Techrunner

ISE Posture with Sophos VPN clients

We have Sophos Firewalls and we are looking at rolling out Cisco ISE to implement Device Posture for SSL VPN Clients.
The concerning issue is how to perform device posturing for Sophos SSL Remote Access VPN Clients, because Sophos cannot be integrated with Cisco ISE.

Any advice on this, please?

Thanks
Craig Beck

There's no way you can do anything easily or user-friendly with posture in your scenario. You can assess it, but you can't take action based on it unless you get the client to connect twice. This is because your firewall doesn't support CoA (change of authorization).
Techrunner

ASKER

Thanks.
So what could be the best alternative solution in such a case, even though users are required to log in twice?
ASKER CERTIFIED SOLUTION
Craig Beck

The Cisco design team has advised installing a vASA behind the Sophos Firewall just for SSL VPN, moving the users from ASA, and integrating it with ISE for AnyConnect.

I am not sure how well this design is validated. I appreciate your kind suggestion.
SOLUTION
Thanks. So the attached design would be good.

Sophos VPN.jpg
Yes. HTTPS passed through to the ASAv would be perfect. Ensure the ASAv uses the Sophos as its default route for internet-bound traffic and a static route or routing protocol (if the Sophos supports it) for LAN-side subnets/resources.
The ASAv would have sub-interfaces (outside and inside) connected to the Sophos: a default route via the Sophos on the outside interface, and a static route to the LAN subnets with the Sophos as next hop on the inside interface.

That's correct?
Yes, sounds good.
Thanks for the great as usual
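The ASAv design agreed above (two sub-interfaces towards the Sophos, default route out the outside interface, static LAN route via the inside interface, AnyConnect authenticated against ISE with CoA enabled so posture results can change the session without a second login), written out as an added ASA configuration fragment. This is not configuration from the thread; VLAN IDs, addresses, interface and object names and the shared secret are constructed placeholders, and the ISE posture redirect ACL and DAPs are left out.

```text
! --- Sub-interfaces towards the Sophos (constructed VLAN IDs and addresses) ---
interface GigabitEthernet0/0
 no nameif
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0      ! Sophos outside-facing leg is 192.0.2.1
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.255.0.2 255.255.255.0     ! Sophos inside-facing leg is 10.255.0.1
!
! --- Routing: internet-bound traffic to the Sophos on outside, LAN subnets via inside ---
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.10.0.0 255.255.0.0 10.255.0.1 1   ! constructed LAN summary
!
! --- ISE as RADIUS server; dynamic-authorization lets ISE send CoA after posture ---
! Accounting is required so ISE can track the VPN session it will later re-authorize.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.10.5.10   ! constructed ISE PSN address
 key <radius-shared-secret>               ! placeholder, set per ISE network device entry
 authentication-port 1812
 accounting-port 1813
!
! --- AnyConnect SSL VPN on the outside sub-interface (Sophos must DNAT TCP/443 to 192.0.2.2) ---
webvpn
 enable outside
 anyconnect enable
!
group-policy GP-SSLVPN internal
group-policy GP-SSLVPN attributes
 vpn-tunnel-protocol ssl-client
!
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
```

Without `dynamic-authorization` and the accounting-server-group, ISE can still record the posture result but cannot move the session to a compliant policy, which is the "connect twice" limitation described above for the Sophos.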