Configuring Secure Client Management VPN Tunnel on Threat Defense

Procedure


Step 1

Create a remote access VPN policy configuration using the wizard:

For information about configuring a remote access VPN, see Configuring a New Remote Access VPN Connection.

Step 2

Configure connection profile settings for management VPN tunnel:

Note

It is advisable to create a new connection profile that is used only for the Secure Client management VPN tunnel, so that its authentication, alias, and group policy settings do not affect user VPN sessions.

  1. Edit the remote access VPN policy you have created.

  2. Select and edit the connection profile that will be used for management VPN tunnel.

  3. Click AAA > Authentication Method and select Client Certificate Only. The management tunnel is established without user interaction, so it must authenticate with a client certificate rather than a user name and password. Configure the authorization and accounting settings as required.

  4. Click the Aliases tab of the connection profile.

  5. Click Add (+) under URL Aliases and enter a URL alias (group URL) for the connection profile. The management tunnel profile created in Step 3 must point at this URL.

  6. Click Enabled to enable the URL.

  7. Click OK and then click Save to save the connection profile settings.

For more information about connection profile settings, see Configure Connection Profile Settings.

Step 3

Create a management tunnel profile using the Secure Client profile editor:

  1. Download the Secure Client VPN Management Tunnel Standalone Profile Editor from the Cisco Software Download Center if you have not already done so.

  2. Create a management tunnel profile with the required settings for your VPN users and save the file.

  3. Configure a server in the Server List with the group URL you have configured in the connection profile.

For information about creating a management profile using the Profile Editor, see the Cisco Secure Client (including AnyConnect) Administrator Guide.
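A mismatch between the profile's server entry and the URL alias configured in Step 2 is the most common reason the management tunnel never comes up. The following Python script is an added example, not code from the original page or from Cisco: it parses a management tunnel profile and checks that a ServerList entry resolves to the configured group URL. The embedded profile is constructed for illustration (it is not a Profile Editor export), and the host name vpn.example.com, the group name mgmt-tunnel, and the URL alias https://vpn.example.com/mgmt-tunnel are assumptions.

```python
"""Check a Secure Client management tunnel profile against the group URL
configured on the management connection profile (Step 2 and Step 3)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample profile for illustration; it is not an export from the
# Profile Editor, and the host name, address and group name are assumptions.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection>true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>MGMT_Tunnel</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>mgmt-tunnel</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# URL alias configured on the management connection profile (assumed value).
CONFIGURED_GROUP_URL = "https://vpn.example.com/mgmt-tunnel"


def _child_text(parent, tag):
    """Text of a direct child element, ignoring the profile's default namespace."""
    node = parent.find("{*}" + tag)
    return node.text.strip() if node is not None and node.text else ""


def server_entries(profile_xml):
    """Return (HostName, HostAddress, UserGroup) for each ServerList entry."""
    root = ET.fromstring(profile_xml)
    return [
        (_child_text(h, "HostName"), _child_text(h, "HostAddress"), _child_text(h, "UserGroup"))
        for h in root.findall("./{*}ServerList/{*}HostEntry")
    ]


def entry_group_url(host_address, user_group):
    """Group URL the client requests for a ServerList entry: https://<host>/<group>."""
    url = "https://" + host_address.strip().rstrip("/")
    if user_group.strip("/"):
        url += "/" + user_group.strip("/")
    return url


def profile_matches_group_url(profile_xml, group_url):
    """True when some ServerList entry resolves to the configured group URL.

    The host is compared case-insensitively and a trailing slash is ignored,
    so cosmetic differences do not produce a false mismatch; a different path
    (a wrong URL alias) still fails."""
    want = urlparse(group_url)
    want_key = ((want.hostname or "").lower(), want.path.rstrip("/"))
    for _name, address, group in server_entries(profile_xml):
        got = urlparse(entry_group_url(address, group))
        if ((got.hostname or "").lower(), got.path.rstrip("/")) == want_key:
            return True
    return False


if __name__ == "__main__":
    print("profile matches configured group URL:",
          profile_matches_group_url(SAMPLE_PROFILE, CONFIGURED_GROUP_URL))
```

Run it against the exported profile before uploading the file in Step 4; if it reports a mismatch, correct either the UserGroup in the profile or the URL alias on the connection profile so that the two agree (the alias must also be Enabled).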

Step 4

Create a management tunnel object:

  1. On your Secure Firewall Management Center web interface, navigate to Objects > Object Management > VPN > Secure Client File.

  2. Click Add Secure Client File.

  3. Specify the Name for the Secure Client file.

  4. Click Browse and select the management tunnel profile file you have saved.

  5. Click the File Type drop-down and select Secure Client Management VPN Profile.

  6. Click Save.

Note

You can also create the management tunnel object when you create or update Secure Client settings for a group policy. See Group Policy Secure Client Options.

Step 5

Associate a management profile with a group policy and configure group policy settings:

You must add the management VPN profile to the group policy associated with the connection profile used for the management tunnel VPN connection. When the user connects, the management VPN profile is downloaded along with the user VPN profile already mapped to the group policy, enabling the management VPN tunnel feature.

Caution

No Banner: Check and ensure that no banner is configured in the group policy settings. The management tunnel is established without user interaction, and a banner that requires acknowledgement prevents it from connecting. You can check the banner settings under Group Policy > General Settings > Banner.

  1. Edit the connection profile you have created for the management VPN tunnel.

  2. Click Edit Group Policy > Secure Client > Management Profile.

  3. Click the Management VPN Profile drop-down and select the management profile file object you have created.

    Note

    You can also click + and add a new Secure Client Management VPN Profile object.

  4. Click Save.

Step 6

Configure split tunneling in group policy:

  1. Click Edit Group Policy > General > Split Tunneling.

  2. From the IPv4 or IPv6 split tunneling drop-down, select Tunnel networks specified below.

  3. Select the Split Tunnel Network List Type: Standard Access List or Extended Access List, and then select the required access list to allow the traffic over the management VPN tunnel.

  4. Click Save to save the split tunnel settings.

Secure Client Custom Attribute

The Secure Client management VPN tunnel requires a split include tunneling configuration by default. If you want to deploy the management VPN tunnel with split tunneling set to tunnel all, you must set the Secure Client custom attribute in the group policy; because the management center 6.7 web interface does not support Secure Client custom attributes, you configure it using FlexConfig.

The following is an example FlexConfig command sequence for the Secure Client custom attribute (replace MGMT_Tunnel with the name of the group policy used for the management tunnel):

webvpn
 anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
anyconnect-custom-data ManagementTunnelAllAllowed true true
group-policy MGMT_Tunnel attributes
 anyconnect-custom ManagementTunnelAllAllowed value true

Step 7

Deploy, verify, and monitor the remote access VPN policy:

  1. Deploy the management VPN tunnel configuration to threat defense.

    Note

    Client systems must connect to the threat defense remote access VPN once to download the management tunnel VPN profile to the client machines.

  2. On the client, you can verify the Secure Client management VPN tunnel at Secure Mobility Client > VPN > Statistics.

    You can also check the management VPN session details on the threat defense command prompt using the show vpn-sessiondb anyconnect command; to list only sessions on the management connection profile, use show vpn-sessiondb anyconnect filter tunnel-group <connection-profile-name>.

  3. On your management center web interface, click Analysis to view the management tunnel session information.
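When several clients are connected, reading the session listing by eye is error-prone. The following Python script is an added example, not code from the original page or from Cisco: it parses show vpn-sessiondb anyconnect output into one dictionary per session and picks out the sessions that landed on the management connection profile, optionally confirming they also received the expected group policy (a session on the right connection profile but a different group policy, for example through an authorization override, will not get the management profile of Step 5). The embedded output is constructed to match the usual session listing layout and is not a capture from a real device; the user names, addresses, tunnel group names (Employees, mgmt-tunnel) and group policy names (Employees_GP, MGMT_Tunnel) are assumptions.

```python
"""Pick the management VPN tunnel sessions out of 'show vpn-sessiondb anyconnect'
output so the management tunnel can be verified from the threat defense CLI."""
import re

# Constructed sample output modelled on the session listing layout; the user
# names, addresses, tunnel groups and group policies are assumptions.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 11
Assigned IP  : 10.10.10.4             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 40213                  Bytes Rx     : 18877
Group Policy : Employees_GP           Tunnel Group : Employees
Login Time   : 09:58:01 UTC Mon Jun 3 2024
Duration     : 0h:22m:43s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a0a0a0100000b00665dbcd9
Security Grp : none                   Tunnel Zone  : 0

Username     : laptop01.example.com   Index        : 12
Assigned IP  : 10.10.20.5             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 12345                  Bytes Rx     : 6789
Group Policy : MGMT_Tunnel            Tunnel Group : mgmt-tunnel
Login Time   : 10:15:32 UTC Mon Jun 3 2024
Duration     : 0h:05m:12s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a0a0a0100000c00665dc0f4
Security Grp : none                   Tunnel Zone  : 0
"""

# One "Key : value" pair; a second pair on the same line is recognised by the
# run of two or more spaces before its key. Keys contain only letters and
# spaces, so "SSL-Tunnel:" inside an Encryption value is not mistaken for a key.
PAIR_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:\s|\s*$)"
)


def parse_sessions(output):
    """Split the listing into sessions (blank-line separated) and return a
    dict of field name -> value for each block that describes a session."""
    sessions = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = {}
        for line in block.splitlines():
            for key, value in PAIR_RE.findall(line):
                fields[key.strip()] = value.strip()
        if "Username" in fields:  # skip the "Session Type" header block
            sessions.append(fields)
    return sessions


def management_sessions(sessions, tunnel_group, group_policy=None):
    """Sessions that landed on the management connection profile (tunnel group),
    optionally restricted to those that also received the expected group policy."""
    hits = []
    for s in sessions:
        if s.get("Tunnel Group") != tunnel_group:
            continue
        if group_policy is not None and s.get("Group Policy") != group_policy:
            continue
        hits.append(s)
    return hits


def mismatched_group_policy(sessions, tunnel_group, group_policy):
    """Sessions on the management tunnel group that got a different group policy;
    these will not receive the management VPN profile."""
    return [s for s in management_sessions(sessions, tunnel_group)
            if s.get("Group Policy") != group_policy]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    for s in management_sessions(found, "mgmt-tunnel", "MGMT_Tunnel"):
        print(s["Username"], s["Assigned IP"], s["Login Time"], s["Duration"])
```

Paste the real output of show vpn-sessiondb anyconnect in place of the sample and pass the names of your management connection profile and group policy; an empty result while the user session is present means the client has not yet brought up the management tunnel (for example, the management profile has not been downloaded yet, or a banner is still configured on the group policy).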