Techrunner
asked on
ISE Posture with Sophos VPN clients
We have Sophos Firewalls and we are looking at rolling out Cisco ISE to implement Device Posture for SSL VPN Clients.
The concerning issue is how to perform device posturing for Sophos SSL Remote Access VPN Clients, because Sophos cannot be integrated with Cisco ISE.
Any advice on this, please?
Thanks
There's no way you can do anything easily or user-friendly with posture in your scenario. You can assess it, but you can't take action based on it unless you get the client to connect twice. This is because your firewall doesn't support CoA (change of authorization).
ASKER
Thanks
So what could be the best alternative solution in such a case, even though users are required to log in twice?
ASKER
Cisco design team has advised to install vASA behind Sophos Firewall just for SSL VPN and move the users from ASA and integrate with ISE for Anyconnect.
I am not sure how much this design is validated. Appreciating your kind suggestion.
ASKER
Yes. HTTPS passed through to the ASAv would be perfect. Ensure the ASAv uses the Sophos as its default route for internet-bound traffic and a static route or routing protocol (if the Sophos supports it) for LAN-side subnets/resources.
ASKER
ASAv would have sub-interfaces (outside & inside) connected to Sophos. Default route as Sophos on outside interface and static route to LAN subnets next-hop Sophos on inside interface.
That's correct?
Yes, sounds good.
ASKER
Thanks for the great as usual
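
The ASAv layout agreed on in the thread above, written out as an added configuration sketch that is not from any of the posters: two sub-interfaces toward the Sophos, the default route and LAN static route, and a RADIUS server group for ISE with CoA enabled, which is the capability the first reply says the Sophos lacks. All addresses, VLAN IDs, interface numbers and the names `ISE` and `RA-VPN` are constructed placeholders.

```cisco
! Physical port trunked to the Sophos; it carries no address itself
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Outside sub-interface: receives the HTTPS the Sophos passes through
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Inside sub-interface: decrypted VPN traffic returns to the Sophos here
interface GigabitEthernet0/0.20
 vlan 20
 nameif inside
 security-level 100
 ip address 198.51.100.2 255.255.255.252
!
! Default route: Sophos as next hop on the outside interface
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! LAN subnets: Sophos as next hop on the inside interface
route inside 10.10.0.0 255.255.0.0 198.51.100.1 1
!
! ISE as RADIUS server; dynamic-authorization turns on CoA so ISE can
! change a session's authorization after the posture result arrives
aaa-server ISE protocol radius
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server ISE (inside) host 10.10.5.10
 key <shared-secret-placeholder>
!
! Remote-access tunnel group that authenticates and accounts against ISE
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
```

With this layout the Sophos must allow RADIUS authentication, accounting and CoA traffic between the ASAv inside address and ISE; otherwise posture is assessed but the session's authorization never changes.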