SSL VPN RDP Active X Control

Answered Question
May 17th, 2010

This is probably not the right forum for this question, but I'm going to give it a shot.  I've searched around a bit and haven't been able to find a good answer.

I've noticed when first trying to use the Terminal Server function of the SSL VPN via your browser, that installing the Active X control is very buggy.  On just about every machine I've done it on, you must right click and install several times for it to actually work.

Does anybody know of a better way of doing this?  I don't really care for useing the Java option because it lacks full screen capability (at least easily).  Where can I download the actual IE addon from?  Also, how is this control being called and where is it being called from?  I didn't upload anything to flash on our ASA except for the Proper Java RDP plugin.

Thanks for any insight.

I have this problem too.
0 votes
Correct Answer by Jeffrey Schutt about 5 years 3 months ago

Hi Chris,

I haven't seen this same behavior where you must install the RDP plugin ActiveX control multiple times.  Is it possible that you or your IT security admins could be deleting this plugin along with other browser temporary files and objects on a regular basis?  Or maybe your browser is tightly controlled and locked down by an AD GPO.

The best way to get this working is to add the ASA as a trusted site within IE.  By doing this you allow the browser permission to run activex controls and content from the ASA that IE otherwise would classify as a security vulnerability in order to avoid browser exploits.

The ActiveX control is automatically pushed down from the ASA at the time you browse to a url with the format RDP://.  On Windows XP it is saved in C:\WINDOWS\Downloaded Program Files.  You can find all the plugins currently installed in your browser from IE > Tools > Internet Options > General > Browsing History Settings > View objects.

The filename is "CISCO Portforwarder Control".  If you're running a relatively recent ASA image (8.0.5.1,8.2.2, 8.3.1)you should see version 1,0,0,7 pushed down to you.  If you copy the file from an already installed PC you should probably be able to install it on any other PC.  But this shouldn't be necessary as the latest version will be pushed to you upon initiating a webvpn RDP session using the ASA.

The control is called from the ASA software image as opposed to being part of the RDP plugin.  This is why upgrading ASA images gets you past known issues with the using RDP through webvpn such as..

    CSCsx49794 Webvpn: RDP Plugin does not work with ActiveX with large cert chain

and

    CSCtc70548 WebVPN: Cisco Port Forwarder ActiveX does not get updated automatically

Thanks,

Jeff

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Correct Answer
Jeffrey Schutt Mon, 05/17/2010 - 12:06

Hi Chris,

I haven't seen this same behavior where you must install the RDP plugin ActiveX control multiple times.  Is it possible that you or your IT security admins could be deleting this plugin along with other browser temporary files and objects on a regular basis?  Or maybe your browser is tightly controlled and locked down by an AD GPO.

The best way to get this working is to add the ASA as a trusted site within IE.  By doing this you allow the browser permission to run activex controls and content from the ASA that IE otherwise would classify as a security vulnerability in order to avoid browser exploits.

The ActiveX control is automatically pushed down from the ASA at the time you browse to a url with the format RDP://.  On Windows XP it is saved in C:\WINDOWS\Downloaded Program Files.  You can find all the plugins currently installed in your browser from IE > Tools > Internet Options > General > Browsing History Settings > View objects.

The filename is "CISCO Portforwarder Control".  If you're running a relatively recent ASA image (8.0.5.1,8.2.2, 8.3.1)you should see version 1,0,0,7 pushed down to you.  If you copy the file from an already installed PC you should probably be able to install it on any other PC.  But this shouldn't be necessary as the latest version will be pushed to you upon initiating a webvpn RDP session using the ASA.

The control is called from the ASA software image as opposed to being part of the RDP plugin.  This is why upgrading ASA images gets you past known issues with the using RDP through webvpn such as..

    CSCsx49794 Webvpn: RDP Plugin does not work with ActiveX with large cert chain

and

    CSCtc70548 WebVPN: Cisco Port Forwarder ActiveX does not get updated automatically

Thanks,

Jeff

Christopher Bell Tue, 05/18/2010 - 07:55

Five stars and correct answer!  I should have elaborated a bit though about what happens when we try and right click the browser pop-up and allow the active-x control to install.  It doesn't install the first or second time -- it takes about 3 or 4 times of right clicking it and installing to get it to install.  It's not like it installs and we come back later and it's been removed.

You answered what I needed to know though, and that is where the controll is installed from.  If I can grap the control from the programs directory, I can have it pushed out to the laptops it sounds like.  That will make things so much easier.

Thanks a ton!

Actions

This Discussion