I now have a new boss and they have decided to change our remote access policies.
So I already have a working SSL VPN and RDP deployment, thanks in part to the expertise of this forum. Thank you all for that.
Originally we only allowed company hardware to connect to the SSL and everyone else was stuck with the RDP session.
Now I need to be able to allow non-company hardware to connect to the SSL, so I decided to enable CSD and do an OS check and a virus scan check.
After enabling CSD, I have found that when users connect to the RDP session it runs all of the CSD checks and is not allowing connections. Is there a way to only use CSD for the SSL Client connections, and for CSD to ignore all of the RDP Plugin connections?
I did a quick search of the Group Policies and did not see a CSD option in there.
I am running ASA 8.x and the newest version of CSD.
Yes, I am referring to Clientless users using the RDP plug-in.
I ended up contacting Cisco and they told me that the CSD is a global setting and that I would not be able to avoid using the CSD even with the RDP.
Here is my current config:
csd image disk0:/csd_3.5.1077-k9.pkg
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
group-policy EDIAccessPlc internal
group-policy EDIAccessPlc attributes
homepage value rdp://10.1.2.40/?geometry=1024x768
group-policy DfltGrpPolicy attributes
group-policy TSAccessPlc internal
group-policy TSAccessPlc attributes
homepage value rdp://10.1.2.70/?geometry=1024x768
group-policy OWAAccessPlc internal
group-policy OWAAccessPlc attributes
url-list value ECCOOWA
group-policy AnyConnectAccessPlc internal
group-policy AnyConnectAccessPlc attributes
dns-server value 10.1.2.3 10.1.2.80
default-domain value eccogroup.corp
address-pools value ECCOSSLDHCP
svc rekey time 30
svc rekey method ssl
tunnel-group DefaultWEBVPNGroup general-attributes
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 188.8.131.52 ipsec-attributes
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
tunnel-group AnyConnectVPNCon type remote-access
tunnel-group AnyConnectVPNCon general-attributes
If you have an idea on how to use the CSD and the RDP together, I would be most interested, as at this point I will end up rebuilding my RDP server in the DMZ and pin-holing the firewall for it.
Ok, so, if I now understand the requirements:
If a user has a certain OS and anti-virus, then you will permit the user to have AnyConnect; if not, they only receive the Web Portal, where you have enabled the RDP plugin as a resource.
If this is what you are trying to do, I think you would benefit from checking out the SSL VPN Deployment Guide, specifically the 'Integrating Cisco Secure Desktop with DAPs' section. http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062
Essentially you are going to end up with three DAPs, one of them being the default policy, which in most cases would terminate the session if the user did not match the two preceding policies. The first DAP would be the one that users with AV hit, granting them AnyConnect; the second would be the one that users without AV hit, giving them clientless access only and thus the ability to use RDP.
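As an added illustration of the three-DAP layout described in the reply above (this is not configuration from the original poster or from Cisco's guide), here are the three dynamic-access-policy-record shells as they appear in the ASA CLI. The selection criteria (the CSD endpoint.os and endpoint.av attributes) and the Access Method (AnyConnect Client versus Web-Portal) are edited in the ASDM DAP editor and stored in dap.xml on flash; they have no CLI equivalent, so they are described in comments only. The record names, ACL names and user message are assumptions chosen for the example. Note that CSD still runs its checks for every connection, including the clientless RDP plugin users (as Cisco told the poster); the DAPs only decide what a given scan result is allowed to do.

```text
! Added example, not part of the original thread. Record names, ACL names
! and the message text are assumptions; match conditions live in dap.xml.
!
! Record 1: endpoint passed the CSD OS and AV checks, so grant AnyConnect.
! ASDM DAP editor: Endpoint Attribute Type "Anti-Virus" with exists = true
! plus the approved Operating System entries; Access Method = AnyConnect Client.
dynamic-access-policy-record AnyConnect-AV-OK
 description "CSD found approved OS and AV; AnyConnect tunnel permitted"
 priority 20
 action continue
 network-acl AnyConnect-Full-Access
!
! Record 2: endpoint failed the AV check, so limit it to the clientless
! portal, where the RDP plugin (rdp://10.1.2.40 etc. from the group policies)
! is still reachable. ASDM: "Anti-Virus" with exists = false;
! Access Method = Web-Portal. A webtype ACL keeps the portal to RDP only.
dynamic-access-policy-record Clientless-No-AV
 description "No AV found; clientless portal with RDP plug-in only"
 priority 10
 action continue
 webvpn-acl Clientless-RDP-Only
!
! Record 3: the built-in default record. It is applied only when no other
! record matches (for example, AV present but an unapproved OS), and here it
! drops the session instead of the factory default of continue.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "Your endpoint did not meet the remote access policy. Contact the helpdesk."
```

Because the AV-present and AV-absent conditions are mutually exclusive, a session never aggregates records 1 and 2, so the priority values matter only if you later add overlapping records; the ASA then takes conflicting attributes from the record with the higher priority. Verify the result per endpoint with the DAP Trace feature in ASDM (or debug dap trace) before you roll the policy out to non-company hardware.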