Only allow RDP in anyconnect vpn session

austinmbailey1
Level 1

Hello,

We have an AnyConnect remote access VPN and everything works great. Due to our network security, we are only allowed to connect using our work-provided laptops. We were wondering if there was a way to only allow port 3389 with an access list, so we could install the AnyConnect client on our home computer, log in to the network, and RDP to the servers necessary. Is this possible, or is there anything similar to this? Any help or advice is appreciated! Thanks!

Accepted Solution

Philip D'Ath
VIP Alumni

Is this an ASA or some other Cisco device?

If it is a Cisco ASA, have you considered using a clientless VPN connection? Users just open a web browser and point it to the ASA. You add RDP as an application, and then that is the only thing they can access. This does not use AnyConnect at all.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-gateway.html

You could also use the "Advanced Endpoint Assessment" licence and a Dynamic Access Policy. "Advanced Endpoint Assessment" lets you test things on the machine - for example, whether this is an AD-joined machine. You can then apply different access policies based on that test.

So, for example, a user with a work notebook and AnyConnect could get access to everything, and the same user, with the same username, on a home notebook, using the same AnyConnect client, could be limited to only RDP access.

"Advanced Endpoint Assessment" also lets you test things like whether antivirus is installed, and lots of other things.

This article talks about using DAP (Dynamic Access Policies) and Advanced Endpoint Assessment:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

(Search for "Advanced Endpoint Assessment" to get to the bit you are interested in).
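As an added example (not from the thread or Cisco's documentation), this is what the "RDP only" half of the DAP approach looks like in ASA CLI, assuming a hypothetical server subnet of 10.10.20.0/24 and placeholder ACL and record names. The endpoint condition that decides which sessions get this record (the Advanced Endpoint Assessment / HostScan check for domain membership) is configured in ASDM under the DAP record's endpoint attributes, not in the CLI.

```cisco
! Added example, not from the thread. Hypothetical values: 10.10.20.0/24 is the
! subnet holding the servers users RDP to; ACL and record names are placeholders.
!
! 1. ACL that permits only RDP (TCP/3389) from the VPN client to the servers.
!    The source is whatever address the AnyConnect client was assigned, hence "any".
!    The explicit deny with "log" gives a syslog record of anything the home PC
!    tries to reach beyond RDP.
access-list RDP-ONLY extended permit tcp any 10.10.20.0 255.255.255.0 eq 3389
access-list RDP-ONLY extended deny ip any any log
!
! 2. DAP record that attaches that ACL to the session. Its selection criteria
!    (endpoint attributes such as "host is a member of the corporate AD domain",
!    evaluated by HostScan / Advanced Endpoint Assessment) are stored in dap.xml
!    and set through ASDM. A record with no endpoint check would match every
!    session, so that check is what separates the work laptop from the home PC.
dynamic-access-policy-record HOME-RDP-ONLY
 description "Non-corporate endpoint: RDP to servers only"
 network-acl RDP-ONLY
 priority 10
 action continue
 user-message "Unmanaged device: access limited to RDP"
!
! 3. A corporate laptop that passes the endpoint check does not match
!    HOME-RDP-ONLY, so it keeps the full access granted by its normal
!    group-policy; DfltAccessPolicy needs no ACL for that case.
```

The ACL only limits what the session can reach; it does nothing to verify the device, so the record is only as strong as the endpoint check it is tied to. Verify the result with a test session from a non-domain machine and confirm that only the TCP/3389 flow appears in the ASA's connection table.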
