Configuration Steps for SSL VPN Client

Work through the following steps to configure the SSL VPN client on the VPN 3000 Concentrator:

Step 1. Complete the configuration steps explained in the "Configuration Steps for Basic SSL VPN Connection" section.


Step 2. Go to Configuration > User Management > Groups > Modify to edit the group that you have configured for Basic SSL VPN connection. Under the WebVPN tab, check Enable Cisco SSL VPN Client to turn on the SSL VPN client option. The Require Cisco SSL VPN Client option is used if you want to allow the users to use only the SSL VPN client. If you do not want to remove the SSL VPN Client at the end of the session, check the Keep Cisco SSL VPN Client option.


Step 3. For IP address assignment, DNS/WINS Server address, and so on, follow the configuration steps explained in the section entitled "VPN Concentrator Configuration" under "Remote Access VPN Connection."



Troubleshooting Steps for SSL VPN Client (SVC)
The sections that follow examine these issues that can arise with SSL VPN Client implementations:

SSL VPN Client tunnel establishment

SSL VPN Client installation

SSL VPN Client Establishment Issues
Before the VPN Concentrator can push the SSL VPN client software to the client PC, the tunnel must be established. Follow the configuration and troubleshooting steps in the section entitled "Basic SSL VPN Connection" to correct SSL VPN connection issues. Once the SSL VPN connection is established, the SSL VPN client software is downloaded and installed on the client PC. After that, the SSL VPN client builds a full tunnel with the VPN Concentrator. If the SSL VPN Client installs correctly, you usually will not run into any tunnel establishment problems for the SSL VPN client. If you run into problems with the SSL VPN client installation, follow the steps outlined in the next section to correct the problem.

SSL VPN Client Installation Issues
If you can navigate to the WebVPN Portal page, but the client does not install, work through the following steps to fix the problem:

Step 1. Verify the group configuration for SSL VPN client.

Go to Configuration > User Management > Groups > Modify to verify that the group your user is in has Enable Cisco SSL VPN Client enabled.


Step 2. Check which account is being used and what rights it has.

You can do this by right-clicking My Computer and going to Users and Groups. Open Users by double-clicking it, and then find out which group the account is a member of. With Groups, Administrators, and Power Users, both ActiveX and Java are enabled by default. The Users group has more restrictions applied, and only Java is allowed to run with default privileges.



Step 3. Verify the browser settings.

The following Internet Explorer settings are required for SSL VPN Client (SVC) Installation. Use these settings as a guideline for other browsers:


- To access and launch the executable page, enable the following parameters:

Scripting > Active scripting > Enable

Downloads > File download > Enable

- To launch ActiveX, enable the following parameters:

Scripting > Active scripting > Enable

ActiveX controls and plug-ins > Download signed ActiveX controls > Enable

ActiveX controls and plug-ins > Run ActiveX controls and plug-ins > Enable

- To launch Java using the Microsoft Virtual Machine, enable the following parameters:

Scripting > Active scripting > Enable

Scripting > Scripting of Java applets > Enable

ActiveX controls and plug-ins > Download signed ActiveX controls > Enable

Microsoft VM > Java permissions > High, medium or low safety

This information can be found at the following link:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/csd/csd30/csdfaq.htm#wp1056392


Step 4. Add the VPN 3000 Concentrator to the trusted zone list. This ensures that the security settings are set to low, which by default allows both ActiveX and Java to be run, as described in the following release note: http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/prod_release_note09186a0080405b6c.html#wp535991

You can go to Configuration > System > Servers > Firewall to add the VPN 3000 Concentrator to the trusted zone list.


Step 5. Check the version of Sun Java.

If Sun Java is being used, ensure that there is a "Java Plug-In" option in the Control Panel, and open it to check that your browser of choice is selected under the Browser tab.


Step 6. Clear the browser cache and cookies.

Clear the browser cache and cookies, and be sure to restart the browser.


Step 7. Try a different browser vendor.

If one browser vendor does not work, try a different browser vendor.


Step 8. Try a different website.

If one site does not work, try to access a different website that you know uses ActiveX or Java.


Step 9. Verify the proxy settings.

SSL VPN Client can read and work only with Microsoft Internet Explorer proxy settings as of the writing of this book.


Step 10. Analyze the client PC environment.

If you still have issues, the application and system event logs on the client PC might not be indicating failures. In this case, use the WINMSD.exe file to generate a full dump of the client PC, and review the SetupApi.log file for specific install issues that may exist.
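
The Internet Explorer settings listed in Step 3 can also be read from the registry instead of the Security Settings dialog. The following PowerShell script is an added example, not part of the original text: it assumes the per-user zone settings under HKCU, defaults to zone 2 (Trusted sites, where Step 4 places the concentrator), and relies on the URL-action value names Internet Explorer stores for each setting.

```powershell
# Added example: audit the IE settings from Step 3 for one security zone.
param([int]$Zone = 2)   # 2 = Trusted sites (Step 4), 3 = Internet

$key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
$values = Get-ItemProperty -Path $key -ErrorAction Stop

# IE dialog label -> URL-action value name stored under the zone key
$required = [ordered]@{
    'Active scripting'                  = '1400'
    'File download'                     = '1803'
    'Download signed ActiveX controls'  = '1001'
    'Run ActiveX controls and plug-ins' = '1200'
    'Scripting of Java applets'         = '1402'
}
$stateName  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$javaLevels = @{ 0x10000 = 'High safety'; 0x20000 = 'Medium safety'; 0x30000 = 'Low safety' }

$report = foreach ($label in $required.Keys) {
    $id  = $required[$label]
    $raw = $values.$id          # $null when the value is not set for this user
    if ($null -eq $raw) {
        $state = 'Not set for this user'
    } elseif ($stateName.ContainsKey([int]$raw)) {
        $state = $stateName[[int]$raw]
    } else {
        $state = 'Other (0x{0:X})' -f $raw
    }
    [pscustomobject]@{ Setting = $label; Id = $id; State = $state; Ok = ($raw -eq 0) }
}

# Java permissions (1C00) must be High, Medium or Low safety; 0 means Java is disabled.
$java = $values.'1C00'
if ($null -eq $java) {
    $javaState = 'Not set for this user'
} elseif ($javaLevels.ContainsKey([int]$java)) {
    $javaState = $javaLevels[[int]$java]
} else {
    $javaState = 'Other (0x{0:X})' -f $java
}
$report = @($report) + [pscustomobject]@{
    Setting = 'Java permissions'; Id = '1C00'; State = $javaState
    Ok = ($null -ne $java -and $javaLevels.ContainsKey([int]$java))
}

$report | Format-Table -AutoSize
```

Zone settings enforced through Group Policy are stored under the Policies branch of the registry and take precedence over the per-user values this script reads.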