A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the adaptive security appliance as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.
Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.
Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:
•Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.
•Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the Dynamic Access Policies (DAPS)or group policies, or local user policies for whom you want to provide smart tunnel access.
You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions.
The remote host originating the smart tunnel connection must be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser must be enabled with Java, Microsoft ActiveX, or both. Support for Windows 7 and IE 8.0 and MAC OSX 10.6.x with Safari 4.x will be added in in Release version 8.3 (to Beta in late fall 2009).a
I. Smart Tunnel capabilities as of ASA version 8.2.x:
Smart tunnel is an all or nothing operation. Meaning once you turn it on for a specific process or for a specific bookmark, all your traffic for that process (and the browser you used to initiate the Clientless SSL session ) will go through the ASA.
Example: Enable ST option for a process or within bookmark#1 (which hooks IE used to initiate the session). Opening a separate IE browser instance will tunnel all traffic through the ASA, if the new browser window belongs to the same process. All browser tabs traffic of this browser will be smart tunneled, even for those bookmarks( ie. bookmark#2) not specifically smart tunneled. You must use a different browser (ie. FireFox) in this case if you want some of your traffic (ie. bookmark#2) not to be smart tunneled.
Note:Smart-tunnel split-tunnelling capability will be available in the next major ASA rellease 8.3.1 release (to go t oBeta in late fall 2009).
Smart Tunnel doesn't require administrative user privileges to be run.
Smart tunnel is turned off only when you logout out the Clientless SSL VPN portal page.This is the behavior as of ASA 8.2.1.
From 8.3.1 onwards, on Windows, Smart Tunnel will be turned off once all browser windows
(note: not tabs, but all browser windows) have been closed. Alternatively, in 8.3.1 the admin can choose to provide a log out icon so that the session can survive closing all browsers while the user can still log out from the icon.
The browser must have either MS ActiveX (IE environments) or Java (FireFox,IE environments or other Java supported browsers), or both enabled.
It tries installing using ActiveX first, and then falls back to Java.
Think of Smart-Tunnels as a specialized "port-forwarder", a thin-client. Smart Tunnel uses applications or web bookmarks for the configuration. Port Forwarding uses ports for the configuration.
When either the core Clientless SSL VPN (CTE) or the AnyConnect full-tunnel client are not deployment options, Smart-Tunnels should be considered.
As of ASA versions 8.1.2 and 8.0.4 and 8.2.x, only supported on Windows 32-bit Win2000/XP/Vista and MAC OS 10.4 and 10.5 . Smart Tunnel will be supported on 64 bit Windows (including Windows 7) and MacOS X 10.6 in ASA 8.3.1
Smart Tunnels do not currently support .NET applications (CSCsv29942) By .NET application, we really mean a exe binary that is developed using .NET, we don't mean anything else, especially not a web service developed with .NET
Native Microsoft Outlook can connect via Smart Tunnels as of ASA version 8.4
Beginning with JRE6 Update 10, Java starts differently from standard practice. Consequently, the user's smart-tunnel enabled browser freezes if they open a website containing a Java applet, and JRE6 Update 10 or later is installed on the user's computer. If you are using JRE update 10 or later, you need ASA image version 8.0.4 22 or later. For to ASA version earlier than 8.3, to make Java applets functional on a smart-tunnel enabled browser, go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels > Smart Tunnels, and add the following processes to the smart tunnel lists:
program, java.exe, jp2launcher.exe
II. Smart Tunnel capabilities being introduced in ASA version 8.3.x (to Beta in late fall 2009)
Add support for 64-bit Windows (including Windows 7) and 32-bit and 64-bit MacOS X 10.6
Logout SSL VPN session (when closing all browser types that initiated the session) or via Logout-icon in task bar/message area
Statistics for the smart-tunnel in the Clientless SSL VPN portal
Hi. Will try and make this short Have been tasked with finding a solution to set up a streaming camera at one of our trails. It has power and possibly a pole so it can be mounted. No Wifi from ISP but can purchase a ZTE LTE router and install that. Would...
Hi,I have to connect to different customers and they all have a different vpn method. So what i am doing now is starting Windows Sandbox, install the vpn client there, and connect to the client. After i am finished. I close the sandbox and everything is d...
Hello. I recently added a Network Condition to my Device Admin Policy set. The idea is to only allow TACACS login from specific networks. This worked great, but now I cannot authenticate using Console (login authentication failed). ...
Hi,I can't install Cisco Anyconnect Secure Mobility Client in my computer with Debian 10. I have tried to install Anyconnect client with a file called anyconnect-linux64-4.4.03034-core-vpn-webdeploy-k9.sh provided for a server of my university.I run the f...