Case Studies

This section discusses the new feature called Secure Socket Layer (SSL) VPN or Web VPN on the VPN Concentrator. SSL VPN provides remote access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. This section presents a general discussion, configuration steps and troubleshooting issues for the different modes of operation of SSL VPN. SSL VPN can be operated in one of three modes, based on your corporation's needs and requirements:

Clientless: This mode of operation is for web-based applications (web server access with HTTP/HTTPS) and file shares (CIFS). A standard browser acts as the VPN client in this mode, and the VPN Concentrator acts as a proxy.

Thin client: This mode of operation is for fixed-TCP-port applications (such as e-mail, Telnet, SSH, terminal services, and so on). Any multi-channel protocol that requires port negotiation (FTP, for example) does not work in this mode. A Java applet (generally less than 100K) is downloaded through the browser to the client PC, where it proxies the TCP connections.

SSL VPN Client (SVC): A larger client (generally around 500K max) is delivered to the end user, and the applications that can be accessed are very similar to those available through the regular IPsec Remote Access VPN client. This client is delivered via a web page and never needs to be manually distributed or installed.

The next few sections present more detailed discussions on all three modes of operation.

Clientless SSL VPN
As mentioned before, in the Clientless SSL VPN mode of operation a standard browser is used as the VPN client. There is no requirement to download any applet to the client PC, because the VPN Concentrator acts as a proxy in this mode. Clientless SSL VPN is supported for website access and for web applications such as NT and Active Directory file sharing (CIFS). For websites, the URL is mangled (rewritten so that requests flow through the Concentrator) before the page is presented to the end user. For NT and Active Directory file sharing, the application is translated to HTTP and presented to users in HTML format. The sections that follow discuss the following topics:

Configuration steps for basic SSL VPN connection

Troubleshooting steps for Basic SSL VPN connection

Configuration steps for web server access

Troubleshooting steps for web server access

Configuration steps for CIFS access

Troubleshooting steps for CIFS access

Configuration Steps for Basic SSL VPN Connection
Work through the following steps to configure Basic SSL VPN Connection:

Step 1. Go to Configuration > Interfaces > Ethernet2, and check Allow WebVPN HTTPS sessions to turn on WebVPN. If you want to allow HTTPS web access to the VPN Concentrator for management purposes, check Allow Management HTTPS sessions.


Step 2. Be sure the WebVPN box is checked under Tunneling Protocols on the General tab of the Configuration > User Management > Base Group page. You also can set this up in a specific group.



Step 3. To enable client authentication using digital certificates for both HTTPS administrative and WebVPN sessions, go to the Configuration > Tunneling and Security > SSL > HTTPS page, check the Enable HTTPS box, set the HTTPS port to 443, and check Client Authentication. Note that WebVPN sessions require an active authorization server. By default, Client Authentication is not checked.


Step 4. Go to the Configuration > Tunneling and Security > SSL > Protocols page and check at least one encryption protocol. By default all three protocol options are checked; it is recommended to leave everything at the default.



Troubleshooting Steps for Basic SSL VPN Connection
When working with Basic SSL VPN Connection, you may encounter these problems, which are described in the sections that follow:

Inability to establish SSL session with VPN 3000 Concentrator

Inability to login to VPN 3000 Concentrator

Inability to Establish SSL Session with VPN 3000 Concentrator
Work through the following steps to troubleshoot the inability to establish an SSL session:

Step 1. To verify general connectivity, ping the VPN Concentrator by name and by IP address from the client PC. If ICMP is blocked between the client and the VPN Concentrator, try HTTP or HTTPS to the public interface and see if you can connect.


Step 2. If one vendor's browser does not work, try a different browser and check whether you get the web portal page.


Step 3. Be sure the interface you are connecting to is configured to support WebVPN connections by checking the Configuration > Interfaces > Ethernet2 page.


Step 4. Verify that the interface you are connecting to has an SSL certificate and that the certificate is valid by going to Administration > Certificate Management. Look under the SSL Certificates section and view the certificate to see its details and validity.


Step 5. Enable Allow Management HTTPS Sessions on the interface and try connecting to https://VPN_Concentrator_IP_Address/admin. This connection also fails if the problem is with the certificate.


Step 6. Verify that the group the user is connecting to supports WebVPN.


Step 7. Verify the SSL/HTTPS configuration: check that HTTPS is enabled, the port is defined, and authentication is turned on.



Step 8. Turn on SSL Event Class severities 1-9. This gives you general reason codes for the failure.


Step 9. Use an external sniffer to trace the network traffic. Verify that the TCP three-way handshake completes successfully. If the TCP handshake completes, you should see an SSL handshake occur. The sniffer also helps you determine the cipher suites being negotiated and where in the session establishment process the connection is breaking.


Step 10. Verify that the cipher being offered by the client is supported by the concentrator's configuration:


- Server Gated Cryptography (SGC) is not supported.

- Minimum 56 bit keys.

- Verify that the certificates you are using are valid and that the smart card certificate can be read by the browser.

- Try using the self-signed concentrator certificates.

Step 11. If you still fail to create an HTTPS session to the concentrator, contact the Cisco Support Team.
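Steps 9 and 10 ask you to read the client's cipher offer out of a sniffer trace and compare it with what the concentrator accepts. The following Python example, added here and not taken from the book or from Cisco, parses a constructed TLS ClientHello record, lists the offered cipher suites, and flags those below the 56-bit minimum stated above; the suite codes and names are from the TLS 1.0 registry, and any code not in the small table is treated as unsupported.

```python
import struct

# Cipher-suite codes and symmetric key sizes from the TLS 1.0 registry (RFC 2246); codes missing here count as 0 bits.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", 128),
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 168),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
}

def parse_client_hello(record: bytes) -> dict:
    """Return the client version and offered suites from a TLS record that carries a ClientHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a Handshake record (type 0x16)")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello (type 0x01)")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip client_version and the 32-byte random
    pos += 1 + body[pos]                          # skip the length-prefixed session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": client_ver, "suites": suites}

def check_offer(suites, min_bits=56):
    """Split offered suites into those meeting the 56-bit minimum and those the concentrator rejects."""
    accepted, rejected = [], []
    for code in suites:
        name, bits = SUITES.get(code, ("unknown_0x%04x" % code, 0))
        (accepted if bits >= min_bits else rejected).append(name)
    return accepted, rejected

def build_client_hello(version: int, suites) -> bytes:
    """Constructed ClientHello (no extensions) so the parser can be exercised offline."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs

# Constructed capture: a TLS 1.0 client offering one 40-bit export suite among three acceptable ones.
SAMPLE = build_client_hello(0x0301, [0x0003, 0x0009, 0x000A, 0x002F])

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE)
    print("client version 0x%04x" % hello["version"], check_offer(hello["suites"]))
```

To use it on a real trace, export the first TLS record the client sends (the ClientHello) as raw bytes and pass it to parse_client_hello in place of SAMPLE.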



Inability to Log in to VPN 3000 Concentrator
If you can get the Web VPN portal but cannot establish an SSL VPN connection because of login failure, work through the following steps to diagnose the problem:

Step 1. Enable logging for the auth and webvpn classes at severity levels 1-9, try to connect to the SSL VPN, and see whether any error is shown.


Step 2. If you are using an external AAA server, verify that you have network connectivity to the AAA server.


Step 3. Verify that the client's browser is not configured to use a proxy server.


Step 4. Perform a test authentication to the external AAA server from the VPN 3000 Concentrator.



Configuration Steps for Web Server Access
To provide links to websites on the Web VPN portal after the user logs in, work through the following steps:

Step 1. Complete the configuration steps explained in the section entitled "Configuration Steps for Basic SSL VPN Connection."



Step 2. Configure access to URLs in the Configuration > Tunneling and Security > WebVPN > Servers and URLs screen. To add a new URL for a website, click Add. In the Add page, specify the Name as it should appear on the Web VPN portal page, the server type (HTTP/HTTPS Server), and the actual website URL.



Note

Outlook Web Access (OWA) on the Microsoft Exchange Server can be accessed using the procedure previously explained, as OWA on Exchange Server works just like any other web application.



Troubleshooting Steps for Web Server Access
You might run into one of the following problems with web server access through an SSL VPN connection:

Web site does not display at all.

Web site displays but incorrectly.

The sections that follow detail the troubleshooting of these two issues. But before you delve into those details, it is important to know how to turn on debug for website access issues on the VPN Concentrator. The next section discusses this topic.

Turning on WEBVPN Event Class for Logging
Work through the following steps to turn on debug and collect the log to troubleshoot issues pertaining to web access through the SSL VPN tunnel:

Step 1. From the VPN Concentrator GUI, go to the Monitoring > WebVPN Logging page, and turn on logging by checking Enable. Be sure to define the username and path so that you capture the amount of information you desire.


Step 2. View or copy the log files from the Administration > File Management page. WebVPN Logging creates pairs of files: Mangled.xxx and Original.xxx. The Original file contains the request sent from the Concentrator to the web server and the response sent from the web server back to the Concentrator. The Mangled file contains the response message sent from the Concentrator to the browser.
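When you compare a Mangled file with its Original, what you are looking for is a link the Concentrator could not rewrite, which is how a site ends up displaying but incorrectly. The following Python sketch is added here as an illustration of the concept only (it is not the book's or Cisco's code, and the gateway prefix, hostnames and page content are constructed, not the concentrator's real rewriting format): it produces a "mangled" copy of an origin page by rewriting href/src/action attributes through a hypothetical gateway, then lists any absolute URL that still bypasses the gateway, such as one assembled in script at run time.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hypothetical gateway prefix for this illustration; the concentrator's actual scheme is not shown on the page.
GATEWAY = "https://vpn.example.com/proxy"

ATTR_RE = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

def mangle_url(url: str, base: str) -> str:
    """Rewrite one link so the browser fetches it through the gateway instead of directly."""
    absolute = urljoin(base, url)                 # resolve relative links against the page URL
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return url                                # mailto:, javascript:, data: are left untouched
    query = "?" + parts.query if parts.query else ""
    return "%s/%s/%s%s%s" % (GATEWAY, parts.scheme, parts.netloc, parts.path or "/", query)

def mangle_page(html: str, base: str) -> str:
    """Produce the 'Mangled' response: every href/src/action attribute value is rewritten."""
    def _sub(m):
        return "%s=%s%s%s" % (m.group(1), m.group(2), mangle_url(m.group(3), base), m.group(2))
    return ATTR_RE.sub(_sub, html)

def unmangled_links(mangled: str):
    """Absolute URLs left in the Mangled page that still bypass the gateway (sorted, unique)."""
    return sorted({u for u in URL_RE.findall(mangled) if not u.startswith(GATEWAY)})

# Constructed 'Original' response: one destination is assembled in script at run time,
# so an attribute-based rewriter never sees it as a link.
ORIGINAL = """<html><body>
<a href="/reports/index.html">Reports</a>
<img src="http://img.intranet.example/logo.png">
<a href="mailto:helpdesk@example.com">Help</a>
<script>
  var host = "http://intranet.example";
  function go() { location.href = host + "/dyn.html"; }
</script>
</body></html>"""

if __name__ == "__main__":
    mangled = mangle_page(ORIGINAL, "http://intranet.example/home.html")
    print(mangled)
    print("still bypassing the gateway:", unmangled_links(mangled))
```

Running unmangled_links over a real Mangled.xxx file gives the same kind of shortlist: URLs the browser will try to reach directly, which it cannot do from outside.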