Web security solution for anyconnect devices

Hello,

can someone point me to some Cisco security solution for devices (also mobiles) with anyconnect installed so that I can manage security policies even though they are connected from a remote site ?

Accepted Solution

Marvin Rhoads (Hall of Fame)

AnyConnect clients on workstations have the option of using the Cloud Web Security (CWS) connector.

For mobile devices (iOS or Android) you are limited to a method such as disabling split tunnel and forcing all their traffic through your VPN headend, which in turn has either a CWS connector or other inspection engine (such as a FirePOWER module or WCCP to an ESA) in place and enabled.

The other option for mobile devices is to enforce their security policy via a third party Mobile Device Management (MDM) tool.



Thanks Marvin,

just a couple of questions,

So CWS doesn't manage mobile devices? Do I have to configure a client web security profile for AnyConnect on the ASA?

As regards FirePOWER with split tunnel disabled, I believe it applies only to next generation ASA, while maybe WCCP to IronPort WSA could be feasible. However, I still can't understand if, other than the WSA physical appliance, I also have to buy a user quantity license.

There are several methods to deploy CWS. Using a headend ASA is one of the most common ones. You can also pre-deploy manually or using an enterprise endpoint management solution (such as AD GPOs, Microsoft SCCM, Intel LANdesk, etc.), from an ISR G2, from a WSA etc.

Here is a page with a feature comparison for the various methods.

There are whitepapers for each method at this link.

I'm not positive on the answer re WSA licensing when using that method. I believe the users would count as named users in the WSA so they would decrement the license count if using WSA via WCCP.

So the common one is creating an ASA CWS connector? Then I should disable split tunnel anyway to be sure all HTTP traffic from workstations/mobile devices is inspected by the ASA CWS connector.

You can push all client traffic through the ASA (no split-tunnel) and it will redirect to Cisco's scanning towers for inspection. That's a CWS connector on the ASA approach.

You can also push the CWS tile of the AnyConnect Secure Mobility Client along with the organizational policy, and that can be used to force the clients to use CWS whether or not they are on VPN.
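As an illustration of the "tunnel-all plus CWS connector on the ASA" approach discussed in this thread, here is an example ASA configuration fragment added here; it is not from the thread or from Cisco's documentation. The group-policy, class-map and policy-map names are made up, the tower address and license value are placeholders to be taken from your own CWS portal, and the `scansafe` command syntax is assumed from the ASA 9.x CLI.

```cisco
! Added example, not from the thread. Placeholders: GP-ANYCONNECT, tower IP, license key.
! 1. Disable split tunnelling so every packet from the VPN client reaches the ASA
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
!
! 2. Point the ASA at the CWS scanning tower (assumed ASA 9.x ScanSafe syntax)
scansafe general-options
 server primary ip <TOWER-IP-FROM-CWS-PORTAL> port 8080
 retry-count 5
 license <LICENSE-KEY-FROM-CWS-PORTAL>
!
! 3. Classify the web traffic that should be redirected to CWS
class-map CM-CWS-HTTP
 match port tcp eq 80
class-map CM-CWS-HTTPS
 match port tcp eq 443
!
! 4. ScanSafe inspection policies; the group name maps to a policy in the CWS portal
policy-map type inspect scansafe PM-CWS-HTTP
 parameters
  default group ANYCONNECT_USERS
  http
policy-map type inspect scansafe PM-CWS-HTTPS
 parameters
  default group ANYCONNECT_USERS
  https
!
! 5. Apply the redirection globally; fail-close blocks web traffic if the tower is unreachable
policy-map global_policy
 class CM-CWS-HTTP
  inspect scansafe PM-CWS-HTTP fail-close
 class CM-CWS-HTTPS
  inspect scansafe PM-CWS-HTTPS fail-close
!
service-policy global_policy global
```

With `fail-close` the ASA drops web traffic when the scanning tower is unreachable, which keeps the policy enforced at the cost of availability; `fail-open` is the permissive alternative and should be a deliberate choice.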