37-35
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 37 Configuring Clientless SSL VPN
Configuring Application Access
About Smart Tunnels
A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site, using a
clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security
appliance as a proxy server. You can identify applications to which you want to grant smart tunnel
access, and specify the local path to each application and the SHA-1 hash of its checksum to check
before granting it access. Lotus SameTime, Microsoft Outlook, and Microsoft Outlook Express are
examples of applications to which you might want to grant smart tunnel access.
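As an added example, not part of the Cisco guide or the security appliance's own code: a Python script that computes the SHA-1 value an administrator would record for a smart tunnel application entry and checks a candidate executable against it, showing that a copy differing by a single byte fails the check. The `smart-tunnel list <list> <application> <path> [hash]` command form rendered by `build_smart_tunnel_entry` is assumed from the 8.0 guide's syntax rather than taken from this page, and the file contents are constructed stand-ins, not real application binaries.

```python
# Added example, not from the Cisco guide: record the SHA-1 of an application
# for a smart tunnel list entry and verify a candidate binary against it.
import hashlib
import hmac
import os
import tempfile


def sha1_of_bytes(data):
    """Return the lowercase hex SHA-1 digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=65536):
    """Return the lowercase hex SHA-1 digest of the file at path, read in chunks
    so a large executable is never loaded into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_smart_tunnel_entry(list_name, app_name, app_path, app_hash=None):
    """Render one smart-tunnel list line. The command form is assumed from the
    8.0 guide syntax (smart-tunnel list <list> <application> <path> [hash]).
    The hash is optional; omitting it lets any file at that path qualify."""
    line = "smart-tunnel list {} {} {}".format(list_name, app_name, app_path)
    if app_hash:
        line += " " + app_hash.lower()
    return line


def verify_application(app_path, expected_hash):
    """Return True only if the file at app_path hashes to expected_hash.
    The comparison ignores hex case (checksum tools print either) and is
    constant-time."""
    actual = sha1_of_file(app_path)
    return hmac.compare_digest(actual, expected_hash.strip().lower())


def demo():
    """Write constructed stand-in binaries to a temporary directory and show
    that the recorded hash admits the original and rejects a modified copy."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "OUTLOOK.EXE")
        # Constructed bytes standing in for a real executable image.
        with open(original, "wb") as handle:
            handle.write(b"MZ" + b"constructed stand-in for outlook.exe" * 100)
        recorded = sha1_of_file(original)
        entry = build_smart_tunnel_entry(
            "OfficeApps", "Outlook",
            r"\Program Files\Microsoft Office\OUTLOOK.EXE", recorded)

        # A modified copy: one byte changed, same size, same file name.
        tampered = os.path.join(workdir, "OUTLOOK.EXE.modified")
        with open(original, "rb") as src:
            data = bytearray(src.read())
        data[-1] ^= 0x01
        with open(tampered, "wb") as dst:
            dst.write(bytes(data))

        return {
            "entry": entry,
            "recorded": recorded,
            "original_ok": verify_application(original, recorded),
            "tampered_ok": verify_application(tampered, recorded),
            "uppercase_ok": verify_application(original, recorded.upper()),
        }


if __name__ == "__main__":
    result = demo()
    print(result["entry"])
    print("original accepted:", result["original_ok"])
    print("modified copy accepted:", result["tampered_ok"])
```

The hash is what ties the list entry to one specific build of the application; when the application is patched or upgraded, the recorded value must be regenerated or the legitimate binary will be refused just as the modified copy is here.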
Why Smart Tunnels?
With Release 8.0(2), Cisco added two alternative technologies for supporting Winsock 2, TCP-based
applications: smart tunnel access and plug-ins. Plug-ins offer better performance and do not require the
client application to be installed on the remote computer. Therefore, configure smart tunnel access only
if a plug-in for the application you want to support is unavailable.
Compared to the legacy technology, port forwarding, smart tunnel access simplifies the remote user
experience by not requiring the user to connect the local application to a local port. Because no local
listener has to be bound, smart tunnels do not require users to have administrator privileges.
Smart Tunnel Requirements and Restrictions
Smart tunnels have the following requirements:
• The remote host originating the smart tunnel connection must be running a 32-bit version of Microsoft Windows 2000 or Microsoft Windows XP.
• The browser must be enabled with Java, Microsoft ActiveX, or both.
Smart tunnels also have the following restrictions:
• Only Winsock 2, TCP-based applications are eligible.
• If the remote computer requires a proxy server to reach the security appliance, the URL of the terminating end of the connection must be in the list of URLs excluded from proxy services (See OK). In this configuration, smart tunnels support only basic authentication.
Note Smart tunnels do not support MAPI, also called Microsoft Outlook Exchange proxy. For MAPI proxy access, remote users must use AnyConnect.
• A group policy or username supports no more than one list of applications eligible for smart tunnel access.
• A stateful failover does not retain smart tunnel connections. Users must reconnect following a failover.
Note Some open-source, Java applet plug-ins display a status of connected and online, even if a session to the destination service is not set up. The applet displays the incorrect status, not the security appliance.