Saturday, May 17, 2014

Clientless SSL VPN Smart Tunnels

Smart tunnels are the next step in the evolution of application access. With smart tunnels, the requirement for a local user to have administrative rights on the client machine is gone. The user no longer has to change his local application settings to forward sessions to the local loopback address and a pre-configured port, and the list of supported applications is more extensive.

Essentially, the way application traffic is forwarded through the SSL VPN tunnel remains the same as with port forwarding and client-server plug-ins: upon receiving the client application traffic, the ASA acts as a proxy, opening a TCP connection of its own to the application server and forwarding the traffic over it.

The noticeable advantage smart tunnels have over client-server plug-ins is the speed at which the application operates over the tunnel (the plug-ins being primarily a Java thing), and the client can make use of the full feature set of the application. However, as with port forwarding, the drawback is that the application has to be locally installed on the remote user's PC. Therefore (and also for security reasons), smart tunnels are generally deployed to users on company- or employee-owned PCs/laptops and not to those connecting from a public machine.

I prepared my ASA 5505 to allow RDP (TCP 3389) and VNC (TCP 590x) from the outside network 192.168.1.0/24 to my inside network 172.16.1.0/24. There's a handy ping tcp command to verify that it's working.

I created a banner under Configuration > Remote Access > Clientless SSL VPN Access > Group Policies to inform outside users which SSL VPN portal they're accessing.
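The CLI equivalent of the setup described above, added here as an example and not this post's own running-config: the list, group-policy and tunnel-group names, the inside server 172.16.1.10 and the client executable names are assumptions; the address ranges and ports are the post's.

```text
! Added example, not this post's configuration. Names, the server
! 172.16.1.10 and the executable names are assumptions; the address
! ranges come from the post.
webvpn
 enable outside
 tunnel-group-list enable
 ! A smart-tunnel list names the local client programs the portal may
 ! tunnel. Only these processes are proxied by the ASA; the rest of the
 ! PC's traffic never enters the tunnel. The path is matched against
 ! the process name on the client, so it must be the real viewer binary
 ! (TightVNC ships tvnviewer.exe, for instance). An optional trailing
 ! SHA-1 hash argument pins the entry to one specific build.
 smart-tunnel list RDP-VNC-APPS RDP mstsc.exe platform windows
 smart-tunnel list RDP-VNC-APPS VNC vncviewer.exe platform windows
 ! Destinations reachable through the tunnel (syntax from ASA 8.3+,
 ! assumed here): limit it to the inside network from the post rather
 ! than the default of tunnelling to any host the ASA can reach.
 smart-tunnel network INSIDE-NET ip 172.16.1.0 255.255.255.0
!
group-policy SMART-TUNNEL-GP internal
group-policy SMART-TUNNEL-GP attributes
 ! Portal banner, as described in the post
 banner value Clientless SSL VPN portal (smart tunnels) - authorised use only
 ! Clientless only: this policy grants no AnyConnect/full-tunnel access
 vpn-tunnel-protocol ssl-clientless
 webvpn
  smart-tunnel enable RDP-VNC-APPS
  smart-tunnel auto-start RDP-VNC-APPS
  smart-tunnel tunnel-policy tunnelspecified INSIDE-NET
!
tunnel-group SMART-TUNNEL-TG type remote-access
tunnel-group SMART-TUNNEL-TG general-attributes
 default-group-policy SMART-TUNNEL-GP
tunnel-group SMART-TUNNEL-TG webvpn-attributes
 group-alias SmartTunnel enable
!
! Verification from the ASA (exec mode, not config): confirm the inside
! host answers on the tunnelled ports before suspecting the portal.
! RDP is TCP 3389; VNC is TCP 590x, 5900 shown.
!   ping tcp 172.16.1.10 3389
!   ping tcp 172.16.1.10 5900
!   show vpn-sessiondb webvpn      (lists active clientless sessions)
```

The ping tcp checks only prove the ASA can reach the server; if they succeed but the tunnel still fails, compare the executable name in the list with the actual process name on the client.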

1 comment:

  1. Hello...

    Do you mind posting the full configuration to get this to work? I can't get my smart tunnel to work. I also used VNC but no luck.

    Thanks in advance
