
AnyConnect HostScan

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host. The HostScan application gathers this information. Posture assessment requires HostScan to be installed on the host.

Using the secure desktop manager tool in the Adaptive Security Device Manager (ASDM), you can create a prelogin policy which evaluates the operating system, anti-virus, anti-spyware, and firewall software HostScan identifies. Based on the result of the prelogin policy's evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.

The HostScan support chart contains the product name and version information for the anti-virus, anti-spyware, and firewall applications you use in your prelogin policies. We deliver HostScan and the HostScan support chart, as well as other components, in the HostScan package.

Starting with AnyConnect Secure Mobility Client, release 3.0, HostScan is available separately from CSD. This means you can deploy HostScan functionality without having to install CSD, and you can update your HostScan support charts by upgrading to the latest HostScan package.

• Prerequisites for HostScan, page 1

• Licensing for Host Scan, page 2

• HostScan Packaging, page 2

• Install or Upgrade Host Scan, page 3

• Enable or Disable HostScan, page 4

• View the HostScan Version Enabled on the ASA, page 4

• Uninstall HostScan, page 5

• Assign AnyConnect Feature Modules to Group Policies, page 5

• HostScan Related Documentation, page 7

Prerequisites for HostScan

The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA components:

• ASA 8.4

CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.5 1


• ASDM 6.4

These AnyConnect features require that you install the posture module.

• SCEP authentication

• AnyConnect Telemetry Module

The posture module can be installed on any of these platforms:

• Windows 7 (x86 and x86 running on x64) or later

• Mac OS X 10.5, 10.6 (32-bit and 32-bit running on 64-bit) or later

• Linux (32-bit and 32-bit running on 64-bit)

• Windows Mobile

Licensing for Host Scan

These are the AnyConnect licensing requirements for the posture module:

• AnyConnect Apex for basic Host Scan.

• AnyConnect Plus is required for:

◦ Remediation

◦ Mobile Device Management

HostScan Packaging

You can load the HostScan package on to the ASA in one of these ways:

• You can upload it as a standalone package: hostscan-version.pkg

• You can upload it by uploading an AnyConnect Secure Mobility package: anyconnect-NGC-win-version-k9.pkg

File: hostscan-version.pkg
Description: This file contains the HostScan software as well as the HostScan library and support charts.

File: anyconnect-NGC-win-version-k9.pkg
Description: This package contains all the Cisco AnyConnect Secure Mobility Client features, including the hostscan-version.pkg file.


Install or Upgrade Host Scan

Use this procedure to install or upgrade the Host Scan package and enable it using the command line interface for the ASA.

Before You Begin

Note: If you are attempting to upgrade to HostScan version 4.6.x or greater from a 4.3.x version or earlier, you will receive an error message because all existing AV/AS/FW DAP policies and LUA script(s) that you have previously established are incompatible with HostScan 4.6.x or greater.

There is a one-time migration procedure that must be done to adapt your configuration. This procedure involves leaving this dialog box to migrate your configuration to be compatible with Hostscan 4.4.x before saving this configuration. Abort this procedure and refer to http://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html for detailed instructions. Briefly, migration involves navigating to the ASDM DAP policy page to review and manually delete the incompatible AV/AS/FW attributes, and then reviewing and rewriting LUA scripts.

• Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#

• Upload the hostscan_version-k9.pkg file or anyconnect-NGC-win-version-k9.pkg file to the ASA.

Procedure

Step 1 Enter webvpn configuration mode.

Example:

hostname(config)# webvpn

Step 2 Specify the path to the package you want to designate as the Host Scan image. You can specify a standalone Host Scan package or an AnyConnect Secure Mobility Client package as the Host Scan package.

hostscan image path

Example:

ASAName(webvpn)# hostscan image disk0:/hostscan-3.6.0-k9.pkg

ASAName(webvpn)# hostscan image disk0:/anyconnect-NGC-win-3.0.0327-k9.pkg

Note: For all operating systems, Windows, Linux, and Mac OS X, customers need to upload the anyconnect-NGC-win-version-k9.pkg file in order for the endpoints to install Host Scan.

Step 3 Enable the Host Scan image you designated in the previous step.

Example:

ASAName(webvpn)#hostscan enable

Step 4 Save the running configuration to flash. After successfully saving the new configuration to flash memory, you receive the message [OK].


Example:

hostname(webvpn)# write memory

Enable or Disable HostScan

These commands enable or disable an installed HostScan image using the command line interface of the ASA.

Before You Begin

Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#

Procedure

Step 1 Enter webvpn configuration mode.

Example:

hostname(config)# webvpn

Step 2 Enable the standalone HostScan image or the HostScan image in the AnyConnect Secure Mobility Client package if they have not been uninstalled from your ASA.

hostscan enable

Step 3 Disable HostScan for all installed HostScan packages.

Note: Before you uninstall the enabled HostScan image, you must first disable HostScan using this command.

no hostscan enable

View the HostScan Version Enabled on the ASA

Use this procedure to determine the enabled HostScan version using the ASA's command line interface.

Before You Begin

Log on to the ASA and enter privileged exec mode. In privileged exec mode, the ASA displays this prompt: hostname#

Procedure

Show the version of HostScan enabled on the ASA.

show webvpn hostscan


Uninstall HostScan

Uninstalling the HostScan package removes it from view in the ASDM interface and prevents the ASA from deploying it even if HostScan or CSD is enabled. Uninstalling HostScan does not delete the HostScan package from the flash drive.

Before You Begin

Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#

Procedure

Step 1 Enter webvpn configuration mode.

webvpn

Step 2 Disable the HostScan image you want to uninstall.

no hostscan enable

Step 3 Specify the path to the HostScan image you want to uninstall. A standalone HostScan package or an AnyConnect Secure Mobility Client package may have been designated as the HostScan package.

no hostscan image path

Example:

hostname(webvpn)# no hostscan image disk0:/hostscan-3.6.0-k9.pkg

hostname(webvpn)# no hostscan image disk0:/anyconnect-NGC-win-3.0.0327-k9.pkg

Step 4 Save the running configuration to flash. After successfully saving the new configuration to flash memory, you receive the message [OK].

write memory

Assign AnyConnect Feature Modules to Group Policies

This procedure associates AnyConnect feature modules with a group policy. When VPN users connect to the ASA, the ASA downloads and installs these AnyConnect feature modules to their endpoint computer.

Before You Begin

Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#

Procedure

Step 1 Add an internal group policy for Network Client Access.

group-policy name internal


Example:

hostname(config)# group-policy PostureModuleGroup internal

Step 2 Edit the new group policy. After entering the command, you receive the prompt for group policy configuration mode, hostname(config-group-policy)#.

group-policy name attributes

Example:

hostname(config)# group-policy PostureModuleGroup attributes

Step 3 Enter group policy webvpn configuration mode. After you enter the command, the ASA returns this prompt: hostname(config-group-webvpn)#

webvpn

Step 4 Configure the group policy to download AnyConnect feature modules for all users in the group.

anyconnect modules value AnyConnect Module Name

The value of the anyconnect modules command can contain one or more of the following values. When specifying more than one module, separate the values with a comma:

Value         AnyConnect Module Name
dart          AnyConnect DART (Diagnostics and Reporting Tool)
vpngina       AnyConnect SBL (Start Before Logon)
websecurity   AnyConnect Web Security Module
telemetry     AnyConnect Telemetry Module
posture       AnyConnect Posture Module
nam           AnyConnect Network Access Manager
none          Used by itself to remove all AnyConnect modules from the group policy.

Example:

hostname(config-group-webvpn)# anyconnect modules value websecurity,telemetry,posture

To remove one of the modules, re-send the command specifying only the module values you want to keep. For example, this command removes the websecurity module:

hostname(config-group-webvpn)# anyconnect modules value telemetry,posture

Step 5 Save the running configuration to flash. After successfully saving the new configuration to flash memory, you receive the message [OK] and the ASA returns you to this prompt: hostname(config-group-webvpn)#

write memory
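An added example, not from this guide or from Cisco: a Python audit script that reads a saved ASA running-config and checks the state this chapter configures (the hostscan image and hostscan enable commands under webvpn, and the anyconnect modules value line of each group policy), flagging group policies that do not push the posture module. The config excerpt is constructed for the example; the one-space-per-level indentation is the form ASA uses when it prints its running configuration.

```python
import re
from typing import List

# Constructed sample of an ASA running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
webvpn
 enable outside
 hostscan image disk0:/hostscan-3.6.0-k9.pkg
 hostscan enable
 anyconnect enable
group-policy PostureModuleGroup internal
group-policy PostureModuleGroup attributes
 webvpn
  anyconnect modules value websecurity,telemetry,posture
group-policy ContractorGroup internal
group-policy ContractorGroup attributes
 webvpn
  anyconnect modules value dart
"""


def audit_hostscan(config: str) -> dict:
    """Return the HostScan image path, its enable state, and each group policy's module list."""
    result = {"image": None, "enabled": False, "modules": {}}
    stack: List[str] = []  # enclosing command lines, indexed by indentation depth
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        del stack[depth:]  # leave any sub-mode at the same or deeper level
        stack.append(line)
        parent = stack[0]
        # Global webvpn mode: where the HostScan image is designated and enabled.
        if parent == "webvpn" and depth == 1:
            if line.startswith("hostscan image "):
                result["image"] = line.split(" ", 2)[2]
            elif line == "hostscan enable":
                result["enabled"] = True
            elif line == "no hostscan enable":
                result["enabled"] = False
        # group-policy <name> attributes -> webvpn -> anyconnect modules value <list>
        m = re.match(r"group-policy (\S+) attributes$", parent)
        if m and depth == 2 and stack[1] == "webvpn" and line.startswith("anyconnect modules value "):
            mods = line[len("anyconnect modules value "):].split(",")
            result["modules"][m.group(1)] = [] if mods == ["none"] else mods
    return result


def policies_without_posture(audit: dict) -> List[str]:
    """Group policies whose endpoints will not receive the posture module."""
    return sorted(name for name, mods in audit["modules"].items() if "posture" not in mods)


if __name__ == "__main__":
    report = audit_hostscan(SAMPLE_CONFIG)
    print(report)
    print("missing posture:", policies_without_posture(report))
```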


HostScan Related Documentation

Once HostScan gathers the posture credentials from the endpoint computer, you will need to understand subjects like configuring dynamic access policies and using LUA expressions to make use of the information.

These topics are covered in detail in these documents:

• Cisco Secure Desktop Configuration Guides

• Cisco Adaptive Security Device Manager Configuration Guides

See also the Cisco AnyConnect Secure Mobility Client Administrator Guide for more information about how HostScan works with AnyConnect clients.
