Chapter 10: Designing and Building SSL Remote Access VPNs (WebVPN)

Cisco Press

1 2 3 4 5 6 7 8 Page 3
Page 3 of 8

The certificate that the VPN gateway uses to identify itself is shown under the SSL Certificates heading (public interface) in Administration > Certificate Management (see Figure 10-15).

By default, the SSL certificate for the public interface is self-generated (it is not obtained from a CA). Although it is okay to use this certificate for testing, it is usually a good idea to enroll the VPN 3000 concentrator with a CA and obtain a certificate to use for the SSL handshake.

Obtain the CA's certificate, and then click Enroll under the Actions section under the SSL Certificates heading (public interface) to obtain a certificate for the SSL handshake. Obtaining the CA's certificate and enrolling with the CA can be achieved using the procedures described previously in Chapter 8, "Designing and Implementing L2TPv2 and L2TPv3 Remote Access VPNs," and Chapter 9, "Designing and Deploying IPsec Remote Access and Teleworker VPNs."

figure 10.15

Figure 10-15

SSL Certificate

Note that during the SSL handshake, client web browsers will display a warning concerning the certificate(s) sent by the VPN gateway. Users can bypass this warning simply by clicking in the affirmative when asked whether the certificate should be accepted. If you do not want this warning to display, you can install the certificate of the CA with which the VPN gateway enrolled into the certificate store of the browser.

Step 2: Enable WebVPN for Relevant User Groups

The next step is for WebVPN to be enabled for relevant user groups. As shown in Figure 10-16, this is simply accomplished by going to Configuration > User Management > Groups, choosing the relevant group, clicking Modify Group, choosing the General tab, and checking the WebVPN box under Tunneling Protocols.

Step 3: Specify Acceptable Versions of SSL and Configure Cryptographic Algorithms Associated with SSL Cipher Suites (Optional)

Next, it is a good idea (although optional) to go to Configuration > Tunneling and Security > SSL > Protocols, and specify acceptable versions of SSL as well as cryptographic algorithms associated with SSL cipher suites (see Figure 10-17).

figure 10.16

Figure 10-16

Enabling WebVPN for Relevant User Groups

figure 10.17

Figure 10-17

Specifying Acceptable Versions of SSL, as Well as Cryptographic Algorithms Associated with SSL Cipher Suites

As you can see in Figure 10-17, the encryption (and hashing) algorithms associated with cipher suites that you can enable are 3DES-168/SHA, RC4-128/MD5, DES-56/SHA. By checking or unchecking these, an administrator can control the algorithms associated with the cipher suite that is accepted by the VPN gateway (and sent in the ServerHello message to the client). In Figure 10-17, only 3DES-168/SHA is enabled.

It is also possible to specify which versions of SSL that the VPN gateway will accept or negotiate with clients by choosing the appropriate option in the drop-down box. SSLv2 has a number of well-known vulnerabilities, and so, unsurprising, the VPN 3000 concentrator supports only SSLv3 and TLS.

Note - When deciding which versions of SSL to accept or negotiate, it is important to note that although most recent versions of popular web browsers support both SSLv3 and TLS (and often SSLv2), some browsers do not have TLS enabled by default.

For example, TLS is not enabled by default in Internet Explorer 6.0 (SSLv2 and SSLv3 are). TLS (v1.0) can be enabled in Internet Explorer 6.0 by going to Tools > Internet Options > Advanced and checking it under Security. In Internet Explorer 7.0, on the other hand, SSLv3 and TLS are enabled by default, while SSLv2 is disabled.

Firefox 1.0 supports SSLv2, SSLv3, and TLS (v1.0) by default.

In summary, if possible, it is a good idea to establish which types of browser users will be connecting from. If this is not possible (if users will be connecting from Internet cafes, and so on), it is a good idea to accept or allow the negotiation of SSLv3 (and optionally TLS).

In Figure 10-17, the VPN gateway has been configured to negotiate either SSLv3 or TLS with clients.

Finally, it is possible to configure the interval at which the VPN gateway will rekey (establish new cryptographic keys) with workstation running the Cisco SSL VPN Client. You can find more information on the Cisco SSL VPN Client later in this chapter.

Step 4: Enable SSL on the VPN 3000 Concentrator's Public Interface

The last of the basic steps is enabling SSL on the public interface of the Cisco VPN 3000 concentrator. This can be achieved by going to Configuration > Interfaces, clicking the public interface, and then choosing the WebVPN tab (see Figure 10-18).

As shown in Figure 10-18, it is possible to enable SSL on the public interface by allowing HTTPS, POP3S, IMAP4S, and SMTPS.

figure 10.18

Figure 10-18

Enabling SSL on the Public Interface

To enable SSL for basic features such as access to file and HTTP servers, as well as TCP application access via port forwarding, you must check the Allow WebVPN HTTPS sessions box.

If proxy e-mail access is also required, you must also check the Allow POP3S sessions, Allow IMAP4S, and Allow SMTPS sessions boxes as appropriate. POP3 and IMAP4 can be used for inbound e-mail access, and SMTP is used for outbound e-mail—you should check the boxes according to which protocols are used by your e-mail clients and servers.

Another useful option is Redirect HTTP to HTTPS. If this box is checked, the VPN concentrator will cause the browsers of remote access user who type http://ip_address_or_name_of_VPN_concentrator to instead access the Cisco VPN 3000 concentrator using HTTPS (https://ip_address_or_name_of_VPN_concentrator).

It is also a good idea to navigate to Configuration > Tunneling and Security > SSL > HTTPS and verify that HTTPS is enabled (the default), the TCP port used for HTTPS, and to enable client authentication if desired.

figure 10.19

Figure 10-19

Configuring Additional Basic SSL Options

The HTTPS configuration options shown in Figure 10-19 are as follows:

  • Enable HTTPS—This option, if checked, enables HTTP over SSL (the default).

  • HTTPS Port—This is used to specify the TCP port used for HTTPS (default 443).

  • Client Authentication—This option, if checked, configures client authentication with the RSA handshake.

  • Note that when client authentication is enabled, the client must obtain the certificate of CA and also obtain an identity certificate.

    See the section, "Understanding the SSL RSA Handshake with Client Authentication" earlier in this chapter for more information on this topic.

Configuring File and Web Server Access via SSL Remote Access VPNs

One of the most basic levels of access that you can enable via an SSL remote access VPNs is file and/or web server access.

To enable file server access, it is necessary to complete the following tasks:

Step 1 Configure one or more NetBIOS name servers.

Step 2 Configure WebVPN file servers and shares.

Step 3 Enable file access for the WebVPN user group(s).

Step 1: Configure One or More NetBIOS Name Servers

You can accomplish configuration of a NetBIOS name server by going to Configuration > System > Servers > NBNS (see Figure 10-20).

figure 10.20

Figure 10-20

Configuring NBNS Addresses

The first step is to enable NBNS by checking the Enabled box.

Next, you can choose WINS or Master Browser in the Server Type drop-down box.

The IP addresses of primary, secondary, and tertiary NBNS servers can then be configured in the appropriate boxes.

Finally, you can configure the timeout period in seconds, as well as the number of timeout retries. Unless you have a good reason, it is a good idea to leave these at their defaults (2 and 2).

Step 2: Configure WebVPN File Servers and Shares

To configure server names and shares for users to access, go to Configuration > Tunneling and Security > WebVPN > Servers and URLs > Add.

Figure 10-21 shows the configuration of file access for SSL remote access VPN users.

figure 10.21

Figure 10-21

Configuring File or Web Server Access

You can type a description of the file or web server in the Name box. This description appears on the WebVPN home page when SSL remote access VPN users successfully authenticate on the VPN 3000 concentrator.

In the Server Type drop-down box, you can choose the server type (either Common Internet File System [CIFS], HTTP, or HTTPS). CIFS is based on the Server Message Block (SMB) protocol and can be used to request file and print services from Windows or other servers.

You must then specify the name of the server or share in the Remote Server box. When using CIFS, you must specify the server name or share in the //server/share format.

When all the boxes have been completed, click the Apply box.

Step 3: Enable File and URL Access for the WebVPN User Group(s)

After server names and shares have been configured, the next step is to enable file access under the appropriate group or groups.

Under Configuration > User Management > Groups, choose the appropriate group, click Modify Group, click the WebVPN tab, and you will see the page shown in Figure 10-22.

figure 10.22

Figure 10-22

Enabling File and/or Web Server Access Under Group Settings

Check the Enable File Access box to enable (appropriately enough) file server access.

Checking the Enable File Server Browsing box allows users to browse files and folders on servers (server file and folder permissions permitting).

It may also be a good idea to check the Enable File Server Entry box to place server names or file paths on the home page of SSL remote access VPN users.

When a user connects to the VPN 3000 concentrator and authenticates, he/she will see the share listed in the home page (see Figure 10-23).

Figure 10-23 shows file shares, including in the one created in Figure 10-21. By clicking these links, the remote access VPN user will be able to access those resources (see Figure 10-24).

figure 10.23

Figure 10-23

Accessible File and Web Servers

figure 10.24

Figure 10-24

Accessing Files on a File Server

As shown in Figure 10-24, it is possible (file server and VPN 3000 concentrator configuration permitting) to browse files and folders, open, create, rename, and copy files to the server.

Note - The Java Runtime Environment (JRE) version 1.4 or later must be installed on client workstations for file access to function correctly.

It is also worth noting that it might be necessary to modify local policies on a Windows 2003 domain controller when configuring file access. Specifically, it might be necessary to open the Domain Controller Security Policy (found under Administrative Tools) and under Local Policies > Security Options disable the Microsoft network server: Digitally sign communication (always) policy (right-click and choose Properties).

Figure 10-25 shows modification of the Microsoft network server: Digitally sign communication (always) policy.

figure 10.25

Figure 10-25

Modifying Security Options on a Windows 2003 Domain Controller

Configuration of URL access is similarly configured as follows:

Step 1 Configure HTTP/HTTPS proxy server addresses as required.

Step 2 Configure URLs under Configuration > Tunneling and Security > WebVPN, click Servers and URLs (see Figure 10-21), click Add, and then add a URL. The server type should be specified as HTTP or HTTPS as appropriate.

Step 3 Enable URL entries under Configuration > User Management > Groups, choose the appropriate group, click Modify Group, choose the WebVPN tab (see Figure 10-22), and check Enable URL Entry.

It is possible to control remote users' web access by configuring HTTP/HTTP proxy server addresses on the VPN 3000 concentrator. In this case, HTTP/HTTPS connections from remote users are forwarded from the VPN 3000 concentrator to the proxy server(s).

As shown in Figure 10-26, configuration of HTTP/HTTPS proxy servers is achieved under Configuration > Tunneling and Security > WebVPN > HTTP/HTTPS Proxy.

figure 10.26

Figure 10-26

Configuring HTTP/HTTPS Proxy

Configuration is fairly self-explanatory:

  • HTTP Proxy—This is the IP address of the proxy server to which HTTP WebVPN requests are redirected by the VPN 3000 concentrator.

  • HTTP Proxy Port—The TCP port used by the HTTP proxy server.

  • HTTPS Proxy—The IP address of the proxy server to which HTTPS WebVPN requests are redirected.

  • HTTPS Proxy Port—The TCP port used by the HTTPS proxy server.

  • Default Timeout—The timeout, in minutes, for WebVPN sessions if one is not set in group settings.

Enabling TCP Applications over Clientless SSL Remote Access VPNs

Apart from file and web server access, another form of access via clientless SSL remote access VPNs is that for TCP-based applications. Remote access VPN users can access TCP-based applications via a VPN 3000 concentrator using a mechanism called port forwarding.

One of the most popular applications to enable using port forwarding is Windows Terminal Services, which allows remote access users to remotely access a desktop and applications that are installed on a Windows server, with screen bitmaps transported over the network between the remote users and the server. This method of server desktop and application hosting conforms to the thin-client model.

Note - To enable Citrix MetaFrame support with WebVPN, you must check the Enable Citrix MetaFrame box on the WebVPN tab under Groups.

Note that in this case, an SSL certificate with a fully qualified domain name (not an IP address as the common name) must be installed on the public interface on the VPN 3000 concentrator.

This section covers how to enable Windows Terminal Services for port forwarding over SSL. Other TCP-based applications can be similarly enabled.

1 2 3 4 5 6 7 8 Page 3
Page 3 of 8
SD-WAN buyers guide: Key questions to ask vendors (and yourself)