Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Cisco Community November 2020 Spotlight Award Winners

ASA - SSL VPN SMART TUNNEL

Labels:
48101
Views
0
Helpful
0
Comments
Satheshkumar Nallasamy
Beginner
‎10-13-2009 02:45 AM
edited on: ‎10-13-2009 ‎02:45 AM

A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the adaptive security appliance as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.

Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.

Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:

Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.

Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the Dynamic Access Policies (DAPS)or group policies, or local user policies for whom you want to provide smart tunnel access.

You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions.

The remote host originating the smart tunnel connection must  be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser  must be enabled with Java, Microsoft ActiveX, or both. Support for Windows 7 and IE 8.0 and MAC OSX 10.6.x with Safari 4.x will be added in in Release  version 8.3 (to Beta in late fall 2009).a

Please refer to the Smart Tunnel Configuraiton Guide for details on setup and applicability.

I. Smart Tunnel capabilities as of  ASA version 8.2.x:

  • Smart tunnel is an all or nothing operation. Meaning once you turn it on for a specific process or for a specific bookmark, all your traffic for that process (and the browser you used to initiate the Clientless SSL session ) will go through the ASA.

Example: Enable ST option for a process or within bookmark#1 (which hooks IE used to initiate the session). Opening a separate IE browser instance will tunnel all traffic through the ASA, if the new browser window belongs to the same process. All browser tabs traffic of this browser will be smart tunneled, even for those bookmarks( ie. bookmark#2) not specifically smart tunneled. You must use a different browser (ie. FireFox) in this case if you want some of your traffic (ie. bookmark#2) not to be smart tunneled.

Note:Smart-tunnel split-tunnelling capability will be available in the next major ASA rellease 8.3.1 release (to go t oBeta in late fall 2009).

  • Smart Tunnel doesn't require administrative user privileges to be run.
  • Smart tunnel is turned off only when you logout out the Clientless SSL VPN portal page.This is the behavior as of ASA 8.2.1.

From 8.3.1 onwards, on Windows, Smart Tunnel will be turned off once all browser windows

(note: not tabs, but all browser windows) have been closed. Alternatively, in 8.3.1 the admin can choose to provide a log out icon so that the session can survive closing all browsers while the user can still log out from the icon.

  • The browser must have either MS ActiveX (IE environments) or Java (FireFox,IE environments or other Java supported browsers), or both enabled.
  • It tries installing using ActiveX first, and then falls back to Java.
  • Think of Smart-Tunnels as a specialized "port-forwarder", a thin-client. Smart Tunnel uses applications or web bookmarks for the configuration. Port Forwarding uses ports for the configuration.
  • When either the core Clientless SSL VPN (CTE) or the AnyConnect full-tunnel client are not deployment options, Smart-Tunnels should be considered.
  • As of ASA versions 8.1.2 and 8.0.4 and 8.2.x, only supported on Windows 32-bit Win2000/XP/Vista and MAC OS 10.4 and 10.5 . Smart Tunnel will be supported on 64 bit Windows (including Windows 7) and MacOS X 10.6 in ASA 8.3.1

http://www/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1096902

  • Smart Tunnels do not currently support .NET applications (CSCsv29942) By .NET application, we really mean a exe binary that is developed using .NET, we don't mean anything else, especially not a web service developed with .NET
  • Native Microsoft Outlook can connect via Smart Tunnels as of ASA version 8.4
  • Beginning with JRE6 Update 10, Java starts differently from standard practice. Consequently, the user's smart-tunnel enabled browser freezes if they open a website containing a Java applet, and JRE6 Update 10 or later is installed on the user's computer. If you are using JRE update 10 or later, you need ASA image version 8.0.4 22 or later. For to ASA version earlier than 8.3, to make Java applets functional on a smart-tunnel enabled browser, go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels > Smart Tunnels, and add the following processes to the smart tunnel lists: 
program, java.exe, jp2launcher.exe

II.  Smart Tunnel capabilities being introduced in ASA version 8.3.x (to Beta in late fall 2009)

  • Add support for  64-bit Windows (including Windows 7) and 32-bit and 64-bit MacOS X 10.6
  • Logout SSL VPN session (when closing all browser types that initiated the session) or via Logout-icon in task bar/message area
  • Split-tunneling
  • Statistics for the smart-tunnel in the Clientless SSL VPN portal
0 Helpful
Latest Contents
ISE posture for Palo ALto Globalprotect user
Created by charleseapen on 02-27-2021 02:43 AM
2
0
2
0
Have anyone got Globalprotect agent working with Cisco ISE posture module. ie when Remote VPN user connects via Globalprotect ISE posture module kicks and send posture info to Cisco ISE.
Remote location stream of IP based camera
Created by aadeshpandey40881 on 02-27-2021 01:50 AM
0
0
0
0
Hi. Will try and make this short Have been tasked with finding a solution to set up a streaming camera at one of our trails. It has power and possibly a pole so it can be mounted. No Wifi from ISP but can purchase a ZTE LTE router and install that. Would... view more
Running cisco Anyconnect from Sandbox
Created by JanJansen40394 on 02-26-2021 09:28 PM
1
0
1
0
Hi,I have to connect to different customers and they all have a different vpn method. So what i am doing now is starting Windows Sandbox, install the vpn client there, and connect to the client. After i am finished. I close the sandbox and everything is d... view more
ISE 2.7 - Console TACACS login being blocked after adding Ne...
Created by Hyperion0000 on 02-26-2021 08:29 PM
1
5
1
5
Hello.  I recently added a Network Condition to my Device Admin Policy set.  The idea is to only allow TACACS login from specific networks.  This worked great, but now I cannot authenticate using Console (login authentication failed). ... view more
AnyConnect Linux client installation issue
Created by DaGarzon01128 on 02-26-2021 04:56 PM
1
0
1
0
Hi,I can't install Cisco Anyconnect Secure Mobility Client in my computer with Debian 10. I have tried to install Anyconnect client with a file called anyconnect-linux64-4.4.03034-core-vpn-webdeploy-k9.sh provided for a server of my university.I run the f... view more
Content for Community-Ad