https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437976#M660961 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Ok, so if I now I understand the requirements.</P><P></P><P>If a user has a certain OS and Anti-Virus then you will permit&nbsp; the user to have AnyConnect and if not they only receive the Web Portal where you have enabled the RDP plugin as a resource..</P><P></P><P>If this is the case what you are trying to do I think you would benefit from checking out the SSL VPN Deployment Guide - specifically the 'Integrating Cisco Secure Desktop with DAP's' section.&nbsp; <SPAN class="content"></SPAN><A href="http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062">http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062</A></P><H3 class="p_H_Head2"></H3><P class="p_H_Head2"></P><P class="p_H_Head2">Essentially you are going to end up with 3 DAP's with one of them being the default policy which in most cases would terminate the session if the user did not match the 2 preceding policies.&nbsp; The first DAP would be the one where the user with AV would hit and be granted AnyConnect, the second would be where the users without AV would get Clientless access only thus being able to use RDP.</P><P class="p_H_Head2"></P><P class="p_H_Head2">Good Luck.</P><P class="p_H_Head2"></P><P class="p_H_Head2">Best regards</P><P class="p_H_Head2">Paul</P></BODY></HTML> Sun, 15 Aug 2010 00:00:51 GMT Paul Carco 2010-08-15T00:00:51Z https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437973#M660877 <P>I now have a new boss and they have decided to change our remote access policies.</P><P></P><P>So I already have a working SSL VPN and RDP deployment, thanks in part to the expertise of this forum.&nbsp; Thank you all for that.</P><P>Originally we only allowed company hardware to connect to the SSL and everyone else was stuck with the RDP session.</P><P>Now I need to be able to allow non-company hardware to connect to the SSL, so I decided to enable CSD and do an OS check and a virus scan check.</P><P></P><P>After enabling CSD, I have found that when users connect to the RDP session it runs all of the CSD checks and is not allowing connections.&nbsp; Is there a way to only use CSD for the SSL Client connections, and for CSD to ignore all of the RDP Plugin connections?</P><P>I did a quick search of the Group Policies and did not see a CSD option in there.</P><P></P><P>I am running ASA 8.x and the newest version of CSD.</P> Mon, 11 Mar 2019 18:16:36 GMT https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437973#M660877 kharvey 2019-03-11T18:16:36Z https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437974#M660897 <HTML><HEAD></HEAD><BODY><P>When you say "RDP deployment"&nbsp; are you referring to Clientless users and the RDP plug-in?</P><P></P><P>What do your Dynamic Access Policies look like?</P></BODY></HTML> Fri, 13 Aug 2010 20:39:30 GMT https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437974#M660897 Paul Carco 2010-08-13T20:39:30Z https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437975#M660935 <HTML><HEAD></HEAD><BODY><P>Yes, I am referring to Clientless users using the RDP plug-in.</P><P></P><P>I ended up contacting Cisco and they told me that the CSD is a global setting and that I would not be able to avoid using the CSD even with the RDP.</P><P></P><P>Here is my current config:<BR />webvpn<BR /> enable IntNet<BR /> enable ExtNet<BR /> csd image disk0:/csd_3.5.1077-k9.pkg<BR /> svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1<BR /> svc enable<BR />group-policy EDIAccessPlc internal<BR />group-policy EDIAccessPlc attributes<BR /> vpn-tunnel-protocol webvpn<BR /> webvpn<BR />&nbsp; homepage value rdp://10.1.2.40/?geometry=1024x768<BR />group-policy DfltGrpPolicy attributes<BR />group-policy TSAccessPlc internal<BR />group-policy TSAccessPlc attributes<BR /> vpn-tunnel-protocol webvpn<BR /> webvpn<BR />&nbsp; homepage value rdp://10.1.2.70/?geometry=1024x768<BR />group-policy OWAAccessPlc internal<BR />group-policy OWAAccessPlc attributes<BR /> vpn-idle-timeout 20<BR /> vpn-tunnel-protocol webvpn<BR /> webvpn<BR />&nbsp; url-list value ECCOOWA<BR />&nbsp; hidden-shares none<BR />&nbsp; file-entry disable<BR />&nbsp; file-browsing disable<BR />&nbsp; url-entry disable<BR />group-policy AnyConnectAccessPlc internal<BR />group-policy AnyConnectAccessPlc attributes<BR /> dns-server value 10.1.2.3 10.1.2.80<BR /> vpn-tunnel-protocol svc <BR /> default-domain value eccogroup.corp<BR /> address-pools value ECCOSSLDHCP<BR /> webvpn<BR />&nbsp; svc rekey time 30<BR />&nbsp; svc rekey method ssl<BR />tunnel-group DefaultWEBVPNGroup general-attributes<BR /> authentication-server-group LDAP_SRV_GRP<BR />tunnel-group 216.133.173.98 type ipsec-l2l<BR />tunnel-group 216.133.173.98 ipsec-attributes<BR /> pre-shared-key *<BR />tunnel-group 213.1.213.226 type ipsec-l2l<BR />tunnel-group 213.1.213.226 ipsec-attributes<BR /> pre-shared-key *<BR />tunnel-group 203.52.44.138 type ipsec-l2l<BR />tunnel-group 203.52.44.138 ipsec-attributes<BR /> pre-shared-key *<BR />tunnel-group AnyConnectVPNCon type remote-access<BR />tunnel-group AnyConnectVPNCon general-attributes<BR /> authentication-server-group LDAP_SRV_GRP<BR /> default-group-policy AnyConnectAccessPlc</P><P>If you have an idea on how to use the CSD and the RDP I would be most interested, as at this point I will end up rebuilding my RDP server into the DMZ, and pin-holing the firewall for it.</P></BODY></HTML> Fri, 13 Aug 2010 20:57:08 GMT https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437975#M660935 kharvey 2010-08-13T20:57:08Z https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437976#M660961 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Ok, so if I now I understand the requirements.</P><P></P><P>If a user has a certain OS and Anti-Virus then you will permit&nbsp; the user to have AnyConnect and if not they only receive the Web Portal where you have enabled the RDP plugin as a resource..</P><P></P><P>If this is the case what you are trying to do I think you would benefit from checking out the SSL VPN Deployment Guide - specifically the 'Integrating Cisco Secure Desktop with DAP's' section.&nbsp; <SPAN class="content"></SPAN><A href="http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062">http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062</A></P><H3 class="p_H_Head2"></H3><P class="p_H_Head2"></P><P class="p_H_Head2">Essentially you are going to end up with 3 DAP's with one of them being the default policy which in most cases would terminate the session if the user did not match the 2 preceding policies.&nbsp; The first DAP would be the one where the user with AV would hit and be granted AnyConnect, the second would be where the users without AV would get Clientless access only thus being able to use RDP.</P><P class="p_H_Head2"></P><P class="p_H_Head2">Good Luck.</P><P class="p_H_Head2"></P><P class="p_H_Head2">Best regards</P><P class="p_H_Head2">Paul</P></BODY></HTML> Sun, 15 Aug 2010 00:00:51 GMT https://community.cisco.com/t5/network-security/csd-and-rdp-plugin/m-p/1437976#M660961 Paul Carco 2010-08-15T00:00:51Z