cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2372
Views
5
Helpful
3
Replies

AnyConnect / SSL VPN / ScanSafe Questions

jason.henderson
Beginner
Beginner

Hi all,

A few questions relating to different VPN scenarios - basically i need to put together a solution that allows trusted company laptops full access to the internal network, an SSL VPN option for untrusted (e.g. internet cafe and home user) machines, Two-factor authentication (either SecureID or Ironkey/Cryptocard), posture assessment, and integration with ScanSafe.

The company laptop scenario seems straightforward enough - stick AnyConnect 3.0 on the laptops, with the VPN, Posture and Web Security modules.  Two-factor authentication will work, as will posture assessment and forwarding of web traffic to ScanSafe.

The questions i have are -

1 - From the Cisco docs - You need a Secure Mobility for ScanSafe license in addition to ScanSafe Web Filtering and/or ScanSafe Malware Scanning licenses in order for roaming users to be protected by ScanSafe web scanning services.

Is the Secure Mobility for ScanSafe license purchased from ScanSafe and not something that sits on the ASA?

SSL VPN setup is more of an issue -

1 - Is two-factor authentication possible through the web login page?

2 - How does ScanSafe fit into this, if at all?  Which ScanSafe product is appropriate?

Thanks in advance,

Jason

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

Is the Secure Mobility for ScanSafe license purchased from ScanSafe and not something that sits on the ASA?

YES, you are right. This will be a separate license that you would need to purchase with the Scansafe solution.

1 - Is two-factor authentication possible through the web login page? YES, it is possible

2 - How does ScanSafe fit into this, if at all?  Which ScanSafe product is appropriate?

ScanSafe is a cloud web security solution. The AnyConnect Web Security module will protect users even when they are not inside the organization network. This AnyConnect Web Security module works independantly from the AnyConnect client. AnyConnect Web Security will protect the Windows laptop even when they are not VPN in using the AnyConnect SSL VPN. AnyConnect Web Security will protect web traffic from malware, spyware and the solution can also provide web filtering rules.

To understand and learn more about Cisco ScanSafe web cloud solution offering, please kindly get in touch with your Cisco Account Manager.

Thanks Jennifer.  But how would ScanSafe relate to a user sitting in an internet cafe on an untrusted machine?  If they opened up a web browser and created an SSL VPN is it possible to protect their browsing (outwith their access to company resources) with ScanSafe?

Thanks,

Jason

With clientless SSL VPN, they won't be able to.

But with AnyConnect SSL VPN full tunnel, yes, they can. You can configure no split tunnel (ie: tunnel all traffic back to the corporate) and use the company internal proxy server to send the web traffic towards ScanSafe.

However, if they use untrusted machine on the internet cafe, typically they wouldn't have access to install any application to the machine. So installing the AnyConnect SSL VPN client might not an option.

In any case, user sitting on the internet cafe normally will be browsing out the Internet, not your company resources, so we don't really care if the internet kiosk machine is infected. In any case, it would have been infected anyway since it is not protected from the beginning. You would only want to protect company resources, not internet kiosk machine.

Further to that, internet kiosk machine as you advise is already untrusted, and if you create an SSL tunnel back to your organization, that would only infect your company resources as ScanSafe only scans Internet web traffic. Anything directed towards the company resources will not be scanned as it won't be reachable from Scansafe cloud, and anything non web traffic will also not be protected. So essentially, you really don't want user to be using internet kiosk machine to be connecting to your company resources.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers