Cisco AnyConnect Secure Mobility Solution

Cisco AnyConnect Secure Mobility Networking Solutions FAQ

Basics

Q. Where can I learn about Cisco AnyConnect Secure Mobility?
A. For information on Cisco® AnyConnect Secure Mobility, go to http://www.cisco.com/go/asm. This page contains overview presentations, an at-a-glance, recordings of technical talks, licensing documents, and so on.
Q. Is this solution different from Mobile User Security?
A. No. AnyConnect Secure Mobility is the official name for the internal project that was called Mobile User Security.
Q. What products does the customer need in order to use AnyConnect Secure Mobility?
A. The customer needs:

Cisco Adaptive Security Appliance (ASA) 8.3 or later

Cisco AnyConnect Secure Mobility Client 2.5 or later

Cisco IronPort® Web Security Appliance (WSA) 7.0 or later

Licensing

Q. What license does the customer need to enable AnyConnect Secure Mobility?
A. The customer needs to purchase a Secure Mobility license for the WSA. As a prerequisite, the customer must have an AnyConnect license for the remote users. For more details, see the following:

How To Sell AnyConnect Secure Mobility: VoD

AnyConnect Secure Mobility Ordering Guide

Both of these are available here: http://www.cisco.com/go/asm

Q. Does the customer need AnyConnect Premium for Secure Mobility?
A. No. The AnyConnect Essentials license, combined with the Secure Mobility license on the WSA, is sufficient.
Q. My customer needs always-on VPN, but they do not have a WSA and do not intend to buy a WSA in the near future. How can they get always-on VPN?
A. In this situation, the customer can buy Cisco AnyConnect Premium to get always-on VPN. An AnyConnect Premium license gives them the right to use always-on VPN (and ASA) with a non-Cisco web gateway.
Q. How much does AnyConnect Secure Mobility cost?
A. The price for the Secure Mobility license on the WSA is available in the latest IronPort price book. Note that the Secure Mobility license must be sold for the total number of remote users (not concurrent remote users, not the number of mobile devices, and not the in-office users).

In addition to the Secure Mobility license on the WSA, consider the following before discussing pricing with the customer:

Does the customer have all the products needed for AnyConnect Secure Mobility to work (AnyConnect licenses, ASA, and WSA)?

Are the customer's current ASAs sized appropriately for the needs of always-on VPN? See “How do I size the ASAs required for AnyConnect 2.5?” below.

Does the customer have enough AnyConnect licenses for always-on VPN?

Q. Why isn't there a single bundled price for AnyConnect Secure Mobility?
A. Cisco and IronPort have different back-end systems. As we move toward unifying these systems and price books, we will begin to look at creating solution bundles. For now, we will continue to sell WSA and AnyConnect separately.
Q. How many users should I license AnyConnect Secure Mobility for?
A. AnyConnect Secure Mobility involves user licenses on two devices: an AnyConnect license on the ASA and a Secure Mobility license on the WSA. Here is the number of users you’ll need to license on each:

AnyConnect license: Maximum expected concurrent VPN connections

Secure Mobility license on the WSA: Total number of remote users

For example, let’s say the customer has a total of 1000 remote users:

On the WSA, the customer will need to buy 1000 user Secure Mobility licenses.

The number of AnyConnect licenses on the ASA requires consultation with the customer. With always-on VPN, the maximum number of concurrent VPN connections is expected to be 500 to 1000. See the next question for more details.

Q. How do I size the ASAs required for AnyConnect 2.5?
A. The primary factor in sizing ASAs for AnyConnect Secure Mobility is the number of concurrent VPN connections. The Cisco ASA 5500 Series can scale from 25 to 10,000 concurrent VPN connections, depending on the model. Follow these steps to size the ASAs for your customer’s environment:

Step 1: Determine the maximum expected number of concurrent VPN connections in an always-on VPN scenario. You can use the following two guidelines to estimate this number (see also the notes below).

Guideline 1: If the customer knows the maximum expected number of concurrent VPN connections, based on a current VPN deployment, multiply the number by a factor N to account for always-on VPN. This factor is likely to fall somewhere between 2 and 4.

Guideline 2: Use the total number of remote users to estimate the maximum expected number of concurrent VPN connections. In a typical organization, assuming only one network-connected device per employee, the ratio of total remote users to maximum expected concurrent VPN connections may be somewhere between 3 to 1 and 1.5 to 1.

Step 2: Use the following link to determine the Cisco ASA 5500 Series model needed to support the maximum expected number of concurrent VPN connections: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html. Remember to account for redundancy.

Step 3: Repeat steps 1 and 2 for each location that remote users will connect to.

Note: These guidelines are given only as a rule of thumb. The numbers will depend on several factors, such as the time zones the employees are in (for example, if half of them are in the Americas and the other half in Asia, the number of concurrent connections will be lower due to very different time zones), whether teleworkers work remotely at different times of the day, the number of devices each employee is expected to use, and the bandwidth required to deliver applications remotely. Consult the customer, and choose a conservative (larger) number.

Note: The 25 to 10,000 concurrent VPN connections should not be confused with the firewall's TCP connections. The ASA supports much larger numbers for the TCP connections. Both of these numbers are documented at: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html.

Q. How do I size the WSAs required for AnyConnect Secure Mobility?
A. The WSA hardware sizing is based on web requests per second in the customer environment. Various tools are available to find out the maximum number of requests per second that any WSA box will support. These tools, including the WSA hardware sizing guide, are available with Cisco Security Sales. If you are a Cisco Partner, contact your Cisco account manager or system engineer to get the WSA hardware sizing guide.
Q. What is the impact on latency experienced by users with always-on VPN?
A. With the always-on feature of AnyConnect 2.5, the user does not have the option to disconnect the VPN, and all traffic goes through the WSA. Therefore, it is important to measure the impact of always-on VPN on the user experience in terms of latency. Performance tests conducted by Cisco have shown that the latency difference between normal VPN and AnyConnect Secure Mobility (always-on VPN with traffic going through the WSA) is 10 percent or less. These tests were conducted with a range of ASA and WSA models. Note that it is important to correctly size the environment in order to minimize the impact of AnyConnect Secure Mobility on latency.
Q. Does the customer need a router for AnyConnect Secure Mobility?
A. The WSA’s deployment model depends on whether the customer will deploy the WSA as a transparent proxy or an explicit forward proxy. This choice in turn determines whether a router is required:

Explicit forward proxy: With an explicit forward proxy, client applications such as web browsers are aware of the web proxy and must be configured to point to a WSA. This deployment requires a connection to a standard network switch. When you deploy the web proxy in explicit forward mode, you can place it anywhere in the network.

Transparent proxy: With a transparent proxy, client applications are unaware of the web proxy and do not have to be configured to connect to it. This deployment requires a Layer 4 switch or a Web Cache Communication Protocol (WCCP) v2 device. This WCCP device can be (1) a WCCP v2 switch, (2) a WCCP v2 router, (3) a Layer 4 switch, or (4) an ASA (provided you redirect the remote user traffic to the inside interface of the ASA).

The WCCP redirection is lightweight, so it does not place any restrictions on the size of the WCCP redirection device. If a customer chooses this deployment model, it is very likely that they already have an existing device capable of WCCP redirection. Reuse that device; you do not need to replace it with a bigger box because of WCCP. The Cisco Smart Business Architecture Internet Edge Deployment Guide lists the recommended WCCP-capable devices for a 5,000- and 10,000-user organization. This guide can be accessed at: http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns982/landing_sBus_archit.html.

Use the following documentation to familiarize yourself with the deployment options for AnyConnect Secure Mobility:

Cisco AnyConnect Secure Mobility Solution Guide for various architectures supported with AnyConnect Secure Mobility

Cisco IronPort AsyncOS 7.0 for Web User Guide for WSA deployment details

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5 for AnyConnect deployment details

Cisco Smart Business Architecture web page for the following deployment documentation:

- Internet Edge Deployment Guide for enterprise customers

- Web Security Deployment Guide for midsize customers


Documentation and Demos

Q. Is there an enterprise deployment guide for AnyConnect Secure Mobility?
A. Use the following documentation:

Start with the Cisco AnyConnect Secure Mobility Solution Guide for various architectures supported with AnyConnect Secure Mobility.

Once you know the supported architectures, use the following documents for more details.

Cisco IronPort AsyncOS 7.0 for Web User Guide for WSA deployment details

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5 for AnyConnect deployment details

Cisco Smart Business Architecture web page for the following deployment documentation:

- Internet Edge Deployment Guide for enterprise customers

- Web Security Deployment Guide for midsize customers

Q. Where can I find the WSA and AnyConnect documentation?
A. WSA 7.0 documentation is available on the Cisco IronPort customer support portal: http://www.cisco.com/en/US/products/ps10164/tsd_products_support_series_home.html.
AnyConnect 2.5 documentation is available at: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/anyconnectadmin25.html.
Q. Where can I find Cisco ASA 8.3 documentation?
Q. Where can I find self-running demos of AnyConnect Secure Mobility?
A. Demos are available at: http://www.cisco.com/go/asm.

Printed in USA C67-627275-00 10/10