CiscoASA Workspot Configuration Guide 2.0

8/20/2019 CiscoASA Workspot Configuration Guide 2.0

http://slidepdf.com/reader/full/ciscoasa-workspot-configuration-guide-20 1/17

Workspot, Inc.1/27/2015

Workspot ConfigurationGuide for the Cisco

Adaptive Security

Appliance



This document contains Workspot proprietary information and is not to be disclosed to unauthorized persons.

Version 2.0 pg. 1 of 16

Cisco ASA and Workspot Overview

The Cisco Adaptive Security Appliance (ASA) provides organizations with secure, high

performance connectivity and protects critical assets for maximum productivity. Once

the Cisco ASA is installed, Workspot can be quickly and easily implemented as no

additional on-premise hardware or software required. The Workspot Client connects tothe Cisco ASA using the Clientless SSL VPN feature.

For more information on the Cisco ASA, go to:

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-

firewalls/index.html

The Workspot Client runs on mobile devices; Workspot Control, a corresponding cloud-

based administration console is used to manage configuration and policies for the

environment.

For more information on Workspot, go to: http://www.workspot.com

The information and screens in this guide are based on the following:

Cisco Adaptive Security Appliance 5510

Cisco Adaptive Security Appliance Software Version 9.2

Cisco Adaptive Security Device Manager Version 6.2(5)

Workspot Control 2014-10

Workspot iOS Client 2.5

Prerequisites and Configuration Notes

The following are general prerequisites for this guide:

The Cisco ASA must be running version 8.0 or later, and should be installed andconfigured for network connectivity and basic operations, including an AAA ServerGroup with an authentication server such as Microsoft Active Directory (AD).

AnyConnect Premium Licenses.o All Cisco ASA models include two licenses that can be used for testing if the

Cisco ASA is not already configured for Cisco Essentials.o Cisco provides trial licenses for one month with the ability to renew for an

additional month. See Cisco Self-Service Trial licenses. o Additional licenses based on the maximum number of peak concurrent users

will be required for production.

Cisco ASDM administrator access to the ASA.

DNS names or IP addresses for internal web apps, CIFS file shares and RemoteDesktop Services (RDS) servers.

Configuring the Cisco ASA for Workspot includes the following steps:

http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html



http://www.workspot.com/










1. Create a new Connection Profile2. Create a new AAA Server Group (optional)3. Create a new Group Policy enabling Clientless SSL VPN4. Configure Group URL5. Testing configuration through a web browser

Cisco ASA Configuration for Workspot

The following steps outline the basic configuration of a Cisco ASA to support Workspot.

Sign into the Cisco ASDM utility and configure a Clientless SSL VPN Connection profile

as follows.

1. Create a new Connection Profile. Go to Configurat ion > Remote A ccess VPN >

Cl ient less SSL VPN Acc ess > Connect ion Prof i les then click Add.





2. Enter a Name , then select an existing AAA Server Group , enter the DNSparameters as necessary for the network environment, then configure a new GroupPolicy - under Default Group Policy, click Manage.Note: If an existing AAA Server Group uses an LDAP server configured with anLDAP Attribute Map, then a new AAA Server Group with a LDAP server without the

attribute map is required. See the Troubleshooting section for more information.





3. Then click Add to add a new Group Policy.

4. Enter a Name , click More Options, then uncheck the Tunnel Protocols: Inher it

and check Clientless SSL VPN to enable the webvpn tunnel protocol.





5. File access is typically enabled by default, click OK to save the Internal Group Policyand proceed to the next step. If file access is not enabled, select Portal , thenuncheck all Fi le Access Con trol settings under Inherit and check Enable settings,then click OK to save.





6. Click OK on the Configure Group Policy dialog to save the policy.

7. On the Connection Profile dialog, click the [+] on Advanced then Clientless SSL

VPN . Click Add under Group URL then enter the custom URL. (This URL will beused in Workspot Control VPN configuration) Then click OK to save the Group URLand then OK again to save the Connection Profile.





8. Click Apply to apply the changes to the running Cisco ASA configuration.





Testing the Configuration

To test the configuration, use any standard browser and go to the URL associated withthe Cisco ASA, e.g. https://vpn.mycompany.com/mobile. Enter your Username andPassword then click Login.





After a successful login, the Cisco Clientless Portal home page is shown as follows. SeeTroubleshooting if the Portal page is not shown.

If the cifs:// option appears in the Address dropdown, then file access has beenenabled. If cifs:// is not available, go back to make the changes outlined in step 5 to

enable file access.

Note that Web and File Bookmarks are not required for Workspot.

The Cisco ASA is now properly configured for Clientless SSL VPN.





Configure the Cisco VPN in Workspot Control

The custom URL as configured in the Cisco ASA should be entered into the WorkspotControl VPN configuration during the Express Setup or by adding a new network.

Troubleshooting

If logging into the Cisco Clientless Portal returns a Login failed (as shown below) errorand credentials are confirmed, this may indicate that Cisco Premium licenses are notenabled.





Enter the show run command on the Cisco ASA and check the configuration for the noanyconnect-essentials command in the webvpn section.

…

webvpn

enable backup

enable outsideno anyconnect-essentials

…

Before enabling Cisco Premium licenses, ensure you have premium licenses installed.Cisco provides trial licenses for one month with the ability to renew for an additionalmonth. See Cisco Self-Service Trial licenses

If Cisco AnyConnect client download page (as show below) appears instead of the

Cisco Clientless Portal, this may indicate that the LDAP Attribute Map is configured.





Create a new AAA Server Group with the same authentication settings and specify theLDAP Attribute Map to be --None--.

Cisco Self-Service Trial licenses

Cisco provides one month trial licenses for all premium features. These licenses will

have max simultaneous premium, mobile, phone and advanced endpoint assessment

enabled. These licenses can be renewed once. Follow the same steps below for

extending the trial for another month. These are time-based licenses so applying a new

license will overwrite the original.

Note: These licenses cannot be used for Cisco ASAv (virtual appliance).





Open browser and navigate to http://www.cisco.com/go/license. Log into your Cisco

account.

Continue to the next page by clicking on Continue to Product License Registration.

http://www.cisco.com/go/license








On the main Product License Registration; select Get Other Licenses to bring the

dropdown menu then select Demo and Evaluation.

Get Demo and Evaluation Licenses screen will appear, step 1. Select Security

Products as Product Family then select AnyConnect Plus/Apex (ASA) Demo

License as Product. Click Next to continue.





For step 2, enter the Serial Number from the output from ‘show version’ and enter any

amount for ‘How many users do you intend to support in your environment?’ field

(this WILL NOT affect the license count). Click Next.

For step 3, confirm Send To email and Serial Number . Click Submit.





You should receive an email with an activation key. Follow the steps to apply:

1. Start Cisco ASA command line2. Activate the license key with:

> activation-key xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx 3. Enable premium functionality with:

> webvpn > no anyconnect-essentials

CiscoASA Workspot Configuration Guide 2.0

Documents

Transcript of CiscoASA Workspot Configuration Guide 2.0