Cisco Systems OL-16647-01 Network Router User Manual


38-33
Cisco ASDM User Guide
OL-16647-01
Chapter 38 Clientless SSL VPN
Clientless SSL VPN Access
Configure the amount of security appliance memory that Clientless SSL VPN can use.
To configure Clientless SSL VPN services for individual users, the best practice is to use the
Configuration > VPN > General > Group Policy > Add/Edit > WebVPN panel. Then use the
Configuration > Properties > Device Administration > User Accounts > VPN Policy panel to assign
the group policy to a user.
Fields
Configure access parameters for WebVPN—Lets you enable or disable Clientless SSL VPN
connections on configured security appliance interfaces.
Interface—Displays names of all configured interfaces.
WebVPN Enabled—Displays current status for Clientless SSL VPN on the interface.
A green check next to Yes indicates that Clientless SSL VPN is enabled.
A red circle next to No indicates that Clientless SSL VPN is disabled.
Enable/Disable—Click to enable or disable Clientless SSL VPN on the highlighted interface.
Port Number—Enter the port number that you want to use for Clientless SSL VPN sessions. The
default port is 443, for HTTPS traffic; the range is 1 through 65535. If you change the port number,
all current Clientless SSL VPN connections terminate, and current users must reconnect. You also
lose connectivity to ASDM, and a prompt displays, inviting you to reconnect.
Default Idle Timeout—Enter the amount of time, in seconds, that a Clientless SSL VPN session can
be idle before the security appliance terminates it. This value applies only if the Idle Timeout value
in the group policy for the user is set to zero (0), which means there is no timeout value; otherwise
the group policy Idle Timeout value takes precedence over the timeout you configure here. The
minimum value you can enter is 1 minute. The default is 30 minutes (1800 seconds). Maximum is
24 hours (86400 seconds).
We recommend that you set this attribute to a short time period. This is because a browser set to
disable cookies (or one that prompts for cookies and then denies them) can result in a user not
connecting but nevertheless appearing in the sessions database. If the Simultaneous Logins attribute
for the group policy is set to one, the user cannot log back in because the database indicates that the
maximum number of connections already exists. Setting a low idle timeout removes such phantom
sessions quickly, and lets a user log in again.
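The interaction described above (group policy Idle Timeout of 0 falls back to the global Default Idle Timeout, and a phantom entry left by a browser that denied the session cookie blocks re-login while Simultaneous Logins is 1 until the idle reaper removes it) can be modelled in a few lines. This is an added illustration, not Cisco's code: the `SessionDb` class, the simulated clock and the user name are assumptions; the 60/1800/86400 second limits come from the field description.

```python
"""Model of a Clientless SSL VPN session database versus Default Idle Timeout.
Added example (not ASA/ASDM code): class and function names are assumed,
the timeout bounds follow the ASDM field description."""
from dataclasses import dataclass, field

MIN_IDLE = 60        # 1 minute, the smallest value the panel accepts
DEFAULT_IDLE = 1800  # 30 minutes, the panel default
MAX_IDLE = 86400     # 24 hours


def effective_idle_timeout(group_policy_idle: int, default_idle: int = DEFAULT_IDLE) -> int:
    """Group policy Idle Timeout wins unless it is 0 (meaning 'no value'),
    in which case the global Default Idle Timeout applies."""
    if not MIN_IDLE <= default_idle <= MAX_IDLE:
        raise ValueError(f"Default Idle Timeout must be {MIN_IDLE}..{MAX_IDLE} seconds")
    return group_policy_idle if group_policy_idle > 0 else default_idle


@dataclass
class Session:
    user: str
    last_activity: int      # simulated clock, seconds
    cookie_accepted: bool   # False models a browser that denied the cookie


@dataclass
class SessionDb:
    simultaneous_logins: int
    idle_timeout: int
    sessions: list = field(default_factory=list)

    def active(self, user: str) -> list:
        return [s for s in self.sessions if s.user == user]

    def login(self, user: str, now: int, cookie_accepted: bool = True) -> bool:
        """Accept a login only if the user is below Simultaneous Logins.
        A phantom entry (cookie denied, user never really connected) still
        counts, which is exactly the lockout the guide warns about."""
        if len(self.active(user)) >= self.simultaneous_logins:
            return False
        self.sessions.append(Session(user, now, cookie_accepted))
        return True

    def reap_idle(self, now: int) -> int:
        """Terminate sessions idle for idle_timeout or longer; return how many."""
        before = len(self.sessions)
        self.sessions = [s for s in self.sessions
                         if now - s.last_activity < self.idle_timeout]
        return before - len(self.sessions)


def seconds_until_relogin(default_idle: int, group_policy_idle: int = 0,
                          simultaneous_logins: int = 1, retry_every: int = 60) -> int:
    """Simulate a user whose first attempt leaves a phantom session at t=0 and
    who retries every `retry_every` seconds; return the first time a retry
    succeeds. Shows why a short Default Idle Timeout shortens the lockout."""
    timeout = effective_idle_timeout(group_policy_idle, default_idle)
    db = SessionDb(simultaneous_logins, timeout)
    if not db.login("alice", now=0, cookie_accepted=False):   # "alice" is a constructed user
        raise RuntimeError("first login should create the phantom entry")
    t = 0
    while True:
        t += retry_every
        db.reap_idle(t)
        if db.login("alice", now=t):
            return t


if __name__ == "__main__":
    print("lockout with default 1800 s:", seconds_until_relogin(1800))
    print("lockout with default 60 s:  ", seconds_until_relogin(60))
    print("group policy 300 s overrides:", seconds_until_relogin(1800, group_policy_idle=300))
```

With the panel default of 1800 seconds the locked-out user waits 30 minutes; with the minimum of 60 seconds the phantom entry is gone at the first retry, and a non-zero group policy Idle Timeout takes precedence over whatever is configured here.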
Max. Sessions Limit—Enter the maximum number of Clientless SSL VPN sessions you want to
allow. Be aware that the different ASA models support Clientless SSL VPN sessions as follows:
ASA 5510 supports a maximum of 250; ASA 5520 maximum is 750; ASA 5540 maximum is 2500;
ASA 5550 maximum is 5000.
WebVPN Memory Size—Enter the percent of total memory or the amount of memory in kilobytes
that you want to allocate to Clientless SSL VPN processes. The default is 50% of memory. Be aware
that the different ASA models have different total amounts of memory as follows: ASA 5510—256
MB; ASA 5520—512 MB; ASA 5540—1 GB; ASA 5550—4 GB. When you change the memory size,
the new setting takes effect only after the system reboots.
WebVPN Memory (unlabeled)—Choose to allocate memory for Clientless SSL VPN either as a
percentage of total memory or as an amount of memory in kilobytes.
Enable Tunnel Group Drop-down List on WebVPN Login—Check to include a drop-down list of
configured tunnel groups on the Clientless SSL VPN end-user interface. Users select a tunnel group
from this list when they log on. This field is checked by default. If you uncheck it, the user cannot
select a tunnel group at logon.