1-53
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Clientless SSL VPN
Configuring Application Access
• Only Winsock 2, TCP-based applications are eligible for smart tunnel access.
• For Mac OS X only, Java Web Start must be enabled on the browser.
Restrictions
• Smart tunnel supports only proxies placed between computers running Microsoft Windows and the
security appliance. Smart Tunnel uses the Internet Explorer configuration, which sets system-wide
parameters in Windows. That configuration may include proxy information:
–
If a Windows computer requires a proxy to access the ASA, then there must be a static proxy
entry in the client's browser, and the host to connect to must be in the client's list of proxy
exceptions.
–
If a Windows computer does not require a proxy to access the ASA, but does require a proxy to
access a host application, then the ASA must be in the client's list of proxy exceptions.
Proxy systems can be defined the client’s configuration of static proxy entry or automatic
configuration, or by a PAC file. Only static proxy configurations are currently supported by Smart
Tunnels.
• Kerberos constrained delegation (KCD) is not supported for smart tunnels.
• For Windows, if you want to add smart tunnel access to an application started from the command
prompt, you must specify “cmd.exe” in the Process Name of one entry in the smart tunnel list, and
specify the path to the application itself in another entry, because “cmd.exe” is the parent of the
application.
• With HTTP-based remote access, some subnets may block user access to the VPN gateway. To fix
this, place a proxy in front of the ASA to route traffic between the web and the end user. That proxy
must support the CONNECT method. For proxies that require authentication, Smart Tunnel supports
only the basic digest authentication type.
• When smart tunnel starts, the ASA by default passes all browser traffic through the VPN session if
the browser process is the same. The ASA only also does this if a tunnel-all policy (the default)
applies. If the user starts another instance of the browser process, it passes all traffic through the
VPN session. If the browser process is the same and the security appliance does not provide access
to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
• A stateful failover does not retain smart tunnel connections. Users must reconnect following a
failover.
• The Mac version of smart tunnel does not support POST bookmarks, form-based auto sign-on, or
POST macro substitution.
• For Mac OS X users, only those applications started from the portal page can establish smart tunnel
connections. This requirement includes smart tunnel support for Firefox. Using Firefox to start
another instance of Firefox during the first use of a smart tunnel requires the user profile named
csco_st. If this user profile is not present, the session prompts the user to create one.
• In Mac OS X, applications using TCP that are dynamically linked to the SSL library can work over
a smart tunnel.
• Smart tunnel does not support the following on Mac OS X:
–
Proxy services.
–
Auto sign-on.
–
Applications that use two-level name spaces.
–
Console-based applications, such as Telnet, SSH, and cURL.
–
Applications using dlopen or dlsym to locate libsocket calls.
To Next Page
Loading...
Need help?
General
