SSL VPN Setup

kharvey · ‎04-02-2010

I am in the process of rebuilding my ASA 5510 8.0(5) firewall configs and I am up to the point of building the remote-access VPN tunnels.

Now I am not sure if this is possible without a RADIUS or a VPN Concentrator but I figured I would try.

What I am attempting to do is use Active Directory to determine how a user connects in.

So based on the AD group the person belongs to, is what SSL VPN they can connect to.

The 3 connections are going to be:

Full VPN Tunnel

Tunnel into an OWA server

Tunnel into a Terminal Server

For some complicated reasons I am unable to put my Exchange or Terminal Server in the DMZ, so rather than having pin-holes from my External Connection directly to my Exchange and Terminal Server I figured I would just use the ASA and a VPN tunnel to connect to those services, along with the full VPN access.

So far this is as far as I have gotten (hardly anywhere):

aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (internal) host 10.1.1.1
ldap-base-dn dc=test, dc=com
ldap-login-dn cn=LDAPPerson, cn=Service Users OU, cn=Standard Users, dc=test, dc=com
ldap-login-password xxxxxx
ldap-naming-attribute sAMAccountName
ldap-scope subtree
server-type microsoft

ldap attribute-map LDAPSSLMap
map-name memberOf VPN Access Grp
map-value memberOf cn=VPN Access Grp, OU=VPN OU, OU=Security Groups, DC=test, DC=com SSLVPNPolicy
map-value memberOf cn=OWA Access Grp, OU=VPN OU, OU=Security Groups, DC=test, DC=com SSLOWAPolicy
map-value memberOf cn=TS Access Grp, OU=VPN OU, OU=Security Groups, DC=test, DC=com SSLTSPolicy

I started to try to configure the VPN tunnels but I couldn't figure out how to determine which Policy to use based on the authentication the user uses. Hence why I am unsure whether this is even possible.

I have done something similar with SSL where I have the user log in and it sends them directly to a Terminal Server window and asks for an IP address for the server (using AAA). With this setup is there a way to directly send them to the Terminal Server wihtout them having to put in the IP address?

Also is it possible if they belong to both the TS and OWA group that they are prompted for which they want to connect to (either the TS or OWA)?

I will keep playing with this to see if I can figure out what needs to be done. If I find a solution I will post it, but any assistance with this would be greatly appreciated.

kharvey · ‎04-09-2010

Okay I have made it a bit farther but I have a couple more issues that I need to work through.

I have most of the AD permissions setup and working with this:

ldap attribute-map VPNAccessMap
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=OWA Access Grp,OU=VPN OU,OU=Security Groups,DC=test,DC=com" OWAAccessPlc
map-value memberOf "CN=TS Access Grp,OU=VPN OU,OU=Security Groups,DC=test,DC=com" TSAccessPlc
map-value memberOf "CN=VPN Access Grp,OU=VPN OU,OU=Security Groups,DC=test,DC=com" SSLAccessPlc
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (IntNet) host 10.1.2.80
ldap-base-dn DC=ECCOGroup,DC=corp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password xxxxxxxx
ldap-login-dn CN=dude,OU=Service Users OU,OU=Users,DC=test,DC=com
server-type microsoft
ldap-attribute-map VPNAccessMap

I was able to verify that it is working by using different Banners in the Group Policies:

group-policy SSLAccessPlc internal
group-policy SSLAccessPlc attributes
banner value SSL VPN Access Policy
group-policy TSAccessPlc internal
group-policy TSAccessPlc attributes
banner value Terminal Server Access Policy
group-policy OWAAccessPlc internal
group-policy OWAAccessPlc attributes
banner value Outlook Web Access Policy
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_SRV_GRP

I only have a couple of questions left before this becomes functional:

1. How do I make it to where if a user is not part of any of the 3 AD groups they are denied access?

Right now if they are not part of any of the 3 AD groups they are assigned to the SSLAccessPlc

2. How would I go about auto forwarding users that are using the OWAAccessPlc directly to my Outlook Web Access?

So when a user signs onto the Clientless SSL and they are part of the OWAAccessPlc it forwards them directly to the OWA web address using the tunnel.

3. How do I setup the single sign-on?

When a user signs onto the SSL VPN since they are already using AD credentials, how do I forward those credentials onto either OWA or the Terminal Server?

4. How do I setup a link on the Portal to a Terminal Server and have it include the Terminal Server address?

I have been able to setup a link to the Terminal Server in the past, but the users still needed to enter in the IP address of the Terminal Server once they clicked the link. I would like to automate this to where the users don't have to remember anything but the username and password.

I will keep working on this through out today, and hopefully I can answer some of my own questions. I will continue to post my findings until I am able to get everything working.

kharvey · ‎04-09-2010

I apologize if this becomes annoying, but I just figured out question #1.

Bascially what I had to do was create another AD group called Remote Access Grp, then I created a DAP rule that says that if the user is not part of Remote Access Grp then terminate the connection. So when a user requests access to the VPN I would have to first assign them to the Remote Access Grp, and then assign them to either the OWA, TS, or VPN groups to limit their access.

Here is config that I setup:

dynamic-access-policy-record SSLDenyPlc
user-message "Rejected"
action terminate
webvpn
file-browsing disable
file-entry disable
http-proxy disable
url-entry disable

It appears though that I can only set DAP's through ASDM as there is nothing in the running config that has Remote Access Grp.

I am still working on my other questions.