
ASK THE EXPERT - VPN REMOTE ACCESS (SSL) AND ANYCONNECT SECURE MOBILITY

Mar 14th, 2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on Cisco Remote Access VPN (SSL) and an introduction to the brand new AnyConnect Secure Mobility with Cisco expert Kiran Sirupa. Kiran is a technical marketing engineer in the product marketing team for the Cisco Adaptive Security Appliance (ASA). He also works on documentation, partner and system engineer training. Sirupa has been working in the Cisco Security Technologies Group (STG) for the past 6 years.


Remember to use the rating system to let Kiran know if you have received an adequate response. 



Kiran might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event.  This event lasts through March 26, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

Overall Rating: 4.8 (34 ratings)
tenaro.gusatu.novici Mon, 03/15/2010 - 11:51

Hi there,


security is really not my specialty but I do use VPN heavily, from the client side. Now, I did notice that Cisco is stopping development for the VPN client (an SE in the local Cisco office confirmed there will be no 64-bit version of the VPN client for Windows 7) and there are a lot of rumors around this AnyConnect. Can you shed some light on this: what is currently changing, where is all this going, how is this approach different from VPN client access? I'm trying to see the bigger picture here, like what is going to happen with UC clients (like IP Communicator or Webex Connect) for different platforms. Could you please comment on this?


Regards,

Tenaro

ksirupa Mon, 03/15/2010 - 13:06

Hi Tenaro,


Short Answer: AnyConnect provides everything the VPN Client provided and more. The Cisco VPN client is not EOL'ed. However, Cisco strongly encourages transition to the AnyConnect Client for support for new and 64-bit platforms. If you are concerned about licensing costs with SSL, check out the AnyConnect Essentials license, which provides full tunnel connectivity at a nominal price. I believe the UC and various other Cisco initiatives are using the SSL based AnyConnect client. See below for detailed advantages of this new client.


Long Answer:


AnyConnect is the SSL based VPN Client. You will have the same functionality as offered by the Cisco VPN Client. That is, your user will be able to establish a full tunnel to the corporate network and receive a routable IP address. Hence, all the applications will work. In addition, AnyConnect provides many advanced features that enable better connectivity and stronger security protection for your remote users.


Connectivity:


AnyConnect (AC) is supported on a multitude of platforms including Windows Vista, Windows 7, Mac OS X 10.5/10.6, Linux and Windows Mobile based smart phones. AC supports 64-bit platforms and Cisco is committed to supporting AnyConnect to provide the maximum coverage for platforms.


Since AC is using SSL as a transport, you will not have to worry about various firewalls blocking IPSec.


Compared to Cisco VPN Client, AnyConnect is a light-weight (2MB) client which means less overhead on the user PC or smart phone.


AC introduced features such as Automatic Head-end selection (AHS), Auto-Reconnect, Trusted Network Detection, Always-On VPN, SCEP Proxy, which significantly improve user experience along with original VPN Client features such as Local LAN Access, Start-Before-Logon, Split-DNS etc.


AnyConnect supports dynamic and auto-upgrade without admin privileges, hence relieving the IT departments from administrative overhead to push new software versions.


Security:


With the introduction of the new "AnyConnect Secure Mobility" solution, your remote users are provided the same level of protection as your corporate users. The remote user traffic from the AnyConnect client is inspected by the Web Security Appliance at the corporate site. The WSA protects the user from visiting known malware websites, based on a reputation database downloaded from the Cisco Security Intelligence Operations center. You can also enforce customized acceptable use policy controls for the remote users.


If you buy the AnyConnect Premium license, you can also take advantage of Cisco Secure Desktop, which helps scan the end-user device for posture assessment such as registry, certificate, file, and also verifies the versions of Anti-Virus, Anti-Spam and Personal Firewall. The administrator can also force remediation/update before the user is allowed to connect.


In short, AnyConnect = More platform support + Better User Experience + Better Security protection.

debra-brown Mon, 03/15/2010 - 14:40

Kiran,


Besides cost, can you tell me the difference between AnyConnect Client and AnyConnect Essentials?


Thanks.


Debra

ksirupa Mon, 03/15/2010 - 14:52

Hi Debra,


When you buy the AnyConnect Client license (it is actually called the SSL VPN Premium license), you get AnyConnect Client + Clientless SSL + Cisco Secure Desktop. When you buy AnyConnect Essentials, you get the AnyConnect client only. There is no Clientless or CSD support.

debra-brown Mon, 03/15/2010 - 14:29

Kiran,


Since AnyConnect client requires licensing, can you tell me when you would or would not use SSL clientless?


Thanks.


Debra

ksirupa Mon, 03/15/2010 - 14:45

Hi Debra,


Clientless is best suited when you want to provide customized limited access to your partners and vendors. With Clientless SSL, the user can utilize a regular browser on any device and access corporate resources securely. Clientless supports all the webified applications, access to CIFS/FTP file folders, and Java applets for RDP, VNC, SSH and Citrix applications. If you have any client-server applications that use TCP, you can use the "Smart Tunnel" feature to support those applications. Also, I have seen companies providing access to core applications such as email (OWA), chat and internal web portals for quick remote access for their employees on the go. With Clientless it's easy to provision and de-provision the VPN access. There is no client to install, no network ACLs to worry about, etc. The Cisco Secure Desktop which comes with clientless access provides a virtual encrypted workspace to minimize the loss of sensitive data on non-corporate assets.


AnyConnect is best suited for employees accessing corporate resources and those who require full-tunnel access for a remote-office-like experience. As I detailed in an above thread, AnyConnect provides seamless connectivity and persistent security. With AnyConnect there are two types of licenses: AnyConnect Essentials and AnyConnect Premium.


When you buy Essentials license you only get the client. With premium, you get Client + Clientless + Cisco Secure Desktop.

debra-brown Mon, 03/15/2010 - 19:33

Kiran,


Thanks for your prompt response and information.   I thought SSL clientless is free.  So, the only free VPN client is IPSEC VPN client.


We have an ASA 5550 and it comes with 2 SSL clients.  Does it mean we can implement SSL VPN, SSL clientless, and Cisco Secure Desktop for those 2 licenses?


Thanks.


Debra

ksirupa Mon, 03/15/2010 - 20:19

Yes, for those 2 licenses, you can implement Clientless, AnyConnect Client and CSD.


The AnyConnect Essentials license is really nominal (< $200) for the low-end ASA 5505-20 and less than $500 for the high-end devices (5550-80). And, this license will enable the maximum VPN sessions on each platform: 5510 = 250 licenses, 5580 = 10,000 licenses.


In addition, you can request your Cisco Account Team (or SE) to issue a 3-month evaluation license for either AnyConnect Essentials or AnyConnect Premium (which includes Clientless SSL). Please note that at any time you can activate either the Essentials license or the Premium license on the ASA. You can't have both active.

dianewalker Tue, 03/16/2010 - 06:54

Kiran,


I want to setup VPN for disaster recovery.  What client would you recommend?  Would you recommend AnyConnect client?


We have an ASA 5550 at the office and an ASA 5520 at the disaster recovery site.  If I copy the config file from the ASA 5550 to the 5520, do you think the groups, group policies, tunnel groups, etc. will still work? (Sorry for asking a dumb question.)  I am not sure of the differences between the 5550 and 5520 besides the capability of handling more users.


Thanks.


Diane

jeppich (Cisco Employee) Tue, 03/16/2010 - 08:08

Hey Diane,


I would recommend a VPN Flex license for your ASA at the DR site.  This license can be used in emergency situations.  This will allow you to burst the number of SSL VPN licenses on the ASA for 60 days.  The license is tied to the ASA and can only be used on that device.


As an example, a customer has an ASA with a 500 user permanent SSL license.  The customer experiences a snow storm and 2500 employees need to work from home.  You can apply a 2500-user license on 1-day, and then revert back to the permanent licenses the following day. You will have 59 days remaining on the license.  When the count goes down to zero you would have to purchase another Flex license.


AnyConnect Premium licenses are required when using VPN Flex licensing.


Thanks,

John

dianewalker Tue, 03/16/2010 - 09:40

John,


Thanks for your prompt response and information.  Please clarify something for me.   Since AnyConnect Premium licenses are required when using VPN Flex licensing, you are actually paying for the AnyConnect Premium licenses whether you use them or not.  Is this correct?  If it is, AnyConnect Premium licenses are quite expensive.  Please let me know since I am planning on having an ASA at the DR site.  Would you use the AnyConnect client for DR? Do you have any other recommendations for DR?


Thanks. 


Diane

jeppich (Cisco Employee) Wed, 03/17/2010 - 10:37

Hey Diane,


I checked with my colleagues on this:


(a) You were correct in being able to copy over your groups, tunnels, etc. to the 5520.  Also, on the 5550, edit the profiles of the groups that will get routed over to the 5520. You will need to edit the 'BackupServer List'.  I've also enclosed a link from the AnyConnect 2.4 Admin Guide for more information:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html#wp1089961

(b) If you decided to go with a VPN Flex license, you would not need to purchase separate 'premium' licenses.  I apologize for my previous posting. VPN Flex licensing would be used in pandemic situations.


Option (a) would probably work best for you.


Thanks,

John

debra-brown Tue, 03/16/2010 - 07:36

Kiran,


Thanks for your prompt response and information.  You answered the questions that I had on my mind.


Thanks again.


Debra

debra-brown Thu, 03/18/2010 - 11:23

Kiran,


Thanks again for the info about SSL VPN Premium and AnyConnect Essentials licenses.  I have another question.


Since the ASA comes with two licenses for SSL, if I buy additional 1000 AnyConnect Essentials licenses for the ASA 5550, I will get 1002 AnyConnect licenses?  Anyway, I just want to know if I can still use SSL clientless and Cisco Secure Desktop for those two built-in licenses?


Thanks.


Debra

ksirupa Thu, 03/18/2010 - 12:09

Hi Debra,


Unfortunately, we can't have both AnyConnect Essentials and AnyConnect Premium (the 2 default) active at the same time. So, you will either have 1000 AnyConnect Essentials or the default 2 Premium licenses, but not both. I know it is disappointing, but we have technical limitations which prevent us from supporting both at the same time.


By the way, AnyConnect Essentials is a feature license, not a per-user count license. That means if you buy AnyConnect Essentials for a 5520, you will automatically enable 750 users for AnyConnect Essentials access. Please note that the combined VPN user count (IPSec Client + AnyConnect Essentials) can't go beyond the maximum VPN count for each platform. You can find them in the ASA datasheet below.


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_data_sheet0900aecd80402e3f.html


See figure-3/Table-9.


Thanks,

Kiran

debra-brown Thu, 03/18/2010 - 13:35

Kiran,


Thanks very much for your prompt response and information.  One more question.  I have two ASAs and set them up as VPN Load Balancing.   Do I need to purchase AnyConnect Essentials licenses for both ASAs in order for load balancing for the AnyConnect client to work?  I am running the IPSEC VPN client.


Thanks


Debra

ksirupa Thu, 03/18/2010 - 14:36

Hi Debra,


As you are aware, there are 2 SSL VPN licenses on every ASA by default. So, if you install AnyConnect Essentials on only one of the cluster members (let's call it SSLASA), the master ASA may occasionally redirect some of your AnyConnect sessions to cluster members other than the SSLASA. If you don't configure the same SSL VPN configuration on all other cluster members, then your AnyConnect session will fail to connect. So, it is better to have the same AnyConnect Essentials license on both devices. Alternatively, you have to configure the same SSL settings on your other cluster members even though they have only 2 SSL licenses.


Let me know for further clarity.


Thanks,

Kiran

clausonna Tue, 03/16/2010 - 08:06

We have been using another vendor's web filtering solution for several years, and have built our policies around the way it works, its site categorizations, etc.  Although I am interested in the Secure Mobility functionality, and would be OK with deploying an IronPort to facilitate that, I have no intention or desire to maintain two separate web filtering policies.  Can I forward ICAP requests from the IronPort to my existing proxy servers?  In other words, is Secure Mobility interoperable with other web filtering solutions, or is Cisco suggesting that I rip-and-replace my existing filtering gear in order to use ACSM?

jeppich (Cisco Employee) Tue, 03/16/2010 - 08:52

Hi,


I don't think this would be possible, I will need to check this out.


However, at the heart of the CASM solution, is the AnyConnect client that accepts its 'secure connectivity' policies from the ASA head-end, and can be independent of web filtering solutions.


Thanks,

John

ksirupa Tue, 03/16/2010 - 17:55

Hi,


The AnyConnect Secure Mobility solution is tightly integrated with the WSA. The major advantage is that AnyConnect/ASA passes the remote username to the WSA, preventing subsequent authentication on the WSA. The WSA also supports location aware policies, so you can provide different levels of access based on whether the user is local or remote. The WSA also provides extensive reporting for remote user traffic.


If you really want to keep your existing web filtering solution, you could configure that proxy to be an upstream proxy for the WSA. But, the ASA or WSA wouldn't be able to forward remote user information to your upstream proxy and you wouldn't be able to enforce any custom policies based on user group or whether they are local or remote. Of course, your other proxy will query the user to enter authentication credentials. Let me know if you need further details about this; I can provide licensing information.


Thanks,

Kiran

daniel.litwin Tue, 03/16/2010 - 09:31

Currently we have 2 ASA5520 in Active/Standby configuration and we use both the AnyConnect and SSL (WebVPN) for a handful of users.  Licensing is as follows:


Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 150
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 25
Total VPN Peers                : 750
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Enabled

This platform has an ASA 5520 VPN Plus license.


We are currently in the process of upgrading to ASA 8.3 once the memory upgrade comes in.  We do not use CSA in our organization.  Can you briefly explain any advantage of AC Essentials and AC Premium over the AnyConnect client we are currently using?  If we were to go with AC Premium, does that require additional hardware for the CSA piece?


Thanks,

Dan


jeppich (Cisco Employee) Tue, 03/16/2010 - 11:54

Hey Daniel,


Either AC Essentials or AnyConnect Premium plays a major part in Cisco's Secure Borderless Network Strategy. (Please see http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/at_a_glance_c45-578609.pdf for more information.)


AC Essentials provides solely full tunnel connectivity and does not support advanced SSL VPN features such as Cisco Secure Desktop (CSD), Host Scanning, or clientless VPN tunnels, which are found in AC Premium.


Both are independent of CSA. Cisco Security Agent is a separate software solution offering Day-Zero protection.

(please see www.cisco.com/go/csa for more information)


If you are upgrading to ASA 8.3, talk to your Cisco account team to see if you are interested in participating in the AnyConnect 2.5 beta program.

AnyConnect 2.5 offers the following new VPN features: Optimal Head-End Selection, Always-On Connection-Failure Policies, Hotspot Detection & Remediation policies.


Thanks,

John

debra-brown Tue, 03/16/2010 - 10:21

Kiran,


We setup private IP addresses for VPN client (10.10.xxx.xxx).  What would happen if the Remote site has either the same private IP address or the same private subnet (10.10.xxx.xxx)?  Would the client still be able to get to my network regardless of the client type (Cisco VPN client, SSL client, SSL clientless)?


Thanks.


Debra

jeppich (Cisco Employee) Tue, 03/16/2010 - 13:32

Hey Debra,


You'll see the client will be able to establish the VPN session, but will not be able to connect to your network.


You'll see the following syslog message on your ASA: "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.10.x.x dest inside:10.10.x.x (type 8, code 0) denied due to NAT reverse path failure".


If NAT is configured on the ASA and you do not want to change the source IP of traffic going over the VPN tunnel, you would need to configure NAT exempt rules.  I've attached the following link for an example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step7



Thanks,

John

Jim Bell Tue, 03/16/2010 - 15:55

Hi Kiran,


Is it possible to create an AnyConnect group policy that would restrict access to users from known (trusted) public IP addresses, and other AnyConnect group policies that are less restrictive as to the source IP of connection attempts to the ASA?


Thanks


Jim.

ksirupa Tue, 03/16/2010 - 17:23

Hi Jim,


We can use Cisco Secure Desktop and Dynamic Access Policies together to achieve this. But, this requires AnyConnect Premium license.


Step-1: Configure Cisco Secure Desktop to scan for IP address and define a Policy as either "Trusted" or "Untrusted".


Step-2: Create a Dynamic Access Policy such that if Cisco.TunnelGroup = Trusted_TG but the CSD Policy is != Trusted, then set the connection to "Terminate". However, this assumes you have a way to map users automatically to a Tunnel Group.


Let me know if this satisfies your query.

Jim Bell Wed, 03/17/2010 - 07:06

Thanks Kiran,


That looks as though it would satisfy some of our requirements.


We have a further requirement where we have multiple users coming from within a large 3rd party organisation that wish to use AnyConnect VPN to a specific resource within our network (we know the source public IP address of the organisation's firewall that the multiple AnyConnect requests will be coming from).


We are keen to try and restrict AnyConnect attempts to access this specific resource to only be allowed from the (Trusted) 3rd Party source IP before the users are prompted to authenticate. Ideally we would like to restrict any other (untrusted) Internet users the capability of making authentication attempts to this resource.


Thanks Jim.

jeppich (Cisco Employee) Wed, 03/17/2010 - 11:42

Hey Jim,


In addition to Kiran's excellent information, you can also define 'Prelogin' Policies to satisfy your requirements.


You can define an 'IP Range Check' for the trusted range of IP addresses; if this check fails, this will represent untrusted Internet users. In addition, you can also create file checks on the laptop identifying it as a corporate laptop.


Enclosed is a link to the 'DAP Deployment Guide' that provides some of the capabilities:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml


Just as a reminder, a premium license is required.


Thanks,

John

Jim Bell Wed, 03/17/2010 - 13:34

Thanks John and Kiran


For your informative replies; they have been very helpful.


Regards


Jim.

sding2006 Thu, 03/18/2010 - 19:36

Hi Kiran,


Any recent Pattern Matching enhancements in Dynamic Access Policy? Is LUI still the way to go for the complex logic combinations?


For example, our LDAP server uses department = Computer Science:1 and department = Chemistry:2.

This means computer science is the primary major and chemistry is the secondary major. There might be another student with department = chemistry:1 and department = computer science:2; some students might have department = computer science, some might have department = chemistry.  We would like these students to be able to use the chemistry profile as long as there is chemistry in the department attribute. It was not possible for DAP to match this the last time I talked with TAC.


We can't match department = computer science.* like in Perl; we have to match the whole thing.  The LUI language was not working well when I last checked.  Any new improvement on the pattern matching?


Thanks,


Shiling

ksirupa Thu, 03/18/2010 - 20:25

Hi Shiling,


Do you by any chance have the TAC case number, so I can review the details?


There has been no further update to DAP pattern matching. The one example you gave me could be solved with DAP in its current form as in the attached diagram without using LUA expressions. Let me know if I am missing something.

sding2006 Fri, 03/19/2010 - 09:26

Thanks for the reply.


To clarify a little bit, the number after computer science or chemistry might have 1 to 10 values; it also reflects what percentage of time the person is working in that department. For example, computer science:1.1 means computer science is the primary major, working 1/10th of the time as a TA or RA.  It seems to me that doing a brute force enumeration is not the right way to do it.  So that's why we just want to be able to match a substring of an LDAP value.  TAC tried several approaches, but the complicated LUI will not work if the returned value does not have a computer science substring in it.



Shiling

ksirupa Fri, 03/19/2010 - 09:40

Ok, I understand now. Let me follow up on the pattern matching. Meanwhile, please review the recent LDAP browsing capability added to DAP. This lets you query AD and filter based on a substring. However, we still have to create conditions for all enumerations, so this is not ideal. But, I want to make sure you are aware of this option introduced in the ASDM 6.2 release.

ksirupa Fri, 03/19/2010 - 12:14

Hi Shiling,


I am not sure which LUA expression you were using. I have attached a LUA example from our developers. Please review this; maybe it will help. If it's the same as what you have, please excuse me.


Thanks,

Kiran

sding2006 Fri, 03/19/2010 - 12:34

Hi Kiran,


I think we got a similar one to yours. One scenario: if aaa.cisco.ipaddress is not in the returned attribute list, then the function will have an exception.


Shiling
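
The substring match Shiling asks for, written as a DAP advanced (LUA) expression. This is an added example, not the attachment Kiran posted or Cisco's own sample; it assumes the LDAP attribute reaches the ASA under the name department, uses "chemistry" as a constructed target value, and matches case-insensitively so "Chemistry:2" and "chemistry:1.1" both count. It also checks that the attribute is present before touching it, which is what avoids the exception Shiling describes when an attribute such as aaa.cisco.ipaddress is missing from the returned list.

```lua
-- Added example of a DAP advanced (LUA) expression (not the attachment from
-- the thread). It returns true when ANY value of the LDAP "department"
-- attribute contains the substring "chemistry", regardless of the ":1",
-- ":2" or ":1.1" suffix, so the matching DAP record can apply the chemistry
-- profile. The attribute name "department" and the target "chemistry" are
-- assumptions for this example.
assert(function()
    local wanted = "chemistry"          -- constructed target substring (lower case)
    local attr = aaa.ldap.department    -- may be nil, a string, or a table of strings

    -- Test a single value; plain=true makes string.find treat "wanted" as
    -- literal text, not as a Lua pattern.
    local function matches(value)
        if type(value) ~= "string" then
            return false
        end
        return string.find(string.lower(value), wanted, 1, true) ~= nil
    end

    if attr == nil then
        -- Attribute was not returned by the server: treat as no match
        -- instead of indexing a missing value and raising an error.
        return false
    elseif type(attr) == "string" then
        -- Single-valued attribute, e.g. "Chemistry:2"
        return matches(attr)
    elseif type(attr) == "table" then
        -- Multi-valued attribute, e.g. {"Computer Science:1", "Chemistry:2"}
        for _, value in pairs(attr) do
            if matches(value) then
                return true
            end
        end
    end
    return false
end)()
```

The same nil/string/table guard can be wrapped around any other aaa.* or endpoint.* attribute that is only sometimes present.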



laurabolda Sun, 03/21/2010 - 22:16

Kiran,


We have an ASA 5550.  Currently, the users need to install a client to get to the Payroll systems.  Is it possible to setup this payroll application under Cisco Secure Desktop so the users do not need to install the client at their computers?  Do you have the examples?


Please let me know if you have any questions or need additional information. Thanks.


Laura

ksirupa Sun, 03/21/2010 - 22:38

Hi Laura,


Whether we could use the Clientless SSL VPN or not for your end-users depends on the type of application that you have. Most of the TCP based applications using either java and/or WinSock are known to be compliant with Clientless SSL VPN. 


You can find more configuration examples from the deployment guide:


http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1016526


Technical Details: When you use Clientless VPN, the ASA acts as a proxy and displays most of the webified applications (OWA, Citrix Web Interface) after content rewrite. (I know this sounds very cryptic, but if you google for Clientless SSL VPN, you will notice this to be an industry standard method.) Clientless VPN also offers Java Applets for popular remote access applications such as RDP, VNC, Citrix and SSH. If you have a specific Client/Server application (e.g. perforce.exe, vmview.exe, putty.exe), you may use Smart Tunnels for this application. When you enable Smart Tunnel for a specific application, the ASA downloads a DLL module to the end-user device which acts as a proxy, monitors the specific application for network calls and proxies them to the VPN gateway.


Each ASA has 2 SSL VPN premium licenses by default. So, you may want to test it yourself whether the application works well with Clientless VPN with or without using Smart Tunnels. If you are allowed to share the application name or details, I can also review our history to see if someone else got it working and if there are any known caveats.


Let me know for further clarification.


Thanks,

Kiran

laurabolda Sun, 03/21/2010 - 23:14

Kiran,


Thank you very much for your quick response and information.  So, Cisco Secure Desktop only runs on SSL clientless?  We are using Hummingbird Host Explorer, ver. 9.0 to login to the Payroll systems.  However, we are planning to use IBM Personal Communications (PCOMM) as a client by the end of this year.  We are testing PCOMM right now.


I have not looked at the documentation that you sent.  By the way, is there a limit of number of applications on Cisco Secure Desktop?  Can you open multiple applications at the same time?


Thanks.


Laura

ksirupa Sun, 03/21/2010 - 23:45

Hi Laura,


Cisco Secure Desktop is independent of Clientless SSL VPN. You can deploy Cisco Secure Desktop with AnyConnect client as well. The Cisco Secure Desktop provides functionality such as:


HostScan - Scan the end-device for watermarks (Registry, Certificate, File, IP address etc).

EndPoint Assessment - Scan for the DAT version of Anti-Virus, Anti-SpyWare and Personal Firewall.

Secure Desktop - An Encrypted virtual workspace created after establishing VPN connection (either AnyConnect or Clientless SSL VPN). This virtual workspace will be destroyed after disconnecting from VPN.

Cache Cleaner - Cleans the browser cache after disconnecting from VPN.


I researched our database and noticed that one other customer was using Passport (ZephyrCorp), which is very similar to the Hummingbird Host Explorer. Both are TN3270E emulators. In that instance, smart tunnels was able to work with that application, with one of the application features not working. This case was opened a long time back, in Jul 2008. Hence, I suspect most of the recent bug fixes in smart tunnels would have resolved the problems. So, I recommend that you test the Hummingbird client using Smart Tunnels.


I didn't notice any mention of PCOMM in the database, so I am not sure about that. However, in general, any Windows TCP based application works with Smart Tunnels. If it doesn't work, we can work with Cisco TAC.


I suppose you meant whether we can support multiple applications using Clientless SSL VPN. Yes, we can. However, as an administrator you will have to enter the process names (e.g. hummingbird.exe, pcomm.exe) as a list of supported applications for Smart Tunnels.


On the other hand, you can open multiple applications inside the Cisco Secure Desktop (virtual encrypted workspace).


Thanks,

Kiran

laurabolda Mon, 03/22/2010 - 09:11

Kiran, thank you very much for taking time to answer my questions and doing the research.


Laura

laurabolda Wed, 03/24/2010 - 14:49

Kiran,


Thanks again for the info.  I followed the Deployment Guide that you sent http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1016526.  I got the error message after typing in the IP address.  Perhaps, you can tell me what I am missing.   I setup SSL Clientless.  I also setup user accounts on the local database on the ASA.  Then, I open a web browser and type https and the IP address (step 2 on page 14).  After following a few instructions on the screen, I got the error message:  "Secure Desktop:  This computer does not match the location settings.  You cannot continue.  Contact your IT Administrator for more information"


Please let me know if you need additional information or the print screen.


Thanks.


Laura

ksirupa Wed, 03/24/2010 - 17:33

Hi Laura,


It appears you have Cisco Secure Desktop enabled even though it is not properly configured. Can you try disabling CSD? It is under "Secure Desktop Manager" --> Setup; uncheck "Enable Secure Desktop".


Once you verify that Clientless SSL is working,  you can enable "Cisco Secure Desktop" and follow the steps in the same guide:


http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062


Thanks,

Kiran

laurabolda Thu, 03/25/2010 - 14:08

Thanks again for your help,  Kiran.  You are right.  Cisco Secure Desktop is not configured properly.  I need to go back and check it again.  I no longer got the error message after disabling Cisco Secure Desktop.


Questions:


1.  When I type the IP address of the outside interface of the ASA in Internet Explorer, I got the message about the certificate "There is a problem with this website's security certificate."  Then, I got 3 choices to close the webpage, or continue to this website, or more information.  If I select Continue to this website, I get the Login page displayed which is fine.  I want to know if there is a way to get rid of the message about the certificate.  I just want the Login page displayed after typing the IP address.  I am running Internet Explorer, ver. 8


2. I wanted to download the plug-ins for clientless connection as instructed on page 46.  There are several plug-in files for RDP on Cisco web site.  Would you download the latest plug-in RDP file (RDP-plugin.080103.jar, RDP-plugin.080506.jar, rdp-plugin.jar)?


Please let me know if you need additional information.


Thanks.


Laura

jeppich (Cisco Employee) Thu, 03/25/2010 - 16:17

Hi Laura,


(1) For testing, you can create a cert locally using the IP address from your ASA as a trusted source & store this locally as a 'trusted cert authority'; this should rid you of the 'cert messages'.

Below are the steps:

You'll see the message '....do you wish to proceed.."

Select "View certificate"
Select "Install"
Select "Next"
Select "Place all certs in the following store"
Select "Trusted cert Authority"
Click "OK"
Click "Next"
Click "Finished"

You'll see a security warning with the following message...

"..You are about to install a cert from a cert authority claiming to represent
"xxx.xxx.xxx.xxx.(your ASA IP address)..

(You'll be assigned a thumbprint to enable the cert)

Warning, Windows will automatically trust a cert issued by the CSA....

Do you wish to install the cert click "Yes"

You will see the 'import was successful'.


For deployment, you would require a valid certificate for the ASA. You would need to create a trustpoint and associate the certificate to the trust point, and then associate the trust point to the outside interface.

Also, the certificate uploaded must be issued by a certificate provider that is trusted by the end-user browser.

(i.e. the link below shows how to install a cert from digicert to the ASA.)

http://www.digicert.com/ssl-certificate-installation-cisco-asa-5500.htm

For reference, please see: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html


(2) The RDP plugin depends on the platform that you will be running on:


As an example, rdp-plugin.080506.jar will be supported for Remote Desktop ActiveX, accessing Windows Terminal Services hosted by Windows 2003 R1.


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1292902


Thanks,

John

laurabolda Thu, 03/25/2010 - 17:51

Thanks John for your prompt response and information.  I will look at the documentation.  I want to configure the non-browser-based applications such as RDP and an application that connects to the Mainframe (Hummingbird Host Explorer).  I would like to know if I need to import the plug-ins.  Look at page 52 on this link:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062


Thanks.


Laura

ksirupa Thu, 03/25/2010 - 21:24

Hi Laura,


You don't need to import the plug-ins if you only want to use Smart Tunnels as described in Page-52. When you use Smart Tunnels, you are going to use the RDP client on the end-user laptop instead of downloading a java applet based plug-in.


So, you can create a Smart Tunnel for mstsc.exe, and also for Hummingbird (I hope you can find the process name using "Task Manager" in Windows). Once you create the Smart Tunnel list, you can assign it to the Group Policy under "Portal".


On the other hand, if you want to support Java Applet based plug-ins for VNC, RDP, SSH/Telnet then you have to upload the plug-ins.


Thanks,

Kiran

debra-brown Sun, 03/21/2010 - 22:50

Kiran,


Thanks very much for taking time to answer my questions.  For some reason, I do not see the button to rate.  Is it turned off or is it my browser?  I am using Internet Explorer 8.0.


Question:  When Cisco releases a new SSL client, does the new SSL client update automatically when the users login to VPN?  Do the users need to have Local Admin privileges in order to update the SSL client?


Thanks.


Debra
