AnyConnect

sami.poles
Level 1

Dear colleagues,


I hope you are doing well. I have some difficulties activating the Start Before Logon feature, and I hope someone can help me with that.

 

I have two ASA Cisco Firepower Threat Defense on ASA5516-X Threat Defense V 6.4.0.7 in HA mode, managed by Firewall Management Center. What I need is the configuration steps to activate the Start Before Logon feature.

 

Thanks in advance.

9 Replies

@sami.poles 

What exactly is the problem you are having?

Here is the guide to deploy SBL:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/administration/guide/b_AnyConnect_Administrator_Guide_4-9/configure_vpn.html#ID-1428-00000097

 

With FTD 6.4 you cannot deploy SBL modules from the FTD (like you can with ASA), this feature is available from FTD 6.7+.

You will need to pre-deploy the SBL profile configuration and module manually to the laptops.

@Rob Ingram

 

Thanks for your fast response.

I will try to configure it manually and give you feedback.

 

Thanks a lot

@Rob Ingram 

I hope you are in good health,

 

I tried to configure it from Windows, but the same error appears again. Find the attached file:

anyconnect issue.PNG

It's required by our company.

 

B.R,

Sami Napoleon

@sami.poles Certificate not trusted by the computer?

 

 

@Rob Ingram 

Which certificate? Did you mean the cert related to the ASA, which is self-signed?

Or what did you mean? And how do I make it trusted?

 

B.R,

@sami.poles The certificate on the ASA needs to be trusted by the computer connecting to the VPN.

Normally you'd have a certificate installed on the ASA that is signed by a public CA, such as Verisign or GoDaddy. Most computers have the CA's root certificate installed, so they will trust the connection and no errors are received.

If you are using a self-signed certificate on the ASA, then no computer will trust that by default. You need to export that certificate and install it on each computer, so you no longer receive a warning.
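
The export-and-install step described above, as an added PowerShell example that is not part of the original thread or of Cisco's documentation. It checks the exported file against a fingerprint read from the firewall out-of-band before adding it to the machine trust store; `$CertPath` and `$ExpectedSha256` are placeholders you must supply.

```powershell
# Added example: verify an exported self-signed VPN gateway certificate, then trust it machine-wide.
# $CertPath and $ExpectedSha256 are assumptions/placeholders, not values from the thread.
param(
    [string]$CertPath       = 'C:\Temp\vpn-gateway.cer',   # hypothetical export location
    [string]$ExpectedSha256 = '<SHA-256 fingerprint read from the firewall out-of-band>'
)

$ErrorActionPreference = 'Stop'

# Load the exported certificate (DER or Base64 .cer) without installing it.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 1. Compare the SHA-256 of the DER bytes with the out-of-band value,
#    so a swapped or tampered file is never added to the trust store.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual, expected $expected. Not installing."
}

# 2. Only a self-signed certificate belongs in the Root store this way.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is issued by '$($cert.Issuer)', not self-signed. Install the issuing CA instead."
}

# 3. Refuse certificates that are expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Install into the machine-wide Trusted Root store unless it is already there.
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint
if ($present) {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Installed $($cert.Subject) (SHA-256 $actual) into LocalMachine\Root"
}
```

Run it from an elevated prompt on each computer. The name users connect to must also match the certificate's subject or subject alternative name, otherwise the client will still warn.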

@Rob Ingram 

 

Can you please tell me how to export the self-signed certificate, because I'm trying with no hope?

 

B.R,

@Rob Ingram 

 

The issue has been solved. Many thanks for your kind support.

 

B.R,

Sami Napoleon

@Rob Ingram 

 

How can I pre-deploy the SBL profile configuration and module manually to the laptops?

I'm using AnyConnect.

Can you help me more?