Cisco Secure Desktop Configuration Guide for VPN 3000 Concentrator Series and Catalyst 6500 Series WebVPN Services Module Administrators, Release 3.1.1
Frequently Asked Questions

General Questions

The following questions address a broad range of CSD functions:

Can I use Fast User Switching on Windows XP?

The Secure Desktop does not support Fast User Switching because only one instance of the CSD software can run on the same computer.

Which Java Virtual Machine is used by the Secure Desktop and the Cache Cleaner?

CSD checks Internet Explorer to determine which Java Virtual Machine (JVM) has been configured for that particular machine, and uses that JVM to install the CSD components.

When do modified settings apply to the Cache Cleaner and the Secure Desktop?

When you modify the settings in the Secure Desktop Manager, you must deploy those settings by clicking the Save button within the Secure Desktop Manager. The settings take effect the next time that a user starts either the Cache Cleaner application or the Secure Desktop application.

Do I need Administrator privileges to use the CSD features?

Administrator privileges are not required, but they are recommended.

Does the Secure Desktop Manager support Japanese character encodings?

The Secure Desktop Manager supports encodings such as Shift_JIS. However, you must set the browser to enable character encoding (View | Encoding or View | Character Encoding).

What does transparent handling of e-mail applications mean?

The use of the term transparent means that the Secure Desktop handles e-mail applications the same way that the local desktop handles them.

Which applications does the Secure Desktop handle transparently?

Secure Desktop provides transparent handling of Outlook, Outlook Express, Eudora, and Notes.

Timeout Questions

The following questions address timeout settings with the Secure Desktop and the Cache Cleaner:

How does the time-out setting work on the Secure Desktop?

The time-out setting is independent of the desktop on which the user is operating. If you set a time-out of 1 minute and the remote user switches to the Local Desktop and works there beyond the 1-minute setting, the Secure Desktop closes at the end of the minute. Depending upon other settings, CSD saves the data to a Vault or erases it from the disk. Also, CSD uninstalls the Secure Desktop software if you configure it to do so.

Do Macintosh and Linux have a timeout setting?

Yes, you can set a time-out for the Macintosh and Linux Cache Cleaner.

Vault and Secure Desktop Questions

The following questions address the use of the Secure Desktop and Vault features:

Does Secure Desktop completely eliminate the risk that data will be left behind on a system?

No. CSD diligently works to remove data from a remote system. However, Microsoft operating system limitations or installed malicious software may prevent CSD from completely removing all traces of a session from a remote system.

Can I use uninstallation and Vault reuse with the Secure Desktop?

No; if you uninstall the application, the Secure Desktop always automatically deletes the vault. To avoid unintended results, do not configure both of these options simultaneously.

If I enable Vault reuse, how large is the download the second time?

When you enable Vault reuse, the majority of the program is downloaded the first time. The next time the end user reaches the site, only a small application downloads (approximately 40 KB in size).

How does an end user use the Vault after downloading it the first time?

Once you have downloaded and installed the Secure Desktop, it appears as an entry in the Start menu. Users who want to reuse the Vault can click Start | Programs | Cisco Secure Desktop and enter the password with which they protected the Vault.

Can I run multiple Secure Desktops at the same time?

The current release does not support multiple Secure Desktops.

System Detection Questions

The following questions address System Detection:

Can CSD detect all keystroke loggers?

CSD works diligently to detect keystroke loggers. There may be instances where CSD is unable to detect a particular keystroke logger, including but not limited to hardware keystroke logging devices.

For System Detection, what is the AND/OR relationship among the various settings?

System Detection is either enabled or disabled. If it is enabled, you can then enable or disable each of the following categories:

Antivirus software

Antispyware software

Personal firewall software

Service packs

If you enable more than one category, the end user's computer must pass in each category to pass the System Detection check. An "AND" relationship is present among the enabled categories.

The options within each category have an "OR" relationship. You can specify that any one of a list of antivirus software programs be running, and even if you have checked all of them as possible candidates, having just one of them running is enough to satisfy this requirement.

The same "OR" logic applies to personal firewalls and service packs.
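The AND/OR evaluation described above, worked through as an added Python example (not Cisco's code). The class, function, and field names are assumptions, the product names are placeholders, and treating an enabled category with no accepted options as a failure is also an assumption.

```python
# Added illustration; names and data layout are assumptions, not CSD's own.
from dataclasses import dataclass, field

CATEGORIES = ("antivirus", "antispyware", "personal_firewall", "service_pack")

@dataclass
class SystemDetectionPolicy:
    enabled: bool = False
    # category -> set of options the administrator checked as acceptable;
    # a category that is absent from the dict is disabled.
    accepted: dict = field(default_factory=dict)

def evaluate(policy, detected):
    """Return (passed, failed_categories) for one endpoint.

    detected maps category -> set of items found on the endpoint.
    """
    if not policy.enabled:
        return True, []          # System Detection is off: nothing to check
    failed = []
    for category in CATEGORIES:
        if category not in policy.accepted:
            continue             # a disabled category is ignored
        # OR within a category: any one accepted option is enough.
        if not (policy.accepted[category] & detected.get(category, set())):
            failed.append(category)
    # AND across categories: every enabled category must pass.
    return not failed, failed

# Constructed sample data (product names are placeholders).
POLICY = SystemDetectionPolicy(enabled=True, accepted={
    "antivirus": {"AV-A", "AV-B", "AV-C"},
    "personal_firewall": {"FW-A", "FW-B"},
    "service_pack": {"SP1", "SP2"},
})
ENDPOINTS = {
    "laptop-1": {"antivirus": {"AV-B"}, "personal_firewall": {"FW-A"},
                 "service_pack": {"SP2"}},
    "kiosk-7": {"antivirus": {"AV-A", "AV-C"}, "service_pack": {"SP2"}},
    "home-pc": {"antivirus": {"AV-Z"}, "personal_firewall": {"FW-B"},
                "service_pack": {"SP1"}},
}

if __name__ == "__main__":
    for name, detected in ENDPOINTS.items():
        passed, failed = evaluate(POLICY, detected)
        print(f"{name}: {'PASS' if passed else 'FAIL'} {failed}")
```

The returned list of failed categories shows which enabled requirement an endpoint missed, which is the detail an administrator needs when a user reports being denied.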

Which software does System Detection support?

Refer to "VPN Feature Policy" for the complete list of software applications supported by System Detection.

Security Questions

The following questions address the Secure Desktop and the Cache Cleaner security settings and encryption level:

What security settings do I need to set on user computers?

The following Internet Explorer settings are required for CSD. Use these settings as a guideline for other browsers:

To access and launch the executable page:

Scripting > Active scripting > Enable

Downloads > File download > Enable

To launch ActiveX:

Scripting > Active scripting > Enable

ActiveX controls and plug-ins > Download signed ActiveX controls > Enable

ActiveX controls and plug-ins > Run ActiveX controls and plug-ins > Enable

To launch Java using the Microsoft Virtual Machine:

Scripting > Active scripting > Enable

Scripting > Scripting of Java applets > Enable

ActiveX controls and plug-ins > Download signed ActiveX controls > Enable

Microsoft VM > Java permissions > High, medium or low safety

What kind of encryption do the Secure Desktop and Cache Cleaner use?

CSD encrypts data with 168-bit 3DES. Erasure of the cache meets U.S. Department of Defense standards.

Data Encryption Standard (DES) is an algorithm for protecting data using secret encryption keys. DES-CBC is the Cipher Block Chaining (CBC) mode of DES, a stronger form of encryption; it applies an exclusive OR to each block of data with the previous ciphertext block and then encrypts the result using the DES encryption key. 3DES, or Triple DES, the strongest form of encryption, uses different keys to encrypt each data block three times.

How long can the password be for Vault reuse?

The password can be up to 127 characters, and can include any combination of upper and lower case letters, plus numbers and punctuation symbols.

What happens when the cache is cleaned, either by the Cache Cleaner or the Secure Desktop?

The Cache Cleaner or the Secure Desktop sanitizes the system, disabling or erasing all data that was downloaded, inserted, or created in the browser including file downloads, configuration changes, cached browser information, entered passwords, and auto-completed information.

Networking and Firewall Questions

The following questions address networking aspects of the Secure Desktop and the Cache Cleaner, and their interaction with personal firewalls such as Sygate Security Agent and Sygate Personal Firewall:

Does the Secure Desktop or Cache Cleaner detect a second network card for location determination?

No, they detect only the IP address of the first network card.

I am using a personal firewall. What application must I "Allow" to access the network?

You must allow the program main.exe to access the network.