Re: Cisco AnyConnect 4.7.x on the cloud's VM with RDP-connection

Roman N. Krivov · ‎06-01-2021

Hello,

I've a cloud virtual machine with Windows Server Standard Edition 2019. I have are problem with VPN-connection If I connected to the server using RDP.

But I don't have any problem if I connected to the server using the QEMU console as a remote connection (like as netVNC):

I'd use netVNC-connect first and reconnect using RDP, but that's not a good idea. )))

I need your help, because I have no idea.

What is problem? Is this problem with the kind of connection?

What type of connection is required?

Rob Ingram · ‎06-01-2021

@Roman N. Krivov

By default, access is only allowed from locally logged in windows users. You can modify the AnyConnect XML profile to permit access from RDP users. Locate the XML profile and modify WindowsVPNEstablishment attribute as below, changing from LocalUsersOnly to AllowRemoteUsers. Then restart anyconnect.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
!

!

!
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

Roman N. Krivov · ‎06-01-2021

Thanks, but I can't find the file with the XML profile.' Where is it located? Or How can I create it?

Rob Ingram · ‎06-01-2021

If you have an AnyConnect profile, there will be a host option in the drop-down list of the AnyConnect client. That will reference an XML profile, which will be located here:-

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

If you do not have an AnyConnect profile, you can use the AnyConnect Profile Editor (download from cisco website) to create an profile and amend the setting I mentioned above.

Roman N. Krivov · ‎06-01-2021

I created C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\AnyConnectProfile.xml:

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
    <ClientInitialization>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>    		
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    </ClientInitialization>

    <ServerList>
        <HostEntry>
        . . .
        </HostEntry>

        <HostEntry>
        . . .
        </HostEntry>
    </ServerList>
</AnyConnectProfile>

But I still have any problem with connection.

Yousif Ahmed · ‎06-01-2021

1. Create a VPN Profile, using the built in Profile Editor Configuration -> Anyconnect Client Profile

2. In Preferences (Part 1) look for "Windows VPN Establishment"

3. Set the option to AllowRemoteUsers, Apply Save & Exit. MAKE SURE TO ASSIGN THE PROFILE TO THE CORRECT GROUP in the GROUP POLICIES and MAKE SURE THE NAME MATCHES THE CONNECTION NAME MATCHES KOMOS.xml in your case.

4. Click the profile you created and click Export.

5. Import the .XML file to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ in the remote machine.

Note: The reason why you are exporting and importing the profile is because for some reason Anyconnect does not Download the profile until successful login attempt is made. In your case no successful login attempt is made, so the profile does not download until you manually import it.

One more thing there is a .xml file called

"AnyConnectLocalPolicy.xml in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client,

you can try adding the command below to see if that fixes it.

<ClientInitialization>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>    		
        <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    </ClientInitialization>

Roman N. Krivov · ‎06-03-2021

Thank you for your advice.

SOLVED.

Yousif Ahmed · ‎06-04-2021

You are most welcome! Make sure you mark this thread resolved by choosing "This solved my issue"