About smart tunnels, Why smart tunnels – Cisco ASA 5505 User Manual

Page 1635

Advertising
background image

74-49

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 74 Configuring Clientless SSL VPN

Configuring Application Access

Enabling and Disabling Smart Tunnel Access

About Smart Tunnels

A smart tunnel is a connection between a TCP-based application and a private site, using a clientless
(browser-based) SSL VPN session with the security appliance as the pathway, and the ASA as a proxy
server. You can identify applications to which you want to grant smart tunnel access, and specify the
local path to each application. For applications running on Microsoft Windows, you can also require a
match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.

Lotus SameTime and Microsoft Outlook are examples of applications to which you might want to grant
smart tunnel access.

Configuring smart tunnels requires one of the following procedures, depending on whether the
application is a client or is a web-enabled application:

Create one or more smart tunnel lists of the client applications, then assign the list to the group
policies or local user policies for whom you want to provide smart tunnel access.

Create one or more bookmark list entries that specify the URLs of the web-enabled applications
eligible for smart tunnel access, then assign the list to the group policies or local user policies for
whom you want to provide smart tunnel access.

You can also list web-enabled applications for which to automate the submission of login credentials in
smart tunnel connections over clientless SSL VPN sessions.

Why Smart Tunnels?

Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to access
a service. It offers the following advantages to users, compared to plug-ins and the legacy technology,
port forwarding:

Smart tunnel offers better performance than plug-ins.

Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user
connection of the local application to the local port.

Unlike port forwarding, smart tunnel does not require users to have administrator privileges.

The advantage of a plug-in is that it does not require the client application to be installed on the remote
computer.

Prerequisites

See the

Supported VPN Platforms, Cisco ASA 5500 Series

for the platforms and browsers supported by

ASA Release 8.4 smart tunnels.

The following requirements apply to smart tunnel access on Windows:

ActiveX or Sun JRE 5, Update 1.5 or later (JRE 6 or later recommended) on Windows must be
enabled on the browser.

ActiveX pages require that you enter the activex-relay command on the associated group policy. If
you do so or assign a smart tunnel list to the policy, and the browser proxy exception list on the
endpoint specifies a proxy, the user must add a “shutdown.webvpn.relay.” entry to this list.

Advertising