ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss implementation of Web VPNs on Cisco VPN3000 Concentrator with Cisco expert Afaq Khan. Afaq Khan is a customer support engineer at the Technical Assistance Center (TAC) at Cisco Systems Inc. He specializes in VPN involving VPN3000, IOS, PIX FW and third-party products. Afaq has represented Cisco in many virtual Security/VPN seminars. He is a CCIE (#9070) in Routing & Switching, Security and is Cisco SAFE certified. Remember to use the rating system to let Afaq know if you have received an adequate response.

Afaq might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 26. Visit this forum often to view responses to your questions and the questions of other community members.

38 REPLIES
New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

I have encountered an issue when I connect through the WebVPN tunnel to my Microsoft Exchange 2003 HTTP page. I'm able to connect to my other web servers perfectly but unable to get the entire Exchange 2003 window displayed. I have spoken to a person at Cisco and they mentioned it was due to an ActiveX issue with the WebVPN. Is there any workaround, as my firm is keen to enable this function?

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

From my understanding OWA 2003 is not supported in the current version of WebVPN.

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

Unfortunately, OWA 2003 is not supported over WebVPN yet. You're right: the reason is ActiveX/Java (WebDAV), which is not supported at this point.

This is CSCec65416.

My suggestion would be to use the CCO Bug Toolkit, and use the email update option to get a notification when this gets fixed.

best regards,

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi, I have tried to authenticate WebVPN users to Windows 2003 RADIUS (IAS) and it doesn't work. Do you know if it's compatible? Any suggestion to connect it? At the same time, this authentication is working with PPTP users, so is it necessary to modify anything?

I would also like to know: in terms of security, is SSL VPN better, worse, or at the same level as PPTP, IPSec, L2TP?

Thank you very much

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

You should be able to use any RADIUS server that can return the class attribute (OU=group-name;), which the VPN3K uses to find out which group a WebVPN user belongs to, and apply the properties related to that group.

The other important thing you need to make sure of is that that particular RADIUS server is on top under: Configuration -> Authentication -> Servers.

Using the class attribute is outlined here:

http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dd5.html#1002793

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Citrix access.

I have a question regarding access to Citrix servers via WebVPN. It seems that direct access is possible if you use a pre-installed Citrix client on the PC, but access via an Nfuse server isn't.

What is Cisco's position regarding Citrix support for WebVPN? I have been unable to find any reference regarding Citrix support in the Cisco documentation.

Can we expect support for Nfuse in the near future?

Regards

Nils Johansson

CCIE #9122

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

Citrix is not supported at this point, the reason being that it uses higher port numbers randomly; at this time we support applications that use static ports.

Thanks,

Afaq

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

I have set up the WebVPN and I have one issue with firewall admins accessing the NetScreen web interface through the VPN. Either through the WebVPN or SSL VPN the web interface on the NetScreens does not open; it authenticates but doesn't open. From inside the company it works fine. I have worked on this issue with a brand new NetScreen firewall without anything other than an IP address and still the same result. Does the VPN concentrator remove something from the web content?

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

We don't support Java applets/ActiveX (WebDAV) at the moment. If that page has active content, you may have problems. There are some known incompatibilities with JavaScript as well; all is documented here:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/41con3k.htm#409393

(scroll down a bit)

thx

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

I have a 3030 running 4.1.2 and I am having problems getting Exchange 2000 OWA to work. I get prompted for a username/password, then I get the OWA screen but a blank middle with "loading..." in it (but the left and top borders are normal).

It then tells me on the bottom left that it was done but with errors.

line:222 Char:1 Error:'xml' is not an object

Code:0 URL: https://*********

Here is the event log:

2 03/11/2004 16:21:42.020 SEV=5 WEBVPN/1 RPT=114 *.*.*.*
Group [group1] User [user1]
WebVPN session started.

3 03/11/2004 16:21:57.170 SEV=4 HTTP/37 RPT=207
Closing socket 8 for invalid connection 0x9C44540.

4 03/11/2004 16:21:58.750 SEV=4 HTTP/37 RPT=208
Closing socket 7 for invalid connection 0x9C45538.

5 03/11/2004 16:22:13.060 SEV=4 HTTP/37 RPT=209
Closing socket 7 for invalid connection 0x9C4B3E4.

6 03/11/2004 16:23:55.870 SEV=4 HTTP/37 RPT=210
Closing socket 8 for invalid connection 0x9C52DF0.

7 03/11/2004 16:24:25.950 SEV=4 HTTP/37 RPT=211
Closing socket 8 for invalid connection 0x9C5FB40.

8 03/11/2004 16:27:27.430 SEV=4 HTTP/37 RPT=212
Closing socket 8 for invalid connection 0x9C69F80.

Any ideas what is wrong with this?

Thanks,

-Dave

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi Dave,

Please attach all the information, and open up a TAC case to drive this issue to resolution:

1- Have the customer enable Script debugging on the browser then attempt to send mail. If debug messages from the browser are generated, have the customer send a screenshot of the debug output along with the 3000 capture output.

2- Use Capture tool on the VPN3K, and send information for the above tool (basically two files generated by VPN3K, namely, mangled.1 (.2, .3, .4) -and- original.1 (.2, .3, .4)), more info at:

http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dd5.html#1012613

2- Can they send mail if they are not going through WebVPN?

3- What is the size of the mail message(s) that is being sent?

4- Are there attachments associated with the sent mail?

thanks,

afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

First off, the WebVPN feature is very nice... we are testing it with Kerberos authentication and it is working flawlessly. One issue though: we are using something called pubcookie (http://www.pubcookie.org/docs/how-pubcookie-works.html) to provide authenticated access to secure websites. We train our users not to enter their passwords into any other webpages. Using the WebVPN would break this model. Is there any development work to open up the authentication methods for the WebVPN?

Client certs would allow us to get around this limitation, but would be suboptimal when using the service from a public kiosk. We all think that your product has matured very well.

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

Unfortunately, as of now, this feature is not going to work with our WebVPNs. I will try and run it by our development folks for future consideration.

Thanks

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

The VPN concentrator (acting as a proxy for the browsing feature) seems not to be capable of proxying the authentication request while browsing an internal web resource.

The authentication form is not prompted (proxied) by the concentrator, and the client can only browse internal web resources not provided with user authentication.

The error message displayed is the following:

401.2 Unauthorized: Logon Failed due to server configuration

Any hint?

thank you

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

Are you using IIS Windows NTLM authentication on your web server? If yes, IIS with Windows authentication uses NTLM, and it is not supported with WebVPN. This feature has not made it into the 4.1 release but it should make it into the 4.5 release.

thanks

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi Afaq,

Can we use RADIUS authentication for WebVPN client users on VPN3K? If we can, how can we do that?

Thank you.

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

You can use RADIUS and Local authentication for WebVPN client users; primarily you need to make sure of 2 things:

1 - The RADIUS server is on top of the list on 'authentication servers list'

2 - You have configured the RADIUS server to return the "class" attribute with Group name value (OU=)

This way the VPN3K knows which group to apply to the authenticating user.

Details are below:

http://www.cisco.com/warp/public/471/altigagroup.html

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi Mr Khan

My name is Sukrut and I am a network administrator, and I would like to ask you some questions regarding VPN, as we have one enterprise network having branch offices in the entire Gulf and Africa.

I would like to know how my clients from branch offices will access my HO network via VPN when they are connected to the internet by ADSL connection, because at HO we have a Cisco 3600 Series router and at the branches we have ADSL connections to access our centralised ERP application installed at HO.

I will be thankful to you if you guide me to solve this issue.

Regards

Sukrut

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi sukrut,

From your Q, I conclude that you're talking about Cisco VPN client to your Cisco 36xx router VPN connections. My answer is, it depends; let me tell you why:

1 ) It depends on what else you're doing on your router, i.e. other than IPSec

2 ) If you have a HW accelerator card in your router (like AIM-VPN/BP, HP etc.)

It would be difficult to come up with an exact answer as to how many VPN client tunnels your router can support, but you can estimate this in terms of encrypted throughput, as to how much your router can deliver, see here:

http://www.cisco.com/en/US/products/hw/routers/ps259/products_data_sheet09186a0080088750.html

Hope that helps.

thanks,

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

We have a VPN 3030, version 4.1, with WebVPN features enabled.

I would like to use the Microsoft Outlook client through Application process (port forwarding). I am able to use some other applications like Remote Desktop Connection through the port forwarding feature. Could you pls give me a solution for implementing the Outlook client through Application process?

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

I have only found the following reference on CCO for the Outlook client:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1dd5.html#1012415

A bit further down it says: "Client/server application access (port forwarding). Supported applications include:" and then "Outlook/Outlook Express" is listed.

How this is accomplished will be interesting to see...

Regards

Nils Johansson

CCIE #9122

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

What is not supported is "OE to Exchange" using MAPI, as it involves NetBIOS, which can't be run on port forwarding.

Email proxy and OWA work fine.

thx

Afaq

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

Unfortunately, Outlook (Exchange) is not supported currently over WebVPNs. The only way to do this is to configure OWA (Outlook Web Access); OWA 2000 is tested by us, and it seems to work fine.

Thanks,

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

On a VPN 3030 with one SEP (not a SEP-E), increasing the RAM from 128MB to 256MB does not allow more WebVPN sessions (limited to 75). Is there any reason, or do I need a SEP-E installed to increase this limit?

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

To increase the WebVPN sessions on a VPN3030, you would need a SEP-E module; we support 200 sessions (256MB) and 500 (512MB) with one SEP-E installed in this chassis.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/412con3k.htm#wp344307

Thanks

Afaq, CCIE

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Since some issues, e.g. NTLM web authentication, will be solved with newer releases of the Cisco VPN Concentrator IOS, is it possible to know the WebVPN road map?

Thank you

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

There is no defined roadmap; mostly it's driven by what our customers want, and what competitors are supporting.

1 - Full support for OWA 2003

2 - RADIUS w/ Expiry

3 - Java/WebDAV support

4 - More applications (tcp port forwarding support)

etc.

The best way to find out what's new is to read the release notes.

Best Regards,

Afaq

New Member

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Can you point to a specific reference on how/why to configure the port forwarding piece? Not looking for how to get to and fill out the screen, but what the options actually mean. Do I need different ports inside and outside?

Also, is there a projected date when Java might be supported? This is a real show stopper for my environment, and this piece of news wasn't mentioned in the announcements.

Bronze

Re: ASK THE EXPERT-Implementing WebVPNs on VPN3000 Concentrator

Hi,

For a good description of those fields, you should go to:

Configuration | Tunneling and Security | WebVPN | Port Forwarding | Add

and click on "help" at the top of the screen; this pretty much sums up what the fields really mean.

Resolving Java issues is going to take time, but common apps that require Java/JavaScript/WebDAV will see a quicker resolution, as we are working on several Java issues (many DDTS bugs are in the system); you can point to the release notes to have a look.

thx

Afaq

Thanks,

Afaq
