Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
51820
Views
15
Helpful
0
Comments

Cisco ASA Clientless SSLVPN: RDP Plug-in

Praveena Shanubhogue
Level 1
Level 1

‎06-17-2012 08:35 AM - edited ‎08-29-2017 12:26 AM

     

    CCO Document

    An updated version of this document has been published on cisco website:

    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bca517.shtml

     

    What is this doc for?

    RDP Plug-in is one of the plugins available to Cisco ASA clientless SSLVPN Users among others such as SSH, VNC, Citrix. RDP Plugin is one of the most used plugins in this collection, and is also the one with lot of confusion surrounding. This document hopes to answer couple of those questions and any others that raise after certain points are made clear.

     

    This doc will not get into how to configure the plug-in, for there is not much apart from importing the right plug-in:

    Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x - Cisco Systems - http://goo.gl/jq2gA

     

     

    RDP Plugin

    RDP plug-in is something that has evolved over a period of time, from something that used to be pure java based RDP plug-in to something that includes both ActiveX RDP client (Internet Explorer) as well as Java Client (Non-IE browsers).

     

    For Java RDP Client Cisco RDP plug-in uses properJava RDP client:

    http://properjavardp.sourceforge.net/

     

    RDP Plug-in also incorporates ActiveX RDP Client, and it makes a call, whether to use Java or ActiveX client based on the browser. That is:

    • If IE users are trying to RDP through Clientless SSLVPN Portal, and the bookmark URL does not contain "ForceJava=true" argument, then ActiveX client comes into picture
    • If Non-IE users are trying to launch RDP Bookmark or URL, only Java Client is launched.

     

    RDP and RDP-2: Which plug-in to use?

    RDP plug-in:

    This is the original Java RDP Plug-in, which then updated to add ActiveX Client.

     

    RDP2 plug-in:

    This is based on rdp2 protocol supposedly updated properJava RDP client meant for Windows 2003 Terminal Servers and Windows Vista Terminal Servers.

     

    However the latest RDP Plugin combines both rdp and rdp2, making RDP2 plug-in obsolete. That is, going forward you will only need to use RDP Plug-in (i.e. rdp-plugin.yymmdd.jar)

     

    Where to Download the plug-in from:

    Download Path:

    Downloads Home

    --> Products

    --> Security

    --> Firewalls

    --> Firewall Appliances

    --> Cisco ASA 5500 Series Adaptive Security Appliances

    --> Cisco ASA 55x0 Adaptive Security Appliance (You can choose any 55x0 model)

    --> Remote Access Plugins for Adaptive Security Appliance (ASA)-1.1.1

     

    Download Software - Cisco Systems - http://goo.gl/qhc0W

     

    The latest RDP plugin at the time of this writing is:

    rdp-plugin.120424.jar

    > Released on 24th April 2012 (yymmdd)

     

    Browser Compatibility Matrix

    Browser Compatibility matrix exists only for Clientless SSLVPN Implementation and ASA OS Version. As long as this matrix is satisfied, plug-ins are automatically supported:

    Supported VPN Platforms, Cisco ASA 5500 Series - Cisco Systems - http://goo.gl/hsU5c

     

     

    RDP Plug-in. What to expect and what not to expect?

    RDP-ActiveX

    • Meant only for Internet Explorer.
    • Sound is relayed over RDP session

     

    RDP-Java

    • Should work on all the supported browsers from the matrix above, that has Java Enabled.
    • Java Client is launched in Internet Explorer only if ActiveX fails to launch or "ForceJava=true" argument is passed in RDP Bookmark or URL.
    • Since RDP-Java implementation is based on properJava RDP project, an open-source initiative, best effort service is provided during the time of plug-in failure.

     

    RDP ActiveX: Issues and Limitations

    • ActiveX RDP Fails to load from IE 6-9 after upgrding to ASA OS version 8.4.3.

    CSCtx58556

    Fix is available from 8.4.3.4, however it is recommended that the upgrade be done to the latest OS available.

    Workaround (if upgrade of ASA code is not an option):

    - Use Java RDP instead. i.e. IE users (Does not harm other browser users) need "ForceJava=true" argument set in RDP URL.

     

    • Due to the last bug (CSCtx58556), if ASA OS downgrade is performed beware of CSCtx57453, in which case ActiveX RDP will fail for all the returning RDP Users (i.e. those users who have attempted ActiveX RDP on Clientless SSLVPN on 8.4.3 ASA). This is because ActiveX RDP Plug-in was upgraded in 8.4.3, which is incompatible with the Older versions.

    What to do:

    - Keep in mind both CSCtx58556 and CSCtx57453 , while deploying company-wide ASA based SSLVPN Service. Either use 8.4.3 and above or 8.4.2 and below

    - If you are a returning RDP user i.e. You have used 8.4.3 based ActiveX RDP and now need to use 8.4.2 or below ActiveX RDP over the SSLVPN Portal:

    - Remove all registry instances of "b8e73359-3422-4384-8d27-4ea1b4c01232? (old activex CLSID) using regedit

    Note: this should be only done after a backup of the registry. Should be done at your own risk and consult Microsoft support for further information.

     

    • Although ActveX client allows NLA (Network Level Authentication) to be coded, Cisco's implementation does not include it. Here is the enhancement request that is open requesting NLA to be incorporated within ActiveX RDP plug-in:

    CSCtu63661

    Workaround:

    - Configure RDP Application (mstsc.exe) to be smart-tunnelled.

    Details: Cisco ASA 5500 SSL VPN Deployment Guide, Version 8.x - Cisco Systems - http://goo.gl/TX6b5

     

    • ActiveX RDP Fails to load with blank page and a 'loading' message, when 3rd Party Certificate Chain is installed on the ASA i.e. ASA has an identity certificate from 3rd Part Vendor and the Certificate Chain of the 3rd Party Vendor is installed on the ASA (Sub-CA1, Sub-CA2, Root-CA)

    CSCsx49794

    Workaround (if upgrade of ASA code is not an option):

    - Don't install the large certificate chain on the ASA

    - Java RDP Plug-in is known to work just fine as opposed to ActiveX plug-in.

    - Also, RDP will work fine when configuring native Windows mstsc.exe with smart tunnels.

     

    • After using ActiveX RDP, if you click on the Logout button, instead of the usual Logout Page, you will see 'HTTP 404 - Page Not found' Error. Issue is not seen with the latest RDP Plugin available on CCO. i.e. rdp-plugin.120424.jar

    - CSCtz33266

     

    • If you have two (or more) tabs open in IE, one for ActiveX RDP Session through SSLVPN portal , and another one either blank or some random page, if the RDP tab is closed, IE stops working

    - Track this in bug ID CSCua69129

    - Workaround for Now is to use Java RDP plugin i.e Set ForceJava=true

     

    RDP Java: Issues and Limitations

    Having established the fact that Cisco RDP-Java plug-in implementation is based on properJava RDP project, an open-source initiative, during Java-RDP Failure, best effort service is provided. However plese do bring any issues to Cisco TAC's notice and a satisfactory answer will be given.

     

    • When running some processor intensive applications through Java RDP Session, you might experience Java RDP crashing on you with "FATAL net.propero.rdp - javax.net.ssl.SSLException: Connection has been shutdown: ...." error. This is mainly observed when these processor intensive applications through Java RDP session are continuously switched amongst themselves.

    CSCtz78693

    - Fixed Plugin is avalable on request through Cisco TAC, and the fix is made only to the plug-in not to ASA OS.

    Labels:
    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Customers Also Viewed These Support Documents