I am posting this in the Firewalling forum since it is related to ASA.
After reading this (http://www.engadget.com/2016/01/27/oracle-java-plug-in-death/) I was wondering when the ASA will go away from using "exotic" plugins/technologies to perform the WebVPN and use more modern technologies like HTML5 instead.
There are nice open-source products like Guacamole (http://guac-dev.org/) to name only one that show how easy it can be. When will Cisco adopt such a solution and modernize the ASA?
Anyone got a roadmap where WebVPN is headed?
You should be able to deploy Guacamole directly behind the ASA. In this manner you would just use the ASA for clientless web authentication and then have a URL link to the Guacamole server.
The ASA now supports WebSocket so it can proxy HTML5 just fine. I have tested it with Ericom HTML5 and it works nicely and only took about 15 minutes to set up completely. I will run a test with Guacamole as soon as I have some time and let you know how it works.
Hope this helps.
I thought about it. However, that would be another software stack which would be somewhat exposed and would need to be taken care of separately.
Also I'm not sure what "now" means. Currently we are stuck with ASA software 9.1 and can't go any further than that.
Were you able to test Guacamole? A few weeks ago our team went looking for a robust clientless access method (for customers who couldn't install the AnyConnect client), and also came across Apache Guacamole as a possible solution. Initial testing is showing disconnects and poor performance (or inability to even load the Guac page). We've tried the normal bookmark, proxy bypass and just tried smart tunnel, without success. While googling, I found this page today. We are still working on it, but I'm very interested in whether you were able to use Guacamole behind webvpn, and whether you could share your relevant ASA webvpn configuration. Thank you.
I have the same (non-working) behavior on an ASA 5520 with software 9.1.7(6). I will try 9.1.7(7) tomorrow as I see some WebVPN bugs were fixed. One should note that there are specific instructions when proxying Guacamole here: https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html Of course, there is no mention of a Cisco ASA ;-) They mainly write about turning proxy buffering off and setting some headers explicitly. For my part, I see my browser accessing 'ping.html' on the ASA when clicking on a connection. Then it hangs.
Actually, IF the Guacamole home page loads correctly, then I can click on a connection and if I reload the current page in the browser then the RDP session actually starts. That's a bit tricky...
Sorry, I just now saw this. I haven't been able to test Guacamole but plan to soon. I will post my results if I get anywhere. I found Ericom very easy to configure so I was trying to recommend that to a customer.
Thanks for the reply, Jer0nim0x.
Did you find any type of config guide for how to set it up with the ASA? I am interested in configuring it but there is not much documentation. Ericom sits on the server and really brokers the HTML5 connection, so I only needed a bookmark on my webvpn server. Is that the case with Guac?
Thanks in advance
Exactly, you simply use the ASA as a web proxy as you would with any other intranet website that you proxy through the ASA. Except for the mentioned bug, the proxying in principle seems to work OK. Maybe one would need to check on performance, since Guac has fallback mechanisms built in (switches from WebSockets to HTTP tunnel automatically). Maybe using an HTTP tunnel has more performance impact on the ASA, I don't know.
Hi Mark, jer0nim0x - I've just set up webvpn with a test Guacamole server for some testing. I found that once the refresh bug has been worked around, the connection drops frequently on the RDP session. Also, the mouse and keyboard didn't work. Did you have to add any additional plug-ins? I assume you have got further in your testing than this? Failing that, I might check the MTU in the path to ensure nothing is being dropped or blocked. Any pointers or ideas would be gratefully received.