
ASA to force updates before granting vpn access

Joel.Benson
Level 1

I'm trying to secure my VPN access to my network from work-at-home laptops.

Is there a way I can have the ASA or AnyConnect force Windows updates before it grants VPN access?

I'm also trying to do the same thing with Symantec as well.

1 Accepted Solution


Marvin Rhoads
Hall of Fame

You can check for the presence of certain updates, processes or Symantec signature versions. You can further give the user a banner directing them that they cannot access VPN until those bits are compliant. This is done with HostScan and the AnyConnect Plus (4.x) or Essentials (3.x) license.

Remediation would require an AnyConnect Apex license (4.x, or the old 3.x Advanced Endpoint Assessment (AEA) feature license). Regarding remediation, you can force them to do a live update of Symantec AV (prior to Symantec version 12 - see the second link below) using AEA.

I don't believe you can force Windows Update - only alert them they need to do it and to try to reconnect after they have done it.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac05hostscanposture.html#48787

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-posture.html#concept_A32AC01C0C5C486B8F59DDA8B92A9A47


2 Replies


Thank you, I appreciate it. That is exactly what I am looking for.
