06-20-2012 07:30 AM
Hello,
We configured our ASA 5510 to serve intranet contents via the clientless VPN feature.
We're trying to give our users the possibility to access our ticketing system, Atlassian Jira, and our corporate wiki, Atlassian Confluence.
With Confluence everything appears to be working fine, but when editing/creating a new page the rich content editor is not usable. The editor's buttons are there but it's impossible to interact with it (the main text window is not clickable).
Jira is instead completely unusable: the login form appears to be loaded in an iframe through some script, but the iframe source is pointing at the untranslated URL.
I tried to look at the source code of the generated page and indeed there are parts of it with untranslated URLs. I'm pasting some bits of the code with my company url obfuscated:
<fieldset >
...CUT...
<input type="hidden" title="baseURL" value="https://jira.<mycompany>.com:443" >
...CUT...
<script type="text/javascript" charset="utf-8" >
AG.DashboardManager.setup({
params: {
"pipeDelimitedHelp" : "(pipe-delimited)",
"editLayout" : "Choose dashboard layout",
"move" : "move",
"layoutAction" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/10000\/layout",
"staticResourceUrlPrefix" : "$js.escape($staticResourceUrlPrefix)",
"blankSearchText" : "Search",
...CUT...
"maxGadgets" : "20",
"dashboardUrl" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/10000",
"dashboardDirectoryResourceUrl" : "https:\/\/jira.<mycompany>.com\/rest\/config\/1.0\/directory",
"dashboardSubscribedGadgetFeedsUrl" : "https:\/\/jira.<mycompany>.com\/rest\/config\/1.0\/directory\/subscribed-gadget-feeds",
"dashboardResourceUrl" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/10000",
"dashboardDirectoryUrl" : "https:\/\/jira.<mycompany>.com\/rest\/dashboards\/1.0\/\/directory\/10000",
"dashboardDirectoryBaseUrl" : "https:\/\/jira.<mycompany>.com\/",
"dashboardDiagnosticsUrl" : "\/plugins\/servlet\/gadgets\/dashboard-diagnostics",
...CUT...
</script>
It seems like the content rewriter skipped the JavaScript part altogether.
I'm using an ASA 5510 with ASA version 8.4(2).
Any hint?
Thanks!
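The manual source inspection described in the post above can be scripted. This is an added example, not part of the original thread: it scans HTML saved from a clientless-portal session for absolute URLs that still point at the internal host, including the JSON-escaped `https:\/\/` form seen inside the script block. The host jira.example.com and the sample page are constructed placeholders.

```javascript
// Added example: list internal-host URLs left untranslated in a portal-served page.
// jira.example.com and SAMPLE_PAGE are constructed placeholders, modelled on the post.
const SAMPLE_PAGE = [
  '<a href="/rewritten/by/portal">Dashboard</a>',
  '<input type="hidden" title="baseURL" value="https://jira.example.com:443">',
  '<script type="text/javascript">',
  'AG.DashboardManager.setup({ params: {',
  '  "layoutAction" : "https:\\/\\/jira.example.com\\/rest\\/dashboards\\/1.0\\/10000\\/layout",',
  '  "dashboardDiagnosticsUrl" : "\\/plugins\\/servlet\\/gadgets\\/dashboard-diagnostics"',
  '}});',
  '</script>',
].join('\n');

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function findUntranslatedUrls(html, internalHost) {
  // "//" may appear literally or JSON-escaped as "\/\/" inside script data.
  const urlRe = new RegExp(
    'https?:(?:\\\\?/){2}' + escapeRegExp(internalHost) + '(?![\\w.-])[^"\'\\s<>]*', 'gi');
  // Character ranges covered by <script> elements, to tell script data from markup.
  const scriptRanges = [...html.matchAll(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi)]
    .map((m) => [m.index, m.index + m[0].length]);
  return [...html.matchAll(urlRe)].map((m) => ({
    line: html.slice(0, m.index).split('\n').length,
    context: scriptRanges.some(([s, e]) => m.index >= s && m.index < e) ? 'script' : 'markup',
    jsonEscaped: m[0].includes('\\/'),
    url: m[0].replace(/\\\//g, '/'), // normalised form for comparison and reporting
  }));
}

function summarize(findings) {
  const counts = { script: 0, markup: 0 };
  for (const f of findings) counts[f.context] += 1;
  return counts;
}

const findings = findUntranslatedUrls(SAMPLE_PAGE, 'jira.example.com');
for (const f of findings) {
  console.log(`line ${f.line} [${f.context}${f.jsonEscaped ? ', escaped' : ''}] ${f.url}`);
}
console.log(summarize(findings));
```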
06-25-2012 01:42 AM
Update: the ios has just been upgraded to version 8.4(4)1. While Confluence is now working well, Jira is still having the same problems with the URLs not being rewritten to the Cisco URL.
10-18-2012 02:47 AM
Hi again. I've been playing around with the content rewriter and the proxy bypass without any success.
Does anyone have a suggestion on how to tackle this?
Thanks
10-18-2012 05:45 AM
Hi Nicola,
Have you tried with smart-tunneling?
ASA: Smart Tunnel using ASDM Configuration Example
Let me know.
Please rate any helpful posts
10-18-2012 05:48 AM
Hi Javier!
I was looking into that feature but, as far as I understand, it requires the VPN client to be Windows, right?
I would also like to support other platforms such as Linux and Mac OSX. Did I get it correctly?
Thanks
10-18-2012 06:02 AM
Hi Nicola,
Smart tunnel supports all applications not supported by the core rewriter.
•Smart tunnel supports the following Windows platforms:
–Windows 7 x86 (32-bit) and x64 (64-bit) via Internet Explorer 8.x and Firefox 3.x.
–Windows Vista x64 via Internet Explorer 7.x/8.x, or Firefox 3.x.
–Windows Vista x86 SP2 via Internet Explorer 7.x, or Firefox 3.x.
–Windows XP x64 via Internet Explorer 6.x/7.x/8.x and Firefox 3.x.
–Windows XP x86 SP2 or later via Internet Explorer 6.x/7.x, or Firefox 3.x.
•Mac OS X 10.5 running on an Intel processor only, and Mac OS X 10.6.
•Smart tunnel does not support Linux.
Hope to help.
Portu.
Please rate any helpful posts
Message was edited by: Javier Portuguez
10-19-2012 12:43 AM
No Linux. Then this is not solving my problem, unfortunately.
Thanks anyway for your help.
10-19-2012 08:59 AM
Dear Nicola,
In that case, I would suggest AnyConnect instead.
Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1
Portu.
10-22-2012 12:27 AM
We're already using AnyConnect for company laptops.
The portal is available to our users when they're in front of a public PC (internet café or private PC), therefore Jira and Confluence should be accessible exclusively via the web portal without any intervention on the client (no AnyConnect, no smart proxy) and it has to be cross-platform.
The only solution to this issue is to make the content rewriter work as expected.
11-15-2012 04:30 PM
Hi Nicola, I'm having the same issue with JIRA. Were you able to get the content rewriter to work?
11-16-2012 12:43 AM
Hi Tom, unfortunately not. I'm planning to upgrade the ASA to the latest version to see if this improves the situation. I'm not too confident.
I'll keep you posted
12-07-2012 11:39 AM
I upgraded to 8.4(5) and still have the same issue. Opened a support case and asked them to look at using an application helper (APCF) file to rewrite the java variables. It was like pulling teeth to get them to even mention APCF!! The main workaround for Cisco is a SmartTunnel, which works on some PCs, but I have others that are locked down so tight the Cisco SSL VPN Relay java applet won't run (seems to require admin rights on the PC). To date, I have sent them HTTPWATCH files and screenshots. Hope to have an answer soon.
12-10-2012 12:48 AM
Hi Tom,
Thanks for the follow-up. I was scared of that option (APCF), but I'm not surprised. It would probably be nice to have a light version of Jira and Confluence with the basic set of JavaScript.
01-18-2013 02:28 AM
Hi Tom!
How did it go in the end? Did they provide the requested fix?
Thanks
01-18-2013 09:48 AM
Hi Nicola,
Unfortunately I do not have an answer yet. The last update from the TAC engineer was Monday... said he found some interesting info in the captures I sent and was working with another engineer on it. Will let you know if they find a fix.
Thanks,
Tom