Setting WebVPN HTTP/HTTPS Proxy - Cisco FirePOWER ASA 5500 series Configuration Manual

Getting Started with WebVPN

Setting WebVPN HTTP/HTTPS Proxy

The security appliance can terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP
and HTTPS proxy servers. These servers act as intermediaries between users and the Internet. Requiring
all Internet access via a server that the organization controls provides another opportunity for filtering
to assure secure Internet access and administrative control.
To set values for HTTP and HTTPS proxy, use the http-proxy and https-proxy commands in webvpn
mode. These commands let you identify HTTP and HTTPS proxy servers and ports.
Configuring SSL/TLS Encryption Protocols

When you set SSL/TLS encryption protocols, be aware of the following:

• Make sure that the security appliance and the browser you use allow at least one SSL/TLS protocol version in common; if the two sets do not overlap, the handshake fails and the user never reaches the WebVPN login page.
• If you configure e-mail proxy, do not set the security appliance SSL version to TLSv1 Only. MS Outlook and MS Outlook Express do not support TLS.
• TCP Port Forwarding requires Sun Microsystems Java Runtime Environment (JRE) version 1.4.x or 1.5.x. Port forwarding does not work when a WebVPN user connects with some SSL versions, as follows:

  Security appliance SSL version    Port forwarding (Java applet)
  Negotiate SSLv3                   Java downloads
  Negotiate SSLv3/TLSv1             Java downloads
  Negotiate TLSv1                   Java does NOT download
  TLSv1 Only                        Java does NOT download
  SSLv3 Only                        Java does NOT download

Authenticating with Digital Certificates

SSL uses digital certificates for authentication. The security appliance creates a self-signed SSL server certificate when it boots; or you can install in the security appliance an SSL certificate that has been issued in a PKI context. Because a self-signed certificate chains to no CA the browser already trusts, for HTTPS this certificate must then be installed on the client, or the browser warns on every connection. You need to install the certificate from a given security appliance only once.

Restrictions for authenticating users with digital certificates include the following:

• Application Access does not work for WebVPN users who authenticate using digital certificates. The JRE cannot access the web browser keystore, so Java cannot use the certificate that the browser used to authenticate the user, and the applet cannot start.
• E-mail proxy supports certificate authentication with Netscape 7.x e-mail clients only. Other e-mail clients such as MS Outlook, MS Outlook Express, and Eudora lack the ability to access the certificate store.

For more information on authentication and authorization using digital certificates, see "Using Certificates and User Login Credentials" in the "Configuring AAA Servers and the Local Database" chapter.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 37 Configuring WebVPN, page 37-4
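The following configuration is an added example, not text from the guide, that puts the two settings above together: the proxy commands from "Setting WebVPN HTTP/HTTPS Proxy" and the SSL version selection from "Configuring SSL/TLS Encryption Protocols". It assumes the ASA 7.x command syntax http-proxy host [port port] and https-proxy host [port port] in webvpn configuration mode, and ssl server-version {any | sslv3 | tlsv1 | sslv3-only | tlsv1-only}, where (as assumed here) any corresponds to "Negotiate SSLv3/TLSv1" and tlsv1-only to "TLSv1 Only" in the table above. The proxy addresses and ports are made up.

```cisco
! --- Setting WebVPN HTTP/HTTPS Proxy ---
! Every clientless WebVPN request to the Internet is relayed through the
! organization's own proxies, where filtering and logging can be applied.
webvpn
 http-proxy 10.1.1.10 port 8080     ! made-up address of the HTTP proxy
 https-proxy 10.1.1.11 port 8443    ! made-up address of the HTTPS proxy

! --- Configuring SSL/TLS Encryption Protocols ---
! "Negotiate SSLv3/TLSv1": the widest setting. It is the one that keeps
! every feature on this page working: browsers, the e-mail proxy clients
! (Outlook / Outlook Express, which do not support TLS) and TCP Port
! Forwarding (the table above: Java downloads).
ssl server-version any

! "TLSv1 Only": SSLv3 is never negotiated. Safer for a browser-only
! deployment, but by the rules above it MUST NOT be used when e-mail proxy
! or port forwarding is configured (Outlook cannot connect; Java does NOT
! download). Left commented out so only one of the two is active.
! ssl server-version tlsv1-only
```

Pick the most restrictive version that every configured feature still tolerates, and verify it from a client with the same browser and JRE the users have, because the mismatch shows up only as a failed handshake or an applet that never loads. Note that this guide predates the finding that SSLv3 is cryptographically broken; on current software and browsers the same decision is which TLS versions to allow, and SSLv3 should not be offered at all.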
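As an added example of what "Authenticating with Digital Certificates" describes, not from the guide, the following replaces the boot-time self-signed server certificate with one issued by the organization's PKI. It assumes the ASA 7.x trustpoint commands (crypto key generate rsa, crypto ca trustpoint, crypto ca authenticate, crypto ca enroll, crypto ca import ... certificate, ssl trust-point) with terminal (cut-and-paste) enrollment; the key label, trustpoint name, FQDN and interface name are made up.

```cisco
! Generate a dedicated RSA key pair for the WebVPN server certificate.
crypto key generate rsa label WEBVPN-KEY modulus 2048

! Trustpoint describing the corporate CA and the certificate we want from it.
crypto ca trustpoint CORP-CA            ! made-up trustpoint name
 enrollment terminal                    ! CSR and certificates pasted as PEM text
 keypair WEBVPN-KEY
 fqdn vpn.example.com                   ! must be the name users type in the browser
 subject-name CN=vpn.example.com        ! or the browser warns of a name mismatch

! 1. Paste the CA's certificate so the appliance trusts the issuer.
crypto ca authenticate CORP-CA
! 2. Print the CSR; submit it to the CA.
crypto ca enroll CORP-CA
! 3. Paste the certificate the CA issued.
crypto ca import CORP-CA certificate

! Serve the issued certificate for HTTPS/WebVPN on the outside interface
! instead of the self-signed one created at boot.
ssl trust-point CORP-CA outside
```

With a certificate from a CA the clients already trust, nothing has to be installed on each client for HTTPS; the "install once per security appliance" step above is only needed for the self-signed certificate. Confirm the result from a client browser before users do: the lock icon must show the expected issuer and the FQDN above, with no warning to click through.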

Advertisement

Table of Contents
loading

This manual is also suitable for:

Pix 500 seriesCisco asa 5500 series

Table of Contents