AnyConnect client on RDP client - profile question

Craig Laurer
Level 1

OK, so to allow a user on an RDP session to successfully initiate an AnyConnect session, they need to have a profile.xml that includes the settings

WindowsLogonEnforcement     SingleLogon (default is SingleLocalLogon)
WindowsVPNEstablishment     AllowRemoteUsers  (default is LocalUsersOnly)

IF these settings are secure, why are they not the defaults?  What's the risk of changing from the defaults?

Or, put another way, should I make these changes (and compromise security?), or should I just tell users they can't come to me from RDP?

1 Reply

Kanwaljeet Singh
Cisco Employee

Hi Craig,

I do not think it is due to any security concerns, but more about what customers needed by default.

WindowsVPNEstablishment     AllowRemoteUsers  (default is LocalUsersOnly)

"Allows remote users to establish a VPN connection. However, if the configured VPN connection routing causes the remote user to become disconnected, the VPN connection is terminated to allow the remote user to regain access to the client PC".

Since the establishment of the connection may result in disconnection of the user depending upon routing, it is left to the administrator (ASA, VPN) to decide if such functionality should be allowed or not.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
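An added example, not part of the thread or Cisco's own code: a small audit that reads an AnyConnect profile and reports where the two settings discussed above differ from the defaults the question states. The `ClientInitialization` nesting, the namespace URI and both sample profiles are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults as stated in the thread above.
DEFAULTS = {
    "WindowsLogonEnforcement": "SingleLocalLogon",
    "WindowsVPNEstablishment": "LocalUsersOnly",
}

def _local(tag):
    """Strip an XML namespace so profiles match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def effective_settings(profile_xml):
    """Return the effective value of each audited setting (default if absent)."""
    root = ET.fromstring(profile_xml)
    found = {}
    for elem in root.iter():
        name = _local(elem.tag)
        if name in DEFAULTS and elem.text and elem.text.strip():
            found[name] = elem.text.strip()
    return {k: found.get(k, v) for k, v in DEFAULTS.items()}

def audit(profile_xml):
    """List settings that differ from the defaults, as (name, value, default)."""
    eff = effective_settings(profile_xml)
    return [(k, eff[k], DEFAULTS[k]) for k in DEFAULTS if eff[k] != DEFAULTS[k]]

# Constructed sample profiles (assumed layout, not taken from the thread).
RDP_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""

# Only one setting present: the other falls back to its default.
PARTIAL_PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>"""

if __name__ == "__main__":
    for label, xml in (("rdp", RDP_PROFILE), ("partial", PARTIAL_PROFILE)):
        for name, value, default in audit(xml):
            print(f"{label}: {name}={value} (default {default})")
```

Running it against the profiles actually deployed to clients gives an inventory of which ones permit VPN establishment from a remote session.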