ASA WebVPN and Brokers?

Unanswered Question
Oct 1st, 2008

We are currently reviewing various ways to provide virtual desktops for home users.

One of the things we are testing is using the ASA webvpn option with the RDP plugin to connect to a remote desktop.

One issue with this however is the method of connecting the user to the remote desktop. For instance, with the ASA I have two options. Let someone manually enter an address in the connection box once they login to webvpn. They select RDP and put in the virtual desktop address.

This obviously isn't very good, user error and inconvenience.

Second option is manually creating a bookmark, however this doesn't seem to be practical. I don't think I can create one on a per user basis but I might be wrong. And on a group basis this wouldn't work as each individual needs to connect to their individual virtual desktop.

I understand that's where "Brokers" come in. Brokers apparently act as a medium way for automating the process of connecting a user to a specific virtual desktop.

Wondering what others are using and doing with regards to virtual desktops through ASA. Any particular brokers recommended by Cisco or partners with Cisco in this matter?

ROBERTO GIANA Thu, 10/02/2008 - 05:11

Maybe "Macro Substitution" would be a way to go for you. If the needed URL could be composed of the user id you could use "CSCO_WEBVPN_USERNAME" within the URL and all the users could use the same group bookmark list. So if the user "jack" would need to access "rdp://jack.domain.local" just configure the bookmark "rdp://CSCO_WEBVPN_USERNAME.domain.local".

But I guess that you need to use a different parameter. Therefore you could use "CSCO_WEBVPN_MACRO1" and/or "CSCO_WEBVPN_MACRO2". The values for those parameters can be assigned through RADIUS or LDAP during login. So if you would like to assign "jack" the server "server01", then the bookmark should be "rdp://CSCO_WEBVPN_MACRO1.domain.local" and the value "server01" should be assigned through RADIUS setting the parameter "[026/3076/223] WebVPN-Macro-Value1" to "server01".

And last but not least you could even do Single Sign On by extending the URL with "?csco_sso=1".

You can find some information under:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml#macro

Hope this helps.

danedevalcourt Thu, 10/02/2008 - 07:04

This was very eye opening, great information I was not familiar with.

Curious about something though. If we use a designation for the virtual desktop name in addition to the username could a bookmark be made that would combine the two?

For instance, would a bookmark such as this work:

rdp://VPCCSCO_WEBVPN_USERNAME.domain.local

VPC - virtual PC designation, then username so...

VPCJDOE - VPCCSCO_WEBVPN_USERNAME

I know that when doing something like this in the Windows world you would do something like:

VPC%CSCO_WEBVPN_USERNAME%

Got someone cloning a virtual desktop for me now with my username as the name so that I can test this. But thought I would ask as well.

ROBERTO GIANA Thu, 10/02/2008 - 07:56

Yes. That's how it works. Every instance of CSCO_WEBVPN_USERNAME will be replaced within the URL. So you could even use rdp://serverCSCO_WEBVPN_USERNAME.myCSCO_WEBVPN_USERNAMEdomain.company.local/?username=CSCO_WEBVPN_USERNAME&domain=myCSCO_WEBVPN_USERNAMEdomain&csco_sso=1 which would result in rdp://serverJDOE.myJDOEdomain.company.local/?username=JDOE&domain=myJDOEdomain&csco_sso=1 for the user id "JDOE".

But just a small hint for testing: The macros only work with bookmarks. When you paste the URL manually into the address field the macro keywords won't be replaced. :-)
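
Added example, not part of the thread and not Cisco code: a Python model of the substitution described in the replies above, used to check which RDP host a bookmark template yields for a given user before the bookmark is rolled out. The function names, the allowed-suffix check and the sample usernames are assumptions made for illustration.

```python
import re

# Macro keywords named in the thread. The rule modelled here (every
# occurrence in the bookmark URL is replaced) is the one the replies describe.
MACROS = ("CSCO_WEBVPN_USERNAME", "CSCO_WEBVPN_MACRO1", "CSCO_WEBVPN_MACRO2")
MACRO_RE = re.compile("|".join(MACROS))

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def expand(template, values):
    """Replace every macro keyword in one pass, so a substituted value is
    never itself re-expanded. Raises KeyError if a used macro has no value."""
    return MACRO_RE.sub(lambda m: values[m.group(0)], template)


def check_bookmark(template, values, allowed_suffix):
    """Expand a bookmark template and inspect the RDP host it produces.

    Returns (url, problems). An empty problems list means the host is a
    well-formed DNS name under allowed_suffix (hypothetical policy check).
    """
    url = expand(template, values)
    m = re.match(r"^rdp://([^/?#]*)", url)
    if not m:
        return url, ["not an rdp:// URL"]
    host = m.group(1)
    problems = []
    if not host.lower().endswith("." + allowed_suffix.lower()):
        problems.append(f"host {host!r} is outside {allowed_suffix}")
    for label in host.split("."):
        if not LABEL_RE.match(label):
            problems.append(f"invalid DNS label {label!r}")
    return url, problems


if __name__ == "__main__":
    template = "rdp://VPCCSCO_WEBVPN_USERNAME.domain.local"
    # Constructed usernames: one clean, two that would break the hostname.
    for user in ("jdoe", "j.doe@corp", "jdoe/x"):
        url, problems = check_bookmark(
            template, {"CSCO_WEBVPN_USERNAME": user}, "domain.local")
        print(user, "->", url, problems or "ok")
```

Running the check over the directory's real usernames (or the RADIUS/LDAP macro values) shows in advance which accounts would end up with a bookmark pointing at a malformed or unintended host.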
