Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

ASA - SSL VPN SMART TUNNEL

Labels:
49079
Views
0
Helpful
0
Comments
Satheshkumar Nallasamy
Beginner
‎10-13-2009 02:45 AM
edited on: ‎10-13-2009 ‎02:45 AM

A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the adaptive security appliance as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.

Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.

Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:

Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.

Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the Dynamic Access Policies (DAPS)or group policies, or local user policies for whom you want to provide smart tunnel access.

You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions.

The remote host originating the smart tunnel connection must  be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser  must be enabled with Java, Microsoft ActiveX, or both. Support for Windows 7 and IE 8.0 and MAC OSX 10.6.x with Safari 4.x will be added in in Release  version 8.3 (to Beta in late fall 2009).a

Please refer to the Smart Tunnel Configuraiton Guide for details on setup and applicability.

I. Smart Tunnel capabilities as of  ASA version 8.2.x:

  • Smart tunnel is an all or nothing operation. Meaning once you turn it on for a specific process or for a specific bookmark, all your traffic for that process (and the browser you used to initiate the Clientless SSL session ) will go through the ASA.

Example: Enable ST option for a process or within bookmark#1 (which hooks IE used to initiate the session). Opening a separate IE browser instance will tunnel all traffic through the ASA, if the new browser window belongs to the same process. All browser tabs traffic of this browser will be smart tunneled, even for those bookmarks( ie. bookmark#2) not specifically smart tunneled. You must use a different browser (ie. FireFox) in this case if you want some of your traffic (ie. bookmark#2) not to be smart tunneled.

Note:Smart-tunnel split-tunnelling capability will be available in the next major ASA rellease 8.3.1 release (to go t oBeta in late fall 2009).

  • Smart Tunnel doesn't require administrative user privileges to be run.
  • Smart tunnel is turned off only when you logout out the Clientless SSL VPN portal page.This is the behavior as of ASA 8.2.1.

From 8.3.1 onwards, on Windows, Smart Tunnel will be turned off once all browser windows

(note: not tabs, but all browser windows) have been closed. Alternatively, in 8.3.1 the admin can choose to provide a log out icon so that the session can survive closing all browsers while the user can still log out from the icon.

  • The browser must have either MS ActiveX (IE environments) or Java (FireFox,IE environments or other Java supported browsers), or both enabled.
  • It tries installing using ActiveX first, and then falls back to Java.
  • Think of Smart-Tunnels as a specialized "port-forwarder", a thin-client. Smart Tunnel uses applications or web bookmarks for the configuration. Port Forwarding uses ports for the configuration.
  • When either the core Clientless SSL VPN (CTE) or the AnyConnect full-tunnel client are not deployment options, Smart-Tunnels should be considered.
  • As of ASA versions 8.1.2 and 8.0.4 and 8.2.x, only supported on Windows 32-bit Win2000/XP/Vista and MAC OS 10.4 and 10.5 . Smart Tunnel will be supported on 64 bit Windows (including Windows 7) and MacOS X 10.6 in ASA 8.3.1

http://www/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1096902

  • Smart Tunnels do not currently support .NET applications (CSCsv29942) By .NET application, we really mean a exe binary that is developed using .NET, we don't mean anything else, especially not a web service developed with .NET
  • Native Microsoft Outlook can connect via Smart Tunnels as of ASA version 8.4
  • Beginning with JRE6 Update 10, Java starts differently from standard practice. Consequently, the user's smart-tunnel enabled browser freezes if they open a website containing a Java applet, and JRE6 Update 10 or later is installed on the user's computer. If you are using JRE update 10 or later, you need ASA image version 8.0.4 22 or later. For to ASA version earlier than 8.3, to make Java applets functional on a smart-tunnel enabled browser, go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels > Smart Tunnels, and add the following processes to the smart tunnel lists: 
program, java.exe, jp2launcher.exe

II.  Smart Tunnel capabilities being introduced in ASA version 8.3.x (to Beta in late fall 2009)

  • Add support for  64-bit Windows (including Windows 7) and 32-bit and 64-bit MacOS X 10.6
  • Logout SSL VPN session (when closing all browser types that initiated the session) or via Logout-icon in task bar/message area
  • Split-tunneling
  • Statistics for the smart-tunnel in the Clientless SSL VPN portal
0 Helpful
Latest Contents
Cisco Anyconnect Umbrella does not work anymore
Created by khichdo on 06-26-2022 08:37 PM
1
0
1
0
I work for a company that uses Cisco Anyconnect for our VPN. We also use Umbrella for security when on/off network. Everything was working fine, but recently the following thing started happening. When using WiFI: 1) Roaming Security/Umbrel... view more
ASA Public Server
Created by keithcclark71 on 06-26-2022 07:05 PM
1
0
1
0
Hey all on ASA there is public servers option for like http server access to internal network  to web server. I don't quite understand how it's different than doing an object NAT for the webserver host and then adding the out-In ACE for it? Side... view more
Cisco ASA public servers vs object NAT
Created by keithcclark71 on 06-26-2022 05:48 PM
0
0
0
0
Hey all on ASA there is public servers option for like http server access to internal network  to web server. I don't quite understand how it's different than doing an object NAT for the webserver host and then adding the out-In ACE for it? Side... view more
Can PAK Licensing–enabled FMCv manage smart licensing FTD?
Created by yuanqiao58820 on 06-26-2022 12:38 PM
2
0
2
0
Hi guys   For a Pak enabled FMCv, does it suppose to be able to manage smart licensing FTD? Is there any different between the PAK enabled and smart licensing FMCv?   Yuan
Packet loss in VPN tunnel
Created by laurathaqi45 on 06-26-2022 09:45 AM
3
0
3
0
Dear community,  I have the following question, which am missing a real case scenario, and I would like to ask if someone has had an opportunity to find the following out: If there is a packet loss on one of the underlying links of a VPN tu... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad