Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
72-25
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Content Rewrite
Maximum Object Size—Enter the maximum size in KB of a document that the ASA can cache. The
ASA measures the original content length of the object, not rewritten or compressed content. The
range is 0 to 10,000 KB; the default is 1000 KB
Minimum Object Size—Enter the minimum size in KB of a document that the ASA can cache. The
ASA measures the original content length of the object, not rewritten or compressed content. The
range is 0 to 10,000 KB; the default is 0 KB.
Note The Maximum Object Size must be greater than the Minimum Object Size.
Expiration Time—Enter an integer between 0 and 900 to set the number of minutes to cache objects
without revalidating them. The default is one minute.
LM Factor—Enter an integer between 1 and 100; the default is 20.
The LM factor sets the policy for caching objects which have only the last-modified timestamp. This
revalidates objects that have no server-set change values. The ASA estimates the length of time since
the object has changed, also called the expiration time. The estimated expiration time equals the time
elapsed since the last change multiplied by the LM factor. Setting the LM factor to 0 forces
immediate revalidation, while setting it to 100 results in the longest allowable time until
revalidation.
The expiration time sets the amount of time to for the ASA to cache objects that have neither a
last-modified time stamp nor an explicit server-set expiry time.
Cache static content—Click to cache all content that is not subject to rewrite, for example, PDF files
and images.
Restore Cache Default—Click to restore default values for all cache parameters.
Content Rewrite
The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.
Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that
includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy
HTTP traffic which may have different semantics and access control rules depending on whether the user
is using an application within or independently of an SSL VPN device.
By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some
applications and web resources (for example, public websites) to go through the ASA. The ASA
therefore lets you create rewrite rules that let users browse certain sites and applications without going
through the ASA. This is similar to split-tunneling in an IPSec VPN connection.
You can create multiple rewrite rules. The rule number is important because the security appliance
searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.
“Configuration Example for Content Rewrite Rules” shows example content rewrite rules.
Note In ASA 8.4.4.1, The clientless SSL VPN rewriter engines were significantly improved to provide better
quality and efficacy. As a result, you can expect a better end-user experience for clientless SSL VPN
users.