Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Application Access
Detailed Steps
Step 1 Enter a unique name for the list of remote servers. The string can be up to 64 characters. Do not use
spaces.
Following the configuration of the smart tunnel auto sign-on list, the list name appears next to the Auto
Sign-on Server List attribute under Smart Tunnel in the clientless SSL VPN group policy and local user
policy configurations. Assign a name that will help you to distinguish its contents or purpose from other
lists that you are likely to configure.
Adding or Editing a Smart Tunnel Auto Sign-on Server Entry
The Add or Edit Smart Tunnel Entry dialog box lets you identify a server to be added to a smart tunnel
auto sign-on list. You can identify it by its hostname, or IP address and subnet mask. You can also elect
to have auto sign-on support for form-based authentication or for Internet Explorer or Firefox.
This section describes how to list the servers for which to provide auto sign-on in smart tunnel
connections and assign the lists to group policies or usernames.
Use the address format used in the source code of the web pages on the intranet. If you are configuring
smart tunnel auto sign-on for browser access and some web pages use host names and others use IP
addresses, or you do not know, specify both in different smart tunnel auto sign-on entries. Otherwise, if
a link on a web page uses a different format than the one you specify, it fails when the user clicks it.
Step 1 Enter a hostname or wildcard mask to auto-authenticate to. You can use the following wildcard
characters:
• * to match any number of characters or zero characters
• ? to match any single character
• [] to match any single character in the range expressed inside the brackets
For example, enter *.example.com. Using this option protects the configuration from dynamic
changes to IP addresses.
Note Firefox requires the administrator to specify hosts using an exact host name or IP address
(instead of a host mask with wildcards, a subnet using IP addresses, or a netmask). For
example, within Firefox, you cannot enter *.cisco.com and expect auto sign-on to host
email.cisco.com.
Step 2 Enter an IP address to auto-authenticate to.
Step 3 (Optional) Specify a realm. The realm is associated with the protected area of the website and is passed
back to the browser either in the authentication prompt or in the HTTP headers during authentication. Once
auto sign-on is configured here and a realm string is specified, users can configure the realm string on a web
application (such as Outlook Web Access) and access web applications without signing on.
Note If administrators do not know the corresponding realm, they should log on once and get
the string from the prompt dialog.
Step 4 Enter the sub-network of hosts associated with the IP address.
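The following added example (not part of the Cisco guide, and not ASDM code) checks a planned set of auto sign-on entries against links taken from intranet page source, reporting links no entry covers and entries that Firefox cannot use. The entry dict format and all sample values are constructed, and the mask matching is assumed to behave like case-insensitive shell-style globs.

```python
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# Constructed entries in a hypothetical dict format (not ASDM's own):
ENTRIES = [
    {"host": "*.example.com"},                    # Step 1: hostname mask
    {"ip": "10.1.1.0", "mask": "255.255.255.0"},  # Steps 2 and 4: IP + subnet
    {"host": "wiki.example.com"},                 # exact host name
]

# Constructed links, written as they would appear in intranet page source.
LINKS = [
    "https://mail.example.com/owa",
    "http://10.1.1.25/reports",
    "http://10.2.0.7/hr",
    "https://example.com/",
]

def entry_matches(entry, host):
    """True if the host string, as written in the link, falls under the entry."""
    if "host" in entry:
        # Assumption: masks behave like case-insensitive shell globs (*, ?, []).
        return fnmatch.fnmatchcase(host.lower(), entry["host"].lower())
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a host-name link is not covered by an IP entry
    mask = entry.get("mask", "255.255.255.255")
    return addr in ipaddress.ip_network(f'{entry["ip"]}/{mask}', strict=False)

def firefox_usable(entry):
    """Per the guide's note, Firefox needs an exact host name or IP address."""
    if "host" in entry:
        return not any(c in entry["host"] for c in "*?[")
    return entry.get("mask", "255.255.255.255") == "255.255.255.255"

def uncovered_links(entries, links):
    """Links whose host matches no entry, so auto sign-on would not apply."""
    return [link for link in links
            if not any(entry_matches(e, urlsplit(link).hostname or "")
                       for e in entries)]

if __name__ == "__main__":
    for link in uncovered_links(ENTRIES, LINKS):
        print("not covered:", link)
    for e in ENTRIES:
        print(e, "usable with Firefox:", firefox_usable(e))
```

Under the glob assumption, `*.example.com` does not cover the bare `example.com` link, so a separate entry would be needed for it.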