Enabling WebVPN and HTTP Server
WebVPN features must be enabled on an interface-specific basis. On any
interface, these features can be configured either singly or in combination.
To use the following features on an interface, the administrator must enable
them on each individual interface:
- WebVPN (HTTPS) connections
- POP3S, IMAP4S, and SMTPS for e-mail proxy sessions
- HTTPS management sessions
To enable the Adaptive Security Appliance HTTP server, use the
http server enable command. To specify hosts that can access the HTTP server
internal to the ASA, use the http command.
WebVPN Command Sub Mode
The items listed in Figure are configured in one location and apply to all
users accessing the Adaptive Security Appliance via WebVPN. Generally, they
apply to items where the group has not been determined. This configuration is
done using a subcommand mode called webvpn. The webvpn command is used to
enter the subcommand mode. WebVPN does not need to be configured for the
e-mail proxies to be configured.
These webvpn commands let the
administrator configure AAA servers, default group policies, default idle
timeout, http and https proxies, and NetBIOS Name Service (NBNS) servers for
WebVPN, as well as the appearance of WebVPN screens that end users see.
NBNS Server Configuration
The Adaptive Security Appliance queries
NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to
access or share files on remote systems. There is a maximum of 3 server
entries. The first server configured is the primary server, and the others are
backups for redundancy.
The nbns-server command adds an NBNS server for Common Internet File System
(CIFS) name resolution. Specifying the master option indicates that this is a
master browser, rather than just a WINS server. This command may be entered
multiple times. The no option removes the matching entry from the
configuration. The timeout value is in seconds. The default timeout value is
2 seconds, and the range is 1 to 30. The default number of retries is 2, and
the range is 0 to 10.
Authentication Server Configuration
The authentication-server-group command specifies the set of authentication
servers to use with WebVPN or one of the e-mail proxies. For WebVPN, use this
command in webvpn mode. For e-mail proxies, IMAP4S, POP3S, or SMTPS, use this
command in the applicable e-mail proxy mode. The default is to not have any
authentication servers configured.
Home Page Look and Feel Configuration
Many of the commands in the webvpn subcommand mode control and customize the
look and feel of the home page of the end user. Some of the items that can be
configured include:
- HTML Title – The HTML title string that is in the browser title and on the
  title bar. Limited to 255 characters. The default is "WebVPN Service".
  Specifying no title removes the command from the configuration and resets
  the value to the default. To have no title, the title command is issued
  without a string.
- login-message – This is the HTML text that prompts the user to log in. The
  prompt is limited to 255 characters. The default is "Please enter your
  username and password." This string is presented to the user before login.
  Specifying no login-message removes the command from the configuration and
  resets the value to the default. To have no login message, the
  login-message command is issued without a string.
- logo – This specifies the custom logo image that is displayed on the login
  and Home Pages. It is a file that can be uploaded by the administrator to
  the security gateway. The filename is limited to no more than 255
  characters. The logo must be a JPG, PNG or GIF file, and must be less than
  100KB. An error will occur if the file does not exist. If the logo file is
  subsequently deleted, then no logo is displayed. The default is to use the
  Cisco logo. Specifying no logo removes the command from the configuration
  and resets the value to the default. To have no logo, specify logo none.
- title-color – This is the color of the title bars on the login, home and
  file access pages. The value can be a comma-separated RGB value, an HTML
  color value beginning with a # sign, or the name of the color that is
  recognized in HTML. The value is limited to 32 characters. The default is
  one of the Cisco purples, #9999CC. Specifying no title-color reverts the
  value to the default.
- secondary-color – This is the color of the secondary title bars on the
  login, home and file access pages. The value can be a comma-separated RGB
  value, an HTML color value beginning with a # sign, or the name of the color
  that is recognized in HTML. The value is limited to 32 characters. The
  default is one of the Cisco purples, #CCCCFF. Specifying no secondary-color
  reverts the value to the default.
- text-color – This is the color of the text on the title bars. It is
  restricted to just two values to limit the number of icons that need to
  exist for the toolbar. The default value is white. Specifying no text-color
  reverts the value to the default.
- secondary-text-color – This is the color of the text on the secondary bars.
  It is restricted to be aligned with the title bar text color. The default
  value is black. Specifying no secondary-text-color reverts the value to the
  default.
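
The limits given above for nbns-server entries and for the home page strings can be checked against a candidate configuration before it is applied. The following is an added example, not Cisco code: the sample configuration is constructed, and the "timeout <seconds>" / "retry <count>" keyword form and the leading-space indentation of subcommands are assumptions.

```python
import re

# Limits as stated in the section above.
MAX_NBNS = 3
RANGES = {"timeout": (1, 30), "retry": (0, 10)}
MAX_LEN = {"title": 255, "login-message": 255,
           "title-color": 32, "secondary-color": 32}

def lint_webvpn(config):
    """Return findings for commands inside the webvpn subcommand mode."""
    findings, nbns_seen, in_webvpn = [], 0, False
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # top-level command: mode changes here
            in_webvpn = line == "webvpn"
            continue
        if not in_webvpn:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "nbns-server":
            nbns_seen += 1
            if nbns_seen > MAX_NBNS:
                findings.append(f"line {n}: more than {MAX_NBNS} nbns-server entries")
            # Assumed keyword form: "timeout <seconds>" and "retry <count>".
            for key, (lo, hi) in RANGES.items():
                m = re.search(rf"\b{key}\s+(\d+)", arg)
                if m and not lo <= int(m.group(1)) <= hi:
                    findings.append(f"line {n}: {key} {m.group(1)} outside {lo}-{hi}")
        elif cmd in MAX_LEN and len(arg) > MAX_LEN[cmd]:
            findings.append(f"line {n}: {cmd} is {len(arg)} chars, limit {MAX_LEN[cmd]}")
    return findings

# Constructed sample configuration (addresses are documentation-range placeholders).
SAMPLE = "\n".join([
    "http server enable",
    "webvpn",
    " nbns-server 192.0.2.10 master timeout 2 retry 2",
    " nbns-server 192.0.2.11 timeout 45 retry 2",
    " nbns-server 192.0.2.12 timeout 5 retry 11",
    " nbns-server 192.0.2.13",
    " title-color #9999CC",
    " title " + "A" * 300,
])

if __name__ == "__main__":
    for finding in lint_webvpn(SAMPLE):
        print(finding)
```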