37-49
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 37 Configuring Clientless SSL VPN
Optimizing Clientless SSL VPN Performance
Using Proxy Bypass
You can configure the security appliance to use proxy bypass when applications and web resources work
better with the special content rewriting this feature provides. Proxy bypass is an alternative method of
content rewriting that makes minimal changes to the original content. It is often useful with custom web
applications.
You can use the proxy-bypass command multiple times. The order in which you configure entries is
unimportant. The interface and path mask, or the interface and port, uniquely identify a proxy bypass rule.
If you configure proxy bypass using ports rather than path masks, depending on your network
configuration, you might need to change your firewall configuration to allow these ports access to the
security appliance. Use path masks to avoid this restriction. Be aware, however, that path masks can
change, so you might need to use multiple pathmask statements to exhaust the possibilities.
A path is everything in a URL after the .com or .org or other types of domain name. For example, in the
URL www.mycompany.com/hrbenefits, hrbenefits is the path. Similarly, for the URL
www.mycompany.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr
sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*.
To configure proxy bypass, use the proxy-bypass command in webvpn mode.
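To make the rule-identity and path-mask semantics above concrete, here is an added Python model of a proxy bypass table. It is not Cisco code and does not talk to a security appliance; the class, method and field names are my own, and the assumption that a rule is keyed by (interface, path mask) or (interface, port), so that reconfiguring the same key replaces the earlier entry, comes from the paragraph above. Path masks are matched with shell-style wildcards, which is how the /hr* example reads.

```python
import fnmatch
from urllib.parse import urlsplit


class ProxyBypassTable:
    """Hypothetical model of proxy-bypass rules (illustration only, not ASA code)."""

    def __init__(self):
        # Keyed by (interface, "path-mask", mask) or (interface, "port", port):
        # the key is what makes a rule unique, so re-adding it replaces the rule.
        self.rules = {}

    def add(self, interface, *, path_mask=None, port=None, target):
        if (path_mask is None) == (port is None):
            raise ValueError("specify exactly one of path_mask or port")
        if path_mask is not None:
            key = (interface, "path-mask", path_mask)
        else:
            key = (interface, "port", port)
        self.rules[key] = {
            "interface": interface,
            "path_mask": path_mask,
            "port": port,
            "target": target,
        }
        return key

    @staticmethod
    def path_of(url):
        """Everything after the host (and optional port): the 'path' in the guide's sense."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        return parts.path or "/", parts.port

    def match(self, interface, url):
        """Return the first rule on this interface whose path mask or port matches the URL."""
        path, port = self.path_of(url)
        for rule in self.rules.values():
            if rule["interface"] != interface:
                continue
            # fnmatchcase: '*' matches any run of characters, including '/'
            if rule["path_mask"] is not None and fnmatch.fnmatchcase(path, rule["path_mask"]):
                return rule
            if rule["port"] is not None and port == rule["port"]:
                return rule
        return None


def demo():
    """Constructed sample rules and URLs; returns what each lookup resolves to."""
    table = ProxyBypassTable()
    # One wildcard mask covers both hr sites from the guide's example.
    table.add("outside", path_mask="/hr*", target="http://www.mycompany.com")
    # Re-adding the same interface + mask replaces, rather than duplicates, the rule.
    table.add("outside", path_mask="/hr*", target="http://www.mycompany.com/")
    # A port-based rule is identified by interface + port instead.
    table.add("outside", port=8080, target="http://legacy.example.com")
    return {
        "rule_count": len(table.rules),
        "hrbenefits": table.match("outside", "www.mycompany.com/hrbenefits") is not None,
        "hrinsurance": table.match("outside", "www.mycompany.com/hrinsurance") is not None,
        "sales": table.match("outside", "www.mycompany.com/sales") is not None,
        "port_rule": table.match("outside", "www.example.com:8080/anything")["target"],
        "wrong_interface": table.match("inside", "www.mycompany.com/hrbenefits") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately says nothing about precedence when both a path-mask rule and a port rule match the same request, because the guide does not state one; it only shows why the order in which rules are configured does not matter (the key decides identity) and why one mask such as /hr* replaces several single-path entries.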
Configuring Application Profile Customization Framework
An APCF profile for Clientless SSL VPN lets the security appliance handle non-standard applications
and web resources so that they display correctly over a Clientless SSL VPN connection. An APCF
profile contains a script that specifies when (pre, post), where (header, body, request, response), and
what data to transform for a particular application. The script is in XML and uses sed (stream editor)
syntax for string/text transformation. Multiple APCF profiles can run in parallel on a security appliance.
Within an APCF profile script, multiple APCF rules can apply. In this case, the security appliance
processes the oldest rule first (based on configuration history), then the next oldest rule, and so forth.
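The "oldest rule first" ordering is easy to get wrong, because two substitutions that each look harmless can depend on each other. The following added Python model (mine, not Cisco's APCF engine, and not the APCF XML schema, which this page does not show) represents each rule by the when/where/what triple the paragraph above describes and applies sed-style s/pattern/replacement/flags substitutions in configuration order. The rule and header samples are constructed; the point is that reversing the configuration order changes the result.

```python
import re
from dataclasses import dataclass


@dataclass
class ApcfRule:
    """Hypothetical rule record: when (pre/post), where, and a sed substitution."""
    when: str    # "pre" or "post"
    where: str   # "request-header", "request-body", "response-header", "response-body"
    sed: str     # e.g. "s/foo/bar/g"


def parse_sed_substitution(expr):
    """Split s<delim>pattern<delim>replacement<delim>flags, honouring escaped delimiters."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError(f"not a substitution: {expr!r}")
    delim = expr[1]
    fields, cur, i = [], [], 2
    while i < len(expr) and len(fields) < 2:
        c = expr[i]
        if c == "\\" and i + 1 < len(expr):
            nxt = expr[i + 1]
            # '\/' (escaped delimiter) becomes a literal '/'; other escapes are kept for the regex
            cur.append(nxt if nxt == delim else c + nxt)
            i += 2
            continue
        if c == delim:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 2:
        raise ValueError(f"malformed substitution: {expr!r}")
    return fields[0], fields[1], expr[i:]


def transform(rules, when, where, text):
    """Apply every matching rule to text, oldest (first configured) rule first."""
    for rule in rules:
        if rule.when != when or rule.where != where:
            continue
        pattern, repl, flags = parse_sed_substitution(rule.sed)
        # sed's '&' means the whole match; Python's re spells that '\g<0>'
        py_repl = repl.replace(r"\&", "\x00").replace("&", r"\g<0>").replace("\x00", "&")
        count = 0 if "g" in flags else 1
        re_flags = re.IGNORECASE if "i" in flags.lower() else 0
        text = re.sub(pattern, py_repl, text, count=count, flags=re_flags)
    return text


# Constructed rules: the first upgrades a redirect to https, the second rewrites
# the internal host name. The second only matches after the first has run.
RULES = [
    ApcfRule("post", "response-header", "s/Location: http:/Location: https:/"),
    ApcfRule("post", "response-header",
             r"s/https:\/\/intranet/https:\/\/vpn.example.com\/intranet/"),
]

# Constructed response header as the appliance might see it from a back-end server.
SAMPLE_HEADER = "HTTP/1.1 302 Found\r\nLocation: http://intranet/home\r\n\r\n"


def in_config_order():
    return transform(RULES, "post", "response-header", SAMPLE_HEADER)


def in_reversed_order():
    return transform(list(reversed(RULES)), "post", "response-header", SAMPLE_HEADER)


if __name__ == "__main__":
    print(in_config_order())
    print(in_reversed_order())
```

Run in configuration order the redirect ends up pointing at https://vpn.example.com/intranet/home; run in reverse, the host rewrite never fires. That is the behaviour to check whenever a rule is added to a profile that already has others: an older rule may change exactly the text a newer rule expects to see.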
You can store APCF profiles on the security appliance flash memory, or on an HTTP, HTTPS, or TFTP
server. Use the apcf command in webvpn mode to identify and locate an APCF profile that you want to
load on the security appliance.
Note
We recommend that you configure an APCF profile only with the assistance of Cisco personnel.
The following example shows how to enable an APCF profile named apcf1.xml, located on flash
memory.
hostname(config)# webvpn
hostname(config-webvpn)# apcf flash:/apcf/apcf1.xml
This example shows how to enable an APCF profile named apcf2.xml, located on an https server called
myserver, port 1440 with the path being /apcf.
hostname(config)# webvpn
hostname(config-webvpn)# apcf https://myserver:1440/apcf/apcf2.xml