larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

SSL Remote Access VPNs (Network Security)


  • Sorry, this book is no longer in print.
Not for Sale
  • Description
  • Sample Content
  • Updates
  • Copyright 2007
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 376
  • Edition: 1st
  • Book
  • ISBN-10: 1-58705-242-3
  • ISBN-13: 978-1-58705-242-2

SSL Remote Access VPNs

An introduction to designing and configuring SSL virtual private networks

Jazib Frahim, CCIE® No. 5459

Qiang Huang, CCIE No. 4937

Cisco® SSL VPN solutions (formerly known as Cisco WebVPN solutions) give you a flexible and secure way to extend networking resources to virtually any remote user with access to the Internet and a web browser. Remote access based on SSL VPN delivers secure access to network resources by establishing an encrypted tunnel across the Internet using a broadband (cable or DSL) or ISP dialup connection.

SSL Remote Access VPNs provides you with a basic working knowledge of SSL virtual private networks on Cisco SSL VPN-capable devices. Design guidance is provided to assist you in implementing SSL VPN in existing network infrastructures. This includes examining existing hardware and software to determine whether they are SSL VPN capable, providing design recommendations, and guiding you on setting up the Cisco SSL VPN devices. Common deployment scenarios are covered to assist you in deploying an SSL VPN in your network.

SSL Remote Access VPNs gives you everything you need to know to understand, design, install, configure, and troubleshoot all the components that make up an effective, secure SSL VPN solution.

Jazib Frahim, CCIE® No. 5459, is currently working as a technical leader in the Worldwide Security Services Practice of the Cisco Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks, with a focus on network security. He holds two CCIEs, one in routing and switching and the other in security.

Qiang Huang, CCIE No. 4937, is a product manager in the Cisco Campus Switch System Technology Group, focusing on driving the security and intelligent services roadmap for market-leading modular Ethernet switching platforms. During his time at Cisco, Qiang has played an important role in a number of technology groups, including the Cisco TAC security and VPN team, where he was responsible for trouble-shooting complicated customer deployments in security and VPN solutions. Qiang has extensive knowledge of security and VPN technologies and experience in real-life customer deployments. Qiang holds CCIE certifications in routing and switching, security, and

ISP Dial.

  • Understand remote access VPN technologies, such as Point-to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPsec), Layer 2 Forwarding (L2F), Layer 2 Tunneling (L2TP) over IPsec, and SSL VPN
  • Learn about the building blocks of SSL VPN, including cryptographic algorithms and SSL and Transport Layer Security (TLS)
  • Evaluate common design best practices for planning and designing an SSL VPN solution
  • Gain insight into SSL VPN functionality on Cisco Adaptive Security Appliance (ASA) and Cisco IOS® routers
  • Install and configure SSL VPNs on Cisco ASA and Cisco IOS routers
  • Manage your SSL VPN deployment using Cisco Security Manager

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: SSL VPNs

Online Sample Chapter

SSL VPN Design Considerations

Sample Pages

Download the sample pages

Table of Contents


Chapter 1: Introduction to Remote Access VPN Technologies

Remote Access Technologies 5

IPsec 5

    Software-Based VPN Clients 7

    Hardware-Based VPN Clients 7


L2TP 9

L2TP over IPsec 11


Summary 14

Chapter 2: SSL VPN Technology

Cryptographic Building Blocks of SSL VPNs 17

    Hashing and Message Integrity Authentication 17

        Hashing 18

        Message Authentication Code 18

    Encryption 20

        RC4 21

        DES and 3DES 22

        AES 22

        Diffie-Hellman 23

        RSA and DSA 24

    Digital Signatures and Digital Certification 24

        Digital Signatures 24

        Public Key Infrastructure, Digital Certificates, and Certification 25

SSL and TLS 30

    SSL and TLS History 30

    SSL Protocols Overview 31

        OSI Layer Placement and TCP/IP Protocol Support 31

        SSL Record Protocol and Handshake Protocols 33

        SSL Connection Setup 34

        Application Data 42

        Case Study: SSL Connection Setup 43

    DTLS 48


    Reverse Proxy Technology 50

        URL Mangling 52

        Content Rewriting 53

    Port-Forwarding Technology 55

    Terminal Services 58

    SSL VPN Tunnel Client 58

Summary 59

References 60

Chapter 3: SSL VPN Design Considerations

Not All Resource Access Methods Are Equal 63

User Authentication and Access Privilege Management 65

    User Authentication 66

    Choice of Authentication Servers 66

    AAA Server Scalability and High Availability 67

        AAA Server Scalability 67

        AAA Server High Availability and Resiliency 68

        Resource Access Privilege Management 68

Security Considerations 70

    Security Threats 71

        Lack of Security on Unmanaged Computers 71

        Data Theft 71

        Man-in-the-Middle Attacks 72

        Web Application Attack 73

        Spread of Viruses, Worms, and Trojans from Remote Computers to the Internal Network 73

        Split Tunneling 73

        Password Attacks 74

    Security Risk Mitigation 74

Strong User Authentication and Password Policy 75

        Choose Strong Cryptographic Algorithms 75

        Session Timeout and Persistent Sessions 75

        Endpoint Security Posture Assessment and Validation 75

        VPN Session Data Protection 76

        Techniques to Prevent Data Theft 76

        Web Application Firewalls, Intrusion Prevention Systems, and Antivirus and Network Admission Control Technologies 77

Device Placement 78

Platform Options 79

Virtualization 79

High Availability 80

Performance and Scalability 81

Summary 82

References 82

Chapter 4: Cisco SSL VPN Family of Products

Overview of Cisco SSL VPN Product Portfolio 85

Cisco ASA 5500 Series 87

    SSL VPN History on Cisco ASA 87

    SSL VPN Specifications on Cisco ASA 88

    SSL VPN Licenses on Cisco ASA 89

Cisco IOS Routers 90

    SSL VPN History on Cisco IOS Routers 90

    SSL VPN Licenses on Cisco IOS Routers 90

Summary 91

Chapter 5: SSL VPNs on Cisco ASA

SSL VPN Design Considerations 93

SSL VPN Prerequisites 95

    SSL VPN Licenses 95

    Client Operating System and Browser and Software Requirements 96

    Infrastructure Requirements 97

Pre-SSL VPN Configuration Guide 97

    Enrolling Digital Certificates (Recommended) 98

        Step 1: Configuring a Trustpoint 98

        Step 2: Obtaining a CA Certificate 99

        Step 3: Obtaining an Identity Certificate 100

    Setting Up ASDM 101

        Uploading ASDM 102

        Setting Up the Appliance 103

    Accessing ASDM 104

    Setting Up Tunnel and Group Policies 106

        Configuring Group-Policies 107

        Configuring a Tunnel Group 110

    Setting Up User Authentication 110

Clientless SSL VPN Configuration Guide 114

    Enabling Clientless SSL VPN on an Interface 116

    Configuring SSL VPN Portal Customization 117

        Logon Page 118

        Portal Page 123

        Logout Page 125

        Portal Customization and User Group 126

        Full Customization 129

    Configuring Bookmarks 134

        Configuring Websites 135

        Configuring File Servers 137

        Applying a Bookmark List to a Group Policy 139

        Single Sign-On 140

    Configuring Web-Type ACLs 141

    Configuring Application Access 144

        Configuring Port Forwarding 144

        Configuring Smart Tunnels 147

    Configuring Client-Server Plug-Ins 150

AnyConnect VPN Client Configuration Guide 152

    Loading the SVC Package 154

    Defining AnyConnect VPN Client Attributes 155

        Enabling AnyConnect VPN Client Functionality 155

        Defining a Pool of Addresses 156

        Configuring Traffic Filters 159

        Configuring a Tunnel Group 159

    Advanced Full Tunnel Features 159

        Split Tunneling 159

        DNS and WINS Assignment 161

        Keeping the SSL VPN Client Installed 162

        Configuring DTLS 163

Cisco Secure Desktop 164

    CSD Components 165

        Secure Desktop Manager 165

        Secure Desktop 165

        Cache Cleaner 166

    CSD Requirements 166

        Supported Operating Systems 166

        User Privileges 167

        Supported Internet Browsers 167

        Internet Browser Settings 167

    CSD Architecture 168

    Configuring CSD 169

        Loading the CSD Package 169

        Defining Prelogin Sequences 170

Host Scan 182

    Host Scan Modules 183

        Basic Host Scan 183

        Endpoint Assessment 183

        Advanced Endpoint Assessment 184

    Configuring Host Scan 184

        Setting Up Basic Host Scan 184

        Enabling Endpoint Host Scan 186

        Setting Up an Advanced Endpoint Host Scan 187

Dynamic Access Policies 189

    DAP Architecture 190

        DAP Records 191

        DAP Selection Rules 191

        DAP Configuration File 191

    DAP Sequence of Events 191

    Configuring DAP 192

        Selecting a AAA Attribute 193

        Selecting Endpoint Attributes 195

        Defining Access Policies 197

Deployment Scenarios 205

    AnyConnect Client with CSD and External Authentication 206

        Step 1: Set Up CSD 207

        Step 2: Set Up RADIUS for Authentication 207

        Step 3: Configure AnyConnect SSL VPN 208

    Clientless Connections with DAP 209

        Step 1: Define Clientless Connections 210

        Step 2: Configuring DAP 211

Monitoring and Troubleshooting SSL VPN 212

    Monitoring SSL VPN 212

    Troubleshooting SSL VPN 215

        Troubleshooting SSL Negotiations 215

        Troubleshooting AnyConnect Client Issues 215

        Troubleshooting Clientless Issues 217

        Troubleshooting CSD 219

        Troubleshooting DAP 219

Summary 220

Chapter 6: SSL VPNs on Cisco IOS Routers

SSL VPN Design Considerations 223

IOS SSL VPN Prerequisites 225

IOS SSL VPN Configuration Guide 226

    Configuring Pre-SSL VPN Setup 226

        Setting Up User Authentication 226

        Enrolling Digital Certificates (Recommended) 229

        Loading SDM (Recommended) 232

    Initial SSL VPN Configuration 235

        Step 1: Setting Up an SSL VPN Gateway 237

        Step 2: Setting Up an SSL VPN Context 239

        Step 3: Configuring SSL VPN Look and Feel 241

        Step 4: Configuring SSL VPN Group Policies 245

Advanced SSL VPN Features 247

    Configuring Clientless SSL VPNs 247

    Windows File Sharing 253

    Configuring Application ACL 257

    Thin Client SSL VPNs 259

        Step 1: Defining Port-Forwarding Lists 261

        Step 2: Mapping Port-Forwarding Lists to a Group Policy 262

    AnyConnect SSL VPN Client 264

        Step 1: Loading the AnyConnect Package 264

        Step 2: Defining AnyConnect VPN Client Attributes 266

Cisco Secure Desktop 276

    CSD Components 277

        Secure Desktop Manager 277

        Secure Desktop 277

        Cache Cleaner 278

    CSD Requirements 278

        Supported Operating Systems 278

        User Privileges 279

        Supported Internet Browsers 279

        Internet Browser Settings 279

    CSD Architecture 280

    Configuring CSD 281

        Step 1: Loading the CSD Package 282

        Step 2: Launching the CSD Package 283

        Step 3: Defining Policies for Windows-Based Clients 283

        Defining Policies for Windows CE 298

        Defining Policies for the Mac and Linux Cache Cleaner 298

Deployment Scenarios 301

    Clientless Connections with CSD 301

        Step 1: User Authentication and DNS 302

        Step 2: Set Up CSD 303

        Step 3: Define Clientless Connections 303

    AnyConnect Client and External Authentication 304

        Step 1: Set Up RADIUS for Authentication 305

        Step 2: Install the AnyConnect SSL VPN 306

        Step 3: Configure AnyConnect SSL VPN Properties 306

Monitoring an SSL VPN in Cisco IOS 307

Summary 311

Chapter 7: Management of SSL VPNs

Multidevice Policy Provisioning 314

    Device View and Policy View 314

        Device View 314

        Policy View 318

    Use of Common Objects for Multidevice Management 320

Workflow Control and Role-Based Access Control 322

    Workflow Control 323

    Workflow Mode 324

    Role-Based Administration 326

        Native Mode 326

        Cisco Secure ACS Integration Mode 327

Summary 331

References 331

1587052423   TOC   5/13/2008

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive:

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020