Disable install of AnyConnect

Answered Question

I have run into two problems with my VPN that I have not been able to figure out:

1.  If a user has permission to access the AnyConnect VPN and they go to access the RDP SSL VPN, then it automatically downloads and installs the AnyConnect.  Is it possible to disable the auto download and install of the AnyConnect client?

2.  If a user belongs to the AD groups for both the AnyConnect VPN and the RDP VPN, then that user can only access the RDP VPN.  Is there a way to allow a user that is a member of both groups to access both VPN types (not simultaneously of course)?  Or would it be better if I create a new AD group that allows both connections?

Currently I have 4 ways to connect into the VPN:

An SSL Tunnel to my EDI RDP server (For contractors)

An SSL Tunnel to my RDP server

An SSL Tunnel to my webmail

And using the AnyConnect application

The biggest problem is finding a way to disable the automatic download and install of the AnyConnect client.

Here is my config that I am using:

ldap attribute-map VPNAccessMap
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=EDI Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" EDIAccessPlc
  map-value memberOf "CN=OWA Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" OWAAccessPlc
  map-value memberOf "CN=TS Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" TSAccessPlc
  map-value memberOf "CN=VPN Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" AnyConnectAccessPlc
dynamic-access-policy-record SSLDenyPlc
user-message "Access Denied"
action terminate
webvpn
  file-browsing disable
  file-entry disable
  http-proxy disable
  url-entry disable
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (IntNet) host DomainController
server-port 636
ldap-base-dn DC=test,DC=corp
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn CN=TestDude,OU=Users OU,DC=test,DC=corp
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map VPNAccessMap

webvpn
enable IntNet
enable ExtNet
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy EDIAccessPlc internal
group-policy EDIAccessPlc attributes
vpn-tunnel-protocol webvpn
webvpn
  homepage value rdp://10.1.2.40/?geometry=1024x768
group-policy TSAccessPlc internal
group-policy TSAccessPlc attributes
banner value Terminal Server Access Policy
vpn-tunnel-protocol svc webvpn
webvpn
  homepage value rdp://10.1.2.70/?geometry=1024x768
group-policy OWAAccessPlc internal
group-policy OWAAccessPlc attributes
banner value Outlook Web Access Policy
vpn-idle-timeout 20
vpn-tunnel-protocol webvpn
webvpn
  url-list value OWA
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable
group-policy AnyConnectAccessPlc internal
group-policy AnyConnectAccessPlc attributes
dns-server value 10.1.2.3 10.1.2.80
vpn-tunnel-protocol svc
address-pools value SSLDHCP


tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_SRV_GRP

Correct Answer by Diego Armando C... about 6 years 5 months ago

To disable the client installation just modify the group policy

SanJose(config)# group-policy NAME attributes
SanJose(config-group-policy)# webvpn
SanJose(config-group-webvpn)# svc keep-installer none

For the second question, go ahead and create a second AD group.

Overall Rating: 5 (1 ratings)
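
An added example, not part of the original thread and not Cisco tooling: a small Python check that reads the attribute map and group policies posted in the question and reports, for a user's AD groups, which group policies the map points to and which tunnel protocols each allows. The function names are hypothetical and the embedded config is a trimmed excerpt of the one in the question; a result with more than one policy is the dual-membership case from the second question.

```python
import re

# Excerpt of the config posted in the question, trimmed to the lines this check reads.
CONFIG = '''\
ldap attribute-map VPNAccessMap
  map-value memberOf "CN=EDI Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" EDIAccessPlc
  map-value memberOf "CN=OWA Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" OWAAccessPlc
  map-value memberOf "CN=TS Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" TSAccessPlc
  map-value memberOf "CN=VPN Access Grp,OU=VPN OU,OU=Groups,DC=test,DC=corp" AnyConnectAccessPlc
group-policy EDIAccessPlc attributes
vpn-tunnel-protocol webvpn
group-policy TSAccessPlc attributes
vpn-tunnel-protocol svc webvpn
group-policy OWAAccessPlc attributes
vpn-tunnel-protocol webvpn
group-policy AnyConnectAccessPlc attributes
vpn-tunnel-protocol svc
'''

def parse(config):
    """Return ({AD group DN: policy name}, {policy name: set of tunnel protocols})."""
    group_to_policy, protocols, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r'map-value\s+memberOf\s+"([^"]+)"\s+(\S+)$', line)
        if m:
            group_to_policy[m.group(1)] = m.group(2)
        elif (m := re.match(r'group-policy\s+(\S+)\s+attributes$', line)):
            current = m.group(1)  # following lines belong to this policy
        elif line.startswith('vpn-tunnel-protocol ') and current:
            protocols[current] = set(line.split()[1:])
    return group_to_policy, protocols

def candidate_policies(member_of, config=CONFIG):
    """Policies a user's memberOf values map to, with the protocols each permits."""
    group_to_policy, protocols = parse(config)
    names = sorted({group_to_policy[dn] for dn in member_of if dn in group_to_policy})
    return {name: sorted(protocols.get(name, ())) for name in names}

def svc_policies(config=CONFIG):
    """Group policies whose vpn-tunnel-protocol line includes svc (AnyConnect)."""
    _, protocols = parse(config)
    return sorted(p for p, protos in protocols.items() if 'svc' in protos)

if __name__ == "__main__":
    dn = "CN={},OU=VPN OU,OU=Groups,DC=test,DC=corp".format
    print(svc_policies())
    print(candidate_policies([dn("TS Access Grp"), dn("VPN Access Grp")]))
```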
Diego Armando C... Mon, 07/05/2010 - 13:49
