A few days ago I did an article on Deploying Cisco AnyConnect with the Cisco FTD; there I glossed over the AnyConnect profile section. For a long time now we have been able to edit the AnyConnect profile from within the firewall (if we are running ASA code!). But for the FTD we need to take a step backwards and go back to using the ‘offline’ AnyConnect profile editor.
Solution
Firstly you need to download the offline profile editor; you will find it on the Cisco AnyConnect Mobility Client download page.
I won’t insult your intelligence, the setup is straightforward.
Launch the editor, and the screen you will see is exactly the same as you would normally see while using the profile editor in a Cisco ASA, (when launched from within the ASDM).
Note: I’m not going to go through all the settings (this post would become immense!). Typically I allow remote (RDP) connections, and set the public FQDN for my AnyConnect profile.
Once you have finished, you can simply save the settings as an XML file.
Import an AnyConnect ‘Profile XML File’ into Cisco ASA
As mentioned above, with all ‘modern’ versions of the ASDM/AnyConnect client you can create and edit an AnyConnect profile directly from within the ASDM. But (for completeness) here’s how to import one you created externally (or exported from another firewall).
Import an AnyConnect ‘Profile XML File’ into Cisco FTD
Objects > AnyConnect Client Profiles > Create AnyConnect Client Profile > Give it a name > Upload.
Browse to, and select the previously created XML file > Open.
Then save and deploy the changes (this takes ages!).
You can now select this ‘profile file’ when setting up AnyConnect, or edit any existing AnyConnect Remote Access VPN configuration, and add this profile to it.
Related Articles, References, Credits, or External Links
If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors;
VPN establishment capability for a remote user is disabled. A VPN connection will not be established
VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established
This behaviour is the default, and despite me trawling the internet for a solution (most posts quote changing the local AnyConnectProfile.tmpl file), that file does not exist in Version 3 (I was using v3.0.4235).
Update: With early versions of AnyConnect 4 it does not tell you what’s wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following;
Profile settings do not allow VPN initiation from a remote desktop.
Note: This is fixed in version 4.8, and you will see the error at the top of the page.
Solution
To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect you can do that in the ASDM. With older versions you need to use the stand-alone profile editor (see below).
Edit AnyConnect Profile With ASDM
Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
Give the profile a name > Select a group policy to apply it to > OK.
AllowRemoteUsers: Lets remote users bring up the VPN; if this forces routing to disconnect you, it will auto terminate the VPN.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
OR (older versions)
Apply the changes, and then save to the running configuration.
Edit AnyConnect Profile With Stand-Alone Profile Editor
1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).
Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created you can skip straight to step 3.
If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.
2. Once you have installed the profile editor, launch the “VPN Profile Editor”.
3. The setting we want is listed under Windows VPN Establishment, and needs setting to “AllowRemoteUsers”. In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.
AllowRemoteUsers: Lets remote users bring up the VPN; if this forces routing to disconnect you, it will auto terminate the VPN.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
4. Save the profile somewhere you can locate it quickly.
6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.
7. Make sure the file uploads correctly > Close.
8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the inherit button.
9. Click New > Browse Flash > Locate the profile you uploaded earlier.
10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.
11. Then reconnect with your AnyConnect Mobility Client software.
While trying to connect Outlook (2016) to an Office 365 email account;
We can’t connect you
It looks like we can’t connect you to one of our services at the moment. Please try again later, or contact your helpdesk if the issue persists.
0xCAA70010
{ADFS-URL}
Solution
This was happening because my ADFS server was using a ‘self-signed’ certificate (i.e. not a purchased one). This should NEVER be done in a production environment, but this is my test network, (so I refuse to spend money on certificates for testing etc!)
I cured the problem by simply importing/trusting the CA certificate from my internal Certificate Services CA server (the one that issued the ADFS server’s certificate).
If you see this on a production server, with a publicly signed certificate, check that the ‘problem’ client does not need a Windows Update, to update its trusted CA Certificates, or that your certificate simply hasn’t expired, and you ‘forgot’ to renew it. If so;
This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self-signed certificates, so you will see this error when you attempt to connect.
Solution
1. The first job is to go get the AnyConnect client package(s), download them from Cisco, (with a current support agreement). Then copy them into the firewall via TFTP. If you are unsure how to do that see the following article.
2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, also create a network object that covers that pool of addresses we will use later.
Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
3. Enable webvpn, set the package to the one you uploaded earlier, then turn on AnyConnect.
Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable
4. I’m going to create a LOCAL username and password, and I suggest you do the same; once you have proved it’s working OK, you can change the authentication method (see links below). I’m also going to create an ACL that we will use for split-tunneling in a minute.
There was a question on Experts Exchange this morning; the asker wanted to be able to add a ‘Trusted’ network range to their Windows Server Firewall settings as an ‘allow all ports’ rule.
Solution
You can of course add this manually in the GUI; normally I’d simply Add a Firewall Rule with a Group Policy. The problem with that is, it’s fine if you want to open a particular TCP/UDP/ICMP port, but NOT if you want to open ALL ports. But you CAN use PowerShell like so;
With the newest version of AnyConnect (4.7) there’s an added feature called ‘Management VPN’. It’s there so that if you have remote users who don’t VPN in very often, and you struggle to manage them (e.g. push software updates, AV updates, SCCM packages etc. down to them), you have a tunnel to do it over.
Before version 4.7 you could configure ‘Automatically Connect’ or ‘Start Before Logon’ to handle these problems; now you can use Management VPN. What it does is automatically connect (using the computer certificate to authenticate), and automatically disconnect when a remote user brings up a normal AnyConnect VPN user connection. When they disconnect again, the Management VPN (after a few seconds) will re-establish.
As usual the Cisco documentation is not brilliant! So I built it out in EVE-NG to test. Here’s the Lab I used;
I’ve got a Windows 2012 R2 Server that’s doing Certificate services and DHCP, I’ve also got an external (Windows 7) client with AnyConnect 4.7 installed.
Solution
My first task was to set up normal user AnyConnect, which I secured with certificates (user certificates); I sent the certificates out using auto-enrollment. Also, while I had my certificate hat on, I generated a certificate for the outside of the ASA as well. (I didn’t bother setting up NDES, I just imported the CA certificate on the ASA).
Note: If you already have working AnyConnect, then you can skip this section.
In addition (much as I prefer to work at the CLI), you need to go into the ASDM to do the following. Create a new connection profile and associate it with the group policy we just created (above).
Add to the ‘Server list‘ the URL you specified (above).
To avoid being prompted for which certificate to use, untick ‘Disable Automatic Certificate Selection’ (Yes the name makes no sense to me either!) Save the profile.
Then make sure the VPN works as expected.
Setup AnyConnect Management VPN
Prerequisites
Your ASA needs to be running newer than version 9, and your ASDM image needs to be 7.10(1) or newer.
You need to have the AnyConnect client software (4.7 or newer!)
I’ve already mentioned certificates, but you will need to have the CA certificate from the CA that’s generating your COMPUTER certificates installed and trusted, mine’s already there, as I’m already authenticating my USER certificates with it.
Add another Tunnel-Group and Group-Policy for your Management-VPN, I’ll drop back to CLI to do that (to keep things neat and tidy).
Add a new connection profile, set the type to ‘AnyConnect Management VPN Profile’, and link it to the Group-Policy for your AnyConnect USER connections.
As before add an entry to the server list with the same URL you specified in the Management VPN tunnel group.
Add an Automatic VPN policy to connect whenever you are on a network that is NOT your corporate network. Here, if a client sees my server on the same network, or gets my domain name via DHCP, it WON’T connect.
Additional Settings Required for Management VPN
Edit the Group-Policy you are using for Management VPN > AnyConnect Client > Custom Attributes > Add > Create an Attribute called: ManagementTunnelAllAllowed.
Create a value for it called true/true.
In the ‘AnyConnect Client‘ section, ENABLE ‘Client Bypass Protocol’.
Your client will need to connect at least once to get the new settings; once it has, when the user disconnects the Management VPN will establish.
As soon as the user tunnel comes up, the Management VPN tunnel will drop.
I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked.
After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.
Why would you want to do this? You might want to map/reconnect a mapped drive, or perform anything that’s usually achievable with a login script.
Solution
1. First make sure you have your script, I’m using a simple batch file but you can also use .vbs. As you can see my script just maps a drive (s:) to a network share on the machine you are looking at.
Note: I’ve used an IP address rather than a DNS name, there’s nothing wrong with using a DNS name, providing your remote AnyConnect clients are able to resolve that hostname.
Note2: I’m also embedding the username and password in the drive mapping request. This is because my AnyConnect uses LOCAL usernames and passwords on the ASA, so the server wouldn’t otherwise be able to authenticate the request.
2. To ’embed’ this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select ‘Script runs when client connects‘ > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.
3. The script won’t run unless scripts are allowed in the VPN Client Profile. Note: You may or may not already have a client VPN Profile > Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (if you don’t know, connect with an AnyConnect client and see what is shown under ‘Group‘) > OK.
4. Edit your policy.
5. Preferences (Part 2) > Tick ‘Enable Scripting‘ > Tick ‘User Controllable‘ (Note: this just lets a user untick enable scripting in their client software) > OK.
6. Save the changes > Apply > File > Save Running Configuration to Flash.
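The RDP article, the Management VPN article and the scripting steps above all come down to values in the saved AnyConnect profile XML (WindowsVPNEstablishment, WindowsLogonEnforcement, AutomaticVPNPolicy with its trusted-network definition, EnableScripting, and the ServerList entry). The following Python linter is an added example for this page, not Cisco's code; the abbreviated sample profile it checks is constructed, using the element names the profile editor writes, and the namespace URI and hostnames in it are assumed.

```python
"""Lint a saved AnyConnect client profile for the settings discussed above."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed, abbreviated profile: the RDP-related settings are left at their
# defaults so the linter has something to report.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <EnableScripting UserControllable="true">false</EnableScripting>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag: str) -> str:
    # Drop the namespace the profile editor puts on every element
    return tag.rsplit("}", 1)[-1]

def flatten_profile(xml_text: str) -> Dict[str, List[str]]:
    """Map each element name to the list of text values it carries."""
    out: Dict[str, List[str]] = {}
    for el in ET.fromstring(xml_text.strip().encode("utf-8")).iter():
        text = (el.text or "").strip()   # AutomaticVPNPolicy is mixed content: 'true' + children
        if text:
            out.setdefault(_local(el.tag), []).append(text)
    return out

def lint_profile(xml_text: str, expected_host: str = "") -> List[str]:
    """Report settings that reproduce the symptoms described in the articles above."""
    s = flatten_profile(xml_text)

    def first(key: str, default: str = "") -> str:
        return s.get(key, [default])[0]

    findings: List[str] = []
    if first("WindowsVPNEstablishment", "LocalUsersOnly") != "AllowRemoteUsers":
        findings.append("WindowsVPNEstablishment is not AllowRemoteUsers: "
                        "users connecting over RDP will be refused")
    if "WindowsLogonEnforcement" not in s:
        findings.append("WindowsLogonEnforcement is not set explicitly")
    if first("EnableScripting", "false") != "true":
        findings.append("EnableScripting is false: OnConnect scripts will not run")
    if first("AutomaticVPNPolicy") == "true" and not (
            s.get("TrustedDNSDomains") or s.get("TrustedDNSServers")):
        findings.append("AutomaticVPNPolicy is on but no trusted DNS domain/server "
                        "is defined, so every network counts as untrusted")
    hosts = [h.lower() for h in s.get("HostAddress", [])]
    if not hosts:
        findings.append("ServerList has no HostAddress entry")
    elif expected_host and expected_host.lower() not in hosts:
        findings.append(f"ServerList does not contain {expected_host}")
    return findings

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE, "vpn.example.com"):
        print("-", finding)
```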
ThinApp is an “odd” VMware product, insofar as it’s got nothing to do with virtual machines or virtualisation technology. It’s a product that turns applications into “stand-alone” thin applications that can be sent to a user and run without the need for that user to have administrative access, or the need to install anything.
ThinApp was a product called Thinstall that VMware purchased and “re-badged”, you get a free copy with VMware View 5 (Premier Edition). And it ships with a copy of VMware workstation. (Not because it needs a copy, but VMware recommends you use a clean virtual machine to create your ThinApps on).
If you’ve ever used sysdiff in the past or Novell Zenworks for Desktops, you will be familiar with the process, take a ‘scan’ of a clean machine, then install application(s), then carry out another ‘scan’. The software then works out the ‘difference’ and uses that information to build a software package.
In the example below I’m going to create a stand alone version of Google Chrome, that is pre configured, and has Java already installed, and finally deploy that as a single executable file.
Solution
1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.
2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).
3. Installing ThinApp is pretty straightforward; simply run the executable and follow the on-screen prompts. The only thing to note is, when you enter your licence key, be aware that the name you enter will display on the “splash screen” as your ThinApp loads (as shown).
4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).
5. Run the ThinApp Setup Capture > Next > Prescan > This will take a few minutes > When finished, simply minimise the window; you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.
6. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.
7. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.
Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).
8. Make sure only the executable you require is ticked as an entry point > Next > At the Horizon App Manage Page > Next.
9. In a domain environment you can restrict ThinApp access to particular users or groups > Next.
10. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.
11. Select the option to store the sandbox in the user profile > Next > Select whether you want to provide statistics to VMware > Next.
12. You will see this screen ONLY if you are capturing a browser. It is used if you have a particular website that will only run in IE6, Firefox etc., so that only when URLs listed here are accessed (either directly or from a hyperlink) will the ThinApp browser open them; all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.
13. Give your ThinApp a name > Next.
14. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.
Note: You can use this page to create an MSI file to deploy via group policy if you wish.
15. After ThinApp generates the files it needs > Build.
16. Finish
17. Here’s my ThinApp executable file.
18. To test I’ve copied it to a Windows 7 machine.
19. While it’s loading this is what you will see.
20. And here is my ThinApp version of Google Chrome running and pre configured.
The last time I wrote about deploying applications with ThinApp, it was geared towards getting stand-alone applications onto client PCs for non-admins to run, or putting them on a network share. But if you have a portable application the advantage is you can run it from portable media (like a USB drive).
Like before I’ll convert Google Chrome to a ThinApp, but the difference is I will set the application’s ‘sandbox’ to live in the same location (on the USB). Then I’ll try it out on a different machine.
Solution
1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.
2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).
3. Installing ThinApp is pretty straightforward; simply run the executable and follow the on-screen prompts. The only thing to note is, when you enter your licence key, be aware that the name you enter will display on the “splash screen” as your ThinApp loads.
4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).
5. Run the ThinApp Setup Capture > Next.
6. Prescan > This will take a few minutes > When finished, simply minimise the window; you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot, ThinApp is clever enough to cope with that.
7. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.
8. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.
Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).
9. Make sure only the executable you require is ticked as an entry point > Next.
10. At the Horizon App Manage Page > Next.
11. In a domain environment you can restrict ThinApp access to particular users or groups > Next.
12. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.
13. As you are storing the App on USB I’d suggest (though you don’t have to) set the application to save its sandbox in the same directory.
14. Select whether you want to provide statistics to VMware > Next.
15. You will see this screen ONLY if you are capturing a browser. It is used if you have a particular website that will only run in IE6, Firefox etc., so that only when URLs listed here are accessed (either directly or from a hyperlink) will the ThinApp browser open them; all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.
16. Give your ThinApp a name > Next.
17. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.
18. After ThinApp generates the files it needs > Build.
Usually, if I’ve got a lot of user profiles and data to shift, I use the client’s backup software; copying user and group permissions is pretty easy, xcopy can do that quite happily. The problem is migrating the shares and share permissions, which has to be done manually. For a few folders that’s easy to do, but if they have a LOT of shared folders that can be a problem.
So here’s how to migrate both the share permissions and the NTFS permissions from one server to another.
Solution
Note: For this to work, the drive letter on the source server and the new server needs to be the same.
1. On the new server, map a drive letter to the shared drive on the old server.
2. Copy the contents of the OLD drive to the NEW drive with the following command.
xcopy x:\*.* e:\*.* /D /E /C /F /H /K /O /Y
3. The copy over can take some time, remember if your old server has a slow network card or you only have a 10/100 switch then it may take considerably longer. In this example I was moving approx 140GB – it took a couple of hours.
4. That gets the files over with the correct Windows permissions. Lastly we need to migrate the share permissions: on the OLD server > Start > Run > Regedit > Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares > Right click the entire “Shares” key and export it to a file. (I just called it Shares and dropped it on the old server’s C: drive).
5. Now I’ve read other sites and posts that say WARNING importing this key will break shares on the new server, but that is NOT the case. If you are worried you can export the same key on the NEW server to back it up.
6. Copy the file you exported from the old server to the new server, then double click it, you will get a warning about adding/merging the file into the registry > Accept by clicking yes.
7. All being well it should say it was successful. Now simply reboot the NEW server and the shares will be recreated.
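As an added pre-import check for steps 4 to 6 (example code for this page, not part of the original procedure), the Python script below parses the exported Shares key, decodes each share's REG_MULTI_SZ value and reports shares whose Path is not on the expected drive letter (the requirement in the note above) or does not yet exist on the new server. The .reg text is a constructed, abbreviated export; the share names and paths in it are assumed.

```python
"""Pre-import check for an exported LanmanServer\\Shares registry key."""
import os
import re
from typing import Callable, Dict, List

# Constructed, abbreviated export: real exports carry more fields per share and
# binary security descriptors under the Security subkey, which this check ignores.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares]
"Data"=hex(7):50,00,61,00,74,00,68,00,3d,00,45,00,3a,00,5c,00,44,00,61,00,74,\
  00,61,00,00,00,53,00,68,00,61,00,72,00,65,00,4e,00,61,00,6d,00,65,00,3d,00,\
  44,00,61,00,74,00,61,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,00,00
"Users"=hex(7):50,00,61,00,74,00,68,00,3d,00,46,00,3a,00,5c,00,55,00,73,00,65,\
  00,72,00,73,00,00,00,53,00,68,00,61,00,72,00,65,00,4e,00,61,00,6d,00,65,00,\
  3d,00,55,00,73,00,65,00,72,00,73,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,\
  00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security]
"Data"=hex:01,00,04,80
'''

def _decode_multi_sz(hex_csv: str) -> List[str]:
    """hex(7) is REG_MULTI_SZ: UTF-16LE strings, NUL separated, double NUL at the end."""
    raw = bytes.fromhex("".join(b.strip() for b in hex_csv.split(",") if b.strip()))
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def parse_shares_export(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Return {share name: {field: value}} for values directly under ...\\Shares."""
    shares: Dict[str, Dict[str, str]] = {}
    in_shares_key = False
    pending = ""
    for line in reg_text.splitlines():
        if pending:                      # continuation of a wrapped value
            pending += line.strip()
        elif line.startswith("["):       # key header: only the Shares key itself counts
            in_shares_key = line.strip().lower().endswith("\\lanmanserver\\shares]")
            continue
        else:
            pending = line.strip()
        if pending.endswith("\\"):       # regedit wraps long values with a trailing backslash
            pending = pending[:-1]
            continue
        value, pending = pending, ""
        m = re.match(r'"([^"]+)"=hex\(7\):(.*)$', value)
        if in_shares_key and m:
            name, hex_csv = m.groups()
            shares[name] = dict(f.split("=", 1) for f in _decode_multi_sz(hex_csv) if "=" in f)
    return shares

def shares_on_wrong_drive(shares: Dict[str, Dict[str, str]], drive: str) -> List[str]:
    """Shares whose Path is not on the given drive letter (old and new letters must match)."""
    want = drive.rstrip(":").upper() + ":"
    return sorted(n for n, f in shares.items() if not f.get("Path", "").upper().startswith(want))

def paths_missing(shares: Dict[str, Dict[str, str]],
                  exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Shares whose Path does not exist yet, i.e. the xcopy has not delivered it."""
    return sorted(n for n, f in shares.items() if not exists(f.get("Path", "")))

if __name__ == "__main__":
    parsed = parse_shares_export(SAMPLE_REG)
    for name, fields in parsed.items():
        print(f"{name:<8} -> {fields.get('Path')}")
    print("not on E:", shares_on_wrong_drive(parsed, "E"))
```

Run it on the new server against the exported file before double-clicking it; a share listed by either check will be recreated pointing at a folder that is not there.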