Saturday, May 24, 2014

Customizing the Clientless SSL VPN Portal

An important part of deploying an SSL VPN solution is customization. After all, businesses often have a logo or color scheme used throughout the company on various pieces of documentation, assets, or even their buildings. It is not only pleasing to the eye but important for the company's image to be able to extend this scheme to your VPN portal. It can also help remote users to identify who they are connected to and the portal resources they require.

You can modify the look and feel of the following pages for your users:

* Logon page

* Portal page

* Logout page

The customization option you choose will depend on the level of granularity and customization you require. Customization through the ASDM is based on predefined areas and sections of the profile pages that you easily modify by changing the color and text and uploading logos. If you choose to fully customize the portal without the use of the ASDM, you can upload your own XML files and code; however, you are restricted to use only those items supported by the ASA.

I took out my ASA 5505 just to be able to create a customized clientless SSL VPN portal. For some reason, it doesn't let me emulate it in GNS3.

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual      //  CLIENTLESS SSL VPN
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual  // REMOTE ACCESS AND SITE-TO-SITE VPN
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

The Preview button (beside OK) is available on every customization page option and it opens on a Microsoft Word file. It will also prompt for a username and password prior to viewing. You can always preview any changes made before applying them to the ASA.


The onscreen keyboard is a Java-based keyboard that you can use to prevent potential keylogger software access to any credentials the user might be required to enter. This is a useful feature if your remote users are known to operate from publicly available computers or devices that you have no control over.
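The CLI side of the two customization options described above (the ASDM-driven fields versus uploading your own XML) and of the onscreen keyboard setting, as an added example that is not from the original post. The customization name MyCorp, the TFTP server 192.168.1.100, the file names, the tunnel-group name CLIENTLESS-TG and the group-policy name CLIENTLESS-GP are assumptions.

```cisco
! Added example (not from the original post). Names, addresses and file
! names below are placeholders.
!
! 1. Export the built-in "Template" customization to get a valid XML
!    skeleton; edit only the elements the ASA supports and re-import it
!    under your own name.
ciscoasa# export webvpn customization Template tftp://192.168.1.100/template.xml
ciscoasa# import webvpn customization MyCorp tftp://192.168.1.100/mycorp.xml
!
! 2. Bind the customization to the connection profile (tunnel group).
!    This is what the user sees on the logon page, before authentication.
ciscoasa(config)# tunnel-group CLIENTLESS-TG webvpn-attributes
ciscoasa(config-tunnel-webvpn)# customization MyCorp
!
! 3. Bind it to the group policy as well, which governs the portal and
!    logout pages shown after the user has authenticated.
ciscoasa(config)# group-policy CLIENTLESS-GP attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# customization value MyCorp
!
! 4. Offer the onscreen keyboard on the logon page only; "all" would also
!    show it on portal pages that ask for credentials.
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# onscreen-keyboard logon
!
! Confirm what is actually stored in flash before relying on the preview.
ciscoasa# show import webvpn customization
```

The split between tunnel-group and group-policy matters in practice: a customization applied only to the tunnel group changes the logon page but leaves the default portal, so users who authenticate still land on an unbranded page.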

Saturday, May 17, 2014

Clientless SSL VPN Smart Tunnels

Smart tunnels are the next step in the evolution of application access. With smart tunnels, the requirement for the local user to have administrative rights on the client machine is gone, the user no longer has to configure the local application to forward sessions to a loopback address and a pre-configured port, and the list of supported applications is more extensive.

Essentially, the operation of forwarding application traffic through the SSL VPN tunnel remains the same as with port forwarding and client-server plug-ins: upon receiving the client application traffic, the ASA acts as a proxy, creating a local TCP connection between itself and the application server and forwarding the data to it.

The noticeable advantage smart tunnels have over client-server plug-ins is the speed at which the application operates over the tunnel (the plug-ins are primarily Java-based), and the client can make use of the full feature set of the native application. However, as with port forwarding, the drawback is that the application has to be installed locally on the remote user's PC. Therefore (and also for security reasons), smart tunnels are generally deployed to users on company- or employee-owned PCs/laptops and not to those connecting from a public machine.

I prepared my ASA 5505 to allow RDP (TCP 3389) and VNC (TCP 590x) from the outside network 192.168.1.0/24 to my inside network 172.16.1.0/24. There's a handy ping tcp command to verify if it's working.
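A smart-tunnel configuration for the RDP and VNC access described above, plus the ping tcp reachability check, as an added example that is not from the original post. The list name RDP-VNC, the group-policy name CLIENTLESS-GP and the inside host 172.16.1.10 are assumptions.

```cisco
! Added example (not from the original post). The list name, group-policy
! name and inside host address are placeholders.
!
! Define which local executables may use the tunnel. "platform" limits an
! entry to one OS; an optional trailing SHA-1 hash of the binary pins it
! to one specific build so a renamed program cannot borrow the tunnel.
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# smart-tunnel list RDP-VNC rdp mstsc.exe platform windows
ciscoasa(config-webvpn)# smart-tunnel list RDP-VNC vnc vncviewer.exe platform windows
!
! Enable (and optionally auto-start) the list only on the group policy
! used for company-owned machines; leave it off any policy that serves
! public or kiosk users, who should stay on plug-ins.
ciscoasa(config)# group-policy CLIENTLESS-GP attributes
ciscoasa(config-group-policy)# webvpn
ciscoasa(config-group-webvpn)# smart-tunnel enable RDP-VNC
ciscoasa(config-group-webvpn)# smart-tunnel auto-start RDP-VNC
!
! Before troubleshooting the client side, confirm that the ASA itself can
! complete a TCP handshake to the application ports it will proxy to.
ciscoasa# ping tcp 172.16.1.10 3389
ciscoasa# ping tcp 172.16.1.10 5900
```

A successful ping tcp only proves the ASA-to-server leg; a failing smart tunnel with a working ping tcp points at the client side (wrong executable name, wrong platform, or a hash that no longer matches after an application update).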

I created a banner under Configuration > Remote Access > Clientless SSL VPN Access > Group Policies to inform outside users on which SSL VPN portal they're accessing.

Thursday, May 1, 2014

Clientless SSL VPN Client-Server Plug-ins

One of the most robust and convenient ways to allow application access to users is through the use of client-server plug-ins. The greatest benefit of client-server plug-ins over the smart tunnel or port forwarding solutions is connecting from anywhere using anything. This is a great benefit to users who are always out and connecting from different machines (for example, from an Internet cafe).

Because access is through a plug-in, the user does not need the full (fat) client version of the application. It operates directly within the remote user's browser, and the application traffic is sent and received through the SSL VPN tunnel to the ASA. There is also no requirement for the remote user to have administrative rights on the local PC. The ASA carries out the same action as it does for port forwarding (it creates a TCP connection between itself and the application server) and then relays application traffic between the server and the remote user.

The main drawback of the plug-in solution is the small number of supported plug-ins. The following plug-ins are currently available for download (at the time of this writing) from Cisco.com and can be imported into the ASA flash:

* SSH/Telnet Client

* Citrix ICA Client

* RDP Client (used for Windows 2000 Pro, Server, and XP)

* RDP2 Client (used for Windows Vista, 7, and Server 2003 and 2008)

* VNC Client

ciscoasa(config)# import webvpn ?

exec mode commands/options:
  AnyConnect-customization  AnyConnect-customization
  customization             Configure customization file
  mst-translation           Configure MST component
  plug-in                   Configure plug-in options
  translation-table         Configure translation table
  url-list                  Configure a list of URLs for use with WebVPN
  webcontent                Configure webcontent
ciscoasa(config)# import webvpn plug-in ?

exec mode commands/options:
  protocol  Configure plug-in protocol
ciscoasa(config)# import webvpn plug-in protocol ssh ?

exec mode commands/options:
  WORD < 256 char  The URL containing data being imported
  stdin            Specifies that the data will be provided from stdin. If the
                   number of charcters is not specified after 'stdin' then the
                   data read from standard input is expected to be
                   base64-encoded followed by "\nquit\n".
ciscoasa(config)# import webvpn plug-in protocol ssh tftp://200.1.1.2/ssh.12.21.2013.jar
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
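Importing the remaining plug-ins, verifying what is stored in flash, and removing one again, as an added example that is not from the original post. The .jar file names are placeholders; the TFTP server 200.1.1.2 is the one used in the import above.

```cisco
! Added example (not from the original post). The .jar file names are
! placeholders; use the names of the archives you downloaded from Cisco.com.
!
! Import the other plug-ins the same way the SSH/Telnet one was imported.
! The protocol keyword decides which URL scheme the portal will hand to
! the plug-in (rdp://, rdp2://, vnc://, ssh://, telnet://).
ciscoasa(config)# import webvpn plug-in protocol rdp tftp://200.1.1.2/rdp-plugin.jar
ciscoasa(config)# import webvpn plug-in protocol rdp2 tftp://200.1.1.2/rdp2-plugin.jar
ciscoasa(config)# import webvpn plug-in protocol vnc tftp://200.1.1.2/vnc-plugin.jar
!
! List the plug-ins in flash. Because each one is a Java archive that
! users download from the ASA, the version shown here is the version
! every remote browser will run.
ciscoasa# show import webvpn plug-in detail
!
! Remove a plug-in that is no longer needed; its URL scheme stops being
! accepted by the portal as soon as the archive is gone.
ciscoasa(config)# revert webvpn plug-in protocol vnc
```

Keeping only the plug-ins you actually offer, and re-importing them when Cisco publishes a newer archive, limits the amount of third-party Java code the portal serves to every user's browser.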