User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
The editor contains these main items (select them in the table of contents):
• Prelogin Policies—This is a decision tree. When a user attempts a connection, the user's system is evaluated against your rules and the first rule that matches is applied. Typically, you create policies for secure locations, home locations, and insecure public locations. You can base your checks on registry information, the presence of specific files or certificates, the workstation's operating system, or IP address.
  All editing is done through the right-click menu. Right-click boxes or + signs to activate related settings, if any.
  For end nodes, you can select these options:
  – Access Denied—Workstations that match your criteria are prevented from accessing the network.
  – Policy—You want to define a specific admission policy at this point. After naming the policy, it is added to the table of contents. Select each item in the policy and configure its settings.
  – Subsequence—You want to perform additional checks. Enter the name of the next decision tree that you want to evaluate for this workstation.
• Host scan—You can specify a set of registry entries, file names, and process names, which form a part of the basic host scan. The host scan occurs after the prelogin assessment but before the assignment of a dynamic access policy. Following the basic host scan, the security appliance uses the login credentials, the host scan results, the prelogin policy, and other criteria you configure to assign a dynamic access policy. You can also enable:
  – Endpoint Assessment—The remote workstation scans for a large collection of antivirus, antispyware, and personal firewall applications, and associated updates.
  – Advanced Endpoint Assessment—Includes all of the Endpoint Assessment features, and lets you configure an attempt to update noncompliant workstations to meet the version requirements you specify. You must purchase and install a license for this feature before you can configure it.
Dynamic Access Page (ASA)
Use the Dynamic Access page to view the dynamic access policies (DAP) defined on the security appliance. From this page, you can create, edit, or delete DAPs.
Use the Cisco Secure Desktop section to enable and download the Cisco Secure Desktop (CSD) software on the selected ASA device. Cisco Secure Desktop provides a single, secure location for session activity and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL VPN session.
Note: The CSD client software must be installed and activated on a device in order for an SSL VPN policy to work properly.
Tip: Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.
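To make the evaluation order described above concrete, here is an added Python model (not part of this guide, and not the CSD or ASA policy format) of a prelogin decision tree with the three end-node types, first-match-wins ordering and Subsequence chaining, plus the DAP-over-Group-policy lookup from the Tip; tree names, endpoint attributes and values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    checks: dict     # attribute -> required value; {} matches every endpoint
    end_node: tuple  # ("deny",), ("policy", name) or ("subsequence", tree)

def rule_matches(checks, endpoint):
    """All checks must hold: prefix match on IP, membership for presence
    checks (files/registry/certs), plain equality for everything else."""
    for attr, expected in checks.items():
        if attr == "ip_prefix":
            if not endpoint.get("ip", "").startswith(expected):
                return False
        elif attr in ("files", "registry", "certs"):
            if expected not in endpoint.get(attr, set()):
                return False
        elif endpoint.get(attr) != expected:
            return False
    return True

def evaluate_prelogin(trees, start, endpoint, max_hops=10):
    """First matching rule in a tree wins; a Subsequence end node restarts the
    walk in another tree. Returns ("deny", None), ("policy", name) or
    ("no_match", tree) when no rule in that tree applied."""
    tree = start
    for _ in range(max_hops):  # bound the chain so a cycle cannot loop forever
        for rule in trees[tree]:
            if rule_matches(rule.checks, endpoint):
                kind = rule.end_node[0]
                if kind == "subsequence":
                    tree = rule.end_node[1]
                    break
                return (kind, rule.end_node[1] if kind == "policy" else None)
        else:
            return ("no_match", tree)
    return ("deny", None)  # chain never terminated: fail closed

def resolve_setting(name, dap, group_policy):
    """A value set in the DAP wins; otherwise the Group policy supplies it."""
    return dap[name] if name in dap else group_policy.get(name)

# Constructed sample trees (hypothetical names and values, not real policy).
TREES = {
    "Start": [
        Rule({"ip_prefix": "10."}, ("policy", "Secure")),       # on-site address
        Rule({"os": "windows"}, ("subsequence", "HomeCheck")),  # look closer
        Rule({}, ("deny",)),                                    # anything else
    ],
    "HomeCheck": [
        Rule({"certs": "CorpCA", "registry": "HKLM\\SOFTWARE\\Corp"}, ("policy", "Home")),
        Rule({}, ("policy", "Public")),
    ],
}
```

Rule order matters exactly as in the editor: moving the catch-all deny rule above the Windows rule would deny every off-site workstation before the home check ever runs.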