Customize the SSL portal for remote users in the Cisco ASA

By Lori Hyde
April 30, 2009, 9:36 AM PDT

Takeaway: Lori Hyde explains how to customize the SSL portal for remote users with customizations that can be configured via the Adaptive Security Device Manager (ASDM) interface in the Cisco ASA.

Customizing the SSL Support portal is the second part of my post, Clientless SSL VPN Remote Access Set-up Guide for the Cisco ASA, in which I went over the basic setup of SSL VPN access. In this second part, we’ll look at customizing the remote user portal. It’s via the customization of the remote user SSL portal that internal resources are made available to the remote user.

As I pointed out in part one, setting up the clientless SSL VPN access is more complicated than using the VPN Client, but after you become familiar with the key pieces, you’ll find it’s really not too bad.
The Cisco ASA supports a variety of features that can be customized for the clientless SSL VPN user experience, among which are portal look and feel, application access, and file browsing. These customizations can be configured via the Adaptive Security Device Manager (ASDM) interface or by creating your own HTML files.

The first step in providing access should be to gather your user requirements to define which specific resources and applications you will need to configure. For this example, I’ll configure user file-share access, SSH access, VNC access and I’ll incorporate a support HTML page, but there are many more features you could use.

I’ll use Client-Server Plug-ins, Web Contents, and Bookmarks to customize the user portal page.

Client-Server Plug-ins

Web browser plug-ins are actually separate programs that the browser uses to provide specific functionality, such as connecting the remote client to a server. Cisco provides plug-ins for SSH and Telnet access, Terminal Server access, Citrix access, and VNC access. Client-Server Plug-ins can be downloaded from the Cisco Web site and then uploaded to the ASA by navigating to Configuration | Remote Access VPN | Clientless SSL VPN Access | Portal | Client-Server Plug-ins, as shown in Figure A.

Figure A

You can also configure Smart Tunnels instead of, or in addition to, using plug-ins. Smart Tunnels perform better than plug-ins; however, plug-ins do not require the client application to be installed on the remote user’s system.

Web content
Upload any images you want to use in your customization, such as company logos, thumbnail pictures, etc., to the Configuration | Remote Access VPN | Clientless SSL VPN Access | Portal | Web Contents section of the ASDM, as shown in Figure B. These objects will be used during the Bookmark configuration and the User Portal Page configurations.

Figure B

Bookmarks
We can now create bookmarks that will use the plug-ins to provide specific access to the remote user. Bookmarks are configured under Configuration | Remote Access VPN | Clientless SSL VPN Access | Portal | Bookmarks, as shown in Figure C. You can also tie a thumbnail picture to the bookmark if you choose.

Figure C

We’ve now configured the background resources that we’ll use. The next step is to configure the GUI for the user portal.

Portal page customization
While not truly 100 percent customizable, the remote user portal can be modified to provide a different look, feel, and set of resources for each SSL VPN group you have. There are three primary pages that can be customized: Logon, User Portal, and Logout. All these changes are made via a default browser window that the ASA opens when you edit a Customization Object. Changes can be previewed here prior to saving the configuration. This is also where you configure the ASA to use your own HTML page if you have created one. Figure D shows the default page that is presented by the ASA.

Figure D
The Logon page, shown in Figure E, allows for customization of the page title, the look and feel, such as colors and text, as well as the languages you want to use and any informational text you want the users to see. Keep in mind that this page can be seen by the general public prior to user authentication unless you have access locked down via an Access Control List (ACL) on the firewall, so take care with what information you allow to be seen.

Figure E

The Portal page, shown in Figure F, is where you customize the remote users’ access to applications, customize their home page, and set up custom panes and columns. The Applications section allows you to enable or disable the plug-ins you have uploaded and change the titles. You could easily have several different customized pages that offer different resources to each user group based on their requirements.

Figure F
The Custom Panes section, shown in Figure G, allows you to configure four types of panes that can display information to the remote user. These panes include HTML, Text, Images, and RSS feeds.
Figure G

Remote user experience
Figures H, I, and J show screenshots of a remote user session that show some of the fruits of our customization efforts.

Figure H

Authenticated User Screen
Figure I
User Application Screen

Figure J

An SSH session

Finishing Up

Your customizations are not saved in the ASA running configuration, so be sure to export them to a host on your network. These will export as XML files that can then be imported at a later time or to another ASA.
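Because the Logon page is visible before authentication and customizations export as XML, an exported file can be reviewed offline for internal details before it is published or imported elsewhere. The script below is an added example, not part of the original article or of Cisco's tooling; the element names in the sample are constructed placeholders rather than the ASA export schema, and the internal hostname suffix list is an assumption to adjust for your network.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:local|internal|corp|lan)\b", re.I)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample. Element names are placeholders, not the ASA export schema.
SAMPLE = """<custom>
  <logon-page>
    <title>Example Corp Remote Access</title>
    <info-text>Problems? Mail helpdesk@example.com or browse to http://10.1.20.5/help</info-text>
  </logon-page>
  <portal-page>
    <pane type="html" url="https://fs01.hq.internal/support.html">Support</pane>
  </portal-page>
</custom>"""

def classify(text):
    """Return (kind, value) pairs for strings a reviewer should look at."""
    hits = []
    for m in IPV4.finditer(text):
        try:
            # is_private covers RFC 1918 plus loopback and link-local ranges
            if ipaddress.ip_address(m.group()).is_private:
                hits.append(("private-ip", m.group()))
        except ValueError:
            pass  # dotted number that is not a valid address
    hits += [("internal-host", m.group()) for m in HOST.finditer(text)]
    hits += [("email", m.group()) for m in EMAIL.finditer(text)]
    return hits

def find_leaks(xml_text):
    """Walk every element; check its text, attribute values and inline tails."""
    findings = []
    def walk(elem, parent):
        path = f"{parent}/{elem.tag}"
        strings = [elem.text or ""] + list(elem.attrib.values())
        strings += [child.tail or "" for child in elem]
        for s in strings:
            findings.extend((path, kind, value) for kind, value in classify(s))
        for child in elem:
            walk(child, path)
    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for path, kind, value in find_leaks(SAMPLE):
        print(f"{path}: {kind} {value}")
```

Each finding carries the element path, so anything reported under the logon page section of a real export is what an unauthenticated visitor would see.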

