Cisco Secure Desktop Configuration Guide for VPN 3000 Concentrator Series and Catalyst 6500 Series WebVPN Services Module Administrators, Release 3.1.1
Tutorial


Tutorial


CSD is a highly customizable suite of security tools that you can deploy in many different ways to secure remote systems and enforce your company's network security policies. This chapter steps you through a configuration to help you understand the following:

How to deploy CSD

Which security decisions you need to make to best accommodate your users and secure your network


Note The instructions in this chapter introduce you to the CSD configuration settings. Subsequent chapters reinforce these instructions with detailed descriptions.


The following sections guide you through the CSD configuration sequence:

Step One: Define Windows Locations

Step Two: Define Windows Location Identification

Step Three: Configure Windows Location Modules

Step Four: Configure Windows Location Features

Step Five: Configure Windows CE Features

Step Six: Configure Macintosh and Linux Features

Step Seven: Save the Settings

Step Eight: Enable CSD (VPN 3000 Concentrator Series Only)

Step One: Define Windows Locations

Begin configuring CSD by defining Windows locations. Windows locations apply to supported Microsoft Windows clients only; they do not apply to Macintosh and Linux clients.

Locations let you deploy an appropriate secure environment to hosts that connect through the VPN. They let you increase security on hosts that you determine are likely to be insecure, and offer flexibility to clients you determine are secure. You can restrict user privileges when they connect from unknown computers. You can also deploy the Secure Desktop and Cache Cleaner modules on insecure hosts to wipe clean session information that might contain confidential company information. We recommend that you consider the different types of hosts that will connect through the VPN, before you determine the criteria needed to secure those hosts and the security policies to assign to those criteria.

This tutorial describes how to configure three example locations: "Work," "Home," and "Insecure." "Work" is for those connecting to the VPN from a workstation in the office, "Home" is for those working from home, and "Insecure" is for those who do not meet the criteria for either, such as those connecting from a cybercafé.

In this tutorial, "Work" provides clients with full access, "Home" provides some flexibility, and "Insecure" restricts access. This tutorial defines the locations as follows:

Work

Identified by a registry entry

Secure Desktop and Cache Cleaner are disabled

Full access: all features ON

Home

Identified by a certificate given by the administrator

Secure Desktop and Vault Reuse are enabled, with no timeout

Advanced features require company antivirus software, company antispyware, company firewall, and Windows 2000 Service Pack 4 or Windows XP

Check for keystroke logger

Insecure

No identification

Cache Cleaner

All features disabled except web browsing

To create the three locations:


Step 1 Click Windows Location Settings in the menu on the left side of the CSD Manager window. The Windows Location Settings window opens.

Step 2 Type the following names in the Location name field, and click Add after typing each one:

Work

Home

Insecure


CSD evaluates client connections against the location entries in the order listed on the Windows Location Settings window. CSD grants privileges to a client PC based on the first location definition it matches. Our example includes "Work," "Home," and "Insecure" in that order; to assign privileges to a host, CSD first determines whether it is a "Work" host. If it is not, it determines whether it is a "Home" host. If it is not, it assigns the privileges associated with the "Insecure" location.

To change the order of the evaluation, choose a location name and click Move Up or Move Down.
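The first-match rule above is the part of this configuration that is easiest to get wrong, so here is a small model of it as an added example (this is illustrative code written for this tutorial, not CSD's own data structures or any Cisco API). It assumes three constructed locations matching the tutorial's "Work," "Home," and "Insecure" entries; the registry path comes from Step Two of this chapter, while the certificate "Issued to"/"Issued By" values and the host descriptions are hypothetical placeholders.

```python
"""Added example: first-match evaluation of Windows location entries.

CSD walks the location list top to bottom and applies the first location
whose identification criteria all match; an entry with no criteria (the
tutorial's "Insecure") is the catch-all. Everything below is constructed
for illustration and is not CSD's own data model.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class ClientHost:
    """What the location check can observe about a connecting host (constructed)."""
    registry_keys: set = field(default_factory=set)
    cert_issued_to: Optional[str] = None
    cert_issued_by: Optional[str] = None


@dataclass
class Location:
    name: str
    # Each criterion is a predicate over the host. An empty list means
    # "no identification", which matches every host (all([]) is True).
    criteria: list = field(default_factory=list)
    use_secure_desktop: bool = False
    use_cache_cleaner: bool = False

    def matches(self, host: ClientHost) -> bool:
        return all(check(host) for check in self.criteria)


def registry_exists(path: str) -> Callable[[ClientHost], bool]:
    """'<path> exists' criterion, as in the tutorial's Work location."""
    return lambda host: path in host.registry_keys


def certificate(issued_to: str, issued_by: str) -> Callable[[ClientHost], bool]:
    """Certificate criterion keyed on the Issued to / Issued By fields."""
    return lambda host: (host.cert_issued_to == issued_to
                         and host.cert_issued_by == issued_by)


def classify(host: ClientHost, locations: list) -> Location:
    """Return the first location whose criteria all match the host."""
    for loc in locations:
        if loc.matches(host):
            return loc
    # Without a catch-all entry some hosts match nothing at all.
    raise LookupError("no location matched; add a final entry with no criteria")


# The three tutorial locations, in the order CSD evaluates them.
LOCATIONS = [
    Location("Work",
             criteria=[registry_exists(r"HKEY_LOCAL_MACHINE\SOFTWARE\Company")]),
    Location("Home",
             # Hypothetical certificate subject and issuer.
             criteria=[certificate("vpn-home-user", "Example Corp CA")],
             use_secure_desktop=True),
    Location("Insecure", use_cache_cleaner=True),  # no criteria: catch-all
]


if __name__ == "__main__":
    office = ClientHost(registry_keys={r"HKEY_LOCAL_MACHINE\SOFTWARE\Company"})
    print(classify(office, LOCATIONS).name)                   # Work
    print(classify(ClientHost(), LOCATIONS).name)             # Insecure
    # Reversing the list puts the catch-all first, so everyone is "Insecure".
    print(classify(office, list(reversed(LOCATIONS))).name)   # Insecure
```

The reversed-list case is the reason the tutorial keeps "Insecure" last: a location with no criteria matches every host, so placing it above "Work" or "Home" silently downgrades all users to the restricted policy.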


Note Click Save next to "Settings Modified" to save the configuration changes before continuing.


Step Two: Define Windows Location Identification

For each Windows location, define the criteria used to identify the location and the security modules to be deployed for that location. Specify this information by clicking on the location name in the menu on the left side of the CSD Manager. An Identification window lets you enable the identification criteria for the location: certificate, IP address range, and file/registry. The "Use Module" attribute at the bottom of the window lets you enable or disable the Secure Desktop or Cache Cleaner modules for the associated location.

Work

Identify clients in the "Work" location by registry entry as follows:


Step 1 Click the name Work in the menu on the left.

The Identification window opens.

Step 2 Check Enable identification using Registry or File criteria.

Step 3 Add a registry criterion, such as "HKEY_LOCAL_MACHINE\SOFTWARE\Company exists."

Step 4 Do not deploy a security module because the hosts in this location are inside the office; uncheck both Secure Desktop and Cache Cleaner next to "Use Module."


Home

Identify clients in the "Home" location by a certificate given by the administrator to users who connect from home, as follows:


Step 1 Click the name Home in the menu on the left.

Step 2 Check Enable identification using certificate criteria.

Step 3 Complete the Issued to and Issued By fields of the certificate.

Step 4 Check Secure Desktop next to "Use Module."


Insecure

Do not specify any criteria for the final location entry, "Insecure." It applies to all clients that do not match the criteria specified in the previous location entries. Enable the Cache Cleaner module for these clients, as follows:


Step 1 Click the name Insecure in the menu on the left.

Step 2 Check Cache Cleaner next to "Use Module."



Note Click Save next to "Settings Modified" to save the configuration changes before continuing.


Step Three: Configure Windows Location Modules

This section describes how to customize the CSD deployment for each location. Each location in the menu has six options: VPN Feature Policy, Keystroke Logger, Cache Cleaner, Secure Desktop General, Secure Desktop Settings, and Secure Desktop Browser.

If you selected Cache Cleaner next to "Use Module" in the location configuration, configure the Cache Cleaner. If you selected Secure Desktop, configure both the Secure Desktop and Cache Cleaner because CSD supports only the Cache Cleaner on Windows 98 machines.

Work

Because you assigned neither the Secure Desktop nor the Cache Cleaner security module to the location entry named "Work," do not configure the associated VPN Feature Policy, Keystroke Logger, Cache Cleaner, Secure Desktop General, Secure Desktop Settings, or Secure Desktop Browser settings.

Home

Use the Secure Desktop for the "Home" location and allow vault reuse, no timeout, access to printing, and the command prompt. Also, allow connections using the Cache Cleaner for Windows 98 hosts. Set up the "Home" location with these settings as follows:


Step 1 Click Cache Cleaner under "Home."

The Cache Cleaner window opens.

a. Uncheck Launch cleanup upon inactivity timeout.

b. Uncheck Disable cancellation of cleaning.

See the option descriptions in "Cache Cleaner for Windows" for more information about the settings in this window.

Step 2 Click Secure Desktop General under "Home."

The Secure Desktop General window opens (Figure 5-1).

Figure 5-1 Secure Desktop General Window

a. Check Enable switching between Secure Desktop and Local Desktop.

b. Check Enable Vault Reuse.

c. Uncheck Enable Secure Desktop inactivity timeout.

With this attribute unchecked, the timeout has no effect.

See the option descriptions in "Secure Desktop General" for more information about the settings in this window.

Step 3 Click Secure Desktop Settings under "Home."

The Secure Desktop window opens.

Uncheck all options in this window except for Allow e-mail applications to work transparently.

See the option descriptions in "Secure Desktop Settings" for more information about the settings in this window.


Insecure

Use the default Cache Cleaner settings for the "Insecure" location. Assign or confirm the associated Cache Cleaner settings as follows:


Step 1 Click Cache Cleaner under "Insecure."

The Cache Cleaner window opens.

Step 2 Check Launch cleanup upon inactivity timeout.

When checked, this option forces a timeout if the user leaves the computer without logging out.

Step 3 Set Timeout after to 5 minutes.



Note Click Save next to "Settings Modified" to save the configuration changes before continuing.


Step Four: Configure Windows Location Features

CSD creates the security modules for a location when you create that location. Refer to the following sections to specify the level of access for each location.

Work

Provide full access to users in the "Work" location as follows:


Step 1 Click VPN Feature Policy under "Work."

Step 2 Set the following attributes to ON to ensure users connecting from the office environment have access to all of the VPN features:

Web Browsing

File Access

Port Forwarding

Full Tunneling


Home

Users connecting from home have advanced features like File Access, Port Forwarding, and Full Tunneling only if they meet the company network policies for antivirus software, antispyware, firewall software, and Windows 2000 Service Pack 4 or Windows XP. Provide users in the "Home" location with this level of access as follows:


Step 1 Click VPN Feature Policy under "Home."

Step 2 Set Web Browsing to ON.

Step 3 Set File Access to ON if criteria are matched.

Step 4 Click the ellipsis (...) button under "Web Browsing."

A dialog window opens.

Step 5 Check AntiVirus and choose the antivirus software.


Note To choose multiple options for a given field in this window, Control-click them.


Step 6 Check Anti-spyware and choose the antispyware software.

Step 7 Check Firewall and choose the firewall software.

Step 8 Check OS and choose 2000 SP4, XP no SP, XP SP1, and XP SP2.

Step 9 Click OK.

Step 10 Repeat Steps 3 to 9 for Port Forwarding and Full Tunneling.


Insecure

These instructions grant web browsing access only, and only if the Secure Desktop is active. Provide this level of access to users in the "Insecure" location as follows:


Step 1 Click VPN Feature Policy under "Insecure."

Step 2 Set Web Browsing to ON if criteria are matched.

Step 3 Click the ellipsis (...) button under "Web Browsing."

A dialog window opens.

Step 4 Check AntiVirus and choose the antivirus software.


Note To choose multiple options for a given field in this window, Control-click them.


Step 5 Check Firewall and choose the company firewall software.

Step 6 Check Anti-spyware and choose the antispyware software.

Step 7 Check OS and choose 2000 SP4, XP no SP, XP SP1, and XP SP2.

Step 8 Check Feature and choose Cache Cleaner.

Step 9 Click OK.

Step 10 Make sure File Access, Port Forwarding, and Full Tunneling are unchecked.

Step 11 Click OK.

See the option descriptions in "VPN Feature Policy" for more information.
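To make the "ON if criteria are matched" setting concrete, the following added example models the "Home" and "Insecure" feature policies from this step. It is illustrative code written for this tutorial, not CSD's own policy engine or any Cisco API; the product names ("CompanyAV", "CompanyAS", "CompanyFW"), the posture a host reports, and the way the Feature check is represented are constructed assumptions, while the OS values and the Cache Cleaner feature check come from the steps above.

```python
"""Added example: evaluating a per-location VPN Feature Policy.

Each feature is ON, OFF, or "ON if criteria are matched". The criteria are
the AntiVirus, Anti-spyware, Firewall, OS and Feature categories chosen in
the ellipsis dialog; a category left unchecked imposes no requirement,
and a checked one may list several acceptable values (Control-click).
All names and host data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Setting(Enum):
    ON = "on"
    OFF = "off"
    CONDITIONAL = "on if criteria are matched"


@dataclass
class HostPosture:
    """Constructed sample of what the endpoint reports (empty = not present)."""
    antivirus: str = ""
    antispyware: str = ""
    firewall: str = ""
    os: str = ""
    module_running: str = ""   # "Secure Desktop", "Cache Cleaner" or ""


@dataclass
class Criteria:
    """Acceptable values per category; an empty set means the box is unchecked."""
    antivirus: set = field(default_factory=set)
    antispyware: set = field(default_factory=set)
    firewall: set = field(default_factory=set)
    os: set = field(default_factory=set)
    feature: set = field(default_factory=set)

    def matched_by(self, host: HostPosture) -> bool:
        checks = [
            (self.antivirus, host.antivirus),
            (self.antispyware, host.antispyware),
            (self.firewall, host.firewall),
            (self.os, host.os),
            (self.feature, host.module_running),
        ]
        # Every checked category must contain the host's reported value.
        return all(not allowed or value in allowed for allowed, value in checks)


@dataclass
class FeaturePolicy:
    features: dict   # feature name -> (Setting, Criteria or None)

    def granted(self, host: HostPosture) -> dict:
        """Resolve each feature to True/False for this host."""
        result = {}
        for name, (setting, criteria) in self.features.items():
            if setting is Setting.ON:
                result[name] = True
            elif setting is Setting.OFF:
                result[name] = False
            else:
                result[name] = criteria is not None and criteria.matched_by(host)
        return result


COMPANY_OS = {"2000 SP4", "XP no SP", "XP SP1", "XP SP2"}

# "Home": web browsing always; advanced features only on a compliant host.
HOME_CRITERIA = Criteria(antivirus={"CompanyAV"}, antispyware={"CompanyAS"},
                         firewall={"CompanyFW"}, os=COMPANY_OS)
HOME_POLICY = FeaturePolicy({
    "Web Browsing": (Setting.ON, None),
    "File Access": (Setting.CONDITIONAL, HOME_CRITERIA),
    "Port Forwarding": (Setting.CONDITIONAL, HOME_CRITERIA),
    "Full Tunneling": (Setting.CONDITIONAL, HOME_CRITERIA),
})

# "Insecure": web browsing only, and only with Cache Cleaner as the Feature.
INSECURE_POLICY = FeaturePolicy({
    "Web Browsing": (Setting.CONDITIONAL, Criteria(
        antivirus={"CompanyAV"}, antispyware={"CompanyAS"}, firewall={"CompanyFW"},
        os=COMPANY_OS, feature={"Cache Cleaner"})),
    "File Access": (Setting.OFF, None),
    "Port Forwarding": (Setting.OFF, None),
    "Full Tunneling": (Setting.OFF, None),
})


if __name__ == "__main__":
    host = HostPosture("CompanyAV", "", "CompanyFW", "XP SP2")   # no antispyware
    print(HOME_POLICY.granted(host))   # only Web Browsing is True
```

Note that an unconditional OFF cannot be overridden by any posture, which is what Step 10 above relies on for the "Insecure" location, and that a missing product on the host fails the check even when the OS is acceptable.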



Note Click Save next to "Settings Modified" to save the configuration changes before continuing.


Step Five: Configure Windows CE Features

CSD provides limited features and restrictions for Windows CE clients. The following instructions explain how to grant or restrict web browsing and file access privileges to these clients.

Configure CSD for Windows CE clients as follows:


Step 1 Click Windows CE.

The Windows CE window opens.

Step 2 Set Web Browsing to ON.

Step 3 Set File Access to ON.


See the option descriptions in "Setting Up CSD for Microsoft Windows CE Clients" for more information about the settings in this window.


Note Click Save next to "Settings Modified" to save the configuration changes before continuing.


Step Six: Configure Macintosh and Linux Features

CSD handles Macintosh and Linux systems differently from Windows. Instead of using different settings per location, all Macintosh and Linux hosts use the same settings. (Hosts connecting from both secure and insecure locations connect with the same settings.) The following instructions explain how to grant only web browsing access privileges with a global timeout.

Configure the Macintosh and Linux cache cleaner as follows:


Step 1 Click Mac & Linux Cache Cleaner.

The Cache Cleaner - Mac & Linux window opens.

Step 2 Check Launch cleanup upon global timeout.

Step 3 Set the Timeout after value to 5 minutes.

Step 4 Check Let user reset timeout.

Step 5 Set Web Browsing to ON.

Step 6 Set File Access to ON.

Step 7 Set Port Forwarding to OFF.

See the option descriptions in "Setting Up CSD for Macintosh and Linux Clients" for more information about the settings in this window.



Note Be sure to follow the instructions in the next section before leaving the Desktop Manager.


Step Seven: Save the Settings

After you configure the CSD suite, be sure to click Save in the upper left corner of the Secure Desktop Manager window (Figure 5-2).

Figure 5-2 Save Needed Indicator


Caution Navigating away from the Secure Desktop Manager window without saving results in the loss of all Secure Desktop Manager configuration changes.

The Secure Desktop Manager Save button provides a different Save function than that provided by the VPN Concentrator Manager.

Step Eight: Enable CSD (VPN 3000 Concentrator Series Only)


Note You must enable CSD on the Catalyst 6500 Series WebVPN Services Module before configuring it; therefore, these instructions apply only to the VPN 3000 Concentrator Series.


By default, the VPN 3000 Concentrator disables support for CSD. We recommend that you complete and verify the CSD configuration before you enable it.


Caution You lose any unsaved configuration changes you made to CSD if you follow the instruction in Step 1. Be sure to save the CSD configuration before proceeding.

Enable or disable VPN 3000 Concentrator support for CSD as follows:


Step 1 Choose Configuration | Tunneling and Security | WebVPN | Secure Desktop | Setup in the VPN Concentrator Manager.

The selected radio button indicates the current Enable/Disable setting.

Step 2 Click Enable Secure Desktop.

Step 3 Click Save Needed.

Step 4 Click OK.


The VPN Manager replaces "Save Needed" with "Save" to indicate it saved the VPN 3000 Concentrator configuration you modified.