AnyConnect - within RDP session

Answered Question
Dec 19th, 2009

Dear friends,

After reading the AnyConnect client 2.4 configuration guide at:

http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/anyconnectadmin24.html

I have some doubts about the VPN session within the RDP session.

What is the difference between localuser and remoteuser?

Does local user mean the user who has direct console access to the machine? Or is it something else?

Does remote user refer to any user who has connected to the PC via RDP?

Regarding a VPN session within an RDP session, does it mean RDP'ing to a machine that has the AnyConnect client installed?

Can anyone please clarify this?

Thanks a lot

Gautam

Correct Answer by busterswt, Sat, 12/19/2009 - 22:55

LocalUser means someone "physically" logged into the server. RemoteUser would be someone logged in via RDP.

Prior to version 2.3.x of the AnyConnect client, it was impossible to RDP into a machine and then initiate an AnyConnect client VPN session from the machine you were RDP'd into. The AnyConnect client would straight up tell you that it was not permitted.

You can modify the AnyConnectProfile.tmpl file on the machine to remove this limitation; however, I was not able to get it to work that way. I had to actually upload the new template to the ASA and set up the user policy or group policy to push down the template upon attempting to connect with AnyConnect.

You could try the following:

Upload the profile to the ASA using tftp or through ASDM, and add the following to the webvpn configuration:

svc profiles MY-PROFILE-NAME disk0:/AnyConnectProfile.tmpl

You should be able to push it down through the group policy, but I chose to do it on a per-user basis (as I only have one test user):

username testuser attributes
 webvpn
  svc profiles value MY-PROFILE-NAME

Example using group-policy:

group-policy my-vpn-group attributes
 webvpn
  svc profiles value MY-PROFILE-NAME

Hopefully that leads you in the right direction.

James
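The answer above says the limitation can be lifted in the AnyConnect profile but does not name the setting. The following is an added example, not part of the original post or of Cisco's own sample profile: it shows the two elements in the AnyConnect 2.4 client profile schema (the XML the guide linked in the question describes) that control this behaviour. `WindowsVPNEstablishment` decides whether a user logged in over RDP may start the tunnel (`LocalUsersOnly` is the default that produces the "not permitted" message; `AllowRemoteUsers` lifts it). `WindowsLogonEnforcement` decides whether additional logons are tolerated while the tunnel is up. The server hostname, the profile name and the omission of the other `ClientInitialization` elements are assumptions made to keep the fragment short; a real profile must also satisfy the rest of AnyConnectProfile.xsd.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile fragment, not the original post's file. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Other ClientInitialization elements required by the schema are
         omitted here (assumption: they keep their defaults). -->

    <!-- SingleLocalLogon: the local (console) user keeps the tunnel even if
         remote users are also logged on. SingleLogon: the tunnel is dropped
         when more than one user is logged on to the Windows machine. -->
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>

    <!-- LocalUsersOnly (default): a user connected via RDP cannot start the
         VPN; this is the restriction the question is about.
         AllowRemoteUsers: a user connected via RDP may start the VPN. -->
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Placeholder head-end; substitute the real ASA FQDN. -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two caveats from the admin guide are worth keeping in mind before choosing `AllowRemoteUsers`. First, if the tunnel's routing would cut off the RDP session that started it (for example a full-tunnel configuration with no split-tunnel exclusion for the RDP client's address), AnyConnect terminates the VPN so the remote user regains access to the machine, so the setting alone does not make RDP-then-VPN work. Second, the head-end is the authoritative place for this file: a profile pushed from the ASA with the `svc profiles` configuration in the answer above overwrites whatever was edited locally on the client, which is consistent with the author's experience that a local edit did not take effect.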


gautamzone Sat, 12/19/2009 - 23:37

Thank you so much James for the wonderful response.

Thanks a lot

Gautam
