Cisco AnyConnect Secure Mobility & VDI Demo Guide

Cisco AnyConnect Secure Mobility & VDI Demo Guide (partner version)

Overview ... 2
Value Proposition ... 2
Deployment Scenario ... 3
Role Play Demo Script ... 5
Demo Equipment Bill of Material ... 9
Demo Documentation & Configuration Highlight ... 10

Page 1

Overview

With the ever-increasing demand for business use of mobile devices, including laptops, netbooks, iPhone, iPad and other smartphones and tablets, corporate network and security administrators need to provide secure access to the corporate network, intranet applications and SaaS applications for those mobile users, whether they are inside or outside the office. Cisco offers AnyConnect Secure Mobility to extend the network perimeter to remote endpoints, enabling seamless integration with the web filtering services offered by the Web Security appliance. Cisco AnyConnect Secure Mobility provides a new way to protect mobile users on computer-based or smartphone platforms, giving end users a more seamless, always-protected experience and IT administrators comprehensive policy enforcement.

The goal of this demo is to show how Cisco AnyConnect Secure Mobility works on Windows, iPad and iPhone, and at the same time to showcase some of the key differentiators of the ASA, the WSA and AnyConnect. We also demonstrate how a remote user can securely access intranet applications or hosts through a virtual desktop from mobile devices and laptops. The demo uses a typical Internet edge deployment with an ASA and a WSA; AnyConnect clients are installed on Windows, iPad and iPhone.

AnyConnect Secure Mobility is a collection of features across the following Cisco products:
- Cisco IronPort Web Security appliance (WSA)
- Cisco ASA 5500 series adaptive security appliance (ASA)
- Cisco AnyConnect client

Value Proposition

Cisco AnyConnect Secure Mobility addresses the challenges of a mobile workforce by offering the following features:

Secure, persistent connectivity. The Cisco AnyConnect client (with the adaptive security appliance as the headend) provides the remote access connectivity portion of AnyConnect Secure Mobility.
The connection is secure because both the user and the device must be authenticated and validated before being granted access to the network. The connection is persistent because the AnyConnect SSL VPN connection is typically configured to be always-on, even when roaming between networks. Although the AnyConnect VPN connection is always-on, it is flexible enough to apply different policies based on user and location, for example allowing users access to the Internet in a captive portal situation, where users must accept terms of agreement before they can reach the Internet.

Consistent security and policy enforcement. The Web Security appliance applies context-aware policies, including enforcing acceptable use policies and protecting against malware, for all users, including mobile (remote) users. The Web Security appliance also accepts user authentication information from the adaptive security appliance, based on the ASA's authentication of the AnyConnect client, so the user is authenticated automatically for web content rather than being prompted again by the WSA.

Deployment Scenario

The deployment scenario illustrated in the figure above shows the ASA using WCCP to redirect web traffic to the WSA. Alternatively, a WCCP-capable router can be used to redirect web traffic transparently to the WSA; in this scenario the WCCP feature on the Cisco router is not used. Using the WCCP functionality in the ASA to redirect web traffic to the WSA allows any router to be used in this deployment.

In this scenario the ASA sends all decrypted VPN traffic to its default gateway, a Cisco router, using a tunneled default route. This hairpin is needed because the ASA applies WCCP redirection only to traffic arriving on an interface, and traffic decrypted from the AnyConnect tunnel does not arrive on the inside interface. The router returns the VPN web traffic to the ASA and forwards non-web traffic according to its routing table. When the web traffic re-enters the inside interface, the ASA uses WCCP to redirect it to the WSA for scanning. The WSA must be configured with a default route to the Internet gateway so that it can enforce its policies, and with a route back to the ASA so that scanned traffic is returned to the AnyConnect client. The Citrix VDI server is installed on Cisco Unified Computing System (UCS).

ASA

The idea is to show how the ASA works as a firewall and SSL VPN headend.
- WCCP is enabled on the ASA, and the ASA redirects the AnyConnect client's HTTP and HTTPS traffic to the WSA.

WSA

We will demonstrate WSA functionality for:
- blocking malicious or malware sites
- enforcing web access policy based on remote user identity
- SaaS single sign-on (e.g. WebEx)
- data security (e.g. blocking the upload of a PDF document via gmail.com)

AnyConnect

AnyConnect Secure Mobility:
- AnyConnect SSO to WebEx through the IronPort WSA
- Platform-agnostic AnyConnect (e.g. Windows, iPhone, iPad) SSL VPN connection to the ASA firewall
- Connection persistence

Role Play Demo Script

The Financial Controller (FC) is on a vacation trip. The Sales Director (SD) is in a coffee shop and is about to hold a WebEx web conferencing session with the Managing Director; he needs this quarter's financial report from the FC.

The SD opens his laptop and starts an AnyConnect SSL VPN connection back to his office VPN headend, remoteaccess.im-hk.com. He then calls the FC and asks for her help to get the financial report, which is only available on a company intranet server. The SD finds that the existing Wi-Fi connection is not stable and switches his laptop from Wi-Fi connection-1 to Wi-Fi connection-2, which has a stronger signal. The AnyConnect SSL VPN connection reconnects without the need to re-authenticate.

Figure 1: AnyConnect login screen on Windows

Narrator: The Cisco AnyConnect client supports always-on and persistent connections, which allows a user to restore his last SSL VPN session without re-authenticating. This provides very user-friendly, seamless secure access to the corporate network.

The SD opens http://webex.im-hk.com and is automatically signed on to his WebEx account. He then calls the FC and asks for her help.

Narrator: The Cisco IronPort Web Security Appliance supports SaaS single sign-on, allowing users to sign on to SaaS applications without having to remember a separate password for each SaaS application. This improves work efficiency and security. It also makes it much easier for the IT administrator to manage SaaS access and to track SaaS application usage and user activity. For example, an ex-employee will no longer be able to access SaaS applications once their account on the company directory server has been disabled.

Figure 2: WebEx user home page after single sign-on through the WSA

Since the FC is on vacation and carries only her iPad, she uses AnyConnect to reach an internal server over RDP or the Citrix client and emails the financial report to the SD. The SD thanks the FC and ends the call.

Figure 3: AnyConnect view on iPad

Figure 4: RDP client accessing her own desktop and sending the email with the financial report

Narrator: The Cisco IronPort Web Security Appliance obtains the remote AnyConnect user's identity from the ASA, and the administrator can enforce a web access policy for remote users. We can demonstrate that only selected, authorized users can reach a given intranet server remotely. In this demo we use the RDP iPad client instead of a web browser, because there was not enough time to set up an intranet web application server in the demo environment.

The SD receives the email with the financial report and wants to upload the file to his gmail.com account for future use, but the upload is blocked by corporate policy. He then recalls that this is not allowed under the company security policy.

Narrator: The Cisco IronPort Web Security Appliance obtains the remote AnyConnect user's identity from the ASA and can apply local and/or remote data security policy (e.g. blocking the upload of Office or PDF documents).

After the call, the FC recalls that she wants to use her iPad to check last night's lottery result, because there is a big pool. She accesses http://bet.hkjc.com and the access is blocked by the IronPort WSA due to corporate policy. She recalls that her iPad is still connected through AnyConnect.

Figure 5: End User Notification page showing that the access is blocked

Narrator: The Cisco IronPort Web Security Appliance can enforce web usage control for remote users. The administrator can control web usage according to user identity or user group, and can apply different policies depending on whether the user is in the office or outside it.

She then reads a message on Facebook sent by a friend and clicks the URL http://www.ihaveabadreputation.com in the message; the web access is blocked by the IronPort WSA due to poor web reputation. She says it is lucky that she is still protected by the company security gateway.

Figure 6: A malicious URL in a Facebook message; the web page is blocked due to poor web reputation

Narrator: The Cisco IronPort Web Security Appliance can block malicious content effectively by web reputation and/or the McAfee and Webroot anti-malware scanning engines (and also Sophos). Although some people say there is no virus or malware on the iPad yet, an iPad can still be compromised: visiting a jailbreak site and making a single click can be enough to have the iPad jailbroken and a jailbreak program installed.

Demo Equipment Bill of Material

The customer needs:
* Cisco Adaptive Security Appliance (ASA) 8.3 or above
* Cisco AnyConnect Secure Mobility Client 2.5 or above
* Cisco IronPort Web Security Appliance (WSA) 7.0 or above

Below is a sample equipment list for a customer size of 250 users. Note that any ASA model will work. The AnyConnect Mobile license is required if the customer needs AnyConnect support on mobile devices such as Windows Mobile, iPhone and iPad. Note that Secure Mobility involves user licenses on two devices: the AnyConnect license on the ASA and the Secure Mobility license on the WSA.
- AnyConnect license: maximum expected concurrent SSL VPN connections
- Secure Mobility license on the WSA: total number of remote users

Licensing information can be found in:
http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect25/feature/guide/anyconnect25features.html

Product Number      Description                                                                                        Quantity
ASA5510-BUN-K9      ASA 5510 Appliance with SW, 5FE, 3DES/AES                                                          1
ASA-AC-E-5510       AnyConnect Essentials VPN License - ASA 5510 (250 users)                                           1
ASA-AC-M-5510       AnyConnect Mobile - ASA 5510 (requires Essentials or Premium)                                      1 (only if mobile devices must be supported)
WBUN-2A-EN-DBC-1Y   Dual IronPort S160, 1yr WUC, WREP, ASPY, AV & Platinum support                                     Number of users
CASM-ACP-EN-1Y      Cisco Secure Mobility for AnyConnect Premium Enterprise 1 Year License Key (2000-4999 user tier)   Number of users

Demo Documentation & Configuration Highlight

WSA 7.0 documentation:
http://www.cisco.com/en/us/products/ps10164/tsd_products_support_series_home.html

AnyConnect 2.5 documentation:
http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/anyconnectadmin25.html

ASA 8.3 documentation:
http://www.cisco.com/en/us/docs/security/asa/roadmap/asaroadmap.html#wp50591

Highlights of configurations:

Router configuration (in the demo, the router uses only one interface, 172.16.0.58):

    ip default-gateway 172.16.0.254
    ip route 0.0.0.0 0.0.0.0 172.16.0.254

Note: the default gateway and the default route point to the firewall's inside address, 172.16.0.254, so traffic the ASA hands to the router is sent straight back to the ASA.

Firewall configuration (inside interface 172.16.0.254, outside interface remoteaccess.im-hk.com):

    route demo1 0.0.0.0 0.0.0.0 172.16.0.58 tunneled
    access-list WCCP extended permit object-group DM_INLINE_SERVICE_3 object Demo1_network any
    access-list WCCP extended permit object-group DM_INLINE_SERVICE_4 object AnyConnectClientRange any

The tunneled keyword makes this default route apply only to traffic arriving from VPN tunnels, sending decrypted AnyConnect traffic to the router at 172.16.0.58. The WCCP access list selects the traffic (HTTP and HTTPS from the demo network and from the AnyConnect client address range, via the ASDM-generated service object groups) that the ASA redirects to the WSA.

IronPort Web Security Appliance configuration (M1 interface 172.16.0.23):

Access Policy for local and remote user
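The configuration highlights above show only the tunneled route and the redirect access list. The following is an added example, written for this guide and not taken from the demo configuration, of the complete ASA side of the deployment scenario: the tunneled default route, the WCCP redirect and group lists, the WCCP service groups for HTTP and HTTPS, and the Mobile User Security (MUS) settings that let the WSA fetch the AnyConnect user identity from the ASA. The AnyConnect pool 172.16.1.0/24, the object and access-list names, the dynamic service group number 90, the passwords and the MUS command syntax (ASA 8.3) are assumptions; check them against the release's command reference and match them on the WSA.

```text
! Added example for this guide, not the demo's own configuration.
! Assumed: AnyConnect pool 172.16.1.0/24, object/ACL names, service group 90,
! passwords, and ASA 8.3 "mus" syntax. Addresses of the router (172.16.0.58)
! and the WSA M1 interface (172.16.0.23) are taken from the guide.
!
! Decrypted AnyConnect traffic does not ingress the inside interface, so it is
! first sent to the router with a tunneled default route; the router's own
! default route returns it to the ASA inside interface, where WCCP applies.
route demo1 0.0.0.0 0.0.0.0 172.16.0.58 tunneled
!
object network AnyConnectClientRange
 subnet 172.16.1.0 255.255.255.0
object network WSA_M1
 host 172.16.0.23
!
! Redirect list: deny the WSA's own traffic first so scanned traffic leaving
! the WSA is never redirected back to it, then select HTTP and HTTPS from the
! AnyConnect address range.
access-list WCCP extended deny tcp object WSA_M1 any
access-list WCCP extended permit tcp object AnyConnectClientRange any eq 80
access-list WCCP extended permit tcp object AnyConnectClientRange any eq 443
!
! Group list: only the WSA may register as a WCCP client.
access-list WSA_GROUP extended permit ip host 172.16.0.23 any
!
! Service group web-cache (0) carries port 80; a dynamic service group
! (90 here, must match the WCCP service defined on the WSA) carries port 443.
! The password authenticates the WSA's WCCP registration messages.
wccp web-cache redirect-list WCCP group-list WSA_GROUP password demo-wccp-secret
wccp 90 redirect-list WCCP group-list WSA_GROUP password demo-wccp-secret
wccp interface inside web-cache redirect in
wccp interface inside 90 redirect in
!
! Mobile User Security: the WSA polls the ASA on TCP 11999 for the table of
! VPN sessions (user name per assigned address) and uses it to apply
! per-user policy to remote users without a second authentication.
mus server enable port 11999
mus password demo-mus-secret
mus 172.16.0.23 255.255.255.255 inside
```

The group list and the WCCP password are what stop an arbitrary host on the inside network from registering as a cache engine and having all remote-user web traffic redirected to it; both should always be set when WCCP is enabled on the ASA. The WSA side mirrors this: the same service group number and WCCP password in its transparent redirection settings, and the ASA's inside address, port 11999 and the MUS password in its AnyConnect Secure Mobility settings.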

Remote User Identity

Identity Provider for SaaS

SaaS Application Definition for WebEx Single Sign-On

WebEx Single Sign-On Redirection

WebEx SSO Configuration