
ASA WebVPN: when will Java and ActiveX be gone and HTML5 be used?

jer0nim0x
Level 1

Hello all,

I am posting this in the Firewalling forum since it is related to ASA.

After reading this (http://www.engadget.com/2016/01/27/oracle-java-plug-in-death/) I was wondering when the ASA will go away from using "exotic" plugins/technologies to perform the WebVPN and use more modern technologies like HTML5 instead.

There are nice open-source products like Guacamole (http://guac-dev.org/) to name only one that show how easy it can be. When will Cisco adopt such a solution and modernize the ASA?

Anyone got a roadmap where WebVPN is headed?

Bye,

Marki

1 Accepted Solution


I tried it and it works pretty well. You have to be aware of bug

Cisco Bug: CSCva86626 - HTML5: Guacamole server requires page refresh

though.


11 Replies

Philip D'Ath
VIP Alumni

I agree!!!

mabernar
Cisco Employee

You should be able to deploy Guacamole directly behind the ASA. In this manner you would just use the ASA for clientless web authentication and then have a URL link to the Guacamole server.

The ASA now supports WebSocket so it can proxy HTML5 just fine. I have tested it with Ericom HTML5 and it works nicely and only took about 15 minutes to set up completely. I will run a test with Guacamole as soon as I have some time and let you know how it works.

Hope this helps.

Mark

I thought about it. However, that would be another software stack which would be somewhat exposed and would need to be taken care of separately.

Also I'm not sure what "now" means. Currently we are stuck with ASA software 9.1 and can't go any further than that.

Hi Mark,

Were you able to test Guacamole? A few weeks ago our team went looking for a robust clientless access method (for customers who couldn't install the AnyConnect client), and also came across Apache Guacamole as a possible solution. Initial testing is showing disconnects and poor performance (or inability to even load the Guac page). We've tried the normal bookmark, proxy bypass and just tried smart tunnel, without success. While googling, I found this page today. We are still working it, but I'm very interested in whether you were able to use Guacamole behind webvpn - and if you could share your relevant ASA webvpn configuration. Thank you.

I have the same (non-working) behavior on an ASA 5520 with software 9.1.7(6). I will try 9.1.7(7) tomorrow as I see some WebVPN bugs were fixed. One should note that there are specific instructions when proxying Guacamole here: https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html Of course, there is no mention of a Cisco ASA ;-) They mainly write about turning proxy buffering off and setting some headers explicitly. For my part, I see my browser accessing 'ping.html' on the ASA when clicking on a connection. Then it hangs.

Actually, IF the guacamole home page loads correctly, then I can click on a connection and if I reload the current page in the browser then the RDP session actually starts. That's a bit tricky.......

Hey Jer0nim0x;

Sorry, I just now saw this. I haven't been able to test Guacamole but plan to soon. I will post my results if I get anywhere. I found Ericom very easy to configure so I was trying to recommend that to a customer.

Mark

I tried it and it works pretty well. You have to be aware of bug

Cisco Bug: CSCva86626 - HTML5: Guacamole server requires page refresh

though.

Thanks for the reply Jer0nim0x;

Did you find any type of config guide for how to set it up with the ASA? I am interested in configuring it but there is not much documentation. Ericom sits on the server and really brokers the HTML5 connection, so I only needed a bookmark on my webvpn server. Is that the case with Guac?

Thanks in advance

Mark

Exactly, you simply use the ASA as a web proxy as you would with any other intranet website that you proxy through the ASA. Except for the mentioned bug, the proxying in principle seems to work OK. Maybe one would need to check on performance, since Guac has fallback mechanisms built in (switches from WebSockets to HTTP tunnel automatically). Maybe using an HTTP tunnel has more performance impact on the ASA, I don't know.

Hi Mark, jer0nim0x - I've just set up webvpn with a test Guacamole server for some testing. I found that once the refresh bug has been worked around, the connection drops frequently on the RDP session. Also, the mouse and keyboard didn't work. Did you have to add any additional plug-ins? I assume you have got further in your testing than this? Failing that I might check the MTU in path to ensure nothing is being dropped or blocked. Any pointers or ideas would be gratefully received.

I assume that your Guacamole setup works fine when not going through WebVPN? In my case I have problems with the keyboard layout, but that is independent of WebVPN.
