BRKSEC-2697 - Clintless VPN

Remote Access Using Clientless VPN
BRKSEC-2697
Hkan Nohre
Consulting Systems Engineer
New in 2697
Agenda Comparison
Big Overlap
BRKSEC-2697 (Clientless) vs BRKSEC-3033 (AnyConnect)
Introduction Basic
Configuration AAA
Non Web Apps
Posture SSO Citrix
Network Design
DAP Customization Licensing
BRKSEC-2697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
The Scenario : Labrats
*
Pharmaceutical Research Conglomerate* Conglomerate
run by Rats and Cats * two or more corporations engaged in
entirely different businesses that fall
Using Corporate Devices under one corporate group
Windows, MAC, iPADs
Wikipedia definition
Embracing BYOD
Heavy use of Consultants
Key Requirements :
Security
Easy to Use
IPv6
BRKSEC-2697 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
The Scenario : Labrats
Network Design and Versions Used
Windows 7
ASA 5510
Windows 8 Resources:
(active- Web Server
MAC OS X
standby) File Server
iOS ASA 9.1(4) Citrix Xenapp
IPv4 ASDM 7.1(4)
Internet
IPv4/IPv6
Intranet
IPv6
Internet
OTP Server Active Directory

Windows 2008 R2
Agenda
Basic
Configuration AAA
Introduction
Non Web Apps
Posture SSO Citrix
Network Design
Choosing Clientless SSL VPN or AnyConnect?
Clientless SSL VPN AnyConnect
Web Browser to access

End User Experience Just like in the Office
some applications
Network ACL:
Access Control Granular at URL level
IP and TCP/UDP port
*
Installation of client SW No, uses browser. Yes, Thick Client
New versions of
Maintenance browsers, java, Once setup works fine
applications
* Features may depend on OS, browser, Java, Active-X, endpoint security settings.
Clientless SSL VPN : Key Takeaways
It is not completely Clientless
It is not easier to implement than AnyConnect
User experience will be different from in-the-office
Clientless SSL VPN still has a role to play for remote access
With ASA 5500 we can combine Clientless with AnyConnect!
Key Objective of this breakout:
What we can do with Clientless SSL VPN
Limitations
How we configure it
Helping to choose wisely: When to use clientless
Important Web Protocols and Mechanisms
HTML
Hypertext Markup Language : Defines the
structure of web page
CSS
Cascading Style Sheets : Defines the look and
feel of web page
JavaScript
Script run inside the browser Javascript is NOT the
Java Applets same as Java/Java
Java code compiled to independent machine Applets
language downloaded to client
Runs inside Java Sandbox
ActiveX
Flash
Secure Sockets Layer (SSL) Overview
A Secure Protocol developed by Netscape for secure e-commerce.
SSL2.0 released in 1994, but had flaws and was replaced by SSL 3.0.
Transport Layer Security (TLS) was published after that and continued to
evolve.
Creates a tunnel between web browser and
web server
Authenticated and encrypted (RC4, 3DES, DES, AES)
https://
Usually over port :TCP/443
Refer to RFC 2246, for TLS 1.0

Refer to RFC 4346, 2006 for TLS 1.1
Refer to RFC 5246, 2008 for TLS 1.2
The TLS Handshake
Client Server
ClientHello
Client Version, ClientNonce ServerHello,
SessionID, Ciphersuites ServerCertChain,
ServerHelloDone
Server Version, ServerNonce
ClientKeyExchange, Selected Ciphersuite, CertificateChain
(Option: CertRequest)
ChangeCipherSpec,
ClientFinished ChangeCipherSpec,
Encrypted pre_master_secret
PRF computation ServerFinished
PRF computation
Application Data Application Data
SSL Fundamentals : ASA Server Certificate
ASA certificate should be trusted by clients
Public (well-known) Certificate Authority (e.g. Verisign, Thawte)
Enterprise Certificate Authority, e.g. Microsoft Active Directory
Self-Signed (need to import certificate to all clients)
FQDN in Subject Name : roddy.labrats.se
Internet Intranet
Public
CA
Clientless SSL Fundamentals : IPv4 and IPv6
ASA can proxy between IPv4 or IPv6
management/control servers (CA, AD, RADIUS) IPv4 only
web
IPv4 fileshare
IPv4
Internet
IPv4/IPv6 DNS
Intranet
IPv6 IPv6
Internet
CA, AD, RADIUS
HTTPS Proxy to HTTP(S), CIFS and FTP
ASA proxies HTTPS to HTTP(S), CIFS or FTP
ASA publishes bookmarks (collection of links to click) to access service
http://catserver.labrats.se
https://roddy.labrats.se
intranet
internet
cifs://catserver.labrats.se
HTTP(S) Proxy and Content Transformation Engine
ASA Content Transformation Engine Rewrites HTML, Javascript, Flash, CSS...
Required, since internal names and IP addresses are not visible on the outside
Original HTML on Server

<a href="http://catserver.labrats.se/mousetraps.html">Mousetraps - ProjectX</A>
<a href="fish.html">Research: Fish evasive techniques in Aquarium</a>
https://roddy.labrats.se http://catserver.labrats.se
internet intranet
HTTP(S) Proxy and Content Transformation Engine
ASA Content Transformation Engine Rewrites HTML, Javascript, Flash, SVG, CSS...
Required, since internal names and IP addresses are not visible on outside
Modified HTML Rendered to Client

<a href="https://roddy.labrats.se/+CSCO+0E..6++/mousetraps.html" >Mousetraps - ProjectX</a>
<a href="-CSCO-3h--fish.html" >Research: Fish evasive techniques in Aquarium</a>
https://roddy.labrats.se http://catserver.labrats.se
internet intranet
Agenda
Introduction
AAA
Basic
Configuration
Non Web Apps
Posture SSO
Citrix
Network Design
How to configure Clientless SSL VPN
Command Line Interface
Not really feasible : a lot of configuration in
XML files
ASDM
Easiest Option, used in this breakout
Cisco Security Manager
For configuring many ASAs
but does not support 100% of features
We could use the Wizard but Man or Mouse?
Use
Wizard!
Step-by-Step Wizard that

configures Clientless SSL
VPN
Fundamental Settings : ASA DNS Client
ASA needs to resolve DNS
It is a Proxy!
(not configured by Wizard) DNS server IP
v4 or v6
Default Domain
Enable DNS
ASA needs a certificate
Certificate should be trusted

by clients to avoid warnings
and errors
Import cert + keys in
PKCS#12
or
Create CSR (Certificate
Signing Request), then
installed signed cert from CA
Enable Clientless SSL VPN on Interface
Specify Certificate
Allow Clientless SSL
on interface
Connection Profiles Group Policy

- authorization
- Specifies how to authenticate (and more)
Group Policy
Group Policy
The Group Policy defines Authorization, what the client can do, when and how
Bookmark List, Allowing URL Entry, Timeouts, Look-and-feel etc.
DfltGrpPolicy defines default Policy, that can be overridden by more specific
Policy
Bookmark List
List of URLs to publish to the end user
Bookmark List User Experience
Web ACLs
URL based ACL
Can be assigned per Group Policy (or DAP, covered later)
Limits user to certain path on specific servers
Group Policy
- cats
WebACL permitting http://webserver.labrats.se/cats/*
CLIENTLESS SSL VPN
USER EXPERIENCE
Agenda
Introduction Basic
Configuration AAA
Non Web Apps
Posture SSO
Citrix
Network Design
Authentication and Authorization by RADIUS
User can be authenticated and authorized by RADIUS.
RADIUS attribute IETF 25 (Class) is used to assign the group policy.
AAA Server Group

Connection Profile RADIUS
"SMS"
Default
Group Group Policy Group Policy
Policy Rats Cats
Authentication by RADIUS Authorization by LDAP
User authenticated by RADIUS (typically strong authentication, OTP)
Username used for LDAP lookup
LDAP attributes are mapped to a Group Policy AAA Server Group
RADIUS
Connection Profile
"SMS"
AAA Server Group
LDAP
LDAP
map
Default
Group Group Policy Group Policy
Policy Rats Cats
Connection Profile defines how to Authenticate
Connection
Profile
Alias : Shown as drop-
down selection to user
AAA, Cert or Both?
AAA server group
AAA Server Group

RADIUS
Group-Policy used
unless overwritten by
BRKSEC-2697 2014 Cisco and/or its affiliates. All rights reserved.
Authorization Server
Cisco Public 32
Connection
Connection Profile defines how to Authorize Profile
Possible to define different AAA server group for authorization (if not specified,
the same group is used for authentication and authorization).
AAA server group

used for Authorization
AAA Server Group

AD_SamAccount (LDAP)
User Selection of Connection Profile
Alias for drop-down at

login page
URL to land on this

connection profile
User Selection of Connection Profile (2)
Drop-Down list allows

user to select login
method (Connection Profile)
AAA Server Group AAA Server Group
LDAP RADIUS
AAA Server Groups
Using the same authentication protocol and characteristics
Same Protocol but

different Groups if
different characteristics
Several Servers in
a Group for
redundancy
RADIUS Server Definition
Double check port

numbers on RADIUS
server
Shared Secret must
match with RADIUS
server
LDAP Server Definition (Active Directory)
LDAP over SSL
Domain is labrats.se
Attribute for user lookup
Map LDAP attributes to ASA ASA Credentials

attributes (to be covered)
A Good LDAP Browser is Useful
To learn LDAP structure, and for troubleshooting : http://www.softerra.com
memberOf
CN=ITsupport,CN=Users,DC=labrats,DC=se
CN=Cats,CN=Users,DC=labrats,DC=se
sAMAccountName=scratchy
Using Active Directory memberOf
A user in Active Directory can be a member of many groups
But can only belong one Group Policy in ASA
A group may be a member of another group in AD
ASA will not do recursive lookup
Mammals
Rats Cats ITsupport
Mapping memberOf to Group Policy
Map memberOf to ASA Group Policy with an LDAP attribute map
Beware: First match will apply (many memberOf one Group Policy)
Warning
Beware: No support for lookup of nested groups (group in group)
DAP (covered later) allows for more flexibility in handling "many memberOf"
LDAP
map
CN=Rats,CN=Users,DC=labrats,DC=se : RatsBYOD
CN=Cats,CN=Users,DC=labrats,DC=se : CatsBYOD
Troubleshooting AAA server
Test that AAA server works
Troubleshooting AAA
Checking that the right Group Policy has been assigned
LOGIN WITH OTP
USER MAPPED TO GROUP POLICY
Agenda
Introduction Basic AAA

Configuration
Non Web Apps
Posture SSO
Citrix
Network Design
Smart Tunnel
Downloads a Java (or Active-X) component that relays/tunnels application over
https session
Works for Windows and MAC (x86 and 64 bit)
Works for TCP based applications (example : Remote Desktop)
Does not require administrative privileges on client
SSL
ASA
internet labrats
Configuring Smart Tunnels
Process
Group Policy
Name
Plugins Deliver the Application from ASA
Plugins are java apps downloaded from ASA to end system
Remote Desktop, VNC, SSH/Telnet, TN3270. and Citrix Receiver
Downloaded Application tunneled over SSL connection to server
Windows and MAC OS
SSL
ASA
internet labrats
Download plugins from CCO
the most difficult step. Where do I find them?
Uploading Plugins
Configuring URLs for Plugins
URL Single Sign On Domain

rdp://ratbert.labrats.se csco_sso=1 domain=labrats.se
The Java Problem
Plugins and Smarttunnels require
Java
Java Runtime Environment needs to
be enabled on the client
Not installed by default OS installation
Java has a recent history of
serious security issues
Many Enterprises disable Java
Apple, Mozilla etc. have also
disabled Java
No guarantee that Java will work http://www.theregister.co.uk/2013/12/10/fire
on unmanaged remote clients fox_26_blocks_java/
Tomorrow Starts Here : HTML5 and WebSockets
Widely supported in different OS and Browsers
Full-duplex and asynchronous communication between client and server
Ideal for very dynamic user interface experience, like games and VDI
GET /path
200 OK
GET /path
Upgrade:websocket
101 Switching Protocols
Data
Websocket
ASA Support for WebSockets New in
9.1.4
ASA works as a proxy for websockets

Need Websocket Server on inside
No changes to CLI or ASDM
WebSocket Server communicates with end application
No change in ASA configuration
Configured as normal http(s) bookmark
SSL HTTP(S)
ASA
internet labrats
WebSocket
Application
Server
RDP JAVA PLUGIN
HTML5 WEBSOCKETS
Agenda
Basic
Introduction Configuration AAA
Non Web Apps
Posture SSO
Citrix
Network Design
Citrix Integration
Citrix provides application and desktop virtualization with XenApp and XenDesktop
Both use the ICA protocol that transfers keyboard/mouse events and screen
update between a client receiver and the XenApp/XenDesktop servers
Many possible ways to integrate Cisco Remote Access with ASA and Citrix
Cisco AnyConnect tunneling Citrix receiver to the Citrix Servers
Cisco ASA as a proxy between Citrix mobile receivers and XenApp/XenDesktop
Citrix Plugin
Citrix Mobile Receiver
This feature provides secure remote access for Citrix Receiver applications
running on mobile devices to XenApp and XenDesktop
ASA acts as proxy for ICA protocol
Supported Mobile Devices
iPad Citrix Receiver version 4.x or later
iPhone/iTouch Citrix Receiver version 4.x or later
Android 2.x/3.x/4.0/4.1 Citrix Receiver version 2.x or later
Citrix
ASA Xenapp
Citrix
XenDesktop
Citrix Mobile Receiver Implementation Details
Fixed in
Only default connection profile is supported 9.1.4
One XenApp or XenDesktop server at a time

Requires XML service on XenApp and XenDesktop servers
Requires trusted identity certificate for ASA
No support for
Client Certificates, Smart Cards, Double Authentication, Internal passwords
Citrix Mobile Receiver ASA configuration
Citrix Receiver Client Configuration
User adds an account
Citrix Receiver Client Configuration: ASA FQDN
FQDN of ASA
Citrix Receiver Client Configuration (3)
Choose Access Gateway
Choose Standard Edition
Enter Username
Connecting to ASA with Citrix Mobile Receiver
Enter Password
Every day experience
Select your Desktop
Every day experience (XenDesktop)
Agenda

Configuration
Non Web Apps
Posture
Citrix
SSO
Network Design
Single-Sign-On to Internal Applications
Auto Sign-On
Leverages Username/Password entered by user to authenticate against ASA
Kerberos Constrained Delegation
Leverages Kerberos but only works for Kerberized Applications
Also works if no static password given (e.g. client certificates, RSA OTP)
External SSO Servers (SAML 1.1 only)
Auto Sign-On: Known Protocols
Many applications, including Microsoft IIS, Microsoft Remote Desktop, can
leverage protocol (HTTP, RDP, SSH) built-in authentication methods:
Remote Desktop Logon

Web Server configured for
authentication. Sends HTTP
401 Unauthorized back to
client initiating login
Configuring Auto Sign-On for Known Protocols
For http:// and cifs:// specify
the network/prefix and
authentication type in Group
Policy
For plugins, append parameter

csco_sso=1 to URL
73
(for windows domain also add domain)
Auto Sign-On : HTML Form Based Authentication
Many custom Web Applications use
their own HTML authentication forms to
authenticate user.
<form>
First name: <input type="text" name=uname"><br>
Last name: <input type=password" name=passwd">
</form>
ASA must know (or be configured with)

the names of the input fields
ASA has templates for common
applications
ASA can discover input fields for other
applications
Configuring Auto Sign-On : Form based Authentication
Predefined Templates for

Microsoft OWA, Sharepoint,
Citrix XenApp/XenDesktop,
Lotus Domino
Auto Submit uses capture

function to learn the input
fields
Configuring Auto Sign-On: Form based Authentication
Change for
CSCO_WEBVPN_INTERNAL_PASSWORD
If necessary
Kerberos Constrained Delegation - KCD
Allows for SSO when ASA has no access to the users AD password
Client certificates
OTP systems that does not prompt for AD password
Require support by application (i.e Microsoft IIS)
ASA gets Kerberos

Session Ticket on Application must
behalf of user support Kerberos
ASA is member of
Domain with
permissions for
KCD
Agenda
Introduction Basic
Configuration AAA
Non Web Apps
SSO
Citrix
Posture
Network Design
Posture : Do the Clients Meet Requirements?
Possible to check that client meets Posture Requirements : OS, Anti-Virus,
Personal Firewall, Registry Keys, Open Ports etc
Used in combination with Dynamic Access Policies (DAP) to grant access to
clients depending on their posture status
Depends on working Java on the Client
Microsoft Firewall ON,
but No Antivirus...
and he is a RAT!!!!!
VPN Connection
Internet
Agenda
Introduction Basic
Configuration AAA
Non Web Apps
Posture SSO
Citrix
Network Design
Customization Licensing
DAP
Dynamic Access Policies (DAP) : Granular Access
Control
DAP allows granular access to resources based on authentication method,
AAA parameters and Posture
Very flexible, allowing policies set by Data Owners access to Data :
"to access my data you must be member of AD groups Cats and ProjectX, you must
be logged in with strong authentication and you must have Antivirus on a corporate
machine"
Microsoft Firewall ON, Antivirus
ON,
memberOf Cats AND projectX
PERMIT
Internet
DENY
How DAP relates to AAA
AAA Server Group SMS
(RADIUS)
Connection AAA Server Group

AD (LDAP)
Profile SMS
Posture: .....
LDAP
map
Default
Group Policy Group Policy memberOf
Group
Cats Rats Cats
Policy
memberOf
DAP-1 DAP-2
+
Dynamic Access Policies
DAP-N ProjectX
override certain attributes from Group Policy

depending on AAA, Posture, Connection Profile...
Configuring DAP
and Policy is
If member of Cats and Corporate Windows
ProjectX Registry Key is
logged on with OTP Antivirus Updated...
Bookmarklist and
WebACL
Default DAP (DfltAccessPolicy)
Condition Bookmark + WebACL

If no DAP matches
ITSupport w clean PC RDP to WebServers then
DfltAccessPolicy
Cats+ProjectX w clean PC ProjectX WebSite Applies
Rats Rats WebSite
DfltAccessPolicy Action=
Terminate
DAP Grows On You! (DAP accumulates)
Condition Bookmark + WebACL

Matching
ITSupport w clean PC RDP to Webservers Several conditions
Accumulates
Cats+Project X w clean PC ProjectX WebSite Access Rights
Rats Rats WebSite
RDP to everything
Rats Website
The Power of DAP
Very flexible mapping to multiple "memberOf"
Example : 4 groups in Directory A B C D
n
A user may be a member of 0 to 4 groups : 16 combinations (2 )
A B C D A B A C A D B C B D
A B C D B C D A C D A B D A B C C D
Quiz : How many DAP policies do you need to cover the 16 combinations?
Condition (memberOf) BookmarkList WebACL

A BookmarkList-A WebACL-A
B BookmarkList-B WebACL-B
C BookmarkList-C WebACL-C
D BookmarkList-D WebACL-D
Agenda
Introduction Basic
Configuration AAA
Non Web Apps
Posture SSO
Citrix
Network Design
DAP
Licensing
Customization
Customizing the Web Portal
Login Portal, Portal and Logoff Portal can be completely customized
Images, Icons, Text, Font, Background Colors
Full Customization with HTLM and Javascript
Possible with different customizations per Connection Profile and Group Policy
Possible to include external web page in portal
Configuring Customization (1)
Specify Connection
Profiles where to apply
this customization
Specify Group Policies
where to apply this
customization
Configure Customization (2)
Agenda

Configuration
Non Web Apps
Posture SSO
Citrix
DAP Customization
Network Design
Licensing
Clientless SSL VPN Platforms and Performance
Performance more related to number of simultaneous users and transactions
per second than throughput
Figures below are maximum
Platform Max Users
ASA 5585-X (SSP20,SSP40,SSP60) 10.000
ASA5585-X (SSP10) 5.000
ASA5555-X 5.000
ASA5545-X 2.500
ASA5525-X 750
ASA5515-X, ASA5512-X 250
ASA5505 25
Cisco SSL VPN Premium Licenses
Required for Clientless SSL VPN (and AnyConnect with premium features like
hostscan, Always-On)
Eternal license (one-off purchase)
Counts simultaneously connected endpoints
Cannot be combined with AnyConnect Essentials on same ASA
Clientless SSL VPN with Failover
SSL VPN supports failover between 2 ASAs in Active-Standby
Since ASA 8.3, Licenses only required on primary
Stateful failover (sessions are synchronized)
Exceptions :Smart Tunnels, Plugins, all IPv6 Clientless, Citrix
Configuration data is synchronized
CLI, DAP, Certificates with public and private keys
internet labrats
Clientless SSL VPN with RA VPN Clustering
Cluster of up to N ASAs sharing the load
ASAs must be on same LANs
Client connects to virtual ip owned by master, redirected to least loaded member
SSL VPN Premium licenses required on all members
No synchronization of sessions or configurations
Note: This is not the

same feature as
clustering ASA in DC
internet labrats
(does not support RA
Redirect VPN)
Master
Global Deployment with Shared Licenses
Several ASA (typically active-standby) deployments around the world
License sharing through common pool of shared licenses
One ASA is license server (keep track of license pool)
Participant license ASAs only have participants license (cheap)
License
pool sharing
Participant Shared License
License Server
internet
License
Participant
License
pool sharing
Conclusion
Clientless SSL VPN offers
Very granular access control, depending on authentication, AD membership, posture
Support for many applications apart from web applications
Clientless is not always Clientless
No guarantee that all features will work on any unknown device (java, privileges etc)
Use AnyConnect (BRKSEC-3033) for more transparent in-the-office experience
Clientless SSL VPN can be a complement to AnyConnect
To access resources where granular access control is required
For specific use cases where AnyConnect Installation not desirable
Call to Action
Visit the World of Solutions:-
Cisco Campus
Walk-in Labs
Technical Solutions Clinics
Meet the Engineer
Hkan Nohre, Jeff Fanelli, Thorsten Rosendahl
Lunch Time Table Topics, held in the main Catering Hall
Recommended Reading: For reading material and further resources for this
session, please visit www.pearson-books.com/CLMilan2014
Complete Your Online Session Evaluation
Complete your online session
evaluation
Complete four session evaluations
and the overall conference evaluation
to receive your Cisco Live T-shirt
Presentation_ID 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 103

BRKSEC-2697 - Clintless VPN

Uploaded by

Copyright:

Available Formats

BRKSEC-2697 - Clintless VPN

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKSEC-2697 - Clintless VPN

Uploaded by

Copyright:

Available Formats

Remote Access Using Clientless VPN

Non Web Apps

Posture SSO Citrix

OTP Server Active Directory

Non Web Apps

Posture SSO Citrix

Web Browser to access

Refer to RFC 2246, for TLS 1.0

Application Data Application Data

Original HTML on Server

<a href="fish.html">Research: Fish evasive techniques in Aquarium</a>

Modified HTML Rendered to Client

<a href="-CSCO-3h--fish.html" >Research: Fish evasive techniques in Aquarium</a>

Step-by-Step Wizard that

Certificate should be trusted

Connection Profiles Group Policy

Bookmark List User Experience

WebACL permitting http://webserver.labrats.se/cats/*

Non Web Apps

AAA Server Group

AAA Server Group

AAA server group

AAA Server Group

Alias for drop-down at

URL to land on this

Drop-Down list allows

Same Protocol but

Double check port

LDAP over SSL

Attribute for user lookup

Map LDAP attributes to ASA ASA Credentials

Rats Cats ITsupport

Introduction Basic AAA

Non Web Apps

URL Single Sign On Domain

101 Switching Protocols

ASA works as a proxy for websockets

Non Web Apps

One XenApp or XenDesktop server at a time

User adds an account

Choose Access Gateway

Choose Standard Edition

Select your Desktop

Introduction Basic AAA

Non Web Apps

Remote Desktop Logon

For plugins, append parameter

ASA must know (or be configured with)

Predefined Templates for

Auto Submit uses capture

ASA gets Kerberos

Non Web Apps

Non Web Apps

Connection AAA Server Group

override certain attributes from Group Policy

Condition Bookmark + WebACL

Rats Rats WebSite

Condition Bookmark + WebACL

Condition (memberOf) BookmarkList WebACL

Non Web Apps