
Cut Through Proxy

John Johnson
Level 1

Hello everyone and thank you for taking the time to read this question.

My company is bringing up a new accounting/Time and Attendance suite in November and the question of access has been asked over and over again. They do not want to expose the webserver that employees enter time and expense to the outside world, yet they do not want to force all users to VPN into the network just to enter time sheet data.

The application performs authentication against AD, but it will not allow users to change passwords once theirs has expired.  So we are considering ways to allow the firewall to authenticate since it can request password change at logon.

So I have two questions.

When considering your answer please keep in mind that I have an ASA 5510 as my firewall.

1. I have read about the cut through proxy that is available on the ASA, but this does not appear to be a single sign-on option. It appears you log in to the proxy and then it passes you to the application where you will have to authenticate against the application. Is this assumption correct?

2. Can anyone think of another way to access an application behind the firewall that is not exposed to the internet?

If you have any questions or need a further explanation please do not hesitate to ask.

Thanks

John

1 Reply

mirober2
Cisco Employee

Hi John,

The best way to achieve this would probably be to set up a clientless SSL VPN portal and use the ASA's password-management feature:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1000458

This way, your users can simply browse to the SSL VPN portal page, log in, and launch the time sheet application within the browser. If their password is about to expire, the ASA will give them an opportunity to change it. Also, you don't have to have them load up a full VPN client just to run your single application.

The VPN community can help you if you run into any configuration questions with this:

https://supportforums.cisco.com/community/netpro/security/vpn

Hope that helps.

-Mike
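
The clientless SSL VPN and password-management setup suggested in the reply, as an added configuration example that is not from either poster or from Cisco's guide. All object names, the 192.0.2.10 address, the DNs and the 14-day warning window are constructed placeholders; syntax follows ASA 8.0, and Active Directory password changes through the ASA require the LDAP connection to run over SSL.

```cisco
! Added example. Names, addresses and DNs below are placeholders.
!
! AD reached over LDAPS: password-management cannot change an AD
! password over plain LDAP, so SSL and the Microsoft server type are set.
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-password>
!
! Clientless portal on the outside interface only; the time sheet
! server itself stays unreachable from the internet.
webvpn
 enable outside
!
! Restrict this group to clientless (browser) sessions.
! ASA 8.0 keyword shown; later releases use "ssl-clientless".
group-policy TIMESHEET_GP internal
group-policy TIMESHEET_GP attributes
 vpn-tunnel-protocol webvpn
!
! Authenticate portal logins against AD and prompt users whose
! password expires within 14 days (or has already expired) to change it.
tunnel-group TIMESHEET type remote-access
tunnel-group TIMESHEET general-attributes
 authentication-server-group AD_LDAP
 default-group-policy TIMESHEET_GP
 password-management password-expire-in-days 14
```

The bind account needs rights in AD to reset user passwords, and the portal bookmark for the time sheet application is configured separately.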
