Chapter 10: Designing and Building SSL Remote Access VPNs (WebVPN)

Cisco Press

Page 6 of 8

Having configured the location criteria, it is important to specify which Cisco Secure Desktop suite module or function will be applied on a user workstation according to its location. The modules and functions are as follows:

  • Cache Cleaner—As the name suggests, this module deletes and disables information including browser caches, temporary files, and autocompletion information, including passwords.

  • VPN Feature Policy—This module provides selective WebVPN access depending on the presence of components such as antivirus software, operating system type and service pack level, firewall software, and other Secure Desktop components.

  • Secure Desktop—This module provides a secure, encrypted space (desktop) on Windows XP and Windows 2000. The user session is then created within this secure desktop.

The particular module that is used on a workstation at a particular location depends on the selection specified at the bottom of the Identification pane (see Figure 10-44).

It is possible to choose either Secure Desktop or Cache Cleaner for a particular location by checking the appropriate box next to Use Module. If you do not choose Secure Desktop or Cache Cleaner, the VPN Feature Policy is used for a location.

Configuring the Windows Cache Cleaner

The Cache Cleaner settings for a particular location can be configured by clicking Cache Cleaner in the subtree of that location on the left side of the Cisco Secure Desktop Manager.

Figure 10-45 shows the configuration settings for the Cache Cleaner.

Figure 10-45 Configuration Settings for the Cache Cleaner

Specific settings for Cache Cleaner include the following:

  • Launch hidden URL after installation—If this setting is checked, a URL can be entered which is launched after the installation of the Cache Cleaner.

  • Show message at the end of successful installation—If this setting is checked, a message displays on the user workstation confirming the successful installation of the Cache Cleaner.

  • Launch cleanup upon inactivity timeout—When this option is checked, the Cache Cleaner begins operation after a period of inactivity on the user workstation.

  • Launch cleanup upon closing of all browser instances—This setting, if checked, causes the Cache Cleaner to begin operation when all browser windows are closed.

  • Disable cancellation of cleaning—This prevents user cancellation of cache cleaning.

  • Clean the whole cache in addition to the current session cache (IE only)—Checking this setting ensures that the Internet Explorer cache is cleaned when the Cache Cleaner starts.

Configuring VPN Feature Policy Settings

To configure VPN Feature Policy settings for a location, click the VPN Feature Policy on the subtree of the location; the screen shown in Figure 10-46 will appear.

Figure 10-46 Configuring VPN Feature Policy Settings

Settings for the VPN Feature Policy include Web Browsing, File Access, Port Forwarding, and Full Tunneling.

These settings (levels of access) can be enabled, enabled only if certain conditions are fulfilled, or disabled on a user workstation by choosing ON, ON if criteria are matched, or OFF, respectively, in the corresponding drop-down boxes.

If you choose the ON if criteria are matched option, the criteria that must be fulfilled for a particular level of access to be enabled can be specified by clicking on the ellipsis (. . .) button.

The criteria that can be matched include the presence of antivirus software, firewall software, operating system and service pack, and other Secure Desktop features on the user workstation.
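The following is an added illustration, not Cisco code and not from the chapter: it models how a location's VPN Feature Policy resolves each access level (Web Browsing, File Access, Port Forwarding, Full Tunneling) from the ON / ON if criteria are matched / OFF setting and the endpoint criteria described above. The `Posture` and `Criteria` record layouts, the criterion names, and the sample policy and endpoints are all assumptions made for the example; the real Cisco Secure Desktop checks are richer than these fields.

```python
"""Model of VPN Feature Policy evaluation for one Cisco Secure Desktop location.

Added example (not Cisco's implementation). The posture fields, criteria
names and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ON, ON_IF, OFF = "ON", "ON if criteria are matched", "OFF"
FEATURES = ("web_browsing", "file_access", "port_forwarding", "full_tunneling")


@dataclass
class Posture:
    """Facts gathered from the user workstation (constructed layout)."""
    antivirus: bool
    firewall: bool
    os_name: str
    service_pack: int
    secure_desktop_installed: bool = False


@dataclass
class Criteria:
    """Conditions that must ALL hold for an 'ON if criteria are matched' feature."""
    require_antivirus: bool = False
    require_firewall: bool = False
    os_name: Optional[str] = None      # e.g. "Windows XP"; None = any OS
    min_service_pack: int = 0          # only checked when os_name is set
    require_secure_desktop: bool = False

    def matches(self, p: Posture) -> bool:
        if self.require_antivirus and not p.antivirus:
            return False
        if self.require_firewall and not p.firewall:
            return False
        if self.os_name is not None and (
            p.os_name != self.os_name or p.service_pack < self.min_service_pack
        ):
            return False
        if self.require_secure_desktop and not p.secure_desktop_installed:
            return False
        return True


Policy = Dict[str, Tuple[str, Optional[Criteria]]]


def evaluate(policy: Policy, posture: Posture) -> Dict[str, bool]:
    """Return {feature: enabled} for a location's policy against one endpoint.

    Deny by default: a feature absent from the policy, or set to ON_IF with
    no criteria attached, resolves to OFF (an assumption of this model).
    """
    result = {}
    for feature in FEATURES:
        mode, criteria = policy.get(feature, (OFF, None))
        if mode == ON:
            result[feature] = True
        elif mode == ON_IF:
            result[feature] = criteria is not None and criteria.matches(posture)
        else:
            result[feature] = False
    return result


# Constructed sample: a "Home" location that allows browsing to anyone, file
# access only with AV and firewall present, port forwarding only on XP SP2+.
HOME_POLICY: Policy = {
    "web_browsing": (ON, None),
    "file_access": (ON_IF, Criteria(require_antivirus=True, require_firewall=True)),
    "port_forwarding": (ON_IF, Criteria(os_name="Windows XP", min_service_pack=2)),
    "full_tunneling": (OFF, None),
}
MANAGED_PC = Posture(antivirus=True, firewall=True, os_name="Windows XP", service_pack=2)
KIOSK = Posture(antivirus=False, firewall=False, os_name="Windows 2000", service_pack=4)

if __name__ == "__main__":
    for name, p in (("managed PC", MANAGED_PC), ("kiosk", KIOSK)):
        print(name, evaluate(HOME_POLICY, p))
```

Running the module prints the resolved access levels for both constructed endpoints; the kiosk is left with browsing only, which mirrors the intent of tying File Access and Port Forwarding to endpoint criteria.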

Configuring Secure Desktop Options

When the Secure Desktop is specified for a particular location, you can configure the associated options by clicking Secure Desktop General, Secure Desktop Settings, and Secure Desktop Browser in the location subtree.

Figure 10-47 shows the options associated with Secure Desktop General.

Figure 10-47 Configuring Options Associated with Secure Desktop General

Secure Desktop General settings include the following:

  • Automatically switch to Secure Desktop after installation—When checked, this setting causes the Secure Desktop to load immediately after installation.

  • Check for keystroke logger before Secure Desktop creation—This setting, if checked, causes a check for a keystroke logger to run before the creation of the Secure Desktop on the user workstation. This setting only works if the user has administrator privileges on the workstation.

  • Enable switching between Secure Desktop and Local Desktop (recommended)—If this option is checked, the user can switch between the secure desktop and the regular desktop on the workstation. It is a very good idea to check this option so that users can respond to any application prompts.

  • Enable Vault Reuse (User chooses a password)—If checked, a Secure Desktop vault can be reused (and not overwritten between sessions). The user selects a password to allow access to this Secure Desktop.

  • Enable Secure Desktop inactivity timeout—When checked, this option causes the Secure Desktop to automatically close after a period of inactivity.

  • Open following web page after Secure Desktop closes—This setting, if checked, causes a URL to be opened after the Secure Desktop closes.

  • Suggest application uninstall upon Secure Desktop closes—When this setting is checked, the user is asked whether he/she wants the Secure Desktop uninstalled after it closes.

  • Force application uninstall upon Secure Desktop closing—The Secure Desktop is forcibly uninstalled after the Secure Desktop closes when checked.

Clicking Secure Desktop Settings in the subtree allows further Secure Desktop options to be configured (see Figure 10-48).

The further four options contained under Secure Desktop Settings are as follows:

  • Put Secure Desktop in restricted mode—When this setting is checked, only the browser that was originally used to start the Secure Desktop can be used in the Secure Desktop itself.

  • Restrict Registry tools on Secure Desktop—If checked, this option ensures that a user cannot modify the registry within the Secure Desktop.

  • Restrict DOS-CMD tools on Secure Desktop—This setting, if checked, prevents the use of the DOS prompt within the Secure Desktop.

  • Restrict Printing on Secure Desktop—When this option is checked, users cannot print from within the Secure Desktop.

Figure 10-48 Configuring Secure Desktop Settings

The options under Secure Desktop Settings can be chosen to ensure the highest level of security for the Secure Desktop.

Configuring Cache Cleaner Options for Mac and Linux Users

The Mac and Linux Cache Cleaner heading under the subtree in the Secure Desktop Manager allows the configuration of options associated with the Cache Cleaner for Mac and Linux users.

Figure 10-49 shows the configuration options for the Mac and Linux Cache Cleaner.

Mac and Linux Cache Cleaner options are as follows:

  • Launch cleanup upon global timeout—When checked, this option causes the Cache Cleaner to run after a period of inactivity on the user workstation.

  • Let user reset timeout—If this setting is checked, a user can reset the timeout time period.

  • Launch cleanup upon exiting of browser—This option, if checked, causes the Cache Cleaner to start when all browser instances are closed.

  • Enable Cancel button of cleaning—When this box is checked, users are able to cancel cache cleaning.

  • Enable web browsing if Mac or Linux installation fails—This option ensures that web browsing is allowed if the installation of the Cache Cleaner fails.

Figure 10-49 Configuration Options for the Mac and Linux Cache Cleaner

The Successful Installation Policy options allow the configuration of VPN Feature Policy settings for Mac and Linux users:

  • Web browsing—If ON is chosen, web browsing is allowed from Mac and Linux workstations.

  • File Access—Allow (ON) or disallow (OFF) file access.

  • Port Forwarding—Allow or disallow port forwarding.

Note that VPN Feature Policy settings on Mac and Linux workstations do not depend on criteria such as the presence of antivirus software or access from a particular location (unlike Windows VPN Feature Policy settings).

Note - Having configured Cisco Secure Desktop, make sure that you save the configuration within the Cisco Secure Desktop—the configuration is independent of that for the VPN 3000 concentrator as a whole.

Enabling the Cisco Secure Desktop

After all the relevant settings have been configured within the Cisco Secure Desktop Manager, it is time to enable the Cisco Secure Desktop. You can accomplish this under Configuration > Tunneling and Security > WebVPN > Secure Desktop > Setup (Figure 10-50).

Figure 10-50 Enabling the Secure Desktop

Choose Enable Secure Desktop and click Apply. The Secure Desktop is now enabled.

Enabling SSL VPNs (WebVPN) on Cisco IOS Devices

Enabling SSL VPNs on Cisco IOS Software is relatively straightforward and consists of eight basic steps:

Step 1 Configure domain name and name server addresses.

Step 2 Configure remote AAA for remote access user login authentication.

Step 3 Enroll with a CA and obtain an identity certificate.

Step 4 Enable WebVPN.

Step 5 Configure basic SSL parameters.

Step 6 Customize login and home pages (optional).

Step 7 Specify URLs.

Step 8 Configure port forwarding.

These steps are described in detail in the sections that follow.

Step 1: Configure Domain Name and Name Server Addresses

The first step in configuring a Cisco IOS SSL remote access VPN gateway is to configure the default domain name and name server IP addresses. Example 10-1 shows the configuration of the default domain name and name server IP address.

Example 10-1 Configuration of the Default Domain Name and DNS Server IP Address

ip domain name
ip name-server

The ip domain name name command is used to configure the default domain name that the router uses to complete any unqualified host names.

The ip name-server server-address1 [server-address2 ... server-address6] command configures the IP addresses of up to six name servers.

Step 2: Configure Remote AAA for Remote Access User Login Authentication

Example 10-2 shows the configuration of remote AAA for remote access user authentication.

Example 10-2 Configuration of Remote AAA for Remote Access User Authentication

aaa new-model (line 1)
aaa group server radius sslauth (line 2)
 server auth-port 1645 acct-port 1646 (line 3)
aaa authentication login default group sslauth (line 4)
radius-server key mjlnetkey (line 5)

The aaa new-model command (line 1) enables authentication, authorization, and accounting.

The aaa group server radius group-name command in line 2 is then used to configure a group of RADIUS servers. In this case, the name of the group of servers is sslauth.

In line 3, the server ip-address [auth-port port-number] [acct-port port-number] command is then used to specify the IP addresses of RADIUS servers in the group, along with the ports used for authentication/authorization (auth-port) and accounting (acct-port). In this case, there is only one server in the group, and the ports used for AAA are the defaults (1645 and 1646).

The aaa authentication login [default | method-list-name] group group-name command (line 4) configures login authentication using the default method list and the (previously created) RADIUS server group called sslauth. Login authentication is required for SSL remote access VPN users.

Note that it is possible to configure local authentication for SSL remote access VPN users using the aaa authentication login [default | method-list-name] local command in conjunction with a local username/password database configured using the username username password password command.

In a practical sense, however, a local username/password database is much more difficult to administer than a local user database on a VPN 3000 concentrator—this is why RADIUS is recommended when configuring SSL remote access VPNs using Cisco IOS Software. RADIUS can also be used for WebVPN on the VPN 3000 concentrator.

Finally, the radius-server key {0 string | 7 string | string} command in line 5 configures the key that is used to authenticate communications between the router and the RADIUS server (as well as encrypting user passwords sent to the server).

Step 3: Enroll the IOS Router with a CA and Obtain an Identity Certificate

Enrolling the Cisco IOS router with a CA and obtaining an identity certificate consists of the following:

  • Setting the time on the Cisco IOS router

  • Configuring the router's host name and IP domain name

  • Generating RSA keys on the router

  • Declaring the CA

  • Authenticating the CA

  • Enrolling the router with the CA

These tasks are described in detail in the section "IKE Digital Signature Authentication," starting on page 448 in Chapter 6, "Deploying Site-to-Site IPsec VPNs."

Step 4: Enable WebVPN

As shown in Example 10-3, the webvpn enable global configuration mode command is used to enable SSL remote access VPNs (WebVPN).

Example 10-3 Enabling SSL Remote Access VPNs (WebVPN)

configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
webvpn enable

It is worth noting that if the Cisco IOS device is configured as an HTTP secure (HTTPS) server, it is necessary to add the gateway-addr ip-address parameter along with the webvpn enable command (webvpn enable gateway-addr ip-address). This parameter causes WebVPN to be enabled only on the (interface) IP address specified.

Step 5: Configure Basic SSL Parameters

Having enabled WebVPN, the next step is to configure basic SSL parameters, including cryptographic algorithms (and associated cipher suites), and specify the SSL trustpoint.

Example 10-4 shows the configuration of basic SSL parameters.

Example 10-4 Configuration of Basic SSL Parameters

 ssl encryption 3des-sha1
 ssl trustpoint sslcert
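As an added example that is not part of the chapter and not a Cisco tool, the script below reads a running-config excerpt and checks it against Steps 1, 2, 4 and 5 above (domain name and name server, AAA with a RADIUS server group referenced by the default login method list, webvpn enable, and the SSL cipher and trustpoint statements). It also raises two findings a reviewer would want: a RADIUS key that the running-config would display in cleartext (untyped or type 0 without service password-encryption), and the rc4-md5 suite being offered. The sample configuration is constructed; the 192.0.2.x addresses and the domain are placeholders, and the regular expressions assume the command syntax shown in Examples 10-1 through 10-4.

```python
"""Checklist audit of a Cisco IOS WebVPN gateway configuration excerpt.

Added example, not Cisco code. SAMPLE_CONFIG is constructed; addresses
and the domain are placeholders. Parsing assumes the command forms
shown in the chapter's Examples 10-1 to 10-4.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
ip domain name example-placeholder.com
ip name-server 192.0.2.10
aaa new-model
aaa group server radius sslauth
 server 192.0.2.20 auth-port 1645 acct-port 1646
aaa authentication login default group sslauth
radius-server key mjlnetkey
webvpn enable
webvpn
 ssl encryption rc4-md5 3des-sha1
 ssl trustpoint sslcert
"""

WEAK_CIPHERS = {"rc4-md5"}   # RC4 and MD5 are both deprecated for TLS


def parse_config(text: str) -> Dict[str, object]:
    """Pull the WebVPN-relevant statements out of a running-config excerpt."""
    cfg: Dict[str, object] = {
        "domain": None, "name_servers": [], "aaa_new_model": False,
        "radius_groups": {}, "login_default_group": None,
        "radius_key_type": None,            # "0", "7" or "untyped"
        "password_encryption": False, "webvpn_enabled": False,
        "ciphers": [], "trustpoint": None,
    }
    group = None                            # RADIUS group whose submode we are in
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        indented = raw.startswith(" ")
        if indented and group is not None and s.startswith("server "):
            cfg["radius_groups"][group].append(s)
            continue
        if not indented:
            group = None                    # any top-level command leaves the submode
        if (m := re.match(r"aaa group server radius (\S+)$", s)):
            group = m.group(1)
            cfg["radius_groups"][group] = []
        elif (m := re.match(r"ip domain[- ]name (\S+)$", s)):
            cfg["domain"] = m.group(1)
        elif (m := re.match(r"ip name-server (.+)$", s)):
            cfg["name_servers"].extend(m.group(1).split())
        elif s == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif (m := re.match(r"aaa authentication login default group (\S+)", s)):
            cfg["login_default_group"] = m.group(1)
        elif (m := re.match(r"radius-server key (?:(0|7) )?\S+$", s)):
            cfg["radius_key_type"] = m.group(1) or "untyped"
        elif s == "service password-encryption":
            cfg["password_encryption"] = True
        elif s.startswith("webvpn enable"):
            cfg["webvpn_enabled"] = True
        elif (m := re.match(r"ssl encryption (.+)$", s)):
            cfg["ciphers"] = m.group(1).split()
        elif (m := re.match(r"ssl trustpoint (\S+)$", s)):
            cfg["trustpoint"] = m.group(1)
    return cfg


def audit(text: str) -> List[str]:
    """Return findings for the chapter's steps; an empty list means all checks passed."""
    cfg = parse_config(text)
    f: List[str] = []
    if not cfg["domain"]:
        f.append("step 1: no 'ip domain name' configured")
    if not cfg["name_servers"]:
        f.append("step 1: no 'ip name-server' configured")
    if not cfg["aaa_new_model"]:
        f.append("step 2: 'aaa new-model' missing, AAA is not enabled")
    grp = cfg["login_default_group"]
    if grp is None:
        f.append("step 2: no 'aaa authentication login default group <name>'")
    elif grp not in cfg["radius_groups"]:
        f.append(f"step 2: login method list references undefined RADIUS group '{grp}'")
    elif not cfg["radius_groups"][grp]:
        f.append(f"step 2: RADIUS group '{grp}' has no server statements")
    if cfg["radius_key_type"] is None:
        f.append("step 2: 'radius-server key' missing")
    elif cfg["radius_key_type"] != "7" and not cfg["password_encryption"]:
        f.append("step 2: RADIUS key would be displayed in cleartext in the running-config")
    if not cfg["webvpn_enabled"]:
        f.append("step 4: 'webvpn enable' missing")
    weak = [c for c in cfg["ciphers"] if c in WEAK_CIPHERS]
    if weak:
        f.append("step 5: weak cipher suite(s) offered: " + ", ".join(weak))
    if not cfg["trustpoint"]:
        f.append("step 5: no 'ssl trustpoint' configured (certificate from step 3 not bound)")
    return f


# Constructed hardened variant: drop rc4-md5 and enable password encryption.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("rc4-md5 ", "").replace(
    "aaa new-model", "service password-encryption\naaa new-model")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against a `show running-config` excerpt saved to a file, the script lists which of the chapter's steps are missing and which present settings a reviewer would tighten; against `HARDENED_CONFIG` it reports nothing, which is the state to aim for before the gateway goes live.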