Enable WebVPN Protocol for Group Policy
Use the vpn-tunnel-protocol command in group-policy configuration mode or username configuration mode to configure a VPN tunnel type for the user or group. The following types are available:

- IPSec – Negotiates an IPSec tunnel between two peers, such as a remote access client or another secure gateway. Creates security associations that govern authentication, encryption, encapsulation, and key management.
- L2TP/IPSec – Provides interoperability with the Microsoft VPN client.
- webvpn – Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

Enable URL Entry for WebVPN Users
Use the webvpn command in group-policy configuration mode or in username configuration mode to enter webvpn mode. These webvpn commands apply to the username or group policy from which they are configured. The webvpn commands for group policies and usernames define access to files, MAPI proxy, URLs and TCP applications over WebVPN. They also identify ACLs and types of traffic to filter.

Webvpn mode, when entered from global configuration mode, lets the administrator configure global settings for WebVPN. The webvpn mode described in this section, which is entered from group-policy or username mode, lets the administrator customize a WebVPN configuration for specific users or group policies. WebVPN does not need to be configured to use e-mail proxies.

Use the functions command in webvpn mode to enable file access and file browsing, MAPI Proxy, and URL entry over WebVPN for this user or group policy. To remove a configured function, use the no form of this command. To remove all configured functions, including a null value created by issuing the functions none command, use the no form of this command without arguments. The no option allows inheritance of a value from another group policy. To prevent inheriting function values, use the functions none command. Functions are disabled by default.

The url-entry parameter enables or disables user entry of URLs. When URL entry is enabled, the Adaptive Security Appliance (ASA) still restricts URLs with any configured URL or network ACLs. When URL entry is disabled, the ASA restricts WebVPN users to the URLs on the home page.

Use the url-list command in webvpn mode, which is entered from group-policy or username mode, to apply a list of WebVPN servers and URLs to a particular user or group policy. To remove a list, including a null value created by using the url-list none command, use the no form of this command. The no option allows inheritance of a value from another group policy. To prevent inheriting a URL list, use the url-list none command. Before the url-list command can be used in webvpn mode to identify a URL list to display on the WebVPN home page for a user or group policy, the list must be created. Use the url-list command in global configuration mode to create one or more lists.

Defining URLs with the url-list Command
Use the url-list command in global configuration mode to configure a set of URLs for WebVPN users to access. To configure a list with multiple URLs, use this command with the same listname multiple times, once for each URL. To remove an entire configured list, use the no url-list listname command. To remove a configured URL, use the no url-list listname url command. To configure multiple lists, use this command multiple times, assigning a unique listname to each list. To allow access to the URLs in a list for a specific group policy or user, use the listname created here with the url-list command in webvpn mode.

The example in Figure illustrates the various parameters which must be configured on the Adaptive Security Appliance to enable WebVPN access to the resources on the private network. File access via CIFS is configured in the same basic manner.
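
The commands described in the sections above, put together as one configuration fragment with a restrictive group policy beside a permissive one. This is an added example, not a configuration from the original document: the policy names, list name and example.com hosts are made up, and the displayname argument of the global url-list command and the value keyword of the webvpn-mode url-list command are assumed from ASA 7.x syntax and should be checked against the command reference for your release.

```cisco
! Added example. Names (IntranetURLs, ContractorPolicy, StaffPolicy) and
! hosts are constructed for illustration.
!
! Global configuration mode: create the URL list first, repeating the
! command with the same listname once per URL.
! Assumed form: url-list <listname> <displayname> <url>
url-list IntranetURLs Wiki https://wiki.intranet.example.com
url-list IntranetURLs Helpdesk https://helpdesk.intranet.example.com
!
! Restrictive policy: clientless WebVPN only, no URL entry.
group-policy ContractorPolicy internal
group-policy ContractorPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  ! "functions none" sets a null value, so no functions (including
  ! url-entry) are inherited from another group policy.
  functions none
  ! With URL entry disabled, users are limited to the home-page URLs,
  ! which come from this list.
  url-list value IntranetURLs
!
! Permissive policy: users may type arbitrary URLs. The ASA still
! applies any configured URL or network ACLs to those requests.
group-policy StaffPolicy internal
group-policy StaffPolicy attributes
 vpn-tunnel-protocol webvpn
 webvpn
  functions url-entry
  url-list value IntranetURLs
!
! Removal, in global configuration mode:
!   no url-list IntranetURLs https://helpdesk.intranet.example.com   (one URL)
!   no url-list IntranetURLs                                         (whole list)
```

When reviewing an existing configuration, a policy that has neither functions nor url-list set in webvpn mode inherits both from another group policy, so the inherited values need to be read as well.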