Cisco Management Tunnel

Part I - What is an AnyConnect Management Tunnel?

This is part 1 of a 3-part series.

  1. Cisco Management Tunnel
  2. Cisco Management Tunnel - NDES Setup
  3. Cisco Management Tunnel - ASA Setup

When the Covid-19 pandemic started, our organization sent everyone to work from home. Of course, with everyone on VPN and not continually connected, as they were in the office, that posed some problems for login scripts and for some of our automated processes such as WSUS patch deployment, NTP time sync and SCCM. I recently heard this was an issue - I’m not sure why the sysadmins didn’t raise it sooner - and did some research into ways I can address those problems for our team. We use Cisco AnyConnect for VPN, and AnyConnect has two features that seemed to meet our needs:

  • AnyConnect Start Before Login (SBL): In essence, this forces the user to authenticate to VPN before signing in to their machine with domain credentials. This means a VPN connection exists before the user signs in, which should address the login script issues.
  • AnyConnect Management VPN: In this scenario, a VPN Management Tunnel is established whenever the user/computer is disconnected from VPN. If the user reauthenticates, the Management Tunnel drops, as a user VPN connection is then present. Certificates are used for authentication. This would address our ability to patch machines that are powered on but not signed into VPN, and it sounds like it’d help with login scripts too.

Here’s how Cisco describes the Management Tunnel feature in Configure AnyConnect Management VPN Tunnel on ASA:

Background Information

A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end-user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.

AnyConnect Management Tunnel allows administrators to have AnyConnect connected without user intervention prior to the user log in. AnyConnect Management tunnel can work in conjunction with Trusted Network Detection and therefore is triggered only when the endpoint is off-premise and disconnected from User-initiated VPN. AnyConnect Management tunnel is transparent to the end-user and disconnects automatically when the user initiates VPN.

Working of Management Tunnel

The AnyConnect VPN agent service is automatically started upon system boot-up. It detects that the management tunnel feature is enabled (via the management VPN profile), therefore it launches the management client application to initiate a management tunnel connection. The management client application uses the host entry from the management VPN profile to initiate the connection. Then the VPN tunnel is established as usual, with one exception: no software update is performed during a management tunnel connection since the management tunnel is meant to be transparent to the user.

The user initiates a VPN tunnel via the AnyConnect UI, which triggers the management tunnel termination. Upon management tunnel termination, the user tunnel establishment continues as usual.

The user disconnects the VPN tunnel, which triggers the automatic re-establishment of the management tunnel.

Limitations

  • User interaction is not supported.
  • Only certificate-based authentication through the Machine Certificate Store (Windows) is supported.
  • Strict Server Certificate checking is enforced.
  • Private Proxy is not supported.
  • A public proxy is not supported (ProxyNative value is supported on platforms where Native Proxy settings are not retrieved from the browser).
  • AnyConnect Customization Scripts are not supported.
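Since the management tunnel can only authenticate with a certificate from the Windows machine store, the first thing worth verifying on an endpoint is that such a certificate is actually there. The following PowerShell pre-flight check is an added example, not code from this post or from Cisco; it assumes the ASA expects a client-authentication capable certificate (EKU 1.3.6.1.5.5.7.3.2) that chains to a root the endpoint trusts.

```powershell
# Added example (not from the post or from Cisco): pre-flight check that a
# Windows endpoint holds a certificate usable for the management tunnel.
# Assumption: a client-authentication EKU (1.3.6.1.5.5.7.3.2) is required
# and the issuing chain must validate against the machine trust store.

$clientAuthEku = '1.3.6.1.5.5.7.3.2'

function Get-MgmtTunnelCandidateCert {
    # Only the machine store (LocalMachine\My) is searched: the management
    # tunnel cannot use certificates from the user store.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le (Get-Date) -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku)
    }
}

$candidates = @(Get-MgmtTunnelCandidateCert)

if ($candidates.Count -eq 0) {
    Write-Warning 'No valid client-auth certificate with a private key in LocalMachine\My.'
    # Common misconfiguration: the certificate was enrolled into the user store,
    # which the management tunnel ignores.
    $userCerts = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku })
    if ($userCerts.Count -gt 0) {
        Write-Warning "Found $($userCerts.Count) client-auth cert(s) in CurrentUser\My; these will not be used."
    }
    exit 1
}

foreach ($cert in $candidates) {
    # Test-Certificate validates the chain and the requested EKU against the
    # local machine trust store; a failure here usually points to a missing
    # intermediate or root CA rather than to the certificate itself.
    $chainOk = Test-Certificate -Cert $cert -EKU $clientAuthEku -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        ChainValid = [bool]$chainOk
    }
}
```

Run it from an elevated prompt on a test endpoint; a candidate with ChainValid set to False is the case the "Strict Server Certificate checking" and machine-store limitations above will surface as a silent tunnel failure.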

The biggest risk I see to deploying either of these is how it might be affected by our web filtering proxy.

There’s really only one way to find out how/if this will work, and that’s to set it up! I’ll do that in Cisco Management Tunnel - NDES Setup.
