At this point we have a hardened and customizable WebVPN portal for our users. In this post we'll add client-server plug-ins and bookmarks to those customizations. In my last post we saw how easy it was to add a CIFS share to the portal so users can reach their file shares. The ability to browse CIFS shares is actually provided by a default client-server plug-in called "Browse Networks"; if you disable that plug-in on the portal page, users will be unable to browse to CIFS shares. Beyond that one there are a few more that are pretty handy, including plug-ins for RDP (Remote Desktop Protocol), Telnet, and SSH. There are others we won't configure in this walkthrough; I believe there is one for Citrix and a couple for other vendors. Check with your Cisco support team for a complete list.
Note: These plug-ins don't usually ship on the ASA or on its included software support CD; you will most likely need to download them from Cisco under your current support contract. If you have an older copy of any of these plug-ins, I suggest you contact Cisco and get the newest ones, since there have been some significant changes and fixes to several of them. On that note, if you tried any of these in the past and were disappointed, try the new versions.
I'm going to be working with the following client-server plug-ins, which we will upload to the ASA:
RDP – rdp-plugin.080506.jar
SSH/Telnet – ssh-plugin.080430.jar
VNC – vnc-plugin.080130.jar
There's an RDP2 plug-in which the documentation says is for Vista and Server 2008 connections. I've used the standard RDP plug-in for both, so I'm not going to discuss RDP2 in this post. I've placed all three of these plug-ins in a separate folder on my TFTP server called 'CSPlugin'; the commands shown below reference that location. Portal plug-ins, much like all the other WebVPN files we have discussed, are hidden from normal view on the ASA file system, so we need our friendly import, export, and revert commands, which we have used previously, to do any plug-in file manipulation.
Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue is a variable name I made up; feel free to change it
Import WebVPN Plug-ins
ASA# import webvpn plug-in protocol <Protocol Type> tftp://<TFTP Server IP>/CSPlugin/<Plug-in name>
Notes: The <Protocol Type> field in the above command depends on the plug-in you are importing. The three types we are working with are:
rdp
ssh,telnet
vnc
Please note you HAVE to use the exact protocol type for the plug-in you are importing. If you try a protocol type of rdp5 when importing the RDP plug-in, you'll get an error like this one:
%ERROR: Wrong protocol rdp5. Please use: import webvpn plug-in protocol rdp
Export WebVPN Plug-ins
ASA# export webvpn plug-in protocol <Protocol Type> tftp://<TFTP Server IP>/<Plug-in name>
Notes: Specify a file name with your export; otherwise you'll get some oddly named files showing up in your TFTP folder.
Delete WebVPN Plug-ins
ASA# revert webvpn plug-in protocol <Protocol Type>
Notes: Since only one plug-in can be loaded per protocol type, you simply specify the protocol type you wish to delete.
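Here is the whole sequence end to end, as an added example that is not from the original post: importing the three plug-ins, the rejection of a wrong protocol type, verifying what is installed, keeping a backup copy, handing a bookmark list with the new prefixes to one group policy, and removing a plug-in again. The TFTP server address (10.1.1.5), the host names, and the Marketing group-policy and customization names are assumptions; the three jar names are the ones listed above. The bookmark XML field names follow the url-list format used for the CIFS bookmark in the earlier post and are given here from memory, so check them against a list you export from your own ASA.

```text
! Added example, not from the original post. 10.1.1.5, host names and the
! Marketing group-policy/customization are assumed values.

! 1. Import one plug-in per protocol type; the type must match the jar.
ASA# import webvpn plug-in protocol rdp tftp://10.1.1.5/CSPlugin/rdp-plugin.080506.jar
ASA# import webvpn plug-in protocol ssh,telnet tftp://10.1.1.5/CSPlugin/ssh-plugin.080430.jar
ASA# import webvpn plug-in protocol vnc tftp://10.1.1.5/CSPlugin/vnc-plugin.080130.jar

! A mismatched type is rejected:
ASA# import webvpn plug-in protocol rdp5 tftp://10.1.1.5/CSPlugin/rdp-plugin.080506.jar
%ERROR: Wrong protocol rdp5. Please use: import webvpn plug-in protocol rdp

! 2. Verify what is installed; the list should show rdp, ssh,telnet and vnc.
ASA# show import webvpn plug-in

! 3. Keep a copy of each installed jar off-box (always name the file).
ASA# export webvpn plug-in protocol rdp tftp://10.1.1.5/backup/rdp-plugin.080506.jar

! 4. Bookmarks for the plug-ins live in a url-list XML file on the TFTP
!    server. marketing-bookmarks.xml, constructed for this example, holds:
!    <url-list>
!      <bookmark><title>HelpDesk RDP</title><method>get</method><url>rdp://helpdesk01.example.internal</url></bookmark>
!      <bookmark><title>Core Switch SSH</title><method>get</method><url>ssh://10.1.1.1</url></bookmark>
!      <bookmark><title>Kiosk VNC</title><method>get</method><url>vnc://kiosk01.example.internal</url></bookmark>
!    </url-list>
ASA# import webvpn url-list MarketingBookmarks tftp://10.1.1.5/marketing-bookmarks.xml

! 5. Hand the list, and the customization that decides which plug-in icons
!    are shown, only to the group that should have them.
ASA# configure terminal
ASA(config)# group-policy Marketing attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# url-list value MarketingBookmarks
ASA(config-group-webvpn)# customization value Marketing
ASA(config-group-webvpn)# end

! 6. To remove a plug-in, revert by protocol type (there is only one per type).
ASA# revert webvpn plug-in protocol vnc
```

Step 5 is the part that matters for access control: a bookmark list only offers shortcuts, it does not stop a user typing any other rdp://, ssh:// or vnc:// target into the portal address bar. To take a protocol away from a group, disable that plug-in in the customization assigned to the group's policy; anything the plug-in can reach is then bounded only by what the ASA can route to from its inside interface.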
As far as configuration goes, that's really all you have to do. Plug-ins are enabled by default, so at this point I could log on to the portal, select the plug-in's prefix from the address bar drop-down list, and connect to a resource by entering its name or IP. Note that "enabled by default" means every clientless user sees the new plug-ins as soon as they are imported; bookmarks can be added for each application in the same way we did for CIFS shares earlier, and on a per customization template basis I can enable or disable particular applications. For instance, I can disable RDP for Sales and enable it for Marketing. Let's take a quick look at our portal page and see how we can access the new applications.
When we log on to our Marketing portal we should see our new plug-ins displayed on the left-hand side of the screen. In case you don't know, the "Terminal Services" entry is the RDP plug-in; the two names mean the same thing here. If you click on any one of the application icons, a short web page will appear on the right-hand side of the screen giving a brief explanation of the plug-in as well as some syntax (in most cases).
Additionally, you’ll notice that our address bar drop-down now includes address prefixes for the new plug-ins.
In order to use any of the applications, I enter the IP address or DNS name of what I want to connect to, select the correct prefix, and press Browse. I'm not going to go through how to use each plug-in, but I will leave you with some notes and tips that I found helpful.
-The Telnet/SSH plug-in doesn't seem to be as solid as the rest. I haven't been able to use it to telnet/SSH into my ASA, but I believe that to be because my WebVPN connection is terminating on the appliance as well. I tried opening both SSH and Telnet to all IPs on both interfaces and I still couldn't connect. I have used it successfully to get into switches and WAPs, but even then it doesn't always work. I seem to get the error "Failed to Connect" quite often.
-RDP is my favorite; it's rock solid. Once I found out that I could maximize the RDP session out of the Internet Explorer window and into a normal RDP window, I was incredibly pleased.
-VNC has been handy a few times, since a couple of companies use it as their remote assistance application for user workstations. It isn't as fast as the RDP plug-in, though.
-Play around with which plug-ins work well in which scenarios. You can waste a lot of time trying to get multiple plug-ins working for different types of access when it might just be easier to RDP into a workstation and do it all locally from there.
Saw your blog bookmarked on Reddit. Nice blog.
Thanks for reading!
Have you ever seen issues RDP'ing to a machine on the other end of an IPsec L2L tunnel? I have L2L tunnels terminating on another interface of the same ASA; I can only RDP to machines behind the internal interface, not behind the IPsec L2L interface.
Since they are different interfaces I'm assuming that they are different networks. Can you ping the machines? Just not RDP?
Any chance you can explain how you maximized the RDP session? I am having a heck of a hard time finding this answer via Google.
-RDP is my favorite; it’s rock solid. Once I found out that I could maximize the RDP session out of the internet explorer window and into a normal RDP window; I was incredibly pleased.
I might have to check again. Are you saying that you can't get the RDP window to fully maximize? Are you loading the ActiveX component?