Secure Remote Worker for On-Prem Design Guide

Updated:November 2, 2021
Updated:November 2, 2021
 

 

Scope

In Scope

Cisco Secure Remote Worker (SRW) design guide covers the following components:

     Cisco Secure VPN (formerly known as AnyConnect Mobility Client)

     Secure connection using remote access VPN termination on Cisco hardware appliances

    Secure Firewall (Firepower Threat Defense on Firepower 4100)

     Authentication

    LDAP

    Duo (Two-factor authentication)

     Threat Protection

    Cisco Umbrella Roaming Security Module

    Cisco Secure Endpoint (AMP) Enabler (formerly AMP for Endpoints)

Out of scope

This document does not cover the following topics:

     Firepower Threat Defense (FTD) Installation

     Firepower Management Console (FMC) Installation

     Identity Services Engine (ISE)

     Windows Server setup

     Initial Duo installation

     VPNless access to private applications (Duo Network Gateway)

     Policy Enforcement in Cisco Umbrella

     Cisco Meraki MX

     Cisco Adaptive Security Appliance (ASA)

Introduction

Today’s distributed workforce continues to grow, and new challenges arise for businesses of all sizes. The need to have secure remote workers access cloud, private data centers, and public internet resources is even more important now than it has been in the past. While the benefits of these resources are immense, so are the risks that come with using them.

The IT teams need to be able to trust that their users can access all these resources with minimal interactions, while being as secure as possible. To do this, we need to protect the endpoints users will be on, the connection from these devices, validate their identity, and protect data from threats.

Graphical user interfaceDescription automatically generated

Figure 1.              Cisco Remote Access VPN on premises with Cisco Secure Firewall

Secure Remote Worker Architecture

Remote workers access enterprise resources using Internet connections protected by remote access VPN (RAVPN). Internet edge is an essential segment in the enterprise network, where the corporate network meets the public Internet. The SAFE Model identifies the Internet edge as one of the places in the network (PINs). SAFE simplifies complexity across the enterprise by implementing a model that focuses on the areas that a company must secure. This model treats each area holistically, focusing on today’s threats and the capabilities needed to secure each area against those threats. Cisco has deployed, tested, and validated critical designs. These solutions provide guidance and best practices that ensure effective, secure remote access to the resources.

DiagramDescription automatically generated

Figure 2.              Key to SAFE organizes the complexity of holistic security into PINs & Secure Domain

 

The Internet edge is the highest-risk PIN because it is the primary ingress for public traffic and the primary egress point to the Internet. Simultaneously, it is the critical resource that businesses need in today’s Internet-based economy. SAFE matches up defensive capabilities against the categories of threats today. SAFE simplifies security by starting with business flows, then addressing their respective threats with corresponding security capabilities, architectures, and designs. SAFE provides guidance that is holistic and understandable.

ChartDescription automatically generated

Figure 3.              SAFE Architecture and Design Guides

 

More information about how Cisco SAFE simplifies security, along with other CVDs, can be found here.

Secure Remote Worker Business Flows

Business Flow: SAFE uses the concept of business flows to simplify the identification of threats, and this enables the selection of capabilities necessary to protect them. The Secure Remote Worker design guide focuses on remote users accessing applications hosted in a secured environment. There is a secondary focus on securing the user when accessing internet resources, however, more in depth details are explored in the Cisco Secure Access Service Edge (SASE) Design Guide.

Graphical user interface, text, application, emailDescription automatically generated

Figure 4.              Remote Access VPN Business Flows

 

Threat Capabilities: Not all business flows have the same requirements. Some use cases are subject to a smaller attack vector and therefore require less security. Some have multiple vectors and require more. Evaluating the business flow by analyzing the attack surfaces provides the information needed to determine and apply the correct capabilities for flow specific and effective security. This process also allows for the application of capabilities to address risk and administrative policy requirements. For more information regarding SAFE capabilities, refer to the SAFE Overview Guide.

Graphical user interfaceDescription automatically generated

Figure 5.              Threat Capabilities for business flows

Solution Overview

Today’s companies are investing in enabling their workforce to have a secure remote connection to the resources hosted in their private data centers. This Cisco validated design guide (CVD) addresses a specific use case of secure remote workers covered in the Secure Remote Worker SAFE Design Guide. The secure remote worker solution uses the Cisco Secure VPN, Cisco Secure Firewall, Cisco Secure Access by Duo, Cisco Umbrella, and Cisco Secure Endpoint.

Remote access VPN key capabilities for traffic and threat management

Static Split Tunnel versus Dynamic Split Tunnel

The default behavior of a VPN client is to tunnel all traffic. The client sends everything through the tunnel unless the split tunnel is defined. Split tunnels are of two types static and dynamic.

DiagramDescription automatically generated

Figure 6.              Remote employee accessing resources hosted in the data center (tunnel-all)

Static Split Tunnel

Static split tunneling involves defining the IP addresses of hosts and networks that should be included in or excluded from the remote access VPN tunnel. The limitation of the static split tunnel is that it is based on IP addresses defined in the split tunnel ACL. You can enhance split tunneling by defining dynamic split tunneling.

Dynamic Split Tunnel

With dynamic split tunneling, you can fine-tune split tunneling based on DNS domain names. Because the IP addresses associated with full-qualified domain names (FQDN) can change or simply differ based on region, defining split tunneling based on DNS names provides a more dynamic definition of which traffic should, or should not, be included in the remote access VPN tunnel. If any addresses returned for excluded domain names are within the address pool included in the VPN, those addresses will then be excluded.

DiagramDescription automatically generated with medium confidence

Figure 7.              Traffic destined for private subnets/domains are sent through the VPN tunnel, other traffic goes direct to the Internet

VPN with a split tunnel

Cisco Secure VPN modules provide protection when users are on a VPN with a split tunnel enabled.

     Cisco Umbrella Roaming Module continues to provide cloud delivered security through Cisco Umbrella to traffic not destined for the VPN tunnel

     Cisco Secure Endpoint enabler continues to provide anti-virus and malware protection

     Cisco Secure Access by Duo continues to provide MFA for applications

Graphical user interfaceDescription automatically generated

Figure 8.              Remote worker is on VPN (split tunnel)

No VPN connection

Cisco Secure VPN modules provide protection when users are not on a VPN.

     Cisco Umbrella Roaming Module continues to provide cloud delivered security through Cisco Umbrella

     Cisco Secure Endpoint continues to provide anti-virus and malware protection

     Cisco Secure Access by Duo continues to provide MFA for applications

Graphical user interfaceDescription automatically generated

Figure 9.              Remote worker is not connected to VPN

Target Audience

This document provides best practices and recommended solutions for remote workers accessing resources hosted in on-prem infrastructures. This solution brings together a secure architecture that includes Cisco Secure VPN Mobility Client, Cisco Secure Access by Duo, Cisco Umbrella, and Cisco Secure Endpoint to protect remote access workers even when the user is on an untrusted network. In addition to validated designs, this Cisco Validated Design (CVD) also provides recommended step-by-step configurations.

The target audience for this CVD are Solution Architects responsible for designing a secure environment for remote workers and the implementation team responsible for deploying security.

Product Overview

This Cisco Validated Design guide (CVD) covers the following devices and modules to extend security to remote workers.

Devices / Modules

Functionality

Cisco Secure VPN Mobility Client

VPN Client for endpoints

Cisco Secure Firewall (FTD)

VPN Gateway / VPN concentrator

Cisco Secure Access by Duo

Multi-factor authentication

Cisco Umbrella Roaming Security Module

Cloud delivered security

Cisco Secure Endpoint Enabler

Anti-Virus and Malware protection for endpoints

Cisco Secure Access by Duo

Cisco Secure Access by Duo is a user-friendly, scalable way to keep business ahead of ever-changing security threats by implementing part of the Zero Trust security model. Multi-factor authentication from Duo protects the network by using a second source of validation, like a phone or token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administration, visibility, and monitoring.

Cisco Secure Access by Duo integrates with Cisco FTD VPN to add two-factor authentication for Secure VPN logins. Duo supports two-factor authentication for FTD using RADIUS authentication. With this configuration, end-users receive an automatic push or phone call for multi-factor authentication after submitting their primary credentials using the Secure VPN Mobility Client. Users may append a different factor selection to their password entry.

Cisco Secure VPN (formerly AnyConnect Secure Mobility Client)

Cisco Secure VPN empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. It provides a consistent user experience across devices, both on and off premises, without creating a headache for your IT teams. Simplify management with a single agent.

Note:       Strong encryption license is required in smart account

Components of the Cisco secure remote worker solution

Figure 10.          Components of the Cisco Secure VPN Client

Cisco Umbrella Roaming Security Module

Cisco Umbrella Roaming Security module for Cisco Secure VPN provides always-on security on any network, anywhere, any time. The Roaming Security module enforces security through Umbrella’s Secure Internet Gateway (SIG). Cisco Umbrella SIG unifies multiple functions in a single solution that traditionally required a set of on-premises security appliances (firewalls, proxies, gateways) or single function cloud-based security solutions. Umbrella provides real-time visibility and control for all internet activity both on and off your network or VPN.

License requirement to enable Umbrella Roaming Security Module:

License

Functionality

Cisco Umbrella Roaming service

Enable Umbrella connectivity to roaming clients

The same Umbrella Roaming Security module is used regardless of the subscription. Subscription is required to enable features.

Cisco Umbrella Packages

Cisco Secure Endpoint (AMP) Enabler

Cisco Secure VPN AMP Enabler module is used as a medium for deploying Cisco Secure Endpoint, formerly Advanced Malware Protection (AMP). This approach provides the roaming workforce with an additional security agent that acts as an anti-virus and malware protection system. It detects potential malware threats, removes those threats, and protects the devices from compromise. Cisco Secure Endpoint protects the user both on and off the network or VPN.

Secure Endpoint License Comparison

Product

License

Cisco Secure Endpoint license

Essential, Advantage or Premier

Cisco Secure Firewall

The Cisco Secure Firewall running Firepower Threat Defense (FTD) helps you prevent breaches, get visibility to stop threats fast, and automate operations to save time. A next-generation firewall is a network security device that provides capabilities beyond a traditional, stateful firewall by adding capabilities like virtual private network (VPN), application visibility and control (AVC), Next-Generation IPS (NGIPS), URL filtering, and advanced malware protection. Cisco FTD is available on hardware and as a virtual appliance.

Cisco FTD has the following flexible management and configuration options:

Management Options

Detail

Firepower management center (FMC)

Centralized Manager

Firepower Device Manager (FDM)

On-box manager

Cisco Defense Orchestrator (CDO)

Cloud-based (multi-device manager)

Application Programing Interface (API)

Configuration, monitoring and orchestration

 

This design guide makes use of Cisco FMC to configure the firewalls.

Note:       Licensing requirements for RAVPN can be found in Appendix A. The FTDs in this environment use AnyConnect Plus licenses.

Security Integrations

Each product in the Cisco product portfolio has a unique role to play when deploying an RAVPN solution. A key component of this deployment guide is to provide guidance on the integration of these products into a cohesive security solution. In this guide:

     Cisco FTDs are configured to accept VPN connections from Cisco Secure VPN clients

     Cisco Secure Access by Duo is installed to validate the identity of connections from Cisco Secure VPN clients

     Upon successful connection to the VPN, the Cisco Umbrella Roaming Security module is delivered to the clients for cloud security protection when not using the VPN tunnel

     Upon successful connection to the VPN, the Cisco Secure Endpoint package is delivered to the clients for anti-virus and malware protection

A picture containing graphical user interfaceDescription automatically generated

Figure 11.          Cisco Security Integration for Secure Remote Worker

Note:       Cisco Secure Access by Duo, Umbrella, and Secure Endpoint offer EU (European Union) based locations for customers having to follow EU rules.

Policy Setup for Secure VPN Client Modules

Before doing the Remote Worker deployment steps, the policies for the VPN modules need to be set up first.  This will reduce the number of steps in the deployment section and remove unnecessary overhead during that process.

Umbrella

This policy will be applied to any remote workers that are roaming. For this guide, only Umbrella DNS will be used. For a more in-depth Umbrella solution, including Web security, Data Loss Prevention and Remote Browser Isolation see the Cisco Umbrella Security Policy details here.

Step 1. Go to Policies -> Management -> DNS Policies

Graphical user interface, applicationDescription automatically generated

Step 2. Add a new policy on the top right

Graphical user interface, applicationDescription automatically generated

Step 3. Leave everything as the default and click next

TableDescription automatically generated with medium confidence

Note:       For more information on Umbrella best practices for policy creation, go here.

Step 4. Add roaming computers to the policy and click next

Graphical user interface, applicationDescription automatically generated

Note:       For more information on Umbrella Policy precedence, go here.

Step 5. Leave the next page with all the defaults and click next

Graphical user interface, text, applicationDescription automatically generated

Note:       For more information on Umbrella Security Categories, go here.

Step 6. Change the Content Access to Moderate and click next

Graphical user interface, applicationDescription automatically generated

Note:       For more information on managing Umbrella Content categories go here.

Step 7. The Control Applications section can be left as is, click on next

Graphical user interface, applicationDescription automatically generated

Note:       For more information on Umbrella Application categories, go here.

Step 8. Apply a Destination List to your roaming users. For this design guide, the destination list has been left as default. Click next

Graphical user interface, text, application, emailDescription automatically generated

Note:       For more information on managing Umbrella Destination Lists, go here.

Step 9. File Analysis in Umbrella is out of scope for this design guide and therefore is disabled. Click next

Graphical user interface, text, application, emailDescription automatically generated

Note:       For more information on Umbrella File analysis, go here.

Step 10.        Leave the block page as the default

Graphical user interface, text, application, emailDescription automatically generated

Note:       For more information on Umbrella Block pages, go here.

Step 11.        On the policy summary page, give the policy a meaningful name and click on Save

A picture containing rectangleDescription automatically generated

Secure Endpoint

A Secure Endpoint group needs to be created for an AnyConnect module to be created. These steps go over creating that group.

Step 1. Go to Management -> Groups

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 2. Click on create group on the right side

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 3. Give the new group a meaningful name and leave everything as the default, then Save

Graphical user interface, text, applicationDescription automatically generated

Remote Worker Deployment

Version Information

Product

Version

Cisco Firepower Threat Defense

7.0

Cisco Secure VPN

4.10.03

Cisco Umbrella

N/A

Cisco Secure Endpoint Connector

7.2.11

Cisco Secure Access by Duo

N/A

 

Network Topology

DiagramDescription automatically generated

Figure 12.          Cisco Remote Access VPN On-Prem Architecture

Cisco Firepower Threat Defense

The deployment steps in this design guide assume that the FTD devices are managed by FMC, have been deployed as a High Availability Pair and are accessible over the WAN network. For installation and deployment guides:

Firewall Management Center Virtual Getting Started Guide

Cisco Firepower 4100 Getting Started Guide

Cisco Firepower Split Tunneling Configuration

High Availability for Firepower Threat Defense

Note:       This design guide uses the Firepower 4110 for testing and validation. The version needed for your environment may change depending on access requirements. For performance information see the Cisco Firepower 4100 Series Data Sheet.

Once they have been installed, the interfaces, routing, NAT (Network Address Translation), and policy can be applied to the devices.

Interfaces

Typically, a minimum of two interfaces must be configured to have a system that passes meaningful traffic. Normally, you would have an outside interface that faces the upstream router or internet, and one or more inside interfaces for your organizations network(s). For this design guide, the outside interface is used as the ingress interface for VPN connections and the inside interface is used to denote the link to the rest of the network.

For more information on the configuration of Interfaces in Firewall Management Center go here.

Outside Interface

Step 1. Go to Devices -> Device Management in the FMC

Graphical user interface, applicationDescription automatically generated

Step 2. Click on the FTD or HA (High Availability) pair name

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 3. Go to the Interfaces tab

A picture containing graphical user interfaceDescription automatically generated

Step 4. Edit the interface that is going to the outside using the pencil icon on the right side. In this case it is port-channel1.

Related image, diagram or screenshot

Step 5. Give it a meaningful name. This guide uses outside.

Graphical user interface, applicationDescription automatically generated

Step 6. In the security zone section, open the dropdown and create a new zone

Step 7. Give it a meaningful name. This guide uses outside. Click OK. This will create a new zone.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 8. Verify that the new zone was created and is filled in on the dropdown

A picture containing rectangleDescription automatically generated

Step 9. Go to the IPv4 tab

Graphical user interface, text, applicationDescription automatically generated

Step 10.        Fill in the publicly addressable IP address for your company with a netmask of 255.255.255.254.

Graphical user interface, applicationDescription automatically generated 

Step 11.        Click OK. Verify the interface information is on the device interface page.

Related image, diagram or screenshot

Step 12.        Click on Save on the top right to save this configuration

A picture containing diagramDescription automatically generated

Inside Interface

Step 1. For the inside interface, repeat the same steps taken for the outside interface.

Graphical user interface, applicationDescription automatically generated

Step 2. Set the internal IP address to be the gateway for all the internal IPs.

Graphical user interface, text, applicationDescription automatically generated

Step 3. Click Ok, verify the information is in the interfaces tab and then save the configuration on the top right.

Routing

Cisco FTD supports several Internet protocols for routing:

     Enhanced Interior Gateway Routing Protocol (EIGRP)

     Open Shortest Path First (OSPF)

     Routing Information Protocol (RIP)

     Border Gateway Protocol (BGP)

This design guide was validated using static routing, however, more details on setting up dynamic routing on Firewall Management Center can be found here.

Step 1. Go to Devices -> Device Management in the FMC

Graphical user interface, applicationDescription automatically generated

Step 2. Click on the FTD or HA pair name

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 3. Go to the Routing tab then to the Static Route section

Graphical user interface, applicationDescription automatically generated

Step 4. Click on Add Route

Step 5. Select the outside interface, then create a new Available Network

Step 6. Give it a meaningful name, this guide will use internet, change the network radio button to Network, fill in 0.0.0.0/0 and Save

Graphical user interfaceDescription automatically generated

Step 7. Add the network that was created to the Selected Network section using the Add button

Graphical user interface, applicationDescription automatically generated

Step 8. Create a new gateway by pressing the plus (+) symbol

Step 9. Give it a meaningful name. This guide uses internetGw. Fill in the host box with the outside interfaces next hop and click Save

Graphical user interface, applicationDescription automatically generated

Step 10.        Verify the information is in the static route page and save the config on the top right of FMC

Related image, diagram or screenshot

NAT

For this design guide, it is assumed that the Cisco FTD pair used for VPN access is also being used as the Internet Edge for the network. To facilitate this, NAT must be deployed for all internal traffic to reach the Internet. This will be used for application updates, on-site workers, FMC, and any other needs of different applications that may need the Internet.

Note:       If the Internet edge is located in another part of the network, skip this step, and create a route between the VPN firewall and the edge router(s).

For additional information on NAT go here.

Step 1. Go to Devices -> NAT

Graphical user interface, text, applicationDescription automatically generated

Step 2. Create a new policy using the Threat Defense NAT option

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 3. Add a meaningful Name to the policy, Add the FTD device to the Selected Devices section, and click Save

Graphical user interface, applicationDescription automatically generated

Step 4. Edit the new NAT policy using the pencil icon and create a new rule on the right side

Step 5. Make the NAT rule a Manual NAT Rule with a Type Dynamic

Graphical user interfaceDescription automatically generated

Step 6. In the Translation tab, change the Original Source to any, Original Destination to Address and Translated Source to Destination Interface IP

Graphical user interface, text, applicationDescription automatically generated

Step 7. In the Interface Objects tab, add inside to Source Interface Objects and outside to the Destination Interface Objects, then Save

Graphical user interface, applicationDescription automatically generated

Step 8. Verify the rule is in the rule list and click Save on the top right

Related image, diagram or screenshot

Policy

If you created a basic Block all traffic access control policy when you registered the FTD with the FMC, then you need to add rules to the policy to allow traffic through the device. If NAT was configured in the previous section, this procedure will show you how to create a rule that allows internal devices to communicate to the Internet, Policies to allow traffic from the VPN subnet to the internal network will be shown later in the document.

For more advanced security rules, see the Firewall Management Center Configuration Guide.

Step 1. Go to Policies -> Access Control

Graphical user interface, text, application, emailDescription automatically generated

Step 2. Create a new policy on the right and give it a meaningful name. Add the FTD device to the selected devices and click Save.

Graphical user interface, applicationDescription automatically generated

Step 3. Edit the new policy using the pencil icon and click + Add Rule

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 4. Add a meaningful Name to the policy, with the action Allow

Graphical user interface, text, applicationDescription automatically generated

Step 5. On the Networks tab, Add your internal address scheme to the Source Networks. Save the rule

Graphical user interface, text, applicationDescription automatically generated

Step 6. Verify there are two rules, a default deny and an allow for all internal traffic to get out. Save this policy

A screenshot of a computerDescription automatically generated

Deploy

Step 1. Go to Deploy -> Deployment

Graphical user interface, applicationDescription automatically generated

Step 2. Verify there is the FTD pending a deployment

Related image, diagram or screenshot

Step 3. Select the FTD and deploy

Related image, diagram or screenshot

Step 4. FTD initial setup is finished once it has successfully deployed

Related image, diagram or screenshot

Cisco Secure Access by Duo

To install the authentication proxy, please follow the Cisco Firepower Threat Defense VPN with AnyConnect document.

Auth Proxy

The auth proxy config should look like this:

Text, letterDescription automatically generated

Directory Sync

So that we do not need to make a new user each time someone needs to login, we can make use of the Duo Directory Sync. This allows Duo to get the users and groups from the AD server using the authentication proxy. You can setup the Directory Sync using these directions.

Note:       Since the authentication proxy has already been installed, you can add a new cloud section to the configuration instead of installing a second authentication proxy.

The authentication proxy configuration file should now look like this:

Text, letterDescription automatically generated

Duo Security Policy

We will change the policy for the FTD VPN application was created in Duo so that it will only allow connections from specific IP addresses and block all others.

Step 1. In the Duo administration dashboard go to Applications

Graphical user interface, text, applicationDescription automatically generated

Step 2. Select the application that is used to protect VPN connection to the FTD

Step 3. Go to Policy and in the Application Policy section, click edit

Graphical user interface, text, application, emailDescription automatically generated

Step 4. Under User Location, click the search bar and choose the countries that will be enabled for VPN access. Next to All other countries, choose Deny access.

Graphical user interface, text, websiteDescription automatically generated

Step 5. Click Save Policy.

Cisco Secure VPN

Cisco Secure VPN allows employees to access a company’s internal resources while remote and ensures those connections are secure.

The following deployment steps will cover:

     Downloading the Secure VPN files and adding them to FMC

     Navigating the Remote Access VPN wizard, including the integrations of Umbrella, Duo and Secure Endpoint.

File Download

Step 1. Download the Secure VPN (AnyConnect) files: https://software.cisco.com/download/home/286281283/type/282364313/release/4.10.03104

Note:       For this design guide the windows and mac headend files are used, however, download any others you may need for your specific needs.

Step 2. Additionally, download the Profile Editor (Windows only) to make modifications to the Secure VPN package that will be attached to FMC.

Related image, diagram or screenshot

Related image, diagram or screenshot

Related image, diagram or screenshot

Step 3. Upload to

Upload Files to FMC

Step 1. Go to Objects -> Object Management

Graphical user interface, applicationDescription automatically generated

Step 2. Go to VPN -> AnyConnect File

Graphical user interface, text, applicationDescription automatically generated

Step 3. Click Add AnyConnect File

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 4. Provide a meaningful Name to the file.

Step 5. Click Browse and add the windows headend file that was downloaded in the previous section.

Step 6. Select AnyConnect Client Image as the file type.

Step 7. Click Save.

Graphical user interface, applicationDescription automatically generated

Step 8. Repeat as necessary for each of the operating systems that was downloaded.

Remote Access Policy Wizard

Step 1. Go to Devices -> Remote Access

Graphical user interface, text, applicationDescription automatically generated

Step 2. Click Add on the top right, bringing you to a RA VPN Wizard

Graphical user interface, text, applicationDescription automatically generated

Step 3. Give the policy a meaningful name. Check the protocols you would like to use (this guide is using SSL) and add the FTD device to the Selected Devices section. Go to the next page

Graphical user interface, applicationDescription automatically generated

Step 4. In the Connection Profile make sure the authentication method is AAA Only, the authentication server is set to the Duo Authentication proxy that was created earlier.

Graphical user interface, text, applicationDescription automatically generated

Step 5. In the Client Address Assignment, edit the IPv4 pool and add a new one

Graphical user interface, text, application, emailDescription automatically generated

Step 6. Give the address pool a meaningful name. Enter a network range and netmask to be assigned to your remote users. Click Save

Graphical user interface, text, application, emailDescription automatically generated

Step 7. Add the newly created pool to the Selected IPv4 Pools section. Click Ok

Graphical user interface, applicationDescription automatically generated

Step 8. Leave everything else as is and click next

Graphical user interface, text, applicationDescription automatically generated

Step 9. Select the AnyConnect images that were downloaded in the previous section. Click Next

Graphical user interface, text, application, emailDescription automatically generated

Step 10.        Set the network interface to outside

Graphical user interface, text, application, emailDescription automatically generated

Step 11.        In the Device Certificates section, add a new certificate

Note:       Obtaining a certificate for the FTD, also known as PKI enrollment, is explained in Firepower Threat Defense Certificate-Based Authentication. This chapter contains a full description of configuring, enrolling, and maintaining certificates in FMC.

Step 12.        Give the certificate a meaningful Name. This design guide makes use of a PKCS12 File from Active Directory. Add the certificate option that best suits your network from the note above. Click Save

Graphical user interfaceDescription automatically generated

Step 13.        Click Next

Graphical user interface, text, application, emailDescription automatically generated

Step 14.        Verify the information is correct on the last page and click finish

Split Tunneling

In this guide only traffic that is destined for our internal network will be sent down the VPN tunnel

Step 1. Go to Devices -> Remote Access and edit the VPN profile that was created in the previous section

Step 2. Edit the group policy and go to the Split Tunneling section

Graphical user interface, applicationDescription automatically generated

Step 3. Change the IPv4 and IPv6 split tunneling dropdowns to tunnel networks specified below.

Graphical user interface, text, application, emailDescription automatically generated

Step 4. Create a new Standard Access List by clicking on the plus sign

Step 5. Give it a meaningful name and click on the Add button.

Graphical user interface, text, applicationDescription automatically generated

Step 6. Leave it as an allow and add the subnet(s) for your internal network into the Selected Network box.

Graphical user interface, text, applicationDescription automatically generated

Step 7. Click on Add, then Save the configuration

Step 8. The new ACL that was created should fill in the access list box

Graphical user interface, text, applicationDescription automatically generated

Step 9. Save the group policy, save the VPN profile, and save the policy.

Step 10.        Go to Policies -> Access Control and edit the policy attached to the VPN FTD

Step 11.        Create a new allow rule and give it a meaningful name

Graphical user interface, applicationDescription automatically generated

Step 12.        Add the outside zone to the source zones and inside zone to the destination zones.

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 13.        On the Networks tab, add the VPN address pool to the source networks and the internal net to destination address.

Graphical user interface, text, applicationDescription automatically generated

Step 14.        Click Save

Cisco Umbrella Roaming Security module

The Cisco Umbrella Roaming Security module will be used to protect users while on or off the VPN

Download umbrella roaming security profile

Step 1. Login into your umbrella account at dashboard.umbrella.com

Step 2. Go to Deployments -> Roaming Computers

Graphical user interface, applicationDescription automatically generated

Step 3. Click on the Roaming Client download button

Graphical user interface, applicationDescription automatically generated

Step 4. Download the module profile at the bottom of the download window

Graphical user interface, text, application, emailDescription automatically generated

Step 5. It should download as OrgInfo.json

Graphical user interface, textDescription automatically generated

Add profile to VPN profile

Step 6. On the FMC, go to Devices -> Remote Access VPN and edit the VPN policy created previously

Step 7. Edit the connection profile that was created in the previous steps, then edit the Group Policy

Graphical user interface, text, applicationDescription automatically generated

Step 8. Go to the AnyConnect tab and then to Client Modules

Graphical user interface, text, application, emailDescription automatically generated

Step 9. Click the plus sign to add a new module

Graphical user interface, applicationDescription automatically generated

Step 10.        Change the Client Module to Umbrella Roaming Security

Graphical user interface, text, application, chat or text messageDescription automatically generated

Step 11.        Then click on the plus sign to add a new profile

Graphical user interface, text, applicationDescription automatically generated

Step 12.        Give it a meaningful name and browse to the OrgInfo.json file. Click Save

Graphical user interface, text, applicationDescription automatically generated

Step 13.        Make sure the profile is the new one that was created with the Umbrella orgInfo file and check the Enable Module Download box

Graphical user interface, applicationDescription automatically generated

Step 14.        Click Add

Cisco Secure Endpoint Connector

Secure Endpoint connector will be used to secure the roaming client from malicious files and activity.

Download Connector

Step 1. Go to Management -> Download Connector

Graphical user interface, text, applicationDescription automatically generated

Step 2. Select the group that was created earlier in this guide

Graphical user interface, applicationDescription automatically generated

Step 3. Show the URL for the windows and mac connectors, then copy them to a notepad file for future use

Graphical user interface, text, application, emailDescription automatically generated

 

Create AMP Profile

Step 1. Install the AnyConnect profile editor that was downloaded in the AnyConnect headend file steps

Related image, diagram or screenshot

Step 2. After it has been installed, open the AMP Enabler Profile Editor

Graphical user interface, applicationDescription automatically generated

Step 3. Leave the radio on Install AMP Enabler and put the two URLs (uniform resource locators) for the connectors in their respective boxes

Graphical user interface, text, application, emailDescription automatically generated

Note:       If the check fails, paste the URL into a browser and see if it downloads. If it does, then you may save this configuration

Step 4. Save the profile and accept the message about the URLs (uniform resource locators) being invalid

Graphical user interface, application, websiteDescription automatically generated

Step 5. The file should now be saved as amp-enabler.xml in your documents folder

Related image, diagram or screenshot

Add AMP enabler to the RA VPN profile

Step 1. Go back to the RAVPN for Client Modules on the FMC

Step 2. Click the plus sign to add a New Module

Step 3. Change the client module to AMP Enabler and add a new profile.

Step 4. Give it a meaningful name and upload the amp-enabler xml file. Click Save

Step 5. Check the Enable Module Download box and click on Add.

Graphical user interface, applicationDescription automatically generated

Step 6. Click on Save, Save, and Save once more

Step 7. Deploy these changes

Related image, diagram or screenshot

Step 8. Connect to the VPN and make sure the modules get installed

Graphical user interface, applicationDescription automatically generated

Validation Testing

Test Case 1– Cisco Duo two-factor authentication (2FA)

Step 1. On a roaming device, open AnyConnect Secure Mobility Client

A screenshot of a computerDescription automatically generated with low confidence

Step 2. Select the network to be connected to and press Connect.

Graphical user interface, text, applicationDescription automatically generated

Step 3. Enter the credentials for a valid user and press OK.

Graphical user interface, applicationDescription automatically generated

Step 4. If configured correctly, you will get a Duo push notification

A screenshot of a social media postDescription automatically generated

Step 5. Approve the request and finish the connection

Graphical user interface, applicationDescription automatically generated

Test Case 2 – Cisco Umbrella Roaming Security Module (DNS layer protection)

Step 1. Open AnyConnect Secure Mobility Client and verify the Roaming Security module is active

A screenshot of a computerDescription automatically generated with medium confidence

Step 2. Open any browser and connect to 4shared.com. Verify it has been blocked.

Graphical user interface, text, applicationDescription automatically generated

Test Case 3 – Cisco Secure Endpoint AMP enabler (File blocking)

Step 1. Verify the AMP enabler is installed

Graphical user interface, applicationDescription automatically generated

Step 2. Go to eicar.org

TextDescription automatically generated with low confidence

Step 3. Download the eicar.com file

Graphical user interface, application, tableDescription automatically generated with medium confidence

Step 4. After saving the file, it should either fail or be removed immediately

Graphical user interfaceDescription automatically generated with medium confidence

Step 5. In the Secure Endpoint Dashboard, navigate to the Analysis -> Event page

Step 6. There should be a block for the file in the events

Related image, diagram or screenshot

Test Case 4 – Geolocation blocking

This test will validate that the geo block in Duo is successfully blocking connection attempts from devices outside of the geographical range set in Duo.

Step 1. Connect to the VPN from a region that is allowed to connect and login.

Step 2. A Duo prompt should be pushed to the device and allow access

Step 3. Check the Duo reports page, there should be a User approved connection

TextDescription automatically generated

Step 4. Disconnect and attempt to connect from a region that has not been enabled by your organization.

Note:       If you do not have a means of testing with a device outside of your region, temporarily change the allow list to block the current region you are in to test that a region block will be successful.

Step 5. A Duo prompt should not come up and it should continue to ask for login information.

Graphical user interface, text, applicationDescription automatically generated

Step 6. Check the Duo reports page, there should be a block with a reason of Location restricted

A picture containing applicationDescription automatically generated

Appendix

Appendix A - Licensing information

This section defines the packaging structure and licensing information for the Cisco Secure VPN. The following Secure VPN licenses are available:

     Plus subscription license

     Plus perpetual license

     Apex subscription license

     VPN only perpetual license

Subscription licenses are term-based licenses available in terms of 12 to 60 months (about 5 years).

Perpetual licenses are permanent licenses.

Plus license includes basic VPN services such as device and per-application VPN, trusted network detection, basic device context collection, FIPS compliance, Network Access Manager 802.1X supplicant, the Cloud Web Security module, and the Cisco Umbrella Roaming module. The existing Secure VPN customers should think of AnyConnect Plus like the previous AnyConnect Essentials.

Apex license includes more advanced services such as endpoint posture checks (host scan through FTD VPN, or ISE Posture through the Cisco Identity Services Engine), network visibility, next-generation VPN encryption, and clientless remote access VPN as well as all the capabilities of AnyConnect Plus. The existing Secure VPN customers should think of AnyConnect Apex like the previous AnyConnect Premium and Premium Shared Licenses.

     Clientless (browser-based) VPN termination on the Cisco Adaptive Security Appliance

     VPN compliance and posture agent in conjunction with the Cisco Adaptive Security Appliance

     Unified compliance and posture agent in conjunction with the Cisco Identity Services Engine 1.3 or later

     Next-generation encryption (Suite B) with Secure VPN and third-party (non-Secure VPN) IKEv2 VPN clients

     Network Visibility Module

     All Plus services described above

VPN-only licenses are perpetual based, clientless, and may only be used on a single FTD. The web security module, cisco umbrella roaming, ISE posture, network visibility is not supported. VPN-only license provides the following functionality:

     VPN functionality for PC and mobile platforms, including per-application VPN on mobile platforms, Cisco phone VPN, and third-party (non-Secure VPN) IKEv2 VPN clients

     Clientless (browser-based) VPN termination on the Cisco Adaptive Security Appliance

     VPN-only compliance and posture agent in conjunction with the Cisco Adaptive Security Appliance

     FIPS compliance

     Next-generation encryption (Suite B) with Secure VPN and third-party (non-Secure VPN) IKEv2 VPN clients

The Secure VPN Licenses are supported on the following platforms:

     Cisco Adaptive Security Appliance (Physical and Virtual)

     Cisco Next-Generation Firewall (Physical and Virtual)

Appendix B - Acronyms

Acronym

Definition

ACL

Access control list

AD

Active Directory

AMP

Advanced Malware Protection

AMP4E

Advanced Malware Protection for Endpoints

ASAv

Adaptive Security Virtual Appliance

ASDM

Adaptive Security Appliance Device Manager

AVC

Application Visibility and Control

CDO

Cisco Defense Orchestrator

CVD

Cisco Validated Design

FDM

Firepower Device Manager

FMC

Firewall Management Center

FQDN

Fully Qualified Domain Name / Domain Name System (DNS) Name

FTD

Firepower Threat Defense

MFA

Multi Factor Authentication

PIN

Place in network

RAVPN

Remote Access Virtual Private Network

VPN

Virtual Private Network

 

Appendix C - References

Secure Remote Worker for AWS Design Guide

Secure Remote Worker for Azure Design Guide

Cisco Secure Firewall

Cisco Firepower 4100 Series Data Sheet

Cisco Firepower 9300 Series Data Sheet

Firewall Management Center Virtual Getting Started Guide

Cisco Firepower 4100 Getting Started Guide

Cisco Firepower 9300 Getting Started Guide

Cisco Firepower Split Tunneling Configuration

High Availability for Firepower Threat Defense

Cisco AnyConnect Secure Mobility Client

Cisco AnyConnect Secure Mobility License Ordering Guide

Cisco Umbrella Module for AnyConnect

Duo for Cisco AnyConnect VPN with ASA or Firepower

Appendix D - Feedback

If you have feedback on this design guide or any of the Cisco Security design guides, please send an email to ask-security-cvd@cisco.com