Force Anyconnect?

Alan Herriman
Level 1

Hello All,

I think this is a pretty easy question, but I was unable to find a good answer anywhere. Is it possible to force a client to connect with AnyConnect when they get an internet connection? Basically, this would be for client control. Split tunneling would be disabled, so all traffic would have to go through the VPN. They wouldn't be able to browse the internet when not on the AnyConnect VPN client. Is this even possible?

Thanks,

Alan

Accepted Solution

Dear Alan,

Thank you for posting.

Please check this out:

Trusted Network Detection

"Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network). This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network."

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1059922

Keep me posted.

Thanks.


11 Replies

Hello Javier,

Thanks for the reply; that is in the direction I was going with my question. It doesn't seem like there is a way to force the user to use the AnyConnect VPN. It would be nice if we could have our clients either connected to the Internet with the AnyConnect VPN or not at all. That way we can control all the traffic on those machines. Thanks again for the post, very useful information.

Best Regards,

Alan Herriman

Actually, the Always-on VPN feature together with the TND feature seems like it would do the job; that document had it listed a little further down.

Thanks again Javier!

Yes, I actually wanted to post about Always-on, but it will always force the VPN connection, so I was not sure if that was the ideal feature for you.

I am glad to know you find it helpful.

Take care

MarkoTanaskovic
Level 1

You would need the AnyConnect TND feature with the Always-on functionality, plus, optionally, an IronPort Web Security appliance (if you want extra control and protection).

Basically, TND and Always-on would keep the employee either disconnected when on premises or connected when off premises. When connected, the tunneled traffic would be routed to a WCCP-speaking router and sent to IronPort for inspection, and back through the ASA to the internet. The ASA integrates with the IronPort via the MUS protocol for user identity forwarding.

If no extra inspection is required, then user traffic is U-turned and NATed back to the internet. It is a rather simple setup altogether.

The behaviour of the employee AnyConnect client is remotely controlled via the client profiles.

Always-on requires SSL Premium licenses. This costs a lot more than Essentials.

Hope this helps.


Thanks for the reply Marko,

Do you know if the TND feature requires a premium license as well? Good licensing info!

Thanks,

Alan

According to the documentation, TND does not seem to require the premium license. However, what would be the use case without some sort of connection enforcement/automation? The users are generally aware when they are not on-premise :-)

Regards,

Marko

vabruno
Level 1

Actually, I have done lots of testing with AnyConnect Always-on and TND. It seems to work well; however, you have to make sure of a few things for this to work correctly if you want the user experience to be smooth. Some of this information is lacking in Cisco's documentation, but I learned the hard way.

Requirements for Always-on

- ASA Premium AnyConnect license; the Essentials license will not work.

- You will need a third-party cert (like VeriSign or equivalent) applied to the ASA.

- You will also need a private trusted certificate on the ASA that is trusted by your internal CA, and a client-side cert on your machines using AnyConnect; this is what will be used to authenticate the end user. You can also use the ASA's built-in CA capabilities if you don't have an internal CA. You will need to figure out how you want to distribute these certificates, by using GPO or SCEP, which is supported by the ASA and works pretty nicely.

Depending on how and what you want to run prior to Windows login, you may want to use the AnyConnect Start Before Logon feature if you are running login scripts to map drives, etc. We use both.

Last but not least, depending on what you use for your 802.11 and 802.1X supplicant, you may want to look at the Cisco AnyConnect NAM module, which is free with AnyConnect and requires no additional license. It works nicely, lets you pre-configure connection policies, and helps AnyConnect transition between wired, wireless, etc. connections.

Good luck with your testing.

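As an added illustration of the points above (Marko's note that client behaviour is controlled through the client profile, and vabruno's requirements list for Always-on with Start Before Logon), here is an AnyConnect VPN client profile that combines Trusted Network Detection with Always-on. This is an example written for this page, not a profile posted by either participant; the domain name, DNS server addresses and VPN headend hostname are assumed placeholders, and the element names are those used by the AnyConnect 3.x profile editor.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example AnyConnect VPN client profile (not from the original thread).
     corp.example.com, 10.0.0.10/10.0.0.11 and vpn.example.com are assumed
     placeholders; replace them with your own values. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start Before Logon so login scripts and drive mappings run over the tunnel.
         UserControllable="false" prevents the user from turning it off. -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

    <!-- Trusted Network Detection: the client is "trusted" only when the
         DNS suffix AND DNS servers it learns both match these values. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.10,10.0.0.11</TrustedDNSServers>

      <!-- On premises: tear the tunnel down. Off premises: bring it up. -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>

      <!-- Always-on: enforce the tunnel whenever the client is untrusted. -->
      <AlwaysOn>true
        <!-- Closed = no network access if the headend cannot be reached
             (fail-closed). Use Open for fail-open behaviour. -->
        <ConnectFailurePolicy>Closed
          <!-- Let the user pass a hotel/airport captive portal for a few
               minutes even while fail-closed, so they can reach the headend. -->
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <!-- Do not show the user a "Disconnect" button while Always-on. -->
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The profile is uploaded to the ASA and attached to the group policy, so the headend pushes it to every client on its next connection; the client then enforces the policy locally. Two things to check before rolling this out broadly: TND treats the network as trusted only when both the DNS suffix and the DNS server list match, so a laptop that gets a different resolver (for example from a home router that proxies DNS) will be classified as untrusted and will try to connect, which is usually what you want; and with ConnectFailurePolicy set to Closed, a headend outage or an expired certificate leaves the user with no connectivity at all except the captive-portal window, so the fail-closed choice is really a decision about how you will support users who cannot reach the headend.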

Thanks for the info Vabruno that was all really useful information!

Can anyone share their experience with a large-scale deployment of Always-on, with either the fail-open or the fail-closed option? I have concerns about end-user support if their VPN doesn't work, especially with fail-closed. How do you support these users?

Hi Jintao99,

This post has been answered already, I encourage you to open a new one and ask again, it will be more visible as a new post.

Thanks.

Portu.
