
Start Before Logon host selection

tcsr121
Level 1

We have two ASAs working separately for working-from-home access. The extra pair were set up last year due to working-from-home pressures of COVID. SBL was set up with half the staff connecting to one, half to the other. However, a year later, I need to set up a third profile. No one can remember how host selection was achieved and, no matter what I do, when using AnyConnect and SBL, the same host is always chosen.

 

We have 'remote' connecting to one ASA and 'remote2' connecting to our vASA. I need 'remotena' to also connect to the vASA using SBL. This works fine AFTER logon. All three are added as hosts in the main profile XML as follows (located in c:\programdata\cisco anyconnect secure mobility agent\profile):

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
 <ClientInitialization>
   <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
   <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
   <ShowPreConnectMessage>false</ShowPreConnectMessage>
   <CertificateStore>All</CertificateStore>
   <CertificateStoreMac>All</CertificateStoreMac>
   <CertificateStoreOverride>true</CertificateStoreOverride>
   <ProxySettings>Native</ProxySettings>
   <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
   <AuthenticationTimeout>12</AuthenticationTimeout>
   <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
   <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
   <LocalLanAccess UserControllable="true">true</LocalLanAccess>
   <DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
   <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
   <IPProtocolSupport>IPv4</IPProtocolSupport>
   <AutoReconnect UserControllable="true">true
    <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
   </AutoReconnect>
   <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
   <AutoUpdate UserControllable="true">true</AutoUpdate>
   <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
   <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
   <LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
   <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
   <LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
   <AutomaticVPNPolicy>true
     <TrustedDNSServers>10.xxx.x.xx,10.xxx.x.yy</TrustedDNSServers>
     <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
    <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    <AlwaysOn>true
     <ConnectFailurePolicy>Closed
      <AllowCaptivePortalRemediation>true
       <CaptivePortalRemediationTimeout>10</CaptivePortalRemediationTimeout>
      </AllowCaptivePortalRemediation>
      <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
     </ConnectFailurePolicy>
     <AllowVPNDisconnect>true</AllowVPNDisconnect>
    </AlwaysOn>
   </AutomaticVPNPolicy>
   <PPPExclusion UserControllable="false">Automatic
    <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
   </PPPExclusion>
   <EnableScripting UserControllable="false">false</EnableScripting>
   <CertificateMatch>
    <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
    <ExtendedKeyUsage>
     <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
   </ExtendedKeyUsage>
  <DistinguishedName>
     <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
       <Name>CN</Name>
       <Pattern>xxxxxxxx.xxx.xxxxx.xxx.xx</Pattern>
     </DistinguishedNameDefinition>
   </DistinguishedName>
  </CertificateMatch>
  <EnableAutomaticServerSelection UserControllable="true">false
    <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
    <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
   </EnableAutomaticServerSelection>
   <RetainVpnOnLogoff>false
   </RetainVpnOnLogoff>
   <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
<ServerList>
<HostEntry>
  <HostName>xxx xxx Windows Network Admin</HostName>
  <HostAddress>remotena.xxxx.xxx.xx</HostAddress>
  <UserGroup>NetAdmin</UserGroup>
</HostEntry>
<HostEntry>
  <HostName>xxx xxx Windows vASA</HostName>
  <HostAddress>remote2.xxxx.xxx.xx</HostAddress>
  <UserGroup>windows</UserGroup>
</HostEntry>
<HostEntry>
  <HostName>xxx xxx Windows</HostName>
  <HostAddress>remote.xxxx.xxx.xx</HostAddress>
  <UserGroup>windows</UserGroup>
</HostEntry>
</ServerList>
</AnyConnectProfile>

 

I choose one from the drop-down list and it becomes the default for AFTER logon connections (and the hostname is referenced in c:\programdata\cisco anyconnect secure mobility agent\preferences_global.xml):

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>remotena.xxxx.xx.xx</DefaultHostName>
<DefaultHostAddress>y.y.y.y:443</DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences>
<LocalLanAccess>true</LocalLanAccess>
<EnableAutomaticServerSelection>false</EnableAutomaticServerSelection></ControllablePreferences>
</AnyConnectPreferences>

 

For example, my PC, when using SBL, ALWAYS connects to remote2.xxx.xxx.xx whatever the settings above.

If I delete all references to remote2.xxxx.xxx.xx from all the XML files where I have found it - SBL still tries to connect to remote2.nottscc.gov.uk but then fails.

 

Any ideas how to point my AnyConnect to the new host entry??? 
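
Added example, not part of the original post and not Cisco tooling: a cross-check of the two files quoted above that parses the namespaced profile's ServerList and reports which HostEntry the DefaultHostName in preferences_global.xml refers to, or None if the saved default no longer matches any entry. The sample XML and host names are constructed, the helper names are hypothetical, and the script makes no claim about how SBL itself picks a host.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the two files quoted in the post (placeholder hosts).
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ServerList>
  <HostEntry><HostName>Net Admin</HostName>
   <HostAddress>remotena.example.test</HostAddress><UserGroup>NetAdmin</UserGroup></HostEntry>
  <HostEntry><HostName>Windows vASA</HostName>
   <HostAddress>remote2.example.test</HostAddress><UserGroup>windows</UserGroup></HostEntry>
  <HostEntry><HostName>Windows</HostName>
   <HostAddress>remote.example.test</HostAddress><UserGroup>windows</UserGroup></HostEntry>
 </ServerList>
</AnyConnectProfile>"""
PREFS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
 <DefaultHostName>remotena.example.test</DefaultHostName>
 <DefaultHostAddress>192.0.2.10:443</DefaultHostAddress>
</AnyConnectPreferences>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tags in the profile."""
    return tag.rsplit("}", 1)[-1]

def norm(host):
    """Lower-case, trim, and drop any ':port' so names compare equal."""
    return host.strip().lower().split(":", 1)[0]

def server_list(profile_xml):
    """Return each <HostEntry> as a dict of its child elements."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    return [{local(c.tag): (c.text or "").strip() for c in entry}
            for entry in root.iter() if local(entry.tag) == "HostEntry"]

def cross_check(profile_xml, prefs_xml):
    """Report which profile entry, if any, the saved default host refers to."""
    entries = server_list(profile_xml)
    prefs = ET.fromstring(prefs_xml.encode("utf-8"))
    default = (prefs.findtext("DefaultHostName") or "").strip()
    match = next((e for e in entries if norm(default) in
                  (norm(e.get("HostName", "")), norm(e.get("HostAddress", "")))),
                 None) if default else None
    return {"default": default, "match": match,
            "profile_hosts": [e.get("HostAddress", "") for e in entries]}

if __name__ == "__main__":
    report = cross_check(PROFILE_XML, PREFS_XML)
    print("saved default :", report["default"])
    print("profile entry :", report["match"])
    print("all hosts     :", report["profile_hosts"])
```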
