02-03-2016 12:41 AM - edited 03-12-2019 12:14 AM
Hello all,
I am posting this in the Firewalling forum since it is related to ASA.
After reading this (http://www.engadget.com/2016/01/27/oracle-java-plug-in-death/) I was wondering when the ASA will go away from using "exotic" plugins/technologies to perform the WebVPN and use more modern technologies like HTML5 instead.
There are nice open-source products like Guacamole (http://guac-dev.org/) to name only one that show how easy it can be. When will Cisco adopt such a solution and modernize the ASA?
Anyone got a roadmap where WebVPN is headed?
Bye,
Marki
02-03-2016 02:17 AM
I agree!!!
03-29-2016 03:54 PM
You should be able to deploy Guacamole directly behind the ASA. In this manner you would just use the ASA for clientless web authentication and then have a URL link to the Guacamole server.
The ASA now supports WebSocket so it can proxy HTML5 just fine. I have tested it with Ericom HTML5 and it works nicely and only took about 15 minutes to set up completely. I will run a test with Guacamole as soon as I have some time and let you know how it works.
Hope this helps.
Mark
03-29-2016 11:47 PM
I thought about it. However that would be another software stack which would be somewhat exposed and needed to be taken care of separately.
Also I'm not sure what "now" means. Currently we are stuck with ASA software 9.1 and can't go any further than that.
06-24-2016 01:36 PM
Hi Mark,
Were you able to test Guacamole? A few weeks ago our team went looking for a robust clientless access method (for customers who couldn't install the AnyConnect client), and also came across Apache Guacamole as a possible solution. Initial testing is showing disconnects and poor performance (or inability to even load the Guac page). We've tried the normal bookmark, proxy bypass and just tried smart tunnel, without success. While googling, I found this page today. We are still working it, but I'm very interested in if you were able to use Guacamole behind webvpn - and if you could share your relevant ASA webvpn configuration. Thank you.
07-21-2016 02:00 PM
I have the same (non-working) behavior on an ASA 5520 with software 9.1.7(6). I will try 9.1.7(7) tomorrow as I see some WebVPN bugs were fixed. One should note that there are specific instructions when proxying Guacamole here: https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html Of course, there is no mention of a Cisco ASA ;-) They mainly write about turning proxy buffering off and setting some headers explicitly. For my part, I see my browser accessing 'ping.html' on the ASA when clicking on a connection. Then it hangs.
Actually, IF the guacamole home page loads correctly, then I can click on a connection and if I reload the current page in the browser then the RDP session actually starts. That's a bit tricky.......
08-31-2016 02:24 PM
Hey Jer0nim0x;
Sorry, I just now saw this. I haven't been able to test Guacamole but plan to soon. I will post my results if I get anywhere. I found Ericom very easy to configure so I was trying to recommend that to a customer.
Mark
09-01-2016 12:12 AM
I tried it and it works pretty well. You have to be aware of bug
though.
09-02-2016 01:24 PM
Thanks for the reply Jer0nim0x;
Did you find any type of config guide for how to set it up with the ASA? I am interested in configuring it but there is not much documentation. Ericom sits on the server and really brokers the HTML5 connection, so I only needed a bookmark on my webvpn server. Is that the case with Guac?
Thanks in advance
Mark
09-02-2016 01:31 PM
Exactly, you simply use the ASA as a web proxy as you would with any other intranet website that you proxy through the ASA. Except for the mentioned bug, the proxying in principle seems to work ok. Maybe one would need to check on performance, since guac has fallback mechanisms built in (switches from websockets to http tunnel automatically). Maybe using an http tunnel has more performance impact on the ASA, I don't know.
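An added example, not from any poster in this thread: a Python check that classifies a captured response to a WebSocket handshake sent through a reverse proxy, to tell whether the upgrade survived or the client will drop to the HTTP tunnel fallback mentioned above. The function names and sample responses are constructed for illustration; the key/accept pair is the worked example from RFC 6455.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_response(raw: bytes):
    """Return (status, lower-cased header dict) from a raw HTTP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_upgrade(key: str, raw: bytes) -> str:
    """Classify what the proxy did with the WebSocket upgrade request."""
    status, headers = parse_response(raw)
    if status != 101:
        # Proxy answered as plain HTTP: the client falls back to the HTTP tunnel.
        return "fallback-http-tunnel"
    conn = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if headers.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn:
        # 101 without the hop-by-hop headers: they were stripped in transit.
        return "broken-upgrade"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "broken-upgrade"
    return "websocket"

# Constructed sample data (not captured from a real ASA or Guacamole server).
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
RESP_OK = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
           b"Connection: Upgrade\r\n"
           b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
RESP_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_STRIPPED = b"HTTP/1.1 101 Switching Protocols\r\nConnection: keep-alive\r\n\r\n"

if __name__ == "__main__":
    for name, resp in [("ok", RESP_OK), ("plain", RESP_PLAIN),
                       ("stripped", RESP_STRIPPED)]:
        print(name, "->", classify_upgrade(SAMPLE_KEY, resp))
```

Comparing the result for a direct connection with the result through the proxy shows whether the proxy hop is what forces the fallback.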
09-08-2016 05:19 AM
Hi Mark, jer0nim0x - I've just set up webvpn with a test Guacamole server for some testing. I found that once the refresh bug has been worked around, the connection drops frequently on the RDP session. Also, the mouse and keyboard didn't work. Did you have to add any additional plug-ins? I assume you have got further in your testing than this? Failing that I might check the MTU in path to ensure nothing is being dropped or blocked. Any pointers or ideas would be gratefully received.
09-08-2016 05:37 AM
I assume that your Guacamole setup works fine when not going through WebVPN? In my case I have problems with the keyboard layout, but that is independent of WebVPN.