Configuring AnyConnect Host Scan
The AnyConnect Posture Module gives the AnyConnect Secure Mobility Client the ability to identify the operating system and the anti-virus, anti-spyware, and firewall software installed on the host. The Host Scan application gathers this information.
Using the secure desktop manager tool in the Adaptive Security Device Manager (ASDM), you can create a prelogin policy that evaluates the operating system, anti-virus, anti-spyware, and firewall software that Host Scan identifies. Based on the result of the prelogin policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.
The Host Scan support chart contains the product name and version information for the anti-virus, anti-spyware, and firewall applications you use in your prelogin policies. We deliver Host Scan and the Host Scan support chart, as well as other components, in the Host Scan package.
Starting with AnyConnect Secure Mobility Client, release 3.0, Host Scan is available separately from CSD. This means you can deploy Host Scan functionality without having to install CSD, and you can update your Host Scan support charts by upgrading to the latest Host Scan package.
Posture assessment and the AnyConnect telemetry module require Host Scan to be installed on the host.
Host Scan Dependencies and System Requirements
Dependencies
The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA components:
These AnyConnect features require that you install the posture module.
System Requirements
The posture module can be installed on any of these platforms:
Licensing
These are the AnyConnect licensing requirements for the posture module:
Host Scan Packaging
You can load the Host Scan package onto the ASA in one of these ways:
- You can upload it as a standalone package: hostscan-version.pkg
- You can upload it by uploading an AnyConnect Secure Mobility package: anyconnect-NGC-win-version-k9.pkg
- You can upload it by uploading a Cisco Secure Desktop package: csd_version-k9.pkg
Installing and Enabling Host Scan on the ASA
These tasks describe installing and enabling Host Scan on the ASA:
- Installing or Upgrading Host Scan
- Enabling or Disabling a Host Scan
- Viewing the Host Scan Version Enabled on the ASA
- Uninstalling Host Scan
- Assigning AnyConnect Feature Modules to Group Policies
Installing or Upgrading Host Scan
Use this procedure to install or upgrade the Host Scan package and enable it using the command line interface for the ASA.
Prerequisites
Detailed Steps
Enabling or Disabling a Host Scan
These commands enable or disable an installed Host Scan image using the command line interface of the ASA.
Prerequisites
Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#
Detailed Steps for Enabling Host Scan
Detailed Steps for Disabling Host Scan
Disables Host Scan for all installed Host Scan packages.
Note: Before you uninstall the enabled Host Scan image, you must first disable Host Scan using this command.
Viewing the Host Scan Version Enabled on the ASA
Use this procedure to determine the enabled Host Scan version using the ASA’s command line interface.
Prerequisites
Log on to the ASA and enter privileged exec mode. In privileged exec mode, the ASA displays this prompt: hostname#
Uninstalling Host Scan
Uninstalling the Host Scan package removes it from view on the ASDM interface and prevents the ASA from deploying it even if Host Scan or CSD is enabled. Uninstalling Host Scan does not delete the Host Scan package from the flash drive.
Prerequisites
Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#
Detailed Steps
Assigning AnyConnect Feature Modules to Group Policies
This procedure associates AnyConnect feature modules with a group policy. When VPN users connect to the ASA, the ASA downloads and installs these AnyConnect feature modules to their endpoint computer.
Prerequisites
Log on to the ASA and enter global configuration mode. In global configuration mode, the ASA displays this prompt: hostname(config)#
Detailed Steps
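The following is an added example, not part of the original guide or Cisco's own tooling: a Python check over a saved running-config that flags group policies assigning the posture or telemetry module while Host Scan is not both installed and enabled on the ASA. The configuration excerpt is constructed, and the command keywords it matches (`csd hostscan image`, `csd image`, `csd enable`, `anyconnect modules value`) do not survive on this page; they are assumed from the ASA CLI and should be checked against your software release.

```python
import re

# Constructed running-config excerpt (not from a real device); the package
# name is a placeholder.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 csd hostscan image disk0:/hostscan_EXAMPLE-k9.pkg
 anyconnect enable
group-policy Contractors internal
group-policy Contractors attributes
 webvpn
  anyconnect modules value telemetry
group-policy Staff attributes
 webvpn
  anyconnect modules value posture,telemetry
"""

NEEDS_HOST_SCAN = {"posture", "telemetry"}  # modules that depend on Host Scan

def audit_host_scan(config):
    """Return findings about Host Scan state versus module assignments."""
    image = enabled = False
    modules = {}              # group policy name -> set of assigned modules
    section = policy = None
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        text = line.strip()
        if not text:
            continue
        if indent == 0:       # a new top-level section starts here
            section, policy = text, None
            m = re.match(r"group-policy (\S+) attributes$", text)
            if m:
                policy = m.group(1)
        elif section == "webvpn" and indent == 1:   # global webvpn settings
            image = image or text.startswith(("csd hostscan image ", "csd image "))
            enabled = enabled or text == "csd enable"
        elif policy and text.startswith("anyconnect modules value "):
            modules[policy] = set(text.split()[-1].split(","))
    findings = []
    if image and not enabled:
        findings.append("Host Scan image installed but not enabled")
    for name, mods in sorted(modules.items()):
        needed = sorted(mods & NEEDS_HOST_SCAN)
        if needed and not (image and enabled):
            findings.append(f"{name}: {','.join(needed)} assigned but Host Scan is not enabled")
    return findings
```

Run `audit_host_scan()` on the text of a saved configuration; an empty list means every policy that relies on Host Scan has it installed and enabled.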
Other Important Documentation Addressing Host Scan
Once Host Scan gathers the posture credentials from the endpoint computer, you will need to understand subjects such as configuring prelogin policies, configuring dynamic access policies, and using Lua expressions to make use of the information.
These topics are covered in detail in these documents:
- Cisco Secure Desktop Configuration Guides
- Cisco Adaptive Security Device Manager Configuration Guides
See also the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 for more information about how Host Scan works with AnyConnect clients.