Cisco ASA Portal


We have some ASA 5520's on order for firewall services.

Can the ASA's also serve as a portal? I know that for the ssl vpn solution there is a portal you can use, but we are not planning on using SSL VPN.

What I'm looking for is for staff to enter a URL to a portal using their Windows AD credentials to authenticate. Once they have authenticated they get presented with the apps that they have the privilege to access. Since the ASA sits in front of the apps is there anything builtin on the ASA that I can use as the portal?



luc_roy (System Admin) commented:
Are you asking if an ASA can host a portal or grant access to a DMZ area where a web server is located?
58872 (Author) commented:
I want the ASA to host the portal. I have seen and used the portal on the ASA when the SSL VPN solution is used.

Regarding the apps: the apps interrogate AD when authenticating the user, but they have their own internal authorization model. When a user logs into the portal, the portal should display all the apps (akin to a service catalogue), but it would be a bonus if users could only see those apps on the portal to which they have been granted privileges to access.

The ASA has a feature called "WebVPN". This feature is the one you're looking for, where you can configure it as a portal interface. Once the user logs into the portal interface, you can configure what they will see and the options to choose from. You can configure access to internal web-based applications, and there are integrations for SSH, Telnet, RDP, VNC, and Windows file share access. If your application doesn't use any of these, then using the portal to access it will be a challenge. It may be possible to use "Smart Tunnels" or Port Forwarding through the WebVPN to get it to work, but it would require some effort and testing/configuration.

Also, this feature requires licenses. The ASA will come with qty 2 licenses, so you can configure this feature and test it, but for more licenses you have to buy them depending on your model of ASA and the qty of concurrent users you wish to have. For example, for an ASA5510 with 50 concurrent users you'd need: L-ASA-SSL-50, ASA 5500 SSL VPN 50 Premium User License.

Note that this license gives you 50 AnyConnect SSL VPN client users as well (they use the same licenses). Oh, and I'd upgrade IOS and ASDM to the latest version before doing this configuration.
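As an added illustration (not part of the thread or Cisco's documentation) of the clientless WebVPN portal described above, with AD authentication over LDAPS and per-AD-group bookmark lists so users only see the apps their group is entitled to; ASA 8.4+ syntax is assumed, and all addresses, names and DNs are hypothetical:

```cisco
! Hypothetical addresses, names and DNs; adjust to your environment.
! --- Map AD group membership to an ASA group-policy ---
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Finance-Apps,OU=Groups,DC=example,DC=com" FINANCE-GP
 map-value memberOf "CN=HR-Apps,OU=Groups,DC=example,DC=com" HR-GP
!
! --- AD authentication via LDAPS using a read-only bind account ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-port 636
 ldap-over-ssl enable
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! --- Default policy: a valid AD login with no mapped group gets nothing ---
group-policy NOACCESS-GP internal
group-policy NOACCESS-GP attributes
 vpn-simultaneous-logins 0
!
! --- Per-group policies: clientless only, each with its own bookmark list ---
group-policy FINANCE-GP internal
group-policy FINANCE-GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value FINANCE-BOOKMARKS
!
group-policy HR-GP internal
group-policy HR-GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value HR-BOOKMARKS
!
! --- Enable the portal on the outside interface and tie it together ---
webvpn
 enable outside
!
tunnel-group STAFF-PORTAL type remote-access
tunnel-group STAFF-PORTAL general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS-GP
tunnel-group STAFF-PORTAL webvpn-attributes
 group-alias Staff enable
```

The bookmark lists FINANCE-BOOKMARKS and HR-BOOKMARKS are created in ASDM (Clientless SSL VPN Access > Portal > Bookmarks) or imported with `import webvpn url-list`; the NOACCESS-GP default means a user whose AD groups match no map-value is denied rather than shown every bookmark.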


luc_roy (System Admin) commented:
OK, well, that would be determined by the portal application you are using. You have a few options.

1) Active Directory bound login. Several portal applications like WebSphere, SharePoint and DotNetNuke do this. The problem is the computer / user would need to be a part of your domain for this to work. If the users are created in Active Directory and are allowed to log in with an off-network computer, this would work fine.

2) Local portal credentials. Doing it this way, you just have the portal application sync with your AD server or maintain a separate login for the portal.

Either way, unless your AD is set up to require the PC and user to be a part of the domain, you can simply make your portal available through a DMZ configuration in your ASA. This will not require any licensing or end-user knowledge other than knowing how to get to the web site.

Here is a DMZ configuration example.
Pete Long (Technical Consultant) commented:
>>What I'm looking for is for staff to enter a URL to a portal using their Windows AD credentials to authenticate

Yes, as already stated, set up the SSL Portal; see my website here.

>> Once they have authenticated they get presented with the apps that they have the privilege to access

However, it's not designed to present apps on a web page, though it can present a URL to somewhere hosting apps :) Look at TSWeb; simply present the URL for web access on the SSL Portal.
58872 (Author) commented:
Thanks Pete,

If I were to use the clientless SSL VPN solution, would I need to (and this sounds like an oxymoron) purchase client licenses? Or is there a fixed number of sessions an appliance can take (we are getting the 5520's)?

Also, as we would be using Citrix apps through this solution (connecting to the Citrix Web Interface), are there any issues? We can only use clientless SSL VPN; the ICA client is, however, installed on the relevant PCs.
