Cisco Support Community
New Member

Using Clientless VPN securely

Hello,

I've been playing with the Cisco Clientless VPN, but I'm a little worried about going live with it as it is currently set up with an SSL cert and the default logon screen where users put in their MS Active Directory account to gain access to certain portal pages.  I don't really like having our AD exposed to the Internet and wondered what solutions are out there to help with this?

Thanks

9 REPLIES
VIP Purple

Using Clientless VPN securely

There are a couple of things to consider. Here are the three most important points (IMO):

  1. Educate your users to never accept a certificate warning message when connecting to the VPN (yes, I know that this will not work for all users ...)
  2. Deploy a second factor for authentication. For VPN I really like the solution from DuoSecurity, but there are many more.
  3. Don't forget to deploy webtype ACLs. Just because the users don't have a shortcut for an internal resource doesn't mean that they can't access them.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
New Member

Using Clientless VPN securely

I think I need to update to 9.1 at some point as we are on 8.2, but the NAT changes have held me back.

Can you explain what you mean by the webtype ACLs?

Thanks

VIP Purple

Using Clientless VPN securely

For clientless VPN you should always run new ASA versions, also to support modern operating systems.

Here is more on webtype ACLs:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_webtype.html

New Member

Using Clientless VPN securely

Thanks, I just had a look at Duosecurity, so how does this work from a users point of view?  If they go to say https://clientlessvpn.company.com will they get the usual Cisco logon page or something else?

Sorry I really have had no experience yet with this type of authentication.

VIP Purple

Using Clientless VPN securely

The users see two password fields. The first password is used for domain-authentication. The second as a second factor.

The input of the second field can be a one-time password that your smartphone can generate, or that you get by SMS if the user doesn't have a smartphone. Or for smartphone users it can be the keyword "push", which means that they send a push notification to the smartphone of the user, where the user acknowledges that the VPN should be established. So without the phone, the VPN can't be established.

And for maximum security you would only allow a terminal session (i.e. RDP or VNC) to an internal VM with all disk-sharing disabled.

New Member

Using Clientless VPN securely

So how is the second password field enabled?  Is it on the same window as the default Cisco logon page?  Don't suppose you have a screenshot?

So you recommend something like Citrix (which we have). 

Hardest part I guess would be to move our users away from using the VPN client and the Anyconnect client as they love their mapped drives etc.

VIP Purple

Using Clientless VPN securely

At the moment I don't have it enabled for clientless. But it could look similar to this screenshot from the AnyConnect client:

The secondary authentication is enabled in the tunnel-group and the Login-page is completely customizable.

The nice thing about a terminal session is that files can be prevented from leaving the company. But if your users need their local desktop on the notebooks, a good endpoint-security with full harddrive encryption could perhaps also be sufficient.

New Member

Using Clientless VPN securely

Thanks for this.

Sorry for the silly question, is there anyway a user can connect to their mapped drives on their laptop if they use the clientless vpn?

VIP Purple

Using Clientless VPN securely

With clientless, there are no mapped drives. But you can allow access to shared folders inside of the clientless portal. But that's far away from being comfortable.
