Cisco Systems ASA 5585-X Network Router User Manual
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Application Access
For Windows, if you want to add smart tunnel access to an application started from the command prompt,
you must specify “cmd.exe” in the Process Name of one entry in the smart tunnel list, and specify the
path to the application itself in another entry, because “cmd.exe” is the parent of the application.
Step 4 Click Windows or Mac to specify the host operating system of the application.
Step 5 (Optional and applicable only for Windows) Enter the SHA-1 hash of the application's executable file in the
Hash field. To obtain this value, run the executable file through a utility that calculates a SHA-1 hash.
One example of such a utility is the Microsoft File Checksum Integrity Verifier (FCIV), which is available
at http://support.microsoft.com/kb/841290/. After installing FCIV, place a temporary copy of the executable
to be hashed on a path that contains no spaces (for example, c:\msimn.exe), then enter
fciv.exe -sha1 application at the command line (for example, fciv.exe -sha1 c:\msimn.exe) to display
the SHA-1 hash. Current Windows versions can produce the same value without FCIV, with
certutil -hashfile c:\msimn.exe SHA1 at the command prompt or Get-FileHash -Algorithm SHA1 c:\msimn.exe
in PowerShell.
The SHA-1 hash is always 40 hexadecimal characters. Hash the exact build (version and patch level) that is
installed on the remote hosts; a copy taken from a differently patched workstation will not match.
Before authorizing an application for smart tunnel access, clientless SSL VPN calculates the hash of the
executable on the remote host that matches the entry's Process Name. It qualifies the application for smart
tunnel access only if the result matches the value of Hash.
Entering a hash provides reasonable assurance that clientless SSL VPN does not qualify an illegitimate file
whose name happens to match the Process Name you specified; an entry without a Hash trusts any executable
with that name. Because the checksum changes with each version or patch of an application, the Hash you
enter can match only one version or patch on the remote host. To support more than one version of an
application, create a separate smart tunnel entry for each Hash value.
Note If you enter Hash values, you must update the smart tunnel list whenever a new version or patch of
the application is rolled out, or smart tunnel access for that application stops working. A sudden
failure of smart tunnel access is therefore often a sign that the list of hashes has fallen behind an
application upgrade. You can avoid this problem by not entering a hash, at the cost of the assurance
described above.
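The following added example (Python, not Cisco code) models the check described in Step 5 and the note above: it computes the 40-character SHA-1 that FCIV would print, then applies the guide's two-stage rule (match the Process Name, then compare the hash only if the entry carries one) and shows why a pinned hash stops matching after a patch while an entry per version keeps working. The two "executables" are constructed byte strings, and the tail-of-path comparison used for a predefined-path entry such as \Program Files\Outlook Express\msimn.exe is an assumption about how the ASA compares paths, not something the guide states.

```python
"""Model of the smart tunnel Process Name + Hash qualification.

Added example, not Cisco code.  It follows the guide's description: match the
process name, then, if the entry has a Hash, compare a SHA-1 of the executable.
The sample executables are constructed byte strings, not real programs, and
the suffix-style match for path-qualified Process Names is an assumption.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-ins for two builds of the same application.  A patch that
# changes even one byte changes the whole SHA-1.
MSIMN_V1 = b"MZ\x90\x00" + b"outlook express build 6.00.2900" + b"\x00" * 64
MSIMN_V2 = b"MZ\x90\x00" + b"outlook express build 6.00.2901" + b"\x00" * 64


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the executable contents as FCIV prints it: 40 hex digits."""
    return hashlib.sha1(data).hexdigest()


def is_valid_hash(value: str) -> bool:
    """Sanity check before pasting into the Hash field: exactly 40 hex characters."""
    return len(value) == 40 and all(c in "0123456789abcdefABCDEF" for c in value)


@dataclass(frozen=True)
class SmartTunnelEntry:
    app_id: str                  # Application ID: any unique string
    process_name: str            # bare exe name, or a path ending in the exe name
    os_name: str = "Windows"
    sha1: Optional[str] = None   # optional Hash; Windows only


def process_matches(entry: SmartTunnelEntry, exe_path: str) -> bool:
    r"""Compare the process's full path against the entry's Process Name.

    A bare name (msimn.exe) matches that file in any directory.  A path such as
    \Program Files\Outlook Express\msimn.exe is compared case-insensitively
    against the tail of the full path (assumption, see module docstring).
    """
    want = entry.process_name.lower().replace("/", "\\")
    have = exe_path.lower().replace("/", "\\")
    if "\\" not in want:
        return have.rsplit("\\", 1)[-1] == want
    return have.endswith(want)


def qualifies(entry: SmartTunnelEntry, exe_path: str, exe_bytes: bytes) -> bool:
    """True if this entry would grant the running process smart tunnel access."""
    if not process_matches(entry, exe_path):
        return False
    if entry.sha1 is None:
        return True                       # no Hash configured: name match is enough
    return sha1_hex(exe_bytes) == entry.sha1.lower()


def first_match(entries: Iterable[SmartTunnelEntry], exe_path: str,
                exe_bytes: bytes) -> Optional[SmartTunnelEntry]:
    """Walk the smart tunnel list; one entry per Hash value supports several versions."""
    for entry in entries:
        if qualifies(entry, exe_path, exe_bytes):
            return entry
    return None


if __name__ == "__main__":
    path = r"C:\Program Files\Outlook Express\msimn.exe"
    pinned = SmartTunnelEntry("outlook-express", "msimn.exe", sha1=sha1_hex(MSIMN_V1))
    print(pinned.sha1, is_valid_hash(pinned.sha1))
    print("v1 with pinned hash:", qualifies(pinned, path, MSIMN_V1))   # True
    print("v2 with pinned hash:", qualifies(pinned, path, MSIMN_V2))   # False: list is out of date
    both = [pinned, SmartTunnelEntry("outlook-express-v2", "msimn.exe", sha1=sha1_hex(MSIMN_V2))]
    print("v2 with one entry per version:", first_match(both, path, MSIMN_V2).app_id)
```

Running the block prints the two hashes' verdicts side by side: the pinned entry qualifies the build it was hashed from and rejects the patched build, which is exactly the "sudden problem" the note warns about, and adding a second entry with the new hash restores access without dropping the check.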
Following the configuration of the smart tunnel list, you must assign it to a group policy or a local user
policy for it to become active, as follows:
To assign the list to a group policy, choose Config > Remote Access VPN > Clientless SSL VPN
Access > Group Policies > Add or Edit > Portal and choose the smart tunnel list name from the
drop-down list next to the Smart Tunnel List attribute.
To assign the list to a local user policy, choose Config > Remote Access VPN > AAA Setup > Local
Users > Add or Edit > VPN Policy > Clientless SSL VPN and choose the smart tunnel list name from
the drop-down list next to the Smart Tunnel List attribute.
Table 72-6 Example Smart Tunnel Entries

Smart Tunnel Support                                  Application ID              Process Name                                OS
                                                      (any unique string is OK)
Mozilla Firefox                                       firefox                     firefox.exe                                 Windows
Microsoft Outlook Express                             outlook-express             msimn.exe                                   Windows
More restrictive alternative: Microsoft Outlook       outlook-express             \Program Files\Outlook Express\msimn.exe    Windows
Express only if the executable file is in a
predefined path