Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1364
Views
0
Helpful
0
Replies

Does Anyconnect support multiple user connections hitting ASA from a single source IP due to a corporate proxy?

pattyj
Level 1
Level 1

‎09-09-2010 01:38 PM - edited ‎02-21-2020 04:50 PM

Hi All,

Does Anyconnect support multiple connections hitting ASA from a single source IP due to a corporate proxy?

This seems to be a limitation with a clientless configuration if I understand this link correctly?

============================================================================================

The adaptive security appliance does not support the following features for Clientless SSL VPN connections:

• NAT, reducing the need for globally unique IP addresses.

• PAT, permitting multiple outbound sessions appear to originate from a single IP address.

===================================================================================

Scenario: SSL VPN Clientless Connections

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/web_vpn.html#wpxref65106

Security Considerations for Clientless SSL VPN Connections

Clientless SSL VPN connections on the adaptive security appliance differ from remote access IPsec connections, particularly with respect to how they interact with SSL-enabled servers and the validation of certificates.

In a Clientless SSL VPN connection, the adaptive security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the adaptive security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, so therefore it cannot examine and validate the certificate.

The current implementation of Clientless SSL VPN on the adaptive security appliance does not permit communication with sites that present expired certificates. Nor does the adaptive security appliance perform trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.

To minimize the risks involved with SSL certificates:

1. Configure a group policy that consists of all users who need Clientless SSL VPN access and enable it only for that group policy.

2. Limit Internet access for Clientless SSL VPN users, for example, by limiting which resources a user can access using a clientless SSL VPN connection. To do this, you could restrict the user from accessing general content on the Internet. Then, you could configure links to specific targets on the internal network that you want users of Clientless SSL VPN to be able to access.

3. Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a Clientless SSL VPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.

The adaptive security appliance does not support the following features for Clientless SSL VPN connections:

• NAT, reducing the need for globally unique IP addresses.

• PAT, permitting multiple outbound sessions appear to originate from a single IP address.

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents