I configured my ASAv running version 9.6.2 with clientless ssl vpn. I imported the plugin rdp02.24.2014.jar
My ssl vpn portal can be accessed publicly with a trusted cert from a trusted CA (a valid certificate showing a secured connection).
However, when I tried to access my machines through RDP, Java blocked it with the error "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running".
So the Java applet (RDP in this case) is signed by Cisco, but this usually expires unless you get a Java code signing cert and sign the applet again. This is not the public certificate that you have for the external fqdn. More info here:
Now, since these plugins were released in 2014, the certs are most likely expired. So a workaround would be to add the ASA IP address/FQDN to the Java exception list, so that you can bypass the error that Java raises when it sees an expired cert.
Thanks for the explanation. I tried replacing the java code signing certificate with the one I got from CA but I received another error from java, "Extended key usage does not permit use for code signing"
Usually the SSL certificates received from public CAs do not contain the Extended Key Usage (EKU) for code signing. This field defines what purposes the certificate can be used for. For a typical SSL certificate, the EKU field is set to "Server Authentication".
Now as given in the document I pasted earlier, you would have to generate a new Certificate Signing Request (CSR) with EKU set to code-signer (last line):
hostname(config)# crypto key generate rsa label CodeSigner
INFO: The name for the keys will be: CodeSigner
Keypair generation process begin. Please wait...
hostname(config)# crypto ca trustpoint CodeSigner
hostname(config-ca-trustpoint)# enrollment terminal
hostname(config-ca-trustpoint)# subject-name CN=ASA-Code-Signer,O=Companyname
hostname(config-ca-trustpoint)# keypair CodeSigner
hostname(config-ca-trustpoint)# id-usage code-signer
Once you generate the CSR, send it to your CA to get a new certificate with the right EKU and apply that as the code signing cert. If the CA adds its own EKU, then you can get a certificate with EKU set to Server Auth and Code Signing, which should allow you to use it for both purposes. It would be best to check with your CA on that before the process.
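Before installing a certificate returned by the CA as the code signing cert, it is worth checking the two things Java complains about in this thread: whether the Extended Key Usage actually includes Code Signing, and whether the certificate is inside its validity window. The script below is an added example, not part of this thread or of any Cisco documentation; it assumes an OpenSSL binary on PATH and builds two constructed self-signed sample certificates (one with only serverAuth, like a typical public SSL cert, and one with serverAuth plus codeSigning) so it runs offline. Against a real CA-issued certificate you would only use the check functions.

```shell
#!/bin/sh
# Added example: check a certificate for the properties Java requires of an
# applet signer (EKU includes Code Signing, certificate currently valid).
# Assumes: openssl on PATH. File names and sample certs are constructed here.

WORK=$(mktemp -d)

# Build a constructed self-signed sample certificate with the given EKU list
# and lifetime in days. Real code signing certs come from the CA; this exists
# only so the checks below have something to run against.
make_sample_cert() {
  eku="$1"; out="$2"; days="$3"
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = ASA-Code-Signer
O = Companyname
[v3]
extendedKeyUsage = $eku
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/key.pem" -out "$out" -days "$days" \
    -config "$WORK/req.cnf" >/dev/null 2>&1
}

# Exit 0 if the EKU extension lists Code Signing (OID 1.3.6.1.5.5.7.3.3).
# A cert that fails this is exactly what produces the Java error
# "Extended key usage does not permit use for code signing".
has_code_signing_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' \
    | grep -q 'Code Signing'
}

# Exit 0 if the certificate has not passed its notAfter date.
# Caveat: -checkend only tests expiry; a not-yet-valid cert (notBefore in
# the future) must be checked separately against the startdate.
is_currently_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Exit 0 if the certificate will expire within N seconds, which is useful
# for warning before the applet signature starts being blocked again.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Human-readable summary of one certificate file.
report() {
  cert="$1"
  openssl x509 -in "$cert" -noout -subject -enddate
  if has_code_signing_eku "$cert"; then
    echo "EKU: code signing permitted"
  else
    echo "EKU: code signing NOT permitted (request a CSR with id-usage code-signer)"
  fi
  if is_currently_valid "$cert"; then
    echo "validity: current"
  else
    echo "validity: expired (Java will block the applet)"
  fi
}

# Stand-alone demo on the two constructed samples.
make_sample_cert "serverAuth" "$WORK/web-only.pem" 365
make_sample_cert "serverAuth,codeSigning" "$WORK/dual-use.pem" 365
echo "--- typical public SSL cert ---"; report "$WORK/web-only.pem"
echo "--- dual-use cert (Server Auth + Code Signing) ---"; report "$WORK/dual-use.pem"
```

The dual-use sample mirrors the outcome described above when the CA issues a certificate carrying both Server Authentication and Code Signing in its EKU; the web-only sample reproduces the failure from the follow-up post.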