
SSL VPN (WebVPN) ASA version 9.1(3)

Rafael Mendes
Level 2

Hello Everyone,

I have some questions about webvpn configuration.

Question 1:

How can I configure web VPN on Cisco ASA version 9.1(3)?

Question 2:

Is it possible to configure a plugin to publish a remote desktop application in version 9.1(3)?

If yes, how can I configure this?

Thanks,

Rafael

11 Replies

Marcin Latosiewicz
Cisco Employee

Rafael,

Looks like you're just beginning your journey.

My suggestion is to read the configuration guide and utilize ASDM wizards to help you with basic configuration.

Start here:

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/webvpn-overview.html

It should coincidentally answer both of your questions.

M.

Hi Marcin,

Thank you for the links.

I use the wizard "Clientless SSL VPN Wizard" for configuring webvpn on interface outside and I upload the RDP plugin from Cisco.

The SSL VPN web page appears over the internet, but when I try to log in I receive the error "AnyConnect is not enabled on the VPN server".

Rafael,

I guess you're forcing AnyConnect startup somewhere; check the allowed VPN protocols and make sure that clientless is allowed.

Also make sure AC is not being forced during startup.

(Those settings are typically in your tunnel group or group policy.)

    group-policy MY_webvpn attributes
     (...)
     vpn-tunnel-protocol ssl-clientless
     webvpn
      anyconnect ask none default anyconnect

The example above starts AC directly.

You can refer to the ASA command reference if you need to know what each command does.

M.

Marcin,

The problem still persists.

Configuration:

    webvpn
     enable outside-gvt
     anyconnect enable
    group-policy SSLVPNGrpPolicy internal
    group-policy SSLVPNGrpPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     webvpn
      url-list none
      anyconnect ask none default anyconnect
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     default-group-policy SSLVPNGrpPolicy

Rafael,

You didn't read what I wrote

http://www.cisco.com/en/US/docs/security/asa/command-reference/a2.html#wp1743347

Are you using a group-url or some other means to land on tunnel group SSLVPN?

M.

Now it's working.

I was testing with a user linked to a group policy; I created a default user (with no group policy linked) and now the authentication is working, and I can use the RDP plug-in to access the internal machines.

But it's not totally clear to me; I have some more questions:

1 - Can I disable the other services in the home?

Actually I have web applications, browse networks and terminal servers; I need only terminal servers. Is it possible to exclude or hide the other applications?

2 - I tested using a local user, but I need to configure this to authenticate using an AD environment. I have a group "VPNSSL_USERS" and only users in this group can authenticate in the SSL VPN portal; is it possible?

Thank you for the patience.

Hi Marcin,

Unfortunately I've got the same problem, but I don't have the correct ASDM for the ASA-OS 9.1(3) version.

I'm not able to download the correct ASDM version either.

Could you post a working configuration example using the CLI?

I'm reading this configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_groups.html

but it's very complicated!

Thank you very much

giorgio

Giorgio,

      webvpn
        enable "outside interface"
      group-policy "GroupPolicy name" internal
      group-policy "GroupPolicy name" attributes
        vpn-tunnel-protocol ssl-clientless
        webvpn
          url-list none
      exit
      exit
      tunnel-group "tunnel group name" type remote-access
      tunnel-group "tunnel group name" general-attributes
        default-group-policy "GroupPolicy name"

Thank you, but I forgot to tell you that I need the support for AnyConnect!

my bad!

giorgio

Giorgio,

Can't promise it will answer all your questions, ASDM is definitely a NEED for advanced webvpn config, but have a look at:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

It contains both ASDM and CLI config. Some of the configuration changed since that time, but with a bit of patience and the command reference you will find it.

M.

Hi Marcin,

Thank you for your answer.

As I said to Rafael, I forgot to say that I need the support for AnyConnect too.

My bad!

Thank you

giorgio