Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Anyone using the SSL/VPN features? 3

Status
Not open for further replies.

snootalope

IS-IT--Management
Jun 28, 2001
1,706
US
We're going to be leaving our PIX 515 and going with the ASA 5510 with the SSL/VPN feature.

From what I'm reading from the admin/install guides, it says the feature is entirely clientless.. anyone know if this is true? No activeX to install, no extra java stuff, entirely clientless..

How's it's speed? Our home users will be using this feature to access our internal Terminal Servers.

From what I can tell, all they (the external clients) need is a trusted certificate.

Just looking for advice or opinions from anyone who's used this feature.

Thanks!
 
The SSL Features on the ASA are pretty great. I have configured it a bunch of times, though I'll admit I didn't necessarily run it in production, so I can't promise perfection.

The SSL solution doesn't have to be clientless. If you upgrade to ASA 8.0 (a must!) then you can use the full-client AnyConnect Client that installs via ActiveX or Java. AnyConnect gives your users a full-tunnel experience like the traditional IPSec client.

In ASA 8.0, if you're after terminal services, you can even get by with just a clientless setup. You can install a java remote desktop plugin on the ASA that allows your users to launch a remote desktop session by clicking on a link once they login to webvpn. I've used this and it works well.

In the clientless setup, the only certificate you might want to get is on the ASA itself. While the ASA can generate its own self-signed SSL Certificate, your users' browsers will not trust it unless you install that cert on their PCs. If you buy an SSL cert from Verisign or GoDaddy, your users' browsers will trust the ASA right away because they have those roots already installed.

In the AnyConnect setup, you can use normal client certificates if you want, but they are not required.

Here's a link to Cisco's SSL Config Examples:

This one specifically deals with the RDP plugin:

This one deals with the SSL certs I described:

Matt
CCSP
 
Excellent info...thanks!

So, the AnyConnect client, it isn't entirely clientless then beings they still have to install an activex or java plugin. That's ok I guess, but if one of our users are at a library or something with a public PC, it may not work since they probably couldn't install a plugin.

And, with the ASA, if they don't have the self signed cert installed on their machines, there's no way to connect? It won't allow them to accept the certificate on a temporary basis and continue?

I'll be sure to get the 8.x version, which it might even come with by now.

For terminal services, this "java remote desktop plugin" you refer to. Is that a Cisco piece of software?
 
duh...didn't see your links at the bottom first.
 
No worries.

I'm pretty sure you need administrator rights to install the AnyConnect client, so in a Library setting, you might have to go clientless.

Sorry, I wasn't clear on the certs. If the user's PC does not have the ASA's self-signed cert in its store, the user will get a popup alerting them that the certificate is valid, but not necessarily trusted. They will be able to click OK and connect with no problem, like you indicate. I mentioned the commercial cert because I know popups like that freak users out. :p

The plugin is actually from a third party, but Cisco provides a download of it in the Software Center.



Matt
CCSP
 
So, the WebVPN - when a users wants to connect to it, I'm guessing they just open internet explorer, or whatever, and type in a specific URL that points to the ASA correct? So the ASA actually has a web interface that they log into and have options from there...like open an rdp session to a term server. Is that right?
 
That's correct. A user will just https to the ip address or dns name of the outside interface of the ASA. They will then be presented with a login page.

Jim W MCSE CCNA
Network Manager
 
One thing I noticed with our setup: If you have persistent routes set on the client machine, you may get an error that says "Could not write to IP table".

Remove the persistent routs and it starts working again.

John
<lots of meaningless certifications here>
 
So.... I've got demo ASA 5510 in here and got the thing setup to give remote access. Works well.

However, one thing I noticed with the rdp plugin, is that you can't specify the session to be full screen! Maybe I'm just missing something, but from what I can tell you can only specify screen size in WxH (width x height). there isn't an option just for Full Screen or 100%, whatever.

Also, where's the single sign on that I was told about. The only thing I see that can do a single sign on is the SiteMinder product that looks to be yet another third party plugin.

Gotta say, the Cisco reps trying to sell me this thing sure got me excited by saying it could everything we have now and then some.. well, I'm not so sure they were correct. Sure, it may do ALMOST everything, we just gotta fork out the $$$ to get it.

Oh well. If I can get that RDP deal to do a full screen, I'd be happy. anyone done this yet?
 
Glad to hear it's going well.

I don't think you can make it do full screen. According to the plugin site, you can use '-f', but I think I tried that once and the ASA would not pass it.


The single signon that you were told about is probably the "auto-signon" feature. Auto-signon tells the ASA to pass on to other servers (outlook, CIFS, etc) the credentials that the user logged into the ASA with.

In the ASDM, auto-signon is found in the Group Policy under More Options > Single Signon. Here's the CLI:


"internal password" might also be of interest to you. If your user logs in to webvpn with a password that is not the same as, say, his outlook password, then auto-signon won't work. What you can do is add a second password field to the login page. The "internal password" is the user's outlook (or whatever) password. Used in conjunction with auto-signon, this second password is passed on to the internal servers.

In the ASDM, I think the checkbox to display the internal password shows up on the Connection Profiles screen. Here is the CLI:





Matt
CCIE Security
 
Thanks for the info..

See, I've went into the group policy and unchecked "Auto Signon Servers" and setup our subnet and what not. Still, when I sign in to the vpn access and select a terminal server bookmark I've setup, it still prompts for the username and password.

I left the option "Single Signon Serer" mark checked.. because I don't have an internal SiteMinder server (or a SAML POST, whatever that is).

Am I missing something here?
 
No, I don't think you're missing something. I just whipped this up myself, and RDP does not appear work with auto-signon. It works with my CIFS share, but when I click on my RDP bookmark it still prompts me to login, like you.

That's a bummer. Guess it's an enhancement request you can make to your Cisco account team. [neutral]

Matt
CCIE Security
 
yeah, SSO doesn't work with the RDP or the ICA plugins. neat. And neither do the full screen commands. arg!

I gotta tell ya, i'm a little disappointed with the results of the remote access vpn by Cisco. Coming from Cisco (aka $$), I'd have thought it'd be a little more command and feature rich than what it is.
 
The RDP and SSO are exactly what they are, plugins. These plugins are not made by Cisco. Which command dont work for you?

"And neither do the full screen commands."

What exactly are you disappointed with? Not looking for a rolling thread but am interested in what root of the problem is. I often find there are alot of features that may not be documented as well as they could be.

 
There is an ActiveX RDP plugin (not the java) which allows for full screen access. However, it does require the user first allow the ActiveX module to be installed which requires a bit of help from a support perspective to the end user.

I have this setup on 3 different ASA's ... I'm using SSL everywhere these days. Port forwarding goes off w/o a hitch also. Again, requires maybe a little bit of education to the end user on your part, but this avoids any and all ActiveX and allows the user to use a simple 'preconfigured' RDP shortcut on their destkop.

I've had experiences with a few different SSL VPN products and while most all require something here and there, the CISCO thus far seems to be very well supported and quite easy to get the hang of regading different groups and users.

I would recommend this even if you're having initial difficulties now.
 
Tekmazter

You state that you are using SSL and port forwarding with your ASA?

Are you using port forwarding with the SSL clientless vpn? We just installed an ASA5505 this week and have the clientless VPN installed, but I was told that we could not do port forwarding with this setup.

We would like to be able to have our users login to their SSL VPN via the webpage and then be able to open client applications on their machine and port forward through that VPN connection. Is this possible?

thanks in advance.
 
asanchez, just a guess on my part, but I'd think you'd need to use the anyconnect client and configure the local machine's apps accordingly.
 
asanchev4

I am not using any client at all. My clients login directly thru the site and click on Applications, then a button which launches a window (using java).

Inside this window, there is a local and remote collumn. The user should already have positioned on their desktop a shortcut configured to use the local collumn's information. e.g. User is utilizing a custom emulation package. Their shorcut while eventually connecting to the host on port 23 on my LAN would have its configuration pointed to 127.0.0.1 and some port above 1023 that I setup on the ASA. The ASA then does the rest.

I also use the ActiveX RDP plugin, ActiveX SSH and Telnet plugins and finally sFTP which avoids the user needing anything as far as shorcuts on their PC goes. They just click on a link to utilize these plug-ins.

I do this incredibly successful with many, many clients.
 
Correction to my last post, I need to confirm, but I do not believe the SSH, Telnet, VNC, and CITRIX plugins are all ActiveX. I know for sure the RDP plug-in requires your browser to both support ActiveX, allow popups, and be trusted. At least in IE.
 
Hi Guys

Can anyone tell me how to set up the SSL VPN to work with RDP? All I want is for people to log in through the website and click a bookmark which opens the Terminal Server session. All I have in the bookmarks is HTTP, HTTPS, FTP and CIFS. Which do I use?

Also what's the best RDP client to use and how do you upload it to the ASA so it can download to the clients?

Many thanks
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top