Clientless SSL ASA - What traffic gets through?

Unanswered Question
May 15th, 2009


I am working on the best option to set up remote access to our LAN. I have SSL via AnyConnect running now, and I set up rules to only allow RDP traffic to certain systems. That's all I need and want for them, but I started fooling around with the clientless SSL feature and like the possibilities of the web bookmarks!

So what I was wondering is basically how it works, with smart tunnels or even just the basic portal apps. If I set up a portal page for a user that has links for RDP and a web page, does the ASA drop ALL other packets from the client (i.e. viruses, keyloggers/worms) by default, or do I need to rule all other traffic out as I have done for my AnyConnect setup? I noted that when looking at adding a smart tunnel link, it states that all web traffic from a client will go over the SSL tunnel to our LAN and then out, i.e. kind of like a non-split-tunnel setup.

In short, I want to ensure that only traffic for the specified apps gets sent to the LAN via a clientless SSL session and nothing else, and preferably maintain the split-tunnel type setup that the full SSL setup has.


smalkeric Thu, 05/21/2009 - 13:13

In a clientless SSL VPN connection, the security appliance acts as a proxy between the end user's web browser and the target web servers. When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server's SSL certificate. The end user's browser never receives the presented certificate and therefore cannot examine and validate it.
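As an added illustration for the original question (not part of this thread or of Cisco's documentation), the usual way to make sure a clientless session can only reach the published bookmarks is a webtype ACL applied as the group policy's filter: anything not explicitly permitted falls through to the implicit deny at the end of the list. All names, hostnames and addresses below are constructed placeholders, and whether the `tcp` entries also govern smart-tunnel flows on a given ASA release is an assumption that should be verified with `show` commands on the box in use.

```text
! Constructed ASA configuration fragment (example only, not from the thread).
! Web bookmark: permit only the published intranet application.
access-list CLIENTLESS_FILTER webtype remark published intranet web app
access-list CLIENTLESS_FILTER webtype permit url https://intranet.example.com
access-list CLIENTLESS_FILTER webtype permit url https://intranet.example.com/*

! RDP bookmarks: permit TCP/3389 only to the two named jump hosts
! (assumption: the tcp form of the webtype ACL covers these flows on this release).
access-list CLIENTLESS_FILTER webtype remark RDP to approved hosts only
access-list CLIENTLESS_FILTER webtype permit tcp host 10.0.10.21 eq 3389
access-list CLIENTLESS_FILTER webtype permit tcp host 10.0.10.22 eq 3389

! No "permit url any" and no "permit tcp any": everything else hits the
! implicit deny, so the portal cannot be used as a general proxy into the LAN.

! Group policy for the clientless users: clientless only, with the filter applied.
group-policy CLIENTLESS_GP internal
group-policy CLIENTLESS_GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value CLIENTLESS_FILTER
  url-list value RDP_BOOKMARKS

! Verification after a user logs in (constructed checks, run from enable mode):
!   show access-list CLIENTLESS_FILTER   -> hit counts should rise only on permits you expect
!   show vpn-sessiondb webvpn            -> confirms the session is clientless, not AnyConnect
```

Because the clientless session terminates on the ASA as a proxy rather than as a routed tunnel, a split-tunnel ACL does not apply to it; the webtype filter above is what limits which LAN resources the portal can reach.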

