11-04-2013 10:32 AM
Hello,
I've been playing with the Cisco Clientless VPN, but I'm a little worried about going live with it as it is currently set up with an SSL cert and the default logon screen where users put in their MS Active Directory account to gain access to certain portal pages. I don't really like having our AD exposed to the Internet and wondered what solutions are out there to help with this?
Thanks
11-04-2013 10:42 AM
There are a couple of things to consider. Here are the three most important points (IMO):
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-04-2013 10:59 AM
I think I need to update to 9.1 at some point as we are on 8.2, but the NAT changes have held me back.
Can you explain what you mean by the webtype ACLs?
Thanks
11-04-2013 11:05 AM
For clientless VPN you should always run new ASA versions, also to support modern operating systems.
Here is more on webtype ACLs:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_webtype.html
11-04-2013 11:11 AM
Thanks, I just had a look at Duo Security, so how does this work from a user's point of view? If they go to say https://clientlessvpn.company.com will they get the usual Cisco logon page or something else?
Sorry I really have had no experience yet with this type of authentication.
11-04-2013 11:24 AM
The users see two password fields. The first password is used for domain authentication, the second as a second factor.
The input of the second field can be a one-time password that the user's smartphone generates, or one received by SMS if the user doesn't have a smartphone. Or, for smartphone users, it can be the keyword "push", which sends a push notification to the user's smartphone where the user acknowledges that the VPN should be established. So without the phone, the VPN can't be established.
And for maximum security you would only allow a terminal session (i.e. RDP or VNC) to an internal VM with all disk sharing disabled.
11-04-2013 12:10 PM
So how is the second password field enabled? Is it on the same window as the default Cisco logon page? Don't suppose you have a screenshot?
So you recommend something like Citrix (which we have).
Hardest part I guess would be to move our users away from using the VPN client and the Anyconnect client as they love their mapped drives etc.
11-04-2013 02:30 PM
At the moment I don't have it enabled for clientless. But it could look similar to this screenshot from the AnyConnect client:
The secondary authentication is enabled in the tunnel-group, and the login page is completely customizable.
The nice thing about a terminal session is that files can be prevented from leaving the company. But if your users need their local desktop on the notebooks, good endpoint security with full hard drive encryption could perhaps also be sufficient.
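To make the two earlier points concrete (webtype ACLs restricting what the portal exposes, and the second password field coming from a secondary authentication server group in the tunnel-group), here is an added ASA configuration example. It is not taken from the thread or from any poster's configuration. Assumptions: ASA 8.4/9.x syntax, an AD LDAP server group named AD_LDAP that already exists, a RADIUS proxy for the one-time-password/push service at the made-up address 10.0.0.20, and an internal jump VM at the made-up address 10.0.0.30 that is reachable only as an RDP bookmark.

```cisco
! Second-factor server: a RADIUS proxy in front of the OTP/push service.
! Name, address and shared secret are placeholders for this example.
aaa-server DUO_RADIUS protocol radius
aaa-server DUO_RADIUS (inside) host 10.0.0.20
 key <radius-shared-secret>
 ! Push approvals take a while; give the user time to tap "approve".
 timeout 60

! Webtype ACL: the portal may only open the RDP session to the jump VM.
! Everything else (CIFS shares, internal web apps, arbitrary URLs) is denied and logged.
access-list PORTAL_ACL webtype permit url rdp://10.0.0.30/*
access-list PORTAL_ACL webtype deny url any log

! Group policy for the clientless portal: clientless only, with the webtype ACL applied.
group-policy CLIENTLESS_GP internal
group-policy CLIENTLESS_GP attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  filter value PORTAL_ACL

! Tunnel group: first password checked against AD, second password against the
! RADIUS proxy (the second field on the login page comes from this line).
! use-primary-username means the user types the AD username only once.
tunnel-group CLIENTLESS_TG type remote-access
tunnel-group CLIENTLESS_TG general-attributes
 authentication-server-group AD_LDAP
 secondary-authentication-server-group DUO_RADIUS use-primary-username
 default-group-policy CLIENTLESS_GP
tunnel-group CLIENTLESS_TG webvpn-attributes
 group-alias Portal enable

! Enable the portal on the outside interface and show the group alias drop-down.
webvpn
 enable outside
 tunnel-group-list enable
```

With this in place, the AD password is still the first factor, but a stolen or guessed AD password alone no longer gets anyone into the portal, and even an authenticated user can only reach the one RDP target the ACL permits. Disabling drive redirection on the RDP host is a setting on that host, not on the ASA, so it is not shown here. The `deny url any log` line is worth keeping: hits against it are an easy thing to watch for in syslog, since a legitimate user of this portal should never trigger it.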
11-05-2013 12:34 AM
Thanks for this.
Sorry for the silly question, is there any way a user can connect to their mapped drives on their laptop if they use the clientless VPN?
11-05-2013 12:56 AM
With clientless, there are no mapped drives. But you can allow access to shared folders inside of the clientless portal. But that's far away from being comfortable.