End-to-End Remote Access VPN Configuration Process for an FDM-Managed Device
This section provides the end-to-end procedure for configuring Remote Access Virtual Private Network (RA VPN) on an FDM-managed device onboarded to Security Cloud Control.
To enable remote access VPN for your clients, you need to configure several separate items. The following procedure provides the end-to-end process.
Procedure
Step 1 | Enable two licenses.
| ||
Step 2 | Configure Certificates. Certificates are required to authenticate SSL connections between the clients and the device. You can use the pre-defined DefaultInternalCertificate for the VPN or create your own. If you use an encrypted connection for the directory realm used for authentication, you must upload a trusted CA certificate. For more information on certificates and how to upload them, see Configuring Certificates. | ||
Step 3 | Configure the identity source used for authenticating remote users. You can use the following sources to authenticate users attempting to connect to your network using RA VPN. Additionally, you can use client certificates for authentication, either alone or in conjunction with an identity source.
| ||
Step 4 | (Optional.) Create New RA VPN Group Policies. The group policy defines user-related attributes. You can configure group policies to provide differential access to resources based on group membership. Alternatively, use the default policy for all connections. | ||
Step 5 | |||
Step 6 | |||
Step 7 | |||
Step 8 | |||
Step 9 | (Optional.) Enable the identity policy and configure a rule for passive authentication. If you enable passive user authentication, users who logged in through the remote access VPN will be shown in the dashboards, and they will also be available as traffic-matching criteria in policies. If you do not enable passive authentication, RA VPN users will be available only if they match an active authentication policy. You must enable the identity policy to get any username information in the dashboards or for traffic matching. See Configure Identity Policies. |
Important | If you change the Remote Access VPN configuration by using a local manager like Secure Firewall device manager, the Configuration Status of that device in Security Cloud Control shows "Conflict Detected". See Out-of-Band Changes on an FDM-Managed Device. You can Resolve Configuration Conflicts on this FDM-managed device. |
What to do next
Once the RA VPN configuration is downloaded to the FDM-managed devices, the users can connect to your network from a remote location using a computer or other supported iOS or Android device connected to the Internet. You can monitor live AnyConnect Remote Access Virtual Private Network (RA VPN) sessions from all onboarded RA VPN head-ends in your tenant. See Monitoring Remote Access Virtual Private Network.