Download - CiscoASA Workspot Configuration Guide 2.0
8/20/2019 CiscoASA Workspot Configuration Guide 2.0
http://slidepdf.com/reader/full/ciscoasa-workspot-configuration-guide-20 1/17
Workspot, Inc. 1/27/2015
Workspot Configuration Guide for the Cisco Adaptive Security Appliance
This document contains Workspot proprietary information and is not to be disclosed to unauthorized persons.
Version 2.0 pg. 1 of 16
Cisco ASA and Workspot Overview
The Cisco Adaptive Security Appliance (ASA) provides organizations with secure, high
performance connectivity and protects critical assets for maximum productivity. Once
the Cisco ASA is installed, Workspot can be quickly and easily implemented, as no
additional on-premise hardware or software is required. The Workspot Client connects to the Cisco ASA using the Clientless SSL VPN feature.
For more information on the Cisco ASA, go to:
http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html
The Workspot Client runs on mobile devices; Workspot Control, a corresponding cloud-
based administration console is used to manage configuration and policies for the
environment.
For more information on Workspot, go to: http://www.workspot.com
The information and screens in this guide are based on the following:
Cisco Adaptive Security Appliance 5510
Cisco Adaptive Security Appliance Software Version 9.2
Cisco Adaptive Security Device Manager Version 6.2(5)
Workspot Control 2014-10
Workspot iOS Client 2.5
Prerequisites and Configuration Notes
The following are general prerequisites for this guide:
The Cisco ASA must be running version 8.0 or later, and should be installed and configured for network connectivity and basic operations, including an AAA Server Group with an authentication server such as Microsoft Active Directory (AD).
AnyConnect Premium Licenses.
  o All Cisco ASA models include two licenses that can be used for testing if the Cisco ASA is not already configured for Cisco Essentials.
  o Cisco provides trial licenses for one month with the ability to renew for an additional month. See Cisco Self-Service Trial licenses.
  o Additional licenses based on the maximum number of peak concurrent users will be required for production.
Cisco ASDM administrator access to the ASA.
DNS names or IP addresses for internal web apps, CIFS file shares and Remote Desktop Services (RDS) servers.
Configuring the Cisco ASA for Workspot includes the following steps:
1. Create a new Connection Profile
2. Create a new AAA Server Group (optional)
3. Create a new Group Policy enabling Clientless SSL VPN
4. Configure Group URL
5. Testing configuration through a web browser
Cisco ASA Configuration for Workspot
The following steps outline the basic configuration of a Cisco ASA to support Workspot.
Sign into the Cisco ASDM utility and configure a Clientless SSL VPN Connection profile
as follows.
1. Create a new Connection Profile. Go to Configuration > Remote Access VPN >
Clientless SSL VPN Access > Connection Profiles then click Add.
2. Enter a Name, then select an existing AAA Server Group, enter the DNS parameters as necessary for the network environment, then configure a new Group Policy - under Default Group Policy, click Manage.
Note: If an existing AAA Server Group uses an LDAP server configured with an LDAP Attribute Map, then a new AAA Server Group with an LDAP server without the attribute map is required. See the Troubleshooting section for more information.
3. Then click Add to add a new Group Policy.
4. Enter a Name, click More Options, then uncheck the Tunnel Protocols: Inherit
and check Clientless SSL VPN to enable the webvpn tunnel protocol.
5. File access is typically enabled by default; click OK to save the Internal Group Policy and proceed to the next step. If file access is not enabled, select Portal, then uncheck all File Access Control settings under Inherit and check Enable settings, then click OK to save.
6. Click OK on the Configure Group Policy dialog to save the policy.
7. On the Connection Profile dialog, click the [+] on Advanced then Clientless SSL
VPN. Click Add under Group URL then enter the custom URL. (This URL will be used in Workspot Control VPN configuration.) Then click OK to save the Group URL and then OK again to save the Connection Profile.
8. Click Apply to apply the changes to the running Cisco ASA configuration.
Testing the Configuration
To test the configuration, use any standard browser and go to the URL associated with the Cisco ASA, e.g. https://vpn.mycompany.com/mobile. Enter your Username and Password then click Login.
After a successful login, the Cisco Clientless Portal home page is shown as follows. See Troubleshooting if the Portal page is not shown.
If the cifs:// option appears in the Address dropdown, then file access has been enabled. If cifs:// is not available, go back to make the changes outlined in step 5 to
enable file access.
Note that Web and File Bookmarks are not required for Workspot.
The Cisco ASA is now properly configured for Clientless SSL VPN.
Configure the Cisco VPN in Workspot Control
The custom URL as configured in the Cisco ASA should be entered into the Workspot Control VPN configuration during the Express Setup or by adding a new network.
Troubleshooting
If logging into the Cisco Clientless Portal returns a Login failed (as shown below) error and credentials are confirmed, this may indicate that Cisco Premium licenses are not enabled.
Enter the show run command on the Cisco ASA and check the configuration for the no anyconnect-essentials command in the webvpn section.
…
webvpn
 enable backup
 enable outside
 no anyconnect-essentials
…
Before enabling Cisco Premium licenses, ensure you have premium licenses installed. Cisco provides trial licenses for one month with the ability to renew for an additional month. See Cisco Self-Service Trial licenses.
If the Cisco AnyConnect client download page (as shown below) appears instead of the
Cisco Clientless Portal, this may indicate that the LDAP Attribute Map is configured.
Create a new AAA Server Group with the same authentication settings and specify the LDAP Attribute Map to be --None--.
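The configuration steps and the two troubleshooting cases above can be checked offline against saved show run text. The following is an added example, not part of the Workspot guide: the sample configuration, the names AD-LDAP, Workspot-GP and VPN-MAP, and the finding codes are constructed, and the parser assumes ASA sub-commands are indented under their section line.

```python
# Added example: audit saved `show run` text. SAMPLE is constructed (all names are made up).
SAMPLE = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-attribute-map VPN-MAP
group-policy Workspot-GP attributes
 vpn-tunnel-protocol ssl-client
webvpn
 enable outside
 anyconnect-essentials
tunnel-group Workspot general-attributes
 authentication-server-group AD-LDAP
 default-group-policy Workspot-GP
tunnel-group Workspot webvpn-attributes
 group-url https://vpn.mycompany.com/mobile enable
"""

def sections(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, current = {}, None
    for line in config.splitlines():
        if line[:1].isspace() and current:
            out[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            out.setdefault(current, [])
    return out

def first_arg(lines, keyword):
    # First argument of `keyword` within one section, or None if absent.
    return next((l.split()[1] for l in lines if l.startswith(keyword + " ")), None)

def audit(config, profile):
    """Return finding codes for one connection profile (tunnel-group)."""
    sec, findings = sections(config), []
    general = sec.get(f"tunnel-group {profile} general-attributes", [])
    policy = first_arg(general, "default-group-policy")
    aaa = first_arg(general, "authentication-server-group")
    if not first_arg(sec.get(f"tunnel-group {profile} webvpn-attributes", []), "group-url"):
        findings.append("no-group-url")
    # Clientless SSL VPN shows as `ssl-clientless` (or `webvpn` on older releases).
    enabled = {t for l in sec.get(f"group-policy {policy} attributes", [])
               if l.startswith("vpn-tunnel-protocol ") for t in l.split()[1:]}
    if not enabled & {"ssl-clientless", "webvpn"}:
        findings.append("clientless-not-enabled")
    if "no anyconnect-essentials" not in sec.get("webvpn", []):
        findings.append("anyconnect-essentials-not-disabled")
    if any(h.startswith(f"aaa-server {aaa} ") and first_arg(body, "ldap-attribute-map")
           for h, body in sec.items()):
        findings.append("ldap-attribute-map-present")
    return findings
```

Calling audit(SAMPLE, "Workspot") reports the tunnel-protocol, licensing and attribute-map conditions in the constructed sample; an empty list means the profile matches what this guide configures.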
Cisco Self-Service Trial licenses
Cisco provides one month trial licenses for all premium features. These licenses will
have max simultaneous premium, mobile, phone and advanced endpoint assessment
enabled. These licenses can be renewed once. Follow the same steps below for
extending the trial for another month. These are time-based licenses so applying a new
license will overwrite the original.
Note: These licenses cannot be used for Cisco ASAv (virtual appliance).
Open a browser and navigate to http://www.cisco.com/go/license. Log into your Cisco
account.
Continue to the next page by clicking on Continue to Product License Registration.
On the main Product License Registration page, select Get Other Licenses to bring up the
dropdown menu, then select Demo and Evaluation.
The Get Demo and Evaluation Licenses screen will appear. For step 1, select Security
Products as Product Family, then select AnyConnect Plus/Apex (ASA) Demo
License as Product. Click Next to continue.
For step 2, enter the Serial Number from the output of ‘show version’ and enter any
amount in the ‘How many users do you intend to support in your environment?’ field
(this WILL NOT affect the license count). Click Next.
For step 3, confirm Send To email and Serial Number. Click Submit.
You should receive an email with an activation key. Follow the steps to apply:
1. Start Cisco ASA command line
2. Activate the license key with:
> activation-key xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
3. Enable premium functionality with:
> webvpn
> no anyconnect-essentials