Re: CSD and RDP Plugin

kharvey · ‎07-27-2010

I now have a new boss and they have decided to change our remote access policies.

So I already have a working SSL VPN and RDP deployment, thanks in part to the expertise of this forum. Thank you all for that.

Originally we only allowed company hardware to connect to the SSL and everyone else was stuck with the RDP session.

Now I need to be able to allow non-company hardware to connect to the SSL, so I decided to enable CSD and do an OS check and a virus scan check.

After enabling CSD, I have found that when users connect to the RDP session it runs all of the CSD checks and is not allowing connections. Is there a way to only use CSD for the SSL Client connections, and for CSD to ignore all of the RDP Plugin connections?

I did a quick search of the Group Policies and did not see a CSD option in there.

I am running ASA 8.x and the newest version of CSD.

Paul Carco · ‎08-13-2010

When you say "RDP deployment" are you referring to Clientless users and the RDP plug-in?

What do your Dynamic Access Policies look like?

kharvey · ‎08-13-2010

Yes, I am referring to Clientless users using the RDP plug-in.

I ended up contacting Cisco and they told me that the CSD is a global setting and that I would not be able to avoid using the CSD even with the RDP.

Here is my current config:
webvpn
enable IntNet
enable ExtNet
csd image disk0:/csd_3.5.1077-k9.pkg
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy EDIAccessPlc internal
group-policy EDIAccessPlc attributes
vpn-tunnel-protocol webvpn
webvpn
homepage value rdp://10.1.2.40/?geometry=1024x768
group-policy DfltGrpPolicy attributes
group-policy TSAccessPlc internal
group-policy TSAccessPlc attributes
vpn-tunnel-protocol webvpn
webvpn
homepage value rdp://10.1.2.70/?geometry=1024x768
group-policy OWAAccessPlc internal
group-policy OWAAccessPlc attributes
vpn-idle-timeout 20
vpn-tunnel-protocol webvpn
webvpn
url-list value ECCOOWA
hidden-shares none
file-entry disable
file-browsing disable
url-entry disable
group-policy AnyConnectAccessPlc internal
group-policy AnyConnectAccessPlc attributes
dns-server value 10.1.2.3 10.1.2.80
vpn-tunnel-protocol svc
default-domain value eccogroup.corp
address-pools value ECCOSSLDHCP
webvpn
svc rekey time 30
svc rekey method ssl
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP_SRV_GRP
tunnel-group 216.133.173.98 type ipsec-l2l
tunnel-group 216.133.173.98 ipsec-attributes
pre-shared-key *
tunnel-group 213.1.213.226 type ipsec-l2l
tunnel-group 213.1.213.226 ipsec-attributes
pre-shared-key *
tunnel-group 203.52.44.138 type ipsec-l2l
tunnel-group 203.52.44.138 ipsec-attributes
pre-shared-key *
tunnel-group AnyConnectVPNCon type remote-access
tunnel-group AnyConnectVPNCon general-attributes
authentication-server-group LDAP_SRV_GRP
default-group-policy AnyConnectAccessPlc

If you have an idea on how to use the CSD and the RDP I would be most interested, as at this point I will end up rebuilding my RDP server into the DMZ, and pin-holing the firewall for it.

Paul Carco · ‎08-14-2010

Hello,

Ok, so if I now I understand the requirements.

If a user has a certain OS and Anti-Virus then you will permit the user to have AnyConnect and if not they only receive the Web Portal where you have enabled the RDP plugin as a resource..

If this is the case what you are trying to do I think you would benefit from checking out the SSL VPN Deployment Guide - specifically the 'Integrating Cisco Secure Desktop with DAP's' section. http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1128062

Essentially you are going to end up with 3 DAP's with one of them being the default policy which in most cases would terminate the session if the user did not match the 2 preceding policies. The first DAP would be the one where the user with AV would hit and be granted AnyConnect, the second would be where the users without AV would get Clientless access only thus being able to use RDP.

Good Luck.

Best regards

Paul