In my mission to deploy an always-on VPN except for our local networks, I'm thinking that since all of our sites are site-to-site connected, anywhere you go in the agency is a trusted network, no?
In the profile editor I put in our trusted domains, i.e., domain.org and *.domain.org, and I also put in the two DNS servers by IP. We also use Azure SSO; I figured out what needed to be excluded for that and it seems to be okay. Except, since my office is not at the main VPN hub (I'm at one of the spokes), the client isn't treating this location as a trusted network.
Thoughts? Am I not seeing something that is in plain sight?
A trusted network is your company's network, an untrusted network is any other network (your home, a shopping mall, etc.)
My question is stated with some sarcasm because how you define it is also how I define it, but my AnyConnect profile doesn't "trust" my network and is forcing a VPN connection, and I'm trying to figure out why.
Or, in a world of Zero Trust, implicit trust no longer exists. Your network is already compromised.
It's described quite nicely in the docs:
Apart from that, it's not really easy to troubleshoot your issue without further knowledge about your environment.
Let's say I put in trusted DNS domains, i.e., domain.org, *.domain.org
For trusted DNS servers I put in the internal IPs, 192.168.0.19, 192.168.1.7 (should I use FQDNs for those?)
We don't have internal servers that have SSL certificates installed. Is this an absolute necessity?
Yes: "You must have a secure web server that is accessible with a trusted certificate to be considered trusted."
We set up a web server internally and applied our SSL certificate to it. In the VPN Profile Editor we added it as a trusted server and, to my pleasant surprise, it pulls the certificate hash that it is supposed to. I save the profile and move it over to my test machine. Upon reboot, it's still not seeing the network as a trusted network. Granted, our site is site-to-site VPN'd back to the host site that has the trusted web server. Is that not enough?
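A worked check for the DNS side of trusted network detection, added here as an example (it is not code from the thread or from Cisco's client). It assumes the client only trusts a network when every configured DNS check passes, that `*` in a trusted domain is a glob wildcard, and that trusted DNS servers are compared as IP addresses against what the endpoint's adapter reports; the profile values and endpoint snapshots are constructed placeholders echoing the thread.

```python
import fnmatch
import ipaddress

# Constructed profile values echoing the thread (placeholders, not a real profile).
PROFILE = {
    "TrustedDNSDomains": ["domain.org", "*.domain.org"],
    "TrustedDNSServers": ["192.168.0.19", "192.168.1.7"],
}

# Constructed endpoint snapshots: what each adapter reports for DNS suffix and DNS servers.
# The spoke site hands out its own local DNS server, not the two listed in the profile.
HUB_ENDPOINT = {"dns_suffixes": ["domain.org"], "dns_servers": ["192.168.0.19", "192.168.1.7"]}
SPOKE_ENDPOINT = {"dns_suffixes": ["branch.domain.org"], "dns_servers": ["192.168.5.10"]}


def domain_trusted(suffixes, trusted_domains):
    """True if any adapter DNS suffix matches a trusted entry; '*' is a glob wildcard (assumed)."""
    return any(fnmatch.fnmatchcase(s.lower(), t.lower())
               for s in suffixes for t in trusted_domains)


def servers_trusted(servers, trusted_servers):
    """True if any adapter DNS server IP is in the trusted list.
    Entries are compared as IP addresses, so a hostname entry can never match."""
    trusted = set()
    for entry in trusted_servers:
        try:
            trusted.add(ipaddress.ip_address(entry))
        except ValueError:
            pass  # not an IP (e.g. an FQDN); it cannot match an adapter IP in this model
    return any(ipaddress.ip_address(s) in trusted for s in servers)


def evaluate_tnd(profile, endpoint):
    """Assumed rule: every DNS check that is configured must pass; empty lists are skipped.
    Returns (trusted, reasons) so the failing check is visible."""
    reasons = []
    domains = profile.get("TrustedDNSDomains", [])
    servers = profile.get("TrustedDNSServers", [])
    if domains and not domain_trusted(endpoint["dns_suffixes"], domains):
        reasons.append(f"DNS suffixes {endpoint['dns_suffixes']} match none of {domains}")
    if servers and not servers_trusted(endpoint["dns_servers"], servers):
        reasons.append(f"DNS servers {endpoint['dns_servers']} contain none of {servers}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, ep in (("hub", HUB_ENDPOINT), ("spoke", SPOKE_ENDPOINT)):
        ok, why = evaluate_tnd(PROFILE, ep)
        print(name, "trusted" if ok else "untrusted", *why)
```

Under this model the spoke endpoint fails only the DNS server check, which is the first thing to compare against the adapter's actual DNS settings at the spoke before looking at the trusted HTTPS server.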