Table Of Contents
Cisco IOS SSL VPN
Cisco IOS SSL VPN links on Cisco.com
Creating an SSL VPN Connection
Create an SSL VPN Connection Reference
Create SSL VPN
Persistent Self-Signed Certificate
Welcome
SSL VPN Gateways
User Authentication
Configure Intranet Websites
Add or Edit URL
Customize SSL VPN Portal
SSL VPN Passthrough Configuration
User Policy
Details of SSL VPN Group Policy: Policyname
Select the SSL VPN User Group
Select Advanced Features
Thin Client (Port Forwarding)
Add or Edit a Server
Full Tunnel
Locating the Install Bundle for Cisco SDM
Enable Cisco Secure Desktop
Common Internet File System
Enable Clientless Citrix
Summary
Editing SSL VPN Connections
Editing SSL VPN Connection Reference
Edit SSL VPN
SSL VPN Context
Designate Inside and Outside Interfaces
Select a Gateway
Context: Group Policies
Group Policy: General Tab
Group Policy: Clientless Tab
Group Policy: Thin Client Tab
Group Policy: SSL VPN Client (Full Tunnel) Tab
Advanced Tunnel Options
DNS and WINS Servers
Context: HTML Settings
Select Color
Context: NetBIOS Name Server Lists
Add or Edit a NBNS Server List
Add or Edit an NBNS Server
Context: Port Forward Lists
Add or Edit a Port Forward List
Context: URL Lists
Add or Edit a URL List
Context: Cisco Secure Desktop
SSL VPN Gateways
Add or Edit a SSL VPN Gateway
Packages
Install Package
Additional Help Topics
Cisco IOS SSL VPN Contexts, Gateways, and Policies
Learn More about Port Forwarding Servers
Learn More About Group Policies
Learn More About Split Tunneling
How do I verify that my Cisco IOS SSL VPN is working?
How do I configure a Cisco IOS SSL VPN after I have configured a firewall?
How do I associate a VRF instance with a Cisco IOS SSL VPN context?
Cisco IOS SSL VPN
Cisco IOS SSL VPN provides Secure Sockets Layer (SSL) VPN remote-access connectivity from almost any Internet-enabled location using only a web browser and its native SSL encryption. This enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
Cisco IOS SSL VPN also enables access from noncorporate-owned machines, including home computers, Internet kiosks, and wireless hotspots, where an IT department cannot easily deploy and manage the VPN client software necessary for IPsec VPN connections.
There are three modes of SSL VPN access: clientless, thin-client and full-tunnel client. Cisco SDM supports all three. Each mode is described below:
•
Clientless SSL VPN—Clientless mode provides secure access to private web resources and web content through the browser alone, with no software installed on the client PC. This mode is useful for most content that you would expect to use within a web browser, such as intranet pages and online tools that employ a web interface.
•
Thin Client SSL VPN (port-forwarding Java applet)—Thin Client mode extends the cryptographic functions of the web browser by downloading a small Java applet that forwards TCP connections through the SSL session, enabling remote access to TCP-based applications such as POP3, SMTP, IMAP, Telnet, and SSH.
•
Full Tunnel Client SSL VPN—Full tunnel client mode offers extensive application support through its dynamically downloaded SSL VPN client software for Cisco IOS SSL VPN. The Full Tunnel Client for Cisco IOS SSL VPN is a lightweight, centrally configured, and easy-to-support SSL VPN tunneling client that provides network-layer connectivity to virtually any application.
Cisco IOS SSL VPN Contexts, Gateways, and Policies describes how the components of a Cisco IOS SSL VPN configuration work together.
Click Cisco IOS SSL VPN links on Cisco.com for links to Cisco IOS SSL VPN documents.
This chapter contains the following sections:
•
Cisco IOS SSL VPN links on Cisco.com
•
Creating an SSL VPN Connection
•
Editing SSL VPN Connections
•
Additional Help Topics
Cisco IOS SSL VPN links on Cisco.com
This help topic lists the current links that provide the most useful information on Cisco IOS SSL VPN.
The following link provides access to documents that describe Cisco IOS SSL VPN. Return to this link from time to time for the latest information.
www.cisco.com/go/iosSSLVPN
The following link explains how to configure a AAA server using the RADIUS protocol for Cisco IOS SSL VPN.
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805eeaea.html#wp1396461
Creating an SSL VPN Connection
To create an SSL VPN connection, complete the following tasks:
Step 1
If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
Step 2
On the Cisco SDM toolbar, click Configure.
Step 3
On the Cisco SDM category bar, click VPN.
Step 4
In the VPN tree, choose SSL VPN.
Step 5
In the Create SSL VPN tab, complete any recommended tasks that are displayed by clicking the link for the task. Cisco SDM either completes the task for you, or displays the necessary configuration screens for you to make settings in.
Step 6
Choose the task you want to complete. If you are creating the first SSL VPN connection, choose Create a new SSL VPN.
Step 7
Click Launch the selected task to begin configuring the connection.
Step 8
Make configuration settings in the wizard screens. Click Next to go from the current screen to the next screen. Click Back to return to a screen you have previously visited.
Step 9
Cisco SDM displays the Summary screen when you have completed the configuration. Review the configuration. If you need to make changes, click Back to return to the screen in which you need to make changes, then return to the Summary screen.
Step 10
If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click OK to send the configuration to the router, or click Cancel to discard it. If you did not make this setting, clicking Finish sends the configuration to the router.
Create an SSL VPN Connection Reference describes the screens that you use to complete this task.
Create an SSL VPN Connection Reference
The topics in this section describe the Create SSL VPN screens.
•
Create SSL VPN
•
Persistent Self-Signed Certificate
•
Welcome
•
SSL VPN Gateways
•
User Authentication
•
Configure Intranet Websites
•
Add or Edit URL
•
Customize SSL VPN Portal
•
SSL VPN Passthrough Configuration
•
User Policy
•
Details of SSL VPN Group Policy: Policyname
•
Select the SSL VPN User Group
•
Select Advanced Features
•
Thin Client (Port Forwarding)
•
Add or Edit a Server
•
Full Tunnel
•
Locating the Install Bundle for Cisco SDM
•
Enable Cisco Secure Desktop
•
Common Internet File System
•
Enable Clientless Citrix
•
Summary
Create SSL VPN
You can use Cisco IOS SSL VPN wizards to create a new Cisco IOS SSL VPN or to add new policies or features to an existing Cisco IOS SSL VPN.
Click Cisco IOS SSL VPN to get an overview of the features that Cisco SDM supports. Cisco IOS SSL VPN Contexts, Gateways, and Policies describes how the components of a Cisco IOS SSL VPN configuration work together.
Click Cisco IOS SSL VPN links on Cisco.com for links to Cisco IOS SSL VPN documents.
Prerequisite Tasks
AAA and certificates must be configured on the router before you can begin a Cisco IOS SSL VPN configuration. If either or both of these configurations are missing, a notification appears in this area of the window, and a link is provided that enables you to complete the missing configuration. When all prerequisite configurations are complete, you can return to this window and start configuring Cisco IOS SSL VPN.
Cisco SDM enables AAA without user input. Cisco SDM can help you generate public and private keys for the router, and enroll them with a certification authority to obtain digital certificates. See Public Key Infrastructure for more information. Alternatively, you can configure a persistent self-signed certificate that does not require approval by a CA. For more information on the persistent self-signed certificate feature, see the information at this link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008040adf0.html#wp1066623
Make sure that the entire URL is present in the link field in your browser.
Create a new SSL VPN
Select this option to create a new Cisco IOS SSL VPN configuration. This wizard enables you to create a Cisco IOS SSL VPN with one user policy and a limited set of features. After you complete this wizard, you can use the other wizards to configure additional policies and features for the Cisco IOS SSL VPN. You can return to this wizard to create additional Cisco IOS SSL VPN configurations.
When you use Cisco SDM to create the first Cisco IOS SSL VPN configuration on a router, you create a Cisco IOS SSL VPN context, configure a gateway, and create a group policy. After you complete the wizard, click Edit SSL VPN to view the configuration and familiarize yourself with how Cisco IOS SSL VPN components work together. For information that will help you understand what you see, click Cisco IOS SSL VPN Contexts, Gateways, and Policies.
Add a new policy to an existing SSL VPN for a new group of users
Select this option to add a new policy to an existing Cisco IOS SSL VPN configuration for a new group of users. Multiple policies allow you to define separate sets of capabilities for different groups of users. For example, you might define a policy for engineering, and a separate policy for sales.
Configure advanced features for an existing SSL VPN
Select this option to configure additional features for an existing Cisco IOS SSL VPN policy. You must specify the context under which this policy is configured.
Launch the selected task button
Click to begin the configuration that you selected. You will receive a warning message if you cannot complete the task that you chose. If there is a prerequisite task that you need to complete, you will be told what it is and how to complete it.
Persistent Self-Signed Certificate
You can provide the information for a persistent self-signed certificate in this dialog. Using the information that you provide, the HTTPS server generates a certificate that is used in the SSL handshake. Persistent self-signed certificates remain in the configuration even if the router is reloaded, and are presented during the SSL handshake process. New users must manually accept these certificates, but users who have previously done so do not have to accept them again if the router was reloaded. Because no CA vouches for a self-signed certificate, a browser cannot tell the router's certificate from one presented by an attacker on the first connection; distribute the certificate fingerprint to users through another channel so they can compare it before accepting.
For more information on the persistent self-signed certificate feature, see the information at this link:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008040adf0.html#wp1066623
Make sure that the entire URL is present in the link field in your browser.
Name
Cisco SDM places the name Router_Certificate in this field. You can change the name if you want to do so. This corresponds to the subject name that would be used in a certificate request.
Length of RSA Key
Cisco SDM places the value 512 in this field. The key length must be a multiple of 64. Do not keep the default: a 512-bit RSA key can be factored with modest computing resources and is rejected by current browsers. Specify a longer key, with 2048 bits as the minimum for a certificate that users are expected to trust.
Subject
Provide the information for the fields in the subject area. For more information on these fields, see the information in Other Subject Attributes.
Generate Button
After providing the information in this window, click Generate to have the router create the persistent self-signed certificate.
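The commands that this dialog delivers to the router, shown here as an added example rather than the page's own command listing. The first key generation is what the dialog defaults produce and is shown only to be recognized and avoided; the second form is the corrected configuration. The key labels, trustpoint name, and subject attributes are assumed values.

```cisco
! Added example, not the page's own listing. Key labels, the trustpoint
! name TP-SSLVPN and the subject attributes are assumed values.

! --- Weak form: the dialog default (512-bit RSA). Shown for recognition only. ---
crypto key generate rsa label WEAK-KEY modulus 512
!
! --- Corrected form: 2048-bit key behind a persistent self-signed certificate ---
crypto key generate rsa label SSLVPN-KEY modulus 2048
!
crypto pki trustpoint TP-SSLVPN
 enrollment selfsigned
 subject-name CN=Router_Certificate,O=Example Corp,C=US
 rsakeypair SSLVPN-KEY
!
! Create the self-signed certificate (what the Generate button does).
crypto pki enroll TP-SSLVPN
!
! Record the fingerprint so it can be given to users out of band; they
! compare it against the browser prompt on their first connection.
show crypto pki certificates verbose TP-SSLVPN
```

The trustpoint is what the gateway later refers to with ssl trustpoint; the certificate survives reloads because it is written to the startup configuration with the trustpoint.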
Welcome
The Welcome window for each wizard lists the tasks that the wizard enables you to complete. Use this information to ensure that you are using the correct wizard. If you are not, click Cancel to return to the Create SSL VPN window and choose the wizard that you want to use.
When you provide all the information asked for by the wizard, the Summary window displays the information that you provided. To see the Cisco IOS CLI commands that you are delivering to the router, click Cancel to leave the wizard, and go to Edit > Preferences, and check Preview commands before delivering to router. Then restart the wizard and provide the information that it asks for. When you deliver the configuration to the router, an additional window is displayed that allows you to view the Cisco IOS CLI commands you are delivering.
SSL VPN Gateways
A Cisco IOS SSL VPN gateway provides the IP address and the digital certificate for the SSL VPN contexts that use it. You can provide the information for a gateway in this window, and the information that will allow users to access a portal.
IP Address and Name Fields
Use these fields to create the URL that users will enter to access the Cisco IOS SSL VPN portal. The IP address list contains the IP addresses of all configured router interfaces, and all existing Cisco IOS SSL VPN gateways. You can use the IP address of a router interface if it is a public address that the intended clients can reach, or you can use another public IP address that the clients can reach.
If you use an IP address that has not already been used for a gateway, you create a new gateway.
Allow Cisco SDM access through IP Address Checkbox
Check if you want to continue to access Cisco SDM from this IP address. This checkbox appears if you entered the IP address you are currently using to access Cisco SDM.
Note
If you check this checkbox, the URL that you must use to access Cisco SDM changes after you deliver the configuration to the router. Review the information area at the bottom of the window to learn which URL to use. Cisco SDM places a shortcut to this URL on the desktop of your PC that you can use to access Cisco SDM in the future.
Digital certificate
If you are creating a new gateway, select the digital certificate that you want the router to present to clients when they log in to the gateway. If you chose the IP address of an existing gateway, the router will use the digital certificate configured for that gateway, and this field is disabled.
Information area
When you provide the information in the IP Address and Name fields, this area contains the URL that users will enter. You must provide this URL to the users for whom you are creating this Cisco IOS SSL VPN.
If you checked Allow Cisco SDM access through IP address, the URL that you must use in the future to access Cisco SDM is shown in this area. Cisco SDM places a shortcut to this URL on the desktop of your PC after you deliver the Cisco IOS SSL VPN configuration to the router.
User Authentication
Use this window to specify how the router is to perform user authentication. The router can authenticate Cisco IOS SSL VPN users locally, or it can send authentication requests to remote AAA servers.
External AAA server Button
Click if you want the router to use an AAA server to authenticate Cisco IOS SSL VPN users. The router will use the AAA servers that are listed in this window. If there are no AAA servers configured, you can configure them in this window. To use this option, there must be at least one AAA server configured on the router.
Locally on this router Button
Click if you want the router to authenticate users itself. The router will authenticate each user displayed in this window. If no users are configured on the router, you can add users in this window.
First on an external AAA server and then locally on this router Button
Click if you want the router to authenticate using a AAA server first and to fall back to local authentication if the AAA server cannot be reached. The fallback happens only when the AAA method returns an error (for example, no server responds); a user whose credentials the AAA server rejects is not retried locally. If the user is not configured on either a configured AAA server or locally on the router, authentication for that user fails.
Use the AAA authentication method list Button
Click if you want the router to use a method list for authentication. A method list contains the authentication methods that should be used, in order. The router attempts the first authentication method in the list. If that method returns an error (for example, the server cannot be reached), the router tries the next method and continues until a method returns a result or it reaches the end of the list. A method that rejects the credentials ends the attempt; later methods in the list are not consulted.
AAA servers configured for this router List
This list contains the AAA servers that the router uses to authenticate users. If you choose to authenticate users with AAA servers, this list must contain the name or IP address of at least one server. Use the Add button to add information for a new server. To manage AAA configurations on the router, leave the wizard, click Additional Tasks, and then click the AAA node in the Additional Tasks tree. This list does not appear if you have chosen Locally on this router.
Create user accounts locally on this router
Enter the users that you want the router to authenticate in this list. Use the Add and Edit buttons to manage the users on the router. This list does not appear if you chose External AAA server.
Configure Intranet Websites
Configure groups of intranet websites that you want users to have access to in this window. These links will appear in the portal that the users of this Cisco IOS SSL VPN see when they log in.
Action and URL List Columns
If you are adding a policy to an existing Cisco IOS SSL VPN context, there may be URL lists present in the table that is displayed. Check Select if you want to use a displayed URL list for the policy.
To create a new list, click Add and provide the required information in the dialog displayed. Use the Edit and Delete buttons to change or remove URL lists in this table.
Add or Edit URL
Add or edit the information for a Cisco IOS SSL VPN link in this window.
Label
The label appears in the portal that is displayed when users log in to the Cisco IOS SSL VPN. For example, you might use the label Payroll calendar if you are providing a link to the calendar showing paid holidays and paydays.
URL Link
Enter or edit the URL to the corporate intranet website that you want to allow users to visit.
Customize SSL VPN Portal
The settings that you make in this screen determine the appearance of the portal to the user. You can select among the predefined themes listed, and obtain a preview of the portal as it would appear if that theme were used.
Theme
Select the name of a predefined theme.
Preview
This area shows what the portal looks like with the selected theme. You may want to preview several themes to determine which one you want to use.
SSL VPN Passthrough Configuration
In order for users to be able to connect, access control entries (ACEs) must be added to the firewall and Network Admission Control (NAC) configurations to permit SSL traffic to reach the Cisco IOS SSL VPN gateway. Cisco SDM can configure these ACEs for you, or you can configure them yourself by going to Firewall and ACL > Edit Firewall Policy/ACL and making the necessary edits.
If you are working in the Cisco IOS SSL VPN wizard, click Allow SSL VPN to work with NAC and Firewall if you want Cisco SDM to configure these ACEs. Click View Details to view the ACEs that Cisco SDM would create. An entry that Cisco SDM adds might look like this example:
permit tcp any host 172.16.5.5 eq 443
The source is any because remote users connect from arbitrary Internet addresses; the destination is limited to the gateway address and its listening port. Check that the port in the ACE matches the port configured on the gateway, and that the entry is placed before any deny entry in the same ACL that would otherwise match the traffic.
If you are editing a Cisco IOS SSL VPN context, Cisco SDM displays the affected interface and the ACL that is applied to it. Click Modify to allow Cisco SDM to add entries to the ACL to allow SSL traffic to pass through the firewall. Click Details to view the entry that Cisco SDM adds. The entry is similar to the one shown above.
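What the Create a new SSL VPN wizard delivers, drawn together as an added example (not the wizard's own generated output) for the gateway, user authentication, intranet website, and passthrough windows above. The gateway address 172.16.5.5 is the one used in the ACE example; every other name and address (the RADIUS server, the shared secret, the local user, the intranet URL, the ACL name, and the outside interface) is an assumption, and TP-SSLVPN is assumed to be an existing trustpoint.

```cisco
! Added example, not the wizard's own output. Names and addresses other than
! the gateway address are assumed; TP-SSLVPN is an existing trustpoint.

! User authentication: RADIUS first, local users only if no server answers.
aaa new-model
radius-server host 10.0.0.20 auth-port 1812 acct-port 1813 key <shared-secret>
aaa authentication login SSLVPN-AUTH group radius local
username sslvpn-user secret <password>
!
! Gateway: the public address and the certificate that users connect to.
webvpn gateway SSLVPN-GW
 ip address 172.16.5.5 port 443
 ssl trustpoint TP-SSLVPN
 inservice
!
! Context: binds the gateway, the method list, the portal URL list and
! the group policy together. Users reach the portal at https://172.16.5.5/
webvpn context Corporate
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 url-list "Intranet"
   heading "Intranet links"
   url-text "Payroll calendar" url-value "http://intranet.example.com/payroll"
 policy group Engineering
   url-list "Intranet"
 default-group-policy Engineering
 inservice
!
! Passthrough: the ACE from the text, placed in the ACL applied inbound on
! the outside interface, ahead of the deny that closes the ACL.
ip access-list extended OUTSIDE-IN
 permit tcp any host 172.16.5.5 eq 443
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

Choosing "First on an external AAA server and then locally on this router" in the wizard corresponds to the group radius local method list shown; the local user is consulted only when no RADIUS server responds.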
User Policy
This window allows you to choose an existing Cisco IOS SSL VPN and add a new policy to it. For example, you might have created a Cisco IOS SSL VPN named Corporate, and you want to define intranet access for a new group of users that you name Engineering.
Select existing SSL VPN
Choose the Cisco IOS SSL VPN for which you want to create a new group of users. The policies already configured for that Cisco IOS SSL VPN are displayed in a box under the list. You can click any of them to display the details of the policy. See Details of SSL VPN Group Policy: Policyname for more information.
Name of new policy
Enter the name that you want to give the new group of users. The area below this field lists the group policies that already exist for this Cisco IOS SSL VPN.
Details of SSL VPN Group Policy: Policyname
This window displays the details of an existing Cisco IOS SSL VPN policy.
Services
This area lists the services, such as URL mangling, and Cisco Secure Desktop, that this policy is configured for.
URLs exposed to users
This area lists the intranet URLs exposed to users who are governed by this policy.
Servers exposed to users
This area displays the IP addresses of the port forwarding servers that this policy is configured to use.
WINS servers
This area displays the IP addresses of the WINS servers that this policy is configured to use.
Select the SSL VPN User Group
Choose the Cisco IOS SSL VPN and associated user group for which you want to configure advanced services in this window.
SSL VPN
Choose the Cisco IOS SSL VPN that the user group is associated with from this list.
User Group
Choose the user group for which you will configure advanced features. The contents of this list is based on the Cisco IOS SSL VPN that you chose.
Select Advanced Features
Choose the features that you want to configure in this window. The wizard will display windows that allow you to configure the features that you choose.
For example, if you click Thin Client (Port Forwarding), Cisco Secure Desktop, and Common Internet File System (CIFS), the wizard will display configuration windows for these features.
You must choose at least one feature to configure.
Thin Client (Port Forwarding)
Remote workstations must sometimes run client applications to be able to communicate with intranet servers. For example, Internet Message Access Protocol (IMAP) or Simple Mail Transfer Protocol (SMTP) servers may require workstations to run client applications in order to send and receive e-mail. The Thin-Client feature, also known as port forwarding, allows a small applet to be downloaded along with the portal so that a remote workstation can communicate with the intranet server.
This window contains a list of the servers and port numbers configured for the intranet. Use the Add button to add a server IP address and port number. Use the Edit and Delete buttons to make changes to the information in this list and to remove information for a server.
The list that you build appears in the portal that clients see when they log in.
Add or Edit a Server
Add or edit server information in this window.
Server IP Address
Enter the IP address or hostname of the server.
Server port on which service is listening
Enter the port the server is listening on for this service. This may be a standard port number for the service, such as port number 23 for Telnet, or it may be a nonstandard port number for which a Port-to-Application Map (PAM) has been created. For example if you changed the Telnet port number on the server to 2323, and you created a PAM entry for that port on that server, you would enter 2323 in this window.
Port on Client PC
Cisco SDM enters a number in this field, beginning with the number 3000. Each time you add an entry, Cisco SDM increments the number by 1. Use the entries that Cisco SDM has placed in this field.
Description
Enter a description for the entry. For example, if you are adding an entry that enables users to telnet to a server at 10.10.11.2, you could enter "Telnet to 10.10.11.2." The description you enter appears on the portal.
Learn More
Click this link for more information. You can view that information now by clicking Learn More about Port Forwarding Servers.
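The port-forward list that the Thin Client window and the Add or Edit a Server dialog build, shown as an added example rather than the page's own listing. The server 10.10.11.2, the Telnet ports 23 and 2323, and the client ports starting at 3000 come from the text; the context, list, and policy names, the mail server, and the ACL number are assumptions.

```cisco
! Added example, not the page's own listing. Context, list and policy names,
! the mail server name and the ACL number are assumed values.
webvpn context Corporate
 port-forward "Engineering-PF"
   local-port 3000 remote-server "10.10.11.2" remote-port 23 description "Telnet to 10.10.11.2"
   local-port 3001 remote-server "10.10.11.2" remote-port 2323 description "Telnet (port 2323) to 10.10.11.2"
   local-port 3002 remote-server "mail.example.com" remote-port 143 description "IMAP on mail.example.com"
 policy group Engineering
   port-forward "Engineering-PF"
!
! Port-to-Application Map entry for the nonstandard Telnet port, so that
! firewall inspection treats TCP/2323 on this one server as Telnet.
access-list 10 permit host 10.10.11.2
ip port-map telnet port 2323 list 10
```

Every entry in the list is reachable by every user who receives this policy, and the list itself is displayed on the portal, so keep it to the servers and ports the group actually needs. Entries given as hostnames require the applet to edit the hosts file on the client PC, which needs local administrator rights there.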
Full Tunnel
Full tunnel clients must download the full tunnel software and obtain an IP address from the router. Use this window to configure the IP address pool that full tunnel clients will draw from when they log in and to specify the location of the full tunnel install bundle.
Note
If the software install bundle is not already installed, there must be sufficient memory in router flash for Cisco SDM to install it after you complete this wizard.
Enable Full Tunnel Checkbox
Check to allow the router to download the full tunnel client software to the user's PC, and to enable the other fields in this window.
IP Address Pool
Specify the IP address pool that full tunnel clients will draw from. You can enter the name of an existing pool in the field, or you can click the button to the right of the field and choose Select an existing IP pool to browse the list of pools, or choose Create a new pool and complete the dialog that is displayed. The address pool that you choose or create must contain addresses in the corporate intranet.
Keep the Full Tunnel Client software installed on client's PC Checkbox
Check if you want the Full Tunnel software to remain on the client's PC after they have logged off. If you do not check this checkbox, clients download the software each time they establish communication with the gateway.
Install Full Tunnel Client Checkbox
Check if you want to install the full tunnel client software at this time. You can also install the client software when editing this Cisco IOS SSL VPN.
The full tunnel client software must be installed on the router so that clients can download it to establish full-tunnel connectivity. If the Full Tunnel software was installed along with Cisco SDM, the path to it automatically appears in the Location field, as shown in Example 21-1.
Example 21-1 Full Tunnel Package Installed on Router
flash:sslclient-win-1.0.2.127.pkg
In Example 21-1, the Full Tunnel install bundle is loaded in router flash. If your router's primary device is a disk or a slot, the path that you see will start with diskN: or slotN:, where N is the device number.
If this field is empty, you must locate the install bundle so that Cisco SDM can load it onto the router primary device, or download the software install bundle from Cisco.com by clicking on the Download latest... link at the bottom of the window. This link takes you to the following web page:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sslvpnclient
Note
You may need a CCO username and password in order to obtain software from Cisco software download sites. To obtain these credentials, click Register at the top of any Cisco.com webpage and provide the information asked for. Your userid and password will be e-mailed to you.
Click Locating the Install Bundle for Cisco SDM to learn how to locate the Full Tunnel software install bundle, and supply a path to it for Cisco SDM to use.
Advanced Button
Click to configure advanced options such as split tunneling, split DNS, and client Microsoft Internet Explorer settings.
Locating the Install Bundle for Cisco SDM
Use the following procedure to locate software install bundles for Cisco SDM so that it can use that location in the Cisco IOS SSL VPN configuration, or, if necessary, load the software onto the router.
Note
You may need a CCO username and password in order to obtain software from Cisco software download sites. To obtain these credentials, click Register at the top of any Cisco.com webpage and provide the information asked for. Your userid and password will be e-mailed to you.
Step 1
Look at the Location field. If the path to the install bundle is in that field, no further action need be taken. Cisco SDM configures the router to download the software from that location. Example 21-2 shows a path to a software install bundle.
Example 21-2 Full Tunnel Package Installed on Router
flash:sslclient-win-1.0.2.127.pkg
Step 2
If the Location field is empty, click the ... button to the right of the field to specify the location of the software.
Step 3
If the software is installed on the router, choose Router File System and then browse for the file.
If the software is on your PC, choose My Computer and browse for the file.
Cisco SDM places the router file system or PC path you specified in the Location field.
Step 4
If the software is not on the router or on your PC, you must download it to your PC, and then provide the path to the file in this field.
a.
Click the Download latest... link in the window. You are connected to the download page for the software you want.
b.
There may be software packages available for Cisco IOS platforms and other platforms on the web page that appears. Double-click the latest version of the software that you want to download for Cisco IOS platforms, and provide your CCO username and password when prompted to do so.
c.
Download the package to the PC.
d.
In the Cisco IOS SSL VPN wizard, click the ... button to the right of the Location field, choose My Computer in the Select Location window that is displayed, and navigate to the directory in which you placed the file.
e.
Select the install bundle file, then click OK in the Select Location window. Cisco SDM places that path in the Location field. Example 21-3 shows an install bundle located on the PC's desktop.
Example 21-3 Full Tunnel Install Bundle Located on the PC
C:\Documents and Settings\username\Desktop\sslclient-win-1.1.0.154.pkg
Cisco SDM installs the software onto the router from the PC directory that you specified when you deliver the configuration to the router by clicking Finish.
Enable Cisco Secure Desktop
The router can install Cisco Secure Desktop on the user PC when the user logs in to the Cisco IOS SSL VPN. Web transactions can leave cookies, browser history files, e-mail attachments, and other files on the PC after the user logs out. Cisco Secure Desktop creates a secure partition on the desktop and uses a U.S. Department of Defense sanitization algorithm to overwrite and remove the files after the session terminates. This limits what a session leaves behind on a shared or unmanaged PC; it does not protect the session from a PC that is already compromised, so it complements, rather than replaces, restricting what users on such PCs can reach.
Install Cisco Secure Desktop
Clients must download the Cisco Secure Desktop software install bundle from the router. If this software was installed along with Cisco SDM, the path to it automatically appears in the Location field as shown in Example 21-4.
Example 21-4 Cisco Secure Desktop Package Installed on Router
flash:/securedesktop-ios-3.1.0.29-k9.pkg
In Example 21-4, the Cisco Secure Desktop install bundle is loaded in router flash. If your router's primary device is a disk or a slot, the path that you see will start with diskN: or slotN:, where N is the device number.
If this field is empty, you must locate the install bundle so that Cisco SDM can load it onto the router primary device, or download the software install bundle from Cisco.com by clicking the Download latest... link at the bottom of the window. This link takes you to the following web page:
http://www.cisco.com/pcgi-bin/tablebuild.pl/securedesktop
Note
You may need a CCO username and password in order to obtain software from Cisco software download sites. To obtain these credentials, click Register at the top of any Cisco.com webpage and provide the information asked for. Your userid and password will be e-mailed to you.
Click Locating the Install Bundle for Cisco SDM to learn how to locate the Cisco Secure Desktop software install bundle, and supply a path to it for Cisco SDM to use.
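An added example serving both the Full Tunnel window and the Enable Cisco Secure Desktop window above; it is not the wizard's own generated output. The package paths are the ones shown in Examples 21-1 and 21-4. The pool range, the context and policy names, the DNS server, the domain, and the split-tunnel subnet are assumptions.

```cisco
! Added example, not the wizard's own output. Pool range, context and policy
! names, DNS server, domain and the split-tunnel subnet are assumed values.

! Install bundles from router flash (paths as in Examples 21-1 and 21-4).
webvpn install svc flash:sslclient-win-1.0.2.127.pkg
webvpn install csd flash:/securedesktop-ios-3.1.0.29-k9.pkg
!
! Address pool for full tunnel clients; must lie inside the corporate intranet.
ip local pool SSLVPN-POOL 10.20.30.10 10.20.30.50
!
webvpn context Corporate
 csd enable
 policy group Engineering
   functions svc-enabled
   svc address-pool "SSLVPN-POOL"
   svc keep-client-installed
   svc dns-server primary 10.0.0.10
   svc default-domain "example.com"
   svc split include 10.0.0.0 255.0.0.0
   svc split dns "example.com"
```

svc keep-client-installed is the "Keep the Full Tunnel Client software installed on client's PC" checkbox; csd enable is the Enable Cisco Secure Desktop checkbox. The two svc split lines are what the Advanced button's split tunneling option produces: only 10.0.0.0/8 traffic enters the tunnel and everything else leaves the client directly, which means the client is reachable from the Internet and the intranet at the same time. Omit both lines to force all client traffic through the router, where the corporate firewall policy applies to it.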
Common Internet File System
Common Internet File System (CIFS) allows clients to remotely browse, access, and create files on Microsoft Windows-based file servers using a web browser interface.
WINS Servers
Microsoft Windows Internet Naming Service (WINS) servers maintain the database that maps client IP addresses to their corresponding NetBIOS names. Enter the IP addresses of the WINS servers in your network in this box. Use semicolons (;) to separate addresses.
For example, to enter the IP addresses 10.0.0.18 and 10.10.10.2, you enter 10.0.0.18;10.10.10.2 in this box.
Permissions
Specify the permissions to grant to users.
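The NetBIOS name server list and file-access permissions that this window configures, shown as an added example rather than the page's own listing. The WINS addresses 10.0.0.18 and 10.10.10.2 are the ones used in the text; the context, list, and policy names are assumptions.

```cisco
! Added example, not the page's own listing. Context, list and policy names
! are assumed; the WINS addresses are those used in the text.
webvpn context Corporate
 nbns-list "Corporate-WINS"
   nbns-server 10.0.0.18 master
   nbns-server 10.10.10.2
 policy group Engineering
   nbns-list "Corporate-WINS"
   functions file-access
   functions file-browse
   functions file-entry
```

file-access lets users open the CIFS share list, file-browse lets them list directories, and file-entry lets them create and upload files. Grant file-entry only to groups that need write access: every share the WINS servers resolve becomes writable through the portal for those users.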
Enable Clientless Citrix
Clientless Citrix allows users to run applications such as Microsoft Word or Excel on remote servers in the same way that they would run them locally, without the need for client software on the PC. The Citrix software must be installed on one or more servers on a network that the router can reach.
Citrix Server
Use the Add button to enter a Citrix server, and the Edit and Delete buttons to change or remove servers in this list.
Summary
This window displays a summary of the Cisco IOS SSL VPN configuration that you have created. Click Finish to deliver the configuration to the router, or click Back to return to a wizard window to make changes.
To see the CLI commands that you are delivering to the router, go to Edit > Preferences, and check Preview commands before delivering to router.
Editing SSL VPN Connections
To edit an SSL VPN connection, complete the following tasks:
Step 1
If you want to review the Cisco IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.
Step 2
In the Cisco SDM toolbar, click Configure.
Step 3
In the Cisco SDM taskbar, click VPN.
Step 4
In the VPN tree, click SSL VPN.
Step 5
Click Edit SSL VPN.
Step 6
Choose the SSL VPN connection that you want to edit.
Step 7
Click Edit. Then, make changes to the settings in the displayed dialogs.
Step 8
Click OK to close the dialog and send the changes to the router.
Step 9
If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click Deliver to send the configuration to the router, or click Cancel to discard it.
Editing SSL VPN Connection Reference describes the configuration screens.
Editing SSL VPN Connection Reference
The topics in this section describe the SSL VPN Edit screens.
• Edit SSL VPN
• SSL VPN Context
• Designate Inside and Outside Interfaces
• Select a Gateway
• Context: Group Policies
• Group Policy: General Tab
• Group Policy: Clientless Tab
• Group Policy: Thin Client Tab
• Group Policy: SSL VPN Client (Full Tunnel) Tab
• Advanced Tunnel Options
• DNS and WINS Servers
• Context: HTML Settings
• Select Color
• Context: NetBIOS Name Server Lists
• Add or Edit a NBNS Server List
• Add or Edit an NBNS Server
• Context: Port Forward Lists
• Add or Edit a Port Forward List
• Context: URL Lists
• Add or Edit a URL List
• Context: Cisco Secure Desktop
• SSL VPN Gateways
• Add or Edit a SSL VPN Gateway
• Packages
• Install Package
Edit SSL VPN
The Edit SSL VPN window allows you to modify or create Cisco IOS SSL VPN configurations. The top portion of the tab lists the configured Cisco IOS SSL VPN contexts. The bottom portion displays details for the selected context.
Click Cisco IOS SSL VPN to get an overview of the Cisco IOS SSL VPN features that Cisco SDM supports.
Click Cisco IOS SSL VPN links on Cisco.com for links to Cisco IOS SSL VPN documents.
Click Cisco IOS SSL VPN Contexts, Gateways, and Policies for a description of how the components of a Cisco IOS SSL VPN configuration work together.
SSL VPN Contexts
This area displays the Cisco IOS SSL VPN contexts configured on the router. Click a context in this area to display the detailed information for it in the lower part of the window. Add a new context by clicking Add and entering information in the dialog displayed. Edit a context by selecting it and clicking Edit. Remove a context and its associated group policies by selecting it and clicking Delete.
You can enable a context that is not in service by choosing it and clicking Enable. Take a context out of service by choosing it and clicking Disable.
The following information is displayed for each context.
Name
The name of the Cisco IOS SSL VPN context. If you created the context in the Cisco IOS SSL VPN wizard, the name is the string that you entered in the IP Address and Name window.
Gateway
The gateway that the context uses. The gateway contains the IP address and digital certificate that the Cisco IOS SSL VPN context will use.
Domain
If a domain has been configured for the context, it is displayed in this column. If a domain is configured, users must enter that domain in the web browser to access the portal.
Status
Contains icons for quick status identification.
Administrative Status
Textual description of status.
• In Service—Context is in service. Users specified in policies configured under the context can access their Cisco IOS SSL VPN portal.
• Not in Service—Context is not in service. Users specified in policies configured under the context cannot access their Cisco IOS SSL VPN portal.
Sample Display
The following table shows a sample Cisco IOS SSL VPN contexts display.
Name | Gateway | Domain | Status | Administrative Status
WorldTravel | Gateway1 | wtravel.net | | In Service
A+Insurance | Gateway2 | aplus.com | | Not in Service
Details about SSL VPN Context: Name
This area displays details about the context named name that you selected in the upper part of the window. You can modify the settings that you see by clicking Edit in the top part of the window.
SSL VPN Context
Use this window to add or edit a Cisco IOS SSL VPN context.
Field Reference
Table 21-1 describes the fields in this screen.
Table 21-1 SSL VPN Context Fields
Element | Description
Name | Enter the name of a new context, or choose the name of an existing context to edit it.
Associated Gateway | Select an existing gateway, or click Create gateway to configure a new gateway for the context. The gateway contains the IP address and digital certificate that are used for this context. Each gateway requires a unique public IP address.
Domain | If you have a domain for this context, enter it in this field. Cisco IOS SSL VPN users will be able to use this domain name when accessing the portal, instead of an IP address. An example is mycompany.com.
Authentication List | Choose the AAA method list to be used to authenticate users to this context.
Authentication Domain | Enter the domain name that is to be appended to the username before it is sent for authentication. This domain must match the domain used on the AAA server for the users that will be authenticated for this context.
Enable Context | Check Enable Context if you want the context to be enabled when you finish configuring it. You do not have to return to this window to disable it if you enable it here. You can enable and disable individual contexts in the Edit SSL VPN tab.
Maximum Number of Users | Enter the maximum number of users that should be allowed to use this context at one time.
VRF Name | Enter the VPN Routing and Forwarding (VRF) name for this context. This VRF name must have already been configured on the router.
Default Group Policy | Select the policy that you want to use as the default group policy. The default group policy will be used for users who have not been included in any policy configured on the AAA server.
Enable RADIUS Accounting | Check Enable RADIUS Accounting to enable this feature for the context that you are editing. If this option is dimmed and cannot be selected, the AAA authentication list chosen for the context does not include any configured AAA servers. You must choose a different authentication list, or configure a new one. To add the information for an AAA server to the router configuration, click Additional Tasks > AAA > AAA Servers > Add. Enter the IP address and other required information in the displayed dialog. The AAA server information you enter becomes available for use in authentication lists.
Designate Inside and Outside Interfaces
An ACL that is applied to an interface on which a Cisco IOS SSL VPN connection is configured may block the SSL traffic. Cisco SDM can automatically modify the ACL to allow this traffic to pass through the firewall. However, you must indicate which interface is the inside (trusted) interface, and which is the outside (untrusted) interface for Cisco SDM to create the Access Control Entry (ACE) that will allow the appropriate traffic to pass through the firewall.
Check Inside if the listed interface is a trusted interface, and check Outside if it is an untrusted interface.
Select a Gateway
Select an existing gateway from this window. This window provides you with the information you need to determine which gateway to select. It displays the names and IP addresses of all gateways, the number of contexts each is associated with, and whether the gateway is enabled or not.
Context: Group Policies
This window displays the group policies configured for the chosen Cisco IOS SSL VPN context. Use the Add, Edit, and Delete buttons to manage these group policies.
For each policy, this window shows the name of the policy and whether the policy is the default group policy. The default group policy is the policy assigned to a user who has not been included in another policy. You can change the group policy by returning to the Context window and selecting a different policy as the default.
Click a policy in the list to view details about the policy in the lower part of the window. For a description of these details, click the following links:
Group Policy: General Tab
Group Policy: Clientless Tab
Group Policy: Thin Client Tab
Group Policy: SSL VPN Client (Full Tunnel) Tab
Click here to learn more
Click the link in the window for important information. To get to that information from this help page, click Learn More About Group Policies.
Group Policy: General Tab
When creating a new group policy, you must enter information in each field of the General tab.
Field Reference
Table 21-2 describes the fields in this screen.
Table 21-2 General Tab Fields
Element | Description
Name | Enter a name for the group policy, for example Engineering, Human Resources, or Marketing.
Make this the default group policy for context | Check if you want to make this the default group policy. The default group policy is the policy assigned to a user who is not included in another policy. If you check this checkbox, this policy will be shown as the default policy in the Group Policy window.
Timeouts |
Idle Timeout | Enter the number of seconds that the client can remain idle before the session is terminated.
Session Timeout | Enter the maximum number of seconds for a session, regardless of the activity on the session.
Application ACL |
Application ACL | SSLVPN uses application ACLs to specify permitted and denied URLs for groups. Choose a configured application ACL for this group. To configure application ACLs, go to the SSL VPN Context tree, click App ACL to display the Access Control List window, and then click Add.
View | Click View to display the details for the chosen application ACL.
Group Policy: Clientless Tab
Clientless Citrix allows users to run applications on remote servers in the same way that they would run them locally, without client software needing to be installed on the remote systems using these applications. The Citrix software must be installed on one or more servers on a network that the router can reach.
Enter information if you want Cisco IOS SSL VPN clients to be able to use Clientless Citrix.
Field Reference
Table 21-3 describes the fields in this screen.
Table 21-3 Clientless Tab Fields
Element | Description
Clientless Web Browsing |
Action |
URL List | Select one or more URL lists that you want to display in the portal that the users in this group will see. URLs in the list that you specify will be displayed in the portal.
View | To examine a URL list, choose a name from the list and click View.
Add | To add a URL list or a Citrix Server list, click Add and choose the option that you want.
Hide URL bar in the portal page | If you want to restrict users to URLs in the list, and prevent them from entering additional URLs, click Hide URL bar in the portal page.
Enable URL Obfuscation | Click Enable URL Obfuscation to enable this feature for the group policy. When URL obfuscation is enabled, end users do not see the path to the web server or other internal resource in the web page that they are using. Instead, they see an obfuscated path that provides no information about the network.
Enable Citrix | Click Enable Citrix to enable Clientless Citrix for the group policy. Citrix allows users to run applications such as Microsoft Word or Excel on remote servers in the same way that they would run them locally, without the need for client software on the PC. The Citrix software must be installed on one or more servers on a network that the router can reach.
Enable CIFS | Choose Enable CIFS if you want to allow group members to browse files on MS Windows servers in the corporate network. When you enable CIFS, the options that follow are enabled.
Read | Click Read to allow group members to read files.
Write | Click Write to allow group members to make changes to files.
NBNS Server List | You must specify the NBNS server list that will enable the appropriate files to be displayed to these users. Choose the NBNS Server list to use for this group. To configure a list, click NETBIOS Name Server Lists in the SSL VPN Context tree and click Add to configure a list.
View | To verify the contents of a WINS server list, choose the list and click View.
Group Policy: Thin Client Tab
Make settings in this tab if you want to configure Thin Client, also known as port forwarding, for members of this group.
Field Reference
Table 21-4 describes the fields in this screen.
Table 21-4 Thin Client Tab Fields
Element | Description
Enable Thin Client | Click Enable Thin Client (Port Forwarding) and specify a port forward list to enable this feature. At least one port forward list must be configured for the Cisco IOS SSL VPN context under which this group policy is configured.
View | To examine the port forwarding list you have chosen, click View.
Automatically Download Applet | The Automatically Download Applet option causes the Thin Client applet to be downloaded automatically to clients when they have logged on. This option is checked by default.
Group Policy: SSL VPN Client (Full Tunnel) Tab
Make settings in this tab if you want to enable the group members to download and use full-tunnel client software.
Note
You must specify the location of the Full Tunnel client software by clicking Packages in the SSL VPN tree, specifying the location of the install bundle, and then clicking Install.
Enable Full Tunnel connections by choosing Enable from the list. If you want to require Full Tunnel connections, choose Required. If you choose Required, Clientless and Thin Client communication will work only if the Cisco IOS SSL VPN client software is successfully installed on the client PC.
IP address pool from which clients will be assigned an IP address
Clients who establish Full Tunnel communication are assigned IP addresses by the router. Specify the name of the pool, or click the ... button to create a new pool from which the router can assign addresses.
Keep full-tunnel client software installed on client's PC Checkbox
Check if you want the Full Tunnel software to remain on the client's PC after they have logged off. If you do not check this checkbox, clients download the software each time they establish communication with the gateway.
Renegotiate Key field
Enter the number of seconds after which the tunnel should be brought down so that a new SSL key can be negotiated and the tunnel can be reestablished.
ACL to restrict access for users in this group to corporate resources
You can choose or create an access list (ACL) that specifies the resources on the corporate network that group members will be restricted to.
Home page client should see when a web browser is opened with full tunnel software installed
Enter the URL to the home page that is to be displayed to full-tunnel clients in this group.
Dead Peer Detection Timeouts
Dead Peer Detection (DPD) allows a system to detect a peer that is no longer responding. You can set separate timeouts that the router can use to detect clients that are no longer responding, and servers that are no longer responding. The range for both is from 0 to 3600 seconds.
Configure DNS and WINS servers Button
Click to display the DNS and WINS Servers dialog, which allows you to provide the IP addresses of the DNS and WINS servers on the corporate intranet that clients should use when accessing intranet hosts and services.
Configure Advanced Tunnel Options Button
Click to display the Advanced Tunnel Options dialog, which allows you to configure tunnel settings for split tunneling, split DNS, and proxy server settings for clients using Microsoft Internet Explorer.
Advanced Tunnel Options
The settings that you make in this dialog allow you to control the traffic that is encrypted, specify the DNS servers on the corporate intranet, and specify the proxy server settings that are to be sent to client browsers.
Split Tunneling
Encrypting all tunnel traffic may take excessive system resources. Split tunneling allows you to specify the networks whose traffic should be encrypted, and exempt traffic destined for other networks from encryption. You can either specify which tunnel traffic is to be encrypted or you can specify the traffic that is not to be encrypted and allow the router to encrypt all other tunnel traffic. You can only build one list; included and excluded traffic are mutually exclusive.
Click Include traffic and use the Add, Edit, and Delete keys to build a list of destination networks whose traffic is to be encrypted. Or, click Exclude traffic and build a list of the destination networks whose traffic is not to be encrypted.
Click Exclude Local LANs to explicitly exclude from encryption client traffic destined for LANs that the router is connected to. If there are networked printers on these LANs, you must use this option.
The section "Learn More About Split Tunneling" contains more information about this topic.
Split DNS
If you want Cisco IOS SSL VPN clients to use the DNS server in the corporate network only to resolve specific domains, you can enter those domains in this area. They should be domains within the corporate intranet. Separate each entry with a semicolon and do not use carriage returns. Here is a sample list of entries:
yourcompany.com;dev-lab.net;extranet.net
Clients must use the DNS servers provided by their ISPs to resolve all other domains.
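The Include/Exclude and Exclude Local LANs rules from the Split Tunneling section, and the domain matching from the Split DNS section, as an added model in Python (not Cisco SDM or Cisco IOS code). The networks, home LAN, host names and the semicolon-separated domain list are constructed for illustration.

```python
# Added example: a model of the Split Tunneling and Split DNS rules above.
# Constructed inputs: the networks, home LAN and domains are made up. Rules
# follow the text: one list only (Include or Exclude), Exclude Local LANs
# exempts directly connected LANs, split DNS sends listed domains to corporate DNS.
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List


def parse_semicolon_list(text: str) -> List[str]:
    """Parse a dialog field such as 'yourcompany.com;dev-lab.net;extranet.net'.
    Whitespace around entries is tolerated; empty entries (trailing ';') dropped."""
    return [item.strip() for item in text.split(";") if item.strip()]


class SplitTunnelPolicy:
    """Decides whether traffic to a destination is encrypted through the tunnel."""

    def __init__(self, mode: str, networks: Iterable[str],
                 exclude_local_lans: bool = False):
        if mode not in ("include", "exclude"):
            raise ValueError("only one list can be built: 'include' or 'exclude'")
        self.mode = mode
        self.networks = [IPv4Network(n, strict=False) for n in networks]
        self.exclude_local_lans = exclude_local_lans

    def is_tunneled(self, dst: str, local_lans: Iterable[str] = ()) -> bool:
        """True if traffic to dst enters the SSL VPN tunnel (is encrypted).
        local_lans: the client's directly connected subnets (home LAN with a
        printer, say); exempted only when Exclude Local LANs is checked."""
        ip = IPv4Address(dst)
        if self.exclude_local_lans and any(
                ip in IPv4Network(lan, strict=False) for lan in local_lans):
            return False
        listed = any(ip in net for net in self.networks)
        # Include: only listed destinations are encrypted; everything else
        # leaves the client in the clear over its normal route, so a list that
        # is too narrow silently exposes corporate traffic.
        # Exclude: listed destinations bypass the tunnel; all else is encrypted.
        return listed if self.mode == "include" else not listed


def split_dns_resolver(hostname: str, split_domains: Iterable[str]) -> str:
    """Return 'corporate' if hostname is under a split DNS domain, else 'isp'.
    Matching is by DNS label suffix, case-insensitive: 'mail.dev-lab.net'
    matches 'dev-lab.net' but 'notdev-lab.net' does not."""
    host = hostname.lower().rstrip(".")
    for domain in split_domains:
        dom = domain.lower().rstrip(".")
        if host == dom or host.endswith("." + dom):
            return "corporate"
    return "isp"


if __name__ == "__main__":
    corp = SplitTunnelPolicy("include", ["10.0.0.0/8", "172.16.0.0/12"])
    for dst in ("10.0.0.18", "172.20.1.1", "192.168.1.20", "203.0.113.7"):
        print("include list:", dst, "tunneled" if corp.is_tunneled(dst) else "clear")
    full = SplitTunnelPolicy("exclude", [], exclude_local_lans=True)
    for dst in ("10.0.0.18", "192.168.1.20"):
        print("exclude local LANs:", dst,
              "tunneled" if full.is_tunneled(dst, ["192.168.1.0/24"]) else "clear")
    domains = parse_semicolon_list("yourcompany.com;dev-lab.net;extranet.net")
    for name in ("intranet.yourcompany.com", "build.dev-lab.net", "www.example.org"):
        print(name, "->", split_dns_resolver(name, domains))
```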
Browser Proxy Settings
The settings in this area are sent to client Microsoft Internet Explorer browsers with full tunnel connections. These settings have no effect if clients use a different browser.
Do not use proxy server
Click to instruct Cisco IOS SSL VPN client browsers not to use a proxy server.
Auto-detect proxy settings
Click if you want the Cisco IOS SSL VPN client browsers to auto detect proxy server settings.
Bypass proxy settings for local addresses
Click if you want clients connecting to local addresses to be able to bypass normal proxy settings.
Proxy Server
Enter the IP address of the proxy server and the port number for the service that it provides in these fields. For example, if the proxy server supports FTP requests, enter the IP address of the proxy server and port number 21.
Do not use proxy server for addresses beginning with
If you do not want clients to use proxy servers when sending traffic to specific IP addresses or networks, you can enter them here. Use a semicolon to separate each entry. For example, if you do not want clients to use a proxy server when connecting to any server in the 10.10.0.0 or 10.11.0.0 networks, enter 10.10;10.11. You can enter as many networks as you want.
DNS and WINS Servers
Enter the IP addresses for the corporate DNS and WINS servers that will be sent to Cisco IOS SSL VPN clients. Cisco IOS SSL VPN clients will use these servers to access hosts and services on the corporate intranet.
Provide addresses for primary and for secondary DNS servers and WINS servers.
Context: HTML Settings
The settings that you make in this window control the appearance of the portal for the selected Cisco IOS SSL VPN context.
Select theme
You can specify the appearance of the portal by selecting a predefined theme instead of by selecting each color yourself. When you select a theme, the settings for that theme are displayed in the fields associated with the Customize button.
Customize Button
Click if you want to select each color used in the portal and specify a login message and title. If you selected a predefined theme, the values for that theme are displayed in the fields in this section. You can change these values, and the values you enter are used in the portal for the selected context. Changes that you make in this window only affect the portal you are creating. They do not change the default values for the theme.
Login Message
Enter the login message that you want clients to see when their browsers display the portal. For example:
Welcome to the company-name network. Log off if you are not an authorized user.
Title
Enter the title that you want to give the portal. For example:
Company-name network login page