
Ignore local proxy with AnyConnect VPN?

andrewtrev
Level 1

Hi,

We have Cisco AnyConnect VPN deployed for remote connectivity to our corporate network. Whilst working on the corporate network we have the Windows 10 (IE) proxy settings configured by GPO. When connecting to the VPN, the proxy should not be used as this is inaccessible at this stage. If we disable the IE proxy, then the VPN can be established with no issue.

From reading the admin guide, it appears that this behaviour can be changed by setting VPN profile proxy settings to "IgnoreProxy" using the profile editor. This should "ignore the browser proxy settings on the user's computer" whilst establishing the tunnel. Setting this appears to make no difference for us and we still have to disable the proxy on the local PC. Are we missing something here?


Please try to go into the group policy attributes settings and issue the command "msie-proxy method no-proxy".

Thanks for the response. Couple of questions though.

Will this disable the proxy prior to the VPN establishment phase? This is the critical bit as we are using AnyConnect with Azure MFA using SAML (I forgot to mention this!) and the client needs to be able to access the authentication URLs, which is not possible if the proxy is set.

Will the proxy remain disabled after the VPN has been established? This should not be the case as the corporate proxy settings are required once connected.


Basically we need to be able to disable the proxy temporarily whilst the VPN is being established only.

No, it shouldn't, as already mentioned. As those attributes are applied to the firewall group policy, they would live only during the connection lifetime; once the connection is ended, those attributes won't have any effect.

Milos_Jovanovic
VIP Alumni

Hi @andrewtrev,

I believe the answer to your question is: no, it will not. You are applying group-policy upon successful connection, not during one. After you get authenticated, you'll proceed with authorization, in which you'll get the no-proxy configuration.

The IgnoreProxy option that you originally mentioned is meant to instruct AnyConnect not to use a proxy while building the tunnel, but it doesn't state that it should bypass other dependent communication (such as SSO). Upon successful connection, you can again push proxy settings via group-policy, for the tunneled connection.

One option that I see is that you create a proxy exception for the SSO page. You might get some issues with this if the same GPO is applied for both on-site and off-site users.

Another solution could be the introduction of a PAC file, and some logic behind it.

BR,

Milos
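The PAC-file idea from the reply above, sketched as an added example (not code from the thread or from Cisco): the sign-in hosts bypass the proxy only while the tunnel is down, and everything else still goes to the corporate proxy with no `DIRECT` fallback. Every host name and the proxy address are assumptions, and it presumes the browser used for the SAML step honours the system PAC setting.

```javascript
// PAC engines on Windows can be old, so this sticks to ES3 syntax (var, for loops).
var CORP_PROXY = "PROXY proxy.corp.example:8080"; // placeholder corporate proxy
var INTERNAL_PROBE = "proxy.corp.example";        // assumed to resolve only on-site or over the VPN

// Hosts the SAML step must reach before the tunnel exists (assumed list;
// complete it from the identity provider's documentation).
var PRE_TUNNEL_DIRECT = [
  "vpn.corp.example",          // placeholder: VPN headend that receives the SAML response
  "login.microsoftonline.com"  // assumed Azure sign-in host
];

// Exact or dot-boundary suffix match, so "notlogin.microsoftonline.com" and
// "login.microsoftonline.com.other.example" do not inherit the bypass.
function hostMatches(host, suffix) {
  host = host.toLowerCase();
  return host === suffix || host.slice(-(suffix.length + 1)) === "." + suffix;
}

function isPreTunnelHost(host) {
  for (var i = 0; i < PRE_TUNNEL_DIRECT.length; i++) {
    if (hostMatches(host, PRE_TUNNEL_DIRECT[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  // isResolvable() is a standard PAC helper; it costs a DNS lookup per request.
  var onCorpNet = isResolvable(INTERNAL_PROBE);
  if (!onCorpNet && isPreTunnelHost(host)) {
    return "DIRECT"; // off-site, tunnel down: allow only the sign-in flow
  }
  // On-site or tunnel up: corporate proxy as before. Off-site for any other
  // host: the proxy is unreachable and there is no DIRECT fallback, so the
  // request fails instead of leaving the machine unfiltered.
  return CORP_PROXY;
}
```

Because the bypass is conditional on the internal name not resolving, the same PAC URL can be pushed by one GPO to on-site and off-site users.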
