32-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Configuring an SSL VPN Policy (IOS)
Creating Cisco Secure Desktop Configuration Objects
Cisco Secure Desktop (CSD) Configuration objects define the settings you want to use if you enable
Secure Desktop in an SSL VPN policy for an IOS device (see Configuring an SSL VPN Policy (IOS),
page 32-14). For ASA devices, the feature is set up as part of the Dynamic Access Policy (see
Understanding Dynamic Access Policies, page 31-1 and Configuring Cisco Secure Desktop Policies on
ASA Devices, page 31-8).
Cisco Secure Desktop (CSD) provides a reliable means of eliminating all traces of sensitive data: session
activity is confined to a single, secure location on the client system, and that location is removed when
the session ends. CSD provides a session-based interface in which sensitive data is available only for the
duration of an SSL VPN session. All session information is encrypted, and all traces of the session data
are removed from the remote client when the session is terminated, even if the connection terminates abruptly.
About Windows Locations
Windows locations let you classify clients by how and from where they connect to your virtual private
network, and apply CSD protections appropriate to each class. For example, clients connecting from within a
workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely source of confidential data
leakage. For these clients, you might set up a CSD Windows Location named Work, identified by IP addresses
on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop function for this location.
In contrast, users' home PCs might be considered more exposed to viruses because of their mixed use. For
these clients, you might set up a location named Home, identified by a corporate-supplied certificate that
employees install on their home PCs. This location would require the presence of antivirus software and
specific, supported operating systems before granting full access to the network.
Alternatively, for untrusted locations such as Internet cafes, you might set up a location named
"Insecure" that has no matching criteria, which makes it the default for clients that do not match any
other location. This location would require full Secure Desktop functions and include a short timeout
period to prevent access by unauthorized users. Locations are evaluated in the order listed and the first
match is used, so a location with no criteria matches every client. If you create such a location, make
sure it is the last entry in the Locations list; any location listed after it can never be selected.
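The ordered, first-match evaluation described above, written out as an added example (this is illustrative code, not part of the Cisco Security Manager product or its documentation). It models the three locations from the text (Work by IP range, Home by corporate certificate, Insecure with no criteria) and includes a check that flags locations shadowed by a criteria-less entry that is not last. The Location fields, the helper names, and the rule that every configured criterion of a location must hold for it to match are assumptions made for the example; the client addresses and settings are constructed sample data.

```python
"""Ordered CSD Windows Location matching (added example, assumptions noted inline)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Location:
    name: str
    # Assumed criteria: a list of IP networks and/or a corporate-certificate requirement.
    ip_ranges: List[str] = field(default_factory=list)   # empty list = no IP criterion
    require_cert: bool = False                            # True = corp certificate must be present
    # CSD settings applied when this location is selected (assumed field names).
    secure_desktop: bool = True
    cache_cleaner: bool = True
    timeout_minutes: Optional[int] = None

    def has_criteria(self) -> bool:
        return bool(self.ip_ranges) or self.require_cert

    def matches(self, client_ip: str, has_corp_cert: bool) -> bool:
        # Assumption: every configured criterion must hold. A location with no
        # criteria matches every client, which is what makes it the default.
        if self.ip_ranges:
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in ipaddress.ip_network(r) for r in self.ip_ranges):
                return False
        if self.require_cert and not has_corp_cert:
            return False
        return True


# Constructed sample configuration mirroring the Work / Home / Insecure example.
LOCATIONS = [
    Location("Work", ip_ranges=["10.0.0.0/8"], secure_desktop=False, cache_cleaner=False),
    Location("Home", require_cert=True, timeout_minutes=60),
    Location("Insecure", timeout_minutes=5),   # no criteria: catch-all, must be last
]


def classify(client_ip: str, has_corp_cert: bool,
             locations: List[Location] = LOCATIONS) -> Location:
    """Return the first location in list order whose criteria the client satisfies."""
    for loc in locations:
        if loc.matches(client_ip, has_corp_cert):
            return loc
    raise LookupError("no Windows Location matched; add a criteria-less default last")


def shadowed_locations(locations: List[Location]) -> List[str]:
    """Names of locations that can never be selected because a catch-all precedes them."""
    for i, loc in enumerate(locations):
        if not loc.has_criteria():
            return [later.name for later in locations[i + 1:]]
    return []


if __name__ == "__main__":
    for ip, cert in [("10.4.2.7", False), ("203.0.113.5", True), ("203.0.113.5", False)]:
        loc = classify(ip, cert)
        print(f"{ip} cert={cert} -> {loc.name} secure_desktop={loc.secure_desktop} "
              f"timeout={loc.timeout_minutes}")
    misordered = [LOCATIONS[2], LOCATIONS[0], LOCATIONS[1]]
    print("shadowed when Insecure is listed first:", shadowed_locations(misordered))
```

Running the check on a misordered list shows the failure mode the text warns about: with Insecure first, every client, including those on the 10.x.x.x LAN, lands in the Insecure location, and Work and Home are never consulted.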
User Groups
    The user groups that will be used in your SSL VPN policy. User groups define the resources available
    to users when connecting to an SSL VPN gateway. The table shows whether full client, CIFS file access,
    and thin client are enabled for the group.
    To add a user group, click Add Row to open a list of existing user group policy objects from which
    you can select the group. If the desired group does not already exist, click the Create button below
    the available groups list and create it. For more information about user group objects, see Add or
    Edit User Group Dialog Box, page 33-58.
    To edit a user group, select it and click the Edit Row button.
    To delete a user group, select it and click the Delete Row button. This deletes the group only from
    the policy; it does not delete the user group policy object.
Table 32-6 SSL VPN Context Editor General Tab (IOS) (Continued)
Element Description