cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
744
Views
3
Helpful
9
Replies

Disable ASA SSL WebVPN portal.Can you Still download anyconnect agents

tryingtofixit
Level 1
Level 1

We don't use the SSL WebVpn portal. I know it can disabled several ways. 

Does disabling this portal prevent the downloading of Anyconnect clients via https? 

 

9 Replies 9

ccieexpert
Spotlight
Spotlight

Yes if you disable it it will not allow downloads as the portal login is blocked..

there are ways to filter out all clientless access once they login and just be able to download the image...

Will having the portal disabled affect the ability for any connect to upgrade the clients automatically to newer versions provided that option is enabled?

Are you use anyconnect ikev2 and enable ssl vpn for downlaod ?

If you disable ssl vpn and you use ssl vpn the  all anyconnect will disable not only download 

MHM

I am only using Anyconnect Windows SSL vpn clients. no Ikev2 with Anyconnect client.

Then friend you can not disable ssl vpn then if you disable you will lost anyconnect connection.

MHM

I am not disabling sslvpn on the interface, but disabling the sslvpn client less web portal.

Under webvpn 

Keepout 

This will disconnect any client less vpn

Note:- this not effect anyconnect 

MHM

ccieexpert
Spotlight
Spotlight

the portal cannot be disabled as such otherwise anyconnect will not be able to connect. and behavior is different depending on version of code. with 9.17 the clientless feature was disabled/deprecated, so you can only download the anyconnect /secure client .

if you disable webvpn from a interface, then secure client also cannot connect.

What is your real goal ? with 9.17 clientless being deprecated , they can only download the image nothing else. prior to 9.16 you can block clientless from the group policy and the login using a browser can be blocked..

**Please rate as helpful if this was useful**

ccieexpert
Spotlight
Spotlight

quick correction with this command you can disable clientless, and still anyconnect will connect and download image updates etc when there is a new version.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/m_j-k.html#wp3977105965

keepout

To present an administrator-defined message rather than a login page for new user sessions (when the ASA undergoes a maintenance or troubleshooting period), use the keepout command in webvpn configuration mode. To remove a previously set keepout page, use the no version of the command.

keepout

no keepout string

Syntax Description

 

string

An alphanumeric string in double quotation marks.

Command Default

No keepout page.

Command Modes


The following table shows the modes in which you can enter the command:

 

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn configuration

  • Yes

  • Yes

Command History

 

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

When this command is enabled, the clientless WebVPN portal page becomes unavailable. You receive an administrator-defined message stating the unavailability of the portal rather than a login page for the portal. Use the keepout command to disable clientless access, but still allow AnyConnect access. You can also use this command to indicate portal unavailability when maintenance is occurring.

ccieexpert_0-1724615873855.gif

 

Note


If HostScan is installed, the keepout feature does not stop the ASA from opening pages like Cisco Secure Desktop portal. To avoid the Cisco Secure Desktop port, HostScan needs to be uninstalled.