01-17-2017 11:16 AM - edited 02-21-2020 09:07 PM
Hi All,
With AnyConnect, I am being told that there are two methods supported: client-based SSL VPN (PLUS) and clientless SSL VPN (APEX).
Can someone confirm for me that if I go with the clientless VPN, all services have to be accessed through the web portal and general internet access is not provided, whereas if I install the AnyConnect VPN client on my PC and connect that way I will access all services from my desktop since I am connected to the SSL VPN from my PC itself and not the browser portal?
01-17-2017 01:09 PM
Clientless SSLVPN provides access to any browser-based protocols (http, https, ftp, cifs and rdp). You can provide access to the internet to users via tunneling their browser access through the ASA, and you can restrict this also. But the clientless VPN is really useful if you want to allow only certain bookmarks to users (intranet, internal file share). In short, the Clientless SSLVPN and AnyConnect both can allow and block access to certain resources (using web-based and network filters), but clientless allows the access to browser-based applications and sites - without the need for users installing the client.
More information on Clientless SSLVPN here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/webvpn-overview.html
01-18-2017 04:02 AM
Hi Rahul,
But with the clientless SSL VPN, the users have to access all of those services inside of the web portal, right? They can't just launch the applications from their desktop and have them be on the SSL VPN with the client-based installation, right?
01-18-2017 06:56 AM
Mostly yes :) There is a feature called Smart tunnels within Clientless VPN that allows a user to access internal resources through the desktop applications (rdp, putty etc). So for example - once a user logs in via the portal page, Smart tunnel can autostart in the background. They can then open one of the Admin-defined smart tunneled applications (mstsc.exe, for example) and access an internal RDP server. All this is done without the use of a client. More info below:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf
All of these features are admin-controlled, so you can not enable smart tunnel if you don't want them to access any resources other than through the web.
01-18-2017 08:59 AM
Basically I need to get them to access internet, email, and sales server over the remote access VPN. If any of that can be done on the clientless VPN where they can launch those applications from their desktop and not through the portal, that would be great. I didn't see the smart tunnel option when I was testing the webVPN config unfortunately, so the recommendation I ended up making was to use the client-based AnyConnect.
01-18-2017 09:57 AM
If it was me, I would recommend the AnyConnect client too :) Smart tunnels provide the functionality to use certain applications, but this can get tricky as it does not support all applications. Rather than worry about this, the AnyConnect client access does not add any restrictions, as the tunneling is on the network layer rather than on the application layer.