Requirements
Topology
Get Started
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required | Optional
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 27
Cisco dCloud
Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios. All access information
needed to complete the demonstration is listed throughout the demonstration guide.
Table 2. Available Portals
Vertical    General Resources           Internal Resources            Internal Records
Healthcare  For Patients and Families   For Healthcare Professionals  Medical Records / Insurance Server
Education   For Students and Guests     For Faculty/Educators         Student Records / Student Contacts
Federal     For Visitors                For Federal Agents            Background Records / Human Resource Server
Corporate   For Customers and Guests    For Corporate Employees       Corporate Financial Records / HR Records
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
Accessing internal corporate resources using RDP and SSH with smart tunnels.
Accessing the internal Citrix XenDesktop and XenApp environment through clientless VPN with single sign-on (SSO).
Utilizing ASA host scan with pre-login policies to identify corporate or non-corporate assets.
Utilizing Dynamic Access Policies (DAP) to limit network access based on user identity and host scan posture.
In this scenario, we begin by showing how the clientless VPN allows limited network access for contractors, giving them access
only to the specific network resources they require, while at the same time not requiring them to install additional software on
their machines. The ASA host scan, in conjunction with Dynamic Access Policy (DAP), dictates that contractors are limited to using
the clientless VPN feature.
The scenario then shifts focus to how the ASA provides clientless access for corporate employees who access the ASA
from personal devices. ASA host scan with Dynamic Access Policy (DAP) limits an employee on a personal device to clientless
VPN access only, as opposed to full tunnel access. Employees have access to a different, more extensive list of resources.
Steps
NOTE: If you have already completed either of the scenarios in the Cisco ASA Posture with AMP and ISE v1 demo guide,
complete the following before continuing. If you have not completed other scenarios, continue to Step 1.
Delete c:\dCloud_watermark.txt.
Open certificates.msc on the desktop. Navigate to Certificates - Current User > Personal > Certificates and delete any
user certificates present.
Contractors and employees using personal, non-corporate owned assets are given clientless-only VPN access. A contractor or
employee on a personal machine attempting to gain full access to the network using Cisco AnyConnect will be denied access. A
combination of Host Scan pre-login policies and the Dynamic Access Policy (DAP) feature of the ASA enforce this restriction.
1. From Wkst1, click the Cisco AnyConnect Secure Mobility Client icon in the taskbar. Select asav.dcloud.cisco.com from
the dropdown menu.
2. Login using the credentials username: contractor and password: C1sco12345 to demonstrate that the connection fails due to
DAP policy enforcing clientless VPN-only access for contractors.
3. Click Cancel.
4. From Wkst1, open Firefox. The Cisco AnyConnect with AMP desktop displays.
5. Select ASAv from the bookmarks. This runs the Cisco Secure Desktop and leads to a login page. Log in with the credentials
username: contractor and password: C1sco12345.
NOTE: The Cisco Secure Desktop (CSD) host scan process runs when accessing the ASAv through Firefox for clientless VPN
access. This is a Java-based process that scans the machine for posture-related information that the ASA uses later to make
enforcement decisions. For example, it detects if the machine has the correct digital certificate installed, if certain processes are
running, or if certain files are present. The host scan process can take up to 60 seconds to fully complete before displaying the
login screen.
6. Click Continue on the welcome banner. This displays the dCloud Contractor VPN Portal.
7. Click the yellow exclamation point. The message indicates that the user has contractor-only access. Click Close.
9. From the portal page, click General Resources. As a contractor, the user can access this resource.
10. Click the back button on the browser and select Internal Resources. The internal resource page blocks access for the
contractor.
11. Click Back. Click the Cisco Clientless VPN Home icon in the upper right hand corner to return to the dCloud contractor VPN
portal.
12. Click AD Contractor Fileshare to demonstrate the contractor has access to the file share on AD1.
NOTE: Since the fileshare resource uses single sign-on, you do not enter credentials after clicking the AD1 Contractor Fileshare
bookmark.
14. You should see the message Smart Tunnel has been started. Minimize, but do not close, Firefox.
NOTE: The clientless VPN session must remain open for the smart tunnels to function. If you close Firefox, the clientless VPN
session ends, and the smart tunnels are torn down.
NOTE: The Application Access area shows information related to any smart tunnels that are enabled for the clientless VPN. Smart
tunnels allow us to tunnel specific application traffic securely over the clientless SSL VPN connection, in order to give those
specific applications direct access to internal resources. The ASA securely proxies the connection between the clientless
VPN user and the internal network resource.
In this particular demonstration, smart tunnels are configured for the Microsoft Windows RDP client and the PuTTY application.
When the user logs into the clientless VPN, and they launch the Windows RDP client or PuTTY, the network traffic from those
applications is securely sent over the SSL VPN connection to the ASA. The ASA then proxies the connection between the client
and the accessed internal resource.
An often-voiced concern with smart tunnel technology is how to verify that restrictions are in place to stop a user from accessing
restricted resources on the internal network. Web ACLs address that by limiting the specific resources reachable through smart
tunnels. Throughout this demonstration, the contractor has a smart tunnel for both the RDP client and PuTTY, and Web ACLs are
applied in the ASA dynamic access policy (DAP) to limit access to resources.
For example, the contractor may use the RDP client ONLY to access the AD1 server, and may use PuTTY ONLY to access the
linux web server via SSH. Attempting to use those applications for other purposes will not be successful. Smart tunnels provide the
flexibility to use full applications separate from the clientless portal to gain access to internal resources, but at the same time,
provide the ability to limit what specific resources those applications access.
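The per-session Web ACL described in the NOTE above can be modelled as a small first-match filter. The following is an added example, not Cisco's code and not the ASA's ACL syntax: the role names, the host labels ("ad1", "linux-web", "ise", "vdi") and the ports are constructed for this example and stand in for the demo's AD1 server, Linux web server, ISE and VDI desktop. The contractor entries mirror the restrictions stated above; the employee entries mirror the access the employee scenario later in this guide grants (SSH to both the Linux web server and ISE, RDP to the VDI desktop).

```python
"""Web ACL check for smart-tunnel connections, modelled on the DAP-applied
Web ACLs described in the guide.

Added example, not Cisco's code. Host labels, ports and the role names are
constructed; the ASA's own ACL syntax and DAP object names are not reproduced.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One Web ACL line: the tunnelled app and the host:port it may reach."""
    app: str        # "rdp" or "ssh": the application the smart tunnel carries
    dst_host: str   # internal resource label (constructed)
    dst_port: int
    permit: bool


@dataclass(frozen=True)
class TunnelRequest:
    """A connection the smart-tunnelled application is trying to open."""
    app: str
    dst_host: str
    dst_port: int


# Web ACLs as a DAP record would attach them to each clientless session
# (constructed to mirror the access the guide describes for each role).
SESSION_ACLS = {
    "contractor": [
        AclEntry("rdp", "ad1", 3389, True),        # RDP client: AD1 only
        AclEntry("ssh", "linux-web", 22, True),    # PuTTY: Linux web server only
    ],
    "employee": [
        AclEntry("rdp", "vdi", 3389, True),        # RDP client: VDI desktop
        AclEntry("ssh", "linux-web", 22, True),    # PuTTY: Linux web server ...
        AclEntry("ssh", "ise", 22, True),          # ... and ISE
    ],
}


def first_match(acl: List[AclEntry], req: TunnelRequest) -> Optional[AclEntry]:
    """Return the first entry matching the request (first match wins)."""
    for entry in acl:
        if (entry.app, entry.dst_host, entry.dst_port) == (req.app, req.dst_host, req.dst_port):
            return entry
    return None


def tunnel_allowed(role: str, req: TunnelRequest) -> bool:
    """Decide whether the ASA would proxy this smart-tunnel connection.

    A request that matches no entry falls through to the implicit deny at
    the end of the ACL. That implicit deny, not an explicit block entry, is
    what stops the contractor's PuTTY session from reaching ISE.
    """
    entry = first_match(SESSION_ACLS.get(role, []), req)
    return entry is not None and entry.permit


def explain(role: str, req: TunnelRequest) -> str:
    """Human-readable verdict, handy when walking an audience through the demo."""
    verdict = "permitted" if tunnel_allowed(role, req) else "denied"
    return f"{role}: {req.app} -> {req.dst_host}:{req.dst_port} {verdict}"


if __name__ == "__main__":
    probes = (TunnelRequest("ssh", "linux-web", 22), TunnelRequest("ssh", "ise", 22),
              TunnelRequest("rdp", "ad1", 3389), TunnelRequest("rdp", "vdi", 3389))
    for role in SESSION_ACLS:
        for req in probes:
            print(explain(role, req))
```

The point to carry into a real deployment is the last line of `tunnel_allowed`: a session whose role has no ACL at all (`"guest"` in the test) gets nothing, and anything not listed is dropped, so the ACL is a positive list of what each smart tunnel may reach rather than a list of what it may not.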
15. From the Wkst1 desktop, double click the PuTTY icon. Double click the Portals Linux Machine saved session to open an
SSH session to the portals server.
16. Log in using the credentials username: linuxuser and password: C1sco12345.
17. At the prompt, type who and press Enter. Note that the IP address shown is 198.19.10.100.
NOTE: The linux who command displays current system logins, including the IP address from which the user is logged in. When
connecting to this machine through the smart tunnel, the IP address shown is 198.19.10.100. That is the inside interface of the
ASA. Since the ASA is acting as proxy for the SSH connection between the user and the linux machine, the linux machine
recognizes the user as connecting from 198.19.10.100.
At this point, if the user attempted to use PuTTY to access any other resource, such as ISE, failure will occur. The WebACL
associated with the contractor clientless VPN session specifically dictates that the PuTTY smart tunnel may ONLY be used to
access the linux web server using SSH.
19. From the Wkst1 desktop, double click the Contractor AD1.rdp icon to open an RDP session to AD1 and demonstrate RDP
access. The window opens with cached credentials.
20. Scroll down in the window and select Logoff from the Start menu to close the RDP session.
NOTE: If the user attempts to use RDP to access any other resource, such as the VDI desktop, the connection fails. The WebACL
associated with the contractor clientless VPN session specifically dictates that the RDP smart tunnel may ONLY be used to
access the AD1 server.
21. Return to the Firefox window and click the word Logout to close the VPN portal session. Click X to close the Firefox window.
NOTE: Now that we have successfully demonstrated the contractor clientless access, we can move on to the employee scenarios.
The Dynamic Access Policy (DAP) on the ASA dictates how employees can access the network. Employees logging in from
personal non-corporate assets are only granted employee clientless VPN access. They may not login using AnyConnect.
Conversely, employees that are using corporate-owned assets may login either through clientless VPN, or by using the full
AnyConnect client. The level of access the employee is granted is based on the posture information gathered by the host scan
process.
To define corporate assets or personal devices, the ASA host scan pre-scan policy looks for two characteristics. First, it scans the
machine and looks for a digital certificate. If the digital certificate is valid and signed by the internal corporate certificate authority
(CA) with dCloud identified as the organizational unit, the machine is classified as a corporate asset. Additionally, if the machine
contains a special watermark file in a specific location, it is classified as a corporate asset.
At this point in the demonstration, WKST1 has neither the watermark file nor the digital certificate, so it will be classified as a
non-corporate asset. Therefore, attempting to log in to the network using AnyConnect with an employee account will fail, just as it
did for the contractor.
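The two-signal classification just described, and the DAP decision it feeds, can be written out as a small policy function. The following is an added example, not Cisco's code: the names (`UserCert`, `Endpoint`, `corporate_asset`, `select_dap`) are this example's own, not ASA DAP attribute names; the corporate CA issuer name is constructed; the certificate is represented by fields already parsed from it, with chain validation assumed to have happened upstream; and the watermark path is the one this guide uses.

```python
"""Model of the host-scan pre-login classification and the DAP decision it
feeds, as the guide describes them.

Added example, not Cisco's code. CORP_CA_ISSUER is a constructed name; the
watermark path is the one named in the guide.
"""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

CORP_CA_ISSUER = "CN=dCloud Internal CA"            # constructed issuer name
CORP_OU = "dCloud"                                  # OU the guide says must be present
WATERMARK_PATH = Path(r"c:\dCloud_watermark.txt")   # path from the guide


@dataclass(frozen=True)
class UserCert:
    issuer: str       # issuer DN as parsed from the certificate
    subject_ou: str   # organizational unit in the subject DN
    valid: bool       # chain verified and within validity period (done upstream)


@dataclass(frozen=True)
class Endpoint:
    cert: Optional[UserCert]   # None when no user certificate was found
    watermark_present: bool


def watermark_present(path: Path = WATERMARK_PATH) -> bool:
    """The file-existence half of the pre-login check."""
    return path.is_file()


def corporate_asset(ep: Endpoint) -> bool:
    """Either signal classifies the machine as a corporate asset."""
    cert_ok = (
        ep.cert is not None
        and ep.cert.valid
        and ep.cert.issuer == CORP_CA_ISSUER
        and ep.cert.subject_ou == CORP_OU
    )
    return cert_ok or ep.watermark_present


def select_dap(role: str, corporate: bool, client: str) -> str:
    """Return the DAP outcome for a login attempt.

    role:   "contractor" or "employee"
    client: "anyconnect" (full tunnel) or "clientless" (browser portal)
    Returns "deny" or the access level the guide grants.
    """
    if role == "contractor":
        # Contractors are clientless-only regardless of posture.
        return "contractor-clientless" if client == "clientless" else "deny"
    if role == "employee":
        if client == "clientless":
            return "employee-clientless"
        # Full AnyConnect access needs a corporate asset.
        return "employee-full" if corporate else "deny"
    return "deny"


def decide(role: str, ep: Endpoint, client: str) -> str:
    """Classify the endpoint, then apply the DAP."""
    return select_dap(role, corporate_asset(ep), client)
```

Note the asymmetry between the two signals: the certificate check fails closed on any of issuer, OU or validity, whereas the watermark is a single file presence test. When adapting this for production, treat the watermark as a convenience for lab machines and lean on the certificate for the decision that unlocks full-tunnel access.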
22. Open Cisco AnyConnect Secure Mobility Client and connect again to asav.dcloud.cisco.com. Log in using vertical-specific
credentials, that is, username: doctor, dean, captain or manager and password: C1sco12345.
23. This also fails due to DAP policy that is enforcing clientless VPN-only access for employees on personal machines.
25. Open Firefox and select ASAv from the bookmarks. This runs the Cisco Secure Desktop and leads to a login page. Log in
using specific vertical credentials, that is, username: doctor, dean, captain or manager and password: C1sco12345.
26. Click Continue on the welcome banner. This displays the dCloud employee VPN Portal.
NOTE: The portal banner now displays employee instead of contractor, and the font is blue instead of red. Employees have a
distinctly independent and different portal customization applied as compared to contractors. Employees have access to a different
set of resources, that is, Citrix and a CIFS share to a different machine, as well as additional SSH access using smart tunnels.
At this point in the demonstration, the employee is still accessing the VPN from a personal non-corporate asset. The clientless
VPN portal offers no way for the employee to launch AnyConnect from inside the portal. The employee on a non-corporate asset
has no access to AnyConnect.
27. Click the yellow exclamation point and read the message indicating you are an employee on a personal machine. Click
Close.
NOTE: The employee has access to more resources than the contractor.
28. Click the bookmark for the vertical-specific portal. In the image below, it is the Healthcare Portal, since the login used the
doctor credentials.
29. From the portal page, click the General Resources. As an employee on a personal machine, the user can access this
resource.
30. Click the back button on the browser and select Internal Resources. The Internal Resources page allows access to the
employee on a personal machine.
31. Click the link for Medical Records. The employee is blocked from accessing the records since they are using a personal
machine.
NOTE: The screenshots display the healthcare portal. The Internal Resources and Internal Records links vary for the other three
verticals, but all follow the same general pattern. There is always a General Resources section and an Internal Resources section,
and within the internal resources, one or more Internal Records type links. Check Table 2 - Available Portals for information on
alternative login credentials.
32. Click Back. Click the browser Home icon in the upper right hand corner to return to the dCloud Employee VPN portal.
33. Click the Citrix Storefront bookmark to be automatically logged into Citrix storefront.
NOTE: This link uses SSO (single sign on), and you are automatically logged into Citrix with the same credentials used to login to
the clientless VPN, that is, doctor, dean, captain or manager.
34. Click the dCloud Desktop icon to launch the Citrix receiver. You will receive a connection error (this is a known bug; more
information is available at https://tools.cisco.com/bugsearch/bug/CSCuy51258/), so close the pop-up window and click the dCloud
Desktop icon again. You are automatically logged into the VDI desktop.
35. After the desktop is shown, log off from the VDI desktop by selecting Log off from the Start Menu. You are returned to the
Citrix Storefront screen.
36. Click Apps from the bottom of the screen. This displays the published apps: Calculator, Notepad and Paint.
37. Click one of the apps. The Citrix receiver opens and you may experience a flash reminiscent of a user logging into the
desktop. This process usually takes about 10 seconds.
NOTE: There may be a delay while the application opens. Be patient. The application may also open only in the taskbar of WKST1
initially. You may have to click the application in the taskbar to make it visible.
NOTE: It is important that you wait at least 30 seconds after closing the application. This is necessary so that the user is properly
logged out of the VDI desktop.
39. At the top right of the screen, click the arrow next to the username and click Log Off.
40. Click the Cisco Clientless VPN Home button in the upper right to return to the dCloud Employee VPN portal.
41. Click VDI Desktop C: Share to demonstrate the user has access to the C: fileshare on the VDI desktop.
NOTE: The user is not prompted for log in credentials. The CIFS share uses single sign-on.
42. Click Application Access from the left column. Confirm that the message reads Smart Tunnel has been started. Minimize,
but do not close, Firefox.
NOTE: The clientless VPN session must remain open for the smart tunnels to function. If you close Firefox, the clientless VPN
session ends, and the smart tunnels are torn down.
NOTE: Smart tunnels, and the Web ACLs that restrict what the RDP client and PuTTY may reach through them, work exactly as
described in the NOTE following Step 14 in the contractor scenario. The employee session's Web ACL differs only in the resources it
permits, which the following steps demonstrate.
43. From the Wkst1 desktop, double click the PuTTY icon. Double click the Portals Linux Machine saved session to open an
SSH session to the portals server.
44. Log in using the credentials username: linuxuser and password: C1sco12345.
45. At the prompt, enter who and note that the IP address shown is 198.19.10.100.
NOTE: The linux who command displays current system logins, including the IP address. When connecting to this machine
through the smart tunnel, the IP address shown is 198.19.10.100. That is the inside interface of the ASA. Since the ASA is acting
as proxy for the SSH connection between the user and the linux machine, the linux machine recognizes the user as connecting
from 198.19.10.100.
As an employee, the WebACL applied to the clientless session now allows PuTTY smart tunnel access to both the linux web
server and the ISE server.
47. From the Wkst1 desktop, double click the PuTTY icon again. Double click the ISE saved session to open an SSH session to
ISE.
48. Log in using the credentials username: admin and password: C1sco12345.
49. At the prompt, enter the show users command and press Enter. Note that the IP address shown is 198.19.10.100.
NOTE: The show users command displays current system logins, including the IP address from which the user is logged in. When
connecting to this machine through the smart tunnel, the IP address shown is 198.19.10.100. That is the inside interface of the
ASA. Since the ASA is acting as proxy for the SSH connection between the user and the ISE, the ISE machine recognizes the user
as connecting from 198.19.10.100.
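Because the ASA proxies every smart-tunnel connection, the Linux host and ISE both record the login as coming from 198.19.10.100, so host-side login records alone cannot tell a contractor's session from an employee's. The following added example (not Cisco's code) parses `who`-style login lines, as shown in Steps 17 and 45, and separates the logins that arrived through the ASA from the rest. The sample lines are constructed; the only address taken from this guide is 198.19.10.100, the ASA inside interface, and the other address and user names are invented for the example.

```python
"""Separate proxied (smart-tunnel) logins from direct ones in `who` output.

Added example, not Cisco's code. SAMPLE_WHO is constructed; ASA_INSIDE_IP is
the inside-interface address the guide names.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

ASA_INSIDE_IP = "198.19.10.100"   # from the guide

# Constructed `who` output: NAME LINE TIME (ORIGIN). Two sessions came through
# the ASA, one is a local console login, one came from another (invented) host.
SAMPLE_WHO = """\
linuxuser pts/0        2017-05-02 10:14 (198.19.10.100)
root      tty1         2017-05-02 08:00
linuxuser pts/1        2017-05-02 10:20 (198.19.10.100)
ops       pts/2        2017-05-02 10:25 (198.18.133.5)
"""

WHO_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<line>\S+)\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?:\s+\((?P<origin>[^)]+)\))?\s*$"
)


class Login(NamedTuple):
    user: str
    line: str
    time: str
    origin: Optional[str]   # None for local console logins (no parenthesised host)


def parse_who(text: str) -> List[Login]:
    """Parse `who` output; lines that do not match the format are skipped."""
    logins: List[Login] = []
    for raw in text.splitlines():
        m = WHO_LINE.match(raw)
        if m:
            logins.append(Login(m["user"], m["line"], m["time"], m["origin"]))
    return logins


def proxied_logins(logins: List[Login], proxy_ip: str = ASA_INSIDE_IP) -> List[Login]:
    """Sessions whose origin is the ASA inside address.

    The host cannot tell these users apart by address; mapping a session back
    to the VPN user behind it (contractor or employee) needs the ASA's own
    session records, correlated by time.
    """
    return [login for login in logins if login.origin == proxy_ip]


def logins_by_origin(logins: List[Login]) -> Dict[str, List[str]]:
    """Group user names by originating host, with console logins under 'local'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for login in logins:
        groups[login.origin or "local"].append(login.user)
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_who(SAMPLE_WHO)
    for login in proxied_logins(parsed):
        print(f"{login.user} on {login.line} at {login.time}: via ASA smart tunnel")
    print(logins_by_origin(parsed))
```

The same grouping applies to the ISE `show users` output in Step 49 once its columns are mapped onto the same `Login` fields; the practical takeaway is that accountability for smart-tunnel traffic lives in the ASA's VPN session records, not in the target host's login table.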
51. From the Wkst1 desktop, double click the RDP shortcut for any user vertical (Healthcare.rdp, Education.rdp, Federal.rdp or
Corporate.rdp). This opens an RDP session to the VDI desktop to demonstrate RDP access through the smart tunnel.
52. Scroll down in the window and select Logoff from the Start menu to close the RDP session.
53. Return to the Firefox window and click the word Logout to close the VPN portal session. Click X to close the Firefox window.