topic Re: Cisco Secure Desktop on FTD in Network Security

Cisco Secure Desktop on FTD

andypowernet85 — Mon, 10 Mar 2025 14:01:18 GMT

Afternoon,

When browsing to the public IP of the FTD managed by FMC, I am being directed to /CACHE/sdesktop/install/start.html and presented with a Cisco Secure Desktop page. Does anyone know this can be disabled and why it is being presented?

Regards,

Re: Cisco Secure Desktop on FTD

rschlayer — Mon, 10 Mar 2025 14:20:32 GMT

Looks like you have AnyConnect VPN enabled, you can disable that portal using FlexConfig: https://bst.cisco.com/bugsearch/bug/CSCvp81746

Re: Cisco Secure Desktop on FTD

andypowernet85 — Mon, 10 Mar 2025 15:15:21 GMT

Thanks, but that would not help if you still wanted to provide access to the web portal to download anyconnect.

Re: Cisco Secure Desktop on FTD

Marvin Rhoads — Mon, 10 Mar 2025 15:29:16 GMT

@andypowernet85 please see this bugID: https://bst.cisco.com/bugsearch/bug/CSCwi63184?rfs=qvred

Basically, you need to add a Flexconfig to specify "without-csd" in your tunnel-group (aka connection profile)

Re: Cisco Secure Desktop on FTD

andypowernet85 — Mon, 10 Mar 2025 16:37:27 GMT

Thanks for the info! That would be under both defaultwebvpn and the specific RA connection profile?

Re: Cisco Secure Desktop on FTD

Marvin Rhoads — Tue, 11 Mar 2025 03:28:43 GMT

@andypowernet85

If they are exposed via your VPN configuration, yes.

Re: Cisco Secure Desktop on FTD

ronnie.shih — Thu, 28 Aug 2025 14:29:31 GMT

I am facing this same issue, except, we have dynamic access policy for endpoint posture scan enabled. Our security team flagged and hunted after me saying "why are our FTDs showing this cisco secure desktop page?" and is there anyway to disable it? I configured a group-url, inserted "without-csd" flag under webvpn along with a keepout message. Cisco secure desktop page now does not show, but at the same time, posture scan is no longer happening.

So is there a way to make dynamic access policy with posture scan work without showing the cisco secure desktop page when browsing to the vpn access URL of the FTD?

Re: Cisco Secure Desktop on FTD

Marvin Rhoads — Thu, 28 Aug 2025 15:11:49 GMT

@ronnie.shih unfortunately, no. Enabling DAP with posture scanning means you will see the CSD page, even though that feature is not in use. I doubt this will ever change since it is mostly a legacy feature and not being actively developed/enhanced.

Re: Cisco Secure Desktop on FTD

ronnie.shih — Fri, 29 Aug 2025 01:27:27 GMT

Is there such a thing as a new posture scan option in FTD for endpoints vpn-in? Or is DAP with hostscan package still the only option?

Re: Cisco Secure Desktop on FTD

Marvin Rhoads — Fri, 29 Aug 2025 02:17:31 GMT

@ronnie.shih nothing specific to FTD - DAP with hostscan continues to be the only options there.

If you offload posture to Cisco ISE, it can handle the function (and much more) as part of the Authorization conditions and associated results.

Re: Cisco Secure Desktop on FTD

kcavanagh — Wed, 29 Oct 2025 13:04:57 GMT

We are implementing SAML. My understanding is that it will then bypass DAP on Cisco and use whatever CAP you have defined in Entra. Would we then remove HostScan and be able to use Flexconfig to shutdown CSD? We found that portal-access-rule 1 deny also blocked SAML, because it blocked the the successful connection pop-up window.

Re: Cisco Secure Desktop on FTD

mgrzesia — Mon, 16 Feb 2026 13:30:56 GMT

Hi Marvin,

The bug to fix ASA/FTD side is CSCwk74566. It is now fixed on ASA, pending fixed FTD release.

The CSCwi63184 is for fixing the CSC side, but that is not related to the browser access.

Re: Cisco Secure Desktop on FTD

ronnie.shih — Mon, 16 Feb 2026 13:38:55 GMT

Are you referring to the CSD page being displayed while DAP is enabled?

Re: Cisco Secure Desktop on FTD

mgrzesia — Mon, 16 Feb 2026 15:36:11 GMT

Hi Ronnie,

That is correct. To clarify:
DAP is configured, connecting to an ASA DefaultWebvpnGroup with a browser. "Without-csd" is NOT configured.

0. User is asked to authenticate.
1a. Without fix - browser is redirected to CSD install page, which doesn't work.

1b. With fix - browser is redirected to CSC download page.

A fixed FTD version is not yet there.

Re: Cisco Secure Desktop on FTD

ronnie.shih — Mon, 16 Feb 2026 16:00:51 GMT

Thank you very much. Can you please update when a fix is available for the FTD and what version of upgrade to? Security team literally gave me a hard time on this for months, even getting our Cisco reps + a Cisco engineer on a group call simply to justify making an exemption for this issue in the Wiz scanner.

Re: Cisco Secure Desktop on FTD

mgrzesia — Tue, 17 Feb 2026 12:02:53 GMT

This should be fixed in next MRs for FTD. Tentatively planned between end of April and end of June 2026, depending on version.
Please subscribe to bug notifications to get notified when a fixed version is released.

Re: Cisco Secure Desktop on FTD

ronnie.shih — Fri, 20 Feb 2026 18:53:52 GMT

I just noticed FTD v7.2.11-313 got released on 2/11 and we are running on the 7.2x series. Does v7.2.11-313 fix this issue?

Re: Cisco Secure Desktop on FTD

Marvin Rhoads — Tue, 24 Feb 2026 15:16:53 GMT

You should be able to use flexconfig with the "portal-access-rule" as of 7.2.11.

It fixes this bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk14657

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72.html#resolved-bugs-72eleven0

Re: Cisco Secure Desktop on FTD

mgrzesia — Wed, 22 Apr 2026 06:32:22 GMT

The fixed FTD 7.4.7 is now available.

Re: Cisco Secure Desktop on FTD

ronnie.shih — Wed, 22 Apr 2026 12:25:33 GMT

We've upgraded to v7.7.11 a while back to support geo blocking on the external interface. Guess we are out of luck again on this one since we can't go backwards to 7.4.7