
Friday, December 4, 2015

Smart Tunnels and Plug-ins


Extending the Clientless SSL VPN Features
- Plug-ins for remote access
- Smart Tunnel for specific programs

To restrict clientless users, we can filter using webtype ACLs.
If a user wants FTP, CIFS and HTTPS, clientless SSL VPN is great.

If a user wants to access a specific server and use Remote Desktop (RDP) to it, this is not possible with native clientless SSL VPN.

To achieve this, we can install a plug-in on the ASA; the plug-in adds the functionality needed to use RDP.
Assign it to the group the user is a member of, so that when the client connects with SSL VPN the user has the RDP option.

If a user wants an SSH connection to a server on the internal network, we can install the SSH plug-in on the ASA. This also supports Telnet by default.
SSH and Telnet should not be allowed to everyone. We should provide such access only to admins.

For ease of browsing, we can create bookmarks.

Navigate to the path below in ASDM to install a plug-in:

Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> client server plugin

We do not need admin rights to install plug-ins.

We can also restrict users from accessing all these protocols: we can disable the address bar for them and provide specific bookmarks. We can also create a web ACL for a certain group.


Smart Tunnel:

What if a user wants to install an application like RDP locally on the hard disk and communicate with the internal network?
The solution is Port Forwarding, which is the old way, or Smart Tunneling.
When the user communicates with an internal server using RDP, the traffic flows through the tunnel.

Navigate to the path below in ASDM for Smart Tunnel:


Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Smart Tunnel

How to create a message digest for a certain process in Windows:

Open cmd and run:
fciv -sha1 c:\windows\system32\mstsc.exe

Now we need to apply the smart tunnel to a certain group:
group-policy Sales-Group attributes
webvpn
 smart-tunnel enable RDP-local
exit
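
The SHA-1 digest from fciv is only useful while it still matches the executable on the clients, so this added example (not from the original post) audits the smart-tunnel list entries of a saved ASA configuration against a trusted copy of each binary. It assumes entries of the form `smart-tunnel list <list> <app> <path> [platform <os>] [<sha1>]`; the function names, status labels and stand-in file are constructed for illustration.

```python
import hashlib
import re
import tempfile

# Assumed entry form: smart-tunnel list <list> <app> <path> [platform <os>] [<sha1>]
ENTRY = re.compile(
    r"^\s*smart-tunnel list (?P<list>\S+) (?P<app>\S+) (?P<path>\S+)"
    r"(?: platform (?P<os>\S+))?(?: (?P<hash>\S+))?\s*$"
)
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def sha1_of(path, chunk=65536):
    """SHA-1 of a file, the digest that `fciv -sha1 <file>` reports."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def audit(config_text, reference_files):
    """Return (list, app, status) for every smart-tunnel list entry.

    reference_files maps a configured path (lower case) to a trusted copy on disk.
    """
    results = []
    for line in config_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        configured = (m.group("hash") or "").lower()
        reference = reference_files.get(m.group("path").lower())
        if not configured:
            status = "NO-HASH"        # entry carries no integrity check on the binary
        elif not SHA1_HEX.match(configured):
            status = "MALFORMED"      # not a 40-character hex SHA-1
        elif reference is None:
            status = "NO-REFERENCE"   # nothing to compare against
        elif sha1_of(reference) == configured:
            status = "OK"
        else:
            status = "STALE"          # binary differs, e.g. after an OS update
        results.append((m.group("list"), m.group("app"), status))
    return results

if __name__ == "__main__":
    # Constructed stand-in for mstsc.exe so the example runs offline.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed stand-in for mstsc.exe")
    cfg = f"smart-tunnel list RDP-local RDP mstsc.exe platform windows {sha1_of(f.name)}"
    print(audit(cfg, {"mstsc.exe": f.name}))
```

Entries reported as STALE or NO-HASH are the ones to review before re-enabling the list for a group.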