04-11-2012 01:50 PM - edited 02-21-2020 06:00 PM
Hello All,
I think this is a pretty easy question, but I was unable to find a good answer anywhere. Is it possible to force a client to connect with AnyConnect when they get an internet connection? Basically, this would be for client control. Split tunneling would be disabled so all traffic would have to go through the VPN. They wouldn't be able to browse the internet when not on the AnyConnect VPN client. Is this even possible?
Thanks,
Alan
04-12-2012 05:35 AM
Dear Alan,
Thank you for posting.
Please check this out:
Trusted Network Detection
"Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network). This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network."
Keep me posted.
Thanks.
04-12-2012 06:13 AM
Hello Javier,
Thanks for the reply, that is different in the right direction I was going with my question. It doesn't seem like there is a way to force the user to use the AnyConnect VPN. It would be nice if we could have either our clients connected with AnyConnect VPN to the Internet or nothing at all. That way we can control all the traffic on those machines. Thanks again for the post, very useful information.
Best Regards,
Alan Herriman
04-12-2012 06:19 AM
Actually the Always-on VPN feature with the TND feature seems like it would do the job; that document had it listed a little further down.
Thanks again Javier!
04-12-2012 06:37 AM
Yes, I actually wanted to post about Always-on, but it will always force the VPN connection so I was not sure if that was the ideal feature for you.
I am glad to know you find it helpful.
Take care
04-12-2012 08:11 AM
You would need the AnyConnect TND feature with the Always-on functionality, plus, optionally, an IronPort Web Security appliance (if you want extra control and protection).
Basically, TND and Always-on would keep the employee either disconnected when on premises or connected when on premises. When connected, the tunneled traffic would be routed to a WCCP-speaking router and sent to IronPort for inspection and back through the ASA to the internet. ASA integrates with the IronPort via the MUS protocol for user identity forwarding.
If no extra inspection is required then user traffic is U-turned and NATed back to the internet. It is a rather simple setup altogether.
The behaviour of the employee AnyConnect client is remotely controlled via the client profiles.
Always-on requires SSL Premium licenses. This costs a lot more than the Essentials.
Hope this helps.
Sent from Cisco Technical Support iPad App
04-12-2012 08:34 AM
Thanks for the reply Marko,
Do you know if the TND feature requires a premium license as well? Good licensing info!
Thanks,
Alan
04-14-2012 07:27 AM
According to the documentation, TND does not seem to require the premium license. However, what would be the use case without some sort of connection enforcement/automation? The users are generally aware when they are not on-premise :-)
Regards,
Marko
04-15-2012 04:10 PM
Actually I have done lots of testing with AnyConnect Always-on and TND; it seems to work well, however you have to make sure of a few things for this to work correctly if you want the user experience to be smooth. Some of this information is lacking in Cisco's documentation but I learned the hard way.
Requirements for Always-on
- ASA Premium AnyConnect license; the Essentials license will not work.
- You will need a 3rd-party cert like VeriSign or equivalent applied to the ASA.
- You will also need a private trusted certificate on the ASA that is trusted by your internal CA and a client-side cert on your machines using AnyConnect; this is what will be used to authenticate the end user. You can also use the ASA's built-in CA capabilities if you don't have an internal CA. You will need to figure out how you want to distribute these certificates, by using GPO or SCEP, which is supported by ASA and works pretty nice.
Depending on how and what you want to run prior to Windows login, you may want to use the AnyConnect Start Before Logon feature if you are running login scripts to map drives, etc. We use both.
Last but not least, depending on what you use for your 802.11 and 802.1X supplicant, you may want to look at the Cisco AnyConnect NAM module, which is free with AnyConnect and requires no additional license. This works nice and allows you to pre-configure connection policies and works pretty slick helping AnyConnect transition between wired, wireless, etc. connections.
Good luck with your testing.
Sent from Cisco Technical Support iPad App
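For readers who want to see how the pieces discussed above (TND deciding trusted vs. untrusted network, Always-on forcing the tunnel, and the fail-open vs. fail-closed choice) fit together, here is an added example of an AnyConnect client profile. It is not from any post in this thread or from Cisco's documentation; the domain, DNS server, and headend hostname are constructed placeholders, and a real deployment must replace them with its own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile; hostnames and addresses are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start Before Logon, as mentioned for login scripts / drive mapping -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <!-- Client certificate selected automatically for user authentication -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>

    <!-- Trusted Network Detection: "inside" is decided by the DNS suffix
         and DNS server the client sees, so use values only the corporate
         network hands out (placeholders here). -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>
      <!-- On the trusted network: tear the tunnel down -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <!-- Off the trusted network: bring the tunnel up automatically -->
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>

      <!-- Always-on: block non-VPN traffic while untrusted. -->
      <AlwaysOn>true
        <!-- Closed = fail closed (no internet if the headend is unreachable).
             Change to Open for fail open, which is easier to support but
             lets traffic bypass the tunnel when the VPN cannot connect. -->
        <ConnectFailurePolicy>Closed
          <!-- Short window to log in to hotel/airport captive portals -->
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <!-- Users may not disconnect the tunnel themselves -->
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <!-- Placeholder headend; must match the ASA's public certificate -->
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The choice that matters most for support load is ConnectFailurePolicy: Closed gives the "VPN or nothing" behaviour the original question asked for, while Open keeps users working if the headend is down at the cost of traffic leaving the tunnel. The captive-portal remediation window limits how long that exception is open either way. Note also that TND only trusts what the local network tells it over DNS, so the trusted domain and server values should be ones an arbitrary hotspot would not plausibly advertise.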
04-16-2012 06:03 AM
Thanks for the info Vabruno, that was all really useful information!
09-27-2012 12:58 PM
Can anyone share their experience with large-scale deployment of Always-on, with either the fail open or fail closed option? I have concerns about end user support if their VPN doesn't work, especially with fail closed. How do you support these users?
09-27-2012 02:09 PM
Hi Jintao99,
This post has been answered already; I encourage you to open a new one and ask again, as it will be more visible as a new post.
Thanks.
Portu.