Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1
Configuring Host Scan and the Posture Module

Table of Contents

Configuring HostScan

HostScan Workflow

Features Enabled with the AnyConnect Posture Module

Prelogin Assessment

Prelogin Policies

Keystroke Logger Detection

Host Emulation Detection

Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems

Cache Cleaner

HostScan

Basic HostScan Functionality

Endpoint Assessment

Advanced Endpoint Assessment - Antivirus, Antispyware, and Firewall Remediation

HostScan Support Charts

Configuring Antivirus Applications for HostScan

Integration with Dynamic Access Policies

Difference Between the Posture Module and the Standalone HostScan Package

AnyConnect Posture Module Dependencies and System Requirements

Dependencies

HostScan, CSD, and AnyConnect Secure Mobility Client Interoperability

System Requirements

Licensing

Entering an Activation Key to Support Advanced Endpoint Assessment

HostScan Packaging

Which HostScan Image Gets Enabled When There is More than One Loaded on the ASA?

Deploying the AnyConnect Posture Module and HostScan

Pre-Deploying the AnyConnect Posture Module

Installing and Enabling HostScan on the ASA

Downloading the Latest HostScan Engine Update

Installing or Upgrading HostScan

Enabling or Disabling HostScan on the ASA

Enabling or Disabling CSD on the ASA

HostScan and CSD Upgrades and Downgrades

Determining the HostScan Image Enabled on the ASA

Uninstalling HostScan

Uninstalling the HostScan Package

Uninstalling CSD from the ASA

Assigning AnyConnect Posture Module to a Group Policy

HostScan Logging

Configuring the Logging Level for All Posture Module Components

Posture Module Log Files and Locations

Using a BIOS Serial Number in a DAP

Specifying the BIOS as a DAP Endpoint Attribute

How to Obtain BIOS Serial Numbers

Configuring HostScan

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, antivirus, antispyware, and firewall software installed on the host. The HostScan application, which is among the components delivered by the posture module, is the application that gathers this information.

In the adaptive security appliance (ASA), you can create a policy that evaluates endpoint attributes such as operating system, IP address, registry entries, local certificates, and filenames. Based on the result of the policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.

Starting with AnyConnect 3.0, the HostScan package becomes a shared component of the AnyConnect Secure Mobility client and Cisco Secure Desktop (CSD). Previously, the HostScan package was one of several components available only by installing CSD.

The purpose of separating the HostScan package from CSD is to allow you to update HostScan support charts more frequently than it was possible when they were delivered as part of CSD. The HostScan support charts contain the product name and version information of the antivirus, antispyware, and firewall applications used to assign Dynamic Access Policies (DAPs). We deliver the HostScan application and the HostScan support charts, as well as other components, in the HostScan package.

The standalone HostScan package and the HostScan package delivered with the posture module provide the same functionality. We provide a separate HostScan package so that you can update the HostScan support charts easily.

The HostScan package can now be delivered in one of three ways: with the AnyConnect Posture Module, with CSD, or as a standalone package. There are two types of AnyConnect posture modules: one version is pushed down by the ASA along with the AnyConnect installation and the other is configured as a pre-deployment module. The pre-deployment module can be installed on endpoints before they make their initial connection to the ASA.

In addition to identifying the operating system, antivirus, antispyware, and firewall software installed on the endpoint, the HostScan package delivers the components that perform an assessment, identify keystroke loggers, and detect host emulation and virtual machines running on the endpoint. Keystroke logger detection and host emulation and virtual machine detection were also features of CSD that are now included in the HostScan package.

Still, the HostScan package is not a replacement for CSD. Customers that want cache cleaning or the Secure Vault will need to install and enable CSD in addition to the HostScan package. See http://www.cisco.com/en/US/products/ps6742/products_installation_and_configuration_guides_list.html to learn about the Secure Vault feature in the CSD Configuration Guides.

You can install, uninstall, enable, and disable HostScan using the ASA’s Adaptive Security Device Manager (ASDM) or command line interface. You can configure policies using the Secure Desktop Manager tool on the ASDM.

Posture assessment and the AnyConnect telemetry module require HostScan to be installed on the host.

This chapter contains the following sections:

HostScan Workflow

HostScan works with the ASA to protect the corporate network as described in the workflow that follows:

1. The remote device attempts to establish an AnyConnect Client session with the ASA.

2. The ASA downloads HostScan to the endpoint ensuring that the ASA and the endpoint are using the same version of HostScan. The version of HostScan on the endpoint could either be upgraded or downgraded to match the version of HostScan on the ASA.

3. The prelogin assessment checks for the following on the endpoint:

  • Operating system
  • Presence or absence of any files you specify.
  • Presence or absence of any registry keys you specify. This check applies only if the computer is running Microsoft Windows.
  • Presence of any digital certificates you specify. This check also applies only if the computer is running Microsoft Windows.
  • IPv4 or IPv6 addresses within a range you specify.

4. As the endpoint undergoes the prelogin assessment, HostScan gathers antivirus, firewall, and antispyware version information.

5. One of the following occurs, depending on the result of the prelogin assessment:

  • The endpoint attributes do not meet the requirements of the prelogin assessment and the Login Denied message appears on the endpoint. In this case, interaction between the ASA and the endpoint stops.
  • The endpoint attributes meet the requirements of the prelogin assessment. The prelogin assessment assigns a prelogin policy name to the endpoint and reports the name of the prelogin policy to the ASA. In this case, interaction between the ASA and the endpoint continues.

6. HostScan checks for keystroke loggers and host emulation on the remote computer, based on the configuration of the policy the remote computer was assigned after the assessment.

7. Antivirus, firewall, or antispyware remediation occurs if it is warranted and you have a license for Advanced Endpoint Assessment.

8. The user logs in.

9. The ASA typically uses the authentication data gathered in Step 3, along with any configured endpoint attribute criteria gathered in Step 4 (which can include such values as the policy and HostScan results), to apply a dynamic access policy to the session.

10. Following the termination of the user session, HostScan terminates, and Cache Cleaner performs its cleanup functions.



Features Enabled with the AnyConnect Posture Module

Prelogin Assessment

The assessment runs after the user connects to the ASA, but before the user logs in. This assessment can check the remote device for files, digital certificates, the OS, IP address, and Microsoft Windows registry keys.

Secure Desktop Manager, the administrator interface to HostScan, provides a graphical sequence editor to simplify the configuration of the assessment module.

When configuring the assessment module, the HostScan administrator creates branches of nodes called sequences. Each sequence begins with the Start node, followed by an endpoint check. The result of the check determines whether to perform another endpoint check or to terminate the sequence with an end node.

The end node determines whether to display a Login Denied message, assign a policy to the device, or perform a secondary set of checks called a subsequence. A subsequence is a continuation of a sequence, typically consisting of more endpoint checks and an end node. This feature is useful to do the following:

  • Reuse a sequence of checks in some cases but not others.
  • Create a set of conditions that have an overall purpose that you want to document by using the subsequence name.
  • Limit the horizontal space occupied by the graphical sequence editor.

Figure 5-1 Example of a Completed Assessment


Prelogin Policies

The results of the checks of the assessment configured in the graphical sequence editor, Figure 5-1, determine whether the assessment results in the assignment of a particular policy or a denied remote access connection.

As you create each policy, Secure Desktop Manager adds a menu named after the policy. Each policy menu lets you assign unique settings to the policy. These settings determine whether Keystroke Logger Detection, Host Emulation Detection, or Cache Cleaner installs on remote devices that match the criteria assigned to the policy. Administrators typically assign these modules to non-corporate computers to prevent access to corporate data and files after the session is over.
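The sequence-and-end-node model described above (Start node, a chain of endpoint checks, an end node that denies login, assigns a policy, or enters a reusable subsequence) and its use in Steps 3 to 5 of the HostScan workflow can be made concrete with a small evaluator. The following is an added example, not Cisco code and not the Secure Desktop Manager implementation: the check types follow the assessment list, but the node names, the registry key, the address range, the policy names and the sample endpoints are all constructed.

```python
"""Model of a prelogin-assessment sequence as described for Secure Desktop
Manager's graphical sequence editor. This is an added illustration, not Cisco
code: the check types mirror the assessment list above, but node names, the
registry key, the address range and the sample endpoints are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class End:
    """End node: deny login, assign a prelogin policy, or enter a subsequence."""
    kind: str            # "deny", "policy" or "subsequence"
    name: str = ""       # policy name or subsequence name


@dataclass
class Check:
    """Endpoint check; on_pass / on_fail point at another Check or an End."""
    kind: str            # "os", "file", "registry", "certificate" or "ip"
    arg: object
    on_pass: object = None
    on_fail: object = None


def run_check(check, endpoint):
    """Evaluate one check against an endpoint record gathered by HostScan."""
    is_windows = endpoint["os"].startswith("Windows")
    if check.kind == "os":
        return endpoint["os"] in check.arg
    if check.kind == "file":
        return check.arg in endpoint.get("files", ())
    if check.kind == "registry":
        # Registry and certificate checks apply only to Windows endpoints.
        return is_windows and check.arg in endpoint.get("registry", ())
    if check.kind == "certificate":
        return is_windows and check.arg in endpoint.get("certs", ())
    if check.kind == "ip":
        net = ipaddress.ip_network(check.arg)
        return any(ipaddress.ip_address(a) in net
                   for a in endpoint.get("addresses", ()))
    raise ValueError(f"unknown check type {check.kind!r}")


def evaluate(first_check, endpoint, subsequences, max_steps=64):
    """Walk from the Start node's first check to an end node.
    Returns ("deny", "") or ("policy", <name>); subsequences are followed
    by name so one set of checks can be reused from several places."""
    node = first_check
    for _ in range(max_steps):            # guards against a mis-wired loop
        if node is None:
            raise RuntimeError("check has an unwired branch")
        if isinstance(node, End):
            if node.kind == "subsequence":
                node = subsequences[node.name]
                continue
            return (node.kind, node.name)
        node = node.on_pass if run_check(node, endpoint) else node.on_fail
    raise RuntimeError("sequence did not reach an end node")


# Constructed assessment: Windows hosts carrying the constructed management
# registry key get policy "Corporate"; everything else goes through the
# reusable "Untrusted" subsequence, which allows only hosts addressed in the
# constructed 10.10.0.0/16 range (policy "Guest") and denies the rest.
UNTRUSTED = Check("ip", "10.10.0.0/16",
                  on_pass=End("policy", "Guest"), on_fail=End("deny"))
SUBSEQUENCES = {"Untrusted": UNTRUSTED}
ASSESSMENT = Check(
    "os", ("Windows 7", "Windows Vista", "Windows XP"),
    on_pass=Check("registry", r"HKLM\SOFTWARE\ExampleCorp\Managed",
                  on_pass=End("policy", "Corporate"),
                  on_fail=End("subsequence", "Untrusted")),
    on_fail=End("subsequence", "Untrusted"))


def assess(endpoint):
    """Run the constructed assessment; returns the end-node outcome."""
    return evaluate(ASSESSMENT, endpoint, SUBSEQUENCES)


if __name__ == "__main__":
    managed = {"os": "Windows 7", "addresses": ["203.0.113.7"],
               "registry": {r"HKLM\SOFTWARE\ExampleCorp\Managed"}}
    print(assess(managed))                                      # Corporate
    print(assess({"os": "Mac OS X", "addresses": ["10.10.4.2"]}))  # Guest
```

The subsequence is what lets the same "Untrusted" checks be reused from both the non-Windows branch and the Windows-without-key branch, which is the first of the three reasons the text gives for subsequences; the step limit is a defensive choice so that an editing mistake that wires a cycle fails loudly rather than hanging the assessment.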

For a complete discussion of configuring HostScan and policies, refer to these chapters of the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators, Release 3.6:

Figure 5-2 Policies


Keystroke Logger Detection


Caution This section describes a feature that has been deprecated. Cisco stopped developing Keystroke Logger Detection (KSL) on November 20, 2012.

For more information, see the deprecation field notice "Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection Features Are Deprecated."

You can configure selected policies to scan for processes or modules that record keystrokes entered by the user, and deny VPN access if a suspected keystroke logging application is present.

By default, keystroke logger detection is disabled for each policy. You can use Secure Desktop Manager to enable or disable keystroke logger detection. You can specify the keystroke loggers that are safe or let the remote user interactively approve the ones that the scan identifies as a condition for running Cache Cleaner or HostScan on the remote computer.

If you enable it, keystroke logger detection downloads with Cache Cleaner or HostScan onto the remote computer. Following the download, keystroke logger detection runs only if the OS is Windows and the user login has administrator privileges.

The associated module runs only if the scan is clear, or only if you assign administrative control to the user and the user approves of the applications the scan identifies.


Note Keystroke logger detection applies to both user mode and kernel mode loggers as long as the end-user is logged in with administrator privileges.


Keystroke logger detection runs only on 32-bit Microsoft Windows OSs. See the “Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems” section.

Keystroke logger detection may be unable to detect every potentially malicious keystroke logger. It does not detect hardware keystroke logging devices.

Host Emulation Detection


Caution This section describes a feature that has been deprecated. Cisco stopped developing Host Emulation Detection on November 20, 2012.

For more information, see the deprecation field notice "Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection Features Are Deprecated."

Host emulation detection, another feature of policies, determines whether a remote Microsoft Windows operating system is running over virtualization software. You can use Secure Desktop Manager to enable or disable this feature, and deny access if a host emulator is present or report the detection to the user and let the user decide whether to continue or terminate.

By default, host emulation detection is disabled for each policy. If you enable it, it downloads with Secure Desktop, Cache Cleaner, or HostScan onto the remote computer. Following the download, host emulation detection runs first, along with keystroke logger detection if it is configured to do so. The associated module then runs if either of the following conditions is true:

  • The host is not running over an emulator (or virtualization software).
  • You did not configure it to always deny access, and the user approves of the detected host emulator.

See the “Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems” section.

Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems

Keystroke Logger Detection runs on the following operating systems:

  • Windows 7 x86 (32-bit)
  • Windows Vista SP1 and SP2 x86 (32-bit)
  • Windows XP SP3 x86 (32-bit)

Host Emulation Detection runs on the following operating systems:

  • Windows 7 x86 (32-bit) and x64 (64-bit)
  • Windows Vista SP1 and SP2 x86 (32-bit) and x64 (64-bit)
  • Windows XP SP3 x86 (32-bit) and x64 (64-bit)

Cache Cleaner


Caution This section describes a feature that has been deprecated. Cisco stopped developing Cache Cleaner on November 20, 2012.

For more information, see the deprecation field notice "Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection Features Are Deprecated."

Cache Cleaner attempts to eliminate the information from the browser cache at the end of a clientless SSL VPN session or after web-launching an AnyConnect Client session. This information includes entered passwords, auto-completed text, files cached by the browser, browser configuration changes made during the session, and cookies. Cache Cleaner is an alternative to Secure Desktop (Vault). It is functionally more limited but has the flexibility to support more operating systems.

Cache Cleaner runs on Microsoft Windows, Apple Mac OS, and Linux. For detailed system requirements, see the Cisco Secure Desktop Release Notes.

This is a typical sequence of events when Cache Cleaner has been deployed and the endpoint attempts to create a clientless SSL VPN connection or attempts to launch AnyConnect using web launch:


Step 1 The endpoint connects to the ASA when the user enters its URL in a browser.

Step 2 HostScan performs the assessment.

Step 3 Assuming that the endpoint passes the assessment, AnyConnect authentication begins. The user may enter a password or use a certificate to authenticate.

Step 4 For users running Internet Explorer without the “Clean the whole cache in addition to the current session cache (IE only)” option enabled, or for users running Safari or Firefox, Cache Cleaner takes a snapshot of the browser’s cache approximately one minute after the user authenticates.

Step 5 As the user works, the browser caches information.

Step 6 When users log out of the VPN session:

  • For users running Internet Explorer with the “Clean the whole cache in addition to the current session cache (IE only)” option enabled, Cache Cleaner attempts to delete the browser’s entire cache.
  • For users running Internet Explorer without that option enabled, or running Safari or Firefox, Cache Cleaner attempts to delete all of the browser’s cache and then restores the snapshot it took of the cache.

To prevent any sensitive information from being restored on the computer, we recommend that you manually clean the browser’s cache after your session and then close the browser.


Note We recommend that Cache Cleaner be configured with the “Clean the whole cache in addition to the current session cache (IE only)” option enabled.


HostScan

HostScan is a package that installs on the remote device after the user connects to the ASA and before the user logs in. HostScan consists of any combination of the Basic HostScan module, Endpoint Assessment module, and Advanced Endpoint Assessment module based on the configuration set by the CSD administrator. HostScan runs on Microsoft Windows, Apple Mac OS X, and Linux. For detailed requirements, see System Requirements.

The HostScan package is bundled in these software packages:

  • Cisco Secure Desktop (CSD). The ASA can deploy the HostScan package to the endpoint if CSD is enabled.
  • AnyConnect package. The ASA can deploy the HostScan package to the endpoint if the AnyConnect package is configured as the HostScan package and HostScan is enabled.
  • A pre-deployed posture module.

Note If HostScan was installed on the endpoint as part of a pre-deployed posture module but no HostScan package is enabled on the ASA, then when the endpoint connects to the ASA, the HostScan package on the endpoint will not perform endpoint assessment.


Basic HostScan Functionality

HostScan automatically identifies the operating system and service pack on any remote device establishing a Cisco clientless SSL VPN or AnyConnect client session, as long as CSD or HostScan is enabled on the ASA.

You can also configure HostScan to inspect the endpoint for specific processes, files, registry keys, digital certificates, and IP addresses using Secure Desktop Manager. Secure Desktop Manager is integrated with Adaptive Security Device Manager (ASDM) on the ASA.

HostScan performs all of these inspections before full tunnel establishment.

After HostScan gathers from the endpoint the operating system and service pack information along with the processes, files, registry keys, digital certificates, and IP addresses you configured it to gather, it sends this information to the ASA where it can be used to distinguish between corporate-owned, personal, and public computers. The information can also be used in assessments. See Prelogin Assessment for more information.

HostScan also automatically returns the following additional values for evaluation against configured DAP endpoint criteria:

  • Microsoft Windows, Mac OS, and Linux builds
  • Listening ports active on a connecting host running Microsoft Windows
  • CSD components installed on the connecting host
  • Microsoft Knowledge Base numbers (KBs)

For more information about DAP and Lua expressions, see Integration with Dynamic Access Policies and Chapter 7, “Using Match Criteria to Configure Dynamic Access Policies” in Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.

Endpoint Assessment

Endpoint Assessment is a HostScan extension that examines the remote computer for a large collection of antivirus and antispyware applications, associated definitions updates, and firewalls. You can use this feature to combine endpoint criteria to satisfy your requirements before the ASA assigns a specific dynamic access policy (DAP) to the session. See Chapter 7, “Using Match Criteria to Configure Dynamic Access Policies” in Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators for more information on DAPs.

Advanced Endpoint Assessment - Antivirus, Antispyware, and Firewall Remediation

With an Advanced Endpoint Assessment license installed on the ASA, you can use these advanced features of HostScan:

Remediation

On Windows, Mac OS X, and Linux desktops, Advanced Endpoint Assessment can attempt to initiate remediation of various aspects of antivirus, antispyware and personal firewall protection if that software allows a separate application to initiate remediation.

Antivirus — Advanced Endpoint Assessment can attempt to remediate these components of antivirus software:

  • Force File System Protection — If the antivirus software is disabled, Advanced Endpoint Assessment can enable it.
  • Force Virus Definitions Update — If the antivirus definitions have not been updated in the number of days defined by the Advanced Endpoint Assessment configuration, Advanced Endpoint Assessment can attempt to initiate an update of virus definitions.

Antispyware — If the antispyware definitions have not been updated in the number of days defined by the Advanced Endpoint Assessment configuration, Advanced Endpoint Assessment can attempt to initiate an update of antispyware definitions.

Personal Firewall — The Advanced Endpoint Assessment module can attempt to reconfigure firewall settings and rules if they do not meet the requirements defined in the Advanced Endpoint Assessment configuration.

  • The firewall can be enabled or disabled.
  • Applications can be prevented from running or allowed to run.
  • Ports can be blocked or opened.

Note Not all personal firewalls support this feature.


If the end user disables antivirus or the personal firewall after successfully establishing the VPN connection, the Advanced Endpoint Assessment feature will attempt to re-enable that application within approximately 60 seconds.

HostScan Support Charts

The HostScan support charts contain the product name and version information for the antivirus, antispyware, and firewall applications you use in your dynamic access policies.

In this release of the AnyConnect Secure Mobility Client, the HostScan package can be uploaded separately from Cisco Secure Desktop (CSD). This means you can deploy HostScan functionality without having to install CSD, and you are able to update your HostScan support charts by upgrading to the latest HostScan package.

You can download the HostScan support charts from cisco.com, here: http://www.cisco.com/en/US/products/ps10884/products_device_support_tables_list.html

These support charts can be viewed using Microsoft Excel, Microsoft Excel Viewer, or OpenOffice. Browsers such as Firefox, Chrome, and Safari provide the best download experience.

Configuring Antivirus Applications for HostScan

Before installing the posture module or HostScan package, configure your antivirus software to “white-list” or make security exceptions for the HostScan applications below. Antivirus applications can misinterpret the behavior of these applications as malicious.

  • cscan.exe
  • ciscod.exe
  • cstub.exe

Integration with Dynamic Access Policies

The ASA integrates the HostScan features into dynamic access policies (DAPs). Depending on the configuration, the ASA uses one or more endpoint attribute values in combination with optional AAA attribute values as conditions for assigning a DAP. The HostScan features supported by the endpoint attributes of DAPs include OS detection, policies, basic HostScan results, and endpoint assessment.


Note In order to enable HostScan features, you must have an AnyConnect Premium license installed on the ASA.


As an administrator, you can specify a single attribute or combine attributes that form the conditions required to assign a DAP to a session. The DAP provides network access at the level that is appropriate for the endpoint AAA attribute value. The ASA applies a DAP when all of its configured endpoint criteria are satisfied.
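The rule stated above (a DAP applies only when all of its configured endpoint criteria are satisfied, optionally combined with AAA attribute values, and the endpoint values include the prelogin policy name and the HostScan results) is shown below as an added example. It is not Cisco code and does not use the ASA's real DAP attribute syntax or its Lua expressions: the attribute names, the DAP records, the priorities and the sample sessions are constructed for illustration. The one real name is DfltAccessPolicy, the ASA's built-in default DAP that applies when no other record matches.

```python
"""Added illustration (not Cisco code) of DAP selection: a record applies
only when every endpoint criterion holds and any AAA criteria match too.
Attribute names, records and sample sessions are constructed."""
from datetime import date, timedelta

TODAY = date(2014, 3, 1)     # constructed "current" date for the examples


def endpoint_matches(criteria, endpoint, today):
    """Every endpoint criterion must hold; a single miss rejects the record."""
    for key, wanted in criteria.items():
        if key == "av.defs_max_age_days":
            # Constructed criterion: AV definitions no older than N days.
            av = endpoint.get("av")
            if av is None or (today - av["defs_updated"]).days > wanted:
                return False
        elif key == "av.present":
            if (endpoint.get("av") is not None) != wanted:
                return False
        elif key == "fw.enabled":
            fw = endpoint.get("fw")
            if fw is None or fw.get("enabled", False) != wanted:
                return False
        elif key == "listening_ports.none_of":
            # HostScan reports listening ports on Windows hosts.
            if set(endpoint.get("listening_ports", ())) & set(wanted):
                return False
        elif endpoint.get(key) != wanted:            # os, policy, ...
            return False
    return True


def aaa_matches(criteria, aaa):
    """AAA criteria are optional; when present they must all match."""
    return all(aaa.get(k) == v for k, v in criteria.items())


def select_dap(records, endpoint, aaa, today):
    """Return the highest-priority record whose criteria all hold, or the
    ASA's default DAP name when none does."""
    for rec in sorted(records, key=lambda r: r["priority"], reverse=True):
        if (endpoint_matches(rec.get("endpoint", {}), endpoint, today)
                and aaa_matches(rec.get("aaa", {}), aaa)):
            return rec["name"]
    return "DfltAccessPolicy"


# Constructed DAP table. "policy" is the prelogin policy name assigned by
# the assessment; AV and firewall facts come from Endpoint Assessment.
DAP_RECORDS = [
    {"name": "Corporate-Full", "priority": 30,
     "endpoint": {"policy": "Corporate", "av.present": True,
                  "av.defs_max_age_days": 7, "fw.enabled": True,
                  "listening_ports.none_of": [23, 3389]},
     "aaa": {"group": "employees"}},
    {"name": "Corporate-Limited", "priority": 20,
     "endpoint": {"policy": "Corporate"}},
    {"name": "Guest-Limited", "priority": 10,
     "endpoint": {"policy": "Guest", "av.present": True}},
]


def make_endpoint(policy, av_defs_age_days=None, fw_enabled=True, ports=()):
    """Build a constructed endpoint record; av_defs_age_days=None means
    Endpoint Assessment found no antivirus product."""
    ep = {"os": "Windows 7", "policy": policy, "fw": {"enabled": fw_enabled},
          "listening_ports": list(ports)}
    if av_defs_age_days is not None:
        ep["av"] = {"product": "ExampleAV",
                    "defs_updated": TODAY - timedelta(days=av_defs_age_days)}
    return ep


def decide(endpoint, aaa):
    """Apply the constructed DAP table to one session."""
    return select_dap(DAP_RECORDS, endpoint, aaa, TODAY)


if __name__ == "__main__":
    print(decide(make_endpoint("Corporate", 2), {"group": "employees"}))
    print(decide(make_endpoint("Corporate", 30), {"group": "employees"}))
```

The ordering matters: a corporate host whose definitions are stale, whose firewall is off, or whose AAA group does not match drops from the full-access record to the limited one, and a host that matches no record lands on the default policy, which is why the default DAP is normally configured to be restrictive.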


Note For a complete discussion about how you configure DAPs on the ASA using ASDM, find the Adaptive Security Device Manager (ASDM) Configuration Guide for your version of ASDM and read the chapter on “Configuring Dynamic Access Policies”.


Difference Between the Posture Module and the Standalone HostScan Package

The AnyConnect Posture Module can be deployed by the ASA to the endpoint, or it can be installed on the endpoint using a pre-deployment kit before the endpoint makes its initial connection to the ASA.

The posture module contains the HostScan package, assessment, keystroke logger detection, host emulation detection, and cache cleaner, as well as a few other modules that the HostScan application requires. Deploying the posture module allows HostScan to run privileged operations even when the user on the endpoint is not an administrator, and it allows other AnyConnect modules to start using HostScan.

The standalone HostScan package delivers the HostScan engine, assessment module, keystroke logger detection and host emulation detection.

AnyConnect Posture Module Dependencies and System Requirements

The AnyConnect posture module contains the HostScan package and other components.

Dependencies

The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA components:

  • ASA 8.4
  • ASDM 6.4

These AnyConnect features require that you install the posture module.

  • HostScan
  • SCEP authentication
  • AnyConnect Telemetry Module

HostScan, CSD, and AnyConnect Secure Mobility Client Interoperability


Caution If you deploy HostScan with the AnyConnect Secure Mobility Client, version 3.0.x, the AnyConnect Secure Mobility Client requires HostScan to have the same version number as itself or a later one.

If you have Cisco Secure Desktop (CSD) version 3.5, or earlier, enabled on the ASA and you do not upgrade the HostScan package to match or exceed the version of AnyConnect Secure Mobility Client 3.0.x you are deploying, assessments will fail, and users will be unable to establish a VPN session. This will happen even if the AnyConnect 3.0.x posture module is pre-deployed to the endpoint because the ASA will automatically downgrade the HostScan package on the endpoint to match the HostScan package enabled on the ASA.

AnyConnect 2.5.3005 and earlier is not compatible with any version of HostScan.

System Requirements

The posture module can be installed on any of these platforms:

  • Windows XP (x86 and x86 running on x64)
  • Windows Vista (x86 and x86 running on x64)
  • Windows 7 (x86 and x86 running on x64)
  • Mac OS X 10.6, 10.7, 10.8, and 10.9 (32-bit and 32-bit running on 64-bit)
  • Red Hat Enterprise Linux 6.x (64-bit) and Red Hat Enterprise Linux 5.x (32-bit and 32-bit running on 64-bit)

Note HostScan is a 32-bit application and requires the core 32-bit libraries to be installed on 64-bit Linux operating systems. HostScan does not provide these 32-bit libraries at the time it is installed. Customers need to install the 32-bit libraries on the endpoints themselves, if they are not already provisioned.


Licensing

These are the AnyConnect licensing requirements:

  • An AnyConnect Premium license is required for all features delivered with HostScan including basic HostScan, endpoint assessment, and advanced endpoint assessment.
  • The Advanced Endpoint Assessment license is an additional license required for remediation.

Entering an Activation Key to Support Advanced Endpoint Assessment

Advanced Endpoint Assessment includes all of the Endpoint Assessment features and lets you configure an attempt to update noncompliant computers to meet version requirements. You can use ASDM to activate a key to support Advanced Endpoint Assessment after acquiring it from Cisco, as follows:


Step 1 Choose Configuration > Device Management > Licensing > Activation Key.

Step 2 Enter the key in the New Activation Key field.

Step 3 Click Update Activation Key.

Step 4 Choose File > Save Running Configuration to Flash.

An Advanced Endpoint Assessment entry appears and the Configure button becomes active in the HostScan Extensions area of the Configuration > Remote Access VPN > Secure Desktop Manager > HostScan pane, which is accessible only if CSD is enabled.



HostScan Packaging

You can load the HostScan package on to the ASA in one of these ways:

  • You can upload it by uploading an AnyConnect Secure Mobility package: anyconnect-win-version-k9.pkg
  • You can upload it by uploading a Cisco Secure Desktop package: csd_version-k9.pkg
  • You can upload it as a standalone package: hostscan-version-k9.pkg


Table 5-1 HostScan Packages You Load to the ASA

File: anyconnect-win-version-k9.pkg
Description: This package contains all the Cisco AnyConnect Secure Mobility Client features including the hostscan-version-k9.pkg file.

File: csd_version-k9.pkg
Description: This file contains all Cisco Secure Desktop features including HostScan software as well as the HostScan support charts, secure desktop (Vault), cache cleaner, keystroke logger detection, and host emulation detection.

File: hostscan-version-k9.pkg
Description: This file contains the HostScan image, HostScan support charts, assessment module, cache cleaner, keystroke logger detection and host emulation detection.

Which HostScan Image Gets Enabled When There is More than One Loaded on the ASA?

The HostScan image is delivered with the HostScan package. It can be deployed to the endpoint from the standalone HostScan package, the full AnyConnect Secure Mobility Client package, and Cisco Secure Desktop. Depending on what licenses you have installed on your ASA, you may have all of these packages loaded on your ASA. In that case, the ASA enables the image that you specified as the HostScan image first and if you have not specified one, the ASA enables the HostScan functionality from Cisco Secure Desktop. See the “Installing or Upgrading HostScan” section.

If you uninstall the HostScan package, the ASA cannot enable its HostScan image.

These scenarios describe which HostScan package the ASA distributes when it has more than one loaded.

Under These Conditions / The ASA Distributes this Package

1. Conditions:
  • You upload a standalone HostScan package to the ASA.
  • You designate it as the HostScan image.
  • You enable CSD/hostscan.
  Result: The ASA distributes the standalone HostScan package.

2. Conditions:
  • You upload a standalone HostScan package on the ASA.
  • You designate it as the HostScan image.
  • You upload a CSD image on the ASA.
  • You enable CSD/hostscan.
  Result: The ASA distributes the standalone HostScan package.

3. Conditions:
  • You upload a HostScan image on the ASA.
  • You do not enable it.
  • You upload a CSD image on the ASA.
  • You enable CSD/hostscan.
  Result: The ASA distributes the standalone HostScan image because it was not uninstalled.

4. Conditions:
  • You upload an AnyConnect Secure Mobility Client package on the ASA.
  • You designate it as the HostScan image.
  Result: The ASA distributes the HostScan image from that package.

5. Conditions:
  • You upload an AnyConnect Secure Mobility Client package file on the ASA.
  • You do not specify it as the HostScan image.
  • You have also uploaded a HostScan package or a CSD package to the ASA.
  • You enable CSD/hostscan.
  Result: The ASA distributes the installed HostScan package or CSD package. The ASA does not distribute the HostScan package associated with that AnyConnect package.
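The package naming in Table 5-1, the precedence rules for which HostScan image the ASA distributes, and the AnyConnect/HostScan version interoperability rule from the “HostScan, CSD, and AnyConnect Secure Mobility Client Interoperability” section can be checked offline before an upgrade. The following is an added example, not Cisco code: the filenames and version numbers are constructed, and select_distributed_image is this example's reading of the scenarios above (a designated image wins; otherwise an installed standalone package, then CSD; the HostScan inside an undesignated AnyConnect package is never used), not the ASA's implementation.

```python
"""Added model (not Cisco code) of which HostScan image the ASA distributes
when several packages are loaded, plus the AnyConnect/HostScan version
interoperability rule. Filenames and versions are constructed."""
import re

# Package names as listed in Table 5-1: anyconnect-win-<ver>-k9.pkg,
# csd_<ver>-k9.pkg and hostscan-<ver>-k9.pkg.
PACKAGE_RE = re.compile(
    r"^(?:(?P<anyconnect>anyconnect-win)-|(?P<csd>csd)_|(?P<hostscan>hostscan)-)"
    r"(?P<version>\d+(?:\.\d+)+)-k9\.pkg$")


def parse_package(filename):
    """Return (kind, version_tuple) for a HostScan-bearing package name."""
    m = PACKAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not a recognised package name: {filename}")
    kind = next(k for k in ("anyconnect", "csd", "hostscan") if m.group(k))
    return kind, tuple(int(p) for p in m.group("version").split("."))


def select_distributed_image(loaded, designated=None, enabled=True):
    """Which loaded package's HostScan image the ASA hands out.
    loaded: package filenames present on the ASA (an uninstalled package is
    simply absent); designated: the filename configured as the HostScan
    image, if any; enabled: whether CSD/HostScan is enabled."""
    if not enabled:
        return None
    if designated is not None:
        if designated not in loaded:
            raise ValueError("designated HostScan image is not loaded")
        return designated                          # explicit choice wins
    kinds = {parse_package(f)[0]: f for f in loaded}
    # No designation: a standalone package that is still installed serves
    # (scenario 3), then CSD; an AnyConnect package's own HostScan is never
    # used unless designated (scenario 5).
    return kinds.get("hostscan") or kinds.get("csd")


def hostscan_compatible(anyconnect_version, hostscan_version):
    """AnyConnect 2.5.3005 and earlier works with no HostScan at all; the
    3.0.x rule (HostScan must be the same version or newer than the client)
    is applied here to every later client as an assumption."""
    if anyconnect_version <= (2, 5, 3005):
        return False
    return hostscan_version >= anyconnect_version


if __name__ == "__main__":
    # Constructed package set: standalone HostScan and CSD loaded, nothing
    # designated, CSD/HostScan enabled -> the standalone image is served.
    flash = ["hostscan-3.1.12345-k9.pkg", "csd_3.6.11111-k9.pkg"]
    print(select_distributed_image(flash))
    client = parse_package("anyconnect-win-3.1.12345-k9.pkg")[1]
    print(hostscan_compatible(client, parse_package(flash[0])[1]))
```

Checking the version pairing this way before pushing a client upgrade is worthwhile because the failure mode described in the interoperability section is silent from the user's side: assessments fail and the VPN session never establishes, and pre-deploying the posture module does not help since the ASA downgrades the endpoint's HostScan to match its own.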

Deploying the AnyConnect Posture Module and HostScan

There are two different deployment scenarios for the posture module and HostScan.

Pre-deployment

Using the pre-deployment method, you install the AnyConnect client and posture module before the endpoint attempts to make a connection to the ASA. The pre-deployment posture module package contains every component, library, and support chart that could be used to gather posture attributes as well as the applications that provide you with the features described in the “Features Enabled with the AnyConnect Posture Module” section. If you pre-deploy to the endpoint the same version of the AnyConnect client and posture module installed on the ASA, no additional posture module files are pushed down from the ASA when the endpoint connects to the ASA.

Web-deployment

Using the web-deployment method, when the endpoint connects to the ASA, the ASA pushes the AnyConnect client and posture module down to the endpoint. To make the download as fast and efficient as possible, the ASA only downloads the essential posture module files.

When the endpoint connects again, the essential posture module files determine what other libraries or files it needs to perform an endpoint assessment and retrieves those files from the ASA. For example, the posture module may retrieve a HostScan support chart of all Norton anti-virus software because a version of Norton anti-virus is running on the endpoint. After the posture module retrieves the additional files it needs, it performs the endpoint assessment and forwards the attributes to the ASA. Assuming the endpoint attributes are sufficient to satisfy a dynamic access policy (DAP) rule, the ASA allows the endpoint to connect. As a result of satisfying the DAP, the ASA could be configured to push the remainder of the posture module to the endpoint or not.

If you do not want the entire posture module web-deployed to the endpoint, you can perform a limited web-deployment in which only one posture file is downloaded to the endpoint, and that file requests only the HostScan libraries it needs to perform the endpoint assessment. In this scenario, download times from the ASA to the endpoint are very short, but you lose the ability to perform Advanced Endpoint Assessment tasks such as antivirus, antispyware, or firewall remediation.

Pre-Deploying the AnyConnect Posture Module

When you pre-deploy the posture module, you install it on the endpoint before the AnyConnect client makes its initial connection to the ASA.

You need to install the AnyConnect Secure Mobility Client on the endpoint before you install the posture module. See Chapter 2, “Deploying AnyConnect Client Profiles” for instructions on installing the AnyConnect Secure Mobility Client and the posture module using web-deployment and pre-deployment methods.

Table 5-2 lists the posture module pre-deployment kits:

Table 5-2 Posture Module Pre-Deployment Kits

Platform    File
Windows     anyconnect-posture-win-<version>-pre-deploy-k9.msi
Linux       anyconnect-linux-<version>-posture-k9.tar.gz
Mac OS X    anyconnect-macosx-posture-i386-<version>-i386-k9.dmg

Installing and Enabling HostScan on the ASA

These tasks describe installing and enabling HostScan on the ASA:

Downloading the Latest HostScan Engine Update

To download the latest Cisco HostScan Engine Updates, you must be a registered user of Cisco.com.


Step 1 Click this link to reach the software download area for Cisco VPN Client Tools:

http://www.cisco.com/cisco/software/release.html?mdfid=282414594&flowid=4470&softwareid=282364364&release=Engine%20Updates&relind=AVAILABLE&rellifecycle=&reltype=latest

Step 2 Expand Latest Releases in the product directory tree.

Step 3 Click Engine Updates.

Step 4 In the column on the right, find the latest version of hostscan_3.0.xxxx-k9.pkg and click Download Now.

Step 5 Enter your cisco.com credentials and click Login.

Step 6 Click Proceed with Download.

Step 7 Read the End User License Agreement and click Agree.

Step 8 Select a download manager option and click the download link to proceed with the download.



Installing or Upgrading HostScan

Use this procedure to upload, or upgrade, and enable a new HostScan image on the ASA. Use the image to enable HostScan functionality for AnyConnect or upgrade the HostScan support charts for an existing deployment of Cisco Secure Desktop (CSD).

You can specify either a standalone HostScan package or an AnyConnect Secure Mobility Client version 3.0 or later package in the HostScan Image location field.

If you previously uploaded a CSD image to the ASA, the HostScan image you specify will upgrade or downgrade the existing HostScan files that were delivered with that CSD package.

You do not need to restart the security appliance after you install or upgrade HostScan; however, you must exit and restart Adaptive Security Device Manager (ASDM) to access the Secure Desktop Manager tool in ASDM.


Note HostScan requires an AnyConnect Secure Mobility Client premium license.



Step 1 Download the latest version of the HostScan package using Downloading the Latest HostScan Engine Update.


Note You will need to have an account on Cisco.com and be logged in to download the software.


Step 2 Open ASDM and choose Configuration > Remote Access VPN > HostScan Image. ASDM opens the HostScan Image panel (Figure 5-3).

Figure 5-3 HostScan Image Panel

Step 3 Click Upload to prepare to transfer a copy of the HostScan package from your computer to a drive on the ASA.

Step 4 In the Upload Image dialog box, click Browse Local Files to search for the HostScan package on your local computer.

Step 5 Select the hostscan_<version>.pkg file or anyconnect-win-<version>-k9.pkg file you downloaded in Step 1 and click Select. The path to the file you selected is shown in the Local File Path field, and the Flash File System Path field reflects the destination path of the HostScan package. If your ASA has more than one flash drive, you can edit the Flash File System Path to indicate another flash drive.

Step 6 Click Upload File. ASDM transfers a copy of the file to the flash card. An Information dialog box displays the following message:

File has been uploaded to flash successfully.

Step 7 Click OK.

Step 8 In the Use Uploaded Image dialog, click OK to use the HostScan package file you just uploaded as the current image.

Step 9 Check Enable HostScan/CSD if it is not already checked.

Step 10 Click Apply.


Note If AnyConnect Essentials is enabled on the ASA, you receive a message that HostScan and CSD will not work with it. You have the choice to Disable or Keep AnyConnect Essentials.


Step 11 Click Save.



Enabling or Disabling HostScan on the ASA

When you first upload or upgrade a HostScan image using ASDM, you enable the image as part of that procedure. See the “Installing and Enabling HostScan on the ASA” section.

Otherwise, to enable or disable a HostScan image using ASDM, follow this procedure:


Step 1 Open ASDM and choose Configuration > Remote Access VPN > HostScan Image. ASDM opens the HostScan Image panel (Figure 5-3).

Step 2 Check Enable HostScan/CSD to enable HostScan or uncheck Enable HostScan/CSD to disable HostScan.

Step 3 Click Apply.

Step 4 Click Save.



Enabling or Disabling CSD on the ASA

Enabling Cisco Secure Desktop (CSD) loads the CSD configuration file and data.xml from the flash device to the running configuration. Disabling CSD does not alter the CSD configuration.

Use ASDM to enable or disable CSD as follows:


Step 1 Choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup.

ASDM opens the Setup pane (Figure 5-3).


Note The Secure Desktop Image field displays the image (and version) that is currently installed. The Enable Secure Desktop check box indicates whether CSD is enabled.


Step 2 Check Enable Secure Desktop to enable CSD or uncheck Enable Secure Desktop to disable CSD.

Step 3 Close ASDM. A window displays the following message:

The configuration has been modified. Do you want to save the running configuration to flash memory?

Step 4 Click Save. ASDM saves the configuration and closes.



HostScan and CSD Upgrades and Downgrades

The ASA automatically distributes the enabled HostScan package to the endpoint whether that package is the standalone HostScan package, the package included with AnyConnect Secure Mobility Client, or the package included with Cisco Secure Desktop. If the endpoint has an older version of the HostScan package installed, the package on the endpoint gets upgraded; if the endpoint has a newer version of the HostScan package, the endpoint package gets downgraded.

Determining the HostScan Image Enabled on the ASA

Open ASDM and select Configuration > Remote Access VPN > HostScan Image.

If there is a HostScan image designated in the HostScan Image location field, and the Enable HostScan/CSD box is checked, the version of that image is the HostScan version being used by the ASA.

If the HostScan Image field is empty and the Enable HostScan/CSD box is checked, select Configuration > Remote Access VPN > Secure Desktop Manager. The version of CSD in the Secure Desktop Image Location field is the HostScan version being used by the ASA.

Uninstalling HostScan

Uninstalling the HostScan Package

Uninstalling the HostScan package removes it from view on the ASDM interface and prevents the ASA from deploying it even if HostScan or CSD is enabled. Uninstalling HostScan does not delete the HostScan package from the flash drive.

Use this procedure to uninstall HostScan on the security appliance:


Step 1 Open ASDM and select Configuration > Remote Access VPN > HostScan Image.

Step 2 In the HostScan Image pane, click Uninstall. ASDM removes the text from the Location text box.

Step 3 Click Save.



Uninstalling CSD from the ASA

Uninstalling Cisco Secure Desktop (CSD) removes the CSD configuration file, data.xml, from the desktop directory on the flash card. If you want to retain the file, copy it using an alternative name or download it to your workstation before you uninstall CSD.

Use this procedure to uninstall CSD on the security appliance:


Step 1 Open ASDM and choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup.

ASDM opens the Setup pane (Figure 5-3).

Step 2 Click Uninstall.

A confirmation window displays the following message:

Do you want to delete disk0:/csd_<n>.<n>.*.pkg and all CSD data files?

Step 3 Click Yes.

ASDM removes the text from the Location text box and removes the Secure Desktop Manager menu options below Setup.

Step 4 Close ASDM. A window displays the following message:

The configuration has been modified. Do you want to save the running configuration to flash memory?

Step 5 Click Save. ASDM saves the configuration and closes.



Assigning AnyConnect Posture Module to a Group Policy


Step 1 Open ASDM and choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies.

Step 2 In the Group Policies panel, click Add to create a new group policy or select the group policy to which you want to assign the HostScan package and click Edit.

Step 3 In the Edit Internal Group Policy panel, expand the Advanced navigation tree on the left side of the panel and select AnyConnect Client.

Step 4 Uncheck the Optional Client Modules to Download Inherit checkbox.

Step 5 In the Optional Client Modules to Download drop-down menu, check AnyConnect Posture Module and click OK.

Step 6 Click OK.



HostScan Logging

HostScan logs to the Event Viewer on Windows platforms and to syslog on non-Windows platforms. In the Event Viewer, all HostScan logs are in their own “Cisco AnyConnect Secure Mobility Client Posture” folder.

Configuring the Logging Level for All Posture Module Components

By default, components in the posture module log “Error” severity level events. Use these instructions to change the logging severity level for all components of the posture module.

The posture module installs the cscan.log file in the user’s home folder. The cscan.log file shows only the entries from the last VPN session. Each time the user connects to the ASA, HostScan overwrites the entries in this file with new logging data.

To view or change the posture logging level:


Step 1 From the ASDM interface, select Configuration > Remote Access VPN > Secure Desktop Manager > Global Settings. The Global Settings panel opens.


Step 2 Set the Logging Level using the Logging Level Definitions in the panel as a guide.

Step 3 Click Apply All to save the changes to the running configuration.




Note If HostScan is disabled for a particular connection profile, HostScan logging does not occur for users of that connection profile.


Posture Module Log Files and Locations

Posture module components output up to three logs based on your operating system, privilege level, and launching mechanism (Web Launch or AnyConnect):

  • cstub.log - Captures logging when AnyConnect web launch is used.
  • libcsd.log - Created by the AnyConnect thread that uses the HostScan API. Debugging entries are written to this log depending on the configured logging level.
  • cscan.log - Created by the scanning executable (cscan.exe); this is the main log for posture and HostScan. Debugging entries are written to this log depending on the configured logging level.

The posture module puts these log files in the user’s home folder. The location is dependent on the operating system and VPN method.

Cisco Technical Assistance Center (TAC) uses these log files to debug problems if the need arises. You do not need to review these files yourself. Should Cisco TAC need them, you will be asked to provide a DART bundle. The DART utility collects all the necessary AnyConnect configuration and log files and stores them in a compressed file, which you then send to TAC. See the “Using DART to Gather Troubleshooting Information” section for more information about DART.

Using a BIOS Serial Number in a DAP

HostScan can retrieve the BIOS serial number of a host. You can use a Dynamic Access Policy (DAP) to allow or prevent a VPN connection to the ASA based on that BIOS serial number.

Specifying the BIOS as a DAP Endpoint Attribute


Step 1 Log on to ASDM.

Step 2 Select Configuration > Remote Access VPN > Network (Client) Access (or Clientless SSL VPN Access) > Dynamic Access Policies.

Step 3 In the Configure Dynamic Access Policies panel, click Add or Edit to configure BIOS as a DAP Endpoint Attribute.

Step 4 To the right of the Endpoint ID table, click Add.

Step 5 In the Endpoint Attribute Type field, select Device.

Step 6 Check the BIOS Serial Number checkbox, select = (equals) or != (not equals), and enter the BIOS number in the BIOS Serial Number field.


Step 7 Click OK to save changes in the Endpoint Attribute dialog box.

Step 8 Click OK to save your changes to the Edit Dynamic Access Policy.

Step 9 Click Apply to save your changes to the Dynamic Access Policy.

Step 10 Click Save.
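The following is an added illustration, not Cisco code, of how a DAP endpoint-ID rule on the BIOS serial number (= or !=, as configured in the steps above) selects a policy for a connecting endpoint. The attribute key, the case-insensitive comparison, and the "terminate wins, no match falls through to the default policy" behaviour are assumptions of this model, not documented ASA internals.

```python
# Added example (not Cisco code): a minimal model of DAP endpoint-attribute
# matching on the BIOS serial number reported by HostScan.
from dataclasses import dataclass, field

# Hypothetical attribute key under which HostScan reports the BIOS serial.
BIOS_SERIAL_ATTR = "endpoint.device.id"


@dataclass
class BiosSerialCriterion:
    """One 'Device > BIOS Serial Number' endpoint attribute, = or != as in ASDM."""
    serial: str
    op: str = "="  # "=" (equals) or "!=" (not equals)

    def matches(self, endpoint: dict) -> bool:
        reported = endpoint.get(BIOS_SERIAL_ATTR)
        if reported is None:
            # HostScan returned no serial (unsupported platform, or HostScan is
            # disabled for the connection profile): the attribute cannot satisfy
            # the rule in either direction, so the record does not match.
            return False
        # Assumption: compare trimmed, case-insensitively.
        equal = reported.strip().upper() == self.serial.strip().upper()
        return equal if self.op == "=" else not equal


@dataclass
class DapRecord:
    name: str
    action: str  # "continue" or "terminate"
    criteria: list = field(default_factory=list)

    def matches(self, endpoint: dict) -> bool:
        # Every endpoint attribute in the record must match for it to apply.
        return all(c.matches(endpoint) for c in self.criteria)


def select_action(endpoint: dict, records: list, default_action: str = "terminate") -> tuple:
    """Return (names of matching records, resulting action)."""
    matched = [r for r in records if r.matches(endpoint)]
    if not matched:
        return ([], default_action)  # fall through to the default policy
    action = "terminate" if any(r.action == "terminate" for r in matched) else "continue"
    return ([r.name for r in matched], action)


# Constructed sample policy: one known corporate serial allowed, one lost asset blocked.
SAMPLE_DAP = [
    DapRecord("CorpLaptop", "continue", [BiosSerialCriterion("CNU1234ABC")]),
    DapRecord("LostAsset", "terminate", [BiosSerialCriterion("CNU9999ZZZ")]),
]
```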



How to Obtain BIOS Serial Numbers

These resources explain how to obtain the BIOS Serial number on various endpoints.

/usr/bin/hal-get-property --udi /org/freedesktop/Hal/devices/computer --key system.hardware.serial