Observing Clientless Ssl Vpn Security Precautions - Cisco PIX 500 Series Configuration Manual

Getting Started
Note: The security appliance does not support the Microsoft Outlook Exchange (MAPI) proxy. Neither port forwarding nor the smart tunnel feature that provides application access through a clientless SSL VPN session supports MAPI. For Microsoft Outlook Exchange communication using the MAPI protocol, remote users must use AnyConnect.
Clientless SSL VPN uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), to provide the secure connection between remote users and specific, supported internal resources that you configure at a central site. The security appliance recognizes connections that need to be proxied, and the HTTP server interacts with the authentication subsystem to authenticate users.

The network administrator provides access to resources by users of clientless SSL VPN sessions on a group basis. Users have no direct access to resources on the internal network.
The following sections address getting started with the configuration of clientless SSL VPN access:

- Observing Clientless SSL VPN Security Precautions
- Understanding Features Not Supported in Clientless SSL VPN
- Using SSL to Access the Central Site
- Authenticating with Digital Certificates
- Enabling Cookies on Browsers for Clientless SSL VPN
- Managing Passwords
- Using Single Sign-on with Clientless SSL VPN

Observing Clientless SSL VPN Security Precautions

Clientless SSL VPN connections on the security appliance differ from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers and the precautions needed to reduce security risks.

In a clientless SSL VPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate and therefore cannot examine and validate it.

The current implementation of clientless SSL VPN on the security appliance does not permit communication with sites that present expired certificates, nor does the security appliance perform trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.

To minimize the risks involved with SSL certificates:

1. Configure a group policy that consists of all users who need clientless SSL VPN access and enable it only for that group policy.
2. Limit Internet access for users of clientless SSL VPN sessions. One way to do this is to disable URL entry. Then configure links to specific targets within the private network that you want users in clientless SSL VPN sessions to be able to access.
3. Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a clientless SSL VPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 37, Configuring Clientless SSL VPN, page 37-2
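An out-of-band audit of the bookmarked targets, as an added example that is not part of the Cisco guide: because the appliance checks only certificate expiry and not the chain to a trusted CA, and the user's browser never sees the certificate, an administrator can run the trusted-CA and hostname check the appliance skips from a host that can reach the targets. It uses only Python's standard library; the hostnames in the sample bookmark list are constructed.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

# OpenSSL verification error code for "certificate has expired".
X509_V_ERR_CERT_HAS_EXPIRED = 10

def classify(peercert, verify_error, now=None, warn_days=30):
    """Classify a bookmark target as 'ok', 'expiring', 'expired' or 'untrusted'.

    peercert is the dict SSLSocket.getpeercert() returns (None if the handshake
    failed); verify_error is the exception a verifying context raised, or None.
    """
    now = time.time() if now is None else now
    if verify_error is not None:
        # Expired: the appliance would refuse this target, as a browser would.
        if getattr(verify_error, "verify_code", None) == X509_V_ERR_CERT_HAS_EXPIRED \
                or "expired" in str(verify_error).lower():
            return "expired"
        # Untrusted CA, self-signed or hostname mismatch: the appliance proxies
        # this target anyway, and the user's browser never sees the certificate.
        return "untrusted"
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not_after <= now:
        return "expired"
    if not_after - now < warn_days * 86400:
        return "expiring"
    return "ok"

def audit_target(url, timeout=5.0):
    """Connect to one bookmark URL with full CA chain and hostname checking."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context()  # system CA store, hostname verified
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), None)
    except ssl.SSLCertVerificationError as err:
        return classify(None, err)
    except OSError:
        # Name resolution, TCP or non-verification TLS failure.
        return "unreachable"

if __name__ == "__main__":
    # Constructed sample bookmark list; substitute the url-list targets.
    for target in ("https://intranet.example.com/", "https://hr.example.com/"):
        print(target, audit_target(target))
```

Targets reported as "untrusted" are exactly the ones the appliance would proxy without the CA validation a browser performs, so they are the first to fix or remove from the bookmark list.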
