ASA Clientless SSL VPN RDP Port Forwarding and DNS
We're experiencing an issue on our Corporate network, connecting to an external Supplier. The external Supplier uses an AnyConnect device with a frontend; after logging in, they then appear to use the AnyConnect RDP Port Forwarding functionality (sorry, I don't know the official Cisco product name for this "AnyConnect SSL Clientless VPN"?).
Access to this Supplier Site works fine from a typical ADSL Network, and other locations - but not on our Corporate network. This access appears to do some "magic" on the PC, which causes the RDP Traffic destined for 220.127.116.11 to be Port Forwarded through to the Supplier's ASA, which then translates the flow to the Actual 10.205.x.x IP address of the RDP Server in their estate.
On our Corporate estate, we make use of Websense proxies - explicitly pointed to by a WPAD/PAC file - and importantly, the WPAD/PAC also proxies all DNS requests to external websites. To reiterate, our Corporate internal DNS servers do not resolve external DNS entries - Internet access works fine to external websites, it is just that the original DNS request is also proxied via the Websense proxy, which then makes the DNS lookup (and HTTP/HTTPS proxying) on the client's behalf.
When I've Wiresharked this flow, it appears that subsequent DNS lookups - once the AnyConnect session is created - to the Supplier's website fail. I assume what the SSL VPN Port Forwarding Java/ActiveX Client does is to hijack these DNS lookups, and redirect them to 127.1.2.3 - to force them via the Port Forwarding "Tunnel"?
If so, can you please advise what client-side (or Supplier server-side) changes we need to make, given that our internal DNS servers cannot be made to resolve external domain names (those outside our Corporate/Company internal hostnames)? Or is this a known bug?
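As an added diagnostic (not part of the original post and not Cisco's own tooling), the script below checks the hypothesis raised above: that the port-forwarding client maps the Supplier's hostnames to 127.x.x.x loopback addresses so that traffic is steered into the tunnel, and that a PAC-driven proxy can defeat that mapping because the browser hands unresolved hostnames to the proxy instead of looking them up locally. It parses a hosts file, lists every hostname mapped into 127.0.0.0/8, and classifies each one by whether a constructed set of PAC bypass patterns would let the client resolve it locally. The hosts-file mechanism, the `rdp.supplier.example` / `portal.supplier.example` names, the bypass patterns and the `SAMPLE_HOSTS` content are all assumptions constructed for the example, modelled on the 127.1.2.3 address mentioned in the post.

```python
"""Added diagnostic: which loopback overrides in a hosts file would actually
take effect on a client whose DNS is proxied via a WPAD/PAC file.

Assumptions (not from the original post):
  * the Clientless SSL VPN port-forwarding applet writes hostname -> 127.x.x.x
    entries into the client's hosts file while a session is active;
  * the PAC returns DIRECT only for hosts matching the bypass patterns; every
    other hostname is sent to the proxy by name, so a hosts-file override for
    it is never consulted on the client.
"""
import fnmatch
import ipaddress

# Constructed sample hosts file (not captured from a real system).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1   localhost
::1         localhost
# entries of the kind the port-forwarder is assumed to add (constructed)
127.1.2.3   rdp.supplier.example
127.1.2.4   portal.supplier.example
10.0.0.5    intranet.corp.example
"""

# Constructed PAC bypass list: names the PAC returns DIRECT for.
SAMPLE_BYPASS = ["*.corp.example", "rdp.supplier.example"]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def loopback_overrides(entries):
    """Map hostname -> IPv4 loopback address for every non-localhost override."""
    result = {}
    for ip, name in entries:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed lines rather than failing the whole scan
        if addr.version == 4 and addr.is_loopback and name != "localhost":
            result[name] = ip
    return result


def resolved_locally(hostname, bypass_patterns):
    """True if the (assumed) PAC returns DIRECT, so the client resolves the name."""
    host = hostname.lower()
    return any(fnmatch.fnmatch(host, pat.lower()) for pat in bypass_patterns)


def classify(hosts_text, bypass_patterns):
    """For each loopback override, say whether the tunnel would be used.

    'tunnelled'        -> client resolves locally, hosts override applies
    'proxied-by-name'  -> PAC sends the name to the proxy; override is bypassed
    """
    report = {}
    for name, ip in loopback_overrides(parse_hosts(hosts_text)).items():
        state = "tunnelled" if resolved_locally(name, bypass_patterns) else "proxied-by-name"
        report[name] = (state, ip)
    return report


if __name__ == "__main__":
    for name, (state, ip) in sorted(classify(SAMPLE_HOSTS, SAMPLE_BYPASS).items()):
        print(f"{name:28s} {ip:12s} {state}")
```

Running it against a real client's hosts file (after an active port-forwarding session) and the real PAC's bypass rules shows at a glance which Supplier hostnames still get handed to the Websense proxy by name; those are the ones whose loopback mapping, and therefore the tunnel, never comes into play for proxy-aware applications.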