You want to implement a VPN with an alwayson fail close policy for Cisco AnyConnect clients.Which of the following does Cisco recommend that you do? (Select the best answer.)
- Start with a fail open policy, and implement fail close in phases.
- Start with the fail close policy, and implement fail open as necessary.
- Implement always-on, and leave the failure policy at the default setting.
- Implement always-on with a fail open policy, and enable the Disconnect button.
Cisco recommends that you start with a fail open policy and implement fail close in phases if you want to implement a virtual private network (VPN) with an always on fail close policy. The always on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually establishing a connection to the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always on clients. The fail open policy allows the client to complete a connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the AnyConnect device that is connected to the remote network could be compromised.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and devices that are available by using split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on Internet access to complete work related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.
There is no need to enable the Disconnect button, because the button is enabled by default when the always on feature is enabled. The Disconnect button enables users to manually disconnect from a VPN session that has been automatically established by the AnyConnect client. The Disconnect button can be disabled by an administrator.
Cisco does not recommend leaving the failure policy at the default setting if you want to implement a fail close policy. The fail close policy is the default failure policy when connect failure policies are enabled.