12-19-2009 10:38 AM - edited 03-11-2019 09:50 AM
Dear friends,
After reading the AnyConnect client 2.4 configuration guide at:
I have some doubts about the VPN session within the RDP session.
What is the difference between localuser and remoteuser?
Does local user mean the user who has direct console access of the machine? Or is it something else?
Does remote user imply to any user who has connected to the PC via RDP?
Regarding vpn session within RDP session, does it mean RDP'ing to a machine that has the AnyConnect client installed?
Can anyone please clarify this?
Thanks a lot
Gautam
12-19-2009 10:55 PM
LocalUser means someone "physically" logged into the server. RemoteUser would be someone logged in via RDP.
Prior to version 2.3.x of the AnyConnect client, it was impossible to RDP into a machine and then initiate an AnyConnect client VPN session from the machine you were RDP'd into. The AnyConnect client would straight up tell you that it was not permitted.
You can modify the AnyConnectProfile.tmpl file on the machine to remove this limitation; however, I was not able to get it to work that way. I had to actually upload the new template to the ASA and set up the user policy or group policy to push down the template upon attempting to connect with AnyConnect.
You could try the following:
Upload the profile to the ASA using tftp or through ASDM, and add the following to the webvpn configuration:
svc profiles MY-PROFILE-NAME disk0:/AnyConnectProfile.tmpl
You should be able to push it down through the group policy, but I chose to do it on a per-user basis (as I only have one test user):
username testuser attributes
 webvpn
  svc profiles value MY-PROFILE-NAME
Example using group-policy:
group-policy my-vpn-group attributes
 webvpn
  svc profiles value MY-PROFILE-NAME
Hopefully that leads you in the right direction.
James
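The answer above pushes a client profile from the ASA but does not show which profile element controls the RDP behaviour. The following is an added example (not from the post or from Cisco) that parses an AnyConnect client profile and reports whether users logged in over RDP may bring up the tunnel; the element name WindowsVPNEstablishment and its values LocalUsersOnly (the default) and AllowRemoteUsers are the real profile keys, while the sample profile content and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AnyConnect client profile (not the real
# AnyConnectProfile.tmpl from the post); only the elements needed to show
# the RDP setting are included.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the XML namespace so lookups work whatever xmlns the profile uses."""
    return tag.split("}", 1)[-1]


def vpn_establishment_policy(profile_xml):
    """Return the effective WindowsVPNEstablishment value of a profile.

    When the element is absent or empty the client uses LocalUsersOnly,
    i.e. only a console (local) login may start the VPN, which is the
    behaviour the original poster ran into.
    """
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if _local(elem.tag) == "WindowsVPNEstablishment":
            return (elem.text or "").strip() or "LocalUsersOnly"
    return "LocalUsersOnly"


def audit_profile(profile_xml):
    """Summarise, for a profile review, who may start a VPN from this host."""
    policy = vpn_establishment_policy(profile_xml)
    allows_rdp = policy == "AllowRemoteUsers"
    if allows_rdp:
        note = ("RDP users may bring up the tunnel; check the tunnel policy "
                "(tunnel-all vs split) so the RDP session is not cut off")
    else:
        note = "only local/console logins may connect (default behaviour)"
    return {"policy": policy, "rdp_users_may_connect": allows_rdp, "note": note}


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Run it against the profile you intend to push with `svc profiles` before uploading it to the ASA, so the RDP behaviour you deploy is the one you meant to.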
12-19-2009 11:37 PM
Thank you so much James for the wonderful response.
Thanks a lot
Gautam