We believe this is relatively new. CX module is prompting for credentials (Active Auth) for users at home, connecting to Outlook Web Access, Citrix, etc. inside of the firewall. Internal users using the same resources are not.
I cannot even visualize where the CX module would be inspecting the traffic in, then out again for an internal server.
What configuration / policies exist to control that behavior?
The CX will inspect traffic per its rules according to the service-policy on the ASA. If traffic isn't flowing through the firewall (e.g. internal users) the service policy will never redirect the flow to the CX for inspection. You could reference an ACL in the service-policy exempting flows from the VPN pool addresses to your internal servers from inspection.
Re: CX Prompting for Authentication to Citrix, OWA
Actually, I am talking about pure port 80/443 traffic inbound to our OWA, Citrix. If our users are at home, via VPN, the CX behaves correctly - using passive authentication via the AD agent. If the user is not on VPN, goes to OWA or Citrix via their browser (80/443) they see the login screen load for OWA, Citrix but immediately receive a pop-up from the CX module requiring active authentication.
Because you have the class map with cxsc redirection in your global policy it will apply to all interfaces. The ones I have setup applied the CX inspection to outbound user traffic (e.g. that coming into the Inside interface). That is, specify Inside at step 8 of the configuration guide here.
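An added configuration example (not posted in this thread) showing both suggestions above: an ACL that exempts VPN-pool flows to the internal servers from CX redirection, and the cxsc service-policy applied to the inside interface instead of the global policy, so inbound Internet traffic to OWA/Citrix is never handed to the CX auth-proxy. Object names, the interface name and all addresses are placeholders.

```cisco
! Internal servers and the VPN address pool (placeholder values)
object network OWA_SERVER
 host 10.10.10.25
object network CITRIX_SERVER
 host 10.10.10.30
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
!
! Traffic to send to the CX module: everything from the inside,
! except VPN-pool users reaching OWA/Citrix, which are exempted so the
! flow is not re-inspected when it comes back in through the firewall.
access-list CX_REDIRECT extended deny ip object VPN_POOL object OWA_SERVER
access-list CX_REDIRECT extended deny ip object VPN_POOL object CITRIX_SERVER
access-list CX_REDIRECT extended permit ip any any
!
class-map CX_CLASS
 match access-list CX_REDIRECT
!
! Take cxsc redirection out of the global policy, which applies to
! every interface (replace CX_CLASS with the class name you used there)
policy-map global_policy
 no class CX_CLASS
!
! ...and redirect only traffic arriving on the inside interface.
policy-map CX_INSIDE_POLICY
 class CX_CLASS
  cxsc fail-open auth-proxy
!
service-policy CX_INSIDE_POLICY interface inside
!
! Verify: cxsc should now appear only under the inside interface policy
show service-policy interface inside
```

After this change, external users hitting OWA/Citrix from the Internet pass the outside interface without CX redirection, while VPN users continue to be identified through passive authentication on their other flows.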