Guest

Cisco AnyConnect VPN Client

AnyConnect with Jabber On-Demand Feature for Apple iOS Devices

Document ID: 115784

Updated: Apr 29, 2013

Contributed by Gustavo Medina and Walter Lopez, Cisco TAC Engineers. 

   Print

Introduction

The Cisco Jabber mobile client for Apple iOS devices, such as the iPhone and iPad, enable smartphones and tablets to make and receive enterprise calls with voice or voice and video over IP. The Cisco Jabber mobile client application with Apple iOS device registers and communicates with Unified Communications Manager (UCM) that uses the Session Initiation Protocol (SIP) signaling protocol.

The Cisco Jabber mobile client also enables additional features, such as corporate directory access, enterprise visual voicemail, and in some cases, enterprise instant messaging, and presence.

This document provides information and a configuration example for AnyConnect with the Jabber On-Demand feature for Apple iOS devices.

Prerequisites

The Cisco Call Manager Server should be prepared to support Cisco Jabber from Apple iOS devices. Refer to these resources for more information.


Connect On-Demand supports only certificate-authenticated connections; the certificate authentication is not covered in this document. Before you begin, be sure to:

  1. Confirm you have a valid secure socket layer (SSL) certificate installed in the mobile device.
  2. Confirm the Adaptive Security Appliance (ASA) is enrolled with a valid SSL certificate.
  3. Confirm the ASA is set up to authenticate the session with the use of certificates.

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • AnyConnect Premium or AnyConnect Essentials license.
  • AnyConnect for mobile license.

Refer to What ASA License Is Needed for IP Phone and Mobile VPN Connections? for further details.

Components Used

The System Requirements might be different dependent on the Jabber version. Refer to the Release Notes for the exact requirements.

The information in this document is compatible with these software and hardware versions:

  • Cisco Unified Communications Manager (CUCM) 7.1.5, 8.0.3, 8.5, 8.6, and 9.0
  • AnyConnect Secure Mobility Client version 2.5.5130 and later
  • Cisco ASA 5500 Series Adaptive Security Appliance Version 8.4(1) or later
  • Cisco Adaptive Security Device Manager (ASDM) Version 6.4 or later
  • iPhone model 3GS, 4, 4S, and 5
  • iPod Touch third, fourth, or fifth generation (third-generation iPod Touch requires an external microphone for calls)
  • iOS support: iOS 5,  6, and 6.1
  • iPad 2 or the iPad with Retina display

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

AnyConnect with Jabber On-Demand Feature

Many administrators like the idea that the Jabber application automatically triggers the VPN connection when it is needed.

For example, the Jabber application works fine when users are at the corporate network over wireless and VPN when AnyConnect is manually opened and connected. However, you might want to avoid user interaction and have an On-Demand feature in place.

The Jabber application first contacts the TFTP server. If it is unreachable, it then uses a DNS search to the On-Demand VPN URL defined on the TCT device in the Call Manager. It means if the client is on the corporate network, then the VPN should not be triggered. However, if the client is on an external network, then the On-Demand feature is triggered.

In order for Jabber to trigger the VPN connection automatically:

  • The same URL used on the trace collection tool (TCT) devices must be used on the AnyConnect On-Demand Domain:
  • The corporate network must not be directly available when users launch Jabber.
  • The iPhone can connect with On-Demand access with certificate-based authentication.
  • Jabber must identify a URL that is set up to launch VPN On-Demand; then you must enter the URL in the AnyConnect client; the trigger for VPN On-Demand is a failed DNS query on this domain.

In order to set up the Jabber On-Demand feature, use one of these methods:

  1. Configure CUCM to be accessed through a domain name (not an IP address) and ensure that this domain name is not resolvable outside the firewall. Include this domain in the Connect If Needed list in the AnyConnect client connection's Connect On-Demand Domain List.

  2. If you cannot use a domain name to access CUCM or cannot make the DNS lookup of that domain name that failed from outside the firewall, then you must enter a non-existent domain in the On-Demand URL (this fails a DNS query inside and outside the firewall). Then, add that domain to the Always Connect list in the AnyConnect client connection's Connect On-Demand Domain List.

Apple iOS establishes a VPN connection on behalf of an application only if all of these factors are true:

  • A VPN connection is not already established.
  • An application specifies a destination with its fully-qualified domain name (FQDN) rather than an IP address.
  • The connection entry is configured to use a valid certificate.
  • Connect On-Demand is enabled in the connection entry.
  • AnyConnect fails to match a string in the Never Connect list to the domain request.
  • Either of the following is true:
    • AnyConnect matches a string in the Always Connect list to the domain request.
    • A DNS lookup failed, and AnyConnect matches a string in the Connect if Needed list to the domain request.

User Experience, VPN Initiation on iOS

  • The remote end-user launches the Jabber Client.
  • The Jabber Client triggers On-Demand VPN, and the AnyConnect Client establishes an SSL VPN connection with the ASA VPN Gateway with Certificate-based authentication.
  • Jabber connects to the CUCM using the SSL VPN tunnel as transport method.
  • When the SSL VPN is established as a result of the On-Demand feature, the user does not see a popup or message. The only indication that the AnyConnect is connected is the VPN logo indicator in the top bar.

115784-anyconnect-jod-01.png

Important Considerations

  • Apple iOS provides mechanisms, such as On-Demand VPN, to automatically start the VPN tunnel for the user.  However, these mechanisms do not automatically close the tunnel when the user has finished their access to the corporate network.
  • Remember in AnyConnect Release 2.5.4038 and later, you can take advantage of the mobile-specific additions to the AnyConnect VPN Client Profile and configure the On-Demand attributes on the profile.
  • Users cannot manually configure Connect On-Demand in connection profiles downloaded from the ASA.
  • For the AnyConnect On-Demand XML Profile configuration, use the same URL that you entered for the CUCM On-Demand VPN URL.
  • The SSL connection between the AnyConnect and ASA should use group-url or certificate mapping in order to select to which Connection Profile (tunnel-group) it connects; the connection should not request any user interaction in order for the On-Demand feature to work.
  • Currently, Cisco Jabber IM (instant messaging) does not support the On-Demand feature. Therefore, you must manually establish the VPN connection for the IM.

Jabber On-Demand Configuration Example

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Step 1: Find the Domain

Find the domain the Jabber needs to use in order to trigger the On-Demand feature. This can be found when the Jabber application is opened on the iPhone, for example. Go to Settings > Internet Calling > TFTP Server. In this example, the value is cucm.cisco.com.

115784-anyconnect-jod-02.png

Step 2: Create the XML Profile

The next step is to create the XML Profile for the AnyConnect. Go to the Adaptive Security Device Manager (ASDM).

  1. Open the profile in the AnyConnect Client Profile Editor - On_Demand, and go to Server List.

    115784-anyconnect-jod-03.png

  2. Select the Server List and click Edit.

    115784-anyconnect-jod-04.png

  3. Check the box for Additional mobile-only settings and click Edit. The Mobile Settings window opens.

    115784-anyconnect-jod-05.png

  4. On the Mobile Settings window, check the box Connect On Demand (requires certificate authentication).

    115784-anyconnect-jod-06.png

  5. Under Match Domain or Host/On-Demand Action, include the URL for the Jabber to connect and select the correct On Demand Action dependent on your needs (Always Connect or Connect If Needed).

    115784-anyconnect-jod-07.png

Step 3: Download the XML and check the Domain(s) in the Profile

When the XML Profile is downloaded to the AnyConnect, check the domains on the iPhone and make sure the XML Profile is the same that was configured in the ASDM.

115784-anyconnect-jod-08.png

Step 4: Find the Jabber Device ID in the Communications Manager on the phone

In this example, the Device ID shows TCTIPHONE.

115784-anyconnect-jod-09.png

Step 5: Find the device in CUCM Administration

In CUCM, click Device > Phone and the list of phones connected (or configured) are displayed. In this example, TCTIPHONE is listed.

115784-anyconnect-jod-10.png

Step 6: Add the Domain to the TCT Phone

In Phone Configuration, enter the URL in the On-Demand VPN URL field.

Note: The URL must include only the domain name. Do not include a protocol or a path.

In the TCT device, define the On-Demand VPN URL field to a value that cannot be resolved externally. This is only to trigger the connection. For example, you can use "cucm.cisco.com" without https:// or http://. Also, make sure that you enter that same domain on the AnyConnect client profile.

115784-anyconnect-jod-11.png

Related Information

Updated: Apr 29, 2013
Document ID: 115784