Which of these statements regarding Cisco’s WebVPN support is correct?
A.
Cisco’s WebVPN solution supports both TCP and UDP port forwarding for application support.
B.
Cisco ISR Routers with the Enhanced Security Bundles support WebVPN.
C.
Cisco security appliances act as a proxy between the end user and the target web server.
D.
Cisco PIX Security Appliances (running release 7.0) and Adaptive Security
Appliances both support WebVPN.
Explanation:
Clientless SSL VPN (WebVPN) on ASA Configuration Example: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtmlA remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported.
Clientless SSL VPN (WebVPN) allows for limited but valuable secure access to the corporate network from any location. Users can achieve secure browser-based access to corporate resources at anytime.
Clientless SSL VPN enables secure access to these resources on the corporate LAN:
-OWA/Exchange
-HTTP and HTTPS to internal web servers
-Windows file access and browsing
-Citrix Servers with the Citrix thin client
The Cisco ASA adopts the role of a secure proxy for client computers which can then access pre-selected resources on the corporate LAN.
I changed my position since the last time this question appeared. I agree C is a correct answer, but that it only has meaning in the context of connecting to web servers.
“Observing WebVPN Security Precautions
WebVPN connections on the security appliance are very different from remote access IPSec connections, particularly with respect to how they interact with SSL-enabled servers, and precautions to reduce security risks.
In a WebVPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, so therefore cannot examine and validate the certificate.
The current implementation of WebVPN on the security appliance does not permit communication with sites that present expired certificates. Nor does the security appliance perform trusted CA certificate validation. Therefore, WebVPN users cannot analyze the certificate an SSL-enabled web-server presents before communicating with it.
To minimize the risks involved with SSL certificates:
1. Configure a group policy that consists of all users who need WebVPN access and enable the WebVPN feature only for that group policy.
2. Limit Internet access for WebVPN users. One way to do this is to disable URL entry. Then configure links to specific targets within the private network that you want WebVPN users to be able to access.
3. Educate users. If an SSL-enabled site is not inside the private network, users should not visit this site over a WebVPN connection. They should open a separate browser window to visit such sites, and use that browser to view the presented certificate.
” – http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/webvpn.html
0
0