04-28-2018 08:54 PM - edited 02-21-2020 07:40 AM
Hello,
After deploying Anyconnect VPN and successfully allowing the Anyconnect IP pool to access the internal network resources, I am now facing challenges deploying an internet policy for these Anyconnect VPN users.
I want to restrict the Anyconnect users going out to the internet using an AD username-based policy.
When I create an outside-to-outside policy keeping the source as the Anyconnect VPN pool and the destination as any, with defined AD users and applications like Outlook, this policy doesn't hit.
It seems that the FTD is not able to check the AD users added to the policy.
The rest of the inside-to-outside policies based on AD username are working perfectly fine!
Please let me know your views on this.
04-29-2018 02:20 AM
Have you tried applying these rules using tunnel policies?
04-29-2018 08:09 PM
Hi Marius,
I haven't tried applying these using tunnel policies.
Can we use tunnel policies for Anyconnect VPN, and can we also restrict traffic based on usernames using tunnel policies?
Also, I noticed connection events where the 'initiator user' column says 'no authentication required' for the Anyconnect traffic.
04-30-2018 12:32 AM
"Can we use tunnel policies for Anyconnect VPN, and can we also restrict traffic based on usernames using tunnel policies?"
As far as I know, it is not possible to restrict traffic based on usernames using tunnel policies.
04-30-2018 01:28 AM
I think we cannot use a tunnel policy for this issue. I have now resolved this issue using Identity policies.
Thanks!
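The symptom described in this thread (the 'initiator user' column showing 'No Authentication Required' for VPN-pool traffic, and user-based access control rules therefore never matching) can be checked from a connection-event export before touching the policy. The script below is an added example written for this page, not code from the thread or from Cisco; the VPN pool address range, the CSV column names and the sample events are all constructed assumptions. It flags VPN-pool events whose source IP was never mapped to a user, and shows why a rule with a user condition cannot match such an event.

```python
import csv
import ipaddress
from io import StringIO

# Assumed AnyConnect address pool (placeholder range, not taken from the thread).
VPN_POOL = ipaddress.ip_network("192.0.2.0/24")

# Value FMC shows in the initiator-user column when no identity mapping exists.
UNMAPPED = "No Authentication Required"

# Constructed sample connection events; the column layout is an assumption,
# modelled loosely on a connection-event CSV export.
SAMPLE_EVENTS = """\
initiator_ip,responder_ip,initiator_user,access_control_rule,action
192.0.2.10,203.0.113.5,No Authentication Required,Default Action,Allow
192.0.2.11,203.0.113.9,No Authentication Required,Default Action,Allow
10.1.1.25,203.0.113.5,EXAMPLE\\jsmith,Inside-Outlook-Users,Allow
192.0.2.12,203.0.113.7,EXAMPLE\\mjones,VPN-Outlook-Users,Allow
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def is_vpn_source(ev, pool=VPN_POOL):
    """True when the event's source address falls inside the VPN pool."""
    return ipaddress.ip_address(ev["initiator_ip"]) in pool


def unmapped_vpn_events(events, pool=VPN_POOL):
    """Return VPN-pool events whose source IP was never resolved to a user.

    Each of these is traffic that a username-based rule cannot match, because
    the rule's user condition is evaluated against the mapped user, not the IP.
    """
    return [ev for ev in events
            if is_vpn_source(ev, pool) and ev["initiator_user"] == UNMAPPED]


def user_rule_would_match(ev, allowed_users):
    """Model the user condition of an access control rule.

    The condition can only be satisfied once the source IP carries a user
    mapping (from an identity policy); an unmapped event never matches,
    regardless of who is actually behind the VPN session.
    """
    user = ev["initiator_user"]
    return user != UNMAPPED and user in allowed_users


def summarize(events, pool=VPN_POOL):
    """Count VPN-pool events split into mapped and unmapped initiators."""
    vpn = [ev for ev in events if is_vpn_source(ev, pool)]
    unmapped = unmapped_vpn_events(events, pool)
    return {
        "vpn_events": len(vpn),
        "unmapped": len(unmapped),
        "mapped": len(vpn) - len(unmapped),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(summarize(events))
    for ev in unmapped_vpn_events(events):
        print("identity gap:", ev["initiator_ip"], "->", ev["responder_ip"],
              "hit rule:", ev["access_control_rule"])
```

Run against a real export, a non-zero `unmapped` count for VPN-pool sources points at the identity mapping (identity policy / realm) rather than at the access control rule itself, which is consistent with the resolution posted above: once the VPN users are mapped, the same username-based rule starts to hit.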