Cisco’s Clientless SSL VPN and Cisco AnyConnect

Let’s break this down to clarify how these two components work together, why you’re downloading AnyConnect after accessing a Clientless SSL VPN portal, and how this fits into the broader context of Cisco’s VPN architecture. I’ll also provide a critical perspective on the setup.


Understanding Cisco’s Clientless SSL VPN and Cisco AnyConnect

What is Cisco’s Clientless SSL VPN?

Cisco’s Clientless SSL VPN, often referred to as WebVPN, is a feature of Cisco Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) devices. It allows users to access certain corporate resources through a web browser without installing any software on their device. Here’s how it works:

  • Browser-Based Access: Users access a login portal (e.g., https://vpn3.netsolpk.com/+CSCOE+/logon.html) via a web browser.
  • Secure Gateway: The Cisco ASA/FTD acts as a secure gateway, proxying requests to internal resources (e.g., web applications, file shares) over an SSL/TLS-encrypted connection.
  • Limited Functionality: Clientless SSL VPN is typically used for lightweight access, such as:
    • Accessing web-based applications (e.g., an internal company portal).
    • File sharing (e.g., browsing a corporate file server via a web interface).
    • Launching remote desktop sessions (e.g., RDP or VNC through the browser).
  • No Client Software Required: It doesn’t require a VPN client to be installed on the user’s device, hence the term “clientless.”

The /+CSCOE+/logon.html path in your URL (https://vpn3.netsolpk.com/+CSCOE+/logon.html#form_title_text) is a clear indicator of Cisco’s Clientless SSL VPN portal. This page is generated by the ASA/FTD and serves as the entry point for users.

What is Cisco AnyConnect?

Cisco AnyConnect Secure Mobility Client is a full-featured VPN client that provides a complete VPN tunnel for secure access to a corporate network. Unlike Clientless SSL VPN, it requires software to be installed on the user’s device. Key features include:

  • Full-Tunnel VPN: AnyConnect establishes a secure, encrypted tunnel (typically over SSL/TLS or IPsec) between the user’s device and the corporate network, allowing access to all internal resources (e.g., servers, applications, databases) as if the user were on-site.
  • Broad Access: It supports a wide range of protocols and applications, not just web-based ones, making it suitable for scenarios like accessing internal databases, VoIP systems, or development environments.
  • Client Installation: AnyConnect must be installed on the user’s device, either manually or automatically via the VPN portal.

Why Both in Your Scenario?

The confusion arises because you’re accessing a Clientless SSL VPN portal (the /+CSCOE+/logon.html page) but then downloading the AnyConnect client to “dial” (establish) a full VPN connection. This is a common and intentional setup in Cisco VPN deployments. Here’s why:

  1. Clientless SSL VPN as a Bootstrap Mechanism:
    • The Clientless SSL VPN portal serves as an entry point for users to authenticate and access initial resources. In your case, it’s being used to:
      • Authenticate you via Microsoft Entra ID (as explained in the previous response, with the redirect to www.microsoftonline.com and MFA via Microsoft Authenticator).
      • Provide a secure landing page where you can download the AnyConnect client.
    • This approach ensures that users can authenticate and download the necessary software without needing AnyConnect pre-installed. It’s particularly useful for:
      • New employees or contractors who don’t yet have AnyConnect on their devices.
      • Users on unmanaged devices (e.g., personal laptops) who need to set up VPN access for the first time.
  2. Transition to Full-Tunnel VPN with AnyConnect:
    • While Clientless SSL VPN is great for lightweight access, it has limitations:
      • It only supports web-based applications or specific protocols (e.g., RDP, SSH) that the ASA/FTD can proxy.
      • It can’t provide full network access (e.g., for non-web applications like internal databases or VoIP).
    • To overcome these limitations, the organization uses the Clientless SSL VPN portal to deliver the AnyConnect client. Once you download and install AnyConnect, you can “dial” (connect) to the VPN, establishing a full-tunnel connection that routes all traffic through the corporate network.
  3. Automatic Client Provisioning:
    • Cisco ASA/FTD devices can be configured to automatically provision the AnyConnect client after successful authentication. This is likely what’s happening in your case:
      • After you authenticate via Microsoft Entra ID, the Clientless SSL VPN portal checks if AnyConnect is installed on your device.
      • If it’s not installed (or if the version is outdated), the portal presents a download link for the AnyConnect client.
      • Once installed, AnyConnect connects to the VPN server (vpn3.netsolpk.com) using the same credentials, establishing a full VPN tunnel.
  4. User Experience and Security:
    • This hybrid approach (Clientless SSL VPN for initial access, AnyConnect for full access) balances user convenience and security:
      • Convenience: Users don’t need to pre-install AnyConnect or contact IT to get started; they can download it directly from the portal after authentication.
      • Security: The Clientless SSL VPN portal ensures users are authenticated (with MFA) before they can download AnyConnect, reducing the risk of unauthorized access to the client software.

Technical Flow in Your Scenario

Here’s how the process unfolds technically:

  1. Access the Clientless SSL VPN Portal:
    • You visit https://vpn3.netsolpk.com/+CSCOE+/logon.html#form_title_text.
    • The Cisco ASA/FTD serves the Clientless SSL VPN login page.
  2. Authentication via Microsoft Entra ID:
    • The ASA/FTD is configured to use SAML or OAuth with Microsoft Entra ID as the Identity Provider (IdP).
    • You’re redirected to www.microsoftonline.com to log in with your work email and password.
    • MFA is triggered, sending an OTP to your Microsoft Authenticator app, which you approve.
  3. Return to the VPN Portal:
    • After successful authentication, Microsoft Entra ID sends a SAML token back to the ASA/FTD.
    • The Clientless SSL VPN portal grants you access, loading a landing page.
  4. AnyConnect Download:
    • The portal detects that you don’t have AnyConnect installed (or need an updated version).
    • It provides a download link for the Cisco AnyConnect client, hosted on the ASA/FTD (e.g., a file like anyconnect-win-4.10.07061-webdeploy-k9.pkg).
    • You download and install the client.
  5. Establish Full VPN Connection:
    • You launch AnyConnect, enter the VPN server address (vpn3.netsolpk.com), and log in.
    • AnyConnect reuses your SSO credentials (via SAML) or prompts for them again, depending on the configuration.
    • A full-tunnel VPN connection is established, routing your traffic through the corporate network.

Configuration on the Cisco ASA/FTD

For context, here’s how the organization likely configured this setup on their Cisco device:

  • Clientless SSL VPN Enabled:
    • The ASA/FTD has Clientless SSL VPN enabled with a connection profile (e.g., “DefaultWEBVPNGroup”).
    • The login portal is customized to redirect to Microsoft Entra ID for SAML authentication.
  • AnyConnect Deployment:
    • The AnyConnect client package is uploaded to the ASA/FTD (via ASDM or CLI).
    • Example CLI commands to enable AnyConnect provisioning:

```plaintext
webvpn
 anyconnect image disk0:/anyconnect-win-4.10.07061-webdeploy-k9.pkg 1
 anyconnect enable
```

    • The connection profile is set to offer AnyConnect after authentication:

```plaintext
group-policy GroupPolicy_DefaultWEBVPNGroup attributes
 vpn-tunnel-protocol ssl-clientless ssl-client
 webvpn
  anyconnect ask enable default anyconnect
```

  • SAML Authentication:
    • SAML is configured to use Microsoft Entra ID as the IdP:

```plaintext
saml idp https://sts.windows.net/<tenant-id>/
 url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
 trustpoint idp <certificate>
```
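To show how the fragments above fit together on one device, here is an added end-to-end configuration skeleton written for this article; it is not the organization’s actual configuration. The trustpoint names (ASA-PORTAL-CERT, ENTRA-IDP-CERT), the sign-out URL, the ask timeout and the tunnel-group binding are assumptions, and the `<tenant-id>` placeholder is carried over from the fragments above.

```plaintext
! Added example, not the organization's configuration; named trustpoints are assumptions.
!
! 1. Portal certificate: bind a CA-signed certificate to the outside interface so the
!    /+CSCOE+/logon.html page does not trigger browser warnings (self-signed-cert risk).
ssl trust-point ASA-PORTAL-CERT outside
!
! 2. Clientless SSL VPN (WebVPN) on the outside interface, with the AnyConnect package
!    hosted on the ASA so the portal can web-deploy it after login.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.07061-webdeploy-k9.pkg 1
 anyconnect enable
 !
 ! 3. Microsoft Entra ID as the SAML IdP. The IdP entity ID is also the object name;
 !    ENTRA-IDP-CERT holds the IdP signing certificate, base-url is the ASA's own FQDN
 !    and must match the Reply URL registered for the enterprise app in Entra ID.
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  trustpoint idp ENTRA-IDP-CERT
  trustpoint sp ASA-PORTAL-CERT
  no force re-authentication
  base-url https://vpn3.netsolpk.com
!
! 4. Group policy: permit both clientless and AnyConnect (ssl-client) access, and after a
!    clientless login offer AnyConnect by default (timeout in seconds before the default applies).
group-policy GroupPolicy_DefaultWEBVPNGroup internal
group-policy GroupPolicy_DefaultWEBVPNGroup attributes
 vpn-tunnel-protocol ssl-clientless ssl-client
 webvpn
  anyconnect ask enable default anyconnect timeout 15
!
! 5. Connection profile: authenticate with SAML against the IdP above and apply the group
!    policy. DefaultWEBVPNGroup is the profile the ASA uses when no group alias is selected.
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy_DefaultWEBVPNGroup
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
!
! Admin-side verification:
!   show webvpn saml idp           - IdP definition and trustpoints in effect
!   show webvpn anyconnect         - package loaded and AnyConnect enabled
!   show vpn-sessiondb webvpn      - clientless (portal) sessions
!   show vpn-sessiondb anyconnect  - full-tunnel sessions once the client dials in
```

Both `trustpoint idp` and `trustpoint sp` must reference trustpoints that already exist on the ASA; the IdP certificate is the one exported from the Entra ID enterprise application.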

Critical Perspective

This hybrid approach is practical but has trade-offs:

  • Security Benefits:
    • Using Clientless SSL VPN for initial access ensures users are authenticated before downloading AnyConnect, reducing the risk of unauthorized client distribution.
    • MFA via Microsoft Entra ID adds a strong security layer, especially for remote access.
  • Potential Risks:
    • The Clientless SSL VPN portal has had vulnerabilities in the past (e.g., CVE-2018-0296, a path traversal issue). If the ASA/FTD isn’t patched, it could be exploited before AnyConnect is even downloaded.
    • Self-signed certificates on the VPN portal (common in Cisco setups) can confuse users, increasing the risk of man-in-the-middle attacks if users ignore browser warnings.
    • Relying on Microsoft Entra ID introduces a dependency on Microsoft’s infrastructure. An outage or breach at Microsoft could disrupt VPN access.
  • User Experience:
    • The redirect to www.microsoftonline.com and the download process can be confusing for non-technical users, leading to support tickets (e.g., “Why am I logging into Microsoft to access the VPN?”).
    • If AnyConnect fails to install (e.g., due to permissions or OS compatibility), users might be stuck with Clientless SSL VPN, which offers limited functionality.
  • Performance:
    • Clientless SSL VPN can be slower for proxying resources compared to a full-tunnel VPN, but in this case, it’s only used briefly to deliver AnyConnect, so the impact is minimal.

Why Not Just Use AnyConnect Directly?

You might wonder why the organization doesn’t skip the Clientless SSL VPN portal and have users download AnyConnect directly from a website or IT portal. Here are a few reasons:

  • Authentication Before Download: The Clientless SSL VPN portal ensures users are authenticated before they can download AnyConnect, preventing unauthorized access to the client software.
  • Centralized Management: The ASA/FTD can manage AnyConnect versions, ensuring users always get the latest client (e.g., with security patches).
  • Ease of Deployment: Users don’t need to contact IT to get the client—they can self-provision after logging in, which is especially useful for remote workers or new hires.

What You Can Do

  1. Verify the Setup: Confirm with your IT team that this hybrid approach (Clientless SSL VPN for authentication, AnyConnect for full access) is intentional. They should also verify that the ASA/FTD is running the latest firmware to mitigate known vulnerabilities.
  2. Check AnyConnect Installation: After downloading, ensure AnyConnect installs correctly. If it fails, check for errors (e.g., insufficient permissions, OS compatibility) and consult your IT team.
  3. Secure Your Connection: Once AnyConnect is installed, use it to connect directly to vpn3.netsolpk.com instead of relying on the browser portal. This reduces exposure to web-based attacks.
  4. Monitor for Issues: If the redirect or download process seems suspicious (e.g., unexpected URLs, certificate warnings), pause and verify with IT to rule out phishing or misconfiguration.

Conclusion

In your scenario, the Clientless SSL VPN portal (https://vpn3.netsolpk.com/+CSCOE+/logon.html) is used as a secure entry point to authenticate users and deliver the Cisco AnyConnect client. After authentication via Microsoft Entra ID (with MFA), the portal provides the AnyConnect client, which you then use to establish a full-tunnel VPN connection. This hybrid approach leverages the strengths of both Clientless SSL VPN (for initial access and provisioning) and AnyConnect (for comprehensive network access), but it requires careful configuration to ensure security and a smooth user experience.
