Configuration Guide
Page 2
... to Increase Your Internet Quotient, and TransPath are not intended to be actual addresses. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is a service mark of the...
Configuration Guide
Page 3
... Security Problems in Cisco Products x Product Alerts and Field Notices xi Obtaining Technical Assistance xi Cisco Technical Support & Documentation Website xi Submitting a Service Request xii Definitions of Service Request Severity xii Obtaining Additional Publications and Information xiii Installing or Upgrading the CSD Software 1-1 Enabling and Disabling CSD 2-1 Using CLI to Enable or Disable CSD 2-1 Using ASDM to Enable or Disable CSD 2-3 Introduction 3-1 CSD Capabilities 3-1 Navigation 3-2 Saving and Resetting the Running CSD Configuration 3-5 Tutorial 4-1 Step One...
Configuration Guide
Page 5
... support? A-6 OL-8607-02 Cisco Secure Desktop Configuration Guide v A-1 Which Java Virtual Machine is the download the second time? A-2 Timeout Questions A-2 How does the timeout setting work on Windows XP? A-3 System Detection Questions A-3 Can CSD detect all keystroke loggers? A-6 How long can the password be left behind on user computers? A-6 I run multiple Secure Desktops at the same time? A-2 Which applications does the Secure Desktop handle transparently? A-3 If I "Allow" to access the network...
Configuration Guide
Page 8
... Information for the Cisco ASA 5500 Series • Cisco ASA 5500 Series Hardware Installation Guide • Migrating to configure the Cache Cleaner and VPN feature policy Macintosh and Linux Clients for clients running Macintosh or Linux. Notes contain helpful suggestions, or references to configure Secure Desktop and Cache Cleaner support Windows Clients for remote clients running Microsoft Windows CE. Caution Means reader be careful. Conventions About This Guide Table 1 Document Organization (continued) Topic Purpose Setting Up CSD...
Configuration Guide
Page 9
... password, you to access Cisco Marketplace. The DVD enables you can register at this URL: http://www.cisco.com/go/marketplace/docstore Ordering Documentation You must be a registered Cisco.com user to access installation, configuration, and command guides for the Cisco ASA 5500 Series • Cisco Security Appliance Logging Configuration and System Log Messages Obtaining Documentation Cisco documentation and additional literature are available singly or by subscription. This section explains the product documentation resources that Cisco offers. Cisco...
Configuration Guide
Page 10
... encourage you to use a revoked encryption key or an expired encryption key. If you think that involve Cisco products • Register to receive security information from Cisco A current list of the Security Cisco Secure Desktop Configuration Guide x OL-8607-02 security-alert@cisco.com An emergency is either a condition in Cisco Products Cisco is under active attack or a condition for Cisco products is the one linked in real time, you can also...
Configuration Guide
Page 11
... at this tool from the Cisco Technical Support & Documentation website by phone. You can access the tool at this page has the current PGP key ID in Cisco Product Alerts and Cisco Field Notices. by copying and pasting OL-8607-02 Cisco Secure Desktop Configuration Guide xi The Cisco Technical Support & Documentation website on the Cisco Technical Support & Documentation website requires a Cisco.com user ID and password. In addition, if you want...
Configuration Guide
Page 25
... a remote user logs out or an SSL VPN session times out. when the session closes, CSD overwrites and attempts to remove session data using such technologies. Cisco SSL VPN solutions provide organizations with potentially malicious third party software installed. No single technology today addresses all data, especially from an untrusted system with robust and flexible products for enabling particular features. OL-8607-02 Cisco Secure Desktop Configuration Guide...
Configuration Guide
Page 27
... to Microsoft Windows users only.) As an administrator, you enable or restrict web browsing and remote server file access for Windows CE clients, but does let you specify the criteria to match the client to the TCP/IP port of OL-8607-02 Cisco Secure Desktop Configuration Guide 3-3 Note Port forwarding permits the use of the Secure Desktop to connect a client application installed on the local PC to the location. however, it does support a limited set of...
Configuration Guide
Page 28
...an Internet cafe). web browsing, remote server file access, port forwarding, and full VPN tunneling - but not limited to hardware keystroke logging devices. • Cache Cleaner-Attempts to disable or erase data that a user downloaded, inserted, or created in the menu, and displays the following remote access functions: web browsing, remote server file access, port forwarding, and full tunneling using a browser. Cisco Secure Desktop Configuration Guide 3-4 OL-8607-02 Typical location types include Work, Home, and Insecure (for keystroke logging applications on Windows...
Configuration Guide
Page 31
... Linux clients. they connect from unknown computers. OL-8607-02 Cisco Secure Desktop Configuration Guide 4-1 Locations let you determine the criteria needed to secure those hosts and the security policies to assign to supported Microsoft Windows clients only; Subsequent sections reinforce the instructions with the configuration procedure can restrict user privileges when they do not apply to hosts that will connect through the CSD configuration sequence: • Step One...
Configuration Guide
Page 32
... the administrator - All features disabled except web browsing To create the three locations: Step 1 Step 2 Choose Windows Location Settings in that is a "Work" host. Our example includes "Work," "Home," and "Insecure" in the CSD menu. CSD grants privileges to the flash device. If you enable this tutorial, "Work" provides clients with no timeout Vault Reuse lets users close the Secure Desktop and open it matches. This tutorial defines...
Configuration Guide
Page 36
... advanced features like File Access, Port Forwarding, and Full Tunneling only if they meet the company network policies for each location. Work Provide full access to ON if criteria are matched. Step 6 Step 7 Step 8 Step 9 Check Anti-spyware and choose the antispyware software. Provide users in the "Work" location as follows: Step 1 Step 2 Step 3 Step 4 Step 5 Click VPN Feature Policy under "Home." Cisco Secure Desktop Configuration Guide 4-6 OL-8607-02 A dialog box opens. Set File Access to users in the...
Configuration Guide
Page 39
... untrusted locations such as Internet cafes, you might set up a location named Home that is specified by unauthorized users. Examine the Windows Location attribute descriptions to plan a configuration that meets the security requirements of antivirus software and specific, supported operating systems to grant full access to the network. For example, clients connecting from within a workplace LAN on the 10.x.x.x network, and disable both the Cache Cleaner and...
Configuration Guide
Page 41
... default, this attribute is unchecked. • Full tunneling-Check to let the remote user establish a VPN tunnel with the SSL VPN Client if the Secure Desktop installation fails or the remote client PC does not match any of security, we recommend that you do not check this attribute is unchecked. • Port forwarding-Check to let the remote user connect a client application installed on the local PC to let the remote user access files on a remote server if the Secure...
Configuration Guide
Page 54
... Windows Clients Step 5 Step 6 • Anti-Virus-Check to enable System Detection for the presence of the options or control-click multiple options. For each enabled security category you are as follows: • Web browsing-Permits the client to use the Secure Desktop to browse the web. • File access-Permits the use of the Secure Desktop to access files on a remote server. • Port forwarding-Permits the use of the Secure Desktop to connect a client application installed on the local...
Configuration Guide
Page 62
... useful if users are running CSD configuration. 5-24 Cisco Secure Desktop Configuration Guide OL-8607-02 Checking this attribute, the SVC connection becomes available to both the Secure Desktop component of desktop switching, even if you enable this feature. If you disable this option, users must enter a password (up to the remote client's disk. This attribute is a bigger issue than the deployment advantages of Defense (DoD) standard for example...
Configuration Guide
Page 70
...; Enable web browsing if Mac or Linux installation fails-Check to allow the user to reset the timeout period. • Launch cleanup upon global timeout and Timeout after which CSD launches the Cache Cleaner. Choose the number of times for CSD to set the timeout period. • Let user reset timeout-Check to allow web browsing (but disable other remote-access features) if Cache Cleaner installation fails. • Web Browsing-Check to permit the use of the Secure Desktop to connect a client application installed on a remote server...
Configuration Guide
Page 79
... Module, attribute 5-4 Locations in priority order, window 5-2 Location to add, attribute 5-2 M Mac & Linux Cache Cleaner, menu option 7-1 main.exe A-6 McAfee Personal Firewall A-4 McAfee VirusScan A-4 menu, figure 3-3 Microsoft Anti-Spyware A-4 Microsoft Virtual Machine A-5 Microsoft Windows operating systems and service packs A-5 N navigation 3-2 network card A-6 network drive access 5-25 Norton AntiVirus For Windows A-4 Norton Personal Firewall A-5 O O certificate field 5-5, 5-6, 5-7 operating systems 5-16, 5-18 P Panda AntiVirus A-4 password A-6 Cisco Secure Desktop Configuration Guide...
Configuration Guide
Page 80
... A-6 encryption type A-6 FAQs A-3, A-5 force uninstall 5-24 IN-10 Cisco Secure Desktop Configuration Guide General 3-4, 5-23 to 5-24 inactivity timeout 5-24 local desktop switch 5-23 Location Module, attribute option 5-15, 5-18 Manager establishing a session 3-2 menu, figure 3-3 multiple A-3 open web page when closing 5-24 prompt to uninstall 5-24 Settings window 3-4, 5-25 to 5-26 Use Module, attribute 5-4 security settings A-5 service packs A-5 Shift_JIS A-2 Show success message at the end of successful installation, attribute 5-22 SSL VPN Client...