10-30-2009 09:34 AM - edited 02-21-2020 03:46 AM
I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.
11-02-2009 08:09 AM
You can add a policy for your IPSec users which will match on the "application" endpoint attribute type. You will then set the "client type" to "IPSec" and the default action to continue.
11-02-2009 09:18 AM
OK, that worked. Follow-up question though. The only thing I'm looking at doing right now is setting up a policy to look at anti-virus and disallow if the signature is more than a week old. Works fine with AnyConnect. But if I add that to the IPSec rule (app = IPSec and AV exists, signature < 7 days old), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with the IPSec client, we have to use endpoint assessment or a pre-login policy? Is that the case? It would be nice to do it all within one DAP rule.
Thanks
Brian
11-02-2009 09:23 AM
Brian,
You can't do HostScan with IPSec, which is required for checking whether AV/AS/FW is installed. You have to use AnyConnect.
--Jason
11-02-2009 09:32 AM
Hmm, no posturing for AV/AS/FW at all with IPSec, or just through DAP? With pre-login policies you can check for file/registry/OS, etc.