72-27
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Browser Access to Plug-ins
A browser plug-in is a separate program that a web browser invokes to perform a dedicated function,
such as connect a client to a server within the browser window. The ASA lets you import plug-ins for
download to remote browsers in clientless SSL VPN sessions. Of course, Cisco tests the plug-ins it
redistributes, and in some cases, tests the connectivity of plug-ins we cannot redistribute. However, we
do not recommend importing plug-ins that support streaming media at this time.
Note Per the GNU General Public License (GPL), Cisco redistributes plug-ins without having
made any changes to them. Per the GPL, Cisco cannot directly enhance these plug-ins.
The ASA does the following when you install a plug-in onto the flash device:
• (Cisco-distributed plug-ins only) Unpacks the jar file specified in the URL.
• Writes the file to the csco-config/97/plugin directory on the ASA file system.
• Populates the drop-down menu next to the URL attributes in ASDM.
• Enables the plug-in for all future clientless SSL VPN sessions, and adds a main menu option and an
option to the drop-down menu next to the Address field of the portal page.
Table 72-2 shows the changes to the main menu and address field of the portal page when you add the
plug-ins described in the following sections.
When the user in a clientless SSL VPN session clicks the associated menu option on the portal page, the
portal page displays a window to the interface and displays a help pane. The user can select the protocol
displayed in the drop-down menu and enter the URL in the Address field to establish a connection.Some
Java plug-ins may report a status of connected or online even when a session to the destination service
is not set up. The open-source plug-in reports the status, not the ASA.
The plug-ins support single sign-on (SSO). Refer to the “Configuring SSO with the HTTP Form
Protocol” section on page 72-16 for implementation details.
The minimum access rights required for remote use belong to the guest privilege mode.
Prerequisites
• Clientless SSL VPN must be enabled on the ASA to provide remote access to the plug-ins.
• To configure SSO support for a plug-in, you install the plug-in, add a bookmark entry to display a
link to the server, and specify SSO support when adding the bookmark.
• The minimum access rights required for remote use belong to the guest privilege mode.
• Plug-ins require ActiveX or Sun JRE 5, Update 1.4 or later (JRE 6 or later recommended) to be
enabled on the browser. An ActiveX version of the RDP plug-in is unavailable for 64-bit browsers.
Table 72-2 Effects of Plug-ins on the Clientless SSL VPN Portal Page
Plug-in Main Menu Option Added to Portal Page Address Field Option Added to Portal Page
ica Citrix Client ica://
rdp Terminal Servers rdp://
rdp2 Terminal Servers Vista rdp2://
ssh,telnet SSH ssh://
Telnet telnet://
vnc VNC Client vnc://
