07-28-2020 01:54 PM
Hi everyone,
We have an active/standby pair of ASA 5555-X firewalls acting as a client VPN concentrator and primary Internet point of egress. Our users are running Windows 10 with AnyConnect VPN 4.8 and the Umbrella Roaming Agent installed as a module. Many remote users seldom connect to VPN, which makes pushing patches, GPO, and other logon scripts impossible.
We've tested Start Before Logon (SBL), but this only provides the option to connect to VPN before logging into Windows; it doesn't enforce it. Cisco TAC confirmed this is not supported (i.e., forcing AnyConnect to launch and prompt the user for credentials before permitting the user to log in to Windows).
It looks like the VPN Management Tunnel feature could be an option (since AnyConnect 4.7), but I haven't tested this yet. Microsoft has their built-in VPN solution (conveniently called "Always On," but no relation to the ASA client profile option) that uses a Universal Windows Platform (UWP) version of AnyConnect, though it's several revisions behind the official release from Cisco's Software Downloads page. It also doesn't bundle the Umbrella Roaming Agent module, so we'd be left with installing and managing that separately.
So, given what I've tried and what our requirements are, what have you used in your environment to accomplish forced VPN connectivity before the user logs in to Windows? (I would guess this isn't an uncommon scenario, but who knows--maybe we're somehow unique there.) Any and all suggestions are welcome. Let me know if you need any clarity here as well.
Thanks very much for your time in advance.
07-28-2020 03:37 PM
The management tunnel is the right solution for what you're trying to do...
We currently have an SCCM distribution point exposed so the SCCM client on machines connects to it to get updates pushed to it. GPO settings don't disappear when not connected, and we do run our login script at the AnyConnect OnConnect event, though it does tend to be spotty...
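As an added illustration of the "login script at the OnConnect event" approach described in the answer above (this is example code written for this page, not Ken's script or anything from Cisco), here is a PowerShell OnConnect script that refreshes Group Policy and kicks the SCCM client once the tunnel is up. It assumes AnyConnect's scripting feature is enabled in the VPN profile (EnableScripting) and that the script is dropped in the client's Script directory under the assumed name OnConnect.ps1; the SCCM schedule IDs are the standard SMS_Client trigger GUIDs, and the script assumes it runs with enough privilege to call the root\ccm WMI namespace.

```powershell
# OnConnect.ps1 -- example script for this page, not from the original thread.
# Assumed drop location (AnyConnect scripting feature, EnableScripting=true in the VPN profile):
#   %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Script\OnConnect.ps1
# Goal: once AnyConnect reports the tunnel is connected, refresh Group Policy and
# trigger the SCCM client so patches and policy reach users who rarely connect.

$ErrorActionPreference = 'Continue'
$LogFile = Join-Path $env:ProgramData 'AnyConnect-OnConnect.log'   # assumed log path

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append
}

Write-Log "OnConnect fired as $env:USERNAME on $env:COMPUTERNAME"

# 1. Refresh Group Policy. Computer policy is applied by the GP service, so this
#    works even when the script itself runs in the logged-on user's context.
#    /wait:120 keeps gpupdate from hanging the script if the DC is slow to answer.
$gp = Start-Process -FilePath 'gpupdate.exe' -ArgumentList '/force','/wait:120' `
        -NoNewWindow -Wait -PassThru
Write-Log "gpupdate exit code: $($gp.ExitCode)"

# 2. Nudge the SCCM (ConfigMgr) client. Skip cleanly if the client is not installed.
$ccm = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
if (-not $ccm) {
    Write-Log 'CcmExec service not found; skipping SCCM triggers'
    return
}
if ($ccm.Status -ne 'Running') {
    Write-Log "CcmExec is $($ccm.Status); attempting to start it"
    Start-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
}

# Standard SMS_Client.TriggerSchedule IDs (documented ConfigMgr client actions).
$Schedules = [ordered]@{
    'Machine Policy Retrieval & Evaluation' = '{00000000-0000-0000-0000-000000000021}'
    'Machine Policy Evaluation'             = '{00000000-0000-0000-0000-000000000022}'
    'Software Updates Scan'                 = '{00000000-0000-0000-0000-000000000113}'
    'Software Updates Deployment Evaluation'= '{00000000-0000-0000-0000-000000000108}'
}

foreach ($name in $Schedules.Keys) {
    try {
        # TriggerSchedule takes the schedule GUID as the sScheduleID argument.
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' `
            -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = $Schedules[$name] } -ErrorAction Stop | Out-Null
        Write-Log "Triggered SCCM action: $name"
    }
    catch {
        # Typically an access-denied when the script runs as a standard user.
        Write-Log "SCCM trigger failed for '$name': $($_.Exception.Message)"
    }
}
```

Because AnyConnect fires OnConnect for every tunnel that comes up, keep the script idempotent and fast, log to a file rather than relying on console output, and test it by running it manually first; if the SCCM triggers fail with access denied, the script is running without the privileges the ccm namespace requires and the trigger step needs to be moved to a scheduled task or the existing SCCM polling interval relied upon instead.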
07-30-2020 05:31 AM
Thanks, Ken. We will definitely look at the Management VPN Tunnel feature.
10-03-2024 09:47 PM
I know that this is a super old post, but I have been racking my brain trying to figure this out. I have set up the management tunnel and can connect via certificate, but it will not connect before the user logs into Windows.