Cisco Secure Desktop is somewhat of a puzzle for me. On one hand it offers a great deal of functionality but on the other hand it doesn’t always work exactly as you would expect (more to come on this in Part 2). As a general overview, Cisco Secure Desktop features the following configurations/options.
Pre-login policy
Allows the configuration of what I call a “policy tree”. A user must meet all of the policy requirements prior to even being shown the logon screen. You can check the OS, files, registry, certificates, and IP addresses during the pre-login policy check.
Host Scan
Scans the workstation attempting to access the WebVPN portal and captures information such as anti-virus software, its version, the time of its last update, etc. The base license can detect this information; units licensed for "Advanced Endpoint Assessment" can also remediate the issues found. You use DAPs (Dynamic Access Policies) to decide what access to grant based on the host scan findings.
Cache Cleaner
Pretty straightforward here. Allows you to configure IE cache cleaning settings.
Secure Desktop Vault
Creates a virtual secure desktop vault instance on a user's workstation. It uses a small piece of the hard drive to store the vault and encrypts it. I have yet to see anyone using this and since I myself don't see a great business case to deploy such a tool, I won't be discussing it much at this point.
Keystroke Logger
Lets you scan the computer for keystroke loggers and other items such as computer emulation.
In this post we'll just discuss how to load the CSD image onto the ASA and configure it for use with WebVPN. In the remaining posts on this topic we'll walk through various configurations as well as some pros and cons of the CSD system. Please note that just by loading the CSD image and configuring WebVPN to use CSD the end user experience WILL change. Most notably the users will see CSD when they access the WebVPN portal URL. Instead of seeing the login prompt when you browse to the external interface on 443, you'll instead see CSD loading as shown below.
And if you have never used CSD before you will most likely receive the following installation prompt for the CSD Internet Explorer add-on.
If you select "Don't Install" it will try to install using Java, which usually works without prompting (depending on what security settings you have defined in IE). So the bottom line is that in a Windows environment it will usually find a way to get its components installed. We will discuss what those components are and where they are stored in part 2 of this series.
The default configuration options include the use of the browser cache cleaner. After the CSD installer runs and you get to the WebVPN logon prompt you'll notice the CSD icon in the Windows tray as shown below. We'll get more into the cache cleaner in later posts, but for now just know that it is enabled by default when you install CSD on the ASA.
Now that we know the consequences of our actions, let's get to the installation. The first step is to import a CSD image to flash, then we can configure WebVPN to use it.
Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them
Import the CSD image onto your ASA’s flash
ASA# copy tftp://<TFTP Server IP>/CSD/<CSD Package name> flash
Configure WebVPN with the image and enable CSD
ASA(config)# webvpn
ASA(config-webvpn)# csd image flash:<CSD Package name>
ASA(config-webvpn)# csd enable
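As an added example (not from the original post), here is the same procedure written out end to end with the checks I would run before and after enabling CSD: confirm the package actually landed in flash before pointing WebVPN at it, and confirm the ASA reports the image as installed and enabled afterwards. The TFTP server address and package file name are placeholders; `show webvpn csd` is taken from the ASA command reference and is assumed to be available on the software release you are running.

```cisco
! Step 1: pull the CSD package into flash (placeholder server and file name)
ASA# copy tftp://<TFTP Server IP>/CSD/<CSD Package name> flash:/<CSD Package name>

! Check: the file must be present in flash with a sensible size before it is referenced.
! A truncated transfer here is the usual reason "csd image" is rejected later.
ASA# dir flash:/<CSD Package name>

! Step 2: reference the image under webvpn and turn CSD on
ASA# configure terminal
ASA(config)# webvpn
ASA(config-webvpn)# csd image flash:/<CSD Package name>
ASA(config-webvpn)# csd enable
ASA(config-webvpn)# exit

! Check: the ASA should now report the CSD version as installed and enabled.
! If this shows CSD as not enabled, the portal will still present the plain login page.
ASA(config)# show webvpn csd

! Persist the change so the CSD reference survives a reload
ASA(config)# write memory
```

Running the `show webvpn csd` check before you tell users anything is worth the few seconds: as the post notes, the portal behaviour changes the moment CSD is enabled, so you want to know for certain whether the change has taken effect on the box before anyone browses to the external interface.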
That’s it. Now that CSD is installed and configured within WebVPN you should start seeing the default behavior as explained above. Through the rest of this series of posts we’ll discuss CSD pros and cons, configuration options, and some of the more not so well known pieces of CSD.