User Guide for CiscoView Device Manager for the Cisco WebVPN Services Module 1.1
Using Wizards

Table Of Contents

Using Wizards

Using the WebVPNSM Service Setup Wizard

Setting Up a Virtual Gateway

Selecting a Virtual Gateway

Selecting a Certificate Trustpoint

Specifying the SSL Certificate and Private Key

Configuring a Virtual Context

Configuring Authentication and NAT

Selecting an Authentication List

Creating a AAA Server Group

Editing RADIUS Settings

Configuring Network Settings

Configuring a Group Policy

Configuring Clientless Mode

Configuring Thin-Client Mode

WebVPN Access Setup Wizard Summary

Using the Group Policy Setup Wizard

Configuring a Group Policy

Selecting a Virtual Context

Configuring Clientless Mode

Configuring Thin-Client Mode

Configuring Tunnel Mode

Group Policy Setup Wizard Summary

Using the Certificate Trustpoint Setup Wizard

Generating a CSR

Specifying a Trustpoint and RSA Key Pair

Configuring SSL Certificate Attributes

Configuring the Enrollment Method

Authenticating a CA and Importing an SSL Certificate

Using the Copy-and-Paste Method

Using the TFTP Method

Importing a CA Certificate or CA Certificate Chain

Specifying a CA Certificate Source

Specifying the CA Certificate

Specifying the SSL Certificate

Specifying the Certificate File

Importing a CA Certificate Chain

Renewing an SSL Certificate

Regenerating a CSR

Importing a Renewed SSL Certificate

Certificate Trustpoint Setup Wizard Summary

Viewing Trustpoint Configuration Status

Using the Certificate Import Wizard

Specifying Certificate Format and Source

Specifying Certificate and Private Key

Specifying Certificate and Private Key (X.509 PEM - Local Hard Disk)

Specifying Certificates and Private Key (X.509 PEM - Remote System)

Specifying Certificate and Private Key (X.509 PEM - Copy and Paste)

Certificate Import Wizard Summary

Viewing Certificate Import Status

Using the Certificate Export Wizard

Selecting Certificates and Format (PEM, PKCS#12)

Specifying the Destination

Specifying the Destination (X.509 PEM)

Specifying the Destination (PKCS#12)

Specifying Destination Details

Specifying Destination Details (X.509 PEM)

Specifying Destination Details (PKCS#12)

Certificate Export Wizard Summary

Viewing Certificate Export Status


Using Wizards


CVDM-WebVPNSM 1.1 allows you to set up WebVPN Services Module (WebVPNSM) features with the help of wizards, which simplify complex configuration tasks. To access the Wizards page, click Setup at the top of the window and then click Wizards (see Figure 2-1).

Figure 2-1 Wizards Page

CVDM-WebVPNSM provides the following Setup wizards:

WebVPN Service Setup wizard—This wizard allows you to configure both clientless and thin-client access to the WebVPNSM. See Using the WebVPNSM Service Setup Wizard.

Group Policy Setup wizard—This wizard allows you to configure the default group policy for users accessing the WebVPNSM. See Using the Group Policy Setup Wizard.

Certificate Trustpoint Setup wizard—This wizard allows you to enroll and install an SSL certificate onto the WebVPNSM. See Using the Certificate Trustpoint Setup Wizard.

Certificate Import wizard—This wizard allows you to import both certificates and private keys to the WebVPNSM from an external public-key infrastructure (PKI). See Using the Certificate Import Wizard.

Certificate Export wizard—This wizard allows you to export certificates and private keys to an external system or another WebVPNSM. See Using the Certificate Export Wizard.

Using the WebVPNSM Service Setup Wizard

The WebVPNSM Service Setup wizard allows you to set up both clientless and thin-client access to this WebVPN Services Module. This wizard consists of the following tasks:

Setting Up a Virtual Gateway

Specifying the SSL Certificate and Private Key

Configuring a Virtual Context

Configuring Authentication and NAT

Configuring Network Settings

Configuring a Group Policy

Configuring Clientless Mode

Configuring Thin-Client Mode

Note the following:

If you launch CVDM-WebVPNSM as a Level 15 user without first setting the enable password for this module, you will not be able to launch this wizard.

If you have not already configured the AAA new-model on this module, you will be prompted to do so after you launch this wizard.


Step 1 Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.

Step 2 Select the Set Up Clientless and/or Thin-Client Access radio button.

Step 3 Click Launch the Selected Task.


Setting Up a Virtual Gateway

GUI Element
Action/Description

Set Up a New Virtual Gateway radio button

Click to configure a new virtual gateway.

Use an Existing Virtual Gateway radio button

Select this radio button to use an existing virtual gateway.

Name field

If you selected the Set Up a New Virtual Gateway radio button, enter the name of the new virtual gateway.

If you selected the Use an Existing Virtual Gateway radio button:

a. Click to launch the Virtual Gateways dialog box. See Selecting a Virtual Gateway for more information.

b. Select a gateway from the table and then click OK.

IP Address field

Enter the IP address of the virtual gateway to be configured.

Secondary check box

Select to specify that the IP address defined in the previous field is not on a network with a direct connection.

Note When selected, the fields in the WebVPN Interface pane are not available for configuration.

Port (1-65535) field

Specify the port to be used by the virtual gateway. The default is 443.

Admin Status list

Specify whether the virtual gateway is currently up or down.

WebVPN Interface pane

If the IP address you specified for the virtual gateway is the primary IP address, you must configure the corresponding WebVPN interface.

VLAN ID (2-4094) field

Enter the VLAN for the WebVPN interface the virtual gateway belongs to.

IP Address field

Enter the IP address of the WebVPN interface the virtual gateway belongs to.

Subnet Mask list

Either select a subnet mask from the list or enter an appropriate value.

SSL Certificate pane

Select a Certificate Installed on WebVPNSM radio button

Select this radio button to select from a list of SSL certificates that have been installed on the WebVPNSM.

Certificate Trustpoint Name list

Name of the selected certificate Trustpoint.

a. Click to launch the Certificate Trustpoint Selector dialog box. See Selecting a Certificate Trustpoint for more information.

b. Select a Trustpoint from the table and then click OK.

Import an SSL Certificate and Private Key for Virtual Gateway radio button

Select to import the corresponding SSL certificate and private key for the virtual gateway being configured.

Certificate Trustpoint Name field

Name of the certificate Trustpoint to be imported.

If this field is not already populated, enter the name of the appropriate Trustpoint.


Selecting a Virtual Gateway


Note Since virtual gateways associated with only one virtual context cannot be shared, they are not displayed in this dialog box.


Column
Description

Gateway Name

Name of a virtual gateway configured on the WebVPNSM.

Used by Any Context

Indicates whether a virtual gateway is currently used by a virtual context.


Selecting a Certificate Trustpoint

Column
Description

Trustpoint Name

Name of a certificate Trustpoint.

Subject Name

Description of a Trustpoint.

CA Name

Name of the CA associated with this Trustpoint.


Specifying the SSL Certificate and Private Key


Step 1 Select either the X.509 PEM or PKCS#12 radio button.

Step 2 Enter the information specified in the appropriate table.

X.509 PEM

GUI Element
Action/Description

CA Name list

Do one of the following:

If you are specifying a CA certificate that is available on the WebVPNSM, select the corresponding CA name from the list.

If you are specifying a CA certificate that is not already available on the WebVPNSM, select the default value <New>.

CA Certificate File list

Click Browse... and navigate to the appropriate CA certificate file.

Private Key File list

Click Browse... and navigate to the appropriate private key file.

Private Key Passphrase field

Enter the passphrase for the private key.

Allow Private Key Export check box

Select to allow the export of private keys.

SSL Certificate File list

Click Browse... and navigate to the appropriate SSL certificate file.
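A practitioner usually wants to look at the three PEM files the form above asks for before uploading them, in particular to confirm that the private key file really is passphrase-protected and that each certificate field points at a CERTIFICATE block rather than at the key. The following is an added example, not code from the guide or from Cisco; it uses only the Python standard library, and the PEM data it builds (`FAKE_DER`, `CA_PEM`, `CERT_PEM`, the two key blocks) is constructed and contains no real key material.

```python
# Added example (not part of the guide or of Cisco's tooling): inspect the X.509
# PEM files named in the form above before they are uploaded. Standard library
# only; the sample PEM data is constructed and carries no real keys.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return one dict per PEM block: its label, RFC 1421 headers, and DER bytes."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2).replace("\r\n", "\n")
        head, sep, data = body.partition("\n\n")   # headers end at the first blank line
        headers = {}
        if sep:
            for line in head.splitlines():
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
        else:
            data = body
        der = base64.b64decode("".join(data.split()), validate=True)
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def key_is_encrypted(block):
    """True for a PKCS#8 ENCRYPTED PRIVATE KEY or a traditional key with Proc-Type: 4,ENCRYPTED."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":
        return True
    return block["headers"].get("Proc-Type", "").endswith("ENCRYPTED")


def check_pem_bundle(ca_pem, key_pem, cert_pem, passphrase):
    """Mirror the form's three file fields plus the passphrase; return a list of problems."""
    problems = []
    for name, text in (("CA certificate", ca_pem), ("SSL certificate", cert_pem)):
        blocks = parse_pem(text)
        if not blocks:
            problems.append(f"{name}: no PEM block found")
        for block in blocks:
            if block["label"] != "CERTIFICATE":
                problems.append(f"{name}: unexpected block '{block['label']}'")
            elif block["der"][:1] != b"\x30":
                problems.append(f"{name}: payload is not a DER SEQUENCE")
    keys = [b for b in parse_pem(key_pem) if b["label"] in KEY_LABELS]
    if len(keys) != 1:
        problems.append("private key: file must contain exactly one private key block")
    elif key_is_encrypted(keys[0]):
        if not passphrase:
            problems.append("private key: encrypted but no passphrase was supplied")
    else:
        problems.append("private key: not passphrase-protected on disk")
    return problems


def make_pem(label, der, headers=()):
    """Wrap DER bytes as a PEM block (used here only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += [f"{k}: {v}" for k, v in headers] + [""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed sample data: a minimal DER SEQUENCE stands in for real certificates and keys.
FAKE_DER = b"\x30\x03\x02\x01\x01"
CA_PEM = make_pem("CERTIFICATE", FAKE_DER)
CERT_PEM = make_pem("CERTIFICATE", FAKE_DER)
ENCRYPTED_KEY_PEM = make_pem("RSA PRIVATE KEY", FAKE_DER,
                             (("Proc-Type", "4,ENCRYPTED"),
                              ("DEK-Info", "AES-256-CBC,000102030405060708090A0B0C0D0E0F")))
PLAIN_KEY_PEM = make_pem("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    print(check_pem_bundle(CA_PEM, ENCRYPTED_KEY_PEM, CERT_PEM, "constructed-passphrase"))
    print(check_pem_bundle(CA_PEM, PLAIN_KEY_PEM, CERT_PEM, ""))
```

The check deliberately stops at the PEM envelope and the outer DER tag: that is enough to catch a swapped file, a key stored in the clear, or a missing passphrase, without pulling in a full ASN.1 parser.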


PKCS#12

GUI Element
Action/Description

Protocol list

Select one of the following file transfer protocols:

TFTP

FTP

RCP

SCP

IP Address field

Enter the IP address of the certificate source.

Username field

Enter the username for the remote system.

Password field

Enter the password to be used for the remote system.

PKCS#12 File field

Enter the appropriate PKCS#12 filename, specifying the absolute path and the filename.

Example: d:/tftpboot/certs/cert.p12

Passphrase field

Enter the passphrase used to decrypt the key.

Create Trustpoints for CA Certificates in Certificate Chain check box

Select to create Trustpoints for certificates higher in the hierarchy.



Configuring a Virtual Context

GUI Element
Action/Description

Name field

Enter the name of the new virtual context.

Admin Status list

Specify whether the virtual context is currently up or down.

Title field

Enter the HTML title string that will be displayed in the browser title and on the title bar. The string is limited to 255 characters. The default string is "WebVPN Service."

Logo File list

Custom logo image that is displayed on the login and portal pages.

Click and then select one of the following:

Select Logo File—Launches the Logo File Selector dialog box. Select a logo and then click OK.

Clear Logo File—Clears the logo file that is currently selected.

Note You can only select from graphics that are present in the flash memory of the device. The following file formats are supported: .gif, .jpeg, and .png.

User-Context Mapping check box

Select to enable user mapping for this virtual context.

Domain radio button

Select to associate a domain with the virtual gateway configured in step 1 of the WebVPN Access Setup wizard.

Enter the name of the appropriate domain in the provided field.

Virtual Host radio button

Select to associate a virtual host with the virtual gateway configured in step 1 of the WebVPN Access Setup wizard.

Enter the name of the appropriate virtual host in the provided field.

VRF Aware check box

Select to make the virtual context VRF-aware.

A VPN routing and forwarding (VRF) instance consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine the information that goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a Provider Edge router.

Create VRF radio button

Select to create a new VRF instance.

Enter the name for this VRF instance in the provided field.

Route Designator field

Enter the corresponding route designator for the new VRF instance.

Select VRF radio button

Select this radio button to select an existing VRF instance.

1. Click to launch the Select VRFs dialog box.

2. Click OK.


Configuring Authentication and NAT

GUI Element
Action/Description
User Authentication pane

Use Default Authentication (Local) radio button

Select to specify that the local username database is used for authentication.

Note the following:

If the aaa authentication login default <radius, local, none> command has been entered, then the default method list is used.

If a default method list is not configured, then the local method list is used.

Select an Authentication Method List radio button

Select this radio button to select an authentication method list that has already been configured on the WebVPNSM.

Method List Name list

Select the authentication method to be used.

1. Click to launch the Select Authentication List dialog box. See Selecting an Authentication List for more information.

2. Select a list from the table and then click OK.

Configure a RADIUS Authentication Method List radio button

Select this radio button to configure a RADIUS authentication method list.

Method List name field

Enter the name of the RADIUS authentication method list you are about to create.

RADIUS Server Group list

Specify the authentication, authorization, and accounting (AAA) server group associated with this method list.

Click and then select one of the following:

Create and Use a New Server Group—Launches the Create AAA Server Group dialog box. See Creating a AAA Server Group for more information.

Select an Existing Server Group—Launches the Select Server Group dialog box. Select a group and then click OK.

Clear the Server Group—Clears the server group that is currently selected.

Note If you created a new VRF instance or selected an existing one in the previous wizard step, then only the server groups configured for that VRF instance are displayed. Otherwise, all configured server groups are displayed.

RADIUS Parameters... button

Click to launch the Edit RADIUS Settings dialog box. See Editing RADIUS Settings for more information.

Configure an Authentication Domain check box

Select to enable the use of an authentication domain.

Authentication Domain Name field

Enter the domain name to be appended to a username during authentication.

This feature allows identical usernames in different virtual contexts to use the same service provider AAA server. These usernames are differentiated by the domain name (which is unique across all virtual contexts) specified in this field. When this feature is configured, all usernames in the AAA server must include this domain name. Otherwise, authentication will fail.

NAT pane

The NAT range you specify should be six consecutive IP addresses. If more than six are set, then the first six IP addresses will be used.

Start IP Address field

Enter the first address in the NAT range used by the WebVPNSM to open a server connection.

Subnet Mask list

Either select a subnet mask from the list or enter the appropriate value.

End IP Address field

Enter the last address in the NAT range used by the WebVPNSM to open a server connection.


Selecting an Authentication List

Column
Description

Name

Name of the authentication list.

Type

Type of authentication list.

Method 1

The name of the method that the device will attempt to use first for authentication. Authentication services identify users before they are permitted access to the network or network services. Authentication provides the method for identifying users, including username and password, challenge and response, messaging support, and, depending on the security protocol selected, encryption.

A method is a configured server group used for authenticating users. You can configure up to four methods and specify the order in which you want the device to query them. The device attempts to communicate with the first method. If one of the servers in this method authenticates the user, then authentication is successful. If authentication fails, then the router uses the next method in the list.

Method 2

The name of the method that the device will attempt to use for authentication if the servers referenced in method 1 do not respond.

Method 3

The name of the method that the device will attempt to use for authentication if the servers referenced in method 1 and method 2 do not respond.

Method 4

The name of the method that the device will attempt to use for authentication if the servers referenced in method 1, method 2, and method 3 do not respond.
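The Method 1 to Method 4 columns describe a fallback order that is easy to misread: the next method is consulted only when every server in the current one fails to respond, while a reject from a server that does answer ends the search. The model below is an added example, not Cisco or CVDM-WebVPNSM code; the server group names, the user record and the reachable/unreachable behaviour are all constructed, and the `none` method is modelled because the page's `aaa authentication login default <radius, local, none>` note lists it. Running it shows the operational risk of ending a list with `none`: once the RADIUS group is unreachable, every login is accepted.

```python
# Added example (not Cisco or CVDM-WebVPNSM code): a model of how a login
# method list is walked. Server behaviour and user records are constructed.
from enum import Enum


class Reply(Enum):
    ACCEPT = "accept"            # server authenticated the user
    REJECT = "reject"            # server answered and refused the user
    NO_RESPONSE = "no response"  # server never answered within the timeout


def radius_server(name, users, reachable=True):
    """Build a stand-in for one RADIUS server in a AAA server group."""
    def query(username, password):
        if not reachable:
            return Reply.NO_RESPONSE
        return Reply.ACCEPT if users.get(username) == password else Reply.REJECT
    return name, query


def local_database(users):
    """The 'local' method: the module's own username database always answers."""
    def query(username, password):
        return Reply.ACCEPT if users.get(username) == password else Reply.REJECT
    return "local-db", query


def authenticate(method_list, groups, username, password):
    """Walk the method list in order, as described for Method 1 to Method 4.

    method_list: up to four method names, e.g. ["RADIUS-GRP", "local"].
    groups: dict mapping a method name to a list of (server_name, query) pairs;
            the special name "none" needs no entry and accepts everyone.
    Returns (accepted, trail); trail lists every (method, server, reply) seen.
    """
    trail = []
    for method in method_list[:4]:
        if method == "none":
            trail.append((method, "-", Reply.ACCEPT))
            return True, trail
        for server_name, query in groups.get(method, []):
            reply = query(username, password)
            trail.append((method, server_name, reply))
            if reply is Reply.NO_RESPONSE:
                continue                             # try the next server in this group
            return reply is Reply.ACCEPT, trail      # a definite answer is final
        # every server in this method failed to respond: fall through to the next method
    return False, trail                              # nothing answered and no "none" method


# Constructed sample data (not from the guide).
USERS = {"alice": "constructed-pw"}
GROUPS = {
    "RADIUS-GRP": [radius_server("radius-1", USERS, reachable=False),
                   radius_server("radius-2", USERS)],
    "local": [local_database(USERS)],
}

if __name__ == "__main__":
    ok, trail = authenticate(["RADIUS-GRP", "local"], GROUPS, "alice", "constructed-pw")
    for step in trail:
        print(step)
    print("accepted:", ok)
```

Because a REJECT is final, putting `local` after a RADIUS group does not give users a second password to try; it only covers the case where the whole group is down, which is the behaviour the Method 2 to Method 4 descriptions spell out.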


Creating a AAA Server Group

GUI Element
Action/Description

Server Group Name field

Enter the name of the new AAA server group.

Private Server check box

Select to make the servers in this group local (unavailable outside of the group).

IP Address field

Enter the IP address of the server.

Type field

The type of server.

This field cannot be edited. Only the RADIUS option is supported.

Authentication Port field

Enter the server port used for authentication requests.

The default is 1645.

Accounting Port field

Enter the server port used for accounting requests.

The default is 1646.

Key field

Enter the key used when contacting the server.

Confirm Key field

Re-enter the key used when contacting the server.

Timeout (sec) field

Enter the number of seconds that the router should attempt to contact this server before going on to the next server in the group list.

The default is 5 seconds. Valid values range from 1 to 1000 seconds.


Editing RADIUS Settings

GUI Element
Action/Description

Timeout (sec) field

Enter the number of seconds that the router should attempt to contact this server before going on to another server.

The default is 5 seconds. Valid values range from 1 to 1000 seconds.

Key field

Enter the key used when contacting the RADIUS server.

Confirm Key field

Re-enter the key used when contacting the RADIUS server.


Configuring Network Settings


Note If you configured a VRF instance in the virtual context configuration page of this wizard, then the settings you specify here apply to that VRF instance. Otherwise, the settings will apply to the default VRF instance.


GUI Element
Action/Description
DNS pane

A list of the name servers already configured on this WebVPNSM is displayed at the bottom of this pane.

Domain Name field

Enter the default domain name that the Cisco IOS software uses to complete unqualified hostnames.

Name Server IP Address field

Specify one or more hosts (up to six) that can function as a name server to supply name information for the DNS.

Note the following:

If no name servers have already been configured, you must configure at least one in order to proceed.

This field is not available if the maximum of six name servers have already been configured.

Static Route check box

Select to configure the static route used to access the network.

IP Address field

Enter the destination network address of a static route.

Next Hop field

Enter the IP address of the next hop device.

Mask list

Subnet mask to which the network address configured for the static route belongs. Either select a value from the list or enter the appropriate value.

Metric (1-255) field

Specify the route metric configured for the static route.

WebVPN Interface pane

If an interface already exists within the NAT range you specified in the previous wizard page, you will not be able to modify the following fields. The fields will display the values configured for that interface.

VLAN ID (2-4094) field

Specify the VLAN associated with this WebVPN interface.

IP Address field

Enter the IP address for this WebVPN interface.

Mask list

Subnet mask to which the IP address belongs. Either select a value from the list or enter the appropriate value.

Note Make sure to specify the same subnet configured in the NAT pane of the previous wizard page.
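The NAT pane of the previous page (six consecutive addresses, extra addresses ignored), the DNS pane (at least one and at most six name servers) and the WebVPN Interface pane above (VLAN 2-4094, same subnet as the NAT range) each carry a rule the wizard only states in prose. The checks below are an added example, not code from the guide or from Cisco; they use only the Python standard library, and every address, mask and VLAN in them is a constructed sample value.

```python
# Added example (not part of the CVDM-WebVPNSM guide or Cisco code): consistency
# checks for the values entered in the NAT, DNS and WebVPN Interface panes.
# Standard library only; sample addresses below are constructed.
import ipaddress

NAT_RANGE_SIZE = 6        # the module uses six consecutive NAT addresses
MAX_NAME_SERVERS = 6      # Name Server IP Address field: up to six in total


def nat_addresses(start, end, mask):
    """Return the NAT addresses the module will actually use, plus warnings.

    Follows the page's rule: the range should be six consecutive addresses,
    and if more are given only the first six are used.
    """
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"end address {last} precedes start address {first}")
    if last not in net:
        raise ValueError(f"end address {last} lies outside {net}")
    count = int(last) - int(first) + 1
    warnings = []
    if count < NAT_RANGE_SIZE:
        warnings.append(f"{count} addresses given; {NAT_RANGE_SIZE} consecutive addresses are expected")
    elif count > NAT_RANGE_SIZE:
        warnings.append(f"{count} addresses given; only the first {NAT_RANGE_SIZE} will be used")
    used = [first + i for i in range(min(count, NAT_RANGE_SIZE))]
    # The network and broadcast addresses cannot be used to source connections.
    for addr in used:
        if addr in (net.network_address, net.broadcast_address):
            warnings.append(f"{addr} is the network or broadcast address of {net}")
    return used, warnings


def check_webvpn_interface(nat_start, nat_mask, if_ip, if_mask, vlan_id):
    """Validate the WebVPN Interface pane against the NAT pane.

    Returns a list of problems; an empty list means the values are consistent.
    """
    problems = []
    if not 2 <= vlan_id <= 4094:
        problems.append(f"VLAN ID {vlan_id} is outside 2-4094")
    nat_net = ipaddress.ip_network(f"{nat_start}/{nat_mask}", strict=False)
    if_net = ipaddress.ip_network(f"{if_ip}/{if_mask}", strict=False)
    if nat_net != if_net:
        # The page's note: the interface must use the same subnet as the NAT pane.
        problems.append(f"interface subnet {if_net} differs from NAT subnet {nat_net}")
    addr = ipaddress.ip_address(if_ip)
    if addr in (if_net.network_address, if_net.broadcast_address):
        problems.append(f"{addr} is not a usable host address in {if_net}")
    return problems


def check_name_servers(existing, new):
    """Apply the DNS pane rules: at least one name server overall, at most six."""
    total = len(existing) + len(new)
    if total == 0:
        return ["at least one name server must be configured"]
    if total > MAX_NAME_SERVERS:
        return [f"{total} name servers exceed the maximum of {MAX_NAME_SERVERS}"]
    return []


if __name__ == "__main__":
    # Constructed sample values (not from the guide).
    used, warns = nat_addresses("10.10.20.10", "10.10.20.20", "255.255.255.0")
    print([str(a) for a in used], warns)
    print(check_webvpn_interface("10.10.20.10", "255.255.255.0",
                                 "10.10.20.1", "255.255.255.128", 120))
```

The subnet comparison uses the network derived from each address/mask pair rather than the raw mask strings, so a mask typed as a prefix length on one page and as dotted-quad on the other still compares correctly.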


Configuring a Group Policy

GUI Element
Action/Description

Policy Name field

Enter the name for this group policy.

Modes

Clientless (supports web-enabled and SSL-enabled applications) check box

Select to enable clientless mode for this group policy. See Configuring Clientless Mode for more information.

Thin-Client (supports nonweb-enabled and non-SSL-enabled applications) check box

Select to enable thin-client mode for this group policy. See Configuring Thin-Client Mode for more information.


Configuring Clientless Mode

GUI Element
Action/Description

Hide URL bar on portal check box

Select to disable the URL bar on the portal page.

URL List Name field

Enter a name for the new URL list (group of URLs).

Heading field

Enter the heading text for the new URL list.

URL Label field

Enter the text displayed for a particular URL.

Link list

Enter the URL that corresponds to the label.

Add button

Click to add a new URL label to the table of existing labels.

URL Label column

Text displayed for a particular URL.

Link column

URL that corresponds to that label.

Remove button

Click to remove the selected URL label from the table.

NBNS Server List Name list

Specify a NetBIOS name service (NBNS) list for common Internet file system (CIFS) name resolution.

CVDM-WebVPNSM requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server that you specify corresponds to a specific NetBIOS name that identifies a resource on the network.

IP Address field

Enter the IP address of the NBNS server.

Is Master check box

Select to designate this server as a master browser. Do not select this option for a WINS server.


Configuring Thin-Client Mode

GUI Element
Action/Description

Port Forward List Name field

Enter a name for the list of forwarded ports. The maximum length of the list name is 63 characters.

Add Port Forward Entry pane

Local Port (1024-65535) field

Specify the local TCP port to be used for listening.

Note Since ports 1 through 1024 are reserved, do not specify a port that falls within this range.

Remote Port (1-65535) field

Specify the TCP port used to connect to the remote server.

Remote Server field

Enter the hostname or IP address of the remote server.

Description field

Enter a short description of the application to be forwarded.

Add button

Click to add to the port forwarding lists table.

Local Port column

Local TCP port used for listening.

Remote Server column

Hostname or IP address of the remote server.

Remote Port column

TCP port used for connecting to the remote server.

Description column

Short description of a port forwarding list.

Remove button

Click to remove the selected port forwarding entry from the port forwarding list.


WebVPN Access Setup Wizard Summary

The summary page of the wizard shows you the information that you entered.

Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).


Note For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.


Using the Group Policy Setup Wizard

The Group Policy Setup wizard consists of the following tasks:

Entering the general group policy settings for the selected virtual context. See Configuring a Group Policy for more information.

Entering the settings for at least one of the three modes supported by CVDM-WebVPNSM:

Clientless mode—See Configuring Clientless Mode for more information.

Thin-Client mode—See Configuring Thin-Client Mode for more information.

Tunnel mode—See Configuring Tunnel Mode for more information.


Step 1 Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.

Step 2 Select the Set Up a WebVPN User Group Policy radio button.

Step 3 Click Launch the Selected Task.


Configuring a Group Policy

GUI Element
Action/Description

Context list

Click to launch the Available Virtual Contexts dialog box. See Selecting a Virtual Context for more information.

Group Policy Name field

Enter the name for this group policy.

Set Policy as Default for Context check box

Select to make this the default group policy.

Modes pane

Clientless (supports web-enabled and SSL-enabled applications) check box

Select to configure clientless mode for this group policy. See Configuring Clientless Mode for more information.

Thin-Client (supports nonweb-enabled and non-SSL-enabled applications) check box

Select to configure thin-client mode for this group policy. See Configuring Thin-Client Mode for more information.

Tunnel (supports all IP applications) check box

Select to configure tunnel mode for this group policy. See Configuring Tunnel Mode for more information.

Do Not Mandate Tunnel radio button

Select to specify that tunnel mode is not required by this group policy.

Note When selected, all configured modes are operational.

Mandate Tunnel radio button

Select to specify that tunnel mode is required by this group policy.

Note When selected, you can also configure clientless and thin-client modes. However, only tunnel mode will be operational.


Selecting a Virtual Context

Column
Description

Context

Name of a virtual context.

Default Group Policy

Default group policy configured for this virtual context, if available.

Gateway Service

Gateway service configured for this virtual context, if available.


Configuring Clientless Mode

GUI Element
Action/Description

Hide URL Bar on Portal check box

Select to disable the URL bar on the portal page.

Setup a New URL List radio pane

URL List Name field

Enter a name for the new URL list (group of URLs).

Heading field

Enter the heading text for the URL list.

URL Label field

Enter the text displayed for a particular URL.

Link list

Enter the URL that corresponds to the label.

Note If this link will be used for Microsoft Outlook Web Access (OWA), append it with /exchange.

Add button

Click to add a new URL label to the table of existing labels.

URL Label column

Text displayed for a particular URL.

Link column

URL that corresponds to that label.

Remove button

Click to remove the selected URL label from the table.

Use an Existing URL List radio pane

URL List Name list

1. Click to launch the Select URL List dialog box.

2. Select a list and then click OK.

The table is populated with the entries configured for the selected URL list.

Heading field

Heading text for a URL list.

URL Label column

Text displayed for a particular URL.

Link column

URL that corresponds to that label.

NBNS Server List Name list

Specify a NetBIOS name service (NBNS) list for common Internet file system (CIFS) name resolution.

Click and then select one of the following:

Create and Use a New NBNS List—Launches the Enter NBNS Server List Name dialog box. Enter the name for the new list and then click OK.

Select an Existing NBNS List—Launches the Select NBNS list dialog box. Select a list and then click OK.

Clear the NBNS List—Clears the NBNS server list that is currently selected/entered.

CVDM-WebVPNSM requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server that you specify corresponds to a specific NetBIOS name that identifies a resource on the network.

IP Address field

Enter the IP address of the NBNS server.

Is Master check box

Select to designate this server as a master browser. Do not select this option for a WINS server.


Configuring Thin-Client Mode

GUI Element
Action/Description

Set Up a New Port Forward List radio button

Select this radio button to create a new port forwarding list. Enter the following information:

Port Forward List Name field—Enter a name for the list of forwarded ports. The maximum length of the list name is 63 characters.

Local Port (1024-65535) field—Specify the local TCP port to be used for listening.

Since ports 1 through 1024 are reserved, do not specify a port that falls within this range.

Remote Port (1-65535) field—Specify the TCP port used to connect to the remote server.

Remote Server field—Enter the hostname or IP address of the remote server.

Description field—Enter a short description of the application to be forwarded.

Add button—Click to add to the port forwarding lists table.

Use an Existing Port Forward List radio button

Select this radio button to select from a list of existing port forwarding lists.

The values configured for the selected list are populated.

Local Port column

Local TCP port used for listening.

Remote Server column

Hostname or IP address of the remote server.

Remote Port column

TCP port used for connecting to the remote server.

Description column

Short description of a port forwarding list.

Remove button

Click to remove the selected port forwarding entry from the port forwarding list.

Note This button is not available when the Use an Existing Port Forward List radio button is selected.


Configuring Tunnel Mode

In tunnel mode, the gateway supplies an SSL-VPN client (SVC) IP address to each of the end users that are logged into the gateway.

GUI Element
Action/Description
Tunnel Client Settings pane

Keep Tunnel Client Installed check box

Select to ensure that the SVC remains installed on the end user client PC after the connection is closed. When the SVC remains installed on the end user PC, the end user does not have to download the SVC again when a new connection is established.

Home Page field

Enter the URL of the web page that is displayed when a user logs in. The maximum length for the URL is 255 characters. This setting is disabled by default.

Named Servers pane

Primary WINS field

Specify the primary WINS server.

Default Domain field

Specify the default domain used by the group.

Primary DNS field

Specify the primary DNS server.

Address Pool pane

Set Up a New Pool radio button

Select to create a new address pool by entering its name in the Address Pool Name field.

Select from an Existing Pool radio button

Select this radio button to select from a list of existing address pools.

Address Pool Name field

Do one of the following:

If you selected the Set Up a New Pool radio button, enter the name of the new address pool.

If you selected the Select from an Existing Pool radio button:

1. Click to launch the Select Address Pool dialog box.

2. Select the appropriate pool and then click OK.

IP Address Range fields

In the fields provided, enter the first and last IP address in this address range.

Note These fields are not available when the Select from an Existing Pool radio button is selected. The address range configured for the selected address pool is used.


Group Policy Setup Wizard Summary

The summary page of the wizard shows you the information that you entered.

Click Finish to send the commands to the device. The Deliver Configuration to Switch/Module(s) dialog box appears if you have configured CVDM-WebVPNSM to display the accumulated CLI commands after you have completed a wizard (for information on configuring this option, see Editing Preferences).


Note For more information on the Deliver Configuration to Switch/Module(s) dialog box, see Delivering CLI Commands to the Device.


After the group policy has been configured, the virtual context tree is refreshed and displays the new group policy.

Using the Certificate Trustpoint Setup Wizard

The Certificate Trustpoint Setup wizard allows you to enroll an SSL certificate and install it onto the WebVPNSM. Using the wizard, you can do the following:

Generate a Certificate Signing Request (CSR)—See Generating a CSR.

Authenticate a CA certificate and import an SSL certificate—See Authenticating a CA and Importing an SSL Certificate.

Import a CA Certificate or CA Certificate Chain—See Importing a CA Certificate or CA Certificate Chain.


Note If the CA issuing your certificate is a subordinate CA, then you must first install all of the CA certificates in the certification path.



Step 1 Click Setup at the top of the window and click Wizards in the left-most pane. The main CVDM-WebVPNSM wizard page appears.

Step 2 Select the Generate Certificate Signing Request (CSR) and Enroll with CA radio button.

Step 3 Click Launch the Selected Task. The main page of the Certificate Trustpoint Setup wizard appears.


Generating a CSR

To generate a CSR, you first configure a Certificate Trustpoint. You then specify the attributes and enrollment method for the corresponding SSL certificate.

Do the following:

1. Specify a Trustpoint and RSA key pair—See Specifying a Trustpoint and RSA Key Pair.

2. Configure the SSL certificate's attributes—See Configuring SSL Certificate Attributes.

3. Configure the SSL certificate's enrollment method—See Configuring the Enrollment Method.

Specifying a Trustpoint and RSA Key Pair

The Specify Trustpoint and RSA Key Pair wizard page allows you to set up a CA Trustpoint. You can either use an existing key pair for the Trustpoint or generate a new key pair.

Enter the following information and then click Next.

GUI Element
Action/Description

Trustpoint Name list

Either enter the name of a new Trustpoint or select an existing one.

To select an existing Trustpoint:

1. Click to launch the Certificate Trustpoint Selector dialog box (see Selecting a Certificate Trustpoint for more information).

2. Select a Trustpoint and then click OK.

Task pane

Generate Certificate Signing Request (CSR) radio button

Select this option to generate a CSR.

Authenticate CA and Import SSL Certificate Obtained using CSR radio button

Select this option to import the SSL certificate obtained using the CSR.

Install CA Certificate Chain or CA Certificate radio button

Select this option to install CA certificates in order to complete a certificate chain (SSL termination) or authenticate servers/clients.

RSA Key Pair pane

Generate a New Key Pair radio button

Select to generate a new key pair.

Key Pair Name field

Enter the name of the key pair.

We recommend that you use a key pair name that matches the Trustpoint name.

Key Size list

Specify the size of the key, in bits.

Valid key sizes are 512, 768, 1024, 1536, and 2048.

Choose 2048 for any certificate that clients will be asked to trust: 512- and 768-bit RSA moduli can be factored with modest resources, and NIST has disallowed 1024-bit RSA for signature generation since 2013 (SP 800-131A).

Allow Private Key Export check box

Select to make the new key exportable.

You must select this option to enable you to export the private key later in the wizard.

Leave it cleared unless you intend to back up the certificate or move it to another device: an exportable key can be copied off the module by anyone with privileged access, whereas a non-exportable key cannot be retrieved through the management interfaces.

Use an Existing Key Pair radio button

Select this radio button to select an existing key pair.

Key Pair Name list

1. Click to launch the Key Pair Selector dialog box (see Selecting a Key Pair for more information).

2. Select a key pair and then click OK.


Selecting a Key Pair

Column
Description

Key Pair Name

Name of a key pair.

Key Size

Size of the key pair, in bits.


Configuring SSL Certificate Attributes

The SSL Certificate Attributes wizard page allows you to enter the SSL certificate attributes for the certificate Trustpoint. Even though it is not mandatory to fill in any of these fields, you should at minimum fill in the common name (CN) field, and it must match the host name that users enter in the URL; otherwise browsers report a name mismatch for the gateway.

The following fields appear in the SSL certificate attributes dialog box.

GUI Element
Action/Description
Subject Distinguished Name (DN) pane

Common Name (CN) field

Common name to be used.

Example: server.domain.com, where server is the name of the SSL server that appears in the URL.

Email Address (EA) field

E-mail address.

Organization Unit (OU) field

Organization unit name.

Example: Marketing

Organization (O) field

Organization/business name.

Example: Cisco

Locality or City (L) field

Name of the city the organization is located in.

Example: San Jose

State or Province (ST) field

Name of the state/province the organization is located in.

Example: California

Country Code (C) field

Two-letter ISO 3166 code of the country the organization is located in.

Example: US

Include WebVPNSM Serial Number check box

Select to include the serial number of the WebVPNSM in the certificate.

Unstructured (Optional) pane

Unstructured Name field

(Optional) Enter the Fully Qualified Domain Name (FQDN) of the virtual gateway that will use this certificate.

Example: server5.domain.com

Subject IP Address field

(Optional) Enter the IP address of the virtual gateway that will use this certificate.

Other (Optional) field

Certificate Purpose list

Select one of three options:

Blank (no purpose selected)

SSL Server

SSL Client


Configuring the Enrollment Method

The Configure Enrollment Method page of the wizard allows you to specify the enrollment parameters for your certificate authority.

Enter the following information and then click Next.

GUI Element
Action/Description

CA list

Specify the name of the certificate authority (CA):

If you are configuring enrollment parameters for a new CA, choose <NEW>.

If you want to enroll with a CA already configured, select the CA from the list and modify the parameters.

Copy and Paste radio button

Select to copy and paste an SSL certificate.

Simple Certificate Enrollment Protocol (SCEP) radio button

Select to use this enrollment method.

CA Server URL field

Enter the URL of the CA server.

Challenge Password field

Enter a challenge password.

Some CAs require this password to accept the enrollment request, and you must supply it when you ask the CA administrator to revoke your certificate(s); it protects against fraudulent or mistaken revocation requests. Keep a secure record of it, because without it you cannot prove that a revocation request is yours.

Confirm Password field

Re-enter the challenge password to confirm it.

Retry Count (0-100) field

Enter the number of times the module retries the enrollment request before giving up.

Auto Renewal and Enrollment check box

Select to enable auto-enrollment.

Retry Period (1-60 min) field

Enter the interval, in minutes, between enrollment retries.

HTTP Proxy field

Enter the host name or IP address of the HTTP proxy through which enrollment traffic is sent, if the CA server is not reachable directly.

Port field

Enter the port to be used for enrollment.

TFTP radio button

Select to use TFTP for enrollment.

CA Server URL field

Enter the URL of the CA server.

Example: tftp://ipaddress/Certificates/filename

The WebVPN Services Module adds the following extensions to the filename you specify:

CA certificate—.ca

CSR—.req

SSL certificate—.crt


The TFTP and cut-and-paste methods let you generate a certificate request and install CA certificates and the module's own SSL certificate without SCEP; the files are moved through a TFTP server or pasted by hand.

You may want to use TFTP or manual cut-and-paste enrollment in the following situations:

Your certificate authority does not support Simple Certificate Enrollment Protocol (SCEP).

No network connection between the module and the certificate authority is possible. SCEP needs one, because the module fetches its certificates from the CA directly; manual enrollment carries the request and the certificates as files instead.

Saving a CSR

After you have completed the steps necessary to generate a CSR, the Certificate Signing Request (CSR) dialog box appears, displaying the text of the request.


Step 1 Click Save to File....

Step 2 Enter a filename for the request.

Step 3 Navigate to the directory where you want to save the request and click OK.
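As an added example (not code from the CVDM-WebVPNSM guide or from the module itself), the following shell script reproduces with the openssl CLI what the wizard does across the Trustpoint, SSL Certificate Attributes and Enrollment Method pages: it generates a 2048-bit RSA key pair, builds a CSR carrying the subject DN fields (using the example values from the attributes page) and writes it with the .req extension used for TFTP enrollment, then verifies the request's self-signature and reads back the subject and key size before the request is pasted into the CA. It refuses the weaker key sizes the wizard still offers. The trustpoint name, the e-mail address and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the CVDM-WebVPNSM guide: the key pair and CSR that the
# wizard builds from the Trustpoint and SSL Certificate Attributes pages, reproduced with
# the openssl CLI so the request can be inspected before it goes to the CA.
# Assumptions: the trustpoint name, the output directory and the e-mail address are
# made up for this script; the other subject values follow the attributes page examples.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TRUSTPOINT=webvpn-sm-tp          # key pair name follows the trustpoint name, as the wizard recommends
KEY_BITS="${KEY_BITS:-2048}"

# The wizard offers 512 to 2048 bits; only 2048 is acceptable for a server certificate today.
# 512- and 768-bit RSA moduli are factorable, and NIST disallowed 1024-bit RSA for
# signature generation after 2013 (SP 800-131A).
check_key_size() {  # check_key_size BITS -> exit 0 if acceptable
  case "$1" in
    2048) return 0 ;;
    512|768|1024|1536) echo "RSA-$1 is too weak for an SSL server certificate" >&2; return 1 ;;
    *) echo "RSA-$1 is not a size the wizard offers" >&2; return 1 ;;
  esac
}

# Generate the key pair and a CSR carrying the subject DN fields of the attributes page
# (unstructuredName carries the gateway FQDN from the Unstructured pane).
# The request file gets the .req extension the module uses for TFTP enrollment.
gen_csr() {
  check_key_size "$KEY_BITS"
  openssl genrsa -out "$WORK/$TRUSTPOINT.key" "$KEY_BITS" 2>/dev/null
  chmod 600 "$WORK/$TRUSTPOINT.key"
  openssl req -new -key "$WORK/$TRUSTPOINT.key" \
    -subj "/C=US/ST=California/L=San Jose/O=Cisco/OU=Marketing/CN=server.domain.com/emailAddress=admin@domain.com/unstructuredName=server5.domain.com" \
    -out "$WORK/$TRUSTPOINT.req"
}

# Checks to run on the CSR before pasting it into the CA or uploading it by TFTP.
csr_verify()   { openssl req -in "$WORK/$TRUSTPOINT.req" -noout -verify >/dev/null 2>&1; }
csr_subject()  { openssl req -in "$WORK/$TRUSTPOINT.req" -noout -subject; }
csr_key_bits() { openssl req -in "$WORK/$TRUSTPOINT.req" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

main() {
  gen_csr
  csr_verify && echo "CSR self-signature verifies with the new key"
  echo "subject:  $(csr_subject)"
  echo "key size: $(csr_key_bits) bits"
  echo "request to paste into the CA, or to upload as $TRUSTPOINT.req:"
  cat "$WORK/$TRUSTPOINT.req"
}
main
```

The subject and key-size read-back is the step worth keeping in a change record: it is the CA's evidence of what was requested, and the only point at which a wrong CN or an accidentally weak key is cheap to fix.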


Authenticating a CA and Importing an SSL Certificate

This task applies only to the manual enrollment methods, copy-and-paste and TFTP. With Simple Certificate Enrollment Protocol (SCEP), an automatic method, the CA certificate is authenticated when the certificate request is generated, and as soon as the CA issues the certificate the module retrieves and installs it; there is nothing to import by hand.

See the following sections for more information:

Using the Copy-and-Paste Method

Using the TFTP Method

Using the Copy-and-Paste Method

To import the SSL certificate obtained using the CSR via the copy-and-paste method, you first select the Trustpoint used to generate the CSR. You then specify the corresponding CA certificate for that Trustpoint as well as the appropriate SSL certificate.


Note Authenticating a CA means verifying the CA certificate's fingerprint by hand. Compare the fingerprint shown by the wizard with a value obtained from the CA administrator through a separate channel, not from the same download or paste that delivered the certificate: a substituted CA certificate carrying the correct subject name is indistinguishable from the genuine one except by its fingerprint.


Do the following:

1. Specify a Trustpoint and RSA key pair—See Specifying a Trustpoint and RSA Key Pair.

2. Specify the CA certificate configured for that Trustpoint—See Specifying the CA Certificate.

3. Specify the appropriate SSL certificate—See Specifying the SSL Certificate.

Using the TFTP Method

To import the SSL certificate obtained using the CSR via the TFTP method, first select the Trustpoint used to generate that CSR and then specify the appropriate certificates.

1. Specify a Trustpoint and RSA key pair—See Specifying a Trustpoint and RSA Key Pair.

2. Specify the appropriate certificate file—See Specifying the Certificate File.

Note the following:

You specify the same filename for both the CA and SSL certificates, and you do not include an extension. When importing, the WebVPN Services Module appends .ca to the filename to locate the CA certificate and .crt to locate the SSL certificate.

Importing a CA Certificate or CA Certificate Chain

To install either a CA certificate chain or CA certificate, select the Install CA Certificate Chain or CA Certificate radio button from the Specify Trustpoint and RSA Key Pair wizard page. When installing a chain, you need to set up a Trustpoint for each of the CA certificates in that chain. For each of these Trustpoints, the Trustpoint name you specify will be used as the prefix. Optionally, you can modify each of these Trustpoint names when specifying the CA certificates.
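As an added example (not from the guide and not the module's code), the following shell script builds a constructed two-tier PKI with the openssl CLI to show the two checks the wizard leaves to the operator when certificates are imported by hand: authenticating a CA by its fingerprint, and installing every CA certificate in the path when the issuer is a subordinate CA. A second, rogue root with the same subject DN as the real one shows why the fingerprint and not the name is what you verify; the server certificate fails to validate until the subordinate CA certificate is present, and fails again under the rogue root. All subjects, file names and paths are assumptions; .ca and .crt follow the module's naming convention for CA and SSL certificates.

```shell
#!/bin/sh
# Added example, not code from the CVDM-WebVPNSM guide: a constructed two-tier PKI built
# with the openssl CLI to show the checks an operator performs when importing certificates
# by hand: CA fingerprint verification and completeness of the CA certificate chain.
# All names, subjects and file paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DAYS=30

# Issue a certificate: a CA (IS_CA=1, written as NAME.ca) or an SSL server certificate
# (IS_CA=0, written as NAME.crt). With no ISSUER the certificate is self-signed (a root).
# Extensions come from an explicit file so the result does not depend on openssl.cnf.
make_cert() {  # make_cert NAME SUBJECT IS_CA [ISSUER]
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.req"
  if [ "$3" = 1 ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/$1.ext"
    out="$WORK/$1.ca"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/$1.ext"
    out="$WORK/$1.crt"
  fi
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$WORK/$1.req" -CA "$WORK/$4.ca" -CAkey "$WORK/$4.key" -CAcreateserial \
      -days "$DAYS" -extfile "$WORK/$1.ext" -out "$out" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.req" -signkey "$WORK/$1.key" \
      -days "$DAYS" -extfile "$WORK/$1.ext" -out "$out" 2>/dev/null
  fi
}

# SHA-256 fingerprint of a certificate: the value the wizard asks you to verify by hand.
fingerprint() {  # fingerprint CERTFILE
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Accept a CA certificate only if its fingerprint equals the value obtained out of band.
verify_ca_fingerprint() {  # verify_ca_fingerprint CERTFILE EXPECTED
  [ "$(fingerprint "$1")" = "$2" ]
}

# Does the server certificate chain to ROOT, given the CA certificates installed with it?
chain_verifies() {  # chain_verifies LEAF ROOT [SUBORDINATE]
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

build_pki() {
  make_cert root   "/O=Example Corp/CN=Example Root CA"    1
  make_cert sub    "/O=Example Corp/CN=Example Issuing CA" 1 root
  make_cert server "/O=Example Corp/CN=server.domain.com"  0 sub
  # A second self-signed CA with the same subject DN as the real root: it cannot be told
  # apart by name, only by its fingerprint.
  make_cert rogue  "/O=Example Corp/CN=Example Root CA"    1
}

main() {
  build_pki
  # Stand-in for the fingerprint the CA administrator gave you over a separate channel.
  expected=$(fingerprint "$WORK/root.ca")
  verify_ca_fingerprint "$WORK/root.ca"  "$expected" && echo "root CA fingerprint matches"
  verify_ca_fingerprint "$WORK/rogue.ca" "$expected" || echo "rogue CA rejected despite an identical DN"
  chain_verifies "$WORK/server.crt" "$WORK/root.ca" || echo "server cert does not verify without the subordinate CA"
  chain_verifies "$WORK/server.crt" "$WORK/root.ca" "$WORK/sub.ca" && echo "chain complete once the subordinate CA is installed"
  chain_verifies "$WORK/server.crt" "$WORK/rogue.ca" "$WORK/sub.ca" || echo "rogue root cannot validate the chain"
}
main
```

The expected fingerprint in the script stands in for a value you would get from the CA administrator by phone or in a signed message; in practice never take it from the same file or web page that delivered the certificate. The failing verification without sub.ca is exactly the state of a module on which only the root was imported, which is why the note above requires every CA certificate in the certification path to be installed.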