ASVPN - Cisco Advanced SSL VPN
In this exclusive course, you will explore advanced SSL VPN topics including:
- Customer requirements (clientless vs. client-based)
- Certificates, including self-signed certificates, Microsoft Certificate Services, and default certificates
- Connection profiles, group policies, and how they interact
- How to combat brute-force attempts by using mutual authentication with digital certificates and user credentials
You'll push the boundaries of advanced topics by examining POST parameters on our Exchange OWA server and enabling auto sign-on. You'll examine and configure available plug-ins and contrast the concept to using smart tunnels, and you'll learn to check for registry and OS watermarks and create antivirus and firewall requirements.
You'll examine the newest features of AnyConnect 3.0, including Trusted Network Detection (TND) and firewall features in the client login scripts, and you will learn to skin your AnyConnect client with custom logos and settings to offer a rich feature set to your users.
You will cover Cisco Secure Desktop (CSD) topics in detail, and then you'll tie the components together by feeding the results of the policy checks into Dynamic Access Policies (DAPs) and examining the relationship between DAPs and group policies. You will take the configuration a step further by enabling Lightweight Directory Access Protocol (LDAP) authentication within a DAP. You will add a few web-type Access Control Lists (ACLs) to the mix and discover how the various components all work together.
You will wrap up the week by testing your knowledge with various troubleshooting tickets to fix a broken VPN design.
Objectives
- Client-based vs. clientless VPN solutions
- Using ASA 8.4 code for SSL VPN
- Basic and advanced features within the CiscAnyConnect client version 3.0, including firewall policy push, TND, login scripts, and profile editor in ASDM
- Relationship between tunnel groups, group and user policies, connection profiles, and dynamic access policies
- Kerberos Constrained Delegation (KCD) for VPN authentication
- Basic and advanced features of the Clientless WebVPN solution, including smart tunnels, Web ACLs, plug-ins, autsign-on, bookmarks, and portal customization
- Features and benefits of CSD and the fundamental differences between the pre-login policies and HostScan
- How tuse CSD tintegrate Endpoint Assessment (EA) and Advanced Endpoint Assessment (AEA)
- Configure DAPs
- Enrolling the ASA with a third-party Certificate Authority (CA) and retrieval based on user-based certificates tprovide mutual authentication
- How the username credential can be automatically populated and how the connection profile can be chosen automatically using the pre-fill and certificate mapping features in the ASA
- Troubleshooting SSL VPNs
Who Can Take This Course
Anyone, including system engineers and network designers, administrators, engineers, and managers, seeking to learn the latest features of AnyConnect 3.0
Prerequisites
- Skills and knowledge equivalent to those learned in any firewall fundamentals course, including SNAF, SNAA, FIREWALL, VPN, ASAE, or ASA Lab Camp
- Working knowledge of the Microsoft Windows operating system, including Microsoft Internet Explorer or Firefox
- Fundamental understanding of SSL and certificates
Follow-On Courses
There are no follow-ons for this course.
Certification Programs
This course is part of the following programs
Course Content
1. Feature Mapping and Scenario
- SSL Technology
- Clientless SSL Feature
- AnyConnect Feature
- Group Deployment Type (Clientless vs. AnyConnect)
- License Requirements for Suggested Solution
2. Initializing ASA and Preparing for PKI and AAA Support
- Basic ASA Configuration
- Validating Licenses
- Generating Self-Signed Certificate to be used with ASDM
- Enrolling Digital Certificate from CA Server to be used for SSL VPN Access
- Configuring Integration with AAA Servers (RADIUS, LDAP)
- Logging
3. Connection Profile and Group Policy Configuration
- Creating Connection Profiles and Group Policies
- Configuring Group Policy
- Creating Bookmarks
4. Enhanced Clientless WebVPN Features
- Plug-Ins
- Uploading the RDP Plug-In
- Configuring Smart Tunnels
- Auto Sign-On for HTTP/S Resources
- Auto Sign-On for Forms-Based Authentication
- KCD
- Microsoft Extensions to KCD for VPN Authentication
- Portal Customization
5. Enhanced AnyConnect Client Features
- AnyConnect 3.0 Features
- AnyConnect Secure Mobility
- Trusted Network Detection
- Always-On VPN
- Login Script
- AnyConnect Client Profile Configuration
- AnyConnect Diagnostics
6. CSD and Pre-Login Assessment
- Install and Configure CSD
- Configure and Manage
- Test and Troubleshoot CSD Issues
7. HostScan and DAPs
- DAP Attributes
- Configuring DAP
- Using EA Policies with DAP
- Working with Policy Objects
8. Securing Resources with Web-Type and Networks ACLs
- Feature Overview
- Configuring and Applying Web-Type ACLs
- Configuring and Applying Network-Based ACLs
9. CSD Endpoint Assessment
- Configuring CSD for Advanced HostScan
- Configuring DAP Policy to Utilize Advanced HostScan
- Testing and Troubleshooting the Configuration
10. Certificate-Based Authentication
- Obtain a User Certificate
- Configure VPN Authentication with Client Certificates
- Configure Connection Profile Selection
- Configure Group Policy Selection
- Configure LDAP Attribute Maps for Authorization Settings
- Two-Factor Authentication
- Test and Verify the Configuration
11. Advanced Troubleshooting
- SSL VPN Troubleshooting
- AnyConnect Troubleshooting
- Clientless SSL VPN Troubleshooting
12. Scaling SSL VPN
- Configuring Load Balancing
- Monitoring
- Verifying and Troubleshooting
- Configuring a Shared License
Labs
Lab 1: Lab Environment
Lab 2: Initializing the ASA and Preparing for PKI and AAA Support
- Obtain Remote Access to the System
- Bootstrap the ASA to a Baseline Configuration
- Create a Self-Signed Certificate
- Create a Certificate Request
- AAA Server Setup
- Verify the ASA Configuration
Lab 3: Configuring Basic Clientless and Client-Based SSL VPNs
- Create Connection Profiles, IP Pools, and Group Policies
- Assign Certificate to the Outside Interface
- Connection Method Configuration
- Create Bookmarks
- Prepare for ASDM
- Verify the ASA Configuration
Lab 4: Enhanced Clientless WebVPN Features
- Configure RDP and SSH Plug-Ins for Application Access
- Investigate the Use of Smart Tunnels
- Use Auto Sign-On to Allow the Passing of Credentials
- Verify the ASA Configuration
Lab 5: Enhanced AnyConnect Client Features
- Discover Profile Editor
- Configure TND (Trusted Network Detection)
- Investigate Using Login Scripts
- Configure the Firewall in AnyConnect
- Verify the ASA Configuration
Lab 6: CSD Deployment and Pre-Login Assessments
- Installing CSD
- Pre-Login Watermark Checks (Registry, OS)
- Secure Vault Isolation (Keystroke Logger, Vault Password)
Lab 7: HostScan and Dynamic Access Policies
- HostScan Watermarks
- DAP Configuration for Corporate Assets
- LDAP Authorization with DAPs
- Contractor Access Using DAPs
- Verify the ASA Configuration
Lab 8: Securing Resources with Web-Type ACLs
- Create Permissive ACLs
- Create Restrictive ACLs
- Assign the ACLs to the IT-Dept DAP
- Verify the ASA Configuration
Lab 9: CSD Endpoint Assessment
- Configure and Test a Basic EA (Firewall and AV Check)
- Configure and Test an AEA (Firewall Rules Push, AV Update)
Lab 10: Certificate-Based Authentication
- Configure Mutual Authentication using a Microsoft CA
- Troubleshoot Certificate Issues
Lab 11: Advanced Troubleshooting
- Walk-Through Packet Tracer and Debugs
- Basic Troubleshooting with Packet Capture
- Trouble Ticket Scenarios
| |
Corporate training |
Quality can only be experienced, not described.
|
|
CCIE Bootcamp Schedule |
CCIE R&S 10-DAY BOOTCAMP
CCIE SERVICE PROVIDER V3.0 10-DAY BOOTCAMP
CCIE SECURITY V4.0 10-DAY BOOTCAMP
CCIE VOICE 10-DAY BOOTCAMP
|
|