36-10
Cisco ASDM User Guide
OL-16647-01
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
File Server Browsing—Enables or disables CIFS browsing for file servers or shared features.
Note Browsing requires NBNS (Master Browser or WINS). If NBNS fails or is not configured, the security appliance falls back to DNS.
Note The CIFS browse feature does not support internationalization.
File Server Entry—Allows or prohibits a user from entering file server paths and names on the
portal page. When enabled, places the file server entry drawer on the portal page. Users can
enter pathnames to Windows files directly. They can download, edit, delete, rename, and move
files. They can also add files and folders. Shares must also be configured for user access on the
applicable Windows servers. Users might have to be authenticated before accessing files,
depending on network requirements.
HTTP Proxy—Affects the forwarding of an HTTP applet proxy to the client. The proxy is
useful for technologies that interfere with proper content transformation, such as Java, ActiveX,
and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The
forwarded proxy automatically modifies the browser’s existing proxy configuration and redirects all
HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client-side
technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only
browser it supports is Microsoft Internet Explorer.
URL Entry—Allows or prevents a user from entering HTTP/HTTPS URLs on the portal page.
If this feature is enabled, users can enter web addresses in the URL entry box, and use clientless
SSL VPN to access those websites.
Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures
the security of data transmission between the remote user’s PC or workstation and the security
appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on
the Internet or on the internal network), the communication from the corporate security appliance to
the destination web server is not secured.
In a clientless VPN connection, the security appliance acts as a proxy between the end user web
browser and target web servers. When a user connects to an SSL-enabled web server, the security
appliance establishes a secure connection and validates the server SSL certificate. The end user
browser never receives the presented certificate, and therefore cannot examine or validate the
certificate. The current implementation of SSL VPN does not permit communication with sites that
present expired certificates. Neither does the security appliance perform trusted CA certificate
validation. Therefore, users cannot analyze the certificate an SSL-enabled web server presents
before communicating with it.
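The practical consequence of the paragraph above is that an internal server behind the clientless portal is checked only for certificate expiry, not for a trusted issuer or a matching name, and the user never gets to see the certificate either. The following Python script is an added example (not Cisco code or part of this guide) that contrasts the two policies on records in the shape returned by Python's ssl.SSLSocket.getpeercert(). The server names, issuer name and certificate fields are constructed for illustration; in practice an administrator would populate the dictionaries from direct TLS connections made from the corporate network to each server exposed through the portal, then review any target the "expiry only" check accepts but the full check does not. The full check here approximates browser behaviour with an issuer-name allowlist and an exact subjectAltName match rather than real chain building.

```python
"""Audit helper: "expiry only" (the clientless proxy's check, as the guide
describes it) versus a fuller check (validity window, trusted issuer, name match).

Added example, not Cisco code. Certificate records use the dictionary layout
of ssl.SSLSocket.getpeercert() so the script runs offline on constructed data.
"""
import ssl

# Constructed issuer allowlist: a hypothetical internal CA name, not a real one.
TRUSTED_ISSUERS = {"Example Corp Internal CA"}

# Fixed "current time" so the results are reproducible (constructed value).
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2026 GMT")


def _make_cert(cn, issuer_cn, not_before, not_after, san_names):
    """Build a getpeercert()-style record (constructed sample data)."""
    return {
        "notBefore": not_before,
        "notAfter": not_after,
        "issuer": ((("commonName", issuer_cn),),),
        "subject": ((("commonName", cn),),),
        "subjectAltName": tuple(("DNS", n) for n in san_names),
    }


# Constructed targets: hypothetical internal hosts, none of them real.
SAMPLE_TARGETS = {
    # Properly issued by the internal CA, name matches: fine under both checks.
    "intranet.example.internal": _make_cert(
        "intranet.example.internal", "Example Corp Internal CA",
        "Jan 10 00:00:00 2024 GMT", "Jan 10 00:00:00 2030 GMT",
        ["intranet.example.internal"]),
    # Self-signed: the proxy accepts it (not expired), a browser would not.
    "selfsigned.example.internal": _make_cert(
        "selfsigned.example.internal", "selfsigned.example.internal",
        "Jan 10 00:00:00 2024 GMT", "Jan 10 00:00:00 2030 GMT",
        ["selfsigned.example.internal"]),
    # Trusted issuer but issued for a different host: again only the full check fails.
    "reports.example.internal": _make_cert(
        "other.example.internal", "Example Corp Internal CA",
        "Jan 10 00:00:00 2024 GMT", "Jan 10 00:00:00 2030 GMT",
        ["other.example.internal"]),
    # Expired: the only case the proxy itself rejects.
    "old.example.internal": _make_cert(
        "old.example.internal", "Example Corp Internal CA",
        "Jan 10 00:00:00 2023 GMT", "Jan 10 00:00:00 2025 GMT",
        ["old.example.internal"]),
}


def _rdn_value(rdns, key):
    """Extract one attribute (e.g. 'commonName') from the nested tuple layout
    getpeercert() uses for issuer/subject."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _san_matches(cert, hostname):
    """Exact DNS subjectAltName comparison (wildcards deliberately not handled)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return hostname.lower() in (n.lower() for n in names)


def proxy_policy(cert, now):
    """Model of the guide's description: only an expired certificate is refused."""
    return now <= ssl.cert_time_to_seconds(cert["notAfter"])


def full_policy(cert, now, hostname, trusted_issuers):
    """Closer to what a browser does: validity window, trusted issuer, name match."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    if _rdn_value(cert["issuer"], "commonName") not in trusted_issuers:
        return False
    return _san_matches(cert, hostname)


def audit(targets, now, trusted_issuers):
    """Return {hostname: (accepted_by_proxy, accepted_by_full_check)}."""
    return {host: (proxy_policy(cert, now),
                   full_policy(cert, now, host, trusted_issuers))
            for host, cert in targets.items()}


def silently_accepted(targets, now, trusted_issuers):
    """Hosts the proxy would serve to users although a full check rejects them."""
    return sorted(h for h, (p, f) in audit(targets, now, trusted_issuers).items()
                  if p and not f)


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_TARGETS, NOW, TRUSTED_ISSUERS).items():
        print(f"{host:32} proxy={verdict[0]!s:5} full={verdict[1]!s:5}")
    print("review these:", silently_accepted(SAMPLE_TARGETS, NOW, TRUSTED_ISSUERS))
```

The hosts reported by silently_accepted() are the ones to fix on the server side (re-issue from the internal CA with the right name) or to remove from portal bookmarks, since the user's browser has no way to notice the problem through the proxy.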
To limit Internet access for users, select Disable for the URL Entry field. This prevents SSL VPN
users from surfing the Web during a clientless VPN connection.
Unchanged—(default) Click to use values from the group policy that applies to this session.
Enable/Disable—Click to enable or disable the feature.
Auto-start—Click to enable HTTP proxy and to have the DAP record automatically start the
applets associated with these features.
Port Forwarding Lists Tab—Lets you select and configure port forwarding lists for user sessions.
Port Forwarding provides access for remote users in the group to client/server applications that
communicate over known, fixed TCP/IP ports. Remote users can use client applications that are
installed on their local PC and securely access a remote server that supports that application. Cisco