Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2897
Views
15
Helpful
8
Replies

Anyconnect SBL for Firepower 1140

Go to solution
kapydan88
Level 4
Level 4

‎07-10-2020 03:22 AM

Hello for everybody.

 

Is there anyconnect start before logon in firepower 1140 devices managed by fmc? 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee

‎07-10-2020 04:01 AM

Hi Kapydan88,

I agree with Rob’ reply, the FTD does not work the same way the ASA does for the modules deployment.

However, as a solution for this, the SBL’s module which is named “vpngina” can be enabled on the FTD/FMC by using FlexConfig.

See the following link under “Configure AnyConnect Modules and Profiles Using FlexConfig”:

https://www.cisco.com/c/en/us/td/docs/security/firepower/config_examples/advanced-anyconnect-ftd-fmc/advanced-anyconnect-vpn-ftd-fmc.html

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎07-10-2020 03:35 AM - edited ‎07-10-2020 03:42 AM

Hi,
If you pre-deploy the GINA module and AnyConnect profile using your software management solution (such as SCCM) to the client computer, SBL will work when connecting to an FTD.

FTD/FMC just doesn't support the deployment of the SBL module, as the ASA currently does.

HTH

Go to solution
kapydan88
Level 4
Level 4
In response to Rob Ingram

‎07-10-2020 04:10 AM

Yes, i couldnt find any info about this feature for Firepower 1140 - only for ASA.

 

To get GINA, i need to download the predeploy archive for Windows, unpack it and select the necessary file?

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to kapydan88

‎07-10-2020 04:14 AM

Yes, If you wish to pre-deploy. download the pre-deploy zip file e.g. "anyconnect-win-4.8.01090-predeploy-k9.zip" and uncompress the files, you will see the msi file "anyconnect-win-4.8.03036-gina-predeploy-k9.msi".

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee

‎07-10-2020 04:01 AM

Hi Kapydan88,

I agree with Rob’ reply, the FTD does not work the same way the ASA does for the modules deployment.

However, as a solution for this, the SBL’s module which is named “vpngina” can be enabled on the FTD/FMC by using FlexConfig.

See the following link under “Configure AnyConnect Modules and Profiles Using FlexConfig”:

https://www.cisco.com/c/en/us/td/docs/security/firepower/config_examples/advanced-anyconnect-ftd-fmc/advanced-anyconnect-vpn-ftd-fmc.html

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

0 Helpful

Go to solution
kapydan88
Level 4
Level 4
In response to Josue Brenes

‎07-10-2020 04:48 AM

If i understood correctly, i need to use next chapter - "Configure AnyConnect Modules and Profiles Using FlexConfig".

 

And if i want add only gina module i need to add next config in flexconfig for every from policies?

 

webvpn

group-policy <GP_NAME> attributes
webvpn
anyconnect modules value vpngina

0 Helpful

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee
In response to kapydan88

‎07-10-2020 05:07 AM

That is correct.

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

Go to solution
kapydan88
Level 4
Level 4
In response to Josue Brenes

‎07-10-2020 05:14 AM

But how this feature works with LDAP attribute map? Because several access groups are configured on this device for remote connection.

 

 

0 Helpful

Go to solution
Josue Brenes
Cisco Employee
Cisco Employee
In response to kapydan88

‎07-10-2020 08:06 AM

Actually, it has nothing to do with the LDAP attribute mapping.

The link I shared just contains some advanced FMC deployments where the LDAP mapping is one of them but it's completely unrelated to the Anyconnect Modules section.

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

0 Helpful
Customers Also Viewed These Support Documents