67-40
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 67 Clientless SSL VPN
Configuring Smart Tunnel Access
• OS—Click Windows or Mac to specify the host operating system of the application.
• Hash—(Optional and applicable only for Windows) To obtain this value, enter the checksum of the
application (that is, the checksum of the executable file) into a utility that calculates a hash using
the SHA-1 algorithm. One example of such a utility is the Microsoft File Checksum Integrity
Verifier (FCIV), which is available at http://support.microsoft.com/kb/841290/. After installing
FCIV, place a temporary copy of the application to be hashed on a path that contains no spaces (for
example, c:/fciv.exe), then enter fciv.exe -sha1 application at the command line (for example,
fciv.exe -sha1 c:\msimn.exe) to display the SHA-1 hash.
The SHA-1 hash is always 40 hexadecimal characters.
Before authorizing an application for smart tunnel access, clientless SSL VPN calculates the hash
of the application matching the Application ID. It qualifies the application for smart tunnel access
if the result matches the value of Hash.
Entering a hash provides a reasonable assurance that SSL VPN does not qualify an illegitimate file
that matches the string you specified in the Application ID. Because the checksum varies with each
version or patch of an application, the Hash you enter can only match one version or patch on the
remote host. To specify a hash for more than one version of an application, create a unique smart
tunnel entry for each Hash value.
Note You must update the smart tunnel list in the future if you enter Hash values and you want to
support future versions or patches of an application with smart tunnel access. A sudden
problem with smart tunnel access may be an indication that the application list containing
Hash values is not up-to-date with an application upgrade. You can avoid this problem by
not entering a hash.
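The qualification logic described above, modeled in Python as an added example (this is not Cisco's code and does not claim to be how the ASA implements the check internally): it computes a file's SHA-1 the way fciv.exe -sha1 reports it, enforces the 40-hexadecimal-character format, and qualifies an executable against a smart tunnel entry by process name (or by exact path, as in the path-restricted entry of Table 67-4) and, when a Hash is configured, by checksum. The demo builds two constructed "versions" of msimn.exe in a temporary directory to show why a pinned Hash matches only one version or patch.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# The SHA-1 hash is always 40 hexadecimal characters.
HASH_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def sha1_of_file(path: str) -> str:
    """SHA-1 hex digest of a file, i.e. the value 'fciv.exe -sha1 <file>' displays."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class SmartTunnelEntry:
    """One smart tunnel list entry (field names are this example's, not ASDM's)."""
    app_id: str                 # Application ID: any unique string
    process_name: str           # bare executable name, or a full path that must match exactly
    os_name: str                # "Windows" or "Mac"
    sha1: Optional[str] = None  # optional Hash; applicable only for Windows

    def __post_init__(self) -> None:
        if self.sha1 is not None:
            if self.os_name != "Windows":
                raise ValueError("Hash is applicable only for Windows entries")
            if not HASH_RE.match(self.sha1):
                raise ValueError("Hash must be exactly 40 hexadecimal characters")


def _norm(path: str) -> str:
    # Simplification for this example: one separator style, case-insensitive comparison.
    return path.replace("\\", "/").lower()


def qualifies(entry: SmartTunnelEntry, exe_path: str, host_os: str) -> bool:
    """Return True if the executable at exe_path qualifies for smart tunnel access under entry."""
    if host_os != entry.os_name:
        return False
    if "/" in entry.process_name or "\\" in entry.process_name:
        # Path-restricted entry: the executable must live at the predefined path.
        if _norm(exe_path) != _norm(entry.process_name):
            return False
    elif os.path.basename(exe_path).lower() != entry.process_name.lower():
        return False
    # Optional Hash: the file's checksum must equal the configured SHA-1.
    if entry.sha1 is not None and sha1_of_file(exe_path) != entry.sha1.lower():
        return False
    return True


def demo() -> dict:
    """Constructed scenario: two builds of msimn.exe; only one matches a pinned Hash."""
    with tempfile.TemporaryDirectory() as d:
        v1 = os.path.join(d, "msimn.exe")
        v2 = os.path.join(d, "patched", "msimn.exe")
        os.makedirs(os.path.dirname(v2))
        with open(v1, "wb") as f:
            f.write(b"MZ constructed build 1\n")          # constructed, not a real binary
        with open(v2, "wb") as f:
            f.write(b"MZ constructed build 2 (patched)\n")  # a patch changes the checksum

        pinned = SmartTunnelEntry("outlook-express", "msimn.exe", "Windows", sha1_of_file(v1))
        unpinned = SmartTunnelEntry("outlook-express", "msimn.exe", "Windows")
        path_only = SmartTunnelEntry("outlook-express", v1, "Windows")

        return {
            "pinned_v1": qualifies(pinned, v1, "Windows"),      # True
            "pinned_v2": qualifies(pinned, v2, "Windows"),      # False: hash no longer matches
            "unpinned_v2": qualifies(unpinned, v2, "Windows"),  # True: no hash, name matches
            "path_only_v1": qualifies(path_only, v1, "Windows"),  # True: exact path
            "path_only_v2": qualifies(path_only, v2, "Windows"),  # False: different path
            "wrong_os": qualifies(unpinned, v2, "Mac"),         # False: OS mismatch
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "pinned_v2" result is the situation the Note warns about: after an application upgrade, an entry that carries a Hash silently stops qualifying the application until the list is updated, whereas the hash-less entry keeps working at the cost of weaker assurance.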
Following the configuration of the smart tunnel list, you must assign it to a group policy or a local user
policy for it to become active, as follows:
• To assign the list to a group policy, choose Config > Remote Access VPN > Clientless SSL VPN
Access > Group Policies > Add or Edit > Portal and choose the smart tunnel name from the
drop-down list next to the Smart Tunnel List attribute.
• To assign the list to a local user policy, choose Config > Remote Access VPN > AAA Setup > Local
Users > Add or Edit > VPN Policy > Clientless SSL VPN and choose the smart tunnel name from
the drop-down list next to the Smart Tunnel List attribute.
Table 67-4 Example Smart Tunnel Entries

Smart Tunnel Support: Mozilla Firefox.
  Application ID (any unique string is OK): firefox
  Process Name: firefox.exe
  OS: Windows

Smart Tunnel Support: Microsoft Outlook Express.
  Application ID (any unique string is OK): outlook-express
  Process Name: msimn.exe
  OS: Windows

Smart Tunnel Support: More restrictive alternative—Microsoft Outlook Express only if the executable file is in a predefined path.
  Application ID (any unique string is OK): outlook-express
  Process Name: \Program Files\Outlook Express\msimn.exe
  OS: Windows

Smart Tunnel Support: Open a new Terminal window on a Mac. (Any subsequent application launched from within the same Terminal window fails because of the one-time-password implementation.)
  Application ID (any unique string is OK): terminal
  Process Name: Terminal
  OS: Mac