Posts tagged ‘VPN’

Using Cisco AnyConnect In A Virtual Machine

Using Cisco AnyConnect in a virtual machine is problematic. This post details how to enable that operation from within the virtual machine.


ISSUE

When one attempts to run the VPN client in a virtual machine, they are presented with:

Cisco Failure

The actual error is:

VPN establishment capability from a remote desktop is disabled. A VPN connection will not be established.


Cisco Resolution (Incomplete)

Cisco advises resolving this by changing the value of WindowsVPNEstablishment to AllowRemoteUsers and references a now defunct web page:

How to enable Cisco Anyconnect VPN through Remote Desktop

Unfortunately it does not specify whether that change is made on the server or on the client.

Resolution (Client)

To resolve the issue one has to intercept the file CHS-TwoFactor-VPN_client-profile.xml, which is downloaded (or updated) during connection, and change one or more settings in it. This method was proposed in the post Bypassing Cisco AnyConnects profile settings by Joao. His method was to create a C# file watcher which, when the XML file changed, replaced it with a settings file that had WindowsVPNEstablishment as well as WindowsLogonEnforcement commented out. But I found that his code/methodology had a couple of problematic issues which could cause it to fail. Specifically, the value of the key WindowsVPNEstablishment needs to be set to AllowRemoteUsers and not just commented out. I document my solution below.

Xml Changes

Before

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>

After

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

Note that I do not change WindowsLogonEnforcement as advised by Joao because I am surmising that I only have one connection to corporate at a time, which is in the virtual machine. I believe that this setting is for multiple connections (?) … so if you run into further issues, that may need to be addressed.
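As an added example (not part of the original post and not Joao's code), here is a small C# audit utility for the other side of this change: a desktop or VPN administrator can run it to see which profiles on a machine carry the values discussed above. It walks the Profile directory used in this post, parses every .xml profile, reports WindowsLogonEnforcement and WindowsVPNEstablishment, and flags any profile set to AllowRemoteUsers. The embedded sample XML is constructed for the example and reduced to the two elements; the default namespace on AnyConnectProfile is the one I expect real profiles to declare, which is why elements are matched by local name rather than by full name. It is written against C# 5 so that the in-box csc.exe named in the design considerations can compile it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.Linq;

// Added example, not from the original post: audit AnyConnect client profiles for the
// two settings discussed above and flag profiles that allow VPN use from a remote session.
// Written against C# 5 so the in-box csc.exe can compile it (no $"" or => members).
class ProfileAudit
{
    // Same directory as the post's watcher program.
    const string ProfileDir = @"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile";

    public class ProfileSettings
    {
        public string SourceName;
        public string LogonEnforcement;   // null when the element is absent
        public string VpnEstablishment;   // null when the element is absent

        public bool AllowsRemoteUsers
        {
            get { return string.Equals(VpnEstablishment, "AllowRemoteUsers", StringComparison.OrdinalIgnoreCase); }
        }
    }

    // Real profiles declare a default namespace on AnyConnectProfile, so match on the
    // local name instead of hard-coding the namespace. Returns null if the element is missing.
    static string ElementValue(XDocument doc, string localName)
    {
        foreach (XElement el in doc.Descendants())
            if (el.Name.LocalName == localName)
                return el.Value.Trim();
        return null;
    }

    public static ProfileSettings Parse(string sourceName, string xml)
    {
        XDocument doc = XDocument.Parse(xml);
        ProfileSettings s = new ProfileSettings();
        s.SourceName = sourceName;
        s.LogonEnforcement = ElementValue(doc, "WindowsLogonEnforcement");
        s.VpnEstablishment = ElementValue(doc, "WindowsVPNEstablishment");
        return s;
    }

    // Parses every .xml file in the directory; a file that is not well-formed XML is
    // reported and skipped rather than aborting the whole audit.
    public static List<ProfileSettings> AuditDirectory(string dir)
    {
        List<ProfileSettings> results = new List<ProfileSettings>();
        foreach (string path in Directory.GetFiles(dir, "*.xml"))
        {
            try
            {
                results.Add(Parse(Path.GetFileName(path), File.ReadAllText(path)));
            }
            catch (System.Xml.XmlException ex)
            {
                Console.WriteLine("Skipping " + path + ": " + ex.Message);
            }
        }
        return results;
    }

    static void Report(ProfileSettings s)
    {
        Console.WriteLine("{0,-45} LogonEnforcement={1,-16} VPNEstablishment={2,-16} {3}",
            s.SourceName,
            s.LogonEnforcement ?? "(absent)",
            s.VpnEstablishment ?? "(absent)",
            s.AllowsRemoteUsers ? "<-- remote sessions allowed" : "");
    }

    static void Main(string[] args)
    {
        // Constructed sample, reduced to the elements this check looks at. The namespace is
        // the one AnyConnect profiles normally declare (an assumption of this example).
        const string sample =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
            "<AnyConnectProfile xmlns=\"http://schemas.xmlsoap.org/encoding/\">" +
            "  <ClientInitialization>" +
            "    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>" +
            "    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>" +
            "  </ClientInitialization>" +
            "</AnyConnectProfile>";
        Report(Parse("sample (constructed)", sample));

        // Then the real profile directory, if present on this machine (or the one given as an argument).
        string dir = args.Length > 0 ? args[0] : ProfileDir;
        if (Directory.Exists(dir))
        {
            foreach (ProfileSettings s in AuditDirectory(dir))
                Report(s);
        }
        else
        {
            Console.WriteLine("Profile directory not found: " + dir);
        }
    }
}
```

Compile it the same way as the watcher program and run it from an elevated prompt so the Profile directory is readable; a line ending in "remote sessions allowed" is a profile that has been changed in the way this post describes (or pushed that way by the headend), which is what an administrator would want to notice.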

C# Code

Design Considerations

  • C# program which can be compiled outside of Visual Studio by C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (unknown).cs
  • Deletes the existing initial XML file as a first step, requiring a new download by the Cisco process.
  • Watches the directory %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile for changes.
  • When a Created event is raised, deletes the downloaded file and replaces it with a backup file in the same directory which has the aforementioned XML changes ready to go.

using System;
using System.IO;
using System.Threading;

// Written against C# 5 so that the in-box csc.exe named above can compile it
// (that compiler does not accept expression-bodied members or $"" interpolation).
class Program
{
    const string FileName = "CHS-TwoFactor-VPN_client-profile";
    const string Directory = @"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile";
    const string PathedFileName = Directory + @"\" + FileName + ".xml";
    const string BackupFileName = Directory + @"\" + FileName + ".bak";

    static readonly object Sync = new object();
    static volatile bool HasReplaced = false;

    static void Main(string[] args)
    {
        Console.WriteLine("Watcher started on Directory" + Environment.NewLine + Directory);

        // Remove the profile AnyConnect already has so that it downloads a fresh copy,
        // which is the event the watcher waits for.
        DeleteFile();

        FileSystemWatcher watcher = new FileSystemWatcher(Directory);
        watcher.Filter = FileName + ".xml";   // only the profile file matters
        watcher.Created += Watcher_Changed;
        watcher.Changed += Watcher_Changed;
        watcher.EnableRaisingEvents = true;

        while (!HasReplaced)
            Thread.Sleep(50);

        watcher.EnableRaisingEvents = false;
        watcher.Dispose();
    }

    private static void Watcher_Changed(object sender, FileSystemEventArgs e)
    {
        // Created and Changed can both fire for a single download; the lock and the
        // flag make sure the replacement happens exactly once.
        lock (Sync)
        {
            if (HasReplaced)
                return;

            Console.WriteLine(e.ChangeType + " Event");
            ReplaceFile();
        }
    }

    static void ReplaceFile()
    {
        DeleteFile();

        // The .bak holds the profile with WindowsVPNEstablishment set to AllowRemoteUsers.
        File.Copy(BackupFileName, PathedFileName);

        HasReplaced = true;
        Console.WriteLine("File Replaced");
    }

    static void DeleteFile()
    {
        // AnyConnect may still hold the file open right after Created fires, so retry briefly.
        for (int attempt = 0; attempt < 20; attempt++)
        {
            try
            {
                if (File.Exists(PathedFileName))
                {
                    File.Delete(PathedFileName);
                    Console.WriteLine("Removing " + FileName + ".xml");
                }
                return;
            }
            catch (IOException)
            {
                Thread.Sleep(100);
            }
        }
        throw new IOException("Could not remove " + PathedFileName);
    }
}

Usage

XML File

  1. In the %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile directory, create a backup file named CHS-TwoFactor-VPN_client-profile.bak with the changes mentioned in the XML Changes section.

This file is used by the C# program to replace the file downloaded from Cisco at the right moment.

C# File

  1. Copy the generated exe (only the exe; ignore the other unneeded files) into a directory on the virtual machine.
  2. Create a shortcut on the desktop to the file (in Explorer, drag the exe file while holding Ctrl+Shift to create a link).
  3. Right-click the link on the desktop and choose Run as administrator.
  4. Login through AnyConnect.

Note that the program prints status messages; if you want to see them, run the program from a command shell that is itself running as an administrator.
