Customizing WebVPN

      No Comments on Customizing WebVPN

Now that we have a good understanding of how tunnel groups and group policies are part of the configuration we can add in customizations.  Customizations allow you to create different WebVPN experiences for different groups of users.  For example, I can have a portal page for my marketing group that is completely different than the portal page for my sales group.  I can even have different access URL’s for the portal pages.  Marketing could be or I could have a drop-down box on the main portal log-on that has a list of aliases for each group so that the user can select which one they want to use.  During this post we will walk through creating new customizations, assigning aliases, and assigning group URLs.

-Insert your relevant information between <>
-Console prompts are show in green
-Text in blue are variable names I made up, feel free to change them

Customization files
At the base of the customization are the template customization objects.  Basically all of your customizations are stored and written to a XML file that the ASA keeps stored separately from most of the other flash files (startup-config, SVC packages, ASA Code, ASDM Code, etc..).  In fact, the customization files don’t even appear when you look at the contents of Disk0.  When you start with a brand new ASA and you look in the ASDM underneath Portal and Customization you will see two files.  One called Template and one called DfltCustomization.  Template is a file that the customization uses.  You cant edit, delete or import it.  DfltCustomization can be exported and imported.  However since they aren’t part of the flash files you need to use special commands to import and export them.  The commands to export, import, and revert (delete) are listed below.

Export Customization File
ASA(config)# export webvpn customization <customization template name> <destination template file name>
Notes: If you simply enter this command, the template will be exported to flash where it can be TFTP’d off.  If you’d prefer to do it all in one step insert ‘tftp://<tftp server name>/’ before the destination file name. 

Import Customization File
ASA(config)# import webvpn customization <customization template name> <source template file name>
Notes: Same concept here.  The import will check flash for the template name you specify.  If you want to pull it from TFTP all in the same step insert the tftp URL path prior to the source template file name. 

Delete Customization File
ASA(config)# revert webvpn customization <customization template name>

Create a new Customization File
Notes: This is a two step process.  There isn’t a command to create a new customization file so you have to export the DfltCustomization and then re-import it with a new name.
ASA(config)# export webvpn customization DfltCustomization BaseCustomization
ASA(config)# import webvpn customization <New Customization template name> BaseCustomization

Here is some advice.  Don’t modify the DfltCustomization customization.  The problem is that when you add a new customization it copies all of the properties/settings from the DfltCustomization into the one you just made.  So if you edit the DfltCustomization there isn’t any way, that I am aware of, to revert back to the original customization.  You cant revert the DfltCustomization either.  I made this mistake when I started playing around with customizations.  Seeing as these files aren’t stored in flash I don’t think (I’m not positive here) a ‘write erase’ will get you your original customization back.  To fix it, I exported the DfltCustomization off of another ASA and import back into mine.  After I re-imported the customization, things were back to normal. 

Before we dive into modifying the customization objects now would be an appropriate time to discuss ’Web Content’.  Part of modifying the customizations will involve us inserting our own images into the log-on and portal pages.  Before we can add images to the aforementioned pages we need to upload them to the ASA.  To do that, we need to upload them as web content.  Web content comes in two forms, authenticated and unauthenticated.  For example, if you want to upload a logo and use it on the log-on page it needs to be uploaded to the ASA as unauthenticated.  If you have a logo that you only want people to be able to see once they log-on then you should upload it as authenticated web content.  Authenticated content gets uploaded to /+CSCOE+/ and unauthenticated content gets uploaded to /+CSCOU+/.   The below code shows how to import, export, and remove web content

Import Unauthenticated Web Content
ASA(config)# import webvpn webcontent /+CSCOU+/<image name> <import location (tftp)>
Notes: An example of the command is given here.
import webvpn webcontent /+CSCOU+/MarketingLogo.gif tftp://

Import Authenticated Web Content
ASA(config)# import webvpn webcontent /+CSCOE+/<image name> <import location (tftp)>
Notes: An example of the command is given here.
import webvpn webcontent /+CSCOE+/MarketingLogo.gif tftp://

ExportWeb Content
ASA(config)# export webvpn webcontent </+CSCOU+/ or /+CSCOE+/>/<image name> <export location(tftp)> Notes: An example of the command is given here.
export webvpn webcontent /+CSCOU+/MarketingLogo.gif tftp://

Remove Web Content
ASA(config)# revert webvpn webcontent </+CSCOU+/ or /+CSCOE+/>/<image name>
Notes: An example of the command is given here.
revert webvpn webcontent /+CSCOU+/MarketingLogo.gif

Once we create a customization and uploaded some images as web content we can begin to edit our customizations.  Customizations allow you to customize the login, portal, and log-off pages.  Unfortunately, we can’t do this through the CLI.  The only way to edit the customization is through the ASDM.  To edit a customization open the ASDM, select configuration, expand clientless SSL VPN on the left hand side, expand Portal, and selection Customization.  Once you select customization, on the right hand side of the screen you should see all of your customizations.  In the example below I have created two additional customization objects.  One for Marketing and another for Sales. 

To edit the customization simply select it on the right hand side of the screen and select the ‘Edit’ buttonimage

When you click ‘edit’ a new browser window will open that provides the editing interface for the customization.  You may or may not get a certificate warning when the page loads.  If you do just continue through the warning.  Once the page loads you should see something very similar to what is shown below. image

I’m not going to go through every menu and explain each customization, as I feel for the most part it’s pretty straightforward.  Play around with different settings just make sure that you save your changes.  I’m paranoid, so after every change I make I click the ‘Save’ button which is located in the upper right-hand corner of the screen.  The other neat feature is ‘Preview’ which allows you to see what your new customization will look like without having to actually hit the ASA’s outside interface and logon.  Let’s walk through an example of changing the image on the Logon and Portal pages.  Select ‘Logon Page’ and then ‘Title Page’ from the left-hand side of the screen.  You should see options similar to the ones displayed below.  I like how the customization editor tells you in several places which profile you are editing.  If you are working on many different customization files it can become a problem to remember which is currently loaded in the editor.  Click the drop-down arrow on the ‘Logo URL’ text box.   You should see any web content that you had previously uploaded.  Since this is the Marketing customization we will select the Marketing logo for the logon page.  Select the logo and the press ‘Save’ in the upper right-hand corner of the screen.  Since we want the user to still see the logo once they log-on select ‘Portal’ and ‘Title Page’ from the left side bar.  Change the logo to the marketing logo as you did on the ‘Logon Page’ settings.  Press ‘Save’ in the upper right-hand corner and then close the IE window.image

After I closed the window I opened the Sales customization for editing and changed the ‘Logo URL’ on both the Logon and Portal pages to the SalesLogo.gif using the same steps as described above.  Now that we have two distinct customizations we can assign aliases and group URLs to them. 

Aliases and Group URL
An alias is really just another name for a tunnel group.  There are three different ways to select a tunnel group on connection.  You can use the group URL, alias, or certificate maps (we aren’t going to talk about these at the moment).  Aliases can be selected from a drop down menu on the main logon page.  Group URLs are actual different URLs that the user browses to in order to reach a particular tunnel group.  Adding an alias and/or a group URL is relatively straight forward.  If you’re confused as to how all of this connects, think of it this way.  A tunnel group is connection path that can have a customization, alias, and group URL associated with it.  I think once we walk through the commands the ‘big picture’ will become clearer.  For the sake of clarification I’ll show the command for creating the tunnel group as well.  In the notes section of each command reference I will include the actual commands I execute for creating the tunnel group, alias, and group URL for our marketing group example.  And to wrap it all up, we assign our specific customization to the tunnel group.

Create a tunnel group
ASA(config)# tunnel-group <tunnel group name> type remote-access
CiscoASA(config)# tunnel-group TG_Marketing type remote-access

Set the alias for the tunnel group
ASA(config)# tunnel-group <tunnel group name> webvpn-attributes 
ASA(config-tunnel-webvpn)# group-alias <alias name> enable
ASA(config)# tunnel-group TG_Marketing webvpn-attributes 
ASA(config-tunnel-webvpn)# group-alias MarketingGroup enable

Set the Group URL for the tunnel group
ASA(config)# tunnel-group <tunnel group name> webvpn-attributes 
ASA(config-tunnel-webvpn)# group-url https://<External DNS record to ASA>/<User specified URL> enable
ASA(config)# tunnel-group TG_Marketing webvpn-attributes 
ASA(config-tunnel-webvpn)# group-url

Assign a customization to the the tunnel group
ASA(config)# tunnel-group <tunnel group name> webvpn-attributes 
ASA(config-tunnel-webvpn)# customization <customization name>
ASA(config)# tunnel-group TG_Marketing webvpn-attributes 
ASA(config-tunnel-webvpn)# customization Marketing

There is one last piece of information we need to configure in order to allow the users to select which alias to log into.  To do this we enable the tunnel group list.  You might already have done this if you followed my previous post on configuring SSL VPN.

Enable the tunnel group list
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable

Now that we have all of this configured, let’s test it out!  Get on a external connection and hit the outside IP of your ASA on SSL (https).  If you ran the configuration described above for both the Sales and the Marketing group you should be greeted with the log-on page for our marketing group.  The log-on page has to pick one of the aliases to display by default and it does this alphabetically.  If all went to plan you should see the logo you uploaded in the upper left hand corner (Mine is sort of weak).  If you select the drop down for ‘Group’ and select the Sales tunnel group the logo should change to the Sales logo you uploaded.  image


Before we log-on and ensure that our logos are on the portal page as well, let’s test out our group URLs.  Browse to the URL’s you defined for each tunnel group and see what you get.  When I browsed to https://<External IP Address>/Marketing I got the log-on page for the Marketing group.  Note, I no longer have the option to select a group.  When you use group URLs its expected that the URL you browse to is the one you wish to log-on to.image

Now when I browse to https://<External IP Address>/Sales I get…..image

Note: The URLs you define are case sensitive!  If I defined the URL to use ‘Sales’ and I try to browse to ‘Sales’ I get the following error in my web browser.  This is a likely issue to come up at some point or another.  Just keep it in mind if you start getting users that can’t get to the log-on page. 

Now that we know that our alias and group URL definitions work, try logging into the portal.  With any luck you should get the correct logo on the top of the portal page for the tunnel group you are logging into.  In the next few posts we are going to talk about adding SSL based applications to the portal as well as different AAA methods to use for WebVPN. 

Leave a Reply

Your email address will not be published. Required fields are marked *