ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.15

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

• About This Guide
• Site-to-Site and Client VPN
  • VPN Wizards
  • IKE
  • High Availability Options
  • General VPN Setup
  • IP Addresses for VPNs
  • Dynamic Access Policies
  • Email Proxy
  • Monitor VPN
  • SSL Settings
  • Easy VPN
  • Virtual Tunnel Interface
  • Configure an External AAA Server for VPN
  • Clientless SSL VPN Overview
  • Basic Clientless SSL VPN Configuration
  • Advanced Clientless SSL VPN Configuration
  • Policy Groups
  • Clientless SSL VPN Remote Users
  • Clientless SSL VPN Users
  • Clientless SSL VPN with Mobile Devices
  • Customizing Clientless SSL VPN
  • Clientless SSL VPN Troubleshooting
  Find Matches in This Book Log in to Save Content Available Languages Download Options

  Book Title

  ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.15

  Policy Groups

  • PDF - Complete Book (8.98 MB)PDF - This Chapter (1.21 MB) View with Adobe Reader on a variety of devices

  Results

  Updated: November 2, 2020

  Chapter: Policy Groups

  Chapter Contents
  • Policy Groups
  • Smart Tunnel Access
    • About Smart Tunnels
    • Prerequisites for Smart Tunnels
    • Guidelines for Smart Tunnels
    • Configure a Smart Tunnel (Lotus Example)
    • Simplify Configuration of Applications to Tunnel
    • Add Applications to Be Eligible for Smart Tunnel Access
    • About Smart Tunnel Lists
    • Create a Smart Tunnel Auto Sign-On Server List
    • Add Servers to a Smart Tunnel Auto Sign-On Server List
    • Enable and Switch Off Smart Tunnel Access
    • Configure Smart Tunnel Log Off
      • Configure Smart Tunnel Log Off when Its Parent Process Terminates
      • Configure Smart Tunnel Log Off with a Notification Icon
      • Configure Content Transformation
        • Use Proxy Bypass

        Policy Groups

        Smart Tunnel Access

        The following sections describe how to enable smart tunnel access with Clientless SSL VPN sessions, specify the applications to be provided with such access, and provide notes on using it.

        To configure smart tunnel access, you create a smart tunnel list containing one or more applications eligible for smart tunnel access, and the endpoint operating system associated with the list. Because each group policy or local user policy supports one smart tunnel list, you must group the nonbrowser-based applications to be supported into a smart tunnel list. After creating a list, you assign it to one or more group policies or local user policies.

        The following sections describe smart tunnels and how to configure them:

        • About Smart Tunnels
        • Prerequisites for Smart Tunnels
        • Guidelines for Smart Tunnels
        • Configure a Smart Tunnel (Lotus Example)
        • Simplify Configuration of Applications to Tunnel
        • About Smart Tunnel Lists
        • Create a Smart Tunnel Auto Sign-On Server List
        • Add Servers to a Smart Tunnel Auto Sign-On Server List
        • Enable and Switch Off Smart Tunnel Access
        • Configure Smart Tunnel Log Off

        About Smart Tunnels

        A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the ASA as a proxy server. You can identify applications for which to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.

        Lotus SameTime and Microsoft Outlook are examples of applications to which you may want to grant smart tunnel access.

        Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:

        • Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom smart tunnel access is required.
        • Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the group policies or local user policies for whom smart tunnel access is required.

        You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over Clientless SSL VPN sessions.

        Benefits of Smart Tunnels

        Smart tunnel access lets a client TCP-based application use a browser-based VPN connection to access a service. It offers the following advantages to users, compared to plug-ins and the legacy technology, port forwarding:

        • Smart tunnel offers better performance than plug-ins.
        • Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.
        • Unlike port forwarding, smart tunnel does not require users to have administrator privileges.

        The advantage of a plug-in is that it does not require the client application to be installed on the remote computer.

        Prerequisites for Smart Tunnels

        See the Supported VPN Platforms, Cisco ASA 5500 Series , for the platforms and browsers supported by smart tunnels.

        The following requirements and limitations apply to smart tunnel access on Windows:

        • ActiveX or Oracle Java Runtime Environment (JRE 6 or later recommended) on Windows must be enabled on the browser.
        • Only Winsock 2, TCP-based applications are eligible for smart tunnel access.
        • For Mac OS X only, Java Web Start must be enabled on the browser.
        • Smart tunnel is incompatible with IE's Enhanced Protected Mode.

        Guidelines for Smart Tunnels

        • Smart tunnel supports only proxies placed between computers running Microsoft Windows and the security appliance. Smart Tunnel uses the Internet Explorer configuration, which sets system-wide parameters in Windows. That configuration may include proxy information:
          • If a Windows computer requires a proxy to access the ASA, then there must be a static proxy entry in the client's browser, and the host to connect to must be in the client's list of proxy exceptions.
          • If a Windows computer does not require a proxy to access the ASA, but does require a proxy to access a host application, then the ASA must be in the client's list of proxy exceptions.

          Proxy systems can be defined the client’s configuration of static proxy entry or automatic configuration, or by a PAC file. Only static proxy configurations are currently supported by Smart Tunnels.

          • Kerberos constrained delegation (KCD) is not supported for smart tunnels.
          • With Windows, to add smart tunnel access to an application started from the command prompt, you must specify “cmd.exe” in the Process Name of one entry in the smart tunnel list, and specify the path to the application itself in another entry, because “cmd.exe” is the parent of the application.
          • With HTTP-based remote access, some subnets may block user access to the VPN gateway. To fix this, place a proxy in front of the ASA to route traffic between the Web and the end user. That proxy must support the CONNECT method. For proxies that require authentication, Smart Tunnel supports only the basic digest authentication type.
          • When smart tunnel starts, the ASA by default passes all browser traffic through the VPN session if the browser process is the same. The ASA only also does this if a tunnel-all policy (the default) applies. If the user starts another instance of the browser process, it passes all traffic through the VPN session. If the browser process is the same and the security appliance does not provide access to a URL, the user cannot open it. As a workaround, assign a tunnel policy that is not tunnel-all.
          • A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
          • The Mac version of smart tunnel does not support POST bookmarks, form-based auto sign-on, or POST macro substitution.
          • For macOS users, only those applications started from the portal page can establish smart tunnel connections. This requirement includes smart tunnel support for Firefox. Using Firefox to start another instance of Firefox during the first use of a smart tunnel requires the user profile named csco_st. If this user profile is not present, the session prompts the user to create one.
          • In macOS, applications using TCP that are dynamically linked to the SSL library can work over a smart tunnel.
          • Smart tunnel does not support the following on macOS:
            • Sandboxed applications (verify in Activity Monitor using View > Columns). For that reason, macOS 10.14 and 10.15 do not support smart tunneling.
            • Proxy services.
            • Auto sign-on.
            • Applications that use two-level name spaces.
            • Console-based applications, such as Telnet, SSH, and cURL.
            • Applications using dlopen or dlsym to locate libsocket calls.
            • Statically linked applications to locate libsocket calls.

            Configure a Smart Tunnel (Lotus Example)

            These example instructions provide the minimum instructions required to add smart tunnel support for an application. See the field descriptions in the sections that follow for more information.

            Procedure

            Choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels .

            Double-click the smart tunnel list to add an application to; or click Add to create a list of applications, enter a name for this list in the List Name field, and click Add .

            For example, click Add in the Smart Tunnels pane, enter Lotus in the List Name field, and click Add.

            Click Add in the Add or Edit Smart Tunnel List dialog box.

            Enter a string in the Application ID field to serve as a unique index to the entry within the smart tunnel list.

            Enter the filename and extension of the application into the Process Name dialog box.

            The following table shows example application ID strings and the associated paths required to support Lotus.

            Table 1. Smart Tunnel Example: Lotus 6.0 Thick Client with Domino Server 6.5.5

            Application ID Example

            Minimum Required Process Name

            Select Windows next to OS.

            Repeat for each application to add to the list.

            Click OK in the Add or Edit Smart Tunnel List dialog box.

            Assign the list to the group policies and local user policies to provide smart tunnel access to the associated applications, as follows:

            • To assign the list to a group policy, choose Configuration > Remote Access VPN> Clientless SSL VPN Access > Group Policies > Add or Edit > Portal and choose the smart tunnel name from the Smart Tunnel List drop-down.
            • To assign the list to a local user policy, choose Configuration > Remote Access VPN> AAA Setup > Local Users > Add or Edit > VPN Policy > Clientless SSL VPN and choose the smart tunnel name from the Smart Tunnel List drop-down.

            Simplify Configuration of Applications to Tunnel

            A smart tunnel application list is essentially a filter of what applications are granted access to the tunnel. The default is to allow access for all processes started by the browser. With a Smart Tunnel enabled bookmark, the clientless session grants access only to processes initiated by the Web browser. For non-browser applications, an administrator can choose to tunnel all applications and thus remove the need to know which applications an end user may invoke.

            Note	This configuration is applicable to Windows platforms only.

            The following table shows the situations in which processes are granted access.

            Smart Tunnel Enabled Bookmark

            Smart Tunnel Application Access

            Application list specified

            Any processes that match a process name in the application list are granted access.

            Only processes that match a process name in the application list are granted access.

            Smart tunnel is switched off

            All processes (and their child processes) are granted access.

            No process is granted access.

            Smart Tunnel all Applications check box is checked.

            All processes (and their child processes) are granted access.

            This includes processes initiated by non-Smart Tunnel Web pages if the Web page is served by the same browser process.

            All processes owned by the user who started the browser are granted access but not child processes of those original processes.

            Procedure

            Choose Configuration > Remote Access VPN > AAA/Local Users > Local Users .

            In the User Account window, highlight the username to edit.

            Click Edit . The Edit User Account window appears.

            In the left sidebar of the Edit User Account window, click VPN Policy > Clientless SSL VPN .

            Perform one of the following:

            • Check the smart tunnel_all_applications check box. All applications will be tunneled without making a list or knowing which executables an end user may invoke for external applications.
            • Or choose from the following tunnel policy options:
              • Uncheck the Inherit check box at the Smart Tunnel Policy parameter.
              • Choose from the network list and specify one of the tunnel options: use smart tunnel for the specified network, do not use smart tunnel for the specified network, or use tunnel for all network traffic.

              Add Applications to Be Eligible for Smart Tunnel Access

              The Clientless SSL VPN configuration of each ASA supports smart tunnel lists, each of which identifies one or more applications eligible for smart tunnel access. Because each group policy or username supports only one smart tunnel list, you must group each set of applications to be supported into a smart tunnel list.

              The Add or Edit Smart Tunnel Entry dialog box lets you specify the attributes of an application in a smart tunnel list.

              Procedure

              Navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels , and choose a smart tunnel application list to edit, or add a new one.

              For a new list, enter a unique name for the list of applications or programs. Do not use spaces.

              Following the configuration of the smart tunnel list, the list name appears next to the Smart Tunnel List attribute in the Clientless SSL VPN group policies and local user policies. Assign a name that will help you to distinguish its contents or purpose from other lists that you are likely to configure.

              Click Add and add as many applications as you need to this smart tunnel list. The parameters are described below:

              • Application ID - Enter a string to name the entry in the smart tunnel list. This user-specified name is saved and then returned onto the GUI. The string is unique for the operating system. It typically names the application to be granted smart tunnel access. To support multiple versions of an application for which you choose to specify different paths or hash values, you can use this attribute to differentiate entries, specifying the operating system, and name and version of the application supported by each list entry. The string can be up to 64 characters.
              • Process Name - Enter the filename or path to the application. The string can be up to 128 characters. Windows requires an exact match of this value to the right side of the application path on the remote host to qualify the application for smart tunnel access. If you specify only the filename for Windows, SSL VPN does not enforce a location restriction on the remote host to qualify the application for smart tunnel access. If you specify a path and the user installed the application in another location, that application does not qualify. The application can reside on any path as long as the right side of the string matches the value you enter. To authorize an application for smart tunnel access if it is present on one of several paths on the remote host, either specify only the name and extension of the application in this field; or create a unique smart tunnel entry for each path.

              Note

              A sudden problem with smart tunnel access may be an indication that a Process Name value is not up-to-date with an application upgrade. For example, the default path to an application sometimes changes following the acquisition of the company that produces the application and the next application upgrade.

              Note

              If you enter Hash values and you need to support future versions or patches of an application with smart tunnel access, you must keep the smart tunnel list updated. A sudden problem with smart tunnel access may be an indication that the application list containing Hash values is not up-to-date with an application upgrade. You can avoid this problem by not entering a hash.

              Click OK to save the application, and create how ever many applications you need for this smart tunnel list.

              When you are done creating your smart tunnel list, you must assign it to a group policy or a local user policy for it to become active, as follows:

              • To assign the list to a group policy, choose Config > Remote Access VPN> Clientless SSL VPN Access > Group Policies > Add or Edit > Portal and choose the smart tunnel name from the drop-down list next to the Smart Tunnel List attribute.
              • To assign the list to a local user policy, choose Config > Remote Access VPN> AAA Setup > Local Users > Add or Edit > VPN Policy > Clientless SSL VPN and choose the smart tunnel name from the drop-down list next to the Smart Tunnel List attribute.
              Table 2. Example Smart Tunnel Entries

              Smart Tunnel Support

              Application ID (Any unique string is OK.)