Cisco Cisco ScanSafe Wi-Fi Hotspot Security
Cisco CWS
– AnyConnect Web Security Deployment Guide
16
Test
Deploy
Prepare
Step 31:
Open Windows Services. Notice the Cisco AnyConnect Web Security Agent and the service
status displays Started. Simply logging off and logging back on will update the AnyConnect Web
Security UI to reflect that the web security client is active. Otherwise, it will update on the next reboot.
Security UI to reflect that the web security client is active. Otherwise, it will update on the next reboot.
Figure 2.13
Scenario 2: Log on to a machine that does not have the AnyConnect Web Security client installed.
These actions can be facilitated through Microsoft Group Policy and Active Directory. Cisco recommends
using these options to provide users with the cleanest and most trouble-free experience.
using these options to provide users with the cleanest and most trouble-free experience.
Step 1:
Open a web browser and browse to the outside interface of the ASA using the HTTPS.
Step 2:
Authenticate using whatever method has been configured for VPN client access and the
installation will commence. By clicking on the AnyConnect tray icon, you can see that all components
have been installed correctly.
have been installed correctly.
Step 3:
user name should reflect the logged on user and the groups should reflect the groups of which the
user is a member of.
user is a member of.
*Note: Confirm traffic is redirecting to AnyConnect by looking for
“connectorVersion: AP_ACx.x.xxxxx”
*Note: By opening Services, you can see that there are two services for AnyConnect. One specifically
deals with the AnyConnect Web Security service and the other-AnyConnect Secure Mobility, controls
the VPN client service.
deals with the AnyConnect Web Security service and the other-AnyConnect Secure Mobility, controls
the VPN client service.
However, the web security service is controlled by the secure mobility service. The lockdown
transform can only be applied when installing or upgrading the client. Meaning that in scenario 1,
even though the web security service has lockdown applied, the secure mobility service does not. In
this scenario, the web security service can be disabled simply by disabling the Secure Mobility Agent.
transform can only be applied when installing or upgrading the client. Meaning that in scenario 1,
even though the web security service has lockdown applied, the secure mobility service does not. In
this scenario, the web security service can be disabled simply by disabling the Secure Mobility Agent.
To circumvent this problem, either perform a clean installation of the AnyConnect Web Security client
as in Scenario 2, or only use Scenario 1 when upgrading to a newer client version.
as in Scenario 2, or only use Scenario 1 when upgrading to a newer client version.
Install AnyConnect Web Security using the pre-deploy method for PC
When you are deploying the AnyConnect Web Security client, you can either run the setup executable, a
startup script via a Group Policy Object (Microsoft AD), or a software management solution. The
installation script at the end of this document can be used in a Group Policy Object or with a software
management solution.
This section of deploying the AnyConnect Web Security client using the pre-deploy method for PC will
focus on using the script found at the end of this document in an Active Directory Group Policy Object.
The use of this script or method is not mandatory, but is offered as a convenience for rolling out the
AnyConnect Web Security client.
startup script via a Group Policy Object (Microsoft AD), or a software management solution. The
installation script at the end of this document can be used in a Group Policy Object or with a software
management solution.
This section of deploying the AnyConnect Web Security client using the pre-deploy method for PC will
focus on using the script found at the end of this document in an Active Directory Group Policy Object.
The use of this script or method is not mandatory, but is offered as a convenience for rolling out the
AnyConnect Web Security client.