This article is reposted from: https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-remote-user-guide.html

Chapter: Clientless SSL VPN Remote Users


This chapter summarizes the configuration requirements and tasks for the remote user's system. It also helps users get started with Clientless SSL VPN. It includes the following sections:

Note: Make sure that the ASA has been configured for Clientless SSL VPN.


Usernames and Passwords

Depending on your network, during a remote session users may have to log on to any or all of the following: the computer itself, an Internet service provider, Clientless SSL VPN, mail or file servers, or corporate applications. Users may therefore have to authenticate in several different contexts, each requiring different information, such as a unique username, password, or PIN. Ensure that users have the required access for each.

The following table lists the type of usernames and passwords that Clientless SSL VPN users may need to know.

Login Username/Password Type | Purpose | Entered When
Computer | Access the computer | Starting the computer
Internet Service Provider | Access the Internet | Connecting to an Internet service provider
Clientless SSL VPN | Access remote network | Starting a Clientless SSL VPN session
File Server | Access remote file server | Using the Clientless SSL VPN file browsing feature to access a remote file server
Corporate Application Login | Access firewall-protected internal server | Using the Clientless SSL VPN Web browsing feature to access an internal protected website
Mail Server | Access remote mail server via Clientless SSL VPN | Sending or receiving email messages

Communicate Security Tips

Communicate the following security tips:

  • Always log out from a Clientless SSL VPN session: click the logout icon on the Clientless SSL VPN toolbar or close the browser.
  • Using Clientless SSL VPN does not ensure that communication with every site is secure. Clientless SSL VPN secures data transmission only between the remote computer or workstation and the ASA on the corporate network. If a user then accesses a non-HTTPS Web resource (located on the Internet or on the internal network), the communication from the corporate ASA to the destination Web server is not secure.

Configure Remote Systems to Use Clientless SSL VPN Features

The following table lists the tasks involved in setting up remote systems to use Clientless SSL VPN, the requirements or prerequisites for each task, and recommended usage.

You may have configured user accounts differently, and different features may be available to each Clientless SSL VPN user. This table also organizes information by user activity.

For each task, the bullets give the remote system or end user requirements, followed by the specifications or use suggestions that apply to them.

Task: Starting Clientless SSL VPN

  • Connection to the Internet. Any Internet connection is supported, including home DSL, cable, or dial-up; public kiosks; hotel hook-ups; airport wireless nodes; and Internet cafes.
  • Clientless SSL VPN-supported browser. We recommend the following browsers for Clientless SSL VPN; other browsers may not fully support Clientless SSL VPN features. On Microsoft Windows: Internet Explorer 8, Firefox 8. On Linux: Firefox 8. On Mac OS X: Safari 5, Firefox 8.
  • Cookies enabled on browser. Cookies must be enabled on the browser in order to access applications via port forwarding.
  • URL for Clientless SSL VPN. An HTTPS address in the form https://address, where address is the IP address or DNS hostname of an interface of the ASA (or load balancing cluster) on which Clientless SSL VPN is enabled. For example: https://10.89.192.163 or https://cisco.example.com.
  • Clientless SSL VPN username and password.
  • [Optional] Local printer. Clientless SSL VPN does not support printing from a Web browser to a network printer. Printing to a local printer is supported.

Task: Using the Floating Toolbar in a Clientless SSL VPN Connection

  A floating toolbar is available to simplify the use of Clientless SSL VPN. The toolbar lets you enter URLs, browse file locations, and choose preconfigured Web connections without interfering with the main browser window. If you configure your browser to block popups, the floating toolbar cannot display. The floating toolbar represents the current Clientless SSL VPN session: if you click the Close button, the ASA prompts you to close the Clientless SSL VPN session.
  Tip: To paste text into a text field, use Ctrl-V. (Right-clicking is not enabled on the Clientless SSL VPN toolbar.)

Task: Web Browsing

  • Usernames and passwords for protected websites. Using Clientless SSL VPN does not ensure that communication with every site is secure. See "Communicate Security Tips."

  The look and feel of Web browsing with Clientless SSL VPN may be different from what users are accustomed to. For example:
  • The Clientless SSL VPN title bar appears above each Web page.
  • You access websites by entering the URL in the Enter Web Address field on the Clientless SSL VPN Home page, by clicking a preconfigured website link on the Clientless SSL VPN Home page, or by clicking a link on a webpage accessed via one of the previous two methods.
  Also, depending on how you configured a particular account, it may be that:
  • Some websites are blocked.
  • Only the websites that appear as links on the Clientless SSL VPN Home page are available.

Task: Network Browsing and File Management

  • File permissions configured for shared remote access. Only shared folders and files are accessible via Clientless SSL VPN.
  • Server name and passwords for protected file servers.
  • Domain, workgroup, and server names where folders and files reside. Users may not be familiar with how to locate their files through your organization's network.

  Do not interrupt the Copy File to Server command or navigate to a different screen while the copying is in progress. Interrupting the operation can cause an incomplete file to be saved on the server.

Task: Using Applications (called Port Forwarding or Application Access)

  Note: On Mac OS X, only the Safari browser supports this feature.
  Note: Because this feature requires installing the Oracle Java Runtime Environment (JRE) and configuring the local clients, and because doing so requires administrator permissions on the local system, it is unlikely that users will be able to use applications when they connect from public remote systems.
  Users should always close the Application Access window when they finish using applications by clicking the Close icon. Failure to close the window properly can cause Application Access or the applications themselves to be inaccessible.

  • Client applications installed.
  • Cookies enabled on browser.
  • Administrator privileges. The user must have administrator access on the computer if you use DNS names to specify servers, because modifying the hosts file requires it.
  • Oracle Java Runtime Environment (JRE) installed. JavaScript must be enabled on the browser (it is enabled by default). If the JRE is not installed, a pop-up window displays, directing users to a site where it is available. On rare occasions, the port forwarding applet fails with Java exception errors. If this happens: clear the browser cache and close the browser; verify that no Java icons are in the computer task bar and close all instances of Java; then establish a Clientless SSL VPN session and launch the port forwarding Java applet.
  • Client applications configured, if necessary. Note: The Microsoft Outlook client does not require this configuration step. All non-Windows client applications require configuration. To see whether configuration is necessary for a Windows application, check the value of the Remote Server field: if it contains the server hostname, you do not need to configure the client application; if it contains an IP address, you must configure the client application. To configure the client application, use the server's locally mapped IP address and port number. To find this information, start Clientless SSL VPN on the remote system and click the Application Access link on the Clientless SSL VPN Home page; the Application Access window appears. In the Name column, find the name of the server to use, then identify its corresponding client IP address and port number (in the Local column). Use this IP address and port number to configure the client application. Configuration steps vary for each client application.

  Note: Clicking a URL (such as one in an email message) in an application running over Clientless SSL VPN does not open the site over Clientless SSL VPN. To open a site over Clientless SSL VPN, cut and paste the URL into the Enter (URL) Address field.

Task: Using email via Application Access

  • Fulfill the requirements for Application Access (see Using Applications). To use mail, start Application Access from the Clientless SSL VPN Home page. The mail client is then available for use.
    Note: If you are using an IMAP client and you lose your mail server connection or are unable to make a new connection, close the IMAP application and restart Clientless SSL VPN.
  • Other email clients. We have tested Microsoft Outlook Express versions 5.5 and 6.0.

Task: Using email via Web Access

  • Web-based email product installed. Supported products include Outlook Web Access (for best results, use OWA on Internet Explorer 8.x or higher, or Firefox 8.x) and Lotus Notes. Other web-based email products should also work, but we have not verified them.

Task: Using email via email Proxy

  • SSL-enabled mail application installed. Do not set the ASA SSL version to TLSv1 Only; Outlook and Outlook Express do not support TLS. Supported mail applications: Microsoft Outlook, and Microsoft Outlook Express versions 5.5 and 6.0. Other SSL-enabled mail clients should also work, but we have not verified them.
  • Mail application configured.

Capture Clientless SSL VPN Data

The CLI capture command lets you log information about websites that do not display correctly over a Clientless SSL VPN connection. This data can help your Cisco customer support engineer troubleshoot problems. The following sections describe how to use the capture command:

Create a Capture File

Procedure

Step 1: Start the Clientless SSL VPN capture utility to capture packets:

    capture capture-name type webvpn user csslvpn-username

  capture-name is a name you assign to the capture, which is also prefixed to the name of the capture files.
  csslvpn-username is the username to match for capture.
  Example: hostname# capture hr type webvpn user user2

Step 2: Stop the capture by using the no form of the command:

    no capture capture-name

  Example: hostname# no capture hr
  The capture utility creates a capture-name.zip file, which is encrypted with the password koleso.

Step 3: Send the .zip file to Cisco, or attach it to a Cisco TAC service request.

Step 4: To look at the contents of the .zip file, unzip it using the password koleso.
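The procedure above ends with a capture archive named after the capture and protected with the password koleso. The following is an added example, not Cisco's code and not part of the original page, of how a support engineer might inspect such an archive offline before attaching it to a service request: it derives the expected file name, opens the archive with the documented password, reports whether each member is actually encrypted, and reads the first line of each member. It assumes the archive uses the legacy PKWARE ZipCrypto scheme (the only one Python's standard zipfile module can decrypt); the sample archive built inline is constructed for the example and, because the standard library cannot write encrypted archives, is unencrypted.

```python
import io
import zipfile

# Password the ASA uses for the capture .zip, as stated in the procedure above.
CAPTURE_PASSWORD = b"koleso"


def capture_file_name(capture_name):
    """Name of the archive the ASA writes when the capture is stopped
    (the capture name is prefixed to the file name)."""
    return f"{capture_name}.zip"


def inspect_capture(zip_bytes, password=CAPTURE_PASSWORD):
    """Open a capture archive held in memory, decrypt it with the documented
    password and return {member name: (is_encrypted, size, first_line)}.

    Assumption (not stated on the page): the archive uses the legacy PKWARE
    ZipCrypto scheme, which is the only one Python's zipfile can decrypt.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.setpassword(password)
        for info in zf.infolist():
            # General-purpose flag bit 0 marks an encrypted entry; a real
            # capture from the ASA should show True for every member.
            encrypted = bool(info.flag_bits & 0x1)
            with zf.open(info) as fh:
                first_line = fh.readline().decode("utf-8", "replace").rstrip("\r\n")
            result[info.filename] = (encrypted, info.file_size, first_line)
    return result


def build_sample_capture():
    """Constructed stand-in for a capture archive so the block runs offline.
    The member names and contents are invented for this example; the
    standard library cannot write encrypted archives, so this one is
    unencrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hr/request-0001.txt",
                    "GET /portal/index.html HTTP/1.1\r\nHost: intranet.example\r\n")
        zf.writestr("hr/response-0001.txt",
                    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("expected archive name:", capture_file_name("hr"))
    for name, (enc, size, line) in inspect_capture(build_sample_capture()).items():
        print(f"{name}: encrypted={enc} size={size} first_line={line!r}")
```

To run it against a real capture, read the .zip produced by the ASA into bytes and pass them to inspect_capture; if every member reports encrypted=False, the file is not the archive the procedure describes and should not be attached to the case as such.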

Use a Browser to Display Capture Data

Procedure

Step 1: Start the Clientless SSL VPN capture utility:

    capture capture-name type webvpn user csslvpn-username

  capture-name is a name you assign to the capture, which is also prefixed to the name of the capture files.
  csslvpn-username is the username to match for capture.
  Example: hostname# capture hr type webvpn user user2

Step 2: Open a browser and in the address box enter:

    https://<IP address or hostname of the ASA>/webvpn_capture.html

  The captured content displays in a sniffer format.

Step 3: Stop the capture by using the no form of the command:

    no capture capture-name

  Example: hostname# no capture hr