I've been trying to setup End point protection for a customer (trying to ensure that the customer has anti-virus on his laptop before giving access to him for Remote Access VPN) and i understand that the only way this can be done is by installing CSD on the firewall. But when i try installing it i get an error that it's end of life.
I've been looking around and it seems that CSD is EOL. If that's the case, then is there an alternative for offering end point assessment?
Yes - CSD is End of Life.
Hostscan is the component that work with the ASA and its posture assessment features that come with AnyConnect Apex (new for AC 4.x) or Premium (old style) licenses. It can be downloaded from the AnyConnect downloads page.
Thanks for the response!
So i'm currently using the ASA 5525 which was ordered in March this year, 2015. So based on this a few questions for you:
1. Can i still use CSD? I know that Cisco says it's end of life since August 2015, but since was ordered earlier, i'm wondering if i can download it from Cisco and install it?
2. If i cannot download and install CSD, can i use Host scan alone as a functionality here on my firewall and can i tie that in with my DAP? I believe Host scan used to be integrated with CSD earlier, but i believe it is separate now. Am i right?
CSD is no longer offered for download.
Hostscan is a pkg file that will deploy to your remote users' client desktops (one image for Windows, Mac OS X and Linux).
It is now separate from CSD; but it is the important part for interacting with DAP on the ASA to provide the client posture information that is used by DAP to make policy enforcement decisions.
Apologies as i know that it's been a while since i asked this question. But would you be able to tell me how does posture assessment work with just Hostscan now with a DAP? I tried to choose Antivirus from the Endpoint section in the DAP and it tells me that CSD needs to be enabled.
Have you uploaded a hostscan package onto your ASA?
They can be found here:
As noted in the AnyConnect Release notes, the ASA Posture Module uses the hostscan package to perform the scanning that used to be integral to CSD.
If you have that (and have restarted ASDM since adding it), you should be able to configure AV and other hostscan-based checks in your DAP. See my example below (open in new tab to zoom):
I have the hostscan pkg file loaded on my ASA 5555x and I understand that I need to enable Host Scan to use a DAP. However when I enable Host Scan, and I navigate my web browser to my SSL portal, then a CSD page is launched (which I do not want to affect my webvpn users when navigating to my SSL portal page.).
My goal is to identify connecting machines based on registry keys and deny Anyconnect connections for machines that do have the key I'm looking for. I do not want it to change the behavior of the web SSL portal in any way (I do not want to display a CSD page to my end users).
Theoretically, this should be possible but it doesn't work. I have even created a separate tunnel-group that I'm dedicating to Anyconnect (I have the commands "without-csd" on all other tunnel groups and when I enable hostscan it still launches the CSD page when navigating to the SSL portal.
Is there a workaround? Remember, my goal is to identify connecting machines based on registry keys and deny connections for machines that do have the key I'm looking for.
I have been working with TAC and 2 bugs have been identified but neither seem to be maintained or up to date.
I'm running ASA software version 9.7(1) which is not mentioned in the details of either bug.
Ultimately, I need something that will help me reach my goal.
What are other people doing and why is this not an issue for anyone else?
It's very disappointing to say the least.
Thank you for your input.