AnyConnect Web Portal only works from inside

Hi,

I have set up my AnyConnect and it works beautifully. However, from the outside, my browser can't open the Web Portal, even though connecting to the AnyConnect itself is fine. From the inside it also works fine.

I'd like to have the opportunity for my users to be able to download the client through the web interface.

Is this something that is normal to have enabled? Is it safe and advisable to have a web interface exposed to the outside? Is it possible to have some kind of captcha and connection attempt limitation? I'd like to maybe have an access restriction on which IPs can access that webpage also. 

5 Replies

@NetworkStorm9000 ASA or FTD software?

Exposing the web interface is acceptable, just ensure the system is running an up-to-date, patched version.

No, you cannot use a captcha; you can do 2FA.

You can use a control-plane ACL to restrict IP addresses, though that'll be hard to do for RAVPN users with dynamic IP addresses.
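
A control-plane ACL of the kind mentioned in the reply above, as an added example that is not part of the original thread. The names PORTAL-ALLOWED and CP-OUTSIDE and the 198.51.100.0/24 range are constructed placeholders; it assumes the SSL VPN listener is on TCP 4443 on the outside interface and that the upstream NAT device preserves the client source address.

```cisco
! Constructed example: source networks allowed to reach the SSL VPN listener
object-group network PORTAL-ALLOWED
 network-object 198.51.100.0 255.255.255.0
!
! Permit the allowed sources to the listener port, deny everyone else on that port
access-list CP-OUTSIDE extended permit tcp object-group PORTAL-ALLOWED any eq 4443
access-list CP-OUTSIDE extended deny tcp any any eq 4443
! Explicitly permit all other to-the-box traffic so this ACL only affects port 4443
access-list CP-OUTSIDE extended permit ip any any
!
! The control-plane keyword applies the ACL to traffic addressed to the ASA itself,
! not to traffic passing through it
access-group CP-OUTSIDE in interface outside control-plane
```

The ACL matches on port only, so it cannot tell a portal page request from an AnyConnect client connection arriving on the same port. Hit counts can be checked with `show access-list CP-OUTSIDE`.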

Thanks for that info. It's running ASA. Any idea what's causing it? It's running on port 4443, and that's the only port that's NATed to the firewall.

@NetworkStorm9000 double check...

In order to enable the WebVPN on the outside interface, choose Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles.

Check the Allow Access checkbox next to the outside interface.

 

CLI:

ASA(config)# webvpn
ASA(config-webvpn)# enable outside

 

I double-checked it, and it was enabled. But just to be clear, I want my users to use the AnyConnect desktop client, and only use the web portal to download it. Do I still need to enable this clientless access? Does that simply mean that clients are allowed to connect to the portal page?