The AnyConnect Web Security

GnetMonitoring1 · ‎08-04-2016

The design:

ASA deployed AnyConnect Web Security: Hosted config file on Cloud Web Security portal.

The problem:

When users take their laptops home and are disconnected from the corporate network via AnyConnect's VPN, their public IP Address still shows up as Cisco's Web Proxy Tower IP's because the AnyConnect Web Security module forwards traffic at all times. While that's fine when connected to the AnyConnect VPN, we want users at home to bypass the Web Proxy.

I see Cloud Bypass for ISR devices. Is there a way to do this or something similar to this so that users can be excluded by common private IP ranges home ISP's dole out? I'd like users to see their own ISP's public IP instead of Cisco's when they're at home and not VPN'ing into the corporate network.

Thanks!

Thomas Busch · ‎08-04-2016

The AnyConnect Web Security module is designed to always be on to ensure that your clients are filtered through your configured policy.

There is a feature within AnyConnect called TND (trusted network detection) which allows you to disable the module when it can reach out to a trusted server (verified via a certificate hash) only accessible on your corporate network.

The logic can be work around however to do the opposite (stay enabled via the corporate network, disabled outside the corporate network) by instead using a certificate hash of any public HTTPS website and then ensure the configured website is blocked via the corporate network.

When the users are off the corporate network AnyConnect can pull the certificate hash and disable the module. While on the corporate network, the connection to the site will not establish (due to being blocked on edge firewall for example) and not pull the hash, allowing AnyConnect to still stay enabled and filtering.

Source IP Cloud Bypass for AnyConnect users?