Similar Questions

• RDP ActiveX clientless SSL VPN on Windows 8.1

  Hi all

  I have A 5510 Sec with a clientless SSL VPN configured. We have a few pre-configured bookmarks and prevented users to open its own URL. We have RDP plugin installed rdp_09.11.2012.jar.

  When a user runs Winodws 8.1 clicks one bookmarks, they receive a message from IE that Java is not installed. In all other scenarios I tested (WinXP + IE8, IE10, IE11 + Win 7 + Windows 7), by clicking on the bookmark starts the ActiveX plugin.

  How to do this work on Win 8.1 + IE11? It feels like a setting of the client.

  Thank you.

  Hello.

  First of all, IE11 is not officially supported by the asa again.

  REF. http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

  But if you put the 'portal' in a compatibility mode you should be able to use the ActiveX again.

  In Internet Explorer click Tools and search for Compatibility Mode settings.

  In addition, you must use the 'Office' of IE version and not the subway.

  Best regards, Søren.

• (Browser) clientless SSL VPN access is not allowed.

  I'm trying to set up an additional Anyconnect vpn profile.  I have one that is working properly but this news will not.  When I try to log in to download the client or try to connect with a computer that already has the customer I can not.

  The client side receives this error: "access (Browser) Clientless SSL VPN is not allowed."

  On the ASA journal:

  4 May 10, 2010 11:42:17 722050 group user <> IP <10.12.x.x>Session is over: SVC is not enabled for the user
  4 May 10, 2010 11:42:17 group 113019 =, Username =, IP = 0.0.0.0, disconnected Session. Session type:, time: 0 h: 00 m: 00s, xmt bytes: 0, RRs bytes: 0, right: unknown

  He does reference the main our ipsec connection group name.  I think it's very strange.  Here's the part of my config that treats the ssl client.

  tunnel-group type SSL - RDP remote access only
  tunnel-group SSL-RDP-Only general attributes
  address pool SSL_VPN_Users
  authentication-server-group FUN-LDAP
  Group Policy - by default-SSL-RDP
  tunnel-group SSL-RDP-Only webvpn-attributes
  enable VPN_FUN group-alias
  allow group-url https://64.244.9.X/VPN_FUN

  internal SSL - RDP group strategy
  attributes of SSL - RDP group policy
  value of VPN-filter RDP_only
  VPN-tunnel-Protocol svc webvpn
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list RDPonlyVPN_splitTunnelAcl
  WebVPN
  list of URLS no
  SVC request no svc default
  Standard access list RDPonlyVPN_splitTunnelAcl allow 10.12.x.0 255.255.255.0
  Standard access list RDPonlyVPN_splitTunnelAcl allow 10.12.x.0 255.255.255.0
  Standard access list RDPonlyVPN_splitTunnelAcl allow 10.12.x.0 255.255.255.0
  Standard access list RDPonlyVPN_splitTunnelAcl allow 10.12.x.0 255.255.255.0
  RDP_only list extended access permitted tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
  Comment by RDP_only-.x RDP access list
  RDP_only list extended access permitted tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
  Comment by RDP_only-.x RDP access list
  RDP_only list extended access permitted tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389
  Comment by RDP_only-.x RDP access list
  RDP_only list extended access permitted tcp SSLVPN-pool 255.255.255.0 10.12.x.0 255.255.255.0 eq 3389

  mask of local pool SSL_VPN_Users 10.12.20.1 - 10.12.20.100 IP 255.255.255.255

  Post edited by: kyle.southerland

  After reviewing the config, the difference between groups Anyconnect and SSL-RDP-Only is the AAA server.

  AnyConnect group uses the radius for authentication (RAS01) server, while the SSL-RDP-Only group uses an LDAP server for authentication (FUN-LDAP), and the configuration of the FUN-LDAP server, you configure the mapping of LDAP attributes, which is to map the group "An1meR0xs".

  To test, change authentication LDAP aaa RADIUS for the newly created group.

  Hope that helps.

• Problem SSL VPN Portal

  I have 2 Configuration of the SAA for AnyConnect, both are running 8.4 (2) 9. The issue I'm having is one of them opens the SSL Portal when the user passes the URL of the Group and the other does not. I don't want the portal to open the connection.

  I have a group policy configuration that inherits the AnyConnect of DfltGrpPolicy connection parameters. Connection parameter DfltGrpPolicy are

  Connection setting post "do not ask a user to choose" and

  'Download AnyConnect Client' default Post Login selection

  On the page of connection profiles AnyConnect I unchecked "allow the user to select the connection profile...". »

  and under the profile itself, I created a URL group which seems to work.

  When a user accesses the URL the portal opens and the client starts downloading immediately. On the other ASA when a user accesses the URL the gate does not open, but the client still downloads as expected.

  I know I'm missing a setting but I can't.

  Is there one setting other than the Post Login of group policy that would cause the VPN portal open?

  I'm looking at the same question.  I know it is something we are looking.  I had to go into the profiles Clientless and disable all tunneling protocols, except the SSL Client.

  It is under Clientless, group, general policy, more options, tunnelling protocols

• Clientless SSL VPN access to HP iLO

  Equipment:

  ASA5505

  Access without client configured for SSL VPN and it works fine for everything except the connectivity to a HP iLO.  When I go to the http address, I see the redirect page, but as soon as it accesses the https page, I get the following text:

  Failed connection

  Server 192.168.10.252 unavailable.

  It happens on all HP iLO web sites that I'm trying to connect.

  Here is my config for debugging:

  debugging html 255 webvpn

  debugging webvpn request 255

  debugging response 255

  debugging webvpn url 255

  debugging util 255 webvpn

  When I try to reach the site, I get the following:

  #0XCB4DC9C0 (GET). Request line:/+CSCO+0075676763663A2F2F697A7679622E716E79766176662E7962706E79++/login.htm

  #0xcb4dc9c0 hand-off to CTE.

  #0XCB4DC3C0 (GET). Request line:/+CSCOE+/portal.css

  Start #0xcb4dc3c0 (response)

  #0xcb4dc3c0 of the file to run: /+CSCOE+/portal.css

  #0xcb4dc3c0 (answer) Manager open file [/ + CSCOE + / portal.css]

  #0xcb4dc3c0 (answer) page treatment LUA.

  #0xcb4dc3c0 (answer) finished, persistent connection.

  #0XCB4DCCC0 (GET). Request line:/+CSCOU+/gradient.gif

  Start #0xcb4dccc0 (response)

  #0xcb4dccc0 of the file to run: /+CSCOU+/gradient.gif

  #0xcb4dccc0 (answer) Manager open file [/ + CSCOU + / gradient.gif]

  #0xcb4dccc0 (answer) treatment C page.

  #0xcb4dccc0 (answer) finished, persistent connection.

  As you can see, it does not give much information.  I don't really know why it works not only with HP iLO, but it works with everything else.  Any help would be greatly appreciated.  Thank you.

  Gus

  Not exactly how the HP ilo application works, but if it calls java this will cause your question because you are only allowing http or https through the client less portal. Try and activate smart tunnel and allow the java.exe on your local computer to use the smart tunnel. This will force your local java client to be sent through tunnel via ssl (443)

  Sent by Cisco Support technique iPad App

• NSX API: Download ESG SSL VPN Portal logo

  I currently use the NSX API to supply an edge on our device of NSX Manager.  I was able to do everything with the exception of downloading a custom portal logo, I have included the information from the documents below, but it does not contain what the body of the request should look like.  I feel with this information, I would be able to complete the request.  Someone had to work with it before, or anyone is VMware be able to answer this question?

  Would also be nice to see the updated documentation with how to upload files to the REST API a bit more in detail...

  Configure Portal layouts

  You can configure the web page related to the SSL VPN client layout.

  Download Logo Portal

  Download the logo of Portal from the given local path.

  Example 8-150. Download logo Portal

  Request: POST https:///API/4.0/edges//sslvpn/config/layout/images/portallogo/

  Download the Phat banner

  Download the banner of the given local path phat client. Phat banner image should in bmp format.

  Example 8-151. Download the banner phat request: POST https:///api/4.0/edges//sslvpn/config/layout/images/phatbanner

  I have tried different methods... including base64 encoded image as a body and mulipart of form data but all fail with the error below.

  HTTP status 400-

  ---

  type of Status report

  Message

  Description The request sent by the client is syntactically incorrect.

  Sorry for the delay on this one there... replace layoutFile by banner.

• access of entrepreneurs and employees of the web site in-house using clientless ssl vpn.

  We have a layout of web SSL VPN without customer who allow employees and suppliers of connection and internal display web page.  I wonder if possible separate employees and contractors to access internal pages.  The internal web page has no authentication of users.  They would like to see if it is possible that traffic employees get proxy behind interface INSIDE IP de ASA and entrepreneur behind a different IP address proxy traffic.  Thus, the internal web page can check IP to contractor and only give them access to view certain web page, but not all pages.

  Hello

  Creating a group policy for each user group will be a good option, you can also use DAP to assign an ACL web to the user who logs on the portal without client, you can use the Radius, LDAP or Cisco attributes to associate the DAP for the user. For example, if you are using LDAP, you can create 2 groups separated here for employees and entrepreneurs and based on the LDAP user group membership, they will be assigned to specific web acl configured according to their access restrictions.

  You can follow this link to set up an acl of web:

  http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa83/asdm63/Configura...

  Once the ACL is ready, you can follow this guide to configure the DAP Protocol: "check the web for acls figure10.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  Thank you, please note!

• Question about ASDM by VPN

  Hello again

  I configured ASA 5510 management through the inside interface.  When I'm in the office connected to the LAN I have no problem to launch ASDM.  However, when I'm away from the office and I connect via the Cisco SSL VPN Service I can't manage the ASA5510 even if I can access all the shared resources on the network.

  When I try to run ASDM when connected via VPN, I get the error message...  "Unable to launch the x.x.x.x Device Manager" (inside the ASA5510 address).

  The danger would be if I've already enabled the management through the outside interface?

  Ed

  Hello Edward,.

  Please change the pool to a different subnet of the interface of the ASA... Who will make the ASA a little crazy about communications between the local pool and the local subnet.

  You can add the following command example

  management-access inside

  Kind regards

  Note all useful posts

  Julio

• File shares of some non-visible windows through the clientless ssl vpn

  Hello

  I have an ASA 5505 with the SSC module and were able to get the ssl vpn upward and running, for some reason, some of the shared folders do not appear when I connect. I checked permissions for shared folders which can't be compared to those who do, and they are exactly the same.

  Thank you

  Chauncey

  Don't forget to note the positions that helped you and mark it as resolved if this addressed the issue. Thank you!

• Clientless SSL VPN w / RDP

  I have a SSL VPN configuration without client for a user and try to use the rdp with a bookmark plugin.  I bookmarked configured for rdp: / / , but when the user clicks on it, a Web page opens with an inability to display a message and a url of type https://.plugins./rdp/index.

  HTML? target = rdp: / /? csco_lang = en.  If the user clicks on the button Terminal servers and then manually selects DPR: / / and between the IP address of the server it works fine.
  Any thoughts?

  ASA v8.0 (4)

  Hello

  It seems that you have enabled the option "smart tunnel" for the RDP bookmark. Plug-ins are not supported with smart tunnels and can cause the error you see.

  Could you please make sure that the smart tunnel option is disabled and let us know if you still see this problem?

  Thank you

  Steve.

• Cannot run .jsp page thru WebVPN (Clientless SSL VPN).

  Hello

  I can't access a portal which is a page through the WebVPN .jsp.

  With Internet Explorer, I get the following error: (stop running this script? [...])

  When I say 'No' I get an empty page. Same thing, if I click on 'Yes '.

  

  With FireFox, I get a blank page without any error message.

  VPN is an asa 5510 version 8.0 (4) 39.

  Is this a limitation of the clientless VPN? A Bug? Anyone has an idea on how to solve this problem?

  Thank you!

  Pascal

  If please activate smart tunneling on the bookmark in question and test it again.

• Clientless SSL VPN - Source interface when traffic leaves firewall

  Hi all

  I'm trying to implement rules in my perimeter firewall WAN for all traffic coming from the Internet Firewall VPN.

  If the internet firewall is also the VPN endpoint. The user connects to the internet firewall through WebVPN clientless and undergoes several bookmarks that are the WAN customer servers.

  Now, I have a network firewall that must act as a second layer to filter traffic. I have to so allow rules for all the bookmarks that users access through to the WAN. The question here is what would be the source IP address of the traffic coming from the ASA of the Internet and going to the bookmark/Wan Server? Wouldn't be outside (internet access) interface or the interface inside?

  Thank you!

  Kind regards

  Riou

  Hey riri,.

  Referring to this document , he stated-

  "In a connection WebVPN, the security apparatus is as a proxy between the end user's web browser and web server target."

  This implies that ASA will act in proxy on the request of the WebVPN user to the destination. This proxy request will depend on the accessibility of the destination server. If the resources are available that inside the interface, then the source will be inside interface and same DMZ if the resources are accessed through the DMZ.

  I tested, but for your confirmation, you can run a capture wireshark on the LAN interfaces and you can see HTTP requests being mandated by the ASA LAN interfaces.

  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• Crossed with clientless SSL VPN

  Hello

  I found this

  https://supportforums.Cisco.com/thread/2066799 , but it is never answered so I would like confirmation or a link to a place if this is possible.

  We have a central managed firewall and must be able to access resources on remote sites without needing VPN without end.  I've implemented a number of configurations of crossed, but I don't know how to do this as an IP is not affected.

  Thank you

  Steve

  I seem to have missed to answer this previous forum you found.

  In all cases, you can follow my not written in this post, and also to answer question of Jeremy, no, it will not interfere with the remote talk thinking that communication is for the public because the ACL crypto will tell SAA outside the IP of the interface, the Remote LAN on the ASA, and the remote end say from LAN to the ASA outside intellectual property.

  If the crypto ACL said ASA public IP address to get rid of peer public IP then it will intervene and will not work, but because the acl above comes from public ip address to the Remote LAN, then it's OK.

  Hope that helps.

• SSL VPN Portal Page - frequent disconnects

  Hi all

  I've implemented two firewalls to two DCs - London and Swindon. Now, I'm traffic to these two firewalls by using a URL to load balancing. When users try to connect to the URL (which indeed resolves to the IP address of the two firewalls Internet oriented interface), they faced frequent disconnects. The portal will be open for a few minutes, and as they are by clicking on the bookmarks on the page they get automatically disconnected. It is completely random and there is no model it.

  However, I wrote the following:

  1 if I clear my cache and Temp files and then try to access to the portal by using the URL, it works fine for a little longer (maybe 15-20 minutes) and then the same disconnect start all over again

  2. If I try to access all the IP addresses of the firewall (do not use Uruguay Round), it seems to work fine.

  Can someone let me know what could be causing the problem?

  Thank you!

  Hey riri,.

  You can check the activation of the ASA connects and debugs, a 'see the connection' and ' debug webvpn 255 "will be useful to check if the SAA is disconnect the session.»

  Alternative, you can run wireshark on a computer and make sure the IP reset is coming,

  See you soon,.

  -Randy-

• clientless ssl vpn

  Hi guys,.

  I have a portal to the top and running on one asa 5520 running OS 8.2.5 everything works fine but I would like to use the onscreen keyboard feature, I went to turn on the personalization of the portal but without success, will I need to activate anything else?

  Thank you

  Jonathan

  are you sure that DT does not work? Say you are trying to put the cursor in the user name field and start typing? I tried it, and it does not show the keyboard until you place the cursor in the name of the user or the passwd field.