cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6533
Views
39
Helpful
24
Replies

ASA 5510 clientless VPN content rewriter brakes Jira and Confluence

Nicola Volpini
Level 1
Level 1

Hello,

we configured our ASA 5510 to serve intranet contents via the clientless VPN feature.

We're trying to give our users the possibility to access our ticketing system, Atlassian Jira, and our corporate wiki, Atlassian Confluence.

With Confluence everything appears to be working fine but when editing/creating a new page the rich content editor is not usable. The editor's buttons are there but it's impossible to interact with it (the main text window is not clickable)

Jira is instead completely unusable: the login form appears to be loaded in an Iframe through some script, but the iframe source is pointing at the untranslated url.

I tried to look at the source code of the generated page and indeed there are parts of it with untranslated URLs. I'm pasting some bits of the code with my company url obfuscated:

<fieldset >

...CUT...

<input type="hidden" title="baseURL" value="https://jira.<mycompany>.com:443" >

...CUT...

<script type="text/javascript" charset="utf-8" >
        AG.DashboardManager.setup({
            params: {
                "pipeDelimitedHelp" : "(pipe-delimited)",
                "editLayout" : "Choose dashboard layout",
                "move" : "move",
                "layoutAction" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/10000\/layout",
                "staticResourceUrlPrefix" : "$js.escape($staticResourceUrlPrefix)",
                "blankSearchText" : "Search",


...CUT...


"maxGadgets" : "20",
                "dashboardUrl" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/10000",
                "dashboardDirectoryResourceUrl" : "https:\/\/jira.<mycompany>.com\/rest\/config\/1.0\/directory",
                "dashboardSubscribedGadgetFeedsUrl" : "https:\/\/jira.<mycompany>.com\/rest\/config\/1.0\/directory\/subscribed-gadget-feeds",
                "dashboardResourceUrl" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/10000",
                "dashboardDirectoryUrl" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/\/directory\/10000",
                "dashboardDirectoryBaseUrl" : "https:\/\/jira.<mycompany>.com\/",
                "dashboardDiagnosticsUrl" : "\/plugins\/servlet\/gadgets\/dashboard-diagnostics",

...CUT...

</script>

It seems like the content rewriter skipped the javascript part alltogether.

I'm using an ASA 5510 with ASA version 8.4(2).

Any hint?
Thanks!

24 Replies 24

Nicola Volpini
Level 1
Level 1

Update:  the ios has just been upgraded to version 8.4(4)1. While confluence is now working well, Jira is still having the same problems with the urls not being rewritten to the cisco url.

Nicola Volpini
Level 1
Level 1

Hi again. I've been playing around with the content rewriter and the proxy bypass without any success.

Does anyone have a suggestion on how to tackle this?

Thanks

Hi Nicola,

Have you tried with smart-tunneling?

ASA: Smart Tunnel using ASDM Configuration Example

Let me know.

Please rate any helpful posts

Hi Javier!
I was looking into that feature but, as far as I understand, it requires the vpn client to be windows, right?

I would also like to support other platforms such as Linux and Mac OSX. Did I get it correctly?
Thanks

Hi Nicola,

Smart tunnel supports all applications not supported by the core rewriter.

Smart tunnel supports the following Windows platforms:

Windows 7 x86 (32-bit) and x64 (64-bit) via Internet Explorer 8.x and Firefox 3.x.

Windows Vista x64 via Internet Explorer 7.x/8.x, or Firefox 3.x.

Windows Vista x86 SP2 via Internet Explorer 7.x, or Firefox 3.x.

Windows XP x64 via Internet Explorer 6.x/7.x/8.x and Firefox 3.x.

Windows XP x86 SP2 or later via Internet Explorer 6.x/7.x, or Firefox 3.x.

Mac OS X 10.5 running on an Intel processor only, and Mac OS X 10.6.

Smart tunnel does not support Linux.

Smart Tunnel

Hope to help.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez

No linux. Then this is not solving my problem, unfortunately.

Thanks anyway for your help.

Dear Nicola,

In that case, I would suggest AnyConnect instead.

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1

Portu.

We're already using AnyConnect for company's laptop.

The portal is available to our users when they're in front of a public pc (internet cafè or private pc), therefore Jira and Confluence should be accessible exclusively via the webportal without any intervention on the client (no AnyConnec, no smart proxy) and it has to be cross platform.

The only solution to this issue is to make the content rewriter work as expected

Hi Nicola, I'm having the same issue with JIRA. Were you able to get the content rewriter to work?

Hi Tom, unfortunately not. I'm planning to upgrade the ASA to the latest version to see if this improves the situation. I'm not too confident.
I'll keep you posted

I upgraded to 8.4(5) and still have the same issue. Opened a support case and asked them to look at using an application helper (APCF) file to rewrite the java variables. It was like pulling teeth to get them to even mention APCF!! The main workaround for Cisco is a SmartTunnel, which works on some PCs, but I have others that are locked down so tight the Cisco SSL VPN Relay java applet won't run (seems to require admin rights on the PC). To date, I have sent them HTTPWATCH files and screenshots. Hope to have an answer soon.

Hi Tom,

thanks for the follow up. I was scared of that option (APCF), but I'm not surprised. It would probably be nice to have a light version of jira and confluence with the basic set of javascript

Hi Tom!
How did it go in the end? Did they provide the requested fix?
Thanks

Hi Nicola,

Unfortunately I do not have an answer yet. The last update from the TAC engineer was Monday... said he found some interesting info in the captures I sent and was working with another engineer on it. Will let you know if they find a fix.

Thanks,

Tom

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: