72-51
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Application Access
Step 5 (Optional) Click to add the Windows domain to the username if authentication requires it. If you do so,
be sure to specify the domain name when assigning the smart tunnel list to one or more group policies
or local user policies.
Step 6 (Optional) Specify a port number for the corresponding hosts. For Firefox, if no port number is specified,
auto sign is performed on HTTP and HTTPS, accessed by default port numbers 80 and 443 respectively.
Following the configuration of the smart tunnel auto sign-on server list, you must assign it to a group
policy or a local user policy for it to become active, as follows:
• To assign the list to a group policy, choose Config > Remote Access VPN > Clientless SSL VPN
Access > Group Policies > Add or Edit > Portal, find the Smart Tunnel area, and choose the list
name from the drop-down list next to the Auto Sign-on Server List attribute.
• To assign the list to a local user policy, choose Config > Remote Access VPN> AAA Setup > Local
Users > Add or Edit > VPN Policy > Clientless SSL VPN, find the Smart Tunnel area, and choose
the list name from the drop-down list next to the Auto Sign-on Server List attribute.
Enabling and Disabling Smart Tunnel Access
By default, smart tunnels are disabled.
If you enable smart tunnel access, the user will have to start it manually, using the Application Access
> Start Smart Tunnels button on the clientless SSL VPN portal page.
Logging Off Smart Tunnel
This section describes how to ensure that the smart tunnel is properly logged off. Smart tunnel can be
logged off when all browser windows have been closed, or you can right click the notification icon and
confirm log out.
Note We strongly recommend the use of the logout button on the portal. This method pertains to clientless
SSL VPNs and logs off regardless of whether smart tunnel is used or not. The notification icon should
be used only when using standalone applications without the browser.
When Its Parent Process Terminates
This practice requires the closing of all browsers to signify log off. The smart tunnel lifetime is now tied
to the starting process lifetime. For example, if you started a smart tunnel from Internet Explorer, the
smart tunnel is turned off when no iexplore.exe is running. Smart tunnel can determine that the VPN
session has ended even if the user closed all browsers without logging out.
Note In some cases, a lingering browser process is unintentional and is strictly a result of an error.
Also, when a Secure Desktop is used, the browser process can run in another desktop even if the
user closed all browsers within the secure desktop. Therefore, smart tunnel declares all browser
instances gone when no more visible windows exist in the current desktop.