Cisco Systems OL-16647-01 Network Router User Manual
Cisco ASDM User Guide, OL-16647-01

Chapter 38: Clientless SSL VPN
Clientless SSL VPN lets users establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. Clientless SSL VPN provides easy access to a broad range of web resources and both web-enabled and legacy applications from almost any computer that can reach HTTPS Internet sites. Clientless SSL VPN uses Secure Sockets Layer and its successor, Transport Layer Security (SSL/TLS), to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

The network administrator provides access to Clientless SSL VPN resources on a user or group basis. Users have no direct access to resources on the internal network.

Clientless SSL VPN works on the platform in single, routed mode.

For information on configuring Clientless SSL VPN for end users, see Clientless SSL VPN End User Set-up.
Security Precautions
Clientless SSL VPN connections on the security appliance are very different from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers and the precautions needed to reduce security risks.

In a Clientless SSL VPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a user of Clientless SSL VPN connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The current implementation of Clientless SSL VPN does not permit communication with sites that present expired certificates. Nor does the security appliance perform trusted CA certificate validation. Therefore, users of Clientless SSL VPN cannot analyze the certificate an SSL-enabled web server presents before communicating with it.
To minimize the risks involved with SSL certificates:

• Configure a group policy for all users who need Clientless SSL VPN access, and enable Clientless SSL VPN only for that group policy.

• Limit Internet access for users of Clientless SSL VPN. One way to do this is to clear the Enable URL entry check box on the Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies panel, Functions tab. Then configure links to specific targets within the private network (Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies panel, URL Lists tab).
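Because the appliance rejects expired server certificates but does not validate the issuing CA, and end users cannot inspect a target's certificate themselves, it is worth auditing each server you link from a URL list before adding it. The following script is an added example written for this guide, not Cisco code: it connects to a target with full chain and hostname validation (the check the appliance skips), then flags certificates that are expired, close to expiry (which would break the link), or self-signed. It uses only the Python standard library; the hostnames and certificate values in the usage are assumed placeholders, and the audit is meant to run from an administrative host that can reach the internal servers.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Warn this many days before notAfter: the appliance refuses expired
# certificates outright, so an unnoticed expiry means a dead link.
EXPIRY_WARNING_DAYS = 30

def _utc(cert_time: str) -> datetime:
    """Convert a getpeercert() time string ('Jan  5 09:59:59 2012 GMT')."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def check_peer_cert(cert: dict, now: datetime) -> list[str]:
    """Findings for a certificate in the dict form ssl.SSLSocket.getpeercert()
    returns. An empty list means nothing to report."""
    findings = []
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if now < not_before:
        findings.append(f"not yet valid (notBefore {not_before:%Y-%m-%d})")
    if now > not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d}; the appliance will refuse it")
    elif now + timedelta(days=EXPIRY_WARNING_DAYS) > not_after:
        findings.append(f"expires {not_after:%Y-%m-%d}, within {EXPIRY_WARNING_DAYS} days")
    # The appliance does not check the issuing CA, so a self-signed server
    # certificate would be accepted silently; flag it for the administrator.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed certificate")
    return findings

def audit_target(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Connect with chain and hostname validation, then check the leaf cert."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return check_peer_cert(tls.getpeercert(), datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return [f"chain/hostname validation failed: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"connection failed: {exc}"]

if __name__ == "__main__":
    import sys
    # Usage: python audit_targets.py intranet.example.test hr.example.test
    for target in sys.argv[1:]:
        for finding in audit_target(target) or ["ok"]:
            print(f"{target}: {finding}")
```

Run it against every hostname in the URL list whenever a link is added and again on a schedule, since a renewal that lapses will silently break the link for all Clientless SSL VPN users.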