AnyConnect - 'VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established'
KB ID 0000546 Dtd 20/12/11
Problem
If you connect to a client via RDP and then try to run the AnyConnect client, you will see this error.
This behaviour is the default, and despite trawling the internet for a solution (most posts suggest editing the local AnyConnectProfile.tmpl file), that file does not exist in version 3 (I was using v3.0.4235).
Solution
To solve this problem we need to create an AnyConnect profile, load the profile into the firewall, then associate that profile with your AnyConnect group policy.
1. First download the AnyConnect Profile Editor from Cisco. (Note: You will need a valid CCO account and a registered support agreement/SmartNet).
If you cannot download the software, here's a profile I've already created that you can use. If you are going to use it, jump to step 5.
2. Once you have installed the profile editor, launch the "VPN Profile Editor".
3. The setting we want is listed under Windows VPN Establishment and needs setting to "AllowRemoteUsers". In addition, I'm going to set Windows Logon Enforcement to "SingleLocalLogon".
AllowRemoteUsers: Lets remote users bring up the VPN; if the resulting routing change disconnects the remote session, the VPN is terminated automatically.
SingleLocalLogon: Allows multiple remote logons but only one local logon.
4. Save the profile somewhere you can locate it quickly.
5. Connect to the firewall's ASDM > Tools > File Management > File Transfer > Between Local PC and Flash.
6. Browse your local PC for the profile you created earlier > Hit the "Right Arrow" to upload it > This can take a few minutes, depending on your proximity to the firewall.
7. Make sure the file uploads correctly > Close.
8. To associate this profile with your AnyConnect/SSL Group Policy, click Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Locate the policy in use for your AnyConnect clients > Edit > Advanced > SSL VPN Client > Locate the "Client Profile to Download" section and uncheck the Inherit box.
9. Click New > Browse Flash > Locate the profile you uploaded earlier.
10. OK > OK > Apply > Save the changes by clicking File > Save running configuration to flash.
11. Then reconnect with your AnyConnect Mobility Client software.
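As an added example (not from the original article or from Cisco), here is a constructed AnyConnect XML profile carrying the two settings from step 3, plus a small checker that parses a profile and reports them, so you can confirm what a profile will do before uploading it to the firewall. The host name and address in the sample are placeholders; the default-namespace handling is the part people usually trip over with ElementTree.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout the AnyConnect VPN Profile Editor writes.
# HostName/HostAddress are placeholders, not values from the article.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Example VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# The profile editor emits this default namespace; every lookup must use it.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
SETTINGS = ("WindowsVPNEstablishment", "WindowsLogonEnforcement")


def read_settings(profile_xml):
    """Return the two ClientInitialization settings the article discusses.

    A missing element is reported as None (AnyConnect then applies its own
    default, which for WindowsVPNEstablishment is LocalUsersOnly).
    """
    if isinstance(profile_xml, str):
        profile_xml = profile_xml.encode("utf-8")
    root = ET.fromstring(profile_xml)
    result = {name: None for name in SETTINGS}
    init = root.find("ac:ClientInitialization", NS)
    if init is None:
        return result
    for name in SETTINGS:
        el = init.find("ac:" + name, NS)
        if el is not None and el.text:
            result[name] = el.text.strip()
    return result


def rdp_establishment_allowed(profile_xml):
    """True only when the profile lets remote (RDP) users bring up the tunnel."""
    return read_settings(profile_xml)["WindowsVPNEstablishment"] == "AllowRemoteUsers"
```

Run it against the file you exported in step 4 to check the values before the upload in step 6.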