Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Observing Clientless SSL VPN Security Precautions
The current implementation of clientless SSL VPN on the ASA does not permit communication with
sites that present expired certificates. Nor does the ASA validate the certificate chains of those
SSL-enabled sites against trusted CAs. Therefore, users do not benefit from certificate validation of pages delivered
from an SSL-enabled web server before they use a web-enabled service.
Restrictions
By default, the ASA permits all portal traffic to all web resources (e.g., HTTPS, CIFS, RDP, and
plug-ins). The ASA clientless service rewrites each URL to one that is meaningful only to itself; the user
cannot use the rewritten URL shown in the browser for the accessed page to confirm that they are on the site they
requested. To avoid placing users at risk, assign a web ACL to the policies configured for clientless
access – group policies, dynamic access policies, or both – to control traffic flows from the portal. For
example, without such an ACL, users could receive an authentication request from an outside fraudulent
banking or commerce site and have no way to tell it apart from a legitimate one. Also, we recommend disabling URL Entry on these policies to prevent user
confusion over what is accessible.
Figure 72-1 Example URL Typed by User
Figure 72-2 Same URL Rewritten by Security Appliance and displayed on the Browser Window
Detailed Steps
We recommend that you do the following to minimize risks posed by clientless SSL VPN access:
Step 1 Configure a group policy for all users who need clientless SSL VPN access, and enable clientless SSL
VPN only for that group policy.
Step 2 With the group policy open, choose General > More Options > Web ACL and click Manage.
Step 3 Create a web ACL to do one of the following: permit access only to specific targets within the private
network, permit access only to the private network, deny Internet access, or permit access only to
reputable sites.
Step 4 Assign the web ACL to any policies (group policies, dynamic access policies, or both) that you have
configured for clientless access. To assign a web ACL to a DAP, edit the DAP record, and select the web
ACL on the Network ACL Filters tab.
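The following is an added example, not part of the Cisco guide, showing the ASA CLI equivalent of Steps 1 through 4 above for the group-policy case (DAP records are edited in ASDM as described in Step 4 and are not shown). The ACL name, group-policy name, and host names are placeholders; the webtype ACL, `filter value`, `url-entry`, and `vpn-tunnel-protocol` commands are standard ASA configuration syntax.

```cisco
! Added example (not from the Cisco guide): CLI equivalent of Steps 1-4.
! CLIENTLESS-WEB-ACL, CLIENTLESS-USERS and the example.com hosts are placeholders.
!
! Step 3: webtype ACL that permits access only to specific targets on the
! private network. Anything not explicitly permitted falls through to the
! implicit deny at the end of the ACL; the explicit deny below only makes
! that behaviour visible in the configuration.
access-list CLIENTLESS-WEB-ACL webtype permit url https://intranet.example.com/*
access-list CLIENTLESS-WEB-ACL webtype permit url cifs://fileserver.example.com/*
access-list CLIENTLESS-WEB-ACL webtype deny url any
!
! Step 1: a dedicated group policy that allows only the clientless tunnel protocol.
group-policy CLIENTLESS-USERS internal
group-policy CLIENTLESS-USERS attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  ! Step 4: assign the web ACL to the policy so portal traffic is filtered.
  filter value CLIENTLESS-WEB-ACL
  ! Recommended in the Restrictions section: disable URL Entry so users can
  ! only reach administrator-defined bookmarks, not arbitrary typed URLs.
  url-entry disable
```

With this configuration, a portal user who follows a link to a site outside the permitted list is blocked by the ASA before the request leaves the portal, which removes the scenario of an outside site presenting an authentication prompt through a rewritten URL the user cannot verify.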