Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2224
Views
0
Helpful
1
Replies

SSL VPN URL obfuscation ( url masking) using ASA

ehdf_infra
Level 1
Level 1

‎08-12-2010 01:07 AM

Hi All,

I am using SSL VPN (clientless) for one of my customer's. Its working perfectly fine and it is incorporated with OutlookWebaccess, and customer's applications etc.

Problem now i am facing is when ever i login to the SSL page from customer's portal page. URL changes as follows.

https://abcd.com/+CSCOE+/logon.html

then after login it changes to

https://abcd.com/+CSCO+c0756767633A2F2F74766E2E7462692E6E72++/user/test.user/home

Customer is not accepting this LOOOOONG url which getting append with the root. How can I mask the ASA related URL entries for example the cookie CSCO************ . Is it doable

Please assist.

with regards,

Parvees M

Labels:
0 Helpful
1 Reply 1

Paul Carco
Level 1
Level 1

‎08-15-2010 07:46 AM

Hello,

As you probably know that long url is the result of the ASA's content transformation engine.  I am not sure you can mask this output but you can create 'rewrite rules' which essentially allow the resource to be accessed but bypasses the ASA's rewrite engine.   I do this for resources that are external to our network - no sense burdening the ASA with the links a user could always access just by opening another browser to access anyway's..

Content Rewrite

The Content Rewrite pane lists all applications for which content rewrite is enabled or disabled.

Clientless SSL VPN processes application traffic through a content transformation/rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic which may have different semantics and access control rules depending on whether the user is using an application within or independently of an SSL VPN device.

By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some applications and web resources (for example, public websites) to go through the security appliance. The security appliance therefore lets you create rewrite rules that let users browse certain sites and applications without going through the security appliance. This is similar to split-tunneling in an IPSec VPN connection.

You can create multiple rewrite rules. The rule number is important  because the security appliance searches rewrite rules by order number,  starting with the lowest, and applies the first rule that matches.

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/vpn_web.html#wp1001030

Best regards,

Paul

0 Helpful
Customers Also Viewed These Support Documents