08-06-2015 09:38 AM - edited 02-21-2020 08:23 PM
Hello,
Can someone point me to some Cisco security solution for devices (also mobiles) with AnyConnect installed so that I can manage security policies even though they are connected from a remote site?
08-06-2015 01:11 PM
AnyConnect clients on workstations have the option of using the Cloud Web Security (CWS) connector.
For mobile devices (iOS or Android) you are limited to a method such as disabling split tunnel and forcing all their traffic through your VPN headend, which in turn has either a CWS connector or other inspection engine (such as a FirePOWER module or WCCP to an ESA) in place and enabled.
The other option for mobile devices is to enforce their security policy via a third party Mobile Device Management (MDM) tool.
08-12-2015 02:05 AM
Thanks Marvin,
just a couple of questions,
So CWS doesn't manage mobile devices? Do I have to configure a client web security profile for AnyConnect on the ASA?
As regards FirePOWER with split tunnel disabled, I believe it applies only to next generation ASA, while maybe WCCP to IronPort WSA could be feasible. However I still can't understand if, other than the WSA physical appliance, I also have to buy a user quantity license.
08-12-2015 06:33 AM
There are several methods to deploy CWS. Using a headend ASA is one of the most common ones. You can also pre-deploy manually or using an enterprise endpoint management solution (such as AD GPOs, Microsoft SCCM, Intel LANdesk, etc.), from an ISR G2, from a WSA etc.
Here is a page with a feature comparison for the various methods.
There are whitepapers for each method at this link.
I'm not positive on the answer re WSA licensing when using that method. I believe the users would count as named users in the WSA so they would decrement the license count if using WSA via WCCP.
08-13-2015 07:56 AM
So the common one is creating an ASA CWS connector? Then I should disable split tunnel anyway to be sure all HTTP traffic from workstations/mobile devices is inspected by the ASA CWS connector.
08-13-2015 08:10 AM
You can push all client traffic through the ASA (no split-tunnel) and it will redirect to Cisco's scanning towers for inspection. That's a CWS connector on the ASA approach.
You can also push the CWS tile of AnyConnect Secure mobility client along with the organizational policy and that can be used to force the clients to use CWS whether or not they are on VPN.
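The ASA-side shape of the "no split tunnel, redirect web traffic to CWS" approach described in the reply above, as an added illustration that is not from the original thread or from Cisco documentation. It is written from memory of ASA 9.x CLI syntax; the group-policy name, ACL and class names, tower IP addresses (RFC 5737 documentation range), license key and default user/group are placeholders, and the exact keywords should be checked against the CWS connector guide for the ASA release in use.

```text
! --- Weak setting (what to avoid) ---
! With tunnelspecified, only the listed networks go through the VPN;
! the client's Internet-bound web traffic never reaches the ASA and is
! therefore never redirected to CWS.
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
! --- Corrected setting ---
! tunnelall forces every packet from the AnyConnect client through the headend.
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
 no split-tunnel-network-list
!
! VPN traffic arrives on the outside interface and leaves through it again
! toward the scanning towers, so hairpinning must be permitted.
same-security-traffic permit intra-interface
!
! CWS connector settings (placeholder tower addresses and license key).
scansafe general-options
 server primary ip 192.0.2.10 port 8080
 server backup ip 192.0.2.11 port 8080
 retry-count 5
 license 0123456789abcdef0123456789abcdef
!
! Select the web traffic to redirect. HTTP and HTTPS use separate
! scansafe inspection policies.
access-list CWS-HTTP extended permit tcp any any eq www
access-list CWS-HTTPS extended permit tcp any any eq https
class-map CWS-HTTP-CLASS
 match access-list CWS-HTTP
class-map CWS-HTTPS-CLASS
 match access-list CWS-HTTPS
!
! Default user/group are what CWS policy sees when no identity is available.
policy-map type inspect scansafe CWS-HTTP-PMAP
 parameters
  default user vpnuser group vpngroup
  http
policy-map type inspect scansafe CWS-HTTPS-PMAP
 parameters
  default user vpnuser group vpngroup
  https
!
! fail-close: if the towers are unreachable, drop the traffic instead of
! letting it out uninspected (fail-open is the permissive alternative).
policy-map CWS-POLICY
 class CWS-HTTP-CLASS
  inspect scansafe CWS-HTTP-PMAP fail-close
 class CWS-HTTPS-CLASS
  inspect scansafe CWS-HTTPS-PMAP fail-close
!
service-policy CWS-POLICY interface outside
```

The two things worth checking after applying this are that `show vpn-sessiondb anyconnect` shows the client with a tunnelall policy (no split-tunnel networks listed) and that `show scansafe statistics` increments as the client browses; if the counters stay at zero while the tunnel is up, the service policy is on the wrong interface or the hairpin permit is missing.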