Configuration Guide
Page 4
... Certificate Criteria 5-6 Using the Certificates in Your Store to Specify Certificate Criteria 5-7 IP Criteria 5-7 Registry and File Criteria 5-8 Registry Criteria 5-9 File Criteria 5-11 Configuring the Secure Desktop for Clients that Match Location Criteria 5-13 Configuring a VPN Feature Policy for a Location 5-13 Configuring a Group-based Policy for a Location 5-...5-22 Configuring Secure Desktop General for a Location 5-23 Configuring Secure Desktop Settings for a Location 5-25 Configuring Secure Desktop Browser for a Location 5-27 Cisco Secure Desktop Configuration Guide iv OL-8607-02
Configuration Guide
Page 5
... the cache is used by the Cache Cleaner or the Secure Desktop? What application must I "Allow" to use the CSD features? A-2 Which applications does the Secure Desktop handle transparently? A-3 System Detection Questions A-3 Can CSD detect all keystroke loggers? A-4 Which... personal firewall applications does System Detection support? A-6 OL-8607-02 Cisco Secure Desktop Configuration Guide v A-2 Vault and Secure Desktop Questions A-3 Does Secure Desktop completely eliminate the risk that data will be for...
Configuration Guide
Page 7
...features to obtain the CSD software, and install or upgrade it. Organization and Use Table 1 describes the contents of this guide, and the titles of related documents. Table 1 Document Organization Topic Purpose Installing or Upgrading the Describes how to support Windows CE, Macintosh, and Linux clients. OL-8607-02 Cisco... for network managers and administrators, this guide describes how to install, configure, and enable Cisco Secure Desktop (CSD) on a Cisco ASA 5500 Series security appliance to provide a safe computing environment through an example configuration to provide...
Configuration Guide
Page 8
... which you to ASA for VPN 3000 Concentrator Series Administrators • Cisco ASA 5500 Series Adaptive Security Appliance Getting Started Guide for the ASA 5510, ASA 5520, and ASA 5540 • Cisco Security Appliance Command Line Configuration Guide • Cisco Security Appliance Command Reference Cisco Secure Desktop Configuration Guide... access for remote clients running Microsoft Windows CE. Setting Up CSD for Microsoft Describes how to configure a VPN feature policy to material not covered in screen font. Setting Up CSD for Describes how to configure Secure Desktop and ...
Configuration Guide
Page 11
... at this URL: http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do not have a valid Cisco service contract, contact your product serial number before sending any sensitive material. by using the Product Alert Tool on Cisco.com features extensive online support resources. You ...can access the tool at this URL: http://tools.cisco.com/RPF/register/register.do not have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support...
Configuration Guide
Page 13
... this URL: http://www.ciscopress.com • Internet Protocol Journal is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for Cisco products. About This Guide Obtaining Additional Publications and Information Severity 3 (S3)-Operational performance of the network is little or no effect...
Configuration Guide
Page 25
... (DoD) sanitation algorithm to reduce risks associated with robust and flexible products for enabling particular features. Cisco SSL VPN solutions provide organizations with using a U.S. However, deployments of Cisco SSL VPN using CSD, when combined with the operating system can play an important part in...privacy of information, and can ensure the total removal of all security requirements under the proposed standards. OL-8607-02 Cisco Secure Desktop Configuration Guide 3-1 CSD allows full customization of when and where it is to reduce the possibility that interoperates...
Configuration Guide
Page 26
..., Keystroke Logger, Cache Cleaner, and Secure Desktop features for that location. Figure 3-1 shows the default menu and the Secure Desktop Manager pane. For example, clients with DHCP-assigned IP addresses within a corporate address range connect from that clients are ...available in the CSDM menu: • Windows Location Settings - Figure 3-1 Secure Desktop Manager (Initial) The following initial options are connecting from the Work location. Click to determine that particular location. Cisco...
Configuration Guide
Page 27
... application on the local PC to configure the Cache Cleaner and a VPN Feature Policy (enable or restrict web browsing, remote server file access, and port forwarding) for Windows CE clients. Click to the TCP/IP port of OL-8607-02 Cisco Secure Desktop Configuration Guide 3-3 Navigating the Secure Desktop Manager A location is a security...
Configuration Guide
Page 28
..., requiring only a browser for such client connection sites as needed. It is permitted, that location only: • VPN Feature Policy-Provides System Detection before allowing the following options for configuring privileges and restrictions for keystroke logging applications on the disk by the... and XP; This option also lets you might configure a secure location to insert into the respective browser menu during the CSD session. Cisco Secure Desktop Configuration Guide 3-4 OL-8607-02 web browsing, remote server file access, port forwarding, and full VPN tunneling - Each location...
Configuration Guide
Page 31
...Identification • Step Three: Configure Windows Location Modules • Step Four: Configure Windows Location Features • Step Five: Configure Windows CE Features • Step Six: Configure Macintosh and Linux Features Step One: Define Windows Locations Begin configuring CSD by defining Windows locations. The following : ...guide you determine are likely to be insecure, and offer flexibility to supported Microsoft Windows clients only; OL-8607-02 Cisco Secure Desktop Configuration Guide 4-1 You can deploy in many different ways to secure remote systems and enforce your network ...
Configuration Guide
Page 32
... • Home • Insecure CSD evaluates client connections against the location entries in that is a "Home" host. If it matches. Cisco Secure Desktop Configuration Guide 4-2 OL-8607-02 This tutorial defines the locations as those connecting to the next. Identified by a certificate given by...timeout Vault Reuse lets users close the Secure Desktop and open it assigns the privileges associated with the "Insecure" location. Full access: all features ON • Home - Secure Desktop and Cache Cleaner are enabled, with full access, "Home" provides some flexibility, and "Insecure"...
Configuration Guide
Page 34
...Home" location and allow connections using the Cache Cleaner for the final location entry, "Insecure." Uncheck Disable cancellation of cleaning. Cisco Secure Desktop Configuration Guide 4-4 OL-8607-02 Step Three: Configure Windows Location Modules This section describes how to "Use Module."... and the command prompt. Click Secure Desktop General under "Home." See the option descriptions in the menu has six options: VPN Feature Policy, Keystroke Logger, Cache Cleaner, Secure Desktop General, Secure Desktop Settings, and Secure Desktop Browser. The Secure Desktop General pane appears...
Configuration Guide
Page 36
... Four: Configure Windows Location Features CSD creates security modules for... with this level of the VPN features: • Web Browsing • File Access • Port Forwarding •... Home Users connecting from the office environment have advanced features like File Access, Port Forwarding, and Full Tunneling ...choose multiple options for each location. Step Four: Configure Windows Location Features Chapter 4 Tutorial Click Apply All to save the running CSD ... 4 Step 5 Click VPN Feature Policy under "Home." Set File Access to all of access as follows: Step...
Configuration Guide
Page 37
... SP4, XP no SP, XP SP1, and XP SP2. OL-8607-02 Cisco Secure Desktop Configuration Guide 4-7 Click the ellipses (...) button under "Insecure." Chapter 4 Tutorial Step Four: Configure Windows Location Features Step 10 Repeat Steps 3 to ON if criteria are unchecked. Check AntiVirus and... choose the antivirus software. Click Apply All to save the running CSD configuration to users in "Configuring a VPN Feature Policy for a Location" for a given field, Control-click them. Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11...
Configuration Guide
Page 38
... instructions explain how to grant or restrict web browsing and file access privileges to ON. Step Six: Configure Macintosh and Linux Features CSD handles Macintosh and Linux systems differently from both secure and insecure locations connect with a global timeout. Configure the Macintosh and... Linux cache cleaner as follows: Step 1 Step 2 Step 3 Click Windows CE. Cisco Secure Desktop Configuration Guide 4-8 OL-8607-02 Instead of using different settings per location, all Macintosh and Linux hosts use the same settings....
Configuration Guide
Page 42
...the location criteria you want to require the Cache Cleaner to be present on the remote client as a criterion for assigning this location entry. Cisco Secure Desktop Configuration Guide 5-4 OL-8607-02 Note To push the Secure Desktop to all remote client PCs regardless of a particular file or.... • Cache Cleaner-Check if you want to match the location. Refer to let CSD apply the configured VPN feature policy. For example, if you specify an IP address range under "Enable identification using File or Registry criteria," only one of these files must be present on the ...
Configuration Guide
Page 51
... the menu on the left. OL-8607-02 Cisco Secure Desktop Configuration Guide 5-13 b. The field ... criterion appears as follows: Step 1 Click VPN Feature Policy under the name of the Compute CRC32 Checksum...match the criteria defined for a specific location: • Configuring a VPN Feature Policy for a Location • Configuring Keystroke Logger for a Location •... for a Location Configuring a VPN Feature Policy for a Location CSD applies the configured VPN feature policy if you choose neither the ...equals to configure the VPN feature policy for each location for which neither option is chosen...
Configuration Guide
Page 53
... The options within each category to require their presence as follows: OL-8607-02 Cisco Secure Desktop Configuration Guide 5-15 Your configuration of a group-based policy ends with the... list of antivirus software programs be running is not active, the client fails the VPN feature policy criteria check. Change the policy assigned to the Alternative group policy attribute to apply ... Cache Cleaner. To do so, choose the Configuration > VPN > General > Tunnel Group > Add/Edit Tunnel Group > WebVPN Access > WebVPN tab. If you cannot change the alternative group policy setting for...
Configuration Guide
Page 54
...use of the Secure Desktop to connect a client application installed on a remote server. 5-16 Cisco Secure Desktop Configuration Guide OL-8607-02 CSDM includes this two such fields, one of the...System Detection for the presence of a peer application on the local PC to the TCP/IP port of a particular operating system and service pack. Note To configure settings when remote ... for the presence of antispyware software. Click Apply All to "System Detection Questions." The VPN Feature Policy pane displays the default Group-Based Policy tab (described in "Configuring a Group-based Policy...