Cisco AnyConnect Secure Mobility Solution Guide This document contains the following information: • Cisco AnyConnect Secure Mobility Overview, page 1 • Understanding How AnyConnect Secure Mobility Works, page 3 • Supported Architectures, page 6 • Configuring AnyConnect Secure Mobility, page 16 • Troubleshooting, page 21 • Additional Documentation, page 22 • Contacting Support, page 23 Cisco AnyConnect Secure Mobility Overview Users and their devices are increasingly more mobile, connecting to
Traditional network and content security solutions are ideal for protecting users and assets behind the network firewall, but they are ineffective when users or devices are not connected to the network, or when data is not routed through the security solutions.

from the adaptive security appliance based on its authentication of the AnyConnect client, providing an automatic authentication step for the user to access web content.

Understanding How AnyConnect Secure Mobility Works

Cisco AnyConnect Secure Mobility is a collection of features across multiple Cisco products that extends control and security into borderless networks.

The Web Security appliance tracks the requests it receives and applies the policies configured for remote users to traffic received from remote users. For information on how it identifies remote users, see Communication Between the ASA and WSA, page 4.

established, the Web Security appliance authenticates to the adaptive security appliance using the configured ASA access password. After successful authentication, the adaptive security appliance sends the IP address-to-user mapping to the Web Security appliance. The connection remains open, and the adaptive security appliance updates the IP address-to-user mapping as necessary.
Supported Architectures

Enterprise network infrastructures are dynamic and unique, and there is an array of architectures to consider when implementing the AnyConnect Secure Mobility solution.

Table 5-1 Summary of Architecture Scenarios

Architecture Scenario 1, Single Subnet, page 8
This architecture has the following characteristics:
• Web transactions are transparently redirected to the Web Security appliance by a WCCP-enabled router.
• The adaptive security appliance, WCCP router, and Web Security appliance reside on the same subnet.

Architecture Scenario 1, Single Subnet

Figure 1 illustrates the architecture described in this section.

Figure 1 Single Site and Subnet

The deployment scenario in Figure 1 depicts a layer 2 (L2) topology that includes an ASA acting as the remote access and Internet gateway. In addition, this topology includes a WCCP router for L2 redirection of web traffic. All command examples included below refer to the example in Figure 1.

• Note The WSA receives web traffic redirected from the WCCP router and enforces its policies on the traffic received from the AnyConnect client. If the WSA grants access to the web request, it rewrites the traffic so that the response returns to it, then forwards the request to the Internet via its default route, the ASA. This enables the ASA to return the response traffic to the WSA for scanning and policy enforcement.
Architecture Scenario 2, Multiple Subnets

Figure 2 illustrates the architecture described in this section.

Figure 2 Single Site and Multiple Subnets

The deployment scenario in Figure 2 depicts an architecture similar to Figure 1 on page 8. However, this architecture introduces WCCP with Generic Routing Encapsulation (GRE) redirection, which is required when the WSA is on a different subnet than the WCCP router: L2 redirection only rewrites the destination MAC address and therefore requires the WSA to be directly adjacent to the router, whereas GRE tunnels the redirected packet across routed hops.

the ASA, or to a predefined static route if destined for the enterprise network. On the WCCP router, you must still apply the command ip wccp {web-cache | service-number} redirect in on the interface configured for redirection. This command redirects web traffic arriving inbound on that interface to the WSA. The WSA decapsulates the GRE packet and enforces its security policies.
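As an added example (not taken from this guide), the following is what the WCCP router side of Figure 2 could look like in Cisco IOS. The interface name, the addresses (10.1.1.0/24 for the router-to-ASA link, 10.1.100.0/24 as the AnyConnect address pool, 10.1.3.10 for the WSA) and the service-group password are assumptions. It goes beyond the single redirect in command above by restricting what gets redirected and which engine may join the service group, which are the checks a practitioner wants in place before turning on transparent redirection.

```text
! Hypothetical IOS configuration for the WCCP router in Figure 2 (added example; addresses assumed)
!
! Redirect only HTTP from the AnyConnect address pool, and never the WSA's own traffic,
! otherwise the WSA's outbound requests would be redirected back to itself.
ip access-list extended WCCP-REDIRECT
 deny   ip host 10.1.3.10 any
 permit tcp 10.1.100.0 0.0.0.255 any eq www
 deny   ip any any
!
! Only this WSA may register as a cache engine for the service group.
ip access-list standard WCCP-ENGINES
 permit 10.1.3.10
!
! Enable the standard web-cache service (TCP/80) with the two restrictions above and a
! group password, so a rogue host on the segment cannot join and receive the redirected traffic.
ip wccp web-cache redirect-list WCCP-REDIRECT group-list WCCP-ENGINES password WccpExampleSecret
!
! Interface on which the VPN client traffic arrives from the ASA; redirect inbound traffic here.
interface GigabitEthernet0/0
 description Link to the ASA inside interface
 ip address 10.1.1.2 255.255.255.0
 ip wccp web-cache redirect in
```

The forwarding method (GRE in this scenario) is not set on the router; it is negotiated with the WSA, which advertises the method chosen in its WCCP service definition. Verify the result with show ip wccp and show ip wccp web-cache detail: the WSA should appear as a registered engine and the packet redirection counters should increase as an AnyConnect user browses.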
Architecture Scenario 3, Explicit Forward Proxy

Figure 3 illustrates the architecture described in this section.

Figure 3 Explicit Mode Policy Enforcement

In the deployment scenario depicted in Figure 3, client web traffic is configured to use the WSA explicitly as a proxy, instead of being transparently redirected to the WSA.

Note Proxy configuration settings can be deployed dynamically from the ASA only to Internet Explorer on Windows and Safari on Mac OS on connected AnyConnect clients. Other browsers must be configured manually on the client machine in order to use the WSA explicitly as a proxy.

For more information on accessing Cisco documentation, see Additional Documentation, page 22.

Note AnyConnect profile settings, such as IgnoreProxy, only apply while the AnyConnect client is connecting to the ASA. The client does not use these settings after it has established a tunnel with the ASA.

Architecture Scenario 4, Non-WCCP Router

Figure 4 illustrates the architecture described in this section.

Figure 4 Using WCCP on the ASA

The deployment scenario in Figure 4 illustrates using WCCP on the ASA to redirect web traffic to the WSA instead of using a WCCP router for traffic redirection. In the deployment scenarios documented previously, a WCCP router is used to transparently redirect web traffic to the WSA.

Note Version 8.3 of the ASA can only use WCCP to redirect web traffic when the traffic enters the ASA on the same interface where WCCP is enabled. However, the AnyConnect client traffic does not enter the ASA on the same interface where WCCP is enabled (which is the interface connected to the WSA).
• A single access password that you configure on each adaptive security appliance and Web Security appliance

To use secure mobility, you must use the following Cisco product versions:
• Cisco adaptive security appliance release 8.3.1.6 or later
• Cisco adaptive security device manager (ASDM) Release 6.3 or later
• Cisco IronPort Web Security appliance version 7.

– No authentication required. Configure the Identity not to use authentication. Users are identified by IP address.
– Authentication required. Configure the Identity to apply to remote users only and to identify users transparently by integrating with the Cisco adaptive security appliance. Users are identified by user name, using the IP address-to-user name mapping from the adaptive security appliance.
3.

3. In the Mobile User Security window in ASDM, add one or more Web Security appliances that the adaptive security appliance communicates with. After you choose Add or Edit, you can specify the Interface Name, IP address, and mask of the host.
4. Enable the Mobile User Security feature on the adaptive security appliance.

3. Load the AnyConnect Secure Mobility client package Release 2.5 or later onto the adaptive security appliance.
4. Using ASDM, configure the adaptive security appliance to support Network (Client) Access as usual.
5. In ASDM, consider configuring the VPN profile to be always on. You might want to configure this feature for when the user is on an untrusted network.
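As an added example (not taken from this guide, which describes these steps in ASDM), the following shows the adaptive security appliance side of the procedure above as ASA 8.3 CLI: the Mobile User Security (MUS) settings from steps 3 and 4 together with a minimal AnyConnect client-access configuration from the later steps. The command names are as I recall them for ASA 8.3 (svc rather than the later anyconnect keyword) and should be checked against the ASA command reference listed under Additional Documentation; the WSA address 10.1.3.10, the interface names, the address pool, the package file name and the access password are assumptions. The always-on setting from step 5 lives in the AnyConnect client profile, which is edited in ASDM and is not shown here.

```text
! Hypothetical ASA 8.3 configuration for AnyConnect Secure Mobility (added example; values assumed)
!
! Shared access password: must match the one entered on every WSA that connects to this ASA.
! Treat it as a credential; whoever presents it from a permitted host receives the
! IP address-to-user mapping for all connected AnyConnect users.
mus password MusExampleSecret
!
! Accept WSA connections on the default MUS port.
mus server enable port 11999
!
! Only this WSA, reached via the inside interface, may authenticate (keep the host mask exact).
mus 10.1.3.10 255.255.255.255 inside
!
! Ordinary AnyConnect (SSL VPN client) access, as in step 4 "Network (Client) Access as usual".
ip local pool ANYCONNECT-POOL 10.1.100.1-10.1.100.254 mask 255.255.255.0
!
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 1
 svc enable
!
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT-POOL
```

Keeping the mus host entry to a single /32 per WSA, rather than a subnet, limits who can authenticate with the shared password; the password itself is the only thing that ties the mapping feed to the WSA, so it should be long, random and rotated together with the matching setting on every WSA.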
For more information on configuring the Cisco AnyConnect Secure Mobility client, read the Cisco AnyConnect Secure Mobility Client Administrator Guide. See Additional Documentation, page 22 for the location.

Troubleshooting

Web Security appliance:
• AnyConnect Secure Mobility events are included in the User Discovery Service (UDS) log.

Additional Documentation

This document is intended to serve as an overview of the entire AnyConnect Secure Mobility solution. It does not include detailed steps on configuring each component of the product, nor does it list all potential interactions with other features of each component.

Contacting Support

Because the Cisco AnyConnect Secure Mobility solution covers multiple Cisco products, you might need to contact a different support group for help resolving issues related to AnyConnect Secure Mobility. Each AnyConnect Secure Mobility product is supported by a different product support team, located in either Cisco TAC (Technical Assistance Center) or Cisco IronPort Customer Support.