Overview of WebVPN

WebVPNs are a new form of VPN access introduced with the ASA 55X0 family of firewalls. A WebVPN is a clientless remote-access VPN that uses a web browser to access an enterprise information technology (IT) network. Unlike a standard IPSec VPN, which requires specific VPN client software, a WebVPN client can use any web browser that supports Java Runtime Environment (JRE) 1.4.1 or later. This allows more mobility for an end user, access from home or extranet computers, and use by employees who may only need infrequent access. WebVPN uses the Secure Sockets Layer (SSL) and Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols to create secure connections from an end user's system to an internal IT resource. Through the WebVPN, a client has access to many of the IT resources normally accessed through a traditional IPSec VPN. The services that can be enabled through a WebVPN connection are as follows:
■ E-mail Proxy—Allows proxy access to many common mail servers and software, including POP3S, IMAP4S, Post Office, and SMTPS
■ MAPI Access—Allows proxy access to a Microsoft Exchange Server
■ HTTPS—Allows secure (SSL) access to internal websites, Microsoft Web Outlook Access, and other web-based resources
■ Windows File Access—Allows access to file browsing on the IT network, NT/Active Directory (AD), and other preconfigured file servers
■ Port Forwarding—Allows access through port forwarding of several TCP-based applications
Although WebVPN has some advantages over an IPSec VPN, as previously described, enabling WebVPN on a Security Appliance also has a few disadvantages. One major disadvantage is that enabling WebVPN on a Security Appliance causes a reduction in performance, because all WebVPN connections are proxied through the Security Appliance. Another major disadvantage of enabling WebVPN is that several features are disabled for WebVPN connections. This is due to the way the Security Appliance handles the WebVPN SSL and SSL/TLS connections. These features are unavailable only to WebVPN users and do not affect any other traffic flows or VPN users on the Security Appliance. The following features are not supported with a WebVPN connection:
■ NAT
■ PAT
■ Active-active or active-standby stateful failover
■ The Modular Policy Framework inspection feature
■ Filter configuration commands
■ Rate limiting using the police command and priority-queue command
■ Connection limits
■ The established command
Additionally, if WebVPN has been configured on the outside interface of the Security Appliance, management of the outside interface by the Cisco Adaptive Security Device Manager (ASDM) will be lost. Additional security concerns arise when implementing WebVPNs for remote users. Key loggers can be used on public terminals to capture username and password sets for future access. Web browsers could capture username and password sets in their caching mechanisms, and a malicious user could use these to gain access. Make sure a vulnerability assessment has been done before enabling WebVPN for public Internet access.
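The two operational caveats above (ASDM management lost on an interface where WebVPN is enabled, and a list of features that are silently not applied to WebVPN sessions) are the kind of thing a reviewer wants flagged before a change goes live. The following Python script is an added example, not code from the book or from Cisco: it runs a keyword-based audit over a constructed ASA configuration. It assumes the ASA CLI forms `webvpn` / ` enable <interface>`, `http <network> <mask> <interface>` for ASDM access, and the command keywords `nat`, `global`, `established`, `filter`, `police`, `priority-queue`, `set connection`, `failover` and `inspect`; the addresses and interface names in the sample are hypothetical.

```python
"""Audit a Cisco ASA configuration for the WebVPN caveats described above.

Added example, not from the book. The configuration below is constructed
for illustration; command keywords are the ASA CLI forms as assumed in the
lead-in, and the audit is a keyword heuristic, not a full config parser.
"""
import re

# Constructed sample configuration (hypothetical addresses and interface names).
SAMPLE_CONFIG = """\
hostname asa-edge
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.11.103 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
established tcp 1433 0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 192.168.11.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 inside
policy-map outside-policy
 class shaping-class
  police output 1000000 2000
webvpn
 enable outside
"""

# Features the text lists as not applied to WebVPN sessions, keyed by the
# leading keyword(s) of the command that configures each one.
UNSUPPORTED_FOR_WEBVPN = {
    "nat": "NAT/PAT",
    "global": "NAT/PAT",
    "established": "the established command",
    "filter": "a filter command",
    "police": "rate limiting with police",
    "priority-queue": "rate limiting with priority-queue",
    "set connection": "a connection limit",
    "failover": "stateful failover",
    "inspect": "Modular Policy Framework inspection",
}


def webvpn_interfaces(config):
    """Return the interfaces listed as 'enable <iface>' inside the top-level webvpn block."""
    enabled = set()
    in_webvpn = False
    for line in config.splitlines():
        if line.startswith("webvpn"):          # top-level block, not an indented sub-mode
            in_webvpn = True
            continue
        if in_webvpn:
            if not line.startswith(" "):       # block ended at the next top-level command
                in_webvpn = False
                continue
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                enabled.add(m.group(1))
    return enabled


def asdm_access_interfaces(config):
    """Return interfaces on which ASDM/HTTPS management is permitted ('http <net> <mask> <iface>')."""
    ifaces = set()
    for line in config.splitlines():
        m = re.match(r"http\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+(\S+)", line)
        if m:
            ifaces.add(m.group(1))
    return ifaces


def audit(config):
    """Return a list of human-readable findings; empty when WebVPN is not enabled."""
    findings = []
    vpn_ifaces = webvpn_interfaces(config)
    if not vpn_ifaces:
        return findings
    # ASDM management is lost on an interface that also serves the WebVPN portal.
    for iface in sorted(vpn_ifaces & asdm_access_interfaces(config)):
        findings.append(f"ASDM management on '{iface}' will be lost: WebVPN is enabled there")
    # Features present in the config that will not apply to WebVPN sessions (reported once each).
    seen = set()
    for line in config.splitlines():
        stripped = line.strip()
        for keyword, description in UNSUPPORTED_FOR_WEBVPN.items():
            if stripped.startswith(keyword) and description not in seen:
                seen.add(description)
                findings.append(f"{description} is configured but will not apply to WebVPN sessions")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the ASDM conflict on `outside` and then one line each for NAT/PAT, the established command, the filter command and the police rate limiter; the `http ... inside` entry is not flagged because WebVPN is not enabled on that interface.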
WebVPN Portal Interface
WebVPN uses a front-end portal interface to authenticate end users and give them access. To access the WebVPN portal, an end user first authenticates using the authentication, authorization, and accounting (AAA) method configured on the ASA that has WebVPN enabled. The end user connects over https:// to a domain name or IP address, such as 192.168.11.103, which represents the interface that WebVPN is enabled on. Port 80 access to WebVPN is not allowed. The end user is greeted with an authentication screen, as shown in Figure 13-7.
The portal interface uses SSL/TLS encryption during access and runs on a local https server. Through the portal interface, the end user gains access to authorized parts of the internal network and accesses e-mail and file servers via click-through links. The https server that controls the portal interface shown in Figure 13-8 resides on the ASA 55x0 Security Appliance and is fully customizable by the security administrator.
NOTE WebVPN can only be used on the ASA 55X0 Security Appliances and is not supported by the PIX 500 series firewalls.