Configure the Adaptive Security Appliance to Support WebVPN
Configure WebVPN general parameters

Enabling WebVPN and HTTP Server
WebVPN features must be enabled on an interface-specific basis. On any interface, these features can be configured either singly or in combination. To use the following features, the administrator must enable them on each individual interface:

  • WebVPN (HTTPS) connections
  • POP3S, IMAP4S, and SMTPS for e-mail proxy sessions
  • HTTPS management sessions

To enable the Adaptive Security Appliance HTTP server, use the http server enable command. To specify hosts that can access the HTTP server internal to the ASA, use the http command.

WebVPN Command Sub Mode
The items listed in Figure are configured in one location and apply to all users accessing the Adaptive Security Appliance via WebVPN. Generally, they apply to items where the group has not been determined. This configuration is done using a subcommand mode called webvpn. The webvpn command is used to enter the subcommand mode. WebVPN does not need to be configured for the e-mail proxies to be configured.

These webvpn commands let the administrator configure AAA servers, default group policies, default idle timeout, http and https proxies, and NetBIOS Name Service (NBNS) servers for WebVPN, as well as the appearance of WebVPN screens that end users see.

NBNS Server Configuration
The Adaptive Security Appliance queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems. There is a maximum of 3 server entries. The first server configured is the primary server, and the others are backups for redundancy.

The nbns-server command adds an NBNS server for Common Internet File System (CIFS) name resolution. Specifying the master option indicates that this is a master browser, rather than just a WINS server. This command may be entered multiple times. The no option removes the matching entry from the configuration. The timeout value is in seconds. The default timeout value is 2 seconds, and the range is 1 to 30. The default number of retries is 2, and the range is 0 to 10.

Authentication Server Configuration
The authentication-server-group command specifies the set of authentication servers to use with WebVPN or one of the e-mail proxies. For WebVPN, use this command in webvpn mode. For the e-mail proxies (IMAP4S, POP3S, or SMTPS), use this command in the applicable e-mail proxy mode. The default is to not have any authentication servers configured.

Home Page Look and Feel Configuration
Many of the commands in the webvpn subcommand mode control and customize the look and feel of the end user's home page. Some of the items that can be configured include:

  • HTML Title – The HTML title string that is in the browser title and on the title bar. Limited to 255 characters. The default is "WebVPN Service". Specifying no title removes the command from the configuration and resets the value to the default. To have no title, the title command is issued without a string.
  • login-message – This is the HTML text that prompts the user to log in. The prompt is limited to 255 characters. The default is "Please enter your username and password." This string is presented to the user before login. Specifying no login-message removes the command from the configuration and resets the value to the default. To have no login message, the login-message command is issued without a string.
  • logo – This specifies the custom logo image that is displayed on the login and home pages. It is a file that can be uploaded by the administrator to the security gateway. The filename is limited to no more than 255 characters. The logo must be a JPG, PNG or GIF file, and must be less than 100KB. An error will occur if the file does not exist. If the logo file is subsequently deleted, then no logo is displayed. The default is to use the Cisco logo. Specifying no logo removes the command from the configuration and resets the value to the default. To have no logo, specify logo none.
  • title-color – This is the color of the title bars on the login, home and file access pages. The value can be a comma-separated RGB value, an HTML color value beginning with a # sign, or the name of the color that is recognized in HTML. The value is limited to 32 characters. The default is one of the Cisco purples, #9999CC. Specifying no title-color reverts the value to the default.
  • secondary-color – This is the color of the secondary title bars on the login, home and file access pages. The value can be a comma-separated RGB value, an HTML color value beginning with a # sign, or the name of the color that is recognized in HTML. The value is limited to 32 characters. The default is one of the Cisco purples, #CCCCFF. Specifying no secondary-color reverts the value to the default.
  • text-color – This is the color of the text on the title bars. It is restricted to just two values to limit the number of icons that need to exist for the toolbar. The default value is white. Specifying no text-color reverts the value to the default.
  • secondary-text-color – This is the color of the text on the secondary bars. It is restricted to be aligned with the title bar text color. The default value is black. Specifying no secondary-text-color reverts the value to the default.
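
The commands from the sections above, combined into one configuration. This is an added example, not configuration from the original page. Command syntax is assumed to follow the ASA 7.0 CLI; the interface names, IP addresses, the AAA group name WEBVPN_AUTH and the logo file name are constructed placeholders.

```cisco
! Constructed example: all addresses, names and file paths are placeholders.
!
! Enable the ASA HTTP server and restrict access to it to a single
! administrative subnet reached through the inside interface.
http server enable
http 192.168.10.0 255.255.255.0 inside
!
! Enter the webvpn subcommand mode; settings here apply to all WebVPN users.
webvpn
 ! WebVPN must be enabled on each interface that should accept it.
 enable outside
 ! Up to three NBNS servers: the first entry is the primary, the rest are
 ! backups. "master" marks a master browser rather than a plain WINS server.
 ! Timeout is in seconds (range 1-30); retries range from 0 to 10.
 nbns-server 10.1.1.10 master timeout 2 retry 2
 nbns-server 10.1.1.11 timeout 2 retry 2
 ! No authentication servers are configured by default. WEBVPN_AUTH is
 ! assumed to be an aaa-server group that has already been defined.
 authentication-server-group WEBVPN_AUTH
 ! Home page look and feel (strings are limited to 255 characters).
 title Example Corp Remote Access
 login-message Please enter your username and password.
 ! Logo must be a JPG, PNG or GIF file under 100KB that exists on the ASA.
 logo file disk0:/example_logo.gif
 title-color #9999CC
 secondary-color #CCCCFF
 text-color white
 secondary-text-color black
```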

Web Links