
Cisco dCloud

Cisco ASA Clientless VPN v1


Last Updated: 01-AUGUST-2017

About This Demonstration


This guide for the preconfigured demonstration includes:

Requirements

About This Solution

Topology

Get Started

Scenario 1: Clientless VPN

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required | Optional
Laptop   | Cisco AnyConnect

© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

About This Solution


The Cisco ASA clientless VPN solution allows convenient, limited secure access to the corporate network from any location with
internet access. Users are able to access the most common internal network resources from anywhere with an internet connection
and compatible browser, without needing to install or run additional endpoint software such as the Cisco AnyConnect Secure
Mobility Client. The Cisco ASA clientless VPN feature is a simple, secure and scalable way to provide limited network access for
both contractors and employees.

Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios. All access information
needed to complete the demonstration is listed throughout the demonstration guide.

Table 2. Available Portals

Scenario / Vertical | General Resources (All)   | Internal Resources           | Internal Records
Healthcare          | For Patients and Families | For Healthcare Professionals | Medical Records / Insurance Server
Education           | For Students and Guests   | For Faculty/Educators        | Student Records / Student Contacts
Federal             | For Visitors              | For Federal Agents           | Background Records / Human Resource Server
Corporate           | For Customers and Guests  | For Corporate Employees      | Corporate Financial Records / HR Records

Table 3. Credentials and Access Levels

Scenario / Vertical | Username | Password
Healthcare          | doctor   | C1sco12345
Education           | dean     | C1sco12345
Federal             | captain  | C1sco12345
Corporate           | manager  | C1sco12345


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How].

Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.


Scenario 1. Clientless VPN


In this scenario, you will demonstrate some of the more popular features of the Cisco ASA clientless VPN solution, including:

Accessing internal corporate web sites using web bookmarks.

Accessing internal corporate file shares with single sign-on (SSO).

Accessing internal corporate resources using RDP and SSH with smart tunnels.

Accessing the internal Citrix XenDesktop and XenApp environment through clientless VPN with single sign-on (SSO).

Utilizing ASA host scan with pre-login policies to identify corporate or non-corporate assets.

Utilizing Dynamic Access Policies (DAP) to limit network access based on user identity and host scan posture.

In this scenario, we begin by showing how the clientless VPN allows limited network access for contractors, giving them only
access to the specific network resources they require, while at the same time not requiring them to install additional software on
their machines. The ASA host scan, in conjunction with Dynamic Access Policy (DAP), dictates that contractors are limited to using
the clientless VPN feature.

The scenario then shifts focus to how the ASA provides clientless access for corporate employees that are accessing the ASA
from personal devices. ASA host scan with Dynamic Access Policy (DAP) limits the employee on a personal device to only
accessing the VPN using clientless, as opposed to full tunnel access. Employees have access to a different, more extensive list of
resources.

Steps

NOTE: If you have already completed either of the scenarios in the Cisco ASA Posture with AMP and ISE v1 demo guide,
complete the following before continuing. If you have not completed other scenarios, continue to Step 1.

Delete c:\dCloud_watermark.txt.

Open certificates.msc on the desktop. Navigate to Certificates Current User > Personal > Certificates and delete any
present user certificates.

Contractors and employees using personal, non-corporate owned assets are given clientless-only VPN access. A contractor or
employee on a personal machine attempting to gain full access to the network using Cisco AnyConnect will be denied access. A
combination of Host Scan pre-login policies and the Dynamic Access Policy (DAP) feature of the ASA enforce this restriction.

1. From Wkst1, click the Cisco AnyConnect Secure Mobility Client icon in the taskbar. Select asav.dcloud.cisco.com from
the dropdown menu.

Figure 2. AnyConnect Client


2. Log in using the credentials username: contractor and password: C1sco12345 to demonstrate that the connection fails because
the DAP policy enforces clientless VPN-only access for contractors.

Figure 3. Access Denied

3. Click Cancel.

4. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.

Figure 4. Cisco AnyConnect with AMP


5. Select ASAv from the bookmarks. This runs the Cisco Secure Desktop and leads to a login page. Log in with the credentials
username: contractor and password: C1sco12345.

NOTE: The Cisco Secure Desktop (CSD) host scan process runs when accessing the ASAv through Firefox for clientless VPN
access. This is a Java-based process that scans the machine for posture-related information that the ASA uses later to make
enforcement decisions. For example, it detects if the machine has the correct digital certificate installed, if certain processes are
running, or if certain files are present. The host scan process can take up to 60 seconds to fully complete before displaying the
login screen.

6. Click Continue on the welcome banner. This displays the dCloud Contractor VPN Portal.

Figure 5. dCloud contractor VPN Portal

7. Click the yellow exclamation point. The message indicates that the user has contractor-only access. Click Close.

Figure 6. Yellow Exclamation Point and Message


8. Click one of the portal bookmarks (Healthcare, Education, Federal or Corporate).

Figure 7. Portal Bookmarks

9. From the portal page, click General Resources. As a contractor, the user can access this resource.

Figure 8. General Resources


10. Click the back button on the browser and select Internal Resources. The internal resource page blocks access for the
contractor.

Figure 9. Internal Resources

Figure 10. Access Denied

11. Click Back. Click the Cisco Clientless VPN Home icon in the upper right hand corner to return to the dCloud contractor VPN
portal.

Figure 11. Home Icon


12. Click AD Contractor Fileshare to demonstrate the contractor has access to the file share on AD1.

NOTE: Since the fileshare resource uses single sign-on, you do not enter credentials after clicking the AD1 Contractor Fileshare
bookmark.

Figure 12. AD Contractor Fileshare

Figure 13. AD Contractor Fileshare Listing


13. Click Application Access in the left column.

Figure 14. Application Access

14. You should see the message Smart Tunnel has been started. Minimize, but do not close, Firefox.

NOTE: The clientless VPN session must remain open for the smart tunnels to function. If you close Firefox, the clientless VPN
session ends, and the smart tunnels are torn down.

Figure 15. Smart Tunnel Message


NOTE: The Application Access area shows information related to any smart tunnels that are enabled for the clientless VPN. Smart
tunnels allow us to tunnel specific application traffic securely over the clientless SSL VPN connection, in order to give those
specific applications direct access to internal resources. The ASA is able to securely proxy the connection between the clientless
VPN user and the internal network resource.

In this particular demonstration, smart tunnels are configured for the Microsoft Windows RDP client and the PuTTY application.
When the user logs into the clientless VPN, and they launch the Windows RDP client or PuTTY, the network traffic from those
applications is securely sent over the SSL VPN connection to the ASA. The ASA then proxies the connection between the client
and the accessed internal resource.

An often-voiced concern with smart tunnel technology is how to verify that restrictions are in place to stop a user from accessing
restricted resources on the internal network. Web ACLs address that by limiting the specific resources accessible through smart tunnels.
Throughout this demonstration, the contractor has a smart tunnel for both the RDP client and PuTTY, and Web ACLs are applied
in the ASA dynamic access policy (DAP) to limit access to resources.

For example, the contractor may use the RDP client ONLY to access the AD1 server, and may use PuTTY ONLY to access the
linux web server via SSH. Attempting to use those applications for other purposes will not be successful. Smart tunnels provide the
flexibility to use full applications separate from the clientless portal to gain access to internal resources, but at the same time,
provide the ability to limit what specific resources those applications access.
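The Web ACL behaviour described in this note, modelled as an added Python example (this is not Cisco code and not the ASA configuration of this demo): one ACL per DAP role, evaluated first-match-wins with an implicit deny, gated by the smart-tunnel application list. The host addresses are constructed placeholders, and the role-to-rule mapping is an assumption built from the guide's wording, including the employee rule set described later (SSH to the Linux web server and ISE, RDP to the VDI desktop).

```python
"""Model of the webtype ACL checks an ASA applies to smart-tunnel traffic.

Added illustration for this guide, not Cisco code and not the demo's actual
ASA configuration. The host addresses below are constructed placeholders and
the role-to-rule mapping is an assumption built from the guide's wording:
a contractor may reach only AD1 over RDP and only the Linux web server over
SSH; an employee may also reach ISE over SSH and the VDI desktop over RDP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    network: str           # destination host/network in CIDR form
    port: Optional[int]    # destination TCP port, None means any port


@dataclass(frozen=True)
class Conn:
    app: str       # process that opened the socket, e.g. mstsc.exe, putty.exe
    dst_ip: str    # destination the application is trying to reach
    dst_port: int


# Constructed placeholder addresses; the guide names only the hosts.
HOSTS = {
    "AD1": "198.18.133.1",
    "LINUX-WEB": "198.18.133.100",
    "ISE": "198.18.133.27",
    "VDI": "198.18.133.40",
}

# Applications named in the smart-tunnel list; anything else never enters
# the tunnel, so the ACL is not even consulted for it.
SMART_TUNNEL_APPS = {"mstsc.exe", "putty.exe"}

# One ACL per DAP record. As on an ASA, the first matching entry wins and an
# unmatched connection falls through to an implicit deny.
WEB_ACLS = {
    "CONTRACTOR": [
        Rule("permit", HOSTS["AD1"] + "/32", 3389),
        Rule("permit", HOSTS["LINUX-WEB"] + "/32", 22),
    ],
    "EMPLOYEE": [
        Rule("permit", HOSTS["LINUX-WEB"] + "/32", 22),
        Rule("permit", HOSTS["ISE"] + "/32", 22),
        Rule("permit", HOSTS["VDI"] + "/32", 3389),
    ],
}


def evaluate(role: str, conn: Conn):
    """Return (decision, reason) for one connection attempted through a smart tunnel."""
    if conn.app.lower() not in SMART_TUNNEL_APPS:
        return "deny", "application is not in the smart-tunnel list"
    dst = ip_address(conn.dst_ip)
    for rule in WEB_ACLS.get(role, []):
        in_net = dst in ip_network(rule.network)
        port_ok = rule.port is None or rule.port == conn.dst_port
        if in_net and port_ok:
            return rule.action, f"matched '{rule.action} {rule.network} port {rule.port}'"
    return "deny", "implicit deny at end of ACL"


def reachable(role: str):
    """(host, port) pairs a role can reach, found by replaying the ACL against HOSTS."""
    out = set()
    for name, ip in HOSTS.items():
        for app, port in (("mstsc.exe", 3389), ("putty.exe", 22)):
            if evaluate(role, Conn(app, ip, port))[0] == "permit":
                out.add((name, port))
    return sorted(out)


if __name__ == "__main__":
    for role in WEB_ACLS:
        print(role, reachable(role))
    # A contractor pointing PuTTY at ISE falls through to the implicit deny.
    print(evaluate("CONTRACTOR", Conn("putty.exe", HOSTS["ISE"], 22)))
```

The `reachable` helper is the check a reviewer of a DAP record actually wants: replay the ACL against the inventory of internal hosts and confirm the resulting list matches the access the role is supposed to have, rather than reading the entries one by one.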

15. From the Wkst1 desktop, double click the PuTTY icon. Double click the Portals Linux Machine saved session to open an
SSH session to the portals server.

Figure 16. Portals Linux Machine

16. Log in using the credentials username: linuxuser and password: C1sco12345.


17. At the prompt, type who and press Enter. Note that the IP address shown is 198.19.10.100.

Figure 17. Who Command and IP Address

18. At the prompt, enter exit to close PuTTY.

NOTE: The Linux who command displays current system logins, including the IP address from which each user is logged in. When
connecting to this machine through the smart tunnel, the IP address shown is 198.19.10.100. That is the inside interface of the
ASA. Since the ASA is acting as a proxy for the SSH connection between the user and the Linux machine, the Linux machine
sees the user as connecting from 198.19.10.100.

At this point, if the user attempted to use PuTTY to access any other resource, such as ISE, the connection would fail. The WebACL
associated with the contractor clientless VPN session specifically dictates that the PuTTY smart tunnel may ONLY be used to
access the Linux web server using SSH.
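A consequence of the proxying described in this note is that the Linux host's own login records attribute every smart-tunnel session to the ASA inside interface rather than to the real user's machine. The added Python example below (not part of this guide or of Cisco's tooling) parses `who` output and flags the sessions that arrive via the ASA, which is the set a defender must correlate with the ASA's own clientless session logs to recover the true origin. The sample `who` lines are constructed in the standard `who` layout; 198.19.10.100 is the ASA inside interface address given in the guide.

```python
"""Parse Linux `who` output and flag logins that arrive via the ASA proxy.

Added illustration for this guide, not part of it. The sample lines are
constructed in the standard `who` layout (user, tty, login time, origin in
parentheses); 198.19.10.100 is the ASA inside interface named in the guide.
"""
import re

ASA_INSIDE = "198.19.10.100"   # inside interface of the ASA, per the guide

# user, tty, "YYYY-MM-DD HH:MM", optional "(origin)"; the origin may be an IP
# address or a host name, so anything up to the closing parenthesis is kept.
WHO_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\((?P<origin>[^)]*)\))?\s*$"
)

# Constructed sample output: one smart-tunnel SSH login (origin is the ASA),
# one direct login from the workstation, and one local console login.
SAMPLE_WHO = """\
linuxuser pts/0        2017-08-01 09:41 (198.19.10.100)
admin     pts/1        2017-08-01 08:15 (198.18.133.36)
root      tty1         2017-08-01 07:02
"""


def parse_who(text: str):
    """Return one dict per session; origin is None for local console logins."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = WHO_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised who line: {line!r}")
        entry = m.groupdict()
        entry["origin"] = entry["origin"] or None
        sessions.append(entry)
    return sessions


def proxied_sessions(sessions, proxy_ip: str = ASA_INSIDE):
    """Sessions whose recorded origin is the ASA, i.e. smart-tunnel sessions.

    For these the host cannot tell which VPN user or endpoint is behind the
    login; only the ASA's session log can map them back.
    """
    return [s for s in sessions if s["origin"] == proxy_ip]


if __name__ == "__main__":
    for s in proxied_sessions(parse_who(SAMPLE_WHO)):
        print(f"{s['user']} on {s['tty']} at {s['when']}: via ASA, correlate with VPN logs")
```

On a real host `who` prints host names unless run with `--ips`, so the origin column should be normalised before comparing it with the ASA address; the regex already accepts either form.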


19. From the Wkst1 desktop, double click Contractor AD1.rdp icon to open an RDP session to AD1 and demonstrate RDP
access. The window opens with cached credentials.

Figure 18. Contractor AD1 Window

20. Scroll down in the window and select Logoff from the Start menu to close the RDP session.

NOTE: If the user attempts to use RDP to access any other resource, such as the VDI desktop, the connection will fail. The WebACL
associated with the contractor clientless VPN session specifically dictates that the RDP smart tunnel may ONLY be used to
access the AD1 server.


21. Return to the Firefox window and click the word Logout to close the VPN portal session. Click X to close the Firefox window.

Figure 19. Logout of VPN Portal

NOTE: Now that we have successfully demonstrated the contractor clientless access, we can move on to the employee scenarios.
The Dynamic Access Policy (DAP) on the ASA dictates how employees can access the network. Employees logging in from
personal non-corporate assets are only granted employee clientless VPN access. They may not log in using AnyConnect.
Conversely, employees that are using corporate-owned assets may login either through clientless VPN, or by using the full
AnyConnect client. The level of access the employee is granted is based on the posture information gathered by the host scan
process.

To define corporate assets or personal devices, the ASA host scan pre-scan policy looks for two characteristics. First, it scans the
machine and looks for a digital certificate. If the digital certificate is valid and signed by the internal corporate certificate authority
(CA) with dCloud identified as the organizational unit, the machine is classified as a corporate asset. Additionally, if the machine
contains a special watermark file in a specific location, it is classified as a corporate asset.

At this point in the demonstration, WKST1 has neither the watermark file nor the digital certificate, so it will be classified as a
non-corporate asset. Therefore, attempting to log in to the network using AnyConnect with an employee account will fail, just as it
did for the contractor.
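The two host-scan checks and the DAP decision described in the preceding note, modelled as an added Python example (not Cisco code; Host Scan and the ASA perform these checks internally). The certificate is represented by a small dict of already-parsed fields and the watermark path is a parameter so the logic runs offline. The watermark path and the OU value come from the guide; the corporate CA name is an assumption.

```python
"""Model of the host-scan pre-login checks and the DAP decision in this guide.

Added illustration, not Cisco code. Host Scan and the ASA do this internally;
here the certificate is a dict of parsed fields so the logic runs offline.
Values: C:\\dCloud_watermark.txt and OU=dCloud are named in the guide; the CA
name INTERNAL_CA is an assumption.
"""
from datetime import datetime, timezone
from pathlib import Path

INTERNAL_CA = "dcloud-internal-ca"             # assumed issuer name of the corporate CA
REQUIRED_OU = "dCloud"                         # organizational unit named in the guide
WATERMARK = Path(r"C:\dCloud_watermark.txt")   # watermark file named in the guide


def cert_marks_corporate(cert, now=None):
    """True if a valid user certificate from the internal CA with OU=dCloud is present.

    cert: None, or a dict with 'issuer', 'ou', 'not_before', 'not_after'
    (the last two as timezone-aware datetimes).
    """
    if cert is None:
        return False
    now = now or datetime.now(timezone.utc)
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False                       # expired or not yet valid: ignored
    return cert["issuer"] == INTERNAL_CA and cert["ou"] == REQUIRED_OU


def classify_asset(cert, watermark_path=WATERMARK, now=None):
    """Corporate if EITHER check passes (the guide says 'additionally'), else personal."""
    if cert_marks_corporate(cert, now) or Path(watermark_path).is_file():
        return "corporate"
    return "personal"


def allowed_methods(role, asset):
    """VPN methods the DAP permits for a role on a given asset class."""
    if role == "contractor":
        return {"clientless"}                  # contractors: clientless only, always
    if role == "employee":
        if asset == "corporate":
            return {"clientless", "anyconnect"}
        return {"clientless"}                  # employee on a personal device
    return set()                               # unknown role: nothing


def decide(role, method, cert=None, watermark_path=WATERMARK, now=None):
    """Return (DAP action, asset class): 'continue' admits, 'terminate' rejects."""
    asset = classify_asset(cert, watermark_path, now)
    action = "continue" if method in allowed_methods(role, asset) else "terminate"
    return action, asset


if __name__ == "__main__":
    # WKST1 as in the guide at this step: no certificate, no watermark file.
    print(decide("contractor", "anyconnect"))   # ('terminate', 'personal')
    print(decide("employee", "anyconnect"))     # ('terminate', 'personal')
    print(decide("employee", "clientless"))     # ('continue', 'personal')
```

Of the two checks, only the certificate is evidence the endpoint cannot produce for itself; a watermark file is a marker any local user can create, so in a production DAP it is best treated as a convenience signal and the certificate check as the one that actually gates AnyConnect.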

22. Open Cisco AnyConnect Secure Mobility Client and connect again to asav.dcloud.cisco.com. Log in using specific vertical
credentials, that is, username: doctor, dean, captain or manager and password: C1sco12345.


23. This also fails due to DAP policy that is enforcing clientless VPN-only access for employees on personal machines.

Figure 20. Access Denied Healthcare Credentials

24. Click Cancel.

25. Open Firefox and select ASAv from the bookmarks. This runs the Cisco Secure Desktop and leads to a login page. Log in
using specific vertical credentials, that is, username: doctor, dean, captain or manager and password: C1sco12345.

26. Click Continue on the welcome banner. This displays the dCloud employee VPN Portal.

NOTE: The portal banner now displays employee instead of contractor, and the font is blue instead of red. Employees have a
distinct portal customization applied, separate from the one contractors see. Employees also have access to a different
set of resources, that is, Citrix and a CIFS share on a different machine, as well as additional SSH access using smart tunnels.

At this point in the demonstration, the employee is still accessing the VPN from a personal non-corporate asset. The clientless
VPN portal offers no way for the employee to launch AnyConnect from inside the portal. The employee on a non-corporate asset
has no access to AnyConnect.


27. Click the yellow exclamation point and read the message indicating you are an employee on a personal machine. Click
Close.

Figure 21. Personal Machine Message

NOTE: The employee has access to more resources than the contractor.

28. Click the bookmark for the vertical specific portal. In the image below, it is the Healthcare Portal, since the login used the
doctor credentials.

Figure 22. Healthcare Portal


29. From the portal page, click General Resources. As an employee on a personal machine, the user can access this
resource.

Figure 23. General Resources

30. Click the back button on the browser and select Internal Resources. The Internal Resources page allows access to the
employee on a personal machine.

Figure 24. Internal Resources


31. Click the link for Medical Records. The employee is blocked from accessing the records since they are using a personal
machine.

NOTE: The screenshots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section, an Internal Resources section, and,
within the internal resources, one or more Internal Records type of links. Check Table 2 - Available Portals for information on
alternative login credentials.

Figure 25. Access Denied

32. Click Back. Click the browser Home icon in the upper right hand corner to return to the dCloud Employee VPN portal.

33. Click the Citrix Storefront bookmark to be automatically logged into Citrix storefront.

NOTE: This link uses SSO (single sign on), and you are automatically logged into Citrix with the same credentials used to login to
the clientless VPN, that is, doctor, dean, captain or manager.

Figure 26. Citrix Storefront


Figure 27. Citrix Receiver Page

34. Click the dCloud Desktop icon to launch the Citrix receiver. You will receive a connection error (this is a known bug; more
information is available at https://tools.cisco.com/bugsearch/bug/CSCuy51258/), so close the pop-up window and click the dCloud
Desktop icon again. You are automatically logged into the VDI desktop.

Figure 28. VDI Desktop


35. After the desktop is shown, log off from the VDI desktop by selecting Log off from the Start Menu. You are returned to the
Citrix Storefront screen.

NOTE: Do not select Shutdown, even though it is the default choice.

36. Click Apps from the bottom of the screen. This displays the published apps: Calculator, Notepad and Paint.

Figure 29. Apps

37. Click one of the apps. The Citrix receiver opens and you may experience a flash reminiscent of a user logging into the
desktop. This process usually takes about 10 seconds.

NOTE: There may be a delay while the application opens. Be patient. The application may also open only in the taskbar of WKST1
initially. You may have to click the application in the taskbar to make it visible.

38. Close the application.

NOTE: It is important that you wait at least 30 seconds after closing the application. This is necessary so that the user is properly
logged out of the VDI desktop.


39. At the top right of the screen, click the arrow next to the username and click Log Off.

Figure 30. Log Off

40. Click the Cisco Clientless VPN Home button in the upper right to return to the dCloud Employee VPN portal.

41. Click VDI Desktop C: Share to demonstrate the user has access to the C: fileshare on the VDI desktop.

NOTE: The user is not prompted for login credentials. The CIFS share uses single sign-on.

Figure 31. VDI Desktop C: Share


Figure 32. VDI Desktop C: Drive Share

42. Click Application Access from the left column. Confirm that the message reads Smart Tunnel has been started. Minimize,
but do not close, Firefox.

NOTE: The clientless VPN session must remain open for the smart tunnels to function. If you close Firefox, the clientless VPN
session ends, and the smart tunnels are torn down.

Figure 33. Application Access


NOTE: The Application Access area shows information related to any smart tunnels that are enabled for the clientless VPN. Smart
tunnels allow us to tunnel specific application traffic securely over the clientless SSL VPN connection, in order to give those
specific applications direct access to internal resources. The ASA is able to securely proxy the connection between the clientless
VPN user and the internal network resource.

In this demonstration, smart tunnels are configured for the Microsoft Windows RDP client and the PuTTY application. When the
user logs into the clientless VPN, and they launch the Windows RDP client or PuTTY, the network traffic from those applications is
securely sent over the SSL VPN connection to the ASA. The ASA then proxies the connection between the client and the
accessed internal resource.

An often-voiced concern with smart tunnel technology is how to verify that restrictions are in place to stop a user from accessing
restricted resources on the internal network. Web ACLs address that by limiting the specific resources accessible through smart tunnels.
Throughout this demonstration, the contractor has a smart tunnel for both the RDP client and PuTTY, and Web ACLs are applied
in the ASA dynamic access policy (DAP) to limit access to resources.

For example, the contractor may use the RDP client ONLY to access the AD1 server, and may use PuTTY ONLY to access the
linux web server via SSH. Attempting to use those applications for other purposes will not be successful. Smart tunnels provide the
flexibility to use full applications separate from the clientless portal to gain access to internal resources, but at the same time,
provide the ability to limit what specific resources those applications access.

43. From the Wkst1 desktop, double click the PuTTY icon. Double click the Portals Linux Machine saved session to open an
SSH session to the portals server.

Figure 34. Portals Linux Machine


44. Log in using the credentials username: linuxuser and password: C1sco12345.

45. At the prompt, enter who and note that the IP address shown is 198.19.10.100.

Figure 35. Who Command and IP Address

46. At the prompt, enter exit to close PuTTY.

NOTE: The Linux who command displays current system logins, including the IP address. When connecting to this machine
through the smart tunnel, the IP address shown is 198.19.10.100. That is the inside interface of the ASA. Since the ASA is acting
as a proxy for the SSH connection between the user and the Linux machine, the Linux machine sees the user as connecting
from 198.19.10.100.

As an employee, the WebACL applied to the clientless session now allows PuTTY smart tunnel access to both the Linux web
server and the ISE server.


47. From the Wkst1 desktop, double click the PuTTY icon again. Double click the ISE saved session to open an SSH session to
ISE.

Figure 36. ISE

48. Log in using the credentials username: admin and password: C1sco12345.

49. At the prompt, enter the show users command and press Enter. Note that the IP address shown is 198.19.10.100.

NOTE: The show users command displays current system logins, including the IP address from which each user is logged in. When
connecting to this machine through the smart tunnel, the IP address shown is 198.19.10.100. That is the inside interface of the
ASA. Since the ASA is acting as a proxy for the SSH connection between the user and ISE, the ISE machine sees the user
as connecting from 198.19.10.100.

50. Close the PuTTY window.

51. From the Wkst1 desktop, double click the RDP shortcut for any user vertical (Healthcare.rdp, Education.rdp, Federal.rdp or
Corporate.rdp). This opens an RDP session to the VDI desktop to demonstrate RDP access through the smart tunnel.

Figure 37. Healthcare.rdp Shortcut


52. Scroll down in the window and select Logoff from the Start menu to close the RDP session.

53. Return to the Firefox window and click the word Logout to close the VPN portal session. Click X to close the Firefox window.

Figure 38. Logout of VPN Portal
