Roman N. Krivov
Beginner

Cisco AnyConnect 4.7.x on the cloud's VM with RDP-connection

Hello,

 

I have a cloud virtual machine with Windows Server Standard Edition 2019. I have a problem with the VPN connection if I am connected to the server using RDP.

 

Снимок экрана 2021-06-01 в 17.18.51.png

 

But I don't have any problem if I connect to the server using the QEMU console as a remote connection (like netVNC):

 

Снимок экрана 2021-06-01 в 17.26.11.png

I'd use netVNC-connect first and reconnect using RDP, but that's not a good idea. )))

 

I need your help, because I have no idea.

What is the problem? Is this a problem with the kind of connection?

What type of connection is required?

 

 

7 REPLIES
Rob Ingram
VIP Mentor

@Roman N. Krivov 

By default, access is only allowed from locally logged-in Windows users. You can modify the AnyConnect XML profile to permit access from RDP users. Locate the XML profile and modify the WindowsVPNEstablishment attribute as below, changing it from LocalUsersOnly to AllowRemoteUsers. Then restart AnyConnect.

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <!-- ... other settings omitted ... -->
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    </ClientInitialization>
</AnyConnectProfile>

Thanks, but I can't find the file with the XML profile. Where is it located? Or how can I create it?

If you have an AnyConnect profile, there will be a host option in the drop-down list of the AnyConnect client. That will reference an XML profile, which will be located here:-

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

If you do not have an AnyConnect profile, you can use the AnyConnect Profile Editor (download from the Cisco website) to create a profile and amend the setting I mentioned above.

I created C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\AnyConnectProfile.xml:

 

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
    <ClientInitialization>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
        . . .
        </HostEntry>
        <HostEntry>
        . . .
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

But I still have a problem with the connection.

 

Снимок экрана 2021-06-01 в 19.14.23.png

 

1. Create a VPN Profile, using the built-in Profile Editor: Configuration -> AnyConnect Client Profile

2. In Preferences (Part 1) look for "Windows VPN Establishment" 

3. Set the option to AllowRemoteUsers, Apply, Save & Exit. MAKE SURE TO ASSIGN THE PROFILE TO THE CORRECT GROUP in the GROUP POLICIES and MAKE SURE THE NAME MATCHES THE CONNECTION NAME (KOMOS.xml in your case).

4. Click the profile you created and click Export.

5. Import the .XML file to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ in the remote machine.

 

 

Note: The reason why you are exporting and importing the profile is because for some reason AnyConnect does not download the profile until a successful login attempt is made. In your case no successful login attempt is made, so the profile does not download until you manually import it.

 

One more thing: there is an .xml file called "AnyConnectLocalPolicy.xml" in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client; you can try adding the command below to see if that fixes it.

<ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
</ClientInitialization>

 

Untitled.png

Roman N. Krivov
Beginner

Thank you for your advice.

SOLVED.

You are most welcome! Make sure you mark this thread resolved by choosing "This solved my issue"
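
Added example, not written by any poster in this thread or by Cisco: a PowerShell check that reads each profile XML in a directory and reports the two ClientInitialization settings discussed above, so an administrator can confirm that a hand-edited profile is well-formed and see which profiles relax the LocalUsersOnly default the thread describes. The function name, temporary directory and sample file name are hypothetical, and the sample profile is constructed.

```powershell
# Added example (not from the thread): report the two ClientInitialization
# settings discussed above for every profile XML in a directory.
function Get-AnyConnectEstablishmentSetting {
    param([Parameter(Mandatory)][string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)   # throws if the file is not well-formed XML

    $values = @{}
    foreach ($name in 'WindowsVPNEstablishment', 'WindowsLogonEnforcement') {
        # local-name() matches the element whatever xmlns the root declares.
        $xpath = "//*[local-name()='ClientInitialization']/*[local-name()='$name']"
        $node  = $doc.SelectSingleNode($xpath)
        $value = if ($null -ne $node) { $node.InnerText.Trim() } else { '(not set)' }
        $values[$name] = $value
    }

    [pscustomobject]@{
        Profile                 = Split-Path -Path $Path -Leaf
        WindowsVPNEstablishment = $values['WindowsVPNEstablishment']
        WindowsLogonEnforcement = $values['WindowsLogonEnforcement']
        # True only when the profile explicitly opts in to RDP-session users.
        AllowsRemoteSession     = ($values['WindowsVPNEstablishment'] -eq 'AllowRemoteUsers')
    }
}

# Constructed sample profile (hypothetical file name) so the script runs anywhere.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'anyconnect-profile-audit'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
'@ | Set-Content -Path (Join-Path $dir 'sample-profile.xml') -Encoding UTF8

# To audit a real host, set $dir to the Profile directory named in the thread.
Get-ChildItem -Path $dir -Filter *.xml | ForEach-Object {
    $file = $_
    try   { Get-AnyConnectEstablishmentSetting -Path $file.FullName }
    catch { Write-Warning "$($file.Name): $($_.Exception.Message)" }
} | Format-Table -AutoSize
```

A profile that fails to parse is reported as a warning with its file name, which catches the unclosed-element mistakes that are easy to make when editing the XML by hand.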