Connecting by VPN?

There are, roughly speaking, two methods to connect via VPNaaS (don’t panic, this just means the headend is now in the cloud):

  • DTLS uses UDP 443 (yes, that 443). This matters because who blocks 443? Invented by Cisco, apparently.
  • IKEv2 IPsec tunnels. UDP 500 and 4500. Important as it is the only current method that supports always-on VPN. What is this? Well, it blocks all network access (not just internet access) unless the VPN is connected, apart from the locations you specify. This could be used to ensure all traffic leaving for the internet is secured, while still allowing AV updates to occur. Note: posturing.

User Identity Support

Allows zero trust principles to be followed, enabling ‘least privileged access’, aka a user can only access the parts of the network they should be accessing.

  • SAML. The redirect occurs in the AnyConnect VPN browser window, and it forces the user to identify and authenticate themselves for each connection. You can use MFA, fingerprints and whatever else your SAML provider supports to identify and authenticate users.
  • Certificate-based authentication. This bypasses the tedious user process of typing, remembering passwords, being challenged for MFA and having to find a phone. Instead, a Certificate Authority certificate (or multiple, if you feel the need), i.e. the one that signs your user and machine certificates, is uploaded to the Secure Access dashboard, and AnyConnect/Secure Access verifies that a certificate (or certificates) signed by it is present. Crucially, it also authenticates the user based on the selected certificate field.
