Cisco Support Community
ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Aamir Waheed about IOS WebVPN/Secure Sockets Layer (SSL)-based VPN, an emerging technology that provides remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. Aamir is a technical marketing engineer in Cisco's Security technology group in San Jose. He is responsible for bringing advanced security products to market, building technical marketing collateral and presentations, and designing new product introduction training for Cisco SEs and partners on newly introduced IOS security technologies and platforms. He previously worked as a team lead in the Security and VPN Solutions group with the Cisco Technical Assistance Center (TAC).

Remember to use the rating system to let Aamir know if you have received an adequate response.

Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 24, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

101 REPLIES
New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir,

Thanks for holding this conversation.

My question is related to the PIX/ASA ver. 7.x software. Why is the WebVPN feature not supported on the PIX bundle? Only ASA boxes will support this feature.

Mike

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Mike,

Thanks for your question. I am not aware of the reasons behind the PIX/ASA support. I am sure you can contact your local SE/Cisco Partner for a migration plan from PIX to an ASA to activate the SSLVPN functionality.

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

Gold

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hello Aamir,

I have a question about IOS WebVPN. We would like to use this service only for access to internal websites (no port forwarding etc.). We want to have only a portal of enterprise websites. Is there any way to block the floating toolbar, delete the Start Application Access link and delete the "Enter Web Address (URL)" search box from the WebVPN website?

Thanks for your answer

Milan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Milan,

Thanks for your question. You can configure your IOS routers to only allow clientless website access, while not configuring any port-forwarding etc. The floating toolbar would also provide you specific portal page internal website access if that's the only thing you have configured. Please look at www.cisco.com/go/ioswebvpn for more details and feel free to ask any follow-up question in this regard.

Hope this answers your question.

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN
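A clientless-only IOS SSL VPN configuration for the kind of portal Milan describes, added here as an illustration; it is not part of the original thread or of Cisco's documentation. The gateway address, trustpoint, context and policy names, the AAA list and the intranet hostnames are assumed placeholders. The point it shows: the policy group carries only a url-list, with no port-forward list and no functions file-access or functions svc-enabled, so the portal offers nothing but the bookmarked sites, and hide-url-bar removes the "Enter Web Address (URL)" box so users cannot type arbitrary internal URLs through the gateway.

```cisco
! Added example (not from the thread): clientless-only IOS SSL VPN portal.
! Assumed placeholders: 203.0.113.10, trustpoint SSLVPN-TP, context CORP,
! AAA list SSLVPN-AUTH and the hr/wiki hostnames.
!
! Certificate the gateway presents to browsers. Enroll it with a CA the
! users' browsers already trust, so they are not trained to click through
! certificate warnings.
crypto pki trustpoint SSLVPN-TP
 enrollment terminal
 subject-name CN=vpn.example.com
 revocation-check none
!
aaa new-model
aaa authentication login SSLVPN-AUTH local
!
webvpn gateway CORP-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint SSLVPN-TP
 ! Hardening: drop the RC4/MD5 suite, keep AES and 3DES with SHA-1.
 ssl encryption aes-sha1 3des-sha1
 inservice
!
webvpn context CORP
 title "Corporate Intranet Portal"
 ! Verify the whole server chain when the gateway fetches HTTPS content
 ! on the user's behalf.
 ssl authenticate verify all
 aaa authentication list SSLVPN-AUTH
 !
 ! The only resources users may reach: an explicit bookmark list.
 url-list "intranet"
   heading "Internal sites"
   url-text "HR" url-value "http://hr.example.internal"
   url-text "Wiki" url-value "https://wiki.example.internal"
 !
 policy group portal-only
   url-list "intranet"
   ! Remove the "Enter Web Address (URL)" box from the portal page.
   hide-url-bar
   ! Idle timeout in seconds.
   timeout idle 900
   ! Deliberately absent: port-forward, functions file-access,
   ! functions svc-enabled. Without them there is no thin client,
   ! no CIFS browsing and no full tunnel from this context.
 default-group-policy portal-only
 gateway CORP-GW
 inservice
```

After applying it, show webvpn context CORP confirms the context is in service and show webvpn session context CORP lists logged-in users. Nothing here removes the floating toolbar itself; with only a url-list configured it can only open the bookmarked sites.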

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir, I have a 3640 with 12.4(5) secure IOS. It supports the WebVPN feature. Could you please tell me whether the WebVPN feature on the IOS router is as robust and has all the features compared to the WebVPN in the ASA? I mean, is the IOS WebVPN solution robust and does it have all the features? And is there any advancement in the WebVPN feature in 12.4T; I mean, is there a vast difference, especially in the ISR routers? Please reply. Thank you for holding a discussion on such an important topic.

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

The feature set was revamped in 12.4(6)T advanced security images and provides a rich feature set for any SSLVPN based remote access solution including Endpoint Security and all three access modes.

The Cisco IOS SSLVPN is now supported on the Cisco 870, 1800, 2800, 3700, 3800, 7200 and 7301 routers running Advanced security images of Cisco IOS Software Release 12.4(6)T.

Using the Cisco IOS Advanced Security feature set customers can combine the richest VPN feature set available for site-to-site and remote-access VPNs, with state-of-the-art firewall, intrusion prevention, and extensive Cisco IOS Software capabilities, including QoS, NAT, multicast, extensive WAN interface support, wireless support, dial backup, and advanced routing support. Customers who prefer a standalone security device should use the ASA 7.1 appliance-based solution which has additional SSLVPN features available.

The feature set available on the Routers include:

- Web Content Transformation - Allows access to HTML- and JavaScript-based intranet content for those trying to access Web-based services on the company network

- Citrix access - Allows Citrix clients to use applications running on a remote Citrix server as if they were running locally

- OWA 2000 and 2003 - Allows access to Web E-Mail in OWA for Microsoft Exchange 2000 and 2003 at the central site

- Windows File Sharing (CIFS) - Allows file access to Windows file servers

- SSL VPN Client - Supports virtually any application with a transparent "LAN-like" user experience, providing comprehensive application support.

- Java-Based Application Helper - Supplements clientless access by providing connectivity to non-Web applications such as e-mail, Instant Messaging, Microsoft Outlook Calendar, and client-initiated TCP-based applications such as Telnet

- Advanced Endpoint Security - Cisco Secure Desktop as part of WebVPN provides advanced endpoint security, offering data theft prevention even on noncorporate devices.

- WebVPN deployment is simple with Cisco Router and Security Device Manager (SDM) wizards. Cisco SDM 2.3 also does real-time monitoring and management of SSL VPN sessions.

Get more details in the Datasheet & FAQs at www.cisco.com/go/ioswebvpn

Hope this detailed reply helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir, thanks for the detailed info. So the features you mentioned are also available in the ASA? For SSL VPNs I need a browser which supports SSL, right? Then why should I use the SSL VPN client? What are the benefits I get from using the SSL VPN client? In the 1800 series router, is there support for stateful HSRP with IPsec VPNs? Because in the datasheet it mentioned stateful firewall failover; could you please explain what that means? I am new to SSL VPNs. Is there good documentation on the actual working of SSL VPNs? Please help me with the above queries. Thank you.

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

Thanks for your questions. I will answer your questions in order. The ASA does have the SSLVPN capability as part of the ASA v7.1 release which will have all of the features I had mentioned and for more detail on that feature set check out: http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_book09186a008054c15c.html

If you are not too familiar with SSLVPN, I would recommend using ASDM which can be downloaded by registered users at: http://www.cisco.com/kobayashi/sw-center/ciscosecure/asa.shtml

Now, for users who only need website intranet access like OWA or clientless Citrix access, we can get that on both ASA & IOS without requiring the SSLVPN Client (SVC). Power users familiar with IPSec and requiring IPSec-LAN-like access when using SSLVPN would use the SVC client to access their corporate resources just like they were sitting in the office. And the SVC client is downloaded as part of the initial SSLVPN connection using just the web browser, so there is no administrative overhead to pre-load the SSLVPN client on the remote PCs connecting.

The IOS Routers do support Stateful HA for IPSec and IOS FW, get more details on Router based Security at http://www.cisco.com/go/routersecurity

Also to read more on SSLVPNs go to: http://www.cisco.com/go/ioswebvpn

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir, thanks for the info. Could you please tell me: as you said, the SSL client will be downloaded from the SSL gateway to the browser of the user, right? But even with that, SSL VPN can only support applications supported by the browser. Then how would that SSL client help the end user? Please explain. On the Cisco website download center there is SSL VPN client software, like the VPN client software. What is that used for and how do I use it? Thank you for all your time and patience.

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

S> Could you please tell me: as you said, the SSL client will be downloaded from the SSL gateway to the browser of the user, right? But even with that, SSL VPN can only support applications supported by the browser. Then how would that SSL client help the end user?

AW> Actually the browser would just make the initial connection, and if the SSLVPN gateway is configured for you to use the SSLVPN Client then the client application will be downloaded to your PC and installed. If the gateway policy allows you to keep the client installed then it will remain on your PC, and for all the subsequent connections you will only be downloading any new policy the gateway has for you, but the actual application will still reside on the PC. You do require admin rights on the PC for the SSLVPN client download/install to happen.

S> Please explain. On the Cisco website download center there is SSL VPN client software, like the VPN client software. What is that used for and how do I use it?

AW> You will be putting the SSLVPN client file on the router (SSLVPN gateway) flash and then referencing it within your SSLVPN configuration. This way, whenever an end PC tries to connect to the SSLVPN gateway, the client will be pushed down to the PC from the gateway.

Please look through the FAQs at www.cisco.com/go/ioswebvpn to get more clarification or feel free to ask additional questions.

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir, thanks a lot. You mean to say that without the SSL VPN client software on the SSL gateway I can only access applications which can be accessed via a web browser? With the SSL client you mean to say I can connect to any other applications, like Telnet, also via SSL? I have a 3640 with 12.4 secure IOS which supports WebVPN. How do I load the SSL VPN client into the flash? Please help me with the configuration. Thank you once again.

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

The newly available Cisco IOS WebVPN/SSLVPN feature set is only supported on the Cisco 870, 1800, 2800, 3700, 3800, 7200, and 7301 routers running Advanced security images of Cisco IOS Software Release 12.4(6)T.

With the SSLVPN client you will have LAN like access which means you can access all applications not just the webified applications.

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir, OK, so you mean to say that first I have to install the SSL VPN client on the gateway, then connect to it via a browser, and then it would be like IPsec VPN client access, in that I can access any application, but the security will be SSL encryption, right? So it can support the applications that are not running on SSL; is that what you mean to say? The client will have an SSL-encrypted session up to the gateway and then will access the inside applications in clear text; am I right? Thank you, and sorry to bug you with so many questions, because I am totally new to the WebVPN thing. Thank you once again. Waiting for your reply.

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

You are absolutely right in your understanding. One thing to mention here is, once you have the SSLVPN client (SVC) loaded on the gateway and you connect using the browser, the <250k SVC client will be downloaded to your PC and you can then use it for all the applications to communicate through the SSLVPN tunnel, just like you would through an IPSec tunnel (LAN-like access). Feel free to ask questions till you get full clarification on how it works.

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN
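The full-tunnel setup the last few posts describe (SVC package on flash, pushed to the PC at connect time, LAN-like access afterwards), written out as an added IOS 12.4(6)T example that is not from the thread or from Cisco's documentation. The package file name under flash:, the gateway address, the address pool, the RADIUS and DNS server addresses, the ACL and all names are assumed placeholders. Beyond what the posts say, it adds the two controls a practitioner would want with "LAN-like" access: a split-tunnel list so only corporate prefixes enter the tunnel, and a tunnel filter so the pool addresses are not simply trusted everywhere inside.

```cisco
! Added example (not from the thread): SSL VPN Client (SVC) full tunnel.
! Assumed placeholders: flash:/webvpn/svc.pkg, 203.0.113.10, pool
! 10.99.0.0/24, RADIUS 10.0.0.5, DNS 10.0.0.53, trustpoint SSLVPN-TP.
!
! 1. Copy the SVC package downloaded from cisco.com onto flash, e.g.
!    copy tftp://10.0.0.20/sslclient-win.pkg flash:/webvpn/svc.pkg
!    then register it so the gateway can push it to connecting PCs.
webvpn install svc flash:/webvpn/svc.pkg
!
! 2. AAA: RADIUS first, local fallback for break-glass access.
aaa new-model
aaa authentication login SSLVPN-AUTH group radius local
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key REPLACE-WITH-STRONG-SECRET
!
! 3. Addresses handed to the SVC virtual adapter on the PC.
ip local pool SVC-POOL 10.99.0.10 10.99.0.250
!
! 4. Least privilege inside the tunnel: pool addresses may reach the
!    10.0.0.0/16 server network only; everything else is dropped and logged.
ip access-list extended SVC-USERS
 permit ip 10.99.0.0 0.0.0.255 10.0.0.0 0.0.255.255
 deny   ip any any log
!
webvpn gateway CORP-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
webvpn context CORP
 aaa authentication list SSLVPN-AUTH
 !
 policy group full-tunnel
   ! Allow the SVC; "functions svc-required" would instead refuse
   ! users who cannot install it (no admin rights on the PC).
   functions svc-enabled
   svc address-pool "SVC-POOL"
   svc dns-server primary 10.0.0.53
   svc default-domain "example.internal"
   ! Split tunnel: only 10.0.0.0/8 goes through the SSL tunnel.
   svc split include 10.0.0.0 255.0.0.0
   ! Leave the client on the PC so later logons only fetch new policy.
   svc keep-client-installed
   ! Renew session keys every hour (seconds).
   svc rekey time 3600
   ! Apply the access filter to traffic arriving from the tunnel.
   filter tunnel SVC-USERS
 default-group-policy full-tunnel
 gateway CORP-GW
 inservice
```

Two caveats worth keeping in mind with this design. The RADIUS leg between the router and 10.0.0.5 carries the user's password in the User-Password attribute (PAP-style, obscured only with the shared secret), so that path belongs on a trusted network segment with a long random secret, even though the user-to-gateway leg is inside SSL. And because the client is installed with admin rights at first connect, whatever policy the gateway pushes later (pool, split list, filter) is what bounds the user; a missing filter tunnel line really does mean LAN-like access to everything the router can route to.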

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hello,

The IOS WebVPN features sound fantastic, but I need to know how non-web-based software will be supported.

Please give an insight into what the user experience will be for a non-web-based application resident on a server behind the IOS WebVPN router.

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Is there a VPN client for the Macintosh, running O/S 9? Thanks.

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Diane,

We do have an IPSec client available for Mac OS X, Version 10.2.0 or later, for which you can find details at: http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/tsd_products_support_series_home.html

As for the SSLVPN client which works with CVPN3000/ASA & IOS Routers we only support Microsoft Win2k & WinXP OS at this time. You can get more details in the SSLVPN Client FAQs at http://www.cisco.com/go/ioswebvpn.

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hello, we are using WebVPN with a Cisco VPN 3005 Concentrator (version 4.7.2E). The users are authenticated with a RADIUS server. The VPN concentrator is using PAP for this authentication and I don't find a way to change it. With PPTP, IPSec or L2TP you can change to CHAP or MS-CHAPv1 or v2, but with WebVPN I don't find a way to change it.

Do you know if it is possible to change it?

Does IOS WebVPN support MSCHAPv2 to authenticate users with a Radius Server?

Thanks

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Prats,

Thanks for your question. I think with PPTP, IPSec & L2TP you can use the PPP-based protocol options with RADIUS, but with SSLVPN, CHAP and MSCHAPv1 or v2 are not supported yet, and I don't think there is any plan on adding support for these.

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir:

Is there a how-to for configuring WebVPN on ASA devices? How about through the GUI? I've been searching and I'm not able to find a discrete guide.

Thanks!

Steve

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Steve,

You can find details on the ASA 7.1 feature set which has the SSLVPN capability in it at: http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_book09186a008054c15c.html

Also for all IOS SSLVPN related information you can go to: www.cisco.com/go/ioswebvpn

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Steve,

Additionally for ASA the GUI Device Manager called ASDM does support SSLVPN starting v5.1.1 which can be downloaded by a registered user at: http://www.cisco.com/cgi-bin/tablebuild.pl/asa

For the IOS Routers the GUI Device Manager called SDM will support SSLVPN starting v2.3 which will be available for download in April'06 by a registered user at: http://www.cisco.com/cgi-bin/tablebuild.pl/sdm

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

Silver

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir,

What features are available in Cisco IOS Software Release 12.4 (6)T for Cisco IOS WebVPN?

Thanks,

Tom

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

The WebVPN in Cisco IOS Software Release 12.4(6)T supports two functional modes, clientless access (which includes the Java applet) and the SSL VPN client, along with Cisco Secure Desktop and virtualization support:

· Clientless WebVPN—Clientless mode provides secure access to private Web resources and to a company’s intranet sites. This mode is useful for accessing most content that you would expect to use within a Web browser, such as Web browsing, databases, or online tools that employ a Web interface.

[IOS WebVPN feature support in Advanced security 12.4(6)T]

- HTTP and HTTPS access - Gives access to those trying to reach Web-based services (HTTP and HTTPS) on the corporate site.

- Clientless Citrix - Allows a Citrix client to use applications running on a remote Citrix server as if they were running locally.

- Outlook Web Access (OWA) 2000 and 2003 - Web e-mail in OWA for Microsoft Exchange 2000 and 2003; requires a Microsoft Outlook Exchange Server 2000/2003 at the central site.

- Windows file sharing - Common Internet File System (CIFS) - Allows file access to Windows file servers.

- TCP Application Helper (port-forwarding Java applet) - The application helper extends the capability of the cryptographic functions of the Web browser to enable remote access to TCP-based applications such as Post Office Protocol 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Mail Access Protocol (IMAP), Telnet, Secure Shell (SSH) Protocol, etc.

· SSL VPN Client (full network client WebVPN)—Full network client mode offers extensive application support through its dynamically downloaded SSL VPN client for WebVPN. With the Full Network Client for WebVPN, Cisco delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client (switched virtual circuit [SVC]) that allows network-layer connectivity access to virtually any application.

· Cisco Secure Desktop support—The Cisco Secure Desktop creates a secure vault for user data during the WebVPN session and is later cleaned up from the end-user PC. Transparent to the end user, it automatically creates a secure session under Microsoft Windows 2000 or XP (supported only in Windows).

· Virtualization and VRF support—VPN routing and forwarding (VRF), which creates virtualization, can be used to create various customer or departmental contexts that can have different configuration, while still using overlapping address space.
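The two clientless-mode features in the list above that need configuration beyond a bookmark, the port-forwarding Java applet and CIFS file access, shown as an added IOS 12.4(6)T example that is not from the thread or from Cisco's documentation. The context name, the internal mail, jump and file server names, the WINS address and the local port numbers are assumed placeholders.

```cisco
! Added example (not from the thread): thin-client port forwarding and
! CIFS file access in an IOS SSL VPN context. Assumed placeholders:
! context CORP, the *.example.internal hosts, WINS 10.0.0.30, local ports.
webvpn context CORP
 ! Each entry is a loopback port the Java applet opens on the user's PC;
 ! the applet relays that port over the SSL session to the named internal
 ! server and port. Only the listed server/port pairs are reachable, which
 ! is the whole access control for this mode: keep the list short.
 port-forward "thin-client"
   local-port 3110 remote-server "mail.example.internal" remote-port 110 description "POP3"
   local-port 3025 remote-server "mail.example.internal" remote-port 25 description "SMTP"
   local-port 3022 remote-server "jump.example.internal" remote-port 22 description "SSH"
 !
 ! NetBIOS name server used to resolve Windows file servers for CIFS.
 nbns-list "corp-wins"
   nbns-server 10.0.0.30 master
 !
 policy group thin-client
   port-forward "thin-client"
   ! CIFS: enable file access, directory browsing and manual share entry.
   functions file-access
   functions file-browse
   functions file-entry
   nbns-list "corp-wins"
 default-group-policy thin-client
```

With this policy the user's mail client is pointed at 127.0.0.1 on ports 3110/3025 and an SSH client at 127.0.0.1:3022 while the applet runs; the router connects onward to the real server in clear text, as described elsewhere in the thread, so the file and mail servers themselves need no SSL. Note that the CIFS session from the router to the file server uses the credentials the user types into the portal, so the router should sit on a network path where that traffic is not exposed.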

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir, can you tell me: if I have a web server running on HTTP and I have an SSL client connecting to the SSL VPN gateway, the client will have a secure SSL connection up to the SSL gateway, which then, after decrypting, sends the request in clear text to the HTTP server. My question is, do we need to have SSL applications, or can we have normal applications and have clients connect to an SSL gateway? Please explain. Thank you.

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

Your understanding regarding the functioning of SSLVPN is absolutely correct. Once the packet arrives at the gateway and gets decrypted, the decrypted packets will go to the inside server via HTTPS or HTTP, depending upon how you would like to access it. You do not need to have SSL turned on on the inside servers to access them through the WebVPN tunnel. You can safely access even the internal HTTP servers, as the packets will already be encrypted till your gateway and once decrypted will become HTTP packets to get to your inside web servers.

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Thank you, Aamir, for your detailed explanation. Thanks a lot; I am really getting a good hang of it talking to you.

Can you please explain one more thing: do the 1800 series ISR routers support HSRP over VPN with stateful failover, and what does the stateful firewall failover feature mean in the 1800 series router? I know this is off topic, but if you can please explain, that will help me a lot.

Thank you

sebastan

Cisco Employee

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Sebastan,

As far as I know, the stateful failover capability is supported only on the 3700, 3800 & 7200/7301 routers. The 1800 datasheet talks about some other options to attain high availability (failover) with the 1800, for which you can look at: http://www.cisco.com/en/US/partner/products/ps5853/products_data_sheet0900aecd8028a95f.html

I would suggest still getting it clarified on the right forum, as I am definitely not an expert on this technology.

Hope this helps,

Thanks and Regards,

Aamir Waheed

CCIE#8933

Technical Marketing Engr.

IOS SSLVPN/WebVPN

New Member

Re: ASK THE EXPERT – DEPLOYING IOS WEBVPN/SSL VPN

Hi Aamir,

What platforms does Cisco IOS SSL VPN or WebVPN support?

Thanks,

Lisa
