Manage Machine Tunnels

A Secure Access VPN machine tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature. For this tunnel to be created without user interaction, certificate-based authentication is used.

Table of Contents

• About the VPN Machine Tunnel
• Limitations
• Configure the VPN Machine Tunnel
• What to do Next

The Secure Access machine tunnel allows administrators to have the Cisco Secure Client connected without user intervention prior to when the user logs in. Secure Access machine tunnel is triggered when the endpoint is off-premise and disconnected from a user-initiated VPN. The Secure Access VPN machine tunnel is transparent to the end user and disconnects automatically when the user initiates VPN.

About the VPN Machine Tunnel

The Secure Client VPN agent service is automatically started upon system boot-up. It detects that the machine tunnel feature is enabled (via the VPN profile), therefore it launches the management client application to initiate a machine tunnel connection. The management client application uses the host entry from the VPN profile to initiate the connection. Then the VPN tunnel is established as usual, with one exception: no software update is performed during a machine tunnel connection since the machine tunnel is meant to be transparent to the user.

The user initiates a VPN tunnel via the Secure Client, which triggers the machine tunnel termination. Upon machine tunnel termination, the user tunnel establishment continues as usual.

The user disconnects the VPN tunnel, which triggers the automatic re-establishment of the machine tunnel.

For information about viewing connection events filtered by machine tunnel, see View the Remote Access Log Report.

Limitations

• A machine tunnel user with the email address [email protected] needs to be provisioned. For more information, see What to do Next.
• User interaction is not supported.
• Certificate-based authentication through Machine Certificate Store (Windows) is only supported.
• Strict Server Certificate checking is enforced.
• A private proxy is not supported.
• A public proxy is not supported (ProxyNative value is supported on platforms where Native Proxy settings are not retrieved from the browser).
• Secure Client Customization Scripts are not supported.

Configure the VPN Machine Tunnel

This section describes how to configure the Secure Access as the VPN gateway to accept connections from Secure Client through the VPN machine tunnel.

The following topics explain how to configure remote access VPN profiles.

Table of Contents

• Prerequisites
• Step 1 – General Settings
• Step 2 – Authentication for Machine Certificate
• Step 3 – Traffic Steering (Split Tunnel)
• Step 4 – Cisco Secure Client Configuration

Prerequisites

• Full Admin role in Secure Access. See Manage User Roles.

Step 1 – General Settings

Configure the general settings, including the domain and the protocols this machine tunnel will use.

1. Navigate to Connect > End User Connectivity > Virtual Private Network.
2. In the VPN Profiles pane, click Manage Machine Tunnel.

3. Enter the Default Domain.
4. Choose a DNS Server from the drop-down, or click Addto add a new DNS server pair.
   The DNS server mapped through the Manage IP Pool page is set as the default server. Selecting another DNS server overwrites this default server.
5. Select the protocol that this machine tunnel will use:
   • TLS/DTLS
   • IPSec (IKEv2)
     At least one protocol must be selected.
6. Optionally, check Include protocol to enforce client bypass protocol.

Step 2 – Authentication for Machine Certificate

The machine tunnel is transparent to the end user and disconnects automatically when the user initiates a VPN session. For this tunnel to be created without user interaction, certificate-based authentication is used.

1. Choose CA certificates from the list, or click Upload CA certificates, which can then be used by the machine tunnel as a machine certificate to authenticate devices.

   

2. Click Next to configure the Traffic Steering.

Step 3 – Traffic Steering (Split Tunnel)

For Traffic Steering (Split Tunnel), you can configure a machine tunnel to maintain a full tunnel connection to Secure Access, or configure it to use a split tunnel connection to direct traffic through the VPN only if necessary.

1. For Tunnel Mode, choose either:

   • Connect to Secure Access to direct all traffic through the tunnel; or,

     

   • Bypass Secure Access to direct all traffic outside the tunnel.

     

2. Depending on your selection, you can Add Exceptions to steer traffic inside or outside the tunnel. You can enter comma-separated IPs, domains, and network spaces.

3. For DNS Mode, you can accept the default mode or, depending on your selection, choose to Tunnel all DNS traffic or Split DNS traffic.
   When Split DNS is chosen, DNS names matching the configured DNS Names will be routed over the encrypted Secure Client connection for resolution. Any that do not match the configured DNS Names are routed via the local physical interface for the resolution.

4. Click Next to configure the Cisco Secure Client.

Step 4 – Cisco Secure Client Configuration

You can modify a subset of Cisco Secure Client settings based on the needs of a particular VPN machine tunnel.

1. Review the options presented on the Cisco Secure Client Configuration tab.

   

2. Configure the options that are specific to your machine tunnel:

   • Local LAN Access—Allows the user complete access to the local LAN connected to the remote computer
     during the VPN session to Secure Access.
     Note: Enabling local LAN access can potentially create a security weakness from the
     public network through the user computer into the corporate network.
   • Disable Captive Portal Detection—When Cisco Secure Client receives a certificate with a common
     name that does not match the Secure Access name, a captive portal is detected. This behavior
     prompts the user to authenticate. Some users using self signed certificates may want to enable connection
     to corporate resources behind an HTTP captive portal and should thus mark the Disable Captive Portal
     Detection checkbox. The administrator can also determine if they want the option to be user configurable
     and mark the checkbox accordingly. If user configurable is selected, the checkbox appears on the
     Preferences tab of the Cisco Secure Client UI.
   • Suspend Secure Client during suspended standby— (Windows Only) Available only for devices that
     support Connected Standby. During Connected Standby, the operating system throttles system process,
     which can impact how packets are processed. With this option, you can disable VPN traffic when the
     system enters Connected Standby mode. The feature is disabled by default.
   • Captive Portal Remediation Browser Failover—Allows the end user to use an external browser (after
     closing the Cisco Secure Client browser) for captive portal remediation.
   • Allow Local Proxy Connections—By default, Cisco Secure Client lets Windows users establish a VPN
     session through a transparent or non-transparent proxy service on the local PC. Uncheck this parameter
     if you want to disable support for local proxy connections. Some examples of elements that provide a
     transparent proxy service include acceleration software provided by some wireless data cards, and network
     components on some antivirus software.
   • Automatic VPN Policy (Windows and macOS only)—Enables Trusted Network Detection allowing
     Cisco Secure Client to automatically manage when to start or stop a VPN connection according to the
     Trusted Network Policy and Untrusted Network Policy. If disabled, VPN connections can only be started
     and stopped manually. Setting an Automatic VPN Policy does not prevent users from manually controlling
     a VPN connection.
     • Trusted Network Policy—Action Cisco Secure Client automatically takes on the VPN connection
       when the user is inside the corporate network (the trusted network).
       • Disconnect (Default)—Disconnects the VPN connection upon the detection of the trusted
         network.
       • Connect—Initiates a VPN connection upon the detection of the trusted network.
       • Do Nothing—Takes no action in the untrusted network. Setting both the Trusted Network
         Policy and Untrusted Network Policy to Do Nothing disables Trusted Network Detection.
       • Pause—Cisco Secure Client suspends the VPN session instead of disconnecting it if a user
         enters a network configured as trusted after establishing a VPN session outside the trusted
         network. When the user goes outside the trusted network again, Cisco Secure Client resumes
         the session. This feature is for the user’s convenience because it eliminates the need to establish
         a new VPN session after leaving a trusted network.
     • Untrusted Network Policy—Cisco Secure Client starts the VPN connection when the user is outside
       the corporate network (the untrusted network). This feature encourages greater security awareness
       by initiating a VPN connection when the user is outside the trusted network.
       • Connect (Default)—Initiates the VPN connection upon the detection of an untrusted network.
       • Do Nothing—Takes no action in the trusted network. This option disables Always-On VPN.
         Setting both the Trusted Network Policy and Untrusted Network Policy to Do Nothing disables
         Trusted Network Detection.
     • Trusted DNS Domains—DNS suffixes (a string separated by commas) that a network interface may have when the client is in the trusted network. For example: ''.cisco.com.
       Note: Wildcards ('*') are not supported for DNS suffixes.
     • Trusted DNS Servers—DNS server addresses (IP addresses separated by commas) that a network
       interface may have when the client is in the trusted network. For example: 192.168.1.2, 2001:DB8::1.
       Note: Wildcards ('*') are not supported for DNS server addresses.

3. Distinguished Name—Specifies distinguished names (DNs) for exact match criteria in
   choosing acceptable client certificates. When you add multiple Distinguished Names, each certificate is
   checked against all entries, and all of them must match.
   Note: A maximum of 10 distinguished names are allowed.

   • Name—The distinguished name (DN) to use for matching:
     • CN—Subject Common Name
     • C—Subject Country
     • DC—Domain Component
     • DNQ—Subject Dn Qualifier
     • EA—Subject Email Address
     • GENQ—Subject Gen Qualifier
     • GN—Subject Given Name
     • I—Subject Initials
     • L—Subject City
     • N—Subject Unstruct Name
     • O—Subject Company
     • OU—Subject Department
     • SN—Subject Sur Name
     • SP—Subject State
     • ST—Subject State
     • T—Subject Title
     • ISSUER-CN—Issuer Common Name
     • ISSUER-DC—Issuer Component
     • ISSUER-SN—Issuer Sur Name
     • ISSUER-GN—Issuer Given Name
     • ISSUER-N—Issuer Unstruct Name
     • ISSUER-I—Issuer Initials
     • ISSUER-GENQ—Issuer Gen Qualifier
     • ISSUER-DNQ—Issuer Dn Qualifier
     • ISSUER-C—Issuer Country
     • ISSUER-L—Issuer City
     • ISSUER-SP—Issuer State
     • ISSUER-ST—Issuer State
     • ISSUER-O—Issuer Company
     • ISSUER-OU—Issuer Department
     • ISSUER-T—Issuer Title
     • ISSUER-EA—Issuer Email Address

4. Click Save to complete the VPN machine tunnel.

What to do Next

You need to associate the machine tunnel with remote access VPN users. This is done by provisioning a machine tunnel user with a specific email ([email protected]) from your organization's identity provider (IdP), such as Active Directory. Secure Access supports various methods to provision users and groups.

Table of Contents

• Prerequisites
• Procedure
• View Provisioned Users and Groups in Secure Access

Prerequisites

• Full Admin user role. For more information, see Manage Accounts.
• An identity provider (IdP) configured and integrated with Secure Access. For more information, see Manage Users and Groups.
• A configured machine tunnel applied to a VPN profile.

Procedure

To add the new machine tunnel user, provision the user through your supported identity provider (IdP). This example shows a manual upload of a CSV file.

1. Navigate to Connect > Users and Groups > Users and click Provision Users.
2. For Provisioning Method, click Manual Upload to provision the new machine tunnel user in your organization.

3. Click Download to save the Secure Access import template to your local system. The template is a CSV file that supports the following format:

   DN,sn,givenName,userPrincipalName,mail,memberOf
   

   Note that DN and memberOF are not required. For complete information, see CSV File Format.
4. Add the machine tunnel user to the Secure Access CSV template file, and then upload the CSV file to Secure Access.

For example:

DN,sn,givenName,userPrincipalName,mail,memberOf
machineUser,6,[email protected],[email protected],adminGroup

5. Click Done.
   Once added, users and user groups can then be added to an access rule.

View Provisioned Users and Groups in Secure Access

1. Navigate to Connect > Users and Groups to view the users and groups provisioned in your organization.
   1. See View User Details
   2. See View Group Details

---

Add VPN Profiles <Manage Machine Tunnels> Manage Internet Security