Workspot Configuration Guide for the Cisco Adaptive Security Appliance Workspot, Inc. 1/27/2015

This document contains Workspot proprietary information and is not to be disclosed to unauthorized persons. Version 2.1

Cisco ASA and Workspot Overview

The Cisco Adaptive Security Appliance (ASA) provides organizations with secure, high performance connectivity and protects critical assets for maximum productivity. Once the Cisco ASA is installed, Workspot can be quickly and easily implemented, as no additional on-premise hardware or software is required. The Workspot Client connects to the Cisco ASA using the Clientless SSL VPN feature.

For more information on the Cisco ASA, go to: http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html

The Workspot Client runs on mobile devices; Workspot Control, a corresponding cloud-based administration console, is used to manage configuration and policies for the environment.

For more information on Workspot, go to: http://www.workspot.com

Products and Versions Tested

The information and screens in this guide are based on the following:

• Cisco Adaptive Security Appliance 5510
• Cisco Adaptive Security Appliance Software Version 9.2
• Cisco Adaptive Security Device Manager Version 6.2(5)

Prerequisites and Configuration Notes

The following are general prerequisites for this guide:

• The Cisco ASA must be running version 8.0 or later, and should be installed and configured for network connectivity and basic operations, including an AAA Server Group with an authentication server such as Microsoft Active Directory (AD).
• AnyConnect Apex Licenses
  o One Apex license for each Workspot user. Apex licenses are based on the number of users regardless of how often they connect or how many devices they use. Contact Cisco or your reseller for more information on Apex license requirements.
  o If the ASA currently has AnyConnect Plus licenses, Cisco provides trial Apex licenses for one month with the ability to renew for an additional month. See the Cisco Self-Service Trial Licenses section for more information.
  o When using older Cisco ASA models (prior to Apex licensing), AnyConnect Premium licenses are required. All ASA models include two Premium licenses (supporting two concurrent users) that can be used for testing if the ASA is not configured for Cisco Essentials.

• Cisco ASDM administrator access to the ASA.
• DNS names or IP addresses for internal web apps, CIFS file shares and Remote Desktop Services (RDS) servers.

Configuring the Cisco ASA for Workspot includes:

• Creating a new Connection Profile
• Creating a new AAA Server Group (optional)
• Creating a new Group Policy enabling Clientless SSL VPN
• Configuring Group URL
• Testing the configuration through a web browser

Cisco ASA Configuration for Workspot

These steps outline the basic configuration of a Cisco ASA to support Workspot. Sign into the Cisco ASDM utility and configure a Clientless SSL VPN Connection profile as follows.

1. Create a new Connection Profile. Go to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles, then click Add.

2. Enter a Name, select an existing AAA Server Group, and enter the DNS parameters as necessary for the network environment. Then configure a new Group Policy: under Default Group Policy, click Manage.

Note: If an existing AAA Server Group uses an LDAP server configured with an LDAP Attribute Map, then a new AAA Server Group with an LDAP server without the attribute map is required. See the Troubleshooting section for more information.

3. Then click Add to add a new Group Policy.

4. Enter a Name, click More Options, then uncheck the Tunnel Protocols: Inherit and check Clientless SSL VPN to enable the webvpn tunnel protocol.

5. File access is typically enabled by default; if so, click OK to save the Internal Group Policy and proceed to the next step. If file access is not enabled, select Portal, then under File Access Control uncheck Inherit for all settings and check Enable, then click OK to save.

6. Click OK on the Configure Group Policy dialog to save the policy.

7. On the Connection Profile dialog, click the [+] on Advanced, then Clientless SSL VPN. Click Add under Group URL, then enter the custom URL. (This URL will be used in the Workspot Control VPN configuration.) Then click OK to save the Group URL and then OK again to save the Connection Profile.

8. Click Apply to apply the changes to the running Cisco ASA configuration.

Testing the Configuration

To test the configuration, use any standard browser and go to the URL associated with the Cisco ASA, e.g. https://vpn.mycompany.com/mobile. Enter your Username and Password, then click Login.

After a successful login, the Cisco Clientless Portal home page is shown as follows. See Troubleshooting if the Portal page is not shown. If the cifs:// option appears in the Address dropdown, then file access has been enabled. If cifs:// is not available, go back to make the changes outlined in step 5 to enable file access.

Note that Web and File browsing and bookmarks are for testing purposes and are not required for Workspot. The Cisco ASA is now properly configured for Clientless SSL VPN.

Configure the Cisco VPN in Workspot Control

The custom URL as configured in the Cisco ASA should be entered into the Workspot Control VPN configuration by adding a new network.

Troubleshooting

If the Cisco AnyConnect client download page (as shown below) appears instead of the Cisco Clientless Portal, this may indicate that the LDAP Attribute Map is configured.

Verify that Cisco Apex (shown as Premium) licenses are enabled. Enter the show run command on the Cisco ASA and check the configuration for the no anyconnect-essentials command in the webvpn section.

Cisco ASA Configuration

    …
    webvpn
     enable backup
     enable outside
     no anyconnect-essentials
    …

If the no anyconnect-essentials command is present, then an LDAP Attribute Map is configured in the authentication server in the server group used for the Workspot Connection Profile. Create a new AAA Server Group with the same authentication settings and specify the LDAP Attribute Map to be --None--.
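The following Python is an added example, not from the Workspot guide or from Cisco. It checks saved show run text for the settings made in steps 1 through 8 and for the two Troubleshooting conditions above. The sample configuration and the names AD-LDAP, Workspot-GP, VPN-MAP and 10.0.0.10 are constructed, and the CLI lines are assumed to be what the ASDM steps write to the running configuration.

```python
# Constructed `show run` excerpt; AD-LDAP, Workspot-GP, VPN-MAP, 10.0.0.10 are made up.
SAMPLE = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-attribute-map VPN-MAP
webvpn
 no anyconnect-essentials
group-policy Workspot-GP attributes
 vpn-tunnel-protocol ssl-clientless
tunnel-group Workspot general-attributes
 authentication-server-group AD-LDAP
 default-group-policy Workspot-GP
tunnel-group Workspot webvpn-attributes
 group-url https://vpn.mycompany.com/mobile enable
"""

def sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line[0].isspace():
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def audit(config, profile):
    """Return a list of findings for connection profile (tunnel-group) `profile`."""
    sec, findings = sections(config), []
    def value(header, key):  # first argument of `key` under `header`, or None
        hits = [c.split()[1] for c in sec.get(header, []) if c.startswith(key + " ")]
        return hits[0] if hits else None
    if "no anyconnect-essentials" not in sec.get("webvpn", []):
        findings.append("webvpn: 'no anyconnect-essentials' missing")
    general = f"tunnel-group {profile} general-attributes"
    policy = value(general, "default-group-policy") or "DfltGrpPolicy"
    gp = sec.get(f"group-policy {policy} attributes", [])
    # Assumption: older releases print "webvpn" where newer ones print "ssl-clientless".
    if not any(c.startswith("vpn-tunnel-protocol ") and
               {"ssl-clientless", "webvpn"} & set(c.split()) for c in gp):
        findings.append(f"group-policy {policy}: clientless SSL VPN not enabled")
    if value(f"tunnel-group {profile} webvpn-attributes", "group-url") is None:
        findings.append(f"tunnel-group {profile}: no group-url")
    group = value(general, "authentication-server-group")
    if any(h.startswith(f"aaa-server {group} ") and
           any(c.startswith("ldap-attribute-map") for c in kids)
           for h, kids in sec.items()):
        findings.append(f"aaa-server {group}: ldap-attribute-map set")
    return findings
```

Running audit(SAMPLE, "Workspot") reports the LDAP attribute map on the server group, which is the condition the Troubleshooting section ties to the AnyConnect download page.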

Cisco Self-Service Trial Licenses

Cisco provides one-month trial licenses for all premium features. These licenses will have max simultaneous premium, mobile, phone and advanced endpoint assessment enabled. These licenses can be renewed once. Follow the same steps below to extend the trial for another month. These are time-based licenses, so applying a new license will overwrite the original.

Note: These licenses cannot be used for the Cisco ASAv (virtual appliance).

Open a browser and navigate to http://www.cisco.com/go/license. Log into your Cisco account.

Continue to the next page by clicking on Continue to Product License Registration.

On the main Product License Registration page, select Get Other Licenses to bring up the dropdown menu, then select Demo and Evaluation.

The Get Demo and Evaluation Licenses screen will appear. For step 1, select Security Products as Product Family, then select AnyConnect Plus/Apex (ASA) Demo License as Product. Click Next to continue.

For step 2, enter the Serial Number from the output of ‘show version’ and enter any amount in the ‘How many users do you intend to support in your environment?’ field (this WILL NOT affect the license count). Click Next.

For step 3, confirm Send To email and Serial Number. Click Submit.

You should receive an email with an activation key. Follow the steps to apply:

1. Start the Cisco ASA command line.
2. Activate the license key with:

    > activation-key xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx

3. Enable premium functionality with:

    > webvpn
    > no anyconnect-essentials