How to configure Cisco AnyConnect to send streaming data


Most companies have a virtual private network (VPN) to allow users to remotely access the corporate network, but this leaves a blind spot on the network – until now.

What is Cisco AnyConnect?

AnyConnect is Cisco’s secure VPN client and is being hailed as a next-generation VPN client. While a lot of VPN clients only provide endpoint VPN access, AnyConnect Secure Mobility Client provides a number of modules that allow users and businesses to do more. What also makes AnyConnect special is that it has modules that help with security around who is allowed to connect and how they connect; you can read about these modules here. This is great and could alleviate some concerns, but there is still a question about visibility.

So what can we see?

Depending on the device and monitoring points, we can usually only see the start and end points of VPN tunnels. This leaves a large gap in the middle. Even if we can see the connection information, we are missing some useful details.

What if we could see the username, source, DNS suffix, and even the operating system of the device the user is connecting from? Well, thanks to AnyConnect and nvzFlow (IPFIX) from Cisco, we can! You can read more about it in this blog written by my colleague Justin.

How do we get the flows to the collector?

First, there are some requirements that we must meet.

You will need Cisco AnyConnect 4.2.0 or higher, an AnyConnect APEX license, and ASDM 7.5.1 or higher. Then we can move on to the fun stuff.

One thing to note is that the AnyConnect NVM configuration is saved to an XML file that contains the collector’s IP address and port number. These must be set correctly in the NVM client profile. For the NVM module to work, the XML file must be located in the following directory:

  • For Windows 7 and later: %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\NVM
  • For Mac OS X: /opt/cisco/anyconnect/nvm

If the profile is on a Cisco ASA/ISE, it will be sent automatically with the AnyConnect deployment. Here is an example XML profile from the Cisco website:

<?xml version="1.0" encoding="UTF-8"?> – 192.0.2.123 2055 False All

An NVM profile can also be created using the Cisco ASDM or the AnyConnect Profile Editor. If you would like guidance on setting up the profile through ASDM or ISE, you can follow this Cisco guide. It explains how to send flows to Splunk, but the principle is the same.

Important: If you end your configuration here, each end user will appear in Scrutinizer as their own flow source (exporter). As you can imagine, if you have hundreds or thousands of VPN users, this will quickly become a huge problem.

To prevent this, you can use our Replicator. Create a profile in the Replicator that forwards all of the exporters (the end users, in this case) to Scrutinizer, and give the AnyConnect clients the Replicator as their collector IP. For example, let’s say my Replicator’s IP is 10.1.3.86. I configure my XML profile to send nvzFlow to 10.1.3.86 on port 2055. Once I see the flows arriving in the Replicator, I assign them to the profile and make sure the profile is set to forward the flows to Scrutinizer from source IP 10.1.3.86. This way Scrutinizer sees one exporter instead of hundreds of individual IP addresses.
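The two profiles discussed here (Cisco’s 192.0.2.123:2055 example and the Replicator at 10.1.3.86:2055), as an added Python example that is not from this post, from Cisco, or from Plixer: it builds a profile for a given collector and checks that a profile actually points at the Replicator before it is pushed to clients. The element names are my recollection of the NVM profile schema and are an assumption; confirm them against a profile exported from the ASDM or AnyConnect Profile Editor.

```python
import ipaddress
import xml.etree.ElementTree as ET

# ASSUMPTION: element names (NVMProfile, CollectorConfiguration, CollectorIP,
# Port, Anonymize, CollectionMode) are recalled from the AnyConnect NVM profile
# schema, not taken from this post; confirm them against a profile exported
# from ASDM or the AnyConnect Profile Editor before deploying anything built here.

def build_nvm_profile(collector_ip, port, anonymize=False, collection_mode="all"):
    """Render an NVM client profile that exports nvzFlow (IPFIX) to collector_ip:port."""
    ipaddress.ip_address(collector_ip)      # raises ValueError on a malformed address
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid collector port: {port}")
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<NVMProfile>\n"
        "  <CollectorConfiguration>\n"
        f"    <CollectorIP>{collector_ip}</CollectorIP>\n"
        f"    <Port>{int(port)}</Port>\n"
        "  </CollectorConfiguration>\n"
        f"  <Anonymize>{'true' if anonymize else 'false'}</Anonymize>\n"
        f"  <CollectionMode>{collection_mode}</CollectionMode>\n"
        "</NVMProfile>\n"
    )

def collector_target(profile_xml):
    """Parse a profile and return (ip, port); raise if the collector is not fully set."""
    cfg = ET.fromstring(profile_xml).find("CollectorConfiguration")
    if cfg is None:
        raise ValueError("profile has no CollectorConfiguration element")
    ip = (cfg.findtext("CollectorIP") or "").strip()
    port = (cfg.findtext("Port") or "").strip()
    if not ip or not port.isdigit():
        raise ValueError("CollectorIP or Port is missing from the profile")
    return str(ipaddress.ip_address(ip)), int(port)

def points_at(profile_xml, expected_ip, expected_port):
    """True when the profile exports to the expected collector (here, the Replicator)."""
    expected = (str(ipaddress.ip_address(expected_ip)), int(expected_port))
    return collector_target(profile_xml) == expected

# Constructed here: Cisco's documented example values (192.0.2.123:2055) and
# the Replicator from the walkthrough above (10.1.3.86:2055).
CISCO_EXAMPLE = build_nvm_profile("192.0.2.123", 2055)
REPLICATOR_PROFILE = build_nvm_profile("10.1.3.86", 2055)

if __name__ == "__main__":
    print(REPLICATOR_PROFILE)
    print("Cisco example -> Replicator?", points_at(CISCO_EXAMPLE, "10.1.3.86", 2055))
    print("Replicator profile -> Replicator?", points_at(REPLICATOR_PROFILE, "10.1.3.86", 2055))
```

Run `points_at` against the NVMProfile.xml found in the NVM directory listed above to catch a client that is still exporting straight to Scrutinizer or to a stale collector address.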

Hooray for flows!

That’s it on our end! Now you have context-rich data about your VPN users. If you want to try out Scrutinizer or the Replicator, head over to our download page. You can also reach out if you need help with the configuration settings for your Cisco AnyConnect clients.

Joanna specializes in tech support here at Plixer. During the work day, Joanna works with clients from all over the world to solve their technical issues to ensure they are working with the latest and greatest that Plixer has to offer. Joanna may have a BFA in History from the University of Southern Maine, but that hasn’t slowed her passion for technology and working with it practically. Outside of work, she enjoys video games, living history, gardening, crafting, and working with her second home, The Brick Store Museum, here in Kennebunk.
