Authenticating with digital certificates, Configuring application helper – Cisco ASA 5505 User Manual

74-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN


(Optional) Click Find to search for a web ACL. Start typing in the field, and the tool searches the
beginning characters of every field for a match. You can use wildcards to expand your search. For
example, typing sal in the Find field matches a web ACL named sales but not a customization object
named wholesalers. If you type *sal in the Find field, the search finds the first instance of either
sales or wholesalers in the table.

Use the up and down arrows to skip up or down to the next string match. Check the Match Case
checkbox to make your search case sensitive.

(Optional) Highlight a web ACL and click Assign to assign the selected web ACL to one or more
VPN group policies, dynamic access policies, or user policies.

Authenticating with Digital Certificates

SSL uses digital certificates for authentication. The ASA creates a self-signed SSL server certificate
when it boots; alternatively, you can install on the ASA an SSL certificate that has been issued in a PKI
context. For HTTPS, this certificate must then be installed on the client. You need to install the
certificate from a given ASA only once.

Restrictions

Application Access does not work for users of clientless SSL VPN who authenticate using digital
certificates. The JRE does not have the ability to access the web browser keystore. Therefore Java
cannot use the certificate that the browser uses to authenticate the user, so Application Access cannot start.

E-mail clients such as MS Outlook, MS Outlook Express, and Eudora lack the ability to access the
certificate store.

For more information on authentication and authorization using digital certificates, see the “Using
Certificates and User Login Credentials” section on page 35-9.

Enabling Cookies on Browsers for Clientless SSL VPN

When cookies are disabled on the web browser, the links from the web portal home page open a new
window prompting the user to log in once more.

Configuring Application Helper

Clientless SSL VPN includes an Application Profile Customization Framework option that lets the ASA
handle non-standard applications and web resources so they display correctly over a clientless SSL VPN
connection. An APCF profile contains a script that specifies when (pre, post), where (header, body,
request, response), and what data to transform for a particular application. The script is in XML and uses
sed (stream editor) syntax to transform strings/text.

You can configure multiple APCF profiles on an ASA to run in parallel. Within an APCF profile script,
multiple APCF rules can apply. In this case, the ASA processes the oldest rule first, based on
configuration history, the next oldest rule next, and so forth.
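The following is an added illustration of one such profile, not a script from this guide: it pairs the "where" (a response body), the "when" (the ASA's post-processing stage) and the "what" (a sed substitution) described above. The element names are assumed from Cisco's APCF syntax reference, which this page does not reproduce, and the hostnames and the rewritten URL are constructed sample values.

```xml
<APCF>
  <version>1.0</version>
  <application>
    <!-- free-text label shown in the ASA configuration -->
    <id>Rewrite hard-coded legacy links in example intranet app</id>
    <apcf-entities>
      <!-- "where": the HTTP response body, after the ASA's own rewriter -->
      <process-response-body>
        <conditions>
          <!-- apply only to responses from this server (constructed hostname) -->
          <server-fnmatch>intranet-app.example.internal</server-fnmatch>
        </conditions>
        <action>
          <do>
            <!-- "what": sed substitution replacing an absolute URL the
                 application emits with one the clientless portal can reach;
                 '|' is used as the delimiter so the slashes need no escaping -->
            <sed-script>s|http://legacy\.example\.internal:8080/|https://intranet-app.example.internal/|g</sed-script>
          </do>
        </action>
      </process-response-body>
    </apcf-entities>
  </application>
</APCF>
```

Because each rule's scope is set by its conditions, keep the server match as narrow as possible so the substitution cannot alter content from unrelated sites passing through the same tunnel.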
