual file-server entry on the security appliance, enter the functions command in group-policy webvpn mode (or in username webvpn mode for a single user):
(config-group-webvpn) functions file-access file-browsing file-entry
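Both steps together, plus the no-master-browser alternative from the note above, as an added example rather than configuration from the page. The tunnel-group and group-policy names, the NBNS addresses and the share path are constructed; the timeout and retry values are chosen for illustration.

```cisco
! Added example (not the page's own configuration). Names, addresses
! and the share path are constructed.
!
! Step 1 - NBNS servers belong to the tunnel group. The entry marked
! master is the one the appliance asks for the server list when a user
! clicks Browse Network; the others are queried for name resolution.
tunnel-group ENG-TG type webvpn
tunnel-group ENG-TG webvpn-attributes
 nbns-server 192.168.1.20 master timeout 4 retry 3
 nbns-server 192.168.1.30
 nbns-server 192.168.1.40
!
! Step 2 - the functions live in the group policy. file-browsing is
! what makes Browse Network work; file-entry lets the user type a
! server name by hand; file-access is required for either.
group-policy ENGINEERING attributes
 webvpn
  functions file-access file-browsing file-entry
!
! Alternative when no master browser or WINS server is reachable from
! the appliance: publish the share as a CIFS bookmark. The user opens it
! from the portal without browsing the network. Assumed here: file-access
! is still needed for the bookmark to work; file-browsing and file-entry
! are not, so a tighter policy can omit them.
url-list ENG-FILES Project-Share cifs://192.168.1.50/projects/
group-policy ENGINEERING-FILES internal
group-policy ENGINEERING-FILES attributes
 webvpn
  functions file-access
  url-list value ENG-FILES
```

Verify with a test user: Browse Network should return the server list within the configured timeout; if it comes back empty, check that the master entry is a host that actually holds the browse list for that subnet and that UDP 137/138 from the appliance to it is not filtered.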
Citrix MetaFrame Services
WebVPN users can use a connection to the security appliance to access Citrix MetaFrame services. In this configuration, the security appliance functions as the Citrix Secure Gateway.
WebVPN with PDA
You can access WebVPN from a Pocket PC or other PDA. Neither the security appliance administrator nor the WebVPN user needs to do anything special to use WebVPN with a certified PDA.
Warning: some differences exist in the PDA version of WebVPN.
Using E-Mail over WebVPN
WebVPN supports several ways to access e-mail:
- e-mail proxy
- MAPI (MS Outlook to Exchange)
- web e-mail (MS Outlook Web Access)
To use the MS Outlook/Exchange (MAPI) proxy, you must enable it on the security appliance with the functions command, which is a group-policy webvpn command:
(config) group-policy group-policy-name attributes
(config-group-policy) webvpn
(config-group-webvpn) functions mapi
Customizing WebVPN Pages
You can change the appearance of the WebVPN pages displayed to WebVPN users. This includes the Login page displayed when users connect to the security appliance, the Home page displayed after the security appliance authenticates them, the Application Access window displayed when users launch an application, and the Logout page displayed when users log out of the WebVPN service.
After you customize the WebVPN pages, you can save your customization and apply it to a specific tunnel group, group policy, or user. You can create and save many customizations, so the security appliance can change the appearance of WebVPN pages for individual users or groups of users.
To reach the customization commands, enter webvpn mode and select a customization profile:
(config) webvpn
(config-webvpn) customization profile_name
(config-webvpn-custom)
For example, to use a different logo on the login page:
(config-webvpn-custom) logo file disk0:/xxxx.xxx
Note 1: many WebVPN customization commands take a style option. Its value is any valid Cascading Style Sheet (CSS) parameter string.
Note 2: to customize the WebVPN pages more easily, we recommend ASDM, which has convenient features for configuring style elements, including color swatches and a preview.
After you create a customization, you can apply it to a tunnel group, a group policy, or a user with the customization command. The options this command shows differ depending on the mode you are in.
To apply a customization to a group policy:
(config) group-policy group_name attributes
(config-group-policy) webvpn
(config-group-webvpn) customization value customization_profile_name
To apply a customization to a user :
(config) username user_name attributes
(config-username) webvpn
(config-username-webvpn) customization value customization_profile_name
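The tunnel-group case, which the text mentions but does not show, together with the style option from Note 1, as an added example rather than the page's own configuration. The profile name, logo file name, tunnel-group name and CSS values are constructed; the statement about which page each level affects is an assumption based on Cisco's documentation of the customization command, not something this page states.

```cisco
! Added example (not the page's own configuration). Profile name, logo
! file and CSS values are constructed.
webvpn
 customization ENG-PORTAL
  logo file disk0:/eng-logo.gif
  ! title text sets the banner; title style takes a plain CSS string
  title text "Engineering Remote Access"
  title style "font-family:Verdana,Arial,sans-serif;color:#ffffff;background-color:#003366"
  page style "background-color:#f0f0f0"
!
! Applied at the tunnel-group level: in tunnel-group webvpn-attributes
! mode the command takes the profile name directly, with no "value"
! keyword (assumption: the tunnel-group customization governs the login
! page, since the group policy and user are not known until after
! authentication; the group-policy or username customization applies to
! the pages shown afterwards).
tunnel-group ENG-TG webvpn-attributes
 customization ENG-PORTAL
```

Keep the CSS conservative: the style strings are emitted into the portal pages as-is, so a typo in a value breaks the layout for every user of that tunnel group, and ASDM's preview is the quickest way to catch it.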
Notes:
A tunnel group consists of a set of records that determine tunnel connection policies. These records identify the servers against which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent.