Cisco AnyConnect Secure Mobility & VDI Demo Guide (partner version)

- Overview ... 2
- Value Proposition ... 2
- Deployment Scenario ... 3
- Role Play Demo Script ... 5
- Demo Equipment Bill of Material ... 9
- Demo Documentation & Configuration Highlight ... 10

Page 1
Overview

With the ever-increasing demand for business use of mobile devices, including laptops, netbooks, iPhone, iPad and other smartphones and tablets, corporate network and security administrators need to provide secure access to the corporate network, intranet applications and SaaS applications for those mobile users, whether they are inside or outside the office. Cisco offers AnyConnect Secure Mobility to extend the network perimeter to remote endpoints, enabling seamless integration with the web filtering services offered by the Web Security Appliance. Cisco AnyConnect Secure Mobility provides an innovative way to protect mobile users on computer-based or smartphone platforms, giving end users a more seamless, always-protected experience and giving IT administrators comprehensive policy enforcement.

The goal of this demo is to show how Cisco AnyConnect Secure Mobility works on Windows, iPad and iPhone, and at the same time to showcase some of the key differentiators of the ASA, the WSA and AnyConnect. We also demonstrate how a remote user can securely access intranet applications or hosts through a virtual desktop from mobile devices and laptops. We showcase a typical Internet edge deployment with an ASA and a WSA; AnyConnect clients are installed on Windows, iPad and iPhone.

AnyConnect Secure Mobility is a collection of features across the following Cisco products:
- Cisco IronPort Web Security Appliance (WSA)
- Cisco ASA 5500 series adaptive security appliance (ASA)
- Cisco AnyConnect client

Value Proposition

Cisco AnyConnect Secure Mobility addresses the challenges of a mobile workforce by offering the following features:

Secure, persistent connectivity. The Cisco AnyConnect client (with the adaptive security appliance as the headend) provides the remote access connectivity portion of AnyConnect Secure Mobility.
The connection is secure because both the user and the device must be authenticated and validated before being granted access to the network. The connection is persistent because the AnyConnect SSL VPN connection is typically configured to be always-on, even when roaming between networks. Although the AnyConnect VPN connection is always-on, it is also flexible enough to apply different policies based on user and location, for example allowing users access to the Internet in a captive portal situation, where users must accept terms of agreement before reaching the Internet.

Consistent security and policy enforcement. The Web Security Appliance applies context-aware policies, including enforcing acceptable use policies and protecting against malware, for all users, including mobile (remote) users. The Web Security Appliance also accepts user authentication information from the adaptive security appliance, based on the ASA's authentication of the AnyConnect client, which gives the user an automatic authentication step for accessing web content.

Deployment Scenario

The deployment scenario in the figure above illustrates the ASA using WCCP to redirect web traffic to the WSA. Alternatively, a WCCP-capable router can be used to transparently redirect web traffic to the WSA; in this scenario we do not use the WCCP feature on the Cisco router. Using the WCCP functionality on the ASA to redirect web traffic to the WSA lets us use any router in this deployment.

In this deployment, the ASA tunnels all VPN traffic to its default gateway, which is a Cisco router. The router returns VPN web traffic to the ASA and forwards non-web traffic according to its routing table. The ASA then uses WCCP to redirect the web traffic to the WSA for scanning. The WSA must be configured with a default route to the Internet gateway in order to enforce its policies. In addition, the WSA must be configured with a route back to the ASA so that scanned traffic is returned to the AnyConnect client. The Citrix VDI server is installed on the Cisco Unified Computing System (UCS).
ASA

The idea is to show how the ASA works as a firewall and SSL VPN headend.
- WCCP is enabled on the ASA, and the ASA redirects the AnyConnect client's HTTP and HTTPS traffic to the WSA.

WSA

We will demonstrate WSA functionality on:
- blocking malicious or malware sites
- enforcing web access policy based on remote user identity
- SaaS single sign-on (e.g. WebEx)
- data security (e.g. blocking the upload of a PDF document to gmail.com)

AnyConnect

AnyConnect Secure Mobility:
- AnyConnect SSO to WebEx through the IronPort WSA
- Platform-agnostic AnyConnect (e.g. Windows, iPhone, iPad) SSL VPN connection to the ASA firewall
- Connection persistence
Role Play Demo Script

The Financial Controller (FC) is on a vacation trip. The Sales Director (SD) is in a coffee shop and is about to hold a WebEx web conferencing session with the Managing Director; he needs this quarter's financial report from the FC.

SD opens his laptop and starts an AnyConnect SSL VPN connection back to his office VPN headend, remoteaccess.im-hk.com. He then calls the FC and asks for her help in getting the financial report, which is only available on the company intranet server. SD finds that the existing Wi-Fi connection is not stable, so he switches his laptop from Wi-Fi connection 1 to Wi-Fi connection 2, which has a stronger signal. The AnyConnect SSL VPN connection reconnects without the need for re-authentication.

Figure 1: AnyConnect login screen on Windows

Narrator: The Cisco AnyConnect client supports always-on, persistent connections, which lets a user restore his last SSL VPN session without re-authenticating. This provides very user-friendly and seamless secure access to the corporate network.

SD opens http://webex.im-hk.com and is automatically signed on to his WebEx account. He then calls the FC and asks for her help.

Narrator: The Cisco IronPort Web Security Appliance supports SaaS single sign-on, allowing users to sign on to SaaS applications without having to remember a separate password for each SaaS application. This greatly improves work efficiency and security. It also makes it much easier for the IT administrator to manage SaaS access and to track SaaS application usage and user activity. For example, an ex-employee will no longer be able to access SaaS applications once their account on the company directory server has been disabled.
Figure 2: WebEx user home page after single sign-on through the WSA

Since the FC is on vacation and carries only her iPad, she uses AnyConnect to access the internal server with an RDP or Citrix client and emails the financial report to SD. SD thanks the FC and ends the phone call.

Figure 3: AnyConnect view on the iPad

Figure 4: RDP client accessing her own desktop and sending the email with the financial report
Narrator: The Cisco IronPort Web Security Appliance obtains the remote AnyConnect user's identity from the ASA, so the administrator can enforce a web access policy for remote users. We can demonstrate that only selected, restricted users can access certain intranet servers remotely. In this demo we use the RDP iPad client instead of a web browser, because there was not enough time to set up an intranet application web server in the demo environment.

SD receives the email with the financial report and wants to upload the file to his gmail.com account for future use, but the upload is blocked by corporate policy. He then recalls that this is not allowed by the company security policy.

Narrator: The Cisco IronPort Web Security Appliance obtains the remote AnyConnect user's identity from the ASA and can apply local and/or remote data security policies (e.g. blocking the upload of Office or PDF documents).

The FC ends the phone call and remembers that she wants to use her iPad to check last night's lottery result, because there is a big pool. The FC accesses http://bet.hkjc.com and the access is blocked by the IronPort WSA under corporate policy. She recalls that her iPad is still connected through AnyConnect.

Figure 5: End User Notification page showing that the access is blocked

Narrator: The Cisco IronPort Web Security Appliance can enforce web usage controls for remote users. The administrator can control web usage by user identity or user group, and can apply different policies depending on whether the user is inside or outside the office.

She then checks a message on Facebook sent by her friend and clicks the URL http://www.ihaveabadreputation.com in the message; the web access is blocked by the IronPort WSA because of the site's poor web reputation. She remarks that it is lucky she is still protected by the company security gateway.
Figure 6: A malicious URL in a Facebook message, and the web page blocked due to poor web reputation

Narrator: The Cisco IronPort Web Security Appliance can block malicious content effectively through web reputation and/or the anti-malware scanning engines from McAfee and Webroot (and also Sophos). Although some people say that there is no virus or malware for the iPad yet, an iPad is still vulnerable to being infected or hijacked (think of visiting a jailbreak site: with a single click the iPad is jailbroken and a jailbreak program is installed).
Demo Equipment Bill of Material

The customer needs:
* Cisco Adaptive Security Appliance (ASA) 8.3 or above
* Cisco AnyConnect Secure Mobility Client 2.5 or above
* Cisco IronPort Web Security Appliance (WSA) 7.0 or above

Below is a sample equipment list for a customer size of 250 users. Please note that any ASA model will work. An AnyConnect Mobile license is required if the customer requires AnyConnect support on mobile devices such as Windows Mobile, iPhone, iPad, etc.

Please note that Secure Mobility involves user licenses on two devices: an AnyConnect license on the ASA and a Secure Mobility license on the WSA.
- AnyConnect license: maximum expected concurrent SSL VPN connections
- Secure Mobility license on the WSA: total number of remote users

Licensing information can be found in:
http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect25/feature/guide/anyconnect25features.html

| Product Number | Description | Quantity |
| --- | --- | --- |
| ASA5510-BUN-K9 | ASA 5510 Appliance with SW, 5FE, 3DES/AES | 1 |
| ASA-AC-E-5510 | AnyConnect Essentials VPN License - ASA 5510 (250 Users) | 1 |
| ASA-AC-M-5510 | AnyConnect Mobile - ASA 5510 (req. Essentials or Premium) | 1 (required if support of mobile devices is required) |
| WBUN-2A-EN-DBC-1Y | Dual IronPort S160, 1yr WUC, WREP, ASPY, AV & Platinum support | Number of users |
| CASM-ACP-EN-1Y | Cisco Secure Mobility for AnyConnect Premium Enterprise 1 Year License Key (2000-4999 user tier) | Number of users |
Demo Documentation & Configuration Highlight

WSA 7.0 documentation:
http://www.cisco.com/en/us/products/ps10164/tsd_products_support_series_home.html

AnyConnect 2.5 documentation:
http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/anyconnectadmin25.html

ASA 8.3 documentation:
http://www.cisco.com/en/us/docs/security/asa/roadmap/asaroadmap.html#wp50591
Highlights of configurations:

Router configuration (in the demo, the router uses a single interface, 172.16.0.58):

    ip default-gateway 172.16.0.254
    ip route 0.0.0.0 0.0.0.0 172.16.0.254

Note: the default gateway and the default route both point to the firewall IP address 172.16.0.254.

Firewall configuration (internal interface 172.16.0.254, external interface remoteaccess.im-hk.com):

    route demo1 0.0.0.0 0.0.0.0 172.16.0.58 tunneled
    access-list WCCP extended permit object-group DM_INLINE_SERVICE_3 object Demo1_network any
    access-list WCCP extended permit object-group DM_INLINE_SERVICE_4 object AnyConnectClientRange any

Note: the tunneled default route sends all VPN traffic to the router (172.16.0.58); the WCCP access list selects web traffic from the internal network and from the AnyConnect client address pool for redirection to the WSA.

IronPort Web Security Appliance configuration (M1 interface 172.16.0.23):

Figure: Access Policy for local and remote users (screenshot)
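The routing requirements in the Deployment Scenario section (a WSA default route to the Internet gateway, plus a route back to the ASA for the AnyConnect client range) are easy to get wrong and fail silently. The following Python model is an added example, not part of the Cisco guide: it reproduces the WCCP redirect decision from the ASA access list above and traces a client flow through the demo topology, so the missing-return-route failure mode shows up as a dropped reply. The 172.16.0.x addresses come from the guide; the AnyConnect pool (10.10.10.0/24), the Internet gateway (203.0.113.1) and the contents of the service object-groups (TCP 80 and 443, per the guide's "HTTP and HTTPS") are constructed assumptions.

```python
import ipaddress

# Addresses quoted in the demo guide
ROUTER = "172.16.0.58"
ASA_INSIDE = "172.16.0.254"
WSA_M1 = "172.16.0.23"
INTERNET_GW = "203.0.113.1"          # assumption: documentation-range gateway

# Assumed object definitions; the guide names these objects but does not print their members
DEMO1_NETWORK = ipaddress.ip_network("172.16.0.0/24")          # assumption
ANYCONNECT_CLIENT_RANGE = ipaddress.ip_network("10.10.10.0/24")  # assumption
WCCP_SERVICE_PORTS = {80, 443}                                  # guide: "HTTP and HTTPS"


def wccp_redirects(src_ip, dst_port):
    """Model the two 'access-list WCCP' lines: permit HTTP/HTTPS from either
    source object to any destination; everything else bypasses the WSA."""
    src = ipaddress.ip_address(src_ip)
    in_scope = src in DEMO1_NETWORK or src in ANYCONNECT_CLIENT_RANGE
    return in_scope and dst_port in WCCP_SERVICE_PORTS


def wsa_next_hop(wsa_routes, dst_ip):
    """Longest-prefix lookup over the WSA's static routes (dict network -> gateway).
    Returns None when the WSA has no route at all for the destination."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw in wsa_routes.items():
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best[1] if best else None


def trace_flow(src_ip, dst_ip, dst_port, wsa_routes):
    """Return (hops, ok): the ordered hops for a VPN client flow as the guide
    describes it, and whether the scanned reply can reach the client."""
    hops = ["AnyConnect client", "ASA (VPN terminates)",
            f"Router {ROUTER} (tunneled default route)"]
    if not wccp_redirects(src_ip, dst_port):
        hops.append("Internet (non-web, forwarded by the router)")
        return hops, True
    hops += ["ASA (WCCP redirect)", f"WSA {WSA_M1}"]
    outbound = wsa_next_hop(wsa_routes, dst_ip)
    if outbound is None:
        hops.append("DROP: WSA has no route to the destination")
        return hops, False
    hops.append(f"Internet via {outbound}")
    # The reply must leave the WSA towards the ASA, not towards the Internet gateway
    back = wsa_next_hop(wsa_routes, src_ip)
    if back != ASA_INSIDE:
        hops.append(f"DROP: WSA sends the reply for {src_ip} to {back}, not to the ASA")
        return hops, False
    hops.append(f"reply: WSA -> ASA ({ASA_INSIDE}) -> AnyConnect client")
    return hops, True


# Constructed WSA route tables: the one the guide requires, and one missing the return route
WSA_ROUTES_OK = {"0.0.0.0/0": INTERNET_GW, str(ANYCONNECT_CLIENT_RANGE): ASA_INSIDE}
WSA_ROUTES_MISSING_RETURN = {"0.0.0.0/0": INTERNET_GW}

if __name__ == "__main__":
    for routes in (WSA_ROUTES_OK, WSA_ROUTES_MISSING_RETURN):
        hops, ok = trace_flow("10.10.10.5", "198.51.100.7", 443, routes)
        print("OK" if ok else "FAIL", " -> ".join(hops))
```

Running the block prints one trace per route table; with the return route missing, the HTTPS reply is shown leaving the WSA towards the Internet gateway instead of the ASA, which is exactly the symptom (pages hang for VPN users, while SSH and other non-web traffic still works) that the guide's second WSA route requirement prevents.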
Figure: Remote User Identity (screenshot)

Figure: Identity Provider for SaaS (screenshot)
Figure: SaaS Application Definition for WebEx Single Sign-On (screenshot)

Figure: WebEx Single Sign-On Redirection (screenshot)
Figure: WebEx SSO Configuration (screenshot)