08-23-2024 01:37 PM
We don't use the SSL WebVpn portal. I know it can be disabled several ways.
Does disabling this portal prevent the downloading of AnyConnect clients via HTTPS?
08-23-2024 06:21 PM
Yes, if you disable it, it will not allow downloads, as the portal login is blocked.
There are ways to filter out all clientless access once they log in and just be able to download the image...
08-25-2024 09:05 AM
08-25-2024 09:11 AM
Are you using AnyConnect IKEv2 and enabling SSL VPN for download?
If you disable SSL VPN and you use SSL VPN, then all of AnyConnect will be disabled, not only the download.
MHM
08-25-2024 10:21 AM
I am only using AnyConnect Windows SSL VPN clients. No IKEv2 with the AnyConnect client.
08-25-2024 12:54 PM
Then, friend, you cannot disable SSL VPN; if you disable it, you will lose the AnyConnect connection.
MHM
08-25-2024 12:57 PM
08-25-2024 01:15 PM - edited 08-25-2024 01:17 PM
Under webvpn
Keepout
This will disconnect any clientless VPN.
Note: this does not affect AnyConnect.
MHM
08-25-2024 12:30 PM
The portal cannot be disabled as such, otherwise AnyConnect will not be able to connect. Behavior is also different depending on the version of code. With 9.17 the clientless feature was disabled/deprecated, so you can only download the AnyConnect/Secure Client.
If you disable webvpn from an interface, then Secure Client also cannot connect.
What is your real goal? With 9.17, clientless being deprecated, they can only download the image, nothing else. Prior to 9.16 you can block clientless from the group policy, and the login using a browser can be blocked.
**Please rate as helpful if this was useful**
08-25-2024 12:58 PM
Quick correction: with this command you can disable clientless, and AnyConnect will still connect and download image updates etc. when there is a new version.
To present an administrator-defined message rather than a login page for new user sessions (when the ASA undergoes a maintenance or troubleshooting period), use the keepout command in webvpn configuration mode. To remove a previously set keepout page, use the no version of the command.
keepout
no keepout string
string: An alphanumeric string in double quotation marks.
No keepout page.
The following table shows the modes in which you can enter the command:
| Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System) |
|---|---|---|---|---|---|
| Webvpn configuration | | — | | — | — |

| Release | Modification |
|---|---|
| 8.0(2) | This command was added. |
When this command is enabled, the clientless WebVPN portal page becomes unavailable. You receive an administrator-defined message stating the unavailability of the portal rather than a login page for the portal. Use the keepout command to disable clientless access, but still allow AnyConnect access. You can also use this command to indicate portal unavailability when maintenance is occurring.
Note: If HostScan is installed, the keepout feature does not stop the ASA from opening pages like Cisco Secure Desktop portal. To avoid the Cisco Secure Desktop port, HostScan needs to be uninstalled.
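An added example, not part of any post in this thread: a small audit over a saved ASA running-config that reports whether webvpn is enabled on an interface without a `keepout` page and which group policies still list `ssl-clientless` under `vpn-tunnel-protocol`. The sample config, the group-policy names, and the assumption that the saved config shows the line as `keepout "message"` are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (assumed layout, not from the thread).
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect enable
group-policy GP_STAFF internal
group-policy GP_STAFF attributes
 vpn-tunnel-protocol ssl-client
group-policy GP_LEGACY internal
group-policy GP_LEGACY attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
"""

def audit_clientless(config):
    """Collect webvpn interfaces, the keepout string, and clientless group policies."""
    result = {"webvpn_interfaces": [], "keepout": None, "clientless_policies": []}
    section = ""  # most recent top-level (unindented) config line
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = line
            continue
        if section == "webvpn":
            m = re.match(r"enable\s+(\S+)", line)
            if m:
                result["webvpn_interfaces"].append(m.group(1))
            # Assumption: the saved config shows the line as: keepout "message"
            m = re.match(r'keepout\s+"?(.*?)"?$', line)
            if m:
                result["keepout"] = m.group(1)
        elif re.fullmatch(r"group-policy \S+ attributes", section):
            words = line.split()
            if words[0] == "vpn-tunnel-protocol" and "ssl-clientless" in words:
                result["clientless_policies"].append(section.split()[1])
    return result

def findings(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    r = audit_clientless(config)
    out = []
    if r["webvpn_interfaces"] and r["keepout"] is None:
        out.append("webvpn enabled on %s without a keepout page"
                   % ", ".join(r["webvpn_interfaces"]))
    for name in r["clientless_policies"]:
        out.append("group-policy %s still permits ssl-clientless" % name)
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)) or "no clientless exposure found")
```

The check does not account for the HostScan caveat in the note above or for version-specific behavior such as the 9.17 deprecation mentioned in the thread.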