Published by Mitchell Perkins. Modified over 7 years ago.
2
AnyConnect PerApp VPN
3
Differentiate Mobile Access
Connect Only Approved Applications Over VPN

Components: AnyConnect Per App mobile user; AnyConnect v4.0 with a Plus or Apex license; ASA or later to configure Per App VPN tunneling; the Cisco Enterprise Application Selector tool, available on CCO. Example apps: Jabber, Salesforce, Facebook, LinkedIn.
Platform requirements: Apple iOS 8.3 or later (MDM required); Android ICS+ and Samsung Knox 2.0 (MDM optional).
Cisco ASA: configuration and enforcement of the Per App policy. Support for unmanaged devices (BYOD / no MDM). The Application Selector tool creates the per app policy for the ASA.

Capabilities and Benefits:
- Provide highly secure remote access for selected applications by user, role, device, etc. (Per App VPN)
- Reduce the potential for non-approved applications to compromise enterprise data
- Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations

AnyConnect provides highly secure access for select enterprise mobile applications through a Per App VPN, preventing non-approved applications from accessing and potentially compromising company networks and data. It delivers more granular control by helping to ensure that data transmitted by approved applications travels through the VPN and that other applications (such as Facebook) do not, which also protects an employee's privacy. It is role-based: depending on your role in the organization (employee, partner, or contractor), your application access through the VPN can vary, so the Per App VPN feature can support a range of different types of mobile users. This is currently available on Apple iOS devices.

NOTES: Think of it as application-based split tunneling. Traditional system tunneling decides per packet based on the IP route table; Per App tunneling decides based on the originating application only.

This uses a system-based Per App infrastructure, which simplifies tunnel configuration. Currently supports: Apple iOS and Samsung KNOX (Android). Policy-based configuration with App Store support. Support for unmanaged mobile devices (BYOD access / no MDM): AC configures and validates apps. Integrates with MDM-pushed Per App VPN configuration: AC validates apps, with some limitations. No UDP for iOS yet.
4
Minimum Requirements for Per App VPN
- ASA 5500-X, 5505, or Virtual ASA running ASA code 9.3.1 or later
- Latest ASDM available at the time of release of ASA 9.3.1 or later
- Latest release of Cisco AnyConnect® 4.x
- iOS 8.x or later
- Samsung KNOX 2.x Android device
5
Per App VPN Solution Components
Per App VPN Agent (iOS and Samsung Knox). Per App VPN Gateway (Cisco® ASA 5500-X or later). Per App VPN Tunneling.

AnyConnect 4.0 for mobile devices has been enhanced to provide Per App VPN tunneling in addition to traditional system tunneling. Traditional VPN system tunneling, in a full-tunneling or split-tunneling configuration, directs packets over the tunnel or in the clear based on the destination address. Per App VPN tunneling, operating at Layer 7, directs data over the tunnel or in the clear based on the originating app. Per App VPN is essentially split tunneling that allows only data from approved apps to reach the enterprise network.

In Per App VPN tunneling mode, a connection is established automatically for a specific set of apps on the mobile device. The set of apps for which AnyConnect will tunnel data is defined by the administrator on the ASA headend using the AnyConnect Enterprise Application Selector tool and the ASA Custom Attributes mechanism. This list of identified and approved apps is sent to the AnyConnect client and used to enforce Per App VPN tunneling on the device. For all other apps not on the list, data is sent outside of the tunnel, in the clear.

If you are using a mobile device manager in your environment to configure and control mobile devices on your network, it must configure mobile devices to tunnel the same list of apps that AnyConnect is configured to tunnel. A discrepancy in the set of tunneled apps between the ASA headend and the mobile device manager may cause unexpected app behavior.

AnyConnect determines which mode it will operate in based on configuration information received from the ASA headend: specifically, the presence or absence of a Per App VPN custom attribute in the group policy or dynamic access policy (DAP) associated with the connection when the session is being established. If the Per App VPN list is present, AnyConnect will operate in Per App VPN mode. If it is absent, AnyConnect will operate in system-tunneling mode.

Highly Secure App-Based VPN Plus Context: real-time context collection. Gateway: headend for Per-App VPN.
6
Per App Managed

- Allows application policy enforcement by Cisco® ASA and Cisco AnyConnect®
- Allows wildcard application package identifiers such as com.anybird.*; for example, anything under com.cisco.* is allowed to traverse the tunnel
- Policy provisioned by a third-party MDM vendor; configured by the MDM (AirWatch, MobileIron)
- The lifetime of the VPN is not necessarily in the user's control
- Allows only application validation. For example, if someone is trying to tunnel Angry Birds with an AppID of X, drop it
7
Per App Managed Flow

Diagram components: Enterprise Network, VPN, Mobile Device, ASA. Flow labels: Request Connect -> Authorization Challenge -> Credentials/ACIDex -> DAP to Per App Policy -> Configure with AC/AMP Profile -> Apply policy from third-party MDM -> Is the traffic valid? -> Enforce app meets policy from ASA configuration -> Valid Application Traffic.

MDM servers are able to push Per App VPN configurations when managing devices. When devices are managed, the AnyConnect VPN client must behave as an application filter and perform some validation of the application prior to allowing the traffic to be tunneled. This validation must be based on a Per App policy provided by the secure gateway. Applications not present in the Per App policy must not have their packets forwarded to the gateway.

Devices may be configured to auto-launch the VPN when an application is launched. When supported by the platform, the AnyConnect VPN client should support this auto-launch with as little user involvement as possible. If auto-launch is not supported, the user will need to initiate the VPN connection.

AnyConnect may not have the ability to determine, or be aware, that there is a pre-existing MDM Per App configuration. AnyConnect must be able to handle cases where the MDM Per App configuration does not include the full list sent by the ASA. When unable to configure application policies, the client must fall back to enforcing validation.

For the managed case, the user may not be allowed to disconnect the tunnel. If the tunnel is user-initiated, this should be remembered and disconnect allowed. If, however, the tunnel was not user-initiated, the user should not be allowed to disconnect it.
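As an added illustration (not Cisco code), the following Python models the exchange in the flow above together with the mode decision described under Per App VPN Tunneling: the headend matches ACIDex data to a DAP record and returns the tunnel configuration with or without a perapp custom attribute; the client then selects Per App or system tunneling, compares the ASA list with the MDM-pushed list, and applies the disconnect rule for managed devices. The DAP records, policy names and app identifiers are constructed for the example.

```python
# Added example, not Cisco's implementation: a simplified model of the headend
# and client sides of the Per App managed flow. All names below are constructed.

# Constructed headend configuration: DAP records match on ACIDex attributes and
# reference a Per App custom attribute name (the policy to deliver), if any.
DAP_RECORDS = [
    {"name": "AppleiOSPerAppVPN", "match": {"platform": "apple-ios"},
     "perapp": "iOSPerAppVPN"},
    {"name": "DroidPerAppVPN", "match": {"platform": "android"},
     "perapp": "DroidPerAppVPN"},
    {"name": "DfltAccessPolicy", "match": {}, "perapp": None},
]

# Constructed policies: approved app identifiers behind each attribute name.
PERAPP_POLICIES = {
    "iOSPerAppVPN": ["com.cisco.jabberIM", "com.salesforce.*"],
    "DroidPerAppVPN": ["com.android.chrome", "com.citrix.Receiver",
                       "com.microsoft.rdc.android"],
}


def select_dap(acidex):
    """Headend: the first DAP record whose match criteria fit the ACIDex data wins."""
    for record in DAP_RECORDS:
        if all(acidex.get(k) == v for k, v in record["match"].items()):
            return record
    return DAP_RECORDS[-1]


def build_tunnel_config(acidex):
    """Headend: tunnel parameters returned after authorization. The perapp
    custom attribute is present only when the matched DAP carries one."""
    dap = select_dap(acidex)
    cfg = {"dap": dap["name"]}
    if dap["perapp"]:
        cfg["perapp"] = {"name": dap["perapp"],
                         "apps": PERAPP_POLICIES[dap["perapp"]]}
    return cfg


def tunnel_mode(cfg):
    """Client: Per App mode if and only if the custom attribute is present."""
    return "per-app" if "perapp" in cfg else "system"


def mdm_discrepancy(cfg, mdm_apps):
    """Client (managed device): ASA-approved entries the MDM profile does not
    tunnel. A non-empty result means the client must fall back to validation."""
    asa_apps = cfg.get("perapp", {}).get("apps", [])
    return sorted(set(asa_apps) - set(mdm_apps))


def user_may_disconnect(managed, user_initiated):
    """Managed case: only a user-initiated tunnel may be disconnected by the user.
    Unmanaged case: the user must always be allowed to disconnect."""
    return user_initiated or not managed
```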
8
Managed (MDM) Per App VPN iOS Use Case
Requirements:
- Cisco AnyConnect® Enterprise Application Selector Tool
- Cisco® ASA or newer
- ASDM 7.3.1 (AnyConnect custom attribute enhancement)
- AnyConnect or newer
- This capability must be used in conjunction with an MDM or EMM vendor
- A Plus or Apex license
Note: Android is also supported in the managed (MDM) use case.
9
MDM Per App
The per app policy permits three apps.
10
Policy Pushed to User by MDM
A per app policy with three permitted apps is pushed to the user’s device
11
Cisco AnyConnect Enterprise Application Selector Tool
Use this tool to create the Per App policy applied to the Cisco ASA.
Tool availability: cisco.com, alongside Cisco AnyConnect®. Imports from iTunes, installed locally on the admin's machine. Creates a Base64 blob discernible only by the Cisco® ASA.
12
Cisco AnyConnect Enterprise Application Selector
iOS policy: importing from disk requires that iTunes be installed locally with the desired apps. Manual rule configuration is possible if the app ID is known, e.g. com.cisco.jabberIM.
13
Select Apps to Be Added to the Policy Use iTunes on a Local Disk
14
Completed Per App Policy Used by the ASA to Enforce Per App VPN
The content of the per app policy will first be compressed and then Base64-encoded. The per app policy will be delivered as a custom attribute, which is provided by the Cisco® ASA in the aggregate authentication configuration message. Copy Base64 Blob to the ASA using ASDM or CLI.
15
Per App ASA and ASDM Configuration Cisco AnyConnect Custom Attribute
16
Per App ASA and ASDM Configuration Cisco AnyConnect Custom Name (Policy)
Copy and paste the Base64 Blob from the application selector tool here This policy can be applied to either a group policy or dynamic access policy
17
Applying the Per App Policy to the Dynamic Access Policy
18
Applying the Per App Policy to the Group Policy
19
Testing an iPad Managed Per App VPN
1. The user establishes a tunnel to the Cisco® ASA based on the installed profile.
2. The user authenticates to the ASA.
3. The user can optionally receive a banner from the DAP.
4. Click on the active profile and "Advanced" to view the app rules.
5. The app rules provide insight into the permitted apps.
20
Per App Unmanaged (Android Only)
Requires fully-qualified application package identifiers, e.g. com.anybird.fly away. Same enforcement as the managed use case. The lifetime of the VPN is in the user's control. Policy provisioned by the Cisco® ASA and AnyConnect® (no MDM needed). Configuration may be persisted between connections.

Devices that are not managed by MDM are commonly used to connect to a corporate VPN service. Users may not wish to have their devices managed (i.e. BYOD) yet still wish to access corporate resources. In the unmanaged case, opaque blobs (ASA custom attributes) are sent to and configured by AnyConnect on the mobile device, so the Per App configuration is derived from the Per App policy provided by the ASA. The Per App policy is provided as part of the tunnel configuration parameters sent from the ASA, and is used both to "configure" which applications are tunneled and to "validate" the application when it attempts to pass traffic.

The Per App policy is sourced by the ASA and may contain a device-targeted policy as determined by DAP. Once the tunnel is initiated by a user or app, AnyConnect provides ACIDex data (for example, device type and OS) upon request for DAP processing. The DAP-configured Per App policy allows admins to determine the appropriate policy for a particular device. Prior to a VPN session, a device may or may not be pre-configured with application rules, so the client must be able to handle both cases.

The Per App policy may be configured to persist beyond the lifetime of the connection. Persisting the policy allows for a better user experience, such as triggering a VPN connection upon application launch (on-demand VPN). For the unmanaged device, on-demand-like behavior can improve user experience and battery lifetime. For example, on Samsung Knox the unmanaged configuration would otherwise put the OS into an always-on VPN configuration where the tunnel is always active, which is detrimental to battery life. For the unmanaged case the user must be allowed to disconnect the tunnel.
21
Per App Unmanaged Flow

Diagram components: Enterprise Network, VPN, Mobile Device, ASA. Flow labels: Request Connect -> Authorization Challenge -> Credentials/ACIDex -> DAP to Per App Policy -> Configuration with Per App Policy -> Applied Policy Sent from ASA -> Is the traffic valid? -> Enforce App Meets Policy from ASA Configuration -> Valid Application Traffic.

It cannot be expected that all customers will employ MDM with a VPN Per App configuration for user devices. For unmanaged devices, the AnyConnect client is required to configure the device for Per App tunneling. The Per App configuration is derived from the Per App policy provided by the ASA, which is used both to configure which applications are tunneled and to validate the application when it attempts to pass traffic. The device must support configuration of Per App rules at tunnel configuration time. The Per App policy is provided as part of the tunnel configuration parameters sent from the ASA. Prior to a VPN session, a device may or may not be pre-configured with application rules, so the client must be able to handle both cases. The Per App policy may be configured to persist beyond the lifetime of the connection; persisting the policy allows for a better user experience, such as triggering a VPN connection upon application launch. For the unmanaged case the user must be allowed to disconnect the tunnel.
22
Unmanaged Per App VPN Use Case Android Only
A Cisco AnyConnect® client will be required to configure the device for Per App tunneling. The Per App configuration will be derived from the Per App policy provided by the ASA. The Per App policy will be used both to configure which applications are tunneled and to validate the application when it attempts to pass traffic.

Client and supported Android versions:
- AnyConnect ICS+: Android 4.x ICS+, Android 5.0 Lollipop
- AnyConnect for Samsung KNOX: Android 4.3+

Note: If not using KNOX, it is recommended to use Cisco® AnyConnect ICS+ on Samsung devices.
23
AnyConnect Enterprise Application Selector Tool (Android) Obtain Android App ID from Google Play
Example: Google Chrome equals com.android.chrome
24
Android Add Rule Known App ID
An Add Rule allows the admin to manually enter known app IDs. Optional parameters:
- Minimum version: the minimum version of the chosen app, as specified by the android:versionCode attribute in the package's manifest.
- Match certificate ID: a digest of the application signing certificate.
- Allow shared UID: the default value is true. If set to false, applications with an android:sharedUserId attribute specified in the package manifest will not match this rule and will be prevented from accessing the tunnel.
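As an added example (not the Selector tool's or Cisco's actual format), this Python script applies the steps the deck gives for the policy blob (compress, then Base64-encode) and the Android rule parameters above (minimum version, certificate digest, shared UID) to decide whether an app's traffic is tunneled. The JSON rule layout, app identifiers and digest values are assumptions constructed for illustration; the wildcard handling follows the Per App Managed (wildcards allowed) and Per App Unmanaged (fully-qualified identifiers required) slides.

```python
# Added example, not Cisco code. The rule layout is a constructed JSON form;
# only the compress-then-Base64 step and the rule parameters come from the deck.
import base64
import fnmatch
import json
import zlib


def encode_policy(rules):
    """Compress first, then Base64-encode, the order the deck describes."""
    raw = json.dumps(rules, sort_keys=True).encode()
    return base64.b64encode(zlib.compress(raw)).decode()


def decode_policy(blob):
    """Reverse of encode_policy: Base64-decode, then decompress."""
    return json.loads(zlib.decompress(base64.b64decode(blob)))


def rule_matches(rule, app, managed):
    """Decide whether one rule admits the app's traffic to the tunnel.
    app carries: id (package name), versionCode, cert_digest, shared_uid.
    Wildcard identifiers (com.anybird.*) are honoured only in the managed
    case; the unmanaged Android case requires a fully-qualified identifier."""
    pattern = rule["id"]
    if "*" in pattern and not managed:
        return False
    if not fnmatch.fnmatchcase(app["id"], pattern):
        return False
    # Minimum version compares against the manifest's android:versionCode.
    if rule.get("min_version") is not None and app["versionCode"] < rule["min_version"]:
        return False
    # Match certificate ID: digest of the signing certificate must be identical.
    if rule.get("cert_digest") is not None and app["cert_digest"] != rule["cert_digest"]:
        return False
    # Allow shared UID defaults to true; false excludes apps using sharedUserId.
    if not rule.get("allow_shared_uid", True) and app["shared_uid"]:
        return False
    return True


def tunnel_allowed(blob, app, managed=False):
    """Client-side enforcement: traffic is tunneled only if some rule matches;
    anything else stays outside the tunnel."""
    return any(rule_matches(r, app, managed) for r in decode_policy(blob))
```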
25
Android Import from Disk
Another option for Android is to import the apps from the local disk. There are third-party tools that download apps in APK format; we neither recommend nor support any of these tools. The original intent of the import-from-local-disk option is for in-house apps that are developed internally and are not available on Google Play. After the policy is complete, copy and paste the policy in its Base64 format into either a DAP or a group policy. Unmanaged Per App both configures and validates the device and the apps permitted to traverse the tunnel.
26
ASDM and ASA Per App Configuration
Configuration > Remote Access VPN > Network (Client) Access > Advanced > Cisco AnyConnect® Custom Attributes Defined once and used for all per app policies
27
ASDM and ASA Per App Configuration
Configuration > Remote Access VPN > Network (Client) Access > Advanced > Cisco AnyConnect® Custom Attribute Names Per app policies are defined here and used by dynamic access policies (DAPs) or group-policies. A customer may have several different per app policies applied to DAPs or group-policies.
28
ASDM and ASA Per App Configuration - DAP
Edit an existing DAP or create a new DAP and apply the per app policy.
29
ASDM and ASA Per App Configuration - DAP
Apply the per app policy to the access/authorization policy attributes section of the dynamic access policy. Note: This simple DAP is configured to match on both Android and iOS devices.
30
Testing Android Unmanaged Per App VPN
AnyConnect displays the policy. According to the policy, only these three apps are permitted to traverse the tunnel: Chrome Browser, Citrix Receiver, Microsoft RDP App. This connection is configured to use a certificate for authentication to the Cisco Adaptive Security Appliance (ASA), which makes session establishment seamless for the user. Note: certificate authentication is only one of several ways to authenticate to the ASA. The banner is the result of the Dynamic Access Policy assigned to the session; we optionally added text to indicate which apps are permitted to traverse the tunnel.
31
Where Is This Applied on the ASA?
1. webvpn command for the "Attribute Type":

    webvpn
      anyconnect-custom-attr <AttributeType> description <AttributeTypeDescription>

   NOTE: The AttributeType MUST be lower case and called perapp:

    webvpn
      anyconnect-custom-attr perapp description Used for Apple iOS PerApp VPN functionality

2. Global command, which defines the "Attribute Name" and its "Value" (the opaque blob). Syntax:

    anyconnect-custom-data <AttributeType> <AttributeName> <AttributeNameValue>

   Examples:

    anyconnect-custom-data perapp iOSPerAppVPN ThisIsTheWhiteListBlob1
    anyconnect-custom-data perapp iOSPerAppVPN ThisIsTheWhiteListBlob2
    anyconnect-custom-data perapp DroidPerAppVPN ThisIsTheWhiteListBlobForAndroid1
    anyconnect-custom-data perapp DroidPerAppVPN ThisIsTheWhiteListBlobForAndroid2

3. Group-policy command, used to set the value of a custom AnyConnect® attribute in a group policy. Syntax:

    group-policy iOSPerAppVPN attributes
      anyconnect-custom <AttributeType> value <AttributeName (which maps to the opaque blob)>

   Example:

    group-policy iOSPerAppVPN attributes
      anyconnect-custom perapp value iOSPerAppVPN

4. Dynamic-access-policy command, used to set the value of a custom AnyConnect attribute in a DAP record:

    dynamic-access-policy-record AppleiOSPerAppVPN
      anyconnect-custom <AttributeType> value <AttributeName (which maps to the opaque blob)>

Why does iOSPerAppVPN have blob1 and blob2?
32
Cisco AnyConnect Application Selector Tool
This tool supports policy generation for both Android and Apple iOS devices for Per App VPN.
33
Installing the AnyConnect Enterprise Application Selector
Download from cisco.com Install the