Re: ASA 8.3 WebVPN - Bookmark to HTTPS device with cert warning

sez sharp · ‎04-15-2011

I seem to remember reading something about how/if the ASA 8.x WebVPN proxy supports proxy connection to an internal server with certificate error (untrusted CA because self signed). Now I need it of course I can not find the doc....

On ASA 8.2 WebVPN set up the HTTP/HTTPS proxy function works to an internal server with certificate error - i.e. the remote client can access thru the ASA 8.2 WebVPN bookmark and get browser screen from the internal server with self signed cert

However, same set up on ASA 8.3 WebVPN does not work - i.e. the remote client tires to access the thru ASA 8.3 WebVPN bookmark but straight away gets a "Connection failed" msg saying "Server x.x.x.x unavailable". This looks to be becuase 8.3 proxy function does not accept connection to HTTPS server with untrusted cert?

Is there a way of enforcing 8.2 type behaviour with 8.3 WebVPN - i.e. it can proxy to HTTPS server with untrusted cert?

-Sez

sez sharp · ‎04-15-2011

Found that the problem lay in the ASA WebVPN client HTTPS negotiation with the internal server

Default ASA 8.3 setting for SSL client is auto i.e. use SSLv3 or TLSv1 for such client connection from ASA acting in proxy (client) role

Forcing ASA WebVPN to only use TLSv1 fixed the problem

ssl client-version tlsv1-only

For reference;

The internal HTTPS server thet ASA was having problems with was an HP ILO

The self signed cert / error was a red herring

-Sez

Jason Jenkins · ‎08-10-2017

The cert error is because you have a feature to verify the ssl cert. This feature is enabled under the webvpn configuration causing the clientless VPN to show the certificate error You can turn this feature off by going into the cli and entering the following:

ASA# conf t
ASA(config)# webvpn
ASA(config-webvpn)# no ssl-server-check