ASA - SSL VPN SMART TUNNEL

Oct 13, 2009 2:45 AM

A smart tunnel is a connection between a TCP-based application and a private site, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the adaptive security appliance as a proxy server. You can identify applications to which you want to grant smart tunnel access, and specify the local path to each application. For applications running on Microsoft Windows, you can also require a match of the SHA-1 hash of the checksum as a condition for granting smart tunnel access.

Lotus SameTime and Microsoft Outlook Express are examples of applications to which you might want to grant smart tunnel access.

Configuring smart tunnels requires one of the following procedures, depending on whether the application is a client or is a web-enabled application:

Create one or more smart tunnel lists of the client applications, then assign the list to the group policies or local user policies for whom you want to provide smart tunnel access.

Create one or more bookmark list entries that specify the URLs of the web-enabled applications eligible for smart tunnel access, then assign the list to the Dynamic Access Policies (DAPs), group policies, or local user policies for whom you want to provide smart tunnel access.

You can also list web-enabled applications for which to automate the submission of login credentials in smart tunnel connections over clientless SSL VPN sessions.

The remote host originating the smart tunnel connection must be running Microsoft Windows Vista, Windows XP, or Windows 2000, and the browser must have Java, Microsoft ActiveX, or both enabled. Support for Windows 7 with IE 8.0 and for Mac OS X 10.6.x with Safari 4.x will be added in release version 8.3 (to Beta in late fall 2009).

Please refer to the Smart Tunnel Configuration Guide for details on setup and applicability.

I. Smart Tunnel capabilities as of ASA version 8.2.x:

  • Smart tunnel is an all-or-nothing operation: once you turn it on for a specific process or for a specific bookmark, all traffic for that process (and for the browser you used to initiate the Clientless SSL session) will go through the ASA.

Example: Enable the ST option for a process or within bookmark #1 (which hooks the IE instance used to initiate the session). Opening a separate IE browser instance will tunnel all of its traffic through the ASA if the new browser window belongs to the same process. Traffic from all tabs of this browser will be smart tunneled, even for bookmarks (e.g. bookmark #2) that are not specifically smart tunneled. You must use a different browser (e.g. Firefox) in this case if you want some of your traffic (e.g. bookmark #2) not to be smart tunneled.

Note: Smart-tunnel split-tunneling capability will be available in the next major ASA release, 8.3.1 (to go to Beta in late fall 2009).

  • Smart Tunnel doesn't require administrative user privileges to be run.
  • Smart tunnel is turned off only when you log out of the Clientless SSL VPN portal page. This is the behavior as of ASA 8.2.1. From 8.3.1 onwards, on Windows, Smart Tunnel will be turned off once all browser windows (note: not tabs, but all browser windows) have been closed. Alternatively, in 8.3.1 the admin can choose to provide a logout icon so that the session can survive closing all browsers while the user can still log out from the icon.

  • The browser must have either MS ActiveX (IE environments) or Java (Firefox, IE, or other Java-supporting browsers), or both, enabled.
  • It tries installing using ActiveX first, and then falls back to Java.
  • Think of Smart-Tunnels as a specialized "port-forwarder", a thin-client. Smart Tunnel uses applications or web bookmarks for the configuration. Port Forwarding uses ports for the configuration.
  • When either the core Clientless SSL VPN (CTE) or the AnyConnect full-tunnel client is not a deployment option, Smart Tunnels should be considered.
  • As of ASA versions 8.0.4, 8.1.2, and 8.2.x, Smart Tunnel is supported only on 32-bit Windows 2000/XP/Vista and Mac OS X 10.4 and 10.5. Smart Tunnel will be supported on 64-bit Windows (including Windows 7) and Mac OS X 10.6 in ASA 8.3.1.

http://www/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1096902

  • Smart Tunnels do not currently support .NET applications (CSCsv29942). By .NET application we mean an .exe binary developed using .NET, nothing else, and in particular not a web service developed with .NET.
  • Native Microsoft Outlook can connect via Smart Tunnels as of ASA version 8.4
  • Beginning with JRE 6 Update 10, Java starts differently from standard practice. Consequently, a user's smart-tunnel enabled browser freezes if they open a website containing a Java applet and JRE 6 Update 10 or later is installed on their computer. If you are using JRE 6 Update 10 or later, you need ASA image version 8.0.4 22 or later. For ASA versions earlier than 8.3, to make Java applets functional in a smart-tunnel enabled browser, go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels > Smart Tunnels, and add the following processes to the smart tunnel lists:
program, java.exe, jp2launcher.exe
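As an added example (not from the original document), the ASA 8.2 CLI equivalent of the two-step procedure described at the top of the page (build a smart tunnel list of client applications, then assign it to a group policy), which also adds the Java launcher processes listed above. The list names, group-policy name, application paths, the auto-signon host and the SHA-1 placeholder are assumed.

```text
! Added example, not from the original document. List/policy names, paths,
! the hostname and the <SHA1-...> value are assumed placeholders.
! Step 1 (webvpn mode): a smart tunnel list of client applications.
!   smart-tunnel list <list> <app-name> <path> [platform windows|mac] [sha1-hash]
!   (platform defaults to windows; the hash is optional).
webvpn
 smart-tunnel list ST-APPS Sametime connect.exe
 ! Outlook Express, granted only if the binary's SHA-1 matches the hash of a
 ! trusted copy (compute it offline, e.g. sha1sum msimn.exe, and paste the digest).
 smart-tunnel list ST-APPS OutlookExpress msimn.exe <SHA1-OF-TRUSTED-MSIMN-EXE>
 ! Java launcher processes required on pre-8.3 images so that Java applets
 ! do not freeze a smart-tunnel enabled browser (JRE 6 Update 10 and later).
 smart-tunnel list ST-APPS java java.exe
 smart-tunnel list ST-APPS jp2launcher jp2launcher.exe
 ! Optional: hosts whose login forms are auto-submitted over the tunnel.
 smart-tunnel auto-signon ST-SSO host intranet.example.com

! Step 2: assign the list to the group policy of the users who get access.
! Remember the all-or-nothing rule: every connection of a listed process,
! and of the browser that started the session, now goes through the ASA.
group-policy ST-USERS attributes
 webvpn
  ! "enable" lets the user start the tunnel from the portal; use
  ! "smart-tunnel auto-start ST-APPS" instead to start it at login.
  smart-tunnel enable ST-APPS
  smart-tunnel auto-signon enable ST-SSO
```

Verify the result with show running-config webvpn and show running-config group-policy ST-USERS before handing the policy to users.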

II. Smart Tunnel capabilities being introduced in ASA version 8.3.x (to Beta in late fall 2009)

  • Add support for 64-bit Windows (including Windows 7) and 32-bit and 64-bit Mac OS X 10.6
  • Logout SSL VPN session (when closing all browser types that initiated the session) or via Logout-icon in task bar/message area
  • Split-tunneling
  • Statistics for the smart-tunnel in the Clientless SSL VPN portal