
Cisco AnyConnect Management Tunnel with Microsoft Cloud PKI

deanka75
Level 1

We have a customer that is moving many of their resources from on-prem datacentre to Azure cloud.

We would like to implement the Cisco Secure Client (AnyConnect) Management Tunnel. Can this be done using Microsoft Cloud PKI? Has anyone configured certificate authentication for either client or management tunnels before? Could you point us to resources/guides for this?

Accepted Solution

@deanka75 I haven't seen a specific Cisco guide for integration with Microsoft Cloud PKI, but from the ASA perspective you just need to trust the certificate used by the client, so you need to import the CA certificate to the ASA.

Once you have the CA certificate installed on the ASA, configure the management tunnel as per the following guide: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

The client computer must have a certificate in the computer store issued from the Microsoft Cloud PKI CA; these certificates would be distributed dynamically via the Microsoft solution.

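As an added example (not part of the original post, and not copied from the Cisco guide linked above), the following ASA configuration fragment shows the two server-side pieces the answer describes: trusting the CA that issued the client certificates, and a tunnel group that authenticates the management tunnel by certificate only. All names (the trustpoint, pool, ACL, group policy, tunnel group, profile name and flash path) and the address ranges and URL are assumptions chosen for illustration; the PEM body is a placeholder for the real issuing CA certificate exported from Microsoft Cloud PKI. If Cloud PKI issues from an issuing CA beneath a root, import each CA in the chain as its own trustpoint so the ASA can build the chain to the client certificate.

```text
! 1. Trust the Microsoft Cloud PKI issuing CA. "enrollment terminal" lets the
!    CA certificate be pasted in PEM form instead of enrolling with the CA.
!    revocation-check is disabled here to keep the example minimal; in
!    production point it at the CDP/OCSP responder published by the CA.
crypto ca trustpoint MS-CLOUD-PKI-ISSUING
 enrollment terminal
 revocation-check none
crypto ca authenticate MS-CLOUD-PKI-ISSUING
-----BEGIN CERTIFICATE-----
<paste the issuing CA certificate (PEM) here>
-----END CERTIFICATE-----
quit

! 2. Address pool and split-tunnel list for the management tunnel.
!    Use tunnelspecified/excludespecified, not tunnelall, for a management tunnel.
ip local pool MGMT-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list MGMT-SPLIT standard permit 10.20.0.0 255.255.0.0

! 3. Management VPN profile (.vpnm) created with the profile editor and uploaded
!    to flash. The profile's server list must point at the group-url below.
webvpn
 anyconnect profiles MGMT-PROFILE disk0:/mgmt-tunnel.vpnm

! 4. Group policy for the management tunnel. The same "type vpn-mgmt" profile
!    assignment also belongs on the group policy of the normal user tunnel, so
!    the client downloads the management profile during a user connection.
group-policy MGMT-GP internal
group-policy MGMT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MGMT-SPLIT
 client-bypass-protocol enable
 anyconnect profiles value MGMT-PROFILE type vpn-mgmt

! 5. Tunnel group: certificate-only authentication. The client presents the
!    machine certificate from its computer store; the ASA validates it against
!    the trustpoint in step 1. No username/password prompt is possible here,
!    because the management tunnel runs before any user logs in.
tunnel-group MGMT-TG type remote-access
tunnel-group MGMT-TG general-attributes
 address-pool MGMT-POOL
 default-group-policy MGMT-GP
tunnel-group MGMT-TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/mgmt enable
```

After pasting the CA, `show crypto ca certificates MS-CLOUD-PKI-ISSUING` should display the issuer you expect, and once a client connects, `show vpn-sessiondb anyconnect` shows the session against MGMT-TG. On the client side, the certificate has to sit in the computer (LocalMachine) store with its private key and the Client Authentication EKU; a certificate in the user store will not be used for the management tunnel, since that tunnel is established before a user logs in.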

3 Replies

I'd always configured the management tunnel using internal PKI; however, I don't think using Microsoft PKI to issue your certificates would be an issue, because at the end of the day the firewall needs to trust the certificates presented by the clients to establish the management tunnel, which means you need to import the issuer certificate into the firewall.


deanka75
Level 1

Thanks Aref and Rob,

I had another attempt at this, and in my pre-production environment it is now working as expected.

 

Many Thanks