
Cisco Secure Desktop on FTD

andypowernet85
Visitor

Afternoon,

When browsing to the public IP of the FTD managed by FMC, I am being directed to /CACHE/sdesktop/install/start.html and presented with a Cisco Secure Desktop page. Does anyone know if this can be disabled and why it is being presented?

Regards,


rschlayer
Level 6

Looks like you have AnyConnect VPN enabled, you can disable that portal using FlexConfig: https://bst.cisco.com/bugsearch/bug/CSCvp81746

andypowernet85
Visitor

Thanks, but that would not help if you still wanted to provide access to the web portal to download AnyConnect.

@andypowernet85 please see this bugID: https://bst.cisco.com/bugsearch/bug/CSCwi63184?rfs=qvred

Basically, you need to add a FlexConfig to specify "without-csd" in your tunnel-group (aka connection profile).

Thanks for the info! That would be under both defaultwebvpn and the specific RA connection profile?

@andypowernet85 

If they are exposed via your VPN configuration, yes.

Hi Marvin,

The bug to fix ASA/FTD side is CSCwk74566. It is now fixed on ASA, pending fixed FTD release.

The CSCwi63184 is for fixing the CSC side, but that is not related to the browser access.

Are you referring to the CSD page being displayed while DAP is enabled?

Hi Ronnie,

That is correct. To clarify:
DAP is configured, connecting to an ASA DefaultWebvpnGroup with a browser. "Without-csd" is NOT configured.

0. User is asked to authenticate.
1a. Without fix - browser is redirected to CSD install page, which doesn't work.

1b. With fix - browser is redirected to CSC download page.

A fixed FTD version is not yet there.

Thank you very much. Can you please update when a fix is available for the FTD and what version to upgrade to? Security team literally gave me a hard time on this for months, even getting our Cisco reps + a Cisco engineer on a group call simply to justify making an exemption for this issue in the Wiz scanner.

This should be fixed in the next MRs for FTD. Tentatively planned between end of April and end of June 2026, depending on version.
Please subscribe to bug notifications to get notified when a fixed version is released.

I just noticed FTD v7.2.11-313 got released on 2/11 and we are running on the 7.2x series. Does v7.2.11-313 fix this issue?

The fixed FTD 7.4.7 is now available.

We've upgraded to v7.7.11 a while back to support geo blocking on the external interface. Guess we are out of luck again on this one since we can't go backwards to 7.4.7.
