Cisco Systems OL-16647-01 Network Router User Manual


38-35
Cisco ASDM User Guide
OL-16647-01
Chapter 38 Clientless SSL VPN
Configuring Smart Tunnel Access
- Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.
- Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the DAPs, group policies, or local user policies for whom you want to provide smart tunnel access.
You can also list web-enabled applications for which to automate the submission of login credentials in
smart tunnel connections over clientless SSL VPN sessions.
Why Smart Tunnels?
Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to connect
to a service. It offers the following advantages to users, compared to plug-ins and the legacy technology,
port forwarding:
- Smart tunnel offers better performance than plug-ins.
- Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user to connect the local application to the local port.
- Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
The advantage of a plug-in is that it does not require the client application to be installed on the remote
computer.
Smart Tunnel Requirements and Limitations
The following sections categorize the smart tunnel requirements and limitations.
General Requirements and Limitations
Smart tunnel has the following general requirements and limitations:
- The remote host originating the smart tunnel must be running a 32-bit version of Microsoft Windows Vista, Windows XP, or Windows 2000; or Mac OS 10.4 or 10.5.
- Smart tunnel auto sign-on supports only Microsoft Internet Explorer on Windows.
- The browser must be enabled with Java, Microsoft ActiveX, or both.
- Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart tunnel uses the Internet Explorer configuration (that is, the one intended for system-wide use in Windows). If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services. If the proxy configuration specifies that traffic destined for the ASA goes through a proxy, all smart tunnel traffic goes through the proxy.
- In an HTTP-based remote access scenario, sometimes a subnet does not provide user access to the VPN gateway. In this case, a proxy placed in front of the ASA to route traffic between the web and the end user's location provides web access. However, only VPN users can configure proxies placed in front of the ASA. When doing so, they must make sure these proxies support the CONNECT method. For proxies that require authentication, smart tunnel supports only the basic digest authentication type.
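
The proxy requirements in the last item can be checked from the proxy's reply to a CONNECT request. The following is an added example, not part of the Cisco guide: the function name, verdict strings and sample replies are constructed here, and it assumes the guide's "basic digest" refers to the HTTP Basic and Digest schemes.

```python
# Added example: classify a proxy's reply to "CONNECT <asa-host>:443".
# Assumption: the guide's "basic digest" is read as HTTP Basic and Digest.
SUPPORTED_AUTH = {"basic", "digest"}

def classify_connect_reply(raw: bytes) -> dict:
    """Parse the header block of a proxy reply to CONNECT and report whether
    tunnelling is possible and which authentication schemes are offered."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return {"verdict": "malformed", "status": None, "schemes": []}
    status = int(parts[1])
    schemes = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            # The scheme is the first token of the challenge. Only one
            # challenge per header line is handled in this example.
            scheme = value.strip().split(" ", 1)[0].lower()
            if scheme and scheme not in schemes:
                schemes.append(scheme)
    if 200 <= status < 300:
        verdict = "connect-ok"              # tunnel established
    elif status == 407:                     # proxy demands authentication
        usable = SUPPORTED_AUTH & set(schemes)
        verdict = "auth-ok" if usable else "auth-unsupported"
    elif status in (405, 501):              # method rejected outright
        verdict = "connect-not-supported"
    else:
        verdict = "connect-refused"         # e.g. 403 from a port/host ACL
    return {"verdict": verdict, "status": status, "schemes": schemes}

# Constructed sample replies (not captured from a real proxy).
OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
NTLM_ONLY = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Negotiate\r\n"
             b"Proxy-Authenticate: NTLM\r\n\r\n")
MIXED = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
         b"Proxy-Authenticate: NTLM\r\n"
         b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')
NO_CONNECT = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    for label, reply in [("ok", OK), ("ntlm-only", NTLM_ONLY),
                         ("mixed", MIXED), ("no-connect", NO_CONNECT)]:
        print(label, classify_connect_reply(reply))
```

A verdict of `auth-unsupported` or `connect-not-supported` indicates a proxy that does not meet the requirements stated above.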