
User info missing in AnyConnect Web Security client

AndrewDuf
Level 1

I have installed AnyConnect Web Security client using the scripts found in this document: http://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/cws_anyconnect.pdf

The software is version 4.2.01035 and I have done this on Windows 7, 8.1, and 10 clients - all 64-bit. All are virtual machines patched up to date, and have full internet access.

The software installs without errors, the services all start, and the licence key is correctly read from the policy file, so the system tray icon shows "Web Security Enabled (UK)".

The web portal is configured to sync with my Active Directory and all users/groups are correctly visible there.

Domain logons are being employed throughout, and "SET U" or "SET L" confirms this.

My problem is that browsing to whoami.scansafe.net or policytrace.scansafe.net produces a display with just the client's IP address as username. It recognises my company (presumably from the external IP address) but does not seem to pull through the user name and therefore the groups of which this user is a member.

Example (from whoami...) :

authUserName: 10.1.5.136
authenticated: true
companyName: "BlahBlahBlah"
connectorGuid: 76A027FE03F255D116DE57B755104E6E
connectorVersion: AP_AC4.2.01035
countryCode: GB
externalIp: 1.2.3.4
groupNames: []
internalIp: 10.1.5.136
logicalTowerNumber: 10030
staticGroupNames: 
  - default
userName: 10.1.5.136

(NB: obviously, some data has been redacted here)

Because of this, any rules based on group membership are not being recognised, which limits the usefulness somewhat ;-)

What could be wrong?
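A small diagnostic for the symptom described above, added here as an example and not code from the post or from Cisco: it parses a whoami.scansafe.net listing in the format shown and reports when the service has fallen back to an IP address as the user identity, which is exactly the case in which group-based rules silently stop matching. The sample record is constructed from the redacted values in the post.

```python
import ipaddress
import re
# Constructed sample (hypothetical), modelled on the whoami.scansafe.net output in the post.
BROKEN_WHOAMI = """\
authUserName: 10.1.5.136
authenticated: true
companyName: "BlahBlahBlah"
groupNames: []
internalIp: 10.1.5.136
staticGroupNames:
  - default
userName: 10.1.5.136
"""

def parse_whoami(text: str) -> dict:
    """Parse the 'key: value' listing; '[]' or an empty value opens a list of '  - item' lines."""
    result, current = {}, None  # current: the list receiving '  - item' lines, if any
    for raw in text.splitlines():
        if not raw.strip():
            continue
        item = re.match(r"^\s+-\s*(.*)$", raw)
        if item and current is not None:
            current.append(item.group(1).strip())
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value in ("", "[]"):
            result[key] = current = []
        else:
            result[key], current = value, None
    return result

def is_ip_address(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def identity_problems(info: dict) -> list:
    """List the reasons group-based policy would not apply to the session described by info."""
    problems = []
    if is_ip_address(info.get("userName", "")):
        problems.append(f"userName is an IP address ({info['userName']}): identity was never resolved")
    if info.get("authUserName") == info.get("internalIp"):
        problems.append("authUserName equals internalIp: policy has fallen back to IP-based identity")
    if not info.get("groupNames"):
        problems.append("groupNames is empty: rules keyed on AD group membership cannot match")
    return problems
```

Run it against the listing from a working physical machine and from the RDP session side by side; an empty result on one and three findings on the other confirms that the difference is identity resolution rather than licensing or connectivity.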

5 Replies

AndrewDuf
Level 1

OK I have a partial answer so I will post it in case anyone else has this problem.

It is due to the fact that I was using VMs to test - accessed via RDP.

If I do exactly the same config on a physical machine, it works fine.

If I test the VM but using a console connection to it (through the Hyper-V host), it also works fine.

I would still like to find a solution, because we use a VDI solution, which clearly isn't going to support AnyConnect Web Security client, the way things are.

So the thread is not answered.

VDI may still work. I'm not working on ours so I'm not exactly sure, but if it's implemented "below" the OS, instead of via the RDP layer, like console access in VMware is, it will probably work.

I'm betting that this wouldn't work on Citrix XenApp either... or that you have to jump through some hoops to make it work...

Unfortunately VDI does not work.

We're not deploying the client on the VDI desktops, we are setting a static proxy (the Cisco one) and running PIM.exe to identify the user so that policies can be applied correctly.

After doing so, we are seeing the same behaviour - the IP address is reported instead of the username, and no user or group info is available to the rules and policies.

Does anyone have a solution to this?

Can you please use RDP console mode by running "mstsc /console" or "mstsc /admin" to see if it helps?

Yes, using that method it does work - see my "partial solution" posted above. However we don't have a way to use this as the production solution, since the VDI sessions are brokered by a Citrix product (VDI-in-a-box) which doesn't offer this as a choice.

I've now been advised by Cisco that AnyConnect does not support this configuration, and we must use an alternative (Connector has been suggested).

Unless anyone has a better idea, this might be the only option.