Cisco FTD (and ASA) Creating AnyConnect Profiles

KB ID 0001685

Problem

A few days ago I did an article on Deploying Cisco AnyConnect with the Cisco FTD, and there I glossed over the AnyConnect profile section. For a long time now we have been able to edit the AnyConnect profile from within the firewall (if we are running ASA code!), but for the FTD we need to take a step backwards and go back to using the ‘offline’ AnyConnect profile editor.

Solution

Firstly you need to download the offline profile editor; you will find it on the Cisco AnyConnect Secure Mobility Client download page;

I won’t insult your intelligence; the setup is straightforward;

Launch the editor, and the screen you will see is exactly the same as the one you would normally see when using the profile editor in a Cisco ASA (when launched from within the ASDM).

Note: I’m not going to go through all the settings (this post would become immense!). Typically I allow remote (RDP) connections, and set the public FQDN for my AnyConnect profile in the server list.

Once you have finished, you can simply save the settings as an XML file.

Import an AnyConnect ‘Profile XML File’ into Cisco ASA

As mentioned above, with all ‘modern’ versions of the ASDM/AnyConnect client you can create and edit an AnyConnect profile directly from within the ASDM. But (for completeness) here’s how to import one you created externally (or exported from another firewall).

Configuration >Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Import.

Import an AnyConnect ‘Profile XML File’ into Cisco FTD

Objects > AnyConnect Client Profiles > Create AnyConnect Client Profile > Give it a name > Upload.

Browse to, and select the previously created XML file > Open.

Then save and deploy the changes (this takes ages!).

You can now select this ‘profile file’ when setting up AnyConnect, or edit any existing AnyConnect Remote Access VPN configuration and add this profile to it.

Related Articles, References, Credits, or External Links

Cisco Firepower 1010 Configuration

AnyConnect – ‘VPN establishment capability for a remote user..

KB ID 0000546 

Problem

If you connect to a client via RDP and then try to run the AnyConnect client, you will see one of these errors;

VPN establishment capability for a remote user is disabled. A VPN connection will not be established

 

VPN establishment capability from a Remote Desktop is disabled. A VPN connection will not be established

This behaviour is the default, and despite me trawling the internet to find a solution (most posts quote changing the local AnyConnectProfile.tmpl file), this file does not exist in version 3 (I was using v3.0.4235).

Update: With early versions of AnyConnect version 4 it does not tell you what’s wrong; the VPN appears to connect and then disconnects quickly. If you have debugging on the firewall you will see the following;

Profile settings do not allow VPN initiation from a remote desktop.

Note: This is fixed in version 4.8, and you will see the error at the top of the page.

Solution

To solve this problem we need to create an AnyConnect profile, load the profile onto the firewall, then associate that profile with your AnyConnect group policy. With modern versions of AnyConnect (and ASDM) you can do all of that in the ASDM; with older versions you need to use the stand-alone profile editor (see below).

Edit AnyConnect Profile With ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Add.

Give the profile a name > Select a group policy to apply it to > OK. Then select the profile > Edit, and under Preferences (Part 1) set the following two options;

AllowRemoteUsers: Lets remote (RDP) users bring up the VPN. If the VPN’s routing causes the remote session to be lost, the VPN is automatically terminated.

SingleLocalLogon: Allows multiple remote logons but only one local logon for the duration of the VPN connection.

OR (older versions)

 

Apply the changes, and then save to the running configuration.

 

Edit AnyConnect Profile With Stand-Alone Profile Editor

1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet.)

Update: The AnyConnect Profile Editor is now built into the ASDM; it becomes available once you have enabled an AnyConnect image. Once you have a profile created in the ASDM you can skip straight to step 3, and skip all the other steps.

If you cannot download the software here’s a profile (I’ve already created) you can use. If you are going to use this, jump to step 5.

2. Once you have installed the profile editor, launch the “VPN Profile Editor”.

3. The setting we want is listed under Windows VPN Establishment and needs setting to “AllowRemoteUsers”. In addition I’m going to set Windows Logon Enforcement to “SingleLocalLogon”.

AllowRemoteUsers: Lets remote (RDP) users bring up the VPN. If the VPN’s routing causes the remote session to be lost, the VPN is automatically terminated.

SingleLocalLogon: Allows multiple remote logons but only one local logon for the duration of the VPN connection.

4. Save the profile somewhere you can locate it quickly.

5. Connect to the firewall’s ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.

6. Browse your local PC for the profile you created earlier > Hit the “Right Arrow” to upload it > This can take a few minutes, depending on your proximity to the firewall.

7. Make sure the file uploads correctly > Close.

8. To associate this profile with your AnyConnect/SSL group policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the “Client Profile to Download” section and uncheck the Inherit box.

9. Click New > Browse Flash > Locate the profile you uploaded earlier.

10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.

11. Then reconnect with your AnyConnect Mobility Client software.
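Both the FTD section above (KB 0001685) and the steps just described end up with the same profile XML on the firewall, and the errors quoted at the top of this article appear precisely when the WindowsVPNEstablishment element is missing or set to the default. Here is an added example (my own, not code from the article or from Cisco) that audits a saved profile for the two settings in question and lists its server entries, applying the client defaults when an element is absent. The two profiles inside it are constructed to look like what the profile editor saves, and vpn.example.com is an assumed FQDN.

```python
"""Audit an AnyConnect client profile for the RDP-related settings discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample: what the editor saves with 'Windows VPN Establishment' set to
# AllowRemoteUsers and 'Windows Logon Enforcement' set to SingleLocalLogon.
# vpn.example.com is an assumed FQDN, not one from the article.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample with the element missing, as in a minimal or hand-edited profile.
MINIMAL_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Values the client applies when the element is absent from the profile.
DEFAULTS = {
    "WindowsVPNEstablishment": "LocalUsersOnly",
    "WindowsLogonEnforcement": "SingleLocalLogon",
}


def _local(tag):
    """Strip the XML namespace so lookups work on namespaced and bare profiles alike."""
    return tag.rsplit("}", 1)[-1]


def _find_text(node, name, default=None):
    """Text of the first descendant element whose local name is `name`."""
    for el in node.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return default


def audit_profile(xml_text):
    """Return the effective RDP-related settings and the server list of a profile."""
    root = ET.fromstring(xml_text)
    report = {name: _find_text(root, name, default) for name, default in DEFAULTS.items()}
    report["hosts"] = [
        _find_text(entry, "HostAddress")
        for entry in root.iter()
        if _local(entry.tag) == "HostEntry"
    ]
    # The 'VPN establishment capability ... is disabled' errors appear when this is False.
    report["rdp_vpn_allowed"] = report["WindowsVPNEstablishment"] == "AllowRemoteUsers"
    return report


if __name__ == "__main__":
    for label, text in (("editor-saved", SAMPLE_PROFILE), ("minimal", MINIMAL_PROFILE)):
        print(label, audit_profile(text))
```

Run it against the profile the client actually received (on Windows these live under %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\) to confirm the firewall really pushed the change; a profile with no WindowsVPNEstablishment element at all is reported as LocalUsersOnly, which is the default behaviour the article describes.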

Related Articles, References, Credits, or External Links

Install and Configure Cisco ASA5500 AnyConnect SSL VPN 

Cisco ASA AnyConnect VPN ‘Using CLI’

KB ID 0000943

Problem

Note: This is for the Cisco ASA 5500, 5500-X, and Firepower appliances running ASA code.

Also See Cisco ASA AnyConnect VPN ‘Using ASDM’

This procedure was done on Cisco ASA version 8.4 (or newer), so it uses all the newer NAT commands. I’m also going to use self-signed certificates, so you will see a certificate warning when you attempt to connect.

Solution

1. The first job is to go and get the AnyConnect client package(s); download them from Cisco (with a current support agreement). Then copy them onto the firewall via TFTP. If you are unsure how to do that, see the following article.

Install and Use a TFTP Server

[box]

Petes-ASA(config)# copy tftp flash

Address or name of remote host [10.254.254.183]? 192.168.80.1

Source filename []?anyconnect-win-4.7.02036-webdeploy-k9.pkg

Destination filename [anyconnect-win-4.7.02036-webdeploy-k9.pkg]? {Enter}

Accessing tftp://192.168.80.1/anyconnect-win-4.7.02036-webdeploy-k9.pkg
.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

4807912 bytes copied in 549.790 secs (8757 bytes/sec)
Petes-ASA(config)#

[/box]

2. Create a ‘pool’ of IP addresses that the ASA will allocate to the remote clients, and also create a network object that covers that pool of addresses; we will use the object later for the NAT exemption.

[box]

Petes-ASA(config)# ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
Petes-ASA(config)# object network OBJ-ANYCONNECT-SUBNET
Petes-ASA(config-network-object)# subnet 192.168.100.0 255.255.255.0

[/box]

3. Enable WebVPN on the outside interface, set the package to the one you uploaded earlier, then turn on AnyConnect.

[box]

Petes-ASA(config)# webvpn
Petes-ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
Petes-ASA(config-webvpn)# tunnel-group-list enable
Petes-ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
Petes-ASA(config-webvpn)# anyconnect enable

[/box]

4. I’m going to create a LOCAL username and password; I suggest you do the same, then once you have proved it’s working OK you can change the authentication method (see links below). I’m also going to create an ACL that we will use for split-tunnelling in a minute.

[box]

Petes-ASA(config)# username PeteLong password Password123
Petes-ASA(config)# access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0

[/box]

5. Create a group policy; change the values to match your DNS server(s) and domain name accordingly.

[box]

Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE internal
Petes-ASA(config)# group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
Petes-ASA(config-group-policy)# vpn-tunnel-protocol ssl-client
Petes-ASA(config-group-policy)# dns-server value 10.0.0.10 10.0.0.11
Petes-ASA(config-group-policy)# split-tunnel-policy tunnelspecified
Petes-ASA(config-group-policy)# split-tunnel-network-list value SPLIT-TUNNEL
Petes-ASA(config-group-policy)# default-domain value petenetlive.com

[/box]

6. Create a matching tunnel-group that ties everything together.

[box]

Petes-ASA(config-group-policy)# tunnel-group ANYCONNECT-PROFILE type remote-access
Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# default-group-policy GroupPolicy_ANYCONNECT-PROFILE
Petes-ASA(config-tunnel-general)# address-pool ANYCONNECT-POOL
Petes-ASA(config-tunnel-general)# tunnel-group ANYCONNECT-PROFILE webvpn-attributes
Petes-ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable

[/box]

7. Then stop any traffic that is going to (or coming from) the remote clients from being NATed, with an identity NAT (NAT exemption) rule.

[box]

Petes-ASA(config)# nat (inside,outside) 2 source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup

[/box]

8. Save the changes.

[box]

Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
Petes-ASA(config)#

[/box]

9. Give it a test from a remote client.

AnyConnect Commands to Copy and Paste

Simply change the values (pool range, object subnet, image file name, username and password, split-tunnel network, DNS servers and domain name) to match your environment;

[box]

!
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
!
webvpn
enable outside
tunnel-group-list enable
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect enable
!
username PeteLong password Password123
!
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.0.0.0
!
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
vpn-tunnel-protocol ssl-client
dns-server value 10.0.0.10 10.0.0.11
wins-server none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
!
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
!
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
!

[/box]
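Most failures with the config above come from a reference that does not line up: an image file name that differs from what was copied to flash, a tunnel-group pointing at a pool or group-policy that was typed differently, a split-tunnel ACL that was never created, or a pool that falls outside the object used in the step 7 NAT exemption. As an added example (my own, not from the article), here is a small Python linter that parses an ASA configuration excerpt and checks exactly those cross-references. The config excerpt and the flash file listing in it are constructed from the commands on this page.

```python
"""Lint an ASA AnyConnect config excerpt for the cross-references that must agree.

Added example, not from the article; the config and flash listing below are
constructed from the commands on this page (username line omitted).
"""
import ipaddress
import re

SAMPLE_CONFIG = """
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
object network OBJ-ANYCONNECT-SUBNET
 subnet 192.168.100.0 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
 anyconnect enable
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 address-pool ANYCONNECT-POOL
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
nat (inside,outside) source static any any destination static OBJ-ANYCONNECT-SUBNET OBJ-ANYCONNECT-SUBNET no-proxy-arp route-lookup
"""

# What `dir disk0:` would list after the TFTP copy in step 1 (constructed).
FLASH_FILES = {"anyconnect-win-4.7.02036-webdeploy-k9.pkg"}


def parse_asa(config_text):
    """Collect pools, objects, ACLs, images, group-policy/tunnel-group links and NAT exemptions."""
    cfg = {"pools": {}, "objects": {}, "acls": set(), "images": [],
           "gps": {}, "tgs": {}, "exempt": set()}
    ctx = (None, None)  # (kind, name) of the sub-mode the current line belongs to
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line):
            cfg["pools"][m[1]] = (m[2], m[3])
        elif m := re.match(r"object network (\S+)", line):
            ctx = ("obj", m[1])
        elif (m := re.match(r"subnet (\S+) (\S+)", line)) and ctx[0] == "obj":
            cfg["objects"][ctx[1]] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m[1])
        elif m := re.match(r"anyconnect image (\S+)", line):
            cfg["images"].append(m[1])
        elif m := re.match(r"group-policy (\S+) (internal|attributes)", line):
            ctx = ("gp", m[1])
            cfg["gps"].setdefault(m[1], {})
        elif (m := re.match(r"split-tunnel-network-list value (\S+)", line)) and ctx[0] == "gp":
            cfg["gps"][ctx[1]]["split_acl"] = m[1]
        elif m := re.match(r"tunnel-group (\S+) (type|general-attributes|webvpn-attributes)", line):
            ctx = ("tg", m[1])
            cfg["tgs"].setdefault(m[1], {})
        elif (m := re.match(r"(address-pool|default-group-policy) (\S+)", line)) and ctx[0] == "tg":
            cfg["tgs"][ctx[1]][m[1]] = m[2]
        elif m := re.match(r"nat \(\S+,\S+\) (?:\d+ )?source static any any destination static (\S+) (\S+)", line):
            if m[1] == m[2]:  # identity NAT: traffic to/from the pool keeps its real addresses
                cfg["exempt"].add(m[1])
    return cfg


def lint(cfg, flash_files):
    """Return a list of findings; an empty list means the references line up."""
    findings = []
    for image in cfg["images"]:
        if image.rsplit("/", 1)[-1] not in flash_files:
            findings.append(f"anyconnect image {image} is not on flash")
    for name, tg in cfg["tgs"].items():
        pool = tg.get("address-pool")
        gp = tg.get("default-group-policy")
        if pool not in cfg["pools"]:
            findings.append(f"tunnel-group {name}: address-pool {pool} is not defined")
        if gp not in cfg["gps"]:
            findings.append(f"tunnel-group {name}: default-group-policy {gp} is not defined")
    for name, gp in cfg["gps"].items():
        acl = gp.get("split_acl")
        if acl and acl not in cfg["acls"]:
            findings.append(f"group-policy {name}: split-tunnel ACL {acl} is not defined")
    exempt_nets = [cfg["objects"][o] for o in cfg["exempt"] if o in cfg["objects"]]
    for name, (first, last) in cfg["pools"].items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if not any(lo in net and hi in net for net in exempt_nets):
            findings.append(f"pool {name} ({first}-{last}) is not covered by a NAT exemption")
    return findings


if __name__ == "__main__":
    print(lint(parse_asa(SAMPLE_CONFIG), FLASH_FILES) or "OK: references line up")
```

Feed it the output of `show running-config` (and the file names from `dir disk0:`) rather than the excerpt; the pool check is the one worth keeping, because a pool that the NAT exemption does not cover fails silently: the client connects but cannot reach anything inside.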

Related Articles, References, Credits, or External Links

Cisco ASA AnyConnect VPN ‘Using ASDM’

AnyConnect: Allow ‘Local’ LAN Access

Cisco AnyConnect – Essentials / Premium Licences Explained

Cisco AnyConnect – PAT External VPN Pool To An Inside Address

AnyConnect (AAA) Authentication Methods

Kerberos Authentication (Cisco ASA)

LDAP Authentication (Cisco ASA)

RADIUS Authentication (Cisco ASA)

Duo 2FA Authentication (Cisco ASA)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

Windows Adding Firewall Rules With PowerShell

KB ID 0001538

Problem

There was a question on Experts Exchange this morning; the asker wanted to be able to add a ‘trusted’ network range to their Windows Server firewall settings as an ‘allow all ports’ rule.

Solution

You can of course add this manually in the GUI. Normally I’d simply Add a Firewall Rule with a Group Policy, but the problem with that is it’s fine if you want to open a particular TCP/UDP/ICMP port, but NOT if you want to open ALL ports. But you CAN use PowerShell like so;

[box]

New-NetFirewallRule -RemoteAddress 192.168.100.0/24 -DisplayName "Trusted Subnet" -Direction inbound -Profile Any -Action Allow

[/box]

Then you can check the settings, just as if you had created the rule in the GUI.

 

Related Articles, References, Credits, or External Links

NA

AnyConnect ‘Management VPN Tunnel’ Configuration

KB ID 0001503

Problem

With the newest version of AnyConnect (4.7) there’s an added feature called ‘Management VPN’. It’s there because if you have remote users who don’t VPN in very often, you may struggle to manage them, e.g. to push software updates, AV updates, SCCM packages etc. down to them.

Before version 4.7 you could configure ‘Automatically Connect’ or ‘Start Before Logon’ to handle these problems; now you can use Management VPN. What it does is connect automatically (using the computer certificate to authenticate), and disconnect automatically when a remote user brings up a normal AnyConnect user VPN connection. When they disconnect again, the Management VPN (after a few seconds) will re-establish.

As usual the Cisco documentation is not brilliant! So I built it out in EVE-NG to test. Here’s the Lab I used;

I’ve got a Windows 2012 R2 Server that’s doing Certificate services and DHCP, I’ve also got an external (Windows 7) client with AnyConnect 4.7 installed.

Solution

My first task was to set up normal user AnyConnect, which I secured with (user) certificates; I sent the certificates out using auto-enrollment. Also, while I had my certificate hat on, I generated a certificate for the outside of the ASA as well. (I didn’t bother setting up NDES, I just imported the CA certificate on the ASA.)

Note: If you already have working AnyConnect, then you can skip this section.

Deploying Certificates via ‘Auto Enrollment’

Cisco AnyConnect – Securing with Microsoft Certificate Services

I’m also leasing my remote clients’ IP addresses from my Windows DHCP server, so I’ve set up a DHCP scope on there as well (192.168.125.0/24).

As a pointer here is the config I’m using;

[box]

object network OBJ-AnyConnect-SN
 subnet 192.168.125.0 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.123.0 255.255.255.0 
!
nat (inside,outside) source static any any destination static OBJ-AnyConnect-SN OBJ-AnyConnect-SN no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
!
group-policy GP-AnyConnect internal
group-policy GP-AnyConnect attributes
 wins-server none
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
tunnel-group TG-AnyConnect type remote-access
tunnel-group TG-AnyConnect general-attributes
 default-group-policy GP-AnyConnect
 dhcp-server 192.168.123.10
tunnel-group TG-AnyConnect webvpn-attributes
 authentication certificate
 group-alias TG-AnyConnect enable
 group-url https://vpn.testrig.com/AnyConnect enable

[/box]

In addition (much as I prefer to work at the CLI), you need to go into the ASDM to do the following: create a new AnyConnect client profile and associate it with the group policy we just created (above).

Add to the ‘Server List’ the URL you specified (above), i.e. vpn.testrig.com/AnyConnect.

To avoid being prompted for which certificate to use, untick ‘Disable Automatic Certificate Selection’ (yes, the name makes no sense to me either!). Save the profile.

Then make sure the VPN works as expected.

Setup AnyConnect Management VPN

Prerequisites

Your ASA needs to be running a 9.x release, and your ASDM image needs to be 7.10(1) or newer.

You need to have the AnyConnect client software (4.7 or newer!).

I’ve already mentioned certificates, but you will need to have the CA certificate from the CA that’s generating your COMPUTER certificates installed and trusted on the ASA. Mine’s already there, as I’m already authenticating my USER certificates against it.

Add another tunnel-group and group-policy for your Management VPN; I’ll drop back to the CLI to do that (to keep things neat and tidy).

[box]

!
group-policy GP-Management-VPN internal
group-policy GP-Management-VPN attributes
 dns-server value 192.168.123.10
 dhcp-network-scope 192.168.125.0
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value testrig.com
!
tunnel-group TG-Management-VPN type remote-access
tunnel-group TG-Management-VPN general-attributes
 default-group-policy GP-Management-VPN
 dhcp-server 192.168.123.10
tunnel-group TG-Management-VPN webvpn-attributes
 authentication certificate
 group-alias TG-Management-VPN enable
 group-url https://vpn.testrig.com/Management-VPN enable
!

[/box]

Add a new AnyConnect client profile, set the Profile Usage to ‘AnyConnect Management VPN Profile’, and link it to the group policy for your AnyConnect USER connections (the client only receives the management profile during a normal user connection).

As before, add an entry to the server list with the same URL you specified in the Management VPN tunnel group (group-url).

Add an Automatic VPN Policy (Trusted Network Detection) so the client connects whenever it is on a network that is NOT your corporate network. Here, if a client gets my DNS server, or my domain name, via DHCP it WON’T connect.

Additional Settings Required for Management VPN

Edit the group-policy you are using for Management VPN > AnyConnect Client > Custom Attributes > Add > Create an attribute of type ManagementTunnelAllAllowed.

Create a value for it (name ‘true’, value ‘true’) and select it; this is the attribute that allows the management tunnel to be established when the group policy is not split-tunnelled.

In the ‘AnyConnect Client’ section, ENABLE ‘Client Bypass Protocol’.

Your client will need to connect at least once to get the new settings; once it has, the Management VPN will establish when the user disconnects.

As soon as the user tunnel comes up, the Management VPN tunnel will drop.
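The Automatic VPN Policy the management profile relies on is Trusted Network Detection, and whether the management tunnel is up on a given network comes down to how that policy evaluates the DNS settings the client was handed. As an added example (my own, not the article’s or Cisco’s code), the script below reads a management profile and returns the action the client takes on a network, using a constructed profile for the testrig.com lab above. It treats a match on either the trusted DNS domain or the trusted DNS server as ‘on the corporate network’, which is how the article describes it; that matching rule is an assumption here, so check the AnyConnect administrator guide for the exact behaviour of your client version.

```python
"""Evaluate AnyConnect Trusted Network Detection (TND) for a Management VPN profile.

Added example, not from the article. The profile is constructed for the lab above
(testrig.com, DNS server 192.168.123.10); the either-list matching rule is an assumption.
"""
import fnmatch
import xml.etree.ElementTree as ET

MGMT_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>testrig.com</TrustedDNSDomains>
      <TrustedDNSServers>192.168.123.10</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Management-VPN</HostName>
      <HostAddress>vpn.testrig.com/Management-VPN</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _find(node, name):
    """First descendant whose local (namespace-stripped) tag is `name`, or None."""
    for el in node.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None


def _text(node, name, default=""):
    el = _find(node, name)
    return (el.text or "").strip() if el is not None else default


def _csv(value):
    """The editor stores several domains or servers as a comma-separated list."""
    return [v.strip() for v in value.split(",") if v.strip()]


def tnd_settings(xml_text):
    """Return the TND parameters, or None when Automatic VPN Policy is off."""
    auto = _find(ET.fromstring(xml_text), "AutomaticVPNPolicy")
    if auto is None or (auto.text or "").strip().lower() != "true":
        return None
    return {
        "domains": _csv(_text(auto, "TrustedDNSDomains")),
        "servers": _csv(_text(auto, "TrustedDNSServers")),
        "trusted": _text(auto, "TrustedNetworkPolicy", "DoNothing"),
        "untrusted": _text(auto, "UntrustedNetworkPolicy", "DoNothing"),
    }


def is_trusted(settings, dns_suffixes, dns_servers):
    """Assumption: a match on EITHER list marks the interface as trusted (wildcards allowed)."""
    domain_hit = any(fnmatch.fnmatch(s.lower(), d.lower())
                     for s in dns_suffixes for d in settings["domains"])
    server_hit = any(fnmatch.fnmatch(s, d)
                     for s in dns_servers for d in settings["servers"])
    return domain_hit or server_hit


def tnd_action(xml_text, dns_suffixes, dns_servers):
    """What the client does with the management tunnel on a network with these DNS settings."""
    settings = tnd_settings(xml_text)
    if settings is None:
        return "DoNothing"
    trusted = is_trusted(settings, dns_suffixes, dns_servers)
    return settings["trusted"] if trusted else settings["untrusted"]


if __name__ == "__main__":
    print("office:", tnd_action(MGMT_PROFILE, ["testrig.com"], ["192.168.123.10"]))
    print("hotel :", tnd_action(MGMT_PROFILE, ["lan"], ["10.0.0.1"]))
```

Worth keeping in mind: TND is a convenience, not authentication. Any network whose DHCP server hands out your domain as the DNS suffix looks ‘trusted’ to this logic and keeps the management tunnel down, so do not rely on it for anything security-critical.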

Related Articles, References, Credits, or External Links

NA

Deploying Applications with VMware ThinApp

KB ID 0000612

Problem

ThinApp is an “odd” VMware product, insofar as it’s got nothing to do with virtual machines or virtualisation technology. It’s a product that turns applications into “stand-alone” thin applications that can be sent to a user and run without the need for that user to have administrative access, or the need to install anything.

ThinApp was a product called Thinstall that VMware purchased and “re-badged”; you get a free copy with VMware View 5 (Premier Edition), and it ships with a copy of VMware Workstation (not because it needs one, but because VMware recommends you use a clean virtual machine to create your ThinApps on).

If you’ve ever used sysdiff in the past, or Novell ZENworks for Desktops, you will be familiar with the process: take a ‘scan’ of a clean machine, install the application(s), then carry out another ‘scan’. The software then works out the ‘difference’ and uses that information to build a software package.

In the example below I’m going to create a stand-alone version of Google Chrome that is pre-configured and has Java already installed, and finally deploy that as a single executable file.

Solution

1. It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2. When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward; simply run the executable and follow the on-screen prompts. The only thing to note is, when you enter your licence key, be aware that the name you enter will display on the “splash screen” as your ThinApp loads (as shown).

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next > Prescan > This will take a few minutes > When finished, simply minimise the window; you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot; ThinApp is clever enough to cope with that.

6. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

7. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

8. Make sure only the executable you require is ticked as an entry point > Next > At the Horizon App Manage Page > Next.

9. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

10. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

11. Select the option to store the sandbox in the user profile > Next > Select whether you want to provide statistics to VMware > Next.

12. You will see this screen ONLY if you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox, etc.: only when the URLs listed here are accessed (either directly or from a hyperlink) will the ThinApp browser open them; all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.

13. Give your ThinApp a name > Next.

14. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.

Note: You can use this page to create an MSI file to deploy via group policy if you wish.

15. After ThinApp generates the files it needs > Build.

16. Finish

17. Here’s my ThinApp executable file.

18. To test I’ve copied it to a Windows 7 machine.

19. While it’s loading this is what you will see.

20. And here is my ThinApp version of Google Chrome running and pre configured.

Related Articles, References, Credits, or External Links

NA

Creating and Deploying USB Portable Applications with VMware ThinApp

KB ID 0000616 

Problem

The last time I wrote about deploying applications with ThinApp, it was geared towards getting stand-alone applications onto client PCs for non-admins to run, or putting them on a network share. But if you have a portable application, the advantage is you can run it from portable media (like a USB drive).

Like before I’ll convert Google Chrome to a ThinApp, but the difference is I will set the application’s ‘sandbox’ to live in the same location (on the USB drive). Then I’ll try it out on a different machine.

Solution

1.  It’s recommended that you create your ThinApp on the oldest operating system that it might be deployed on, so here I’m creating a virtual machine in VMware workstation that’s running Windows XP.

2.  When built remove any hardware that will not be needed, like the floppy drive, and the USB Controller (Edit > Settings).

3. Installing ThinApp is pretty straightforward; simply run the executable and follow the on-screen prompts. The only thing to note is, when you enter your licence key, be aware that the name you enter will display on the “splash screen” as your ThinApp loads.

4. Once your reference machine is setup, take a snapshot of it, so you can roll back to this point to create further ThinApps on this clean machine (VM > Snapshot > Take Snapshot).

5. Run the ThinApp Setup Capture > Next.

6. Prescan > This will take a few minutes > When finished, simply minimise the window; you are finished with it for now. Note: Don’t worry if the application you are installing requires a reboot; ThinApp is clever enough to cope with that.

7. Now install and configure the application you require, in this case Google Chrome. I’m also installing Java, and setting the default homepage to the Google search page.

8. When the application is installed to your liking, maximise (or open the capture if you’ve rebooted) and select ‘Postscan’ > OK.

Note: Before running Postscan make sure you delete any installer files downloaded, any icons from the desktop you do not want deployed in the ThinApp, and empty the recycle bin (you don’t want all that stuff captured, when creating your ThinApp).

9. Make sure only the executable you require is ticked as an entry point > Next.

10. At the Horizon App Manage Page > Next.

11. In a domain environment you can restrict ThinApp access to particular users or groups > Next.

12. Set the isolation mode as required, for most cases it will be ‘Full’ > Next.

13. As you are storing the app on USB, I’d suggest (though you don’t have to) setting the application to save its sandbox in the same directory.

14. Select whether you want to provide statistics to VMware > Next.

15. You will see this screen ONLY if you are capturing a browser. This is used if you have a particular website that will only run in IE6, or Firefox, etc.: only when the URLs listed here are accessed (either directly or from a hyperlink) will the ThinApp browser open them; all other URLs will be opened by the default browser. It’s a cool feature but not one I’m using > Next.

16. Give your ThinApp a name > Next.

17. I’m choosing the option to embed everything into my executable, selecting this may cause a warning about icons, but I ignored and deployed with no problems > Save.

18. After ThinApp generates the files it needs > Build.

19. Finish.

20. Here’s my ThinApp executable file.

21. Which I’ve copied to my USB drive.

22. So when you use the drive in another machine,

23. you can simply run the executable.

24. While the app loads it will show a splash screen like this.

25. And should load pre-configured.

 

Related Articles, References, Credits, or External Links

NA