ASA giving error "Clientless (browser) SSL VPN access is not allowed"

We recently switched to using Cisco AnyConnect VPN for our remote access needs, but I have a vendor that needs VPN access just to RDP into their server. I thought I would setup a Clientless SSL VPN just for them since they don't want to load any type of software on their PCs.

I've tried it manually and with the wizard and I get the above error. Config is below, and I'm using "dharrell" as my test account for the VPN.

ssl trust-point AnyConnectVPNTP outside
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
 svc enable
group-policy dharrell internal
group-policy dharrell attributes
 banner none
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value IT
  customization value IT

tunnel-group DefaultRAGroup ipsec-attributes
 isakmp ikev1-user-authentication (outside) none
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool COJ
 authentication-server-group CITY
tunnel-group DefaultWEBVPNGroup webvpn-attributes
tunnel-group dharrell type remote-access
tunnel-group dharrell general-attributes
 default-group-policy dharrell
tunnel-group dharrell webvpn-attributes
 group-alias dharrell enable
 group-url https://secure.ourdomain.org/dharrell enable
dharrell74Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MikeKaneCommented:
In your Group Policy, do you have the VPN-TUNNEL-PROTOCOL set for webvpn?  

dharrell74Author Commented:
Yes, it's there as well as SVC.

I'm not sure what I changed but now when I go to the url I get the login screen with the template changes I had made for the portal. However when I login it starts the anyconnect client.
dharrell74Author Commented:
Scratch that, I know what I did differently. I deleted the "dharrell" profile and added webvpn to another existing profile.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

MikeKaneCommented:
Good...   did that fix the issue then?
dharrell74Author Commented:
Nope, it still wants to install the anyconnect client once it passes the login stage.
MikeKaneCommented:
These lines are telling it to auto install

 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 1
 svc enable


You can remove those to disable that feature.
dharrell74Author Commented:
So if I remove the line "svc enable", how will that affect my VPN users who are connecting for the first time?

MikeKaneCommented:
Those lines tell clients to download the image and run it if they don't already have it or if they have a lower version.  

dharrell74Author Commented:
Well, I can't take it out of the config, as it appears my Anyconnect won't work properly....

Anyway to disable it for a single profile?
MikeKaneCommented:
You would have to create a separate profile for this 1 connection.    Have that profile configured without the SVC image commands.    Since it is for 1 connection, you might want to use AAA local instead of passing it to another server group.   That way, that 1 id would be the only one able to use the profile.  

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dharrell74Author Commented:
I'll try that and see what I can come up with.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.