Remote Access using Clientless VPN
Source: d2zmdbbm9feqrf.cloudfront.net/2013/eur/pdf/brksec-2697.pdf

Post on 06-Mar-2018


© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-2097 Cisco Public

Remote Access using Clientless VPN
Thorsten Rosendahl, trosenda@cisco.com
BRKSEC-2097

Agenda

• Integrate
• Enable IT
• Add real Users

This Breakout

• Will cover
  ‒ ASA as the Headend
  ‒ Clientless Access
  … with focus on the 9.0 Release
• Won’t cover
  ‒ IOS headends
  ‒ The AnyConnect Client (BRKSEC-3033)
  ‒ Cisco Secure Desktop

The embedded videos are available at http://ciscosales.webex.com/meet/trosenda

Cisco Secure Desktop

The following features are deprecated (November 20, 2012):
‒ Secure Desktop (Vault)
‒ Cache Cleaner
‒ Keystroke Logger Detection (KSL)
‒ Host Emulation Detection

http://www.cisco.com/en/US/docs/security/csd/csd36/public_notices/vault_cc_ksl_host_emulation_deprecat_notice.html

Overview: Hardware

• Every ASA can handle Clientless SSL VPN
• A 5505 can handle up to 25 Sessions
• A 5585 can handle up to 10,000 Sessions
• As rewriting of Content occurs, CPU is more important than throughput

Overview: Software / Licensing

• We need a DES (K8) and/or 3DES (K9) License
• We need an “AnyConnect Premium” License, as this enables Clientless (default 2 per chassis)
• Premium and Essentials can *not* run concurrently

Client(less) Requirements

Supported browsers per platform (see http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html):

  Platform       Firefox  Chrome  IE     Safari
  Windows XP     3+       6+      6/7/8  -
  Windows Vista  3+       6+      7/8/9  -
  Windows 7      3+       6+      8/9    -
  Windows 8      tbd      tbd     tbd    tbd
  MacOS X        3+       6+      -      3/4/5
  Linux          3+       -       -      -

Plugins, Smart Tunnels and Port Forwarding per platform:

  Platform        Plugins  Smart Tunnels  Port Forwarding
  Windows XP      ✓        ✓              ✓
  Windows Vista   ✓        ✓              ✓
  Windows 7       ✓        ✓              -
  Windows 8       tbd      tbd            tbd
  MacOS X         ✓        ✓              ✓
  Fedora Core 4   -        -              ✓

  Plugins: ActiveX (32 bit) / Java 1.4-1.7
  Smart Tunnels: x86/64 only, no Itanium or PPC
  Port Forwarding: 32 bit only

Overview (diagram): the browser talks https to the ASA; the ASA reaches the internal resources via http[s], ftp/cifs, Smart Tunnels (TCP), Port Forwarding (TCP) and Plugins (ssh, telnet, rdp, vnc, citrix).

Secure Sockets Layer (SSL) Overview

• A “Secure Protocol” developed by Netscape for secure e-commerce.
• SSL 2.0 was released in 1994, but had flaws and was replaced by SSL 3.0. Transport Layer Security (TLS) was published in 1999 and continued to evolve.
• Creates a tunnel between web browser and web server: authenticated and encrypted (RC4, 3DES, DES, AES)
• https://, usually over TCP/443; the closed lock indicates SSL-enabled!
• Refer to RFC 2246 for TLS 1.0, RFC 4346 (2006) for TLS 1.1 and RFC 5246 (2008) for TLS 1.2

SSL on ASA

  ssl-lab# show crypto ssl
  Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
  Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
  Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
  Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 null-sha1
  SSL trust-points:
    outside interface: ASDM_TrustPoint0
  Certificate authentication is not enabled
  ssl-lab#

Parameters that identify the protocol, encryption algorithm and hash function.
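A small audit script, added here and not part of the presentation, that parses the show crypto ssl output above and flags what a reviewer would want changed on this box: it still accepts SSLv2/SSLv3 handshakes and keeps 3DES in the enabled cipher list. The sample output is the slide's; the weak-protocol and weak-cipher sets are this example's own review policy, not ASA defaults.

```python
import re

# Constructed sample: the "show crypto ssl" output from the slide, line for line.
SHOW_CRYPTO_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: aes256-sha1 aes128-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 rc4-sha1 null-sha1
SSL trust-points:
  outside interface: ASDM_TrustPoint0
Certificate authentication is not enabled
"""

# Review policy of this example (an assumption, not an ASA default): no SSLv2/SSLv3,
# and no DES/3DES, RC4 or NULL ciphers in the enabled list.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHERS = {"des-sha1", "3des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}


def parse_show_crypto_ssl(text):
    """Pull accepted/negotiated protocols, enabled ciphers and trust-points out of the output."""
    info = {"accept": [], "negotiate": [], "ciphers": [], "trustpoints": {}, "cert_auth": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Accept connections using (.+?) and negotiate to (.+)", line)
        if m:
            # "SSLv2, SSLv3 or TLSv1" -> ["SSLv2", "SSLv3", "TLSv1"]
            info["accept"] = re.split(r",\s*|\s+or\s+", m.group(1))
            info["negotiate"] = re.split(r",\s*|\s+or\s+", m.group(2))
            continue
        m = re.match(r"Enabled cipher order: (.+)", line)
        if m:
            info["ciphers"] = m.group(1).split()
            continue
        m = re.match(r"(\S+) interface: (\S+)", line)
        if m:
            info["trustpoints"][m.group(1)] = m.group(2)
            continue
        if line.startswith("Certificate authentication"):
            info["cert_auth"] = "not enabled" not in line
    return info


def audit(info):
    """Return the list of findings for the parsed output; an empty list means nothing to report."""
    findings = []
    for proto in info["accept"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"accepts {proto} handshakes")
    for proto in info["negotiate"]:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"may negotiate {proto}")
    for cipher in info["ciphers"]:
        if cipher in WEAK_CIPHERS:
            findings.append(f"enabled cipher {cipher} is weak")
    if not info["trustpoints"]:
        findings.append("no SSL trust-point bound to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_crypto_ssl(SHOW_CRYPTO_SSL)):
        print("FINDING:", finding)
```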

Overview (diagram): browser to ASA over https; ASA to the web server over http[s].

Content Transformation Engine

Rewrites HTML[5], Java, JavaScript, Flash, SVG, CSS.

Diagram (very simplified statement) with the web server at 10.1.1.66 behind the portal path /intranetsite/:
  Browser to ASA:   GET /intranetsite/index.html HTTP/1.0
  ASA to server:    GET /index.html HTTP/1.0
  Server to ASA:    <a href="/about.html">About</a>
  ASA to browser:   <a href="/intranetsite/about.html">About</a>
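To make the "very simplified statement" concrete, here is an added toy rewriter (not Cisco code and not how the CTE is implemented) for the one case the slide shows: the browser's /intranetsite/ prefix is stripped on the way to 10.1.1.66, and absolute paths in href/src attributes of the reply get the prefix put back. Host, prefix and sample HTML are constructed from the slide; the example also resolves relative links and leaves foreign hosts alone, which the real rewriter handles differently.

```python
import re
from urllib.parse import urlsplit

# Constructed from the slide: the backend web server and the portal path that stands for it.
BACKEND_HOST = "10.1.1.66"
PORTAL_PREFIX = "/intranetsite"

# href="..." / src='...' attributes; the real CTE also rewrites JavaScript, CSS, Flash and SVG.
ATTR_RE = re.compile(r'(href|src)=(["\'])([^"\']*)\2', re.IGNORECASE)


def inbound_path(browser_path):
    """Browser -> ASA -> server: strip the portal prefix (/intranetsite/index.html -> /index.html)."""
    if browser_path == PORTAL_PREFIX or browser_path.startswith(PORTAL_PREFIX + "/"):
        return browser_path[len(PORTAL_PREFIX):] or "/"
    raise ValueError("path is not under the portal prefix: " + browser_path)


def rewrite_url(url, base_path="/"):
    """Server -> ASA -> browser: make one link point back through the portal."""
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return url                      # mailto:, javascript:, ... nothing to proxy
    if parts.netloc:
        if parts.hostname != BACKEND_HOST:
            return url                  # foreign host: left alone in this toy (the CTE proxies it)
        path = parts.path or "/"
    elif parts.path.startswith("/"):
        path = parts.path               # absolute path on the backend, the slide's case
    elif parts.path:
        # relative link: resolve against the directory of the page being rewritten
        path = base_path.rsplit("/", 1)[0] + "/" + parts.path
    else:
        return url                      # "#fragment" or "?query" only: already relative to the portal page
    tail = ("?" + parts.query if parts.query else "") + ("#" + parts.fragment if parts.fragment else "")
    return PORTAL_PREFIX + path + tail


def rewrite_html(html, base_path="/"):
    """Rewrite every href/src attribute in a backend HTML response."""
    def repl(m):
        attr, quote, url = m.group(1), m.group(2), m.group(3)
        return f"{attr}={quote}{rewrite_url(url, base_path)}{quote}"
    return ATTR_RE.sub(repl, html)


# Constructed sample response, extending the slide's <a href="/about.html">About</a>.
SAMPLE_RESPONSE = ('<a href="/about.html">About</a> '
                   '<img src="http://10.1.1.66/logo.png"> '
                   '<a href="https://www.cisco.com/">Cisco</a>')

if __name__ == "__main__":
    print(inbound_path("/intranetsite/index.html"))
    print(rewrite_html(SAMPLE_RESPONSE, base_path="/index.html"))
```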

Content Transformation Engine: Server Certificate Validation (ASA v9.0), new commands

  ssl-lab(config-webvpn)# ssl-server-check ?

  webvpn mode commands/options:
    deny-on-failure  Disconnect the connection and show the denying page to end users on failure of verification
    warn-on-failure  Show the warning page to end users on failure of verification

  ssl-lab(config)# crypto ca trustpool ?

  configure mode commands/options:
    policy  Define trustpool policy

  exec mode commands/options:
    export  Export a trustpool bundle
    import  Import a trustpool bundle
    remove  Remove a trustpool certificate

  ssl-lab(config)#

Overview (diagram): browser to ASA over https; ASA to the web server over http[s] and to file servers over ftp/cifs.

File Access

Diagram: the browser asks the ASA for the share, and the ASA opens the CIFS connection to 10.1.1.66:
  GET /+CSCOE+/files/browse.html?code=init&path=cifs%3A%2F%2F31302E312E312E3636%2FC%24 HTTP/1.1
The path parameter is the URL-encoded form of cifs://31302E312E312E3636/C$, where the hex string 31302E312E312E3636 is the ASCII encoding of the host address 10.1.1.66.

Overview (diagram): browser to ASA over https; ASA to http[s], ftp/cifs, Smart Tunnels (TCP), Port Forwarding (TCP) and Plugins (ssh, telnet, rdp, vnc, citrix).

Overview (diagram): the ASA sits between the endpoint and the internal resources.

Overview (diagram, Smart Tunnels / Port Forwarding): the browser first loads the relay from the ASA,
  GET /+CSCOE+/tunnel_mac.jnlp?….HTTP/1.1    (Java)
  GET /+CSCOE+/relayocx.html?p=w32 HTTP/1.1   (ActiveX)
and the Java / ActiveX relay then carries TCP/22, TCP/3389, etc. through the ASA to the internal host (encoded as 31302E312E312E3636 as in the file access example).

Plugins

• “In Browser Access” to rdp, ssh, vnc, citrix resources
• No need for an application on the client, just Java/ActiveX
• Supported on Windows and Mac OS X platforms only.

Smart Tunnels: Use Cases

• For Web Applications/Bookmarks if the CTE fails (shouldn’t happen)
• For Non-Web-Applications, TCP only, like Telnet, Passive FTP, SSH, RDP, VNC, VMware View (rdp, not PCoIP); but the application has to reside on the endpoint.
• Supported on Windows and Mac OS X platforms only.
• Supported on x86 and x64 architectures only
• Requires ActiveX or Java enabled browsers.
• Better performance than Plugins

Port Forwarding

• “Legacy” method, kept for compatibility
• The application on the end system needs to be reconfigured
• Smart tunnels offer better performance
• Smart tunnels do not need Admin privileges

First Time Setup

CLI Config Overview

  webvpn
   enable outside
  group-policy it internal
  group-policy it attributes
   vpn-tunnel-protocol ssl-clientless
   webvpn
    url-list none
   exit
  exit
  tunnel-group it type remote-access
  tunnel-group it general-attributes
   default-group-policy it
  tunnel-group it webvpn-attributes
   group-alias it enable
   group-url https://10.1.30.254/it enable

• Group Policies: what can be done during a session (ACL, Times, Portal, Customization, …)
• Connection Profiles (tunnel-group): what is needed to establish a session (AAA, Username Mapping, Alias, URL, …) … and map that back to a group

Connection Profile / tunnel-group (ASDM screenshots, callouts):
• DNS lookup for the clients
• Group Policy
• Primary authentication
• Certificate settings, if (client) certificates are used for authentication
• Secondary (double) authentication: with secondary authentication enabled, the user *must* present two sets of credentials
• Authorization: the authorization server takes precedence over “Secondary Authentication Server -> Attribute Server”
• How clients connect: an alias which appears in the drop-down list, or a direct URL (like Apache vhosts)

Group Policies

Let’s rollout to some users

Group Policy (ASDM screenshot): assign an ACL; inherit from DfltGrpPolicy.

WEB ACL: allows filtering on URLs with wildcard support (a smart-tunnel is a URL as well), and on IP address and service.

Portal Policy: freedom vs. workload? Assign a bookmark list* (* dedicated (next) chapter).

Smart Tunnels (Group Policy): Include / Exclude / All, or define a list of application(s).

Smart Tunnel Entry: Windows / Mac; name of the (parent) process, full path for Mac.

Group Policy – More Options - Customization: apply a customization (this is Portal only).

Single Sign-on: 3 methods available

• Auto Sign-On
• External SSO Servers
• Kerberos Constrained Delegation (Global)

Auto Sign-On

• Submits static Clientless SSL login credentials to
  ‒ Web servers, ftp/cifs shares, web apps with smart tunnels, plugins
• Supports
  ‒ Basic, NTLMv1, FTP or CIFS authentication, HTTP Form*
• Can use double authentication when users are authenticated by OTP or certificates

External SSO Servers

• SAML 1.1 (Browser) POST Profile (push, != pull)
  ‒ The ASA plays the role of the asserting party (sends assertions), the SAML server that of the relying party; hence the ASA cannot accept assertions (Novell Identity Manager)
  ‒ The SAML1 Federated/Trust component is not supported
  ‒ Only a single cookie domain is supported
• Works with RSA ClearTrust, CA SiteMinder, Entrust GetAccess (cookies CTSESSION, SMSESSION, AUTH_SESSION_ID) and the SAML cookie

Kerberos Constrained Delegation - KCD

• Global configuration
• Useful to extend certificate- and OTP-based authentication methods to web applications.

Flow (diagram with Client, ASA, Kerberized Server and Domain Controller (KDC)):
  1. Client -> ASA: Login, access URL
  2. ASA -> Kerberized Server: GET
  3. Kerberized Server -> ASA: Challenge, SPNEGO
  4. ASA -> KDC: Request impersonate ticket
  5. KDC -> ASA: Return ticket with user authorization data
  6. ASA -> KDC: Request service ticket
  7. KDC -> ASA: Return service ticket
  8. ASA -> Kerberized Server: Use service ticket
  9. Kerberized Server -> ASA: Reply
  10. ASA -> Client: Reply

Per User editable Bookmarks

• smb or ftp: Username:password@host:port/path
• Storage key to encrypt the data

Bookmarks

• Bookmarks are organized into lists, which is more convenient to end users
• Bookmark lists can be assigned to group(s)

Bookmarks (ASA v9.0 added 2 new types)

• URL with GET or POST method
• Predefined Application Templates, HTML form auto-submit

URL with GET or POST method (ASDM screenshot): create a meaningful title, enter the URL, and for POST define the parameters.

Predefined Application Templates (ASDM screenshot): select a predefined app; predefined templates for well known applications prepopulate the settings.

Outlook Web Access (ASDM screenshot): create a meaningful title, optional icon, http/https, host name, select the application (see the variables on the next slide).

Variables

Variable names available in bookmarks:
  CSCO_WEBVPN_USERNAME
  CSCO_WEBVPN_PASSWORD
  CSCO_WEBVPN_INTERNAL_PASSWORD
  CSCO_WEBVPN_CONNECTION_PROFILE
  CSCO_WEBVPN_PRIMARY_USERNAME
  CSCO_WEBVPN_PRIMARY_PASSWORD
  CSCO_WEBVPN_SECONDARY_USERNAME
  CSCO_WEBVPN_SECONDARY_PASSWORD
  CSCO_WEBVPN_MACRO1
  CSCO_WEBVPN_MACRO2
See Connection Profile / Customization to enable.

Outlook Web Access (ASDM screenshot, continued): the application path is auto appended, the remaining fields are predefined or carried over from the previous screen.

VIDEO WALK THROUGH

Customization

Customization is divided into 5 main parts

• General
• Logon Page
• Portal Page
• Logout Page
• External Portal Page

(ASDM screenshot) The customization will be enabled in the Connection Profile.

External Portal with new Bookmark Methods

Adding a second Group

Combining what we have seen so far: enabling users to access Outlook Web Access only

• Create a new Customization which enables “External Portal Page”
• Setup URL with “Predefined Application Templates”
• Create a Group Policy which only allows OWA
• Create a Connection Profile which accepts https://ssl-lab.cisco.com/owa

(Screenshot callouts: “Only first time” and “From there on”.)

Group Policy / Connection Profile

  access-list owa_only webtype permit url https://mail.cisco.com/* log default
  access-list owa_only webtype deny url any log default
  !
  group-policy owa internal
  group-policy owa attributes
   vpn-tunnel-protocol ssl-clientless
   webvpn
    filter value owa_only
    customization value owa
    hidden-shares none
    file-entry disable
    file-browsing disable
    url-entry disable
  !
  tunnel-group owa_only type remote-access
  tunnel-group owa_only general-attributes
   authentication-server-group LDAP
   default-group-policy owa
  tunnel-group owa_only webvpn-attributes
   group-alias owa enable
   group-url https://ssl-lab.cisco.com/owa enable
  !

VIDEO WALK THROUGH

A word about (Web)ACLs

• Remember that many emails contain HTML links nowadays
• The above might be too restrictive
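An added example (not from the deck) that evaluates sample URLs against the owa_only web-type ACL from the configuration above with first-match semantics and the implicit deny at the end, to show the point made here: a link inside an e-mail to an internal host (intranet.example.com is a constructed name) is denied by owa_only and needs its own permit line. The relaxed second ACL is constructed as well.

```python
import fnmatch
import re

# Constructed sample: the owa_only web-type ACL from the configuration above, and a second ACL
# that additionally permits an intranet host (intranet.example.com is a made-up name).
OWA_ONLY_ACL = """\
access-list owa_only webtype permit url https://mail.cisco.com/* log default
access-list owa_only webtype deny url any log default
"""

OWA_PLUS_INTRANET_ACL = """\
access-list owa_plus webtype permit url https://mail.cisco.com/* log default
access-list owa_plus webtype permit url http://intranet.example.com/* log default
access-list owa_plus webtype deny url any log default
"""

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+webtype\s+(?P<action>permit|deny)\s+url\s+(?P<url>\S+)"
)


def parse_webtype_acl(text):
    """Return (acl name, [(action, url pattern), ...]) in configured order."""
    name, aces = None, []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name = m.group("name")
            aces.append((m.group("action"), m.group("url")))
    return name, aces


def evaluate(aces, url):
    """First matching ACE wins; an applied web-type ACL ends with an implicit deny.
    '*' in the pattern matches any run of characters, as in the ASA's URL wildcards."""
    for action, pattern in aces:
        if pattern == "any" or fnmatch.fnmatchcase(url.lower(), pattern.lower()):
            return action
    return "deny"


# Constructed sample of what a user may click: OWA itself and a link embedded in an e-mail.
SAMPLE_URLS = [
    "https://mail.cisco.com/owa/",
    "https://mail.cisco.com/owa/attachment.ashx?id=1",
    "http://intranet.example.com/wiki/Onboarding",
]


def classify(acl_text, urls=SAMPLE_URLS):
    """Map each sample URL to the action the given ACL takes on it."""
    _, aces = parse_webtype_acl(acl_text)
    return {u: evaluate(aces, u) for u in urls}


if __name__ == "__main__":
    for name, text in (("owa_only", OWA_ONLY_ACL), ("owa_plus", OWA_PLUS_INTRANET_ACL)):
        for url, action in classify(text).items():
            print(f"{name}: {action:6} {url}")
```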

Tips

Little Troubleshooting tips

• Familiarize yourself with working examples of
  debug webvpn [chunk|cifs|citrix|failover|html|javascript|request|response|transformation|url|util|xml]
• Notice that there is a capture type “webvpn”. This capture should be used for a particular user, not for all traffic. Unzipping the capture requires the password “koleso” (no quotes). The extracted files have the following naming format:
  <request number>-<req|res|log>-<f: front-end | b: backend><0: original content | 1: content after transfer encoding>
  For example, suppose we need to look at the captures for the very first request; we look for file names starting with "1-":
  1-req-f0  request received by WebVPN from the browser
  1-req-b0  request sent to the backend server
  1-res-b0  response WebVPN received from the backend server
  1-res-f0  response after the transformer
  1-res-f1  response after the transformer, sent to the browser with the transfer encoding applied by the ASA (gzip, chunked)
  1-log     log entries for the request

AAA

AAA server types and what they can provide:

  Server      Authentication  Authorization  Accounting
  local       Y               Y*             N
  Radius      Y               Y              Y
  LDAP        Y               Y              N
  Tacacs+     Y               N              Y?
  NT Domain   Y               N              N
  SDI         Y               N              N
  Kerberos    Y               N              N
  HTTP Form   Y               N              N

LDAP

• The ASA supports LDAP v3 with plain text and SASL
• SASL supports Digest-MD5 and Kerberos (GSSAPI)
• Tested with Java System Directory Server, MS-AD, Novell, OpenLDAP
• To learn the LDAP structure and for troubleshooting see http://www.softerra.com or use LDP.exe (Windows 2008)
• We will walk through the Active Directory configuration now

For the Active Directory admin it looks like this (screenshot of the directory).

We have to deal with: where we find users, and a sample attribute.

Where we find users (MS AD in this example): as MS requires a login, enter a valid user. N.B.: Administrator is for LAB use only.

LDAP bind

  debug ldap enabled at level 100
  ssl-lab#
  [422] Session Start
  [422] New request Session, context 0x00007fff2ef348f8, reqType = Authentication
  [422] Fiber started
  [422] Creating LDAP context with uri=ldap://10.1.1.66:389
  [422] Connect to LDAP server: ldap://10.1.1.66:389, status = Successful
  [422] supportedLDAPVersion: value = 3
  [422] supportedLDAPVersion: value = 2
  [422] Binding as Administrator
  [422] Performing Simple authentication for Administrator to 10.1.1.66
  [422] LDAP Search:
          Base DN = [CN=Users,DC=duslab,DC=cisco,DC=com]
          Filter  = [sAMAccountName=trosenda]
          Scope   = [SUBTREE]
  [422] User DN = [CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com]
  [422] Talking to Active Directory server 10.1.1.66
  [422] Reading password policy for trosenda, dn:CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com
  [422] Read bad password count 0

LDAP Attributes

  [422] Binding as trosenda
  [422] Performing Simple authentication for trosenda to 10.1.1.66
  [422] Processing LDAP response for user trosenda
  [422] Message (trosenda):
  [422] Authentication successful for trosenda to 10.1.1.66
  [422] Retrieved User Attributes:
  [TRUNCATED TO FIT SCREEN]
  [422] cn: value = thorsten rosendahl
  [422] sn: value = rosendahl
  [422] givenName: value = thorsten
  [422] distinguishedName: value = CN=thorsten rosendahl,CN=Users,DC=duslab,DC=cisco,DC=com
  [TRUNCATED TO FIT SCREEN]
  [422] displayName: value = thorsten rosendahl
  [422] uSNCreated: value = 20557
  [422] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
  [422] wWWHomePage: value = 10.1.1.66
  [TRUNCATED TO FIT SCREEN]
  [422] Fiber exit Tx=596 bytes Rx=2436 bytes, status=1
  [422] Session End

LDAP Attribute Maps

LDAP Attribute Maps: enabling the ASA to parse & use the attributes existent in your directory

• As LDAP does provide additional attributes, we could use these to:
  ‒ Map LDAP group membership to a Group Policy
  ‒ Map user attributes to bookmarks
• The goal is to let LDAP decide on the Group-Policy rather than hand out different URLs (/beta, /owa)

LDAP memberOf = Cisco Group Policy (ASDM screenshots, callouts):
• Start here: map the LDAP attribute name memberOf to the Cisco attribute Group-Policy
• Complete here: map the value as well
• Create a mapping, one by one
• Mapping a second attribute: “Web page” in the Microsoft view (wWWHomePage)
• Picking up CSCO_WEBVPN_MACRO1 in bookmarks: this string will resolve to an address

Debug view

  debug ldap enabled at level 100
  ssl-lab#
  [TRUNCATED]
  [425] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
  [425] mapped to Group-Policy: value = owa
  [425] mapped to LDAP-Class: value = owa
  [TRUNCATED]
  [425] wWWHomePage: value = 10.1.1.66
  [425] mapped to WebVPN-Macro-Substitution-Value1: value = 10.1.1.66
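An added Python example, not Cisco code, that replays what the two debug outputs show: it parses the retrieved user attributes from debug ldap, applies the attribute map built in the preceding screenshots (memberOf to Group-Policy with a value map, wWWHomePage to WebVPN-Macro-Substitution-Value1), and substitutes the resulting CSCO_WEBVPN_MACRO1 into a bookmark URL as described on the Variables slide. The bookmark template and the unmapped second group DN are constructed.

```python
import re

# Constructed sample: the user-attribute part of the "debug ldap 100" output shown earlier.
DEBUG_LDAP = """\
[422] Retrieved User Attributes:
[422] cn: value = thorsten rosendahl
[422] memberOf: value = CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com
[422] wWWHomePage: value = 10.1.1.66
[422] Fiber exit Tx=596 bytes Rx=2436 bytes, status=1
"""

# The attribute map built in the screenshots: LDAP attribute -> Cisco attribute, plus the
# value map for memberOf (group DN -> group-policy name). wWWHomePage has no value map.
ATTRIBUTE_MAP = {
    "memberOf": "Group-Policy",
    "wWWHomePage": "WebVPN-Macro-Substitution-Value1",
}
VALUE_MAP = {
    ("memberOf", "CN=owa,CN=Builtin,DC=duslab,DC=cisco,DC=com"): "owa",
}

ATTR_LINE = re.compile(r"^\[\d+\]\s+(?P<attr>[A-Za-z0-9]+): value = (?P<value>.*)$")


def parse_user_attributes(debug_text):
    """Collect attribute -> [values] from the debug output (memberOf may repeat)."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_LINE.match(line.strip())
        if m:
            attrs.setdefault(m.group("attr"), []).append(m.group("value"))
    return attrs


def apply_attribute_map(attrs, attr_map=ATTRIBUTE_MAP, value_map=VALUE_MAP):
    """Produce the Cisco attributes the "mapped to ..." debug lines report."""
    mapped = {}
    for ldap_attr, values in attrs.items():
        cisco_attr = attr_map.get(ldap_attr)
        if cisco_attr is None:
            continue                                   # attribute not mapped: ignored
        has_value_map = any(k[0] == ldap_attr for k in value_map)
        for value in values:
            if (ldap_attr, value) in value_map:
                mapped[cisco_attr] = value_map[(ldap_attr, value)]
            elif not has_value_map:
                mapped[cisco_attr] = value             # no value map: pass the raw value through
            # a memberOf value missing from the value map maps to nothing, so the user
            # keeps the connection profile's default group-policy
    return mapped


def expand_bookmark(url_template, mapped, username):
    """Substitute the CSCO_WEBVPN_* variables a bookmark may carry (Variables slide)."""
    subst = {
        "CSCO_WEBVPN_USERNAME": username,
        "CSCO_WEBVPN_MACRO1": mapped.get("WebVPN-Macro-Substitution-Value1", ""),
        "CSCO_WEBVPN_MACRO2": mapped.get("WebVPN-Macro-Substitution-Value2", ""),
    }
    return re.sub(r"CSCO_WEBVPN_[A-Z0-9_]+", lambda m: subst.get(m.group(0), m.group(0)), url_template)


# Constructed bookmark template: a page on the host taken from the user's wWWHomePage.
BOOKMARK_TEMPLATE = "http://CSCO_WEBVPN_MACRO1/home/CSCO_WEBVPN_USERNAME"

if __name__ == "__main__":
    mapped = apply_attribute_map(parse_user_attributes(DEBUG_LDAP))
    print(mapped)
    print(expand_bookmark(BOOKMARK_TEMPLATE, mapped, "trosenda"))
```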

VIDEO WALK THROUGH

DAP

Dynamic Access Policies

• Based on AAA and/or endpoint attributes, DAPs can assign access and authorization attributes.
• AAA examples: Cisco Username, LDAP memberOf, Radius 4097*
• Endpoint examples: OS, FW, AV, AS, HostName
• Access/Authorization attribute examples: ACL, Bookmarks, Functions, Terminate/Continue

* DAP adds 4096 to the numerical Radius attribute ID, i.e. 4097-4096 = 1 = Access-Hours

Order of Enforcement (overwrite* processing order, from first to last):

• Dynamic Access Policy (DAP)
• User Attributes
• Group-Policy Attributes
• Connection Profile
• Default Groups

* More information: https://supportforums.cisco.com/docs/DOC-1369

Default Access Policy

• Is always the last entry
• The default action for DfltAccessPolicy is “Continue”
• As you go and add policies, you should change it to “Terminate”

Challenge

• Active Directory users are typically members of more than ONE group
• On the ASA a user can only be a member of a single group
• Dynamic Access Policies can multi-match and aggregate

(ASDM screenshots of two DAP records, each with its Source, Condition and Action panes.)

Debug DAP

  debug dap trace enabled at level 1
  ssl-lab#
  The DAP policy contains the following attributes for user: jupp
  --------------------------------------------------------------------------
  1: url-list = engineering,marketing
  2: action = continue
  3: appl-acl = DAP-web-user-74CBC80D
     rule 1: permit tcp 10.0.0.0 255.0.0.0 lt 1024 log default
     rule 2: permit tcp 144.254.0.0 255.255.0.0 lt 1024 log default
  DAP_TRACE: DAP_open: 7FFF32905670
  [TRUNCATED]
  DAP_TRACE: Username: jupp, aaa.ldap.memberOf.1 = Engineering
  DAP_TRACE: Username: jupp, aaa.ldap.memberOf.1 = Marketing
  [TRUNCATED]
  DAP_TRACE: Username: jupp, Selected DAPs: ,engineering,marketing
  DAP_TRACE: dap_process_selected_daps: selected 2 records
  DAP_TRACE: Username: jupp, dap_aggregate_attr: rec_count = 2
  DAP_TRACE: Username: jupp, dap_comma_str_fcn: [engineering] 11 128
  DAP_TRACE: Username: jupp, dap_comma_str_fcn: [engineering,marketing] 21 128
  DAP_TRACE: Username: jupp, DAP_close: 7FFF32905670

Aggregation Result

• The user has 2 bookmarks
• 2 ACEs for the user
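An added simulation (this example's own data model, not the ASA's) of the multi-match and aggregate behaviour traced in debug dap above: the two DAP records for user jupp are both selected, their url-lists and ACEs are aggregated, and DfltAccessPolicy, switched to terminate as the Default Access Policy slide recommends, is applied only when no other record matches. The records and the sessions are constructed from the trace.

```python
# Constructed sample DAP records mirroring the debug dap trace: two DAPs keyed on LDAP
# memberOf, plus DfltAccessPolicy. The record format is this example's own, not the ASA's.
DAP_RECORDS = [
    {"name": "engineering", "match": {"aaa.ldap.memberOf": "Engineering"},
     "action": "continue", "url_list": ["engineering"],
     "acl": ["permit tcp 10.0.0.0 255.0.0.0 lt 1024 log default"]},
    {"name": "marketing", "match": {"aaa.ldap.memberOf": "Marketing"},
     "action": "continue", "url_list": ["marketing"],
     "acl": ["permit tcp 144.254.0.0 255.255.0.0 lt 1024 log default"]},
    # Default policy: always last, only used when nothing else matched. The deck's advice is
    # to switch it from "continue" to "terminate" once real policies exist.
    {"name": "DfltAccessPolicy", "match": {}, "action": "terminate", "url_list": [], "acl": []},
]


def record_matches(record, session):
    """A record matches when every attribute in its match block is among the session's values
    (memberOf is multi-valued, so the session carries a list for it)."""
    for attr, wanted in record["match"].items():
        values = session.get(attr, [])
        if wanted not in (values if isinstance(values, list) else [values]):
            return False
    return True


def select_daps(records, session):
    """Multi-match: every non-default record that matches is selected; the default record
    is used only when no other record matched."""
    selected = [r for r in records
                if r["name"] != "DfltAccessPolicy" and record_matches(r, session)]
    if not selected:
        selected = [r for r in records if r["name"] == "DfltAccessPolicy"]
    return selected


def aggregate(selected):
    """Aggregate the selected records the way the trace shows: url-lists and ACEs are
    concatenated, and a single "terminate" among them terminates the session."""
    result = {"action": "continue", "url_list": [], "acl": [], "selected": []}
    for r in selected:
        result["selected"].append(r["name"])
        if r["action"] == "terminate":
            result["action"] = "terminate"
        for url_list in r["url_list"]:
            if url_list not in result["url_list"]:
                result["url_list"].append(url_list)
        result["acl"].extend(r["acl"])
    return result


def evaluate_session(session, records=DAP_RECORDS):
    """Selection followed by aggregation for one session's AAA attributes."""
    return aggregate(select_daps(records, session))


# Constructed session for user "jupp" from the trace: member of two AD groups.
JUPP = {"aaa.cisco.username": "jupp", "aaa.ldap.memberOf": ["Engineering", "Marketing"]}

if __name__ == "__main__":
    result = evaluate_session(JUPP)
    print("url-list =", ",".join(result["url_list"]))
    print("action =", result["action"])
    for i, ace in enumerate(result["acl"], 1):
        print(f"rule {i}: {ace}")
```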

VDI Access for mobiles

Citrix Mobile Receiver (new in ASA v9.0)

• This feature provides secure remote access for Citrix Receiver applications running on mobile devices to XenApp and XenDesktop VDI servers through the ASA.
• Supported mobile devices
  ‒ iPad: Citrix Receiver version 4.x or later
  ‒ iPhone/iTouch: Citrix Receiver version 4.x or later
  ‒ Android 2.x/3.x/4.0/4.1: Citrix Receiver version 2.x or later

Citrix Mobile Receiver: Implementation Details

• Only the default tunnel group is supported
• One XenApp or XenDesktop server at a time
• Requires the XML service on the XenApp and XenDesktop servers
• No support for certificates, smart cards, double authentication, internal passwords, Group-URL
• Requires a trusted identity certificate for the ASA

Citrix Mobile Receiver: Configuration (ASDM screenshot): this is your Citrix server.

First time setup (screenshots): the user adds an account, enters the FQDN of the ASA, chooses Access Gateway, then Standard Edition, and enters the username.

Every day experience (screenshots): enter the password, select your desktop (XenDesktop).

Wrap up

IPv6

• IPv6 address for endpoint and ASA
• Supported:
  ‒ Rewriter, Java plug-ins
  ‒ Smart Tunnels for IPv6 aware applications
  ‒ Web-type ACL
  ‒ Auto Sign-On
• Unsupported:
  ‒ SSH / Telnet plug-in
  ‒ Port Forwarding, Email-Proxy, Proxy-Bypass
• Internal back-end resources still use IPv4
  ‒ Netfs / CIFS / SMB / FTP
  ‒ OCSP, CRL
  ‒ DNS, AAA Servers

Summary: we have seen

• The requirements to get started
• The configuration of different groups with different policies
• How AAA/LDAP can be used to assign these policies
• The new bookmark methods
• How customization can influence the user experience

Recommended Reading for BRKSEC-2697

Call to Action

• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action
• Get hands-on experience attending one of the Walk-in Labs
• Schedule a face to face meeting with one of Cisco’s engineers at the Meet the Engineer center
• Discuss your project’s challenges at the Technical Solutions Clinics