Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Best way to allow contractors to VPN in?

The goal: Allow contractors VPN access to our company network utilizing VPN while minimizing risk and maximizing ease and convenience.

Question: We are using Cisco ASA 5540's with SSL VPN clients for employees and contractors. We check to see if the machine is an asset and then allow it to connect to the VPN after the user is authenticated. If they're a contractor, we're imposing an Access Control List (ACL) on them and enabling split tunneling.

We'd like to limit this even further, since right now we have to support our vpn client on THEIR computer, which a bit sticky and also we don't trust their computer - with antivirus etc.

What we're thinking about is to allow them to WEBVPN, which is basically an encrypted reverse proxy and then allow them to remote control a "pc farm" in a DMZ running on vmware or Windows Terminal Serer. Then, they'd be using one of OUR assets - for which we can maintain appropriate patches, antivirus, etc. Then, we can build firewall rules allowing their RDP session in through the firewall.

Is this how you do it? Or would do it? Or do you have a better idea?

1 REPLY

Re: Best way to allow contractors to VPN in?

What we're thinking about is to allow them to WEBVPN, which is basically an encrypted reverse proxy and then allow them to remote control a "pc farm" in a DMZ running on vmware or Windows Terminal Serer....

Brannen,

This is an excellent solution for your concerns, at least for me. You have prety much lay down a very good RA access control for contractor users, you could also throw in per user vpn filters and have a single ssl tunnel for contractors to even segregate your contractors per username if they happen to be in different companies.

Remote access VPN filters

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Also there are other solutions for your main concern you previously posted like for example

RA users personal systems and viruses on none company machines, I will post the link for just reference in future etc..

Network Admision Control framework, but that requires other platforms and architecture.

http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html

137
Views
0
Helpful
1
Replies