Cisco ASA5505 Clientless VPN/CIFS Configuration Questions


I'm configuring a clientless VPN on an ASA 5505, and have a few questions:

  • I assume that, when accessing CIFS, if they delete a file it just goes bye-bye? (i.e. no recycle bin equivalent on the client side… I also can't find one on the server side for a regular Windows file server. Noticed a few NASs have some sort of CIFS recycle bin feature, but don't see a way to turn this on for Windows.)

  • Is it possible to have some sort of confirmation dialog before they can delete? I know they're irritating, but with no trash it seems a reasonable precaution.

  • I can add individual Windows file servers as CIFS addresses, and that works fine. However, if I click the "Network" button, I get the error "Failed to retrieve domains". Where would I start to look for this issue? It's definitely using the LDAP logins fine, seeing the files according to the user's permissions, etc… so I'm not sure where else to look to rectify this.

  • Is there a way to have links to pages on the VPN home page that don't get accessed through the VPN? One example would be our OWA. We use Office365 for our Exchange server. I'd like to have a link for the OWA login for this, that would ideally use SSO (but that might not be possible in this scenario). I want to have the SSL VPN basically be a portal for them to see all of the links to our resources, and not have to log in multiple times, but not use our bandwidth when it's not necessary.

ETA: To clarify, by clientless VPN I'm referring to the Cisco VPN usable through a web browser – almost a sort of portal page. The one that looks basically like this, although the appearance has been updated slightly since – Cisco example screenshot

Best Answer

After a long period of experimentation and follow-up with Cisco, I've got the following answers:

  1. There is no recycle bin equivalent when deleting CIFS files from a Windows server via the clientless VPN.

  2. There is no way to enable any kind of confirmation dialogue for file deletions at this point in time. So people can be trying to click the "favourite" button, be off by a millimetre, and accidentally delete with no confirmation and no trash to recover from. :-( They've put in the ability to turn on confirmations as a feature request, but there's no timeline on when it might be implemented. So guess we won't be using this feature, which is sad.

  3. I added our nbns server to the Cisco config, and now clicking the Browse entire network button shows me the domain. However, when I click on the domain, it says "Failed to retrieve servers". I had a support tech look at this, and he said the config all looks fine, and he found a few other instances of this for other users. He said he'd investigate and get back to me.

While waiting, I disabled file browsing. A few days later, when he wanted me to show him the issue, I turned it back on and it was working! (There's still a second domain showing in there that isn't on my nbns server...still no idea what the deal is with that. But the real domain is working.) So I don't know if the browsing just basically needed a kick in the pants after I added the nbns server config? No idea. But it's okay now.

  4. Having some links that use the clientless VPN and some that don't is in fact possible through content-rewrite rules (http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/vpn_clientless_ssl.html#wp2389515):

"By default, the security appliance rewrites, or transforms, all clientless traffic. You might not want some applications and web resources (for example, public websites) to go through the ASA. The ASA therefore lets you create rewrite rules that let users browse certain sites and applications without going through the ASA. This is similar to split-tunneling in an IPSec VPN connection."

However - and I have confirmation of this from a Cisco support rep to back up my test results - this does not work in combination with SSO. If you're using the rewrite rules you cannot send parameters of any kind.
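As an added illustration, not part of the original question or answer, this is the CLI form of the content-rewrite rule the answer describes, applied to the OWA case from the question. The group-policy name and the hostname mask are placeholders, and the command syntax is recalled from the ASA 8.4 clientless SSL VPN guide linked above, so check it against that document before use.

```text
! Added example, not from the original post. Policy name and resource mask
! are placeholders; verify the syntax against the ASA configuration guide.
group-policy CLIENTLESS_PORTAL attributes
 webvpn
  ! Order 1: do NOT rewrite traffic for the hosted OWA host. The browser
  ! reaches Office 365 directly, so it does not consume the ASA's bandwidth.
  rewrite order 1 disable resource-mask *outlook.office365.com*
  ! Order 2: everything else still goes through the clientless rewriter,
  ! so internal CIFS and web bookmarks keep working as before.
  rewrite order 2 enable resource-mask *
```

Per the caveat in the answer above, a bookmark that matches a "disable" rule cannot carry SSO parameters, so users following that link will see the Office 365 sign-in page rather than being logged in automatically.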
