10-14-2024 07:19 AM
We have a customer that is moving many of their resources from on-prem datacentre to Azure cloud.
We would like to implement the Cisco Secure Client (AnyConnect) Management Tunnel. Can this be done using Microsoft Cloud PKI? Has anyone configured certificate authentication for either client or management tunnels before? Could you point us to resources/guides for this?
10-14-2024 08:22 AM
@deanka75 I haven't seen a specific Cisco guide for integration with Microsoft Cloud PKI, but from the ASA perspective you just need to trust the certificate used by the client, so you need to import the CA certificate to the ASA.
Once you have the CA certificate installed on the ASA, configure the management tunnel as per the following guide: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html
The client computer must have a certificate in the computer store issued by the Microsoft Cloud PKI CA; these certificates would be distributed dynamically via the Microsoft solution.
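As an added example, not configuration from the original post or from the linked Cisco guide: the ASA-side pieces described above, assuming an ASA 9.x terminating the management tunnel over SSL. The trustpoint name, certificate map, issuer CN, address pool, tunnel-group and URL are placeholders; the management VPN profile, split-tunnel list and the client-side certificate deployment are not repeated here and should follow the linked guide.

```text
! Added example, not from the original post or the Cisco guide. All names are placeholders.
! ASA CLI: trust the Microsoft Cloud PKI issuing CA and restrict the management
! tunnel-group to client certificates from that issuer.

! 1. Trustpoint for the CA that signs the client (computer) certificates.
!    Paste the base64 CA certificate when prompted and finish with "quit".
!    If Cloud PKI uses a root plus an issuing CA, authenticate one trustpoint
!    per CA so the ASA can build the full chain.
!    revocation-check crl requires the ASA to reach the CRL distribution point
!    in the client certificate; the default is no revocation checking.
crypto ca trustpoint MS-CLOUD-PKI-ISSUING
 enrollment terminal
 validation-usage ssl-client ipsec-client
 revocation-check crl
crypto ca authenticate MS-CLOUD-PKI-ISSUING
! <paste PEM here>
! quit

! 2. Certificate map: match only certificates issued by that CA.
!    A tunnel-group set to "authentication certificate" otherwise accepts any
!    certificate that chains to any trustpoint on the ASA, so pin the issuer.
!    The CN below is a placeholder for the real Cloud PKI issuing CA name.
crypto ca certificate map MGMT-CERT-MAP 10
 issuer-name attr cn eq "Contoso Cloud PKI Issuing CA"

! 3. Group policy and tunnel-group for the management tunnel.
!    Do not configure a banner here: the management tunnel runs headless
!    before user logon and a banner prompt makes it fail.
ip local pool MGMT-POOL 10.250.0.10-10.250.0.250 mask 255.255.255.0

group-policy MGMT-TUNNEL-GP internal
group-policy MGMT-TUNNEL-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value MGMT-POOL

tunnel-group MGMT-TUNNEL type remote-access
tunnel-group MGMT-TUNNEL general-attributes
 default-group-policy MGMT-TUNNEL-GP
tunnel-group MGMT-TUNNEL webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/mgmt enable

! 4. Send sessions whose certificate matches the map to the management tunnel-group.
webvpn
 certificate-group-map MGMT-CERT-MAP 10 MGMT-TUNNEL

! 5. Checks after a client connects
show crypto ca certificates MS-CLOUD-PKI-ISSUING
show running-config crypto ca certificate map
show vpn-sessiondb anyconnect
```

The certificate map is the part worth keeping even if everything else is copied from the guide: with only `authentication certificate` on the tunnel-group, a certificate from any other CA the ASA trusts (for example a trustpoint imported for a different purpose) would also be accepted for the management tunnel. Matching on the issuer, and optionally on subject attributes that only computer certificates carry, limits the tunnel to the devices Cloud PKI actually enrolled.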
10-14-2024 08:20 AM
I've always configured the management tunnel using internal PKI; however, I don't think using Microsoft PKI to issue your certificates would be an issue because, at the end of the day, the firewall needs to trust the certificates presented by the clients to establish the management tunnel, which means you need to import the issuer certificate into the firewall.
10-15-2024 03:56 AM
Thanks Aref and Rob,
I had another attempt at this, and on my pre-production environment it is now working as expected.
Many Thanks