Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 67      Clientless SSL VPN
  Configuring Smart Tunnel Access
Add/Edit SSO Servers
This SSO method uses CA SiteMinder and SAML Browser Post Profile. You can also set up SSO using 
the HTTP Form protocol, or Basic HTML and NTLM authentication. To use the HTTP Form protocol, 
see Configuring Session Settings. To use basic HTML or NTLM authentication, use the auto-signon 
command at the command line interface.
Fields
• Server Name—If adding a server, enter the name of the new SSO server. If editing a server, this field 
is display only; it displays the name of the selected SSO server.
• Authentication Type—Display only. Displays the type of SSO server. The types currently supported 
by the adaptive security appliance are SiteMinder and SAML Browser Post Profile. 
• URL—Enter the SSO server URL to which the adaptive security appliance makes SSO 
authentication requests.
• Secret Key—Enter a secret key used to encrypt authentication requests to the SSO server. Key 
characters can be any regular or shifted alphanumeric characters. There is no minimum or maximum 
number of characters. The secret key is similar to a password: you create it, save it, and configure 
it. It is configured on the adaptive security appliance, the SSO server, and the SiteMinder Policy 
Server using the Cisco Java plug-in authentication scheme.
• Maximum Retries—Enter the number of times the adaptive security appliance retries a failed SSO 
authentication attempt before the authentication times out. The range is from 1 to 5 retries inclusive, 
and the default is 3 retries.
• Request Timeout—Enter the number of seconds before a failed SSO authentication attempt times 
out. The range is from 1 to 30 seconds inclusive, and the default is 5 seconds.
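For reference, the same SiteMinder SSO server fields entered at the command line, as an added example that is not part of the original guide. The server name, URL and secret are placeholders, and the command names are the ASA CLI counterparts of the ASDM fields, which this page does not list.

```cisco
! Added example: constructed values, not taken from the guide.
webvpn
 ! Server Name and Authentication Type (SiteMinder)
 sso-server SSO-EXAMPLE type siteminder
  ! URL: where the appliance sends SSO authentication requests
  web-agent-url https://sso.example.com/webvpn
  ! Secret Key: same key as configured on the SSO server and the
  ! SiteMinder Policy Server
  policy-server-secret <secret-key>
  ! Maximum Retries: 1 to 5, default 3
  max-retry-attempts 3
  ! Request Timeout: 1 to 30 seconds, default 5
  request-timeout 5
```

Because the appliance enforces no minimum key length, the strength of the secret key is left entirely to the administrator.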
Modes
The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple: Context    Multiple: System
•         —                •         —                    —

Configuring Smart Tunnel Access
The Smart Tunnels table displays the smart tunnel lists, each of which identifies one or more applications 
eligible for smart tunnel access, and its associated operating system. Because each group policy or local 
user policy supports one smart tunnel list, you must group the nonbrowser-based applications to be 
supported into a smart tunnel list. You can also specify which group policy homepage can use smart 
tunnel (with the use-smart-tunnel CLI command or on the Configuration > Remote Access VPN > 
Clientless SSL VPN Access > Group Policies > Edit > Edit Internal Group Policy of the GUI). Following 
the configuration of a list, you can assign it to one or more group policies or local user policies. The 
internal company resources are accessed through the VPN gateway, but smart tunnel allows direct 
Internet access without going through the VPN gateway. 
The Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels 
window lets you do the following: