01-08-2016 03:19 AM
Hello,
We have an AnyConnect remote access VPN and everything works great. Due to our network security, we are only allowed to connect using our work-provided laptops. We were wondering if there was a way to only allow port 3389 with an access list, so we could install the AnyConnect client on our home computer, log in to the network, and RDP to the servers necessary. Is this possible, or is there anything similar to this? Any help or advice is appreciated! Thanks!
01-08-2016 01:18 PM
Is this an ASA or some other Cisco device?
If it is a Cisco ASA have you considered using a clientless VPN connection? Users just open a web browser and point it to the ASA. You add RDP as an application, and then that is the only thing they can access. This does not use AnyConnect at all.
You could also use the "Advanced Endpoint Assessment" licence and a Dynamic Access Policy. "Advanced Endpoint Assessment" lets you test things on the machine - for example is this an AD joined machine. You can then apply different access policies based on that test.
So, for example, a user with a work notebook and AnyConnect could get access to everything and the same user, with the same username, on a home notebook, using the same AnyConnect client, could be limited to only RDP access.
"Advanced Endpoint Assessment" also lets you test things like is antivirus installed and lots of other things.
This article talks about using DAP (Dynamic Access Policies) and Advanced Endpoint Assessment:
(Search for "Advanced Endpoint Assessment" to get to the bit you are interested in).
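As an added worked example (not part of the original answer), here is what the "RDP only for unmanaged endpoints" design from the reply above looks like in ASA CLI. It restricts a VPN session to TCP/3389 with a vpn-filter ACL on a group policy, and shows the equivalent DAP record that applies the same ACL only when a DAP endpoint check (for example the AD-membership or registry test the reply mentions) does not match a managed laptop. All names, the AnyConnect address pool 192.168.100.0/24 and the server subnet 10.0.0.0/24 are hypothetical; the endpoint selection criteria of the DAP record are stored in dap.xml and are normally authored in ASDM, so they are not shown here.

```cisco
! Hypothetical addresses: AnyConnect pool 192.168.100.0/24, RDP servers 10.0.0.0/24.
! vpn-filter ACEs are written with the VPN client as the source; the ASA applies
! the filter in both directions and reverses the addresses for return traffic.
access-list RDP-ONLY extended permit tcp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 3389
access-list RDP-ONLY extended deny ip any any log

! Option 1: a dedicated group policy whose sessions are always limited to RDP.
group-policy HOME-RDP-ONLY internal
group-policy HOME-RDP-ONLY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value RDP-ONLY

ip local pool HOME-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
tunnel-group HOME-RDP type remote-access
tunnel-group HOME-RDP general-attributes
 address-pool HOME-POOL
 default-group-policy HOME-RDP-ONLY

! Option 2: same user, same client, but the ACL is applied only when the
! DAP endpoint criteria (defined in ASDM / dap.xml) select this record,
! e.g. "endpoint is not AD-joined". A DAP network-acl overrides the
! group-policy vpn-filter for that session.
dynamic-access-policy-record UNMANAGED-RDP-ONLY
 description "Unmanaged endpoint: restrict tunnel to RDP"
 network-acl RDP-ONLY
 action continue
 user-message "Unmanaged device detected: access limited to RDP"
```

To check what a connected session actually received, `show vpn-sessiondb anyconnect filter name <user>` reports the filter name applied to the session, and `show access-list RDP-ONLY` shows hit counts on the permit and deny entries. Two caveats a practitioner should keep in mind: the ACL constrains the tunnel, not the endpoint, so an unmanaged home PC still exposes the RDP session to whatever is running on it (keyloggers, clipboard and drive redirection), and the DAP only enforces the restriction if the posture check it relies on cannot be trivially satisfied by an attacker who controls the home machine.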