Chapter 11 Scenario: SSL VPN Clientless Connections
About Clientless SSL VPN
11-2
Cisco ASA 5500 Series Getting Started Guide
78-19186-01
• MS Outlook Web Access
• MAPI
• Application Access (that is, port forwarding for access to other TCP-based
applications) and Smart Tunnels
Clientless SSL VPN uses the Secure Sockets Layer (SSL) Protocol and its
successor, Transport Layer Security (TLSI), to provide the secure connection
between remote users and specific, supported internal resources that you
configure at a central site. The adaptive security appliance recognizes connections
that need to be proxied, and the HTTP server interacts with the authentication
subsystem to authenticate users.
The network administrator provides access to resources by users of Clientless
SSL VPN on a group basis.
Security Considerations for Clientless SSL VPN Connections
Clientless SSL VPN connections on the adaptive security appliance differ from
remote access IPsec connections, particularly with respect to how they interact
with SSL-enabled servers and the validation of certificates.
In a Clientless SSL VPN connection, the adaptive security appliance acts as a
proxy between the end user web browser and target web servers. When a user
connects to an SSL-enabled web server, the adaptive security appliance
establishes a secure connection and validates the server SSL certificate. The end
user browser never receives the presented certificate, so therefore it cannot
examine and validate the certificate.
The current implementation of Clientless SSL VPN on the adaptive security
appliance does not permit communication with sites that present expired
certificates. Nor does the adaptive security appliance perform trusted CA
certificate validation. Therefore, users cannot analyze the certificate an
SSL-enabled web-server presents before communicating with it.
To Next Page
Loading...
Need help?
General
