Configuring CIFS file access in WebVPN


Yet another cool feature of the WebVPN is the ability for the user to browse CIFS shares.  If policy permits, users can openly browse shares and networks.  You can create URL lists which you then associate with a specific group policy.  Configuring this access is again pretty straightforward.  The prerequisites are a file server that speaks CIFS/SMB and a WINS (NetBIOS name) server that the ASA can query; the ASA uses WINS to resolve NetBIOS names when users browse the network.  On my Windows Server 2003, all that I needed to do to enable this was add the WINS component under ‘Add or Remove Programs’.  Once it was installed, the ASA was able to open CIFS shares on the server for users to access through the portal.  I will not be covering the installation of WINS; if you need assistance doing that, give it a quick Google.

Getting CIFS running on the WebVPN portal requires the following configuration steps.
-Configure shares on the server and ensure the shares have appropriate permissions
-Configure a WINS/NetBIOS server on the ASA
-Configure a DNS server on the ASA
-Configure an ‘Auto-Signon’ server on the ASA
-Configure a URL list object for the CIFS shares

Configure shares on the server and ensure the shares have appropriate permissions
Again, I’m not going to dive into this one.  Usually, I just ensure that the ‘Everyone’ group has full share permissions and that the specific group has full security (NTFS) permissions on the folder.  Keep in mind that a wide-open share permission means the NTFS ACL is the only thing restricting access, so keep that ACL tight; granting the share permission to ‘Authenticated Users’ rather than ‘Everyone’ is a safer habit.  Test it out from a domain workstation to ensure that the user you are logging into the ASA with can get to the shares locally before we try it on the ASA.

Configuring a WINS/NetBIOS server on the ASA
I’m operating under the assumption that we are using a single tunnel group with multiple group policies.  The RADIUS server is still doing the work of ensuring that, at logon, a user gets assigned the correct group policy.  Since we are using a single tunnel group, I decided to use the default WebVPN group (DefaultWEBVPNGroup).  I usually don’t recommend using the default objects, but due to the way the ASA handles tunnel group selection I’m forced to use the default group here.  Recall that if we don’t give our users the ability to select the tunnel group from a drop-down on the default WebVPN logon page, the default WebVPN group is used.  That being said, I will be configuring the WINS server under the default WebVPN tunnel group.

-Insert your relevant information between <>
-Console prompts (ASA(config)# and the like) are shown as they appear on the device

Configure a WINS Server in the default WebVPN tunnel group
ASA(config)# tunnel-group DefaultWEBVPNGroup webvpn-attributes
ASA(config-tunnel-webvpn)# nbns-server <WINS Server IP Address>
Note: There are other configuration parameters that are assumed as defaults when you configure the WINS server as done above.  Take a look at the running config after you execute these commands.  You’ll notice your configuration command now looks like this – nbns-server <WINS Server IP Address> timeout 2 retry 2.  The timeout (seconds) and retry count can be tuned on the same command line if your WINS server is slow to answer.

Configure a DNS server (DefaultDNS server group)
ASA(config)# dns server-group DefaultDNS
ASA(config-dns-server-group)# name-server <DNS Server IP>
Note: The DefaultDNS server group is global to the ASA rather than tied to a tunnel group.  If you already have a DNS server defined and you execute the above command, the DNS server you specified will be added as a secondary.  If you want to remove the old server, issue the ‘no name-server <IP address>’ command prior to specifying your new DNS server.  Also make sure DNS lookups are enabled on the interface that faces the DNS server (dns domain-lookup <interface name>); without that, the name-server entry is never used and bookmarks that reference the file server by name will fail.
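Both name services have to be reachable and answering before the portal’s CIFS browser will work, and when a bookmark fails it is rarely obvious which one is at fault.  The following pre-flight script is an added example written for this post (not Cisco tooling and not part of the original article).  Run from a workstation on the inside network, it performs the same three lookups the ASA relies on: a DNS lookup of the file server’s FQDN, a NetBIOS name query (UDP/137, RFC 1002) to the WINS server using the same 2-second timeout and 2 retries the ASA defaults to, and a TCP connect to the SMB port.  The host names and addresses in it (fileserver.corp.example.com, FILESERVER, 10.0.0.10) are placeholders.

```python
"""Pre-flight check for ASA WebVPN CIFS bookmarks: does DNS resolve the file
server, does the WINS server answer a NetBIOS name query, is SMB listening?
Hypothetical hosts: fileserver.corp.example.com / FILESERVER, WINS 10.0.0.10."""
import os
import socket
import struct

NBNS_PORT = 137
SMB_PORT = 445
NB_SUFFIX_SERVER = 0x20   # <20>: File Server Service, what a CIFS client looks up


def encode_netbios_name(name: str, suffix: int = NB_SUFFIX_SERVER) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad to 15 chars, append the suffix
    byte, split each byte into nibbles mapped onto 'A'..'P'.  Returns the
    34-byte wire form: length 0x20, 32 encoded chars, 0x00 root label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def build_nbns_query(name: str, txid: int, suffix: int = NB_SUFFIX_SERVER) -> bytes:
    """NBNS NAME QUERY REQUEST (RFC 1002 4.2.12) for unicast to a WINS server:
    opcode 0, RD set, B (broadcast) clear, one question of type NB, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_netbios_name(name, suffix) + struct.pack(">HH", 0x0020, 0x0001)
    return header + question


def _skip_name(data: bytes, off: int) -> int:
    """Step over an RR name: a 2-byte compression pointer or the 34-byte form."""
    return off + 2 if (data[off] & 0xC0) == 0xC0 else off + 34


def parse_nbns_response(data: bytes, txid: int) -> list[str]:
    """IPs carried in a POSITIVE NAME QUERY RESPONSE; [] for a negative one
    (RCODE 3 means the name is not registered in WINS)."""
    if len(data) < 12:
        raise ValueError("short NBNS packet")
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    if (flags & 0x000F) != 0 or ancount == 0:
        return []
    off = 12
    for _ in range(qdcount):             # echoed questions, if any
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)           # answer RR name
    rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != 0x0020 or rclass != 0x0001:
        raise ValueError("unexpected RR type/class")
    ips = []
    for i in range(rdlen // 6):           # RDATA = n x (NB_FLAGS(2) + IPv4(4))
        _nbflags, a, b, c, d = struct.unpack_from(">HBBBB", data, off + 6 * i)
        ips.append(f"{a}.{b}.{c}.{d}")
    return ips


def query_wins(wins_ip: str, name: str, timeout: float = 2.0, retries: int = 2) -> list[str]:
    """Send the query and wait, mirroring the ASA defaults 'timeout 2 retry 2'."""
    txid = int.from_bytes(os.urandom(2), "big")
    packet = build_nbns_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(packet, (wins_ip, NBNS_PORT))
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                continue
            return parse_nbns_response(data, txid)
    raise TimeoutError(f"no NBNS answer from {wins_ip}")


def preflight(fqdn: str, netbios_name: str, wins_ip: str) -> dict:
    """Run the three checks the ASA depends on and report each outcome."""
    result = {}
    try:
        result["dns"] = socket.gethostbyname(fqdn)
    except socket.gaierror as e:
        result["dns"] = f"FAILED: {e}"
    try:
        result["wins"] = query_wins(wins_ip, netbios_name) or "FAILED: name not registered"
    except (TimeoutError, ValueError) as e:
        result["wins"] = f"FAILED: {e}"
    if not result["dns"].startswith("FAILED"):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(2.0)
            ok = sock.connect_ex((result["dns"], SMB_PORT)) == 0
            result["smb"] = "open" if ok else "closed/filtered"
    return result


if __name__ == "__main__":
    import sys
    args = sys.argv[1:4] if len(sys.argv) == 4 else ["fileserver.corp.example.com", "FILESERVER", "10.0.0.10"]
    for check, outcome in preflight(*args).items():
        print(f"{check:5} {outcome}")
```

Usage: python3 cifs_preflight.py fileserver.corp.example.com FILESERVER 10.0.0.10.  A “FAILED: name not registered” result from the WINS check with a working DNS result is the classic symptom of a file server that never registered with WINS; the portal bookmark by FQDN may still work, but network browsing will not.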

Configure an Auto-Signon server
This isn’t a required step; however, if you don’t specify your file server as an auto-signon server, your users will have to log on a second time when they try to open a CIFS share.  Auto-signon servers are specified on a per-group-policy basis, so it makes good sense to define them within the default group policy and allow the other policies to inherit the setting.  Keep in mind what auto-signon does: the ASA replays the credentials the user typed at the portal to whatever servers match the rule, so scope the rule to the specific file server (a host mask) rather than a whole subnet, and only list servers you trust with those credentials.  Word of warning here: the default group policy (DfltGrpPolicy) does not show up in the normal running config; use ‘show running-config all group-policy’ to see it together with every default it carries.  If you weren’t aware of this, you could spend a lot of time trying to find where all of your settings are going!  We will configure this setting in the default group policy and our other policies will inherit it by default.

Assign an auto-signon server to the default group policy
ASA(config)# group-policy DfltGrpPolicy attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# auto-signon allow ip <IP of the server> <mask, e.g. 255.255.255.255 for a single host> auth-type ntlm

Configure a URL list for portal page
Unfortunately, this is another item that you can’t configure via the CLI.  The URL list object can be imported, exported, and reverted in the same manner that customization objects can be.  The commands to do so are listed below.

Export WebVPN URL-Lists
export webvpn url-list <Name of URL list to be exported> <Destination URL-List name>
Notes: If you enter this command with a bare destination name, the list is written to flash under that name.  If you’d prefer to send it straight to a TFTP server in one step, insert ‘tftp://<tftp server name>/’ before the destination URL-List name.

Import WebVPN URL-Lists
import webvpn url-list <URL-List name> <source URL-List name>
Notes: If you enter this command with a bare source name, it will look in flash for the file you specify.  If you’d prefer to pull it from a TFTP server in one step, insert ‘tftp://<tftp server name>/’ before the path to the source URL-List name.

Delete WebVPN URL-Lists
revert webvpn url-list <Name of URL list to be deleted>

Beyond importing, exporting, and deleting the URL-Lists via the CLI, you’ll need to do the rest from the ASDM.  To configure the URL-Lists in the ASDM, open the configuration tab of the ASDM, expand ‘Clientless SSL VPN Access’, expand ‘Portal’, and select ‘Bookmarks’. 

As with customizations, there will be a ‘Template’ file by default.  Let’s walk through how to add a bookmark (URL-List).  The list, as its name implies, is a list of different bookmarks.  The bookmarks can be for a variety of things: CIFS, HTTP, FTP, RDP, VNC, SSH, Telnet, etc.  For now, we will just be talking about CIFS bookmarks.  Click the ‘Add’ button at the top of the window.  The ‘Add Bookmark List’ window will appear.

Give the URL list a name and then press the ‘Add’ button on the right-hand side of the screen.

This window allows us to define the actual name of the bookmark as well as the location path.  This list is going to be for our marketing group, so we’ll define a bookmark for their share on the file server.  Note that here we are using the DNS domain name of the server, so make sure DNS is working properly: if the ASA can’t resolve the file server name, this won’t work at all.  Enter the bookmark’s name in the ‘Bookmark Title’ text box, select ‘cifs’ from the URL drop-down and then complete the path in the URL text box (for example, cifs://<file server FQDN>/<share name>).  If we wanted to, we could give the URL a subtitle that would be displayed beneath the bookmark title on the portal page.  Additionally, if we wanted an icon to appear next to the bookmark, we could select it from the ‘Thumbnail’ drop-down.  The drop-down will display any available objects that have been uploaded to web content on the appliance.  Press OK to finish adding the bookmark, and then OK again on the ‘Add Bookmark List’ window to finish adding the list.  Make sure to hit ‘Apply’ at the bottom of the ASDM window once you are done configuring the list.

Alright, now that we have the URL-list defined let’s add it to our group policy.

Define a URL-List for a Group Policy
ASA(config)# group-policy <Group Policy Name> attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# url-list value <URL List Name>

That was the last step, now let’s try it out to see if it works.  Go ahead and login to the portal.  When I login to my marketing user on the main portal screen, I see the bookmark shown below.

When I click on the ‘Marketing Share’ link, it opens the web-based network browser.  You’ll notice that our bookmark path is displayed in the address bar and I can see all of the files that are in the marketing share on the server.

I’m not going to go through what all of the icons at the top of the screen do, but I will point out one.  The 9th icon from the left is called ‘Web Folder’.  When you click that icon, it opens a Windows Explorer window for the current directory you are in.  Once it’s open, you can do any and all of the normal file actions that you could do as if you were browsing a mapped network drive.  I will also note that AD/NTFS file and folder permissions are still enforced when you browse the shares through the ASA portal: the ASA accesses the share with the user’s own credentials, so the portal does not grant anyone more than they would get from a domain workstation.

Play around with some of the other icons and options in the CIFS viewer.  It’s a pretty cool system and, since it’s very straightforward, it can be easy for remote users to understand.
