Aug 23, 2016

Redirecting HTTP (TCP/80) requests to the WebVPN portal

After completing a WebVPN setup, the users access the SSL VPN portal using a web browser and going to https://fw_ip_address (or a URL mapped to the firewall address). However users are not network experts and sometimes they will forget the "https://" or even use "http://" and the ASA will reject the connection attempt.

If we want to avoid users crying about timeout pages on their browsers, we can redirect HTTP requests to the TCP port in use for the WebVPN with the following command:

asa(config)# http redirect outside http

These are the HTTP messages that we see in the wire:

Browser to ASA
GET / HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


ASA to Browser
HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 23 Aug 2016 20:54:22 GMT
Location: https://192.0.2.1/


It doesn't matter if we are using TCP port 443 or any other for the SSL VPN portal, the ASA will redirect the browser to the right location.

No comments:

Post a Comment