Configuring ssl/tls encryption protocols – Cisco ASA 5505 User Manual


74-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN

Using SSL to Access the Central Site

The ASA clientless SSL VPN configuration supports only one http-proxy and one https-proxy
command each. For example, if one instance of the http-proxy command is already present in the
running configuration and you enter another, the CLI overwrites the previous instance.

Note

Proxy NTLM authentication is not supported in http-proxy. Only proxy without authentication and
basic authentication are supported.

Configuring SSL/TLS Encryption Protocols

Prerequisites

TCP Port Forwarding requires Sun Microsystems Java Runtime Environment (JRE) version 1.4.x or
1.5.x. Port forwarding does not work when a user of clientless SSL VPN connects with some SSL
version settings, as follows:

Negotiate SSLv3—Java downloads

Negotiate SSLv3/TLSv1—Java downloads

Negotiate TLSv1—Java does NOT download

TLSv1 Only—Java does NOT download

SSLv3 Only—Java does NOT download

Restrictions

When you set SSL/TLS encryption protocols, be aware of the following:

Make sure that the ASA and the browser you use allow the same SSL/TLS encryption protocols.

If you configure e-mail proxy, do not set the ASA SSL version to TLSv1 Only. Microsoft Outlook
and Microsoft Outlook Express do not support TLS.

Prerequisites

Browser cookies are required for the proper operation of clientless SSL VPN.

Step 16

Command:
hostname(config-webvpn)# http-proxy 209.165.201.1 username jsmith password mysecretdonttell
hostname(config-webvpn)#

Purpose: Shows how to configure use of an HTTP proxy server with an IP address of 209.165.201.1
using the default port, sending a username and password with each HTTP request.

Step 17

Command:
hostname(config-webvpn)# http-proxy 209.165.201.1 exclude www.example.com username jsmith password mysecretdonttell
hostname(config-webvpn)#

Purpose: Shows the same command, except when the ASA receives the specific URL www.example.com
in an HTTP request, it resolves the request instead of passing it on to the proxy server.

Step 18

Command:
hostname(config-webvpn)# http-proxy pac http://www.example.com/pac
hostname(config-webvpn)#

Purpose: Shows how to specify a URL to serve a proxy autoconfiguration file to the browser.
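The following is an added example, not Cisco code and not part of this guide: a small Python model of the http-proxy and https-proxy command forms shown in Steps 16 through 18. It parses the three forms (host with credentials, host with an exclude URL, and pac URL), replays a constructed session so that a later command of the same kind overwrites the earlier one, as the section states, and reports which active proxy settings carry credentials that are sent with each request. The optional numeric port token and the `parse_proxy_command`, `apply_webvpn_config` and `audit` names are assumptions made for the example.

```python
"""Added example (not Cisco code): a model of the webvpn http-proxy /
https-proxy commands described in this section of the ASA guide."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Prompt prefix used in the page's examples; stripped before parsing.
PROMPT = "hostname(config-webvpn)# "


@dataclass
class ProxyConfig:
    kind: str                       # "http-proxy" or "https-proxy"
    host: Optional[str] = None      # proxy address (None for the pac form)
    port: Optional[int] = None      # None means the default port
    exclude: List[str] = field(default_factory=list)  # URLs the ASA resolves itself
    username: Optional[str] = None
    password: Optional[str] = None
    pac_url: Optional[str] = None   # proxy autoconfiguration file URL


def parse_proxy_command(line: str) -> ProxyConfig:
    """Parse one http-proxy/https-proxy command.

    Grammar assumed here, taken from the examples on this page (the
    optional port token is an assumption for this example):
      <kind> pac <url>
      <kind> <host> [port] [exclude <url>]... [username <u> password <p>]
    """
    if line.startswith(PROMPT):
        line = line[len(PROMPT):]
    tokens = line.split()
    if not tokens or tokens[0] not in ("http-proxy", "https-proxy"):
        raise ValueError(f"not a proxy command: {line!r}")
    cfg = ProxyConfig(kind=tokens[0])
    args = tokens[1:]
    if not args:
        raise ValueError(f"missing arguments: {line!r}")
    if args[0] == "pac":
        if len(args) != 2:
            raise ValueError(f"pac form takes exactly one URL: {line!r}")
        cfg.pac_url = args[1]
        return cfg
    cfg.host = args[0]
    i = 1
    if i < len(args) and args[i].isdigit():
        cfg.port = int(args[i])
        i += 1
    while i < len(args):
        keyword = args[i]
        if i + 1 >= len(args):
            raise ValueError(f"keyword {keyword!r} needs a value: {line!r}")
        value = args[i + 1]
        if keyword == "exclude":
            cfg.exclude.append(value)
        elif keyword == "username":
            cfg.username = value
        elif keyword == "password":
            cfg.password = value
        else:
            raise ValueError(f"unexpected keyword {keyword!r}: {line!r}")
        i += 2
    if (cfg.username is None) != (cfg.password is None):
        raise ValueError(f"username and password must be given together: {line!r}")
    return cfg


def apply_webvpn_config(lines: List[str]) -> Dict[str, ProxyConfig]:
    """Replay proxy commands in order. A later command of the same kind
    overwrites the earlier one, which is the CLI behaviour the section describes."""
    active: Dict[str, ProxyConfig] = {}
    for line in lines:
        if not line.strip():
            continue
        cfg = parse_proxy_command(line)
        active[cfg.kind] = cfg
    return active


def audit(active: Dict[str, ProxyConfig]) -> List[str]:
    """Report active proxy settings whose credentials are stored in the
    configuration and sent with every request that goes to the proxy."""
    findings = []
    for cfg in active.values():
        if cfg.username is not None:
            findings.append(f"{cfg.kind}: credentials for {cfg.username!r} are"
                            f" sent with each request to {cfg.host}")
    return findings


# Constructed sample session: the commands from this page plus one
# https-proxy line, entered in this order.
SAMPLE_SESSION = [
    "hostname(config-webvpn)# http-proxy 209.165.201.1 username jsmith password mysecretdonttell",
    "hostname(config-webvpn)# https-proxy 209.165.201.1 exclude www.example.com username jsmith password mysecretdonttell",
    "hostname(config-webvpn)# http-proxy pac http://www.example.com/pac",
]

if __name__ == "__main__":
    active = apply_webvpn_config(SAMPLE_SESSION)
    for kind, cfg in active.items():
        print(kind, cfg)
    for finding in audit(active):
        print("audit:", finding)
```

Replaying the sample session leaves only the pac form as the active http-proxy setting, because it was entered after the credentialed one; the https-proxy entry survives since only one command of each kind is kept. The audit step is where a reviewer of a running configuration would look for proxy credentials that ride along on every request.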
