DAP rule for IPSec clients

Unanswered Question
Oct 30th, 2009

I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

Todd Pula Mon, 11/02/2009 - 08:09

You can add a policy for your IPSec users which will match on the "application" endpoint attribute type. You will then set the "client type" to "IPSec" and the default action to continue.

brian.kennedy Mon, 11/02/2009 - 09:18

Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.

Thanks

Brian

Jason Gervia Mon, 11/02/2009 - 09:23

Brian,

You can't do hostscan with IPSEC, which is required for checking whether av/as/fw is installed. You have to use anyconnect.

--Jason

brian.kennedy Mon, 11/02/2009 - 09:32

Hmm, no posturing for av/as/fw at all with IPSec, or just through the DAP? W/ pre-login policies you can check for file/registry/os, etc.
