-
RDP ActiveX clientless SSL VPN on Windows 8.1
Hi all
I have an ASA 5510 with a clientless SSL VPN configured. We have a few pre-configured bookmarks and prevent users from opening their own URLs. We have the RDP plugin rdp_09.11.2012.jar installed.
When a user running Windows 8.1 clicks one of the bookmarks, they get a message from IE that Java is not installed. In all other scenarios I tested (WinXP + IE8; Win 7 + IE10 and IE11), clicking the bookmark starts the ActiveX plugin.
How do I get this to work on Win 8.1 + IE11? It feels like a client-side setting.
Thank you.
Hello.
First of all, IE11 is not officially supported by the ASA yet.
Ref: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html
But if you put the portal in compatibility mode you should be able to use the ActiveX again.
In Internet Explorer click Tools and look for the Compatibility Mode settings.
In addition, you must use the desktop version of IE and not the Metro one.
Best regards, Søren.
-
(Browser) Clientless SSL VPN access is not allowed.
I'm trying to set up an additional AnyConnect VPN profile. I have one that is working properly, but this new one will not. When I try to log in to download the client, or try to connect from a computer that already has the client, I cannot.
The client side receives this error: "(Browser) Clientless SSL VPN access is not allowed."
In the ASA log:
4 May 10 2010 11:42:17 722050 Group User <> IP <10.12.x.x> Session terminated: SVC not enabled for the user.
4 May 10 2010 11:42:17 113019 Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
It does reference our main IPsec connection group name, which I think is very strange. Here's the part of my config that deals with the SSL client.
tunnel-group SSL-RDP-Only type remote-access
tunnel-group SSL-RDP-Only general-attributes
 address-pool SSL_VPN_Users
 authentication-server-group FUN-LDAP
 default-group-policy SSL-RDP
tunnel-group SSL-RDP-Only webvpn-attributes
 group-alias VPN_FUN enable
 group-url https://64.244.9.X/VPN_FUN enable
group-policy SSL-RDP internal
group-policy SSL-RDP attributes
 vpn-filter value RDP_only
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RDPonlyVPN_splitTunnelAcl
 webvpn
  url-list none
  svc ask none default svc
access-list RDPonlyVPN_splitTunnelAcl standard permit 10.12.x.0 255.255.255.0
access-list RDP_only remark RDP access to .x
access-list RDP_only extended permit tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
ip local pool SSL_VPN_Users 10.12.20.1-10.12.20.100 mask 255.255.255.255
After reviewing the config, the difference between the AnyConnect and SSL-RDP-Only groups is the AAA server.
The AnyConnect group uses a RADIUS server for authentication (RAS01), while the SSL-RDP-Only group uses an LDAP server for authentication (FUN-LDAP), and in the configuration of the FUN-LDAP server you configure an LDAP attribute map, which maps the group "An1meR0xs".
To test, change the AAA authentication from LDAP to RADIUS for the newly created group.
Hope that helps.
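As an added example (this is not the poster's configuration and not Cisco's sample config), here is what the LDAP side of the reply looks like: an attribute map that hands a group policy to the user, with the setting that produces the 722050 "SVC not enabled for the user" message shown beside the one that works. The map name, host address, DNs, password and the WEB-ONLY policy are assumed placeholders.

```cisco
! Added example, not from the thread. All names and addresses are placeholders.
!
! 1. Map the AD group to a group policy name (ASA 8.2+ attribute "Group-Policy").
ldap attribute-map FUN-LDAP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=An1meR0xs,OU=Groups,DC=example,DC=com" SSL-RDP
!
! 2. Attach the map to the LDAP server used by the SSL-RDP-Only tunnel-group.
aaa-server FUN-LDAP protocol ldap
aaa-server FUN-LDAP (inside) host 10.12.x.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password placeholder-password
 server-type microsoft
 ldap-attribute-map FUN-LDAP-MAP
!
! 3a. A policy like this (assumed) is what triggers %ASA-4-722050: the user
!     authenticates, is mapped here, and the AnyConnect (svc) session is refused
!     because svc is not in the allowed tunnel protocols.
group-policy WEB-ONLY internal
group-policy WEB-ONLY attributes
 vpn-tunnel-protocol webvpn
!
! 3b. The policy the map should hand out: svc is permitted, so the AnyConnect
!     download and the full-tunnel session are allowed.
group-policy SSL-RDP attributes
 vpn-tunnel-protocol svc webvpn
```

To confirm what the map resolves to without a client, run `test aaa-server authentication FUN-LDAP username <user> password <pass>` from the ASA CLI with `debug ldap 255` enabled; the debug output prints the memberOf values returned by the server and the group policy the map selected, which is the quickest way to tell whether a user is landing in a policy that lacks `svc`.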
-
Contractor and employee access to an in-house web site using clientless SSL VPN
We have a clientless web SSL VPN setup that allows employees and vendors to connect and view an internal web page. I wonder if it is possible to separate employees and contractors accessing internal pages. The internal web page has no user authentication. They would like to see if it is possible for employee traffic to be proxied behind the ASA INSIDE interface IP and contractor traffic to be proxied behind a different IP address. That way the internal web page can check the IP for contractors and only give them access to view certain web pages, but not all pages.
Hello
Creating a group policy for each user group would be a good option; you can also use DAP to assign a web ACL to the user who logs on to the clientless portal. You can use RADIUS, LDAP or Cisco attributes to associate the DAP with the user. For example, if you are using LDAP, you can create 2 separate groups for employees and contractors, and based on the user's LDAP group membership they will be assigned the specific web ACL configured according to their access restrictions.
You can follow this link to set up a web ACL:
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...
Once the ACL is ready, you can follow this guide to configure the DAP (check the web ACLs, figure 10):
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Thank you, please rate!
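The per-population web ACLs the reply describes, as an added example (not the poster's config and not Cisco's documentation sample). The hostname, ACL names and group-policy names are assumed placeholders; the point is that a webtype ACL filters the URLs the portal will proxy, so the internal site no longer has to distinguish users by source IP.

```cisco
! Added example, not from the thread. Names and hostnames are placeholders.
!
! Employees may reach the whole intranet site over either scheme.
access-list EMPLOYEES-WEB webtype permit url http://intranet.example.com/*
access-list EMPLOYEES-WEB webtype permit url https://intranet.example.com/*
!
! Contractors may reach only the contractor area. A webtype ACL ends with an
! implicit deny; the explicit deny is kept so the intent is visible in the config.
access-list CONTRACTORS-WEB webtype permit url https://intranet.example.com/contractors/*
access-list CONTRACTORS-WEB webtype deny url any
!
! One clientless group policy per population, each carrying its own web filter.
group-policy EMPLOYEES internal
group-policy EMPLOYEES attributes
 vpn-tunnel-protocol webvpn
 webvpn
  filter value EMPLOYEES-WEB
!
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol webvpn
 webvpn
  filter value CONTRACTORS-WEB
```

Which policy a user lands in is decided by the mechanism the reply names: an LDAP attribute map on memberOf, a RADIUS attribute, or a DAP record that matches the group and applies the ACL directly. Whichever is used, a contractor who types an employee-only URL into the portal gets the ASA's own "access denied" page and the request never reaches the web server.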
-
Some Windows file shares not visible through the clientless SSL VPN
Hello
I have an ASA 5505 with the SSC module and was able to get the SSL VPN up and running, but for some reason some of the shared folders do not appear when I connect. I checked the permissions on the shared folders that don't show up against those that do, and they are exactly the same.
Thank you
Chauncey
Don't forget to rate the posts that helped you and mark the thread as resolved if this addressed the issue. Thank you!
-
Clientless SSL VPN access to HP iLO
Equipment:
ASA5505
Clientless SSL VPN access is configured and works fine for everything except connectivity to an HP iLO. When I go to the http address I see the redirect page, but as soon as it reaches the https page I get the following text:
"Server 192.168.10.252 unavailable."
It happens on all HP iLO web sites that I try to connect to.
Here is my debug config:
debug webvpn html 255
debug webvpn request 255
debug webvpn response 255
debug webvpn url 255
debug webvpn util 255
When I try to reach the site, I get the following:
#0XCB4DC9C0 (GET). Request line:/+CSCO+0075676763663A2F2F697A7679622E716E79766176662E7962706E79++/login.htm
#0xcb4dc9c0 hand-off to CTE.
#0XCB4DC3C0 (GET). Request line:/+CSCOE+/portal.css
Start #0xcb4dc3c0 (response)
#0xcb4dc3c0 of the file to run: /+CSCOE+/portal.css
#0xcb4dc3c0 (answer) Manager open file [/ + CSCOE + / portal.css]
#0xcb4dc3c0 (answer) page treatment LUA.
#0xcb4dc3c0 (answer) finished, persistent connection.
#0XCB4DCCC0 (GET). Request line:/+CSCOU+/gradient.gif
Start #0xcb4dccc0 (response)
#0xcb4dccc0 of the file to run: /+CSCOU+/gradient.gif
#0xcb4dccc0 (answer) Manager open file [/ + CSCOU + / gradient.gif]
#0xcb4dccc0 (answer) treatment C page.
#0xcb4dccc0 (answer) finished, persistent connection.
As you can see, it does not give much information. I don't really know why it fails only with HP iLO but works with everything else. Any help would be greatly appreciated. Thank you.
Gus
Not exactly sure how the HP iLO application works, but if it calls Java this will cause your issue, because you are only allowing http or https through the clientless portal. Try enabling smart tunnel and allow java.exe on your local computer to use the smart tunnel. This will force your local Java client to be sent through the tunnel via SSL (443).
Sent from Cisco Technical Support iPad App
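The smart-tunnel setup the reply suggests, as an added example rather than the poster's or Cisco's configuration. The list name and group-policy name are assumed placeholders; `java.exe` is the process the reply names, and a smart-tunnel entry matches on the executable's basename, so no path is given.

```cisco
! Added example, not from the thread. ILO-APPS and CLIENTLESS-ILO are placeholders.
!
! 1. Define the list of local processes whose TCP connections the portal may
!    carry. Format: list-name, display-name, executable. Only java.exe is added,
!    so an ordinary browser session stays on the rewriting proxy.
webvpn
 smart-tunnel list ILO-APPS JavaClient java.exe
!
! 2. Turn the list on for the policy the iLO users are in. The smart-tunnel
!    helper is pushed to the client at login and java.exe's sockets are then
!    relayed over the existing TLS session on 443, so the applet reaches the
!    iLO directly instead of through the HTML rewriter that is failing here.
group-policy CLIENTLESS-ILO attributes
 webvpn
  smart-tunnel enable ILO-APPS
```

Two checks after applying it: `show running-config webvpn` should list the smart-tunnel entry, and a fresh portal login (the helper is installed at session start, so an existing session will not pick it up) should show the smart-tunnel icon in the portal toolbar before the iLO bookmark is opened. If the applet still fails, re-run the `debug webvpn request 255` output from the question; a request that is being smart-tunneled no longer appears there at all, which itself confirms the traffic has moved off the rewriter.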
-
Questions about clientless SSL VPN portals
If you use the portal for RDP Remote Desktop access, do you have to use the Remote Desktop plugin that works through your browser, or can you also use a regular Remote Desktop RDP application running on your device once the connection is established?
Does clientless VPN through the web portal allow the same client checks (domain membership, MAC address check, certificate authentication etc.) that you can do when a client uses the AnyConnect client?
Do the client checks and use of the web portal depend on the client connecting from a Windows operating system with Java or ActiveX?
If you use the portal for RDP Remote Desktop access, do you have to use the Remote Desktop plugin that works through your browser, or can you also use a regular Remote Desktop RDP application running on your device once the connection is established?
You will need to use the RDP plugin. If you want to use the normal RDP application, then you must use the AnyConnect VPN client.
Does clientless VPN through the web portal allow the same client checks (domain membership, MAC address check, certificate authentication etc.) that you can do when a client uses the AnyConnect client?
It supports certificate authentication. Regarding domain membership checks, do you mean in terms of client authentication when you use RADIUS or TACACS+? I don't think MAC authentication is supported.
Do the client checks and use of the web portal depend on the client connecting from a Windows operating system with Java or ActiveX?
For the clientless VPN the operating system is irrelevant, but the browser is. I think the supported browsers are Internet Explorer, Firefox and Safari. Java is required.
http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/configuration_guide/config/vpn_proc.html
--
Please do not forget to select a correct answer and rate useful posts
-
Clientless SSL VPN - Source interface when traffic leaves firewall
Hi all
I'm trying to implement rules in my WAN perimeter firewall for all traffic coming from the Internet firewall VPN.
So the Internet firewall is also the VPN endpoint. The user connects to the Internet firewall through clientless WebVPN and goes through several bookmarks that point to the customer's WAN servers.
Now, I have a network firewall that must act as a second layer to filter traffic. I therefore have to add allow rules for all the bookmarks that users access through to the WAN. The question here is: what would be the source IP address of the traffic coming from the Internet ASA and going to the bookmark/WAN server? Would it be the outside (Internet) interface or the inside interface?
Thank you!
Kind regards
Riou
Hey riri,.
Referring to this document, it states:
"In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and the target web server."
This implies that the ASA will act as a proxy for the WebVPN user's request to the destination. This proxy request will depend on the reachability of the destination server. If the resources are reached via the inside interface, then the source will be the inside interface, and likewise the DMZ interface if the resources are accessed through the DMZ.
I tested it, but for your confirmation you can run a Wireshark capture on the LAN interfaces and you will see the HTTP requests being proxied by the ASA's LAN interfaces.
Kind regards
Dinesh Moudgil
PS: Please rate helpful posts.
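The capture the reply recommends can be taken on the ASA itself rather than with Wireshark on the LAN; this is an added example, not the reply's own commands. `10.0.0.20` stands for one bookmark server and is a constructed placeholder, as is the TFTP address.

```cisco
! Added example, not from the thread. 10.0.0.20 and 10.0.0.5 are placeholders.
!
! 1. Capture only what the proxy sends to the bookmark server, on the interface
!    the server sits behind. Replace "inside" with the DMZ interface name if the
!    bookmark server is in the DMZ.
capture WEBVPN-SRC interface inside match tcp any host 10.0.0.20 eq 80
!
! 2. Open the bookmark from the clientless portal, then read the capture.
!    The TCP SYN toward 10.0.0.20:80 carries the ASA's own inside interface
!    address as its source, not the user's public IP and not the outside IP.
!    That source address is what the second-layer WAN firewall rule must permit.
show capture WEBVPN-SRC
!
! 3. Optional: export for Wireshark, then remove the capture so it does not
!    keep consuming buffer memory.
copy /pcap capture:WEBVPN-SRC tftp://10.0.0.5/webvpn-src.pcap
no capture WEBVPN-SRC
```

Because the rewriting proxy originates the connection from the egress interface address, every clientless user appears to the downstream firewall as that one address; the firewall cannot tell users apart, so per-user restriction has to happen on the ASA (webtype ACLs or DAP) rather than on the WAN firewall.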
-
Cannot run .jsp page through WebVPN (Clientless SSL VPN).
Hello
I can't access a portal that is a .jsp page through the WebVPN.
With Internet Explorer, I get the following error: (Stop running this script? [...])
When I say 'No' I get an empty page. Same thing if I click 'Yes'.
With Firefox, I get a blank page without any error message.
The VPN is an ASA 5510 running version 8.0(4)39.
Is this a limitation of the clientless VPN? A bug? Does anyone have an idea how to solve this problem?
Thank you!
Pascal
Please enable smart tunneling on the bookmark in question and test again.
-
Hairpinning with clientless SSL VPN
Hello
I found this
https://supportforums.Cisco.com/thread/2066799, but it was never answered, so I would like confirmation, or a link to somewhere that shows whether this is possible.
We have a centrally managed firewall and must be able to access resources on remote sites without needing end-to-end VPN. I've implemented a number of hairpin configurations, but I don't know how to do this when no IP is assigned.
Thank you
Steve
I seem to have missed answering the previous thread you found.
In any case, you can follow my notes written in that post. Also, to answer Jeremy's question: no, it will not interfere with the remote end thinking that the communication is for the public, because the crypto ACL on the ASA will say "outside interface IP to the remote LAN", and the remote end will say "remote LAN to the ASA outside IP".
If the crypto ACL said "ASA public IP to the peer public IP" then it would interfere and would not work, but because the ACL above goes from the public IP to the remote LAN, it's OK.
Hope that helps.
-
clientless ssl vpn
Hi guys,
I have a portal up and running on an ASA 5520 running OS 8.2.5. Everything works fine, but I would like to use the onscreen keyboard feature. I went to turn it on in the portal customization, but without success. Do I need to enable anything else?
Thank you
Jonathan
Are you sure that it does not work? Did you try putting the cursor in the username field and starting to type? I tried it, and it does not show the keyboard until you place the cursor in the username or password field.
-
After Windows Update KB2675157, ActiveX RDP through SSL VPN stops working
We have a Cisco ASA 5510 with a Clientless SSL VPN portal. I just found out that after installing the latest Microsoft updates, RDP bookmarks have stopped working. It keeps asking me to install the Cisco Port Forwarder control and then returns to the home page. I changed all the security settings and tried to install the control manually, but nothing works. Finally, I found that after uninstalling the Internet Explorer 8 update KB2675157 it works again.
Is this a known issue?
I just tested it on Windows XP with IE 8; I don't know if the problem occurs on other platforms.
Good afternoon
The issue you are running into is not caused by KB2675157. This behavior was deliberately introduced by KB 2695962.
As stated in:
http://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/Cisco-SA-20120314-AsaClient
The Cisco PSIRT asked Microsoft to set the global kill bit for the Cisco Port Forwarder ActiveX control on March 14, 2012. Microsoft pushed the kill bit for the vulnerable control in the May 2012 Patch Tuesday batch (May 8, 2012).
Customers must move to one of the recommended versions listed below, or a later one. The recommended versions include fixes for the issues disclosed in the Cisco Security Advisory "Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability" as well as those identified in the ASA client notice.
Affected version | First fixed version | Recommended version
Cisco ASA 7.0 | Not vulnerable | Migrate to 7.2 or later
Cisco ASA 7.1 | Vulnerable | Vulnerable; migrate to 7.2 or later
Cisco ASA 7.2 | 7.2(5.6) | 7.2(5.7)
Cisco ASA 8.0 | 8.0(5.26) | Migrate to 8.2(5.26) or later
Cisco ASA 8.1 | 8.1(2.53) | Migrate to 8.2(5.26) or later
Cisco ASA 8.2 | 8.2(5.18) | 8.2(5.26)
Cisco ASA 8.3 | 8.3(2.28) | Migrate to 8.4(3.8) or later
Cisco ASA 8.4 | 8.4(2.16) | 8.4(3.8)
Cisco ASA 8.5 | Not vulnerable | 8.5(1.7)
Cisco ASA 8.6 | 8.6(1.1) | 8.6(1.1)
Once the affected control has been upgraded by starting a clientless VPN session to an ASA running the fixed software, it will be used in all sessions, including those to ASA devices that cannot run the updated software.
Cheers,
-Troy
-
Unexpected behavior with clientless SSL VPN and smart tunnels on ASA 5510
Hi there, hope someone can help.
I am able to set up a smart tunnel for an application and everything works fine, however...
Without smart tunnel, the user must navigate the portal interface (because of how it encapsulates URLs and basically acts as a proxy); that is all well and good and the expected behavior. If a user does not enter a URL in the portal URL entry (only enters it in the normal address bar), it takes them outside the clientless SSL VPN portal.
Now, to the point: once a smart tunnel is started, URLs the user types in the normal address bar are not encapsulated in the device URL, although they are still routed through our network (and note, the smart tunnel application is not the browser, which is IE). How do I know this? Sites that would be blocked by our web filter are blocked with smart tunnel on, but not without smart tunnel.
I need to know whether this is intended behavior or not, and how and why this is happening.
Thanks in advance
In my view, this is how it works. If you are referring to this doc:
https://supportforums.Cisco.com/docs/doc-6172
Smart tunnel works all or nothing. That means once you turn it on for a specific process or a specific bookmark, all your traffic for this process (and the browser you are using to open the clientless SSL session) will pass through the ASA.
Example: enable the ST option for a process or bookmark #1 (which connected using the IE session used to log in). Opening a separate instance of the IE browser will tunnel all its traffic through the ASA, if the new browser window belongs to the same process. All traffic from all tabs of this browser will be smart tunneled, even to bookmarks (i.e. bookmark #2) that are not specifically smart tunneled. You must use a different browser (i.e. Firefox) in this case if you want some of your traffic (i.e. bookmark #2) not to be smart tunneled.
I hope this helps.
-
ASA 5510 - Clientless SSL VPN - Remote Desktop
Is it possible to make a Remote Desktop connection over clientless SSL VPN with a browser? I know I can do it with the AnyConnect SSL client, but can I do it without a client?
Yes, it is possible; you must first make sure that you have uploaded the RDP plugin to the ASA. When you are editing your bookmarks, you will see an option for RDP.
-
Control SSL VPN with Cisco Cloud Web Security
We have implemented Cisco Cloud Web Security with the ASA connector and forward all port 80 and 443 traffic to the CWS tower. We have enabled HTTPS inspection, and I was wondering if there is anything we can add to the configuration that would allow us to control (allow/block) SSL VPN?
Clientless SSL VPN is not supported with Cloud Web Security; don't forget to exempt all clientless SSL VPN traffic from the ASA service policy for Cloud Web Security.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/gu...