06-17-2012 08:35 AM - edited 08-29-2017 12:26 AM
An updated version of this document has been published on the Cisco website:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bca517.shtml
The RDP plug-in is one of the plug-ins available to Cisco ASA clientless SSLVPN users, alongside others such as SSH, VNC and Citrix. It is one of the most used plug-ins in this collection, and also the one with a lot of confusion surrounding it. This document hopes to answer a couple of those questions, and any others that arise once certain points are made clear.
This document does not cover how to configure the plug-in, since there is not much to it apart from importing the right plug-in:
Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x - Cisco Systems - http://goo.gl/jq2gA
The RDP plug-in has evolved over time, from a pure Java-based RDP plug-in to one that includes both an ActiveX RDP client (Internet Explorer) and a Java client (non-IE browsers).
For the Java RDP client, the Cisco RDP plug-in uses the properJava RDP client:
http://properjavardp.sourceforge.net/
The RDP plug-in also incorporates an ActiveX RDP client, and it decides whether to use the Java or the ActiveX client based on the browser. That is:
This is the original Java RDP plug-in, which was then updated to add the ActiveX client.
This is based on the rdp2 protocol, supposedly an updated properJava RDP client meant for Windows 2003 Terminal Servers and Windows Vista Terminal Servers.
However, the latest RDP plug-in combines both rdp and rdp2, making the RDP2 plug-in obsolete. That is, going forward you will only need to use the RDP plug-in (i.e. rdp-plugin.yymmdd.jar).
Download Path:
Downloads Home
--> Products
--> Security
--> Firewalls
--> Firewall Appliances
--> Cisco ASA 5500 Series Adaptive Security Appliances
--> Cisco ASA 55x0 Adaptive Security Appliance (You can choose any 55x0 model)
--> Remote Access Plugins for Adaptive Security Appliance (ASA)-1.1.1
Download Software - Cisco Systems - http://goo.gl/qhc0W
The latest RDP plugin at the time of this writing is:
rdp-plugin.120424.jar
> Released on 24th April 2012 (yymmdd)
A browser compatibility matrix exists only for the clientless SSLVPN implementation and ASA OS version. As long as this matrix is satisfied, plug-ins are automatically supported:
Supported VPN Platforms, Cisco ASA 5500 Series - Cisco Systems - http://goo.gl/hsU5c
A fix is available from 8.4.3.4; however, it is recommended that the upgrade be done to the latest OS available.
Workaround (if upgrade of ASA code is not an option):
- Use Java RDP instead, i.e. IE users need the "ForceJava=true" argument set in the RDP URL (this does not harm users of other browsers).
What to do:
- Keep both CSCtx58556 and CSCtx57453 in mind while deploying a company-wide ASA-based SSLVPN service. Either use 8.4.3 and above or 8.4.2 and below.
- If you are a returning RDP user, i.e. you have used the 8.4.3-based ActiveX RDP and now need to use the 8.4.2 or below ActiveX RDP over the SSLVPN portal:
- Remove all registry instances of "b8e73359-3422-4384-8d27-4ea1b4c01232" (old ActiveX CLSID) using regedit
Note: this should only be done after a backup of the registry. It should be done at your own risk; consult Microsoft support for further information.
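A scripted form of the cleanup step above, added here as an example and not taken from Cisco: it finds registry keys named after the old CLSID, exports each one to a .reg backup, and only previews the removal. The search roots and the backup folder are assumptions, and it matches key names only, so a regedit search may still show values that mention the CLSID.

```powershell
# Added example (not Cisco's code). Run from an elevated PowerShell prompt,
# because keys under HKLM cannot be removed by a standard user.
$Clsid     = 'b8e73359-3422-4384-8d27-4ea1b4c01232'          # old ActiveX CLSID from this document
$BackupDir = Join-Path $env:TEMP 'rdp-activex-clsid-backup'  # assumed backup location
# Assumption: the keys of interest live under the machine and per-user SOFTWARE
# hives (these also cover the Classes and Wow6432Node subtrees).
$Roots     = 'HKLM:\SOFTWARE', 'HKCU:\Software'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Key names normally wrap the GUID in braces, so match on the bare GUID text.
$found = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$Clsid*" }
}

if (-not $found) {
    Write-Host "No keys named after $Clsid were found."
    return
}

$i = 0
foreach ($key in $found) {
    $i++
    # $key.Name is the native path (HKEY_LOCAL_MACHINE\...), which reg.exe expects.
    $file = Join-Path $BackupDir ("clsid-{0:D3}.reg" -f $i)
    & reg.exe export $key.Name $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup failed, skipping: $($key.Name)"
        continue
    }
    Write-Host "Backed up $($key.Name) -> $file"
    # -WhatIf only previews the deletion; drop the switch to remove the key.
    Remove-Item -LiteralPath $key.PSPath -Recurse -WhatIf
}
```

Review the exported .reg files and the preview output before removing `-WhatIf`.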
Workaround:
- Configure RDP Application (mstsc.exe) to be smart-tunnelled.
Details: Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x - Cisco Systems - http://goo.gl/TX6b5
Workaround (if upgrade of ASA code is not an option):
- Don't install the large certificate chain on the ASA.
- The Java RDP plug-in is known to work just fine, as opposed to the ActiveX plug-in.
- Also, RDP will work fine when configuring native Windows mstsc.exe with smart tunnels.
- Track this in bug ID CSCua69129
- The workaround for now is to use the Java RDP plug-in, i.e. set ForceJava=true
Since the Cisco RDP-Java plug-in implementation is based on the properJava RDP project, an open-source initiative, best-effort service is provided for Java-RDP failures. However, please do bring any issues to Cisco TAC's notice and a satisfactory answer will be given.
- A fixed plug-in is available on request through Cisco TAC; the fix is made only to the plug-in, not to the ASA OS.