Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5
Introduction to the AnyConnect Secure Mobility Client

Table Of Contents

Introduction to the AnyConnect Secure Mobility Client

Remote User Interface

Standalone and WebLaunch Options

AnyConnect Licensing Options

Files and Components

Installing Start Before Logon Components (Windows Only)

AnyConnect Profile Files Installed on the Local Computer

User Preferences Files Installed on the Local Computer

Configuration and Deployment Overview

AnyConnect Secure Mobility Feature Configuration Guidelines

API

Installing Host Scan


Introduction to the AnyConnect Secure Mobility Client


The Cisco AnyConnect Secure Mobility client is the next-generation VPN client. It provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance (ASA) running ASA software version 8.0(2) or later and Adaptive Security Device Manager (ASDM) version 6.1(3) or later. AnyConnect gives end users a connectivity experience that is intelligent, seamless, and always-on, with secure mobility across today's proliferating managed and unmanaged mobile devices.

Deployable from the ASA or from Enterprise Software Deployment Systems

AnyConnect can be deployed to remote users from the ASA or with an enterprise software deployment system. When it is deployed from the ASA, the remote user opens a browser and makes an initial SSL connection to the IP address or DNS name of an ASA configured to accept clientless SSL VPN connections. The ASA presents a login screen in the browser window and, if the user satisfies the login and authentication, downloads the client that matches the computer's operating system. The client then installs and configures itself and establishes an SSL connection to the ASA.

Customizable and Translatable

You can customize AnyConnect to display your own corporate image to remote users. You can rebrand AnyConnect by replacing the default GUI components, deploy a transform you create for more extensive rebranding, or deploy your own client GUI built on the AnyConnect API. You can also translate the messages displayed by AnyConnect or the installer program into the language preferred by the remote user.

Easily Configured

Using ASDM, you can easily configure AnyConnect features in the client profile—an XML file that provides basic information about connection setup, as well as advanced features such as Start Before Logon (SBL). For some features, you also need to configure the ASA. The ASA deploys the profile during AnyConnect installation and updates.

This chapter includes the following sections:

Remote User Interface

Standalone and WebLaunch Options

Files and Components

Configuration and Deployment Overview

API

Remote User Interface

Remote users see the AnyConnect user interface (Figure 1-1). The Connection tab provides a drop-down list of profiles for connecting to remote systems. You can optionally configure a banner message to appear on the Connection tab. The status line at the bottom of the interface shows the status of the connection.

Figure 1-1 Connection Tab

If you do not have certificates set up, you might see the dialog box shown in Figure 1-2.

Figure 1-2 Security Alert Dialog Box


Note This dialog box opens only if a certificate the client can verify has not been deployed. Clicking Yes connects anyway, without the client having verified the identity of the ASA, so a user who accepts the alert on a hostile network could be connecting to an impostor. Deploying a server certificate the endpoint can verify removes both the prompt and that exposure.


The Security Alert dialog box appears only on the first connection attempt to a given ASA. After the connection is successfully established, the "thumbprint" of the server certificate is saved in the preferences file, so the user is not prompted on subsequent connections to the same ASA.

If the user switches to a different ASA and back, the Security Alert dialog box appears again.

You can control whether the client caches the certificate thumbprint by deploying a local policy file, an XML file that specifies additional client security parameters. With a local policy deployed, the client does not cache the thumbprint by default, so the user receives the Security Alert dialog box every time they connect to an ASA whose certificate cannot be verified. For more information on the local policy, see Chapter 4 "Enabling FIPS and Additional Security in the Local Policy".

Table 1-1 shows the circumstances and results when the Security Alert dialog box appears. For more information about security alerts, see Adding a Security Certificate in Response to Browser Alert Windows, in Chapter 2 "Configuring the Security Appliance to Deploy AnyConnect".

Table 1-1 Certificate, Security Alert, and Connection Status

Certificate status: The server certificate sent to AnyConnect from the ASA is independently verifiable and has no serious errors.
Does the Security Alert appear? No
AnyConnect connection status: Success

Certificate status: The server certificate sent to AnyConnect from the ASA is not independently verifiable and contains serious errors.
Does the Security Alert appear? No
AnyConnect connection status: Failure

Certificate status: The server certificate sent to AnyConnect from the ASA is not independently verifiable but does not contain serious errors.
Does the Security Alert appear? Yes
AnyConnect connection status: Because AnyConnect cannot verify the certificate, the connection is still a security concern. AnyConnect asks the user whether to continue with the connection attempt.
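The decision behind Table 1-1 and the thumbprint caching described above, as an added example written for this page rather than taken from AnyConnect. It models the three rows of the table plus the preferences-file behaviour the text describes: after the user accepts an unverifiable certificate, the client remembers the thumbprint for the gateway it last connected to, so the same gateway with the same certificate does not prompt again, while switching gateways, a changed certificate, or a deployed local policy (which disables caching) brings the prompt back. Assumptions not stated by the guide: the thumbprint is SHA-1 over the DER certificate bytes, a certificate with serious errors fails whether or not it chains to a trusted CA, and the certificate bytes and gateway names are constructed.

```python
"""Model of the Security Alert decision and thumbprint cache (added example, not Cisco code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class ServerCert:
    der: bytes            # certificate bytes as sent by the gateway (constructed)
    verifiable: bool      # chains to a CA the endpoint trusts
    serious_errors: bool  # e.g. expired or hostname mismatch, as judged by the client

    def thumbprint(self) -> str:
        # Assumption: SHA-1 over DER, the usual "thumbprint" shown by certificate viewers
        return hashlib.sha1(self.der).hexdigest()


class Client:
    """Minimal model of the client's connect decision and its preferences cache."""

    def __init__(self, local_policy: bool = False) -> None:
        self.local_policy = local_policy                 # local policy deployed -> no caching
        self.cached: Optional[Tuple[str, str]] = None    # (gateway, thumbprint) last accepted
        self.prompts = 0                                 # Security Alerts shown so far

    def connect(self, gateway: str, cert: ServerCert,
                user_accepts: Callable[[], bool]) -> str:
        """Return "success" or "failure" for one connection attempt."""
        if cert.serious_errors:
            return "failure"          # Table 1-1 row 2: no prompt, the attempt fails
        if cert.verifiable:
            return "success"          # Table 1-1 row 1: nothing to ask the user
        # Row 3: unverifiable but otherwise clean, so the user decides, unless this
        # gateway and certificate were accepted last time and caching is allowed.
        if not self.local_policy and self.cached == (gateway, cert.thumbprint()):
            return "success"
        self.prompts += 1
        if not user_accepts():
            return "failure"
        if not self.local_policy:
            self.cached = (gateway, cert.thumbprint())
        return "success"


def walkthrough() -> dict:
    """Replay the scenarios from the text and report the prompt counts observed."""
    accept = lambda: True
    asa1_cert = ServerCert(b"constructed DER for asa1", verifiable=False, serious_errors=False)
    asa2_cert = ServerCert(b"constructed DER for asa2", verifiable=False, serious_errors=False)
    rogue_cert = ServerCert(b"different cert presented for asa1", verifiable=False, serious_errors=False)

    c = Client()
    c.connect("asa1", asa1_cert, accept)     # first contact: prompt 1
    c.connect("asa1", asa1_cert, accept)     # same gateway, same cert: no prompt
    after_repeat = c.prompts
    c.connect("asa2", asa2_cert, accept)     # different ASA: prompt 2
    c.connect("asa1", asa1_cert, accept)     # back again: prompt 3 (only the last one is remembered)
    after_switch = c.prompts
    # A changed certificate on a known gateway, as an interception would present,
    # is prompted for again; here the user declines.
    rogue_result = c.connect("asa1", rogue_cert, lambda: False)

    lp = Client(local_policy=True)
    lp.connect("asa1", asa1_cert, accept)
    lp.connect("asa1", asa1_cert, accept)    # no cache with a local policy: prompt every time

    return {
        "after_repeat": after_repeat,
        "after_switch": after_switch,
        "rogue_result": rogue_result,
        "local_policy_prompts": lp.prompts,
    }


if __name__ == "__main__":
    print(walkthrough())
```

The model makes the trade-off visible: caching the thumbprint stops the user being asked twice for the same gateway, but a certificate that changes on a known gateway is exactly the case that should be questioned, and a local policy forces that question on every connection.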


Figure 1-3 shows the Statistics tab, including current connection information.

Figure 1-3 Statistics Tab

Clicking Details opens the Statistics Details window (Figure 1-4).

Figure 1-4 Statistics Tab > Statistics Details

The options available in this window depend on the packages that are loaded on the client PC. If an option is not available, its radio button is inactive and a "(Not Installed)" indicator appears next to the option name in the dialog box. The buttons in the window do the following:

Clicking Reset clears the connection counters to zero. AnyConnect immediately begins collecting new data.

Clicking Export Stats... saves the connection statistics to a text file for later analysis and debugging.

Clicking Troubleshoot... launches the DART (Diagnostic AnyConnect Reporting Tool) wizard, which bundles the specified log files and diagnostic information for analyzing and debugging the AnyConnect connection. See Using DART to Gather Troubleshooting Information for information about the DART package.

The Route Details tab (Figure 1-5) shows the secured and non-secured routes for this connection.

Figure 1-5 User Interface, Statistics Tab > Route Details


Note A Secured Routes entry with the destination 0.0.0.0 and the subnet mask 0.0.0.0 means that all traffic is tunneled.
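How the two route lists on the Route Details tab decide where a packet goes, as an added example written for this page (not AnyConnect code). It takes the Secured Routes and Non-Secured Routes as the "network, subnet mask" pairs the tab displays and answers two questions: is every destination tunneled, and which way does a particular destination travel. Overlapping entries are resolved by longest prefix, which is how the endpoint's routing table resolves them; the guide itself only states the 0.0.0.0 rule, so that tie-break is an assumption. The route lists are constructed, not exported from a client.

```python
"""Interpreting Route Details entries (added example, not Cisco code)."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (destination network, subnet mask) exactly as shown on the tab


def parse_routes(entries: Iterable[Route]) -> List[ipaddress.IPv4Network]:
    """Turn "network mask" pairs into networks; 0.0.0.0 0.0.0.0 becomes 0.0.0.0/0."""
    return [ipaddress.IPv4Network(f"{net}/{mask}", strict=False) for net, mask in entries]


def is_full_tunnel(secured: Iterable[Route]) -> bool:
    """True when a default route is among the secured routes, i.e. all traffic is tunneled."""
    return any(n.prefixlen == 0 for n in parse_routes(secured))


def path_for(dest: str, secured: Iterable[Route], non_secured: Iterable[Route]) -> str:
    """Return "tunnel", "direct", or "unroutable" for one destination address."""
    ip = ipaddress.IPv4Address(dest)
    best: Optional[Tuple[int, str]] = None  # (prefix length, path) of the most specific match
    for path, entries in (("tunnel", secured), ("direct", non_secured)):
        for net in parse_routes(entries):
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, path)
    return best[1] if best else "unroutable"


def summarize(secured: Iterable[Route], non_secured: Iterable[Route],
              probes: Iterable[str]) -> Dict[str, str]:
    """Tunnel mode plus the path taken by each probe address."""
    mode = "full tunnel" if is_full_tunnel(secured) else "split tunnel"
    return {"mode": mode, **{p: path_for(p, secured, non_secured) for p in probes}}


# Constructed examples of what the tab can show.
# Everything tunneled except the local LAN (a split-exclude policy).
FULL_TUNNEL_WITH_LAN_EXCLUSION = (
    [("0.0.0.0", "0.0.0.0")],
    [("192.168.1.0", "255.255.255.0")],
)
# Only corporate prefixes tunneled, everything else direct (a split-include policy).
SPLIT_INCLUDE = (
    [("10.0.0.0", "255.0.0.0"), ("172.16.0.0", "255.240.0.0")],
    [("0.0.0.0", "0.0.0.0")],
)

if __name__ == "__main__":
    probes = ["10.1.2.3", "192.168.1.20", "8.8.8.8"]
    for name, (sec, non) in (("lan-exclusion", FULL_TUNNEL_WITH_LAN_EXCLUSION),
                             ("split-include", SPLIT_INCLUDE)):
        print(name, summarize(sec, non, probes))
```

When reviewing an exported route list, the question that matters is not only whether the 0.0.0.0 entry is present but whether a more specific non-secured entry carves traffic back out of the tunnel; the longest-prefix rule is what makes that visible.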


See Viewing Detailed Statistical Information for information about using the Export and View Log buttons for connection monitoring.

The About tab (Figure 1-6) shows version, copyright, and documentary information about AnyConnect.

Figure 1-6 About Tab

Standalone and WebLaunch Options

The user can use AnyConnect in the following modes:

Standalone mode—Lets the user establish an AnyConnect connection without the need to use a web browser. If you have permanently installed AnyConnect on the user's PC, the user can run in standalone mode. In standalone mode, a user opens AnyConnect just like any other application and enters the username and password credentials into the fields of the AnyConnect GUI. Depending on how you configure the system, the user might also be required to select a group. When the connection is established, the ASA checks the version of AnyConnect on the user's PC and, if necessary, downloads the latest version.

WebLaunch mode—Lets the user enter the URL of the ASA in the Address or Location field of a browser using the https protocol. The user then enters the username and password information on a Logon screen and selects the group and clicks Submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue.

The portal window appears. To start AnyConnect, the user clicks Start AnyConnect on the main pane. A series of documentary windows appears. When the Connection Established dialog box appears, the connection is working, and the user can proceed with online activities.

Whether the user connects in standalone mode or WebLaunch mode, the AnyConnect package must be installed on the ASA for AnyConnect to connect. This makes the ASA the single point of enforcement for which versions of AnyConnect can establish a session, even if you deploy AnyConnect with an enterprise software deployment system. When you load an AnyConnect package on the ASA, you enforce a policy that only versions as new as the one loaded can connect; an older client upgrades itself when it connects to the ASA.

AnyConnect Licensing Options

AnyConnect requires an AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license to specify the maximum number of remote access sessions supported at a time. Either license supports the basic AnyConnect features.

Table 1-2 shows the licenses you can combine with the Essentials and Premium licenses.

Table 1-2 Advanced AnyConnect License Options

Columns: Sessions License; License Option; Post Log-in Always-on VPN; Malware Defense, Acceptable Use Policy Enforcement, and Data Leakage Prevention on the Web; Clientless Access; Endpoint Assessment; Endpoint Remediation; Business Continuity

Sessions license: AnyConnect Essentials (base license)
    License option: Cisco Secure Mobility for AnyConnect Essentials

Sessions license: AnyConnect Premium SSL VPN Edition (base license)
    License options: Cisco Secure Mobility for AnyConnect Premium; Advanced Endpoint Assessment; Flex (1)

1 A flex license provides business continuity support for malware defense, acceptable use policy enforcement, data leakage prevention on the web, and endpoint remediation features only if those features are licensed.


The AnyConnect Essentials, AnyConnect Premium SSL VPN Edition, Advanced Endpoint Assessment, and Flex licenses require activation on a Cisco adaptive security appliance (ASA) running 8.0(x) or later; however, some features require later versions of the ASA.

The Cisco Secure Mobility licenses require activation on a Cisco IronPort Web Security Appliance (WSA) running 7.0 or later.

The activation of an AnyConnect Mobile license on the ASA supports mobile access, but does not provide support for the features in this table. It is available as an option with either an AnyConnect Essentials or an AnyConnect Premium SSL VPN Edition license.

For a list of the features available with either an AnyConnect Essentials license or AnyConnect Premium SSL VPN Edition license, see the Basic Features table.

The features enabled by the optional licenses shown in Table 1-2 are as follows:

Post Log-in Always-on VPN establishes a VPN session automatically after the user logs in to a computer. For more information, see Post Log-in Always-on VPN. This feature also includes a Connect Failure Policy for Always-on VPN and Captive Portal Remediation.

Malware defense, acceptable use policy enforcement and data leakage prevention for the web are features provided by the Cisco IronPort Web Security Appliance (WSA). For more information, see the Cisco IronPort Web Security Appliances Introduction.

Clientless access lets you use a browser to establish a VPN session and lets specific applications use the browser to access that session.

Endpoint assessment ensures that your choice of antivirus software versions, antispyware versions, associated update definitions, firewall software versions, and corporate property verification checks comply with policies to qualify a session to be granted access to the VPN.

Endpoint remediation attempts to resolve endpoint failures to satisfy corporate requirements for antivirus, antispyware, firewall software, and definitions file requirements.

Business continuity increases the number of licensed remote access VPN sessions to prepare for temporary spikes in usage during cataclysmic events such as pandemics. Each flex license is ASA-specific and provides support for sixty days. The count can consist of both contiguous and noncontiguous days.

Cisco Secure Remote Access: VPN Licensing Overview provides brief descriptions of the AnyConnect license options and example SKUs.

For a detailed list of the AnyConnect features, license and release requirements, and the endpoint OSs supported for each feature, see AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 2.5.

Files and Components

The installation and configuration consists of two parts: what you have to do on the ASA, and what you have to do on the remote computer. The AnyConnect software is built into the ASA Release 8.0(1) and later. You can decide whether to make the AnyConnect software permanently resident on the remote PC, or whether to have it resident only for the duration of the connection.

AnyConnect can be loaded on the security appliance and automatically deployed to remote users when they log in to the ASA, or it can be installed as an application on PCs by a network administrator using standard software deployment mechanisms.

To get the AnyConnect files and API package, go to http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect.

Installing Start Before Logon Components (Windows Only)

If you configure an ASA for WebLaunch of AnyConnect, the client orders the component sequence automatically. Otherwise, the Start Before Logon components must be installed after the core client has been installed. If you are pre-deploying the client and the Start Before Logon components using the MSI files (for example, you are at a big company that has its own software deployment—Altiris or Active Directory or SMS), you must specify the components in the correct sequence.

AnyConnect Profile Files Installed on the Local Computer

AnyConnect downloads the following AnyConnect profile files on the local computer:

Table 1-3 Profile Files on the Endpoint

anyfilename.xml: AnyConnect profile. This file specifies the features and attribute values configured for a particular user type.

AnyConnectProfile.tmpl: Example client profile provided with the AnyConnect software.

AnyConnectProfile.xsd: Defines the XML schema format. AnyConnect uses this file to validate the profile.


AnyConnect downloads these three files to the same directory, as follows:

Table 1-4 Paths to the Profile Files on the Endpoint

Windows 7 and Vista: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\

Windows XP: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\

Windows Mobile: C:\Program Files\Cisco AnyConnect VPN Client

Mac OS X and Linux: /opt/cisco/vpn/profile/


User Preferences Files Installed on the Local Computer

Some profile settings are stored locally on the user computer in a user preferences file or a global preferences file. The user file has information the client needs to display user-controllable settings in the Preferences tab of the client GUI and information about the last connection, such as the user, the group, and the host.

The global file has information about user-controllable settings to be able to apply those settings before login (since there is no user). For example, the client needs to know if Start Before Logon and/or AutoConnect On Start are enabled before login.

Table 1-5 shows the filenames and installed paths for preferences files on the client computer:

Table 1-5 User Preferences Files and Installed Paths

Windows Vista and Windows 7
    User: C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\preferences.xml
    Global: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\preferences_global.xml

Windows XP
    User: C:\Documents and Settings\username\Local Settings\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
    Global: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences_global.xml

Mac OS X
    User: /Users/username/.anyconnect
    Global: /opt/cisco/vpn/.anyconnect_global

Linux
    User: /home/username/.anyconnect
    Global: /opt/cisco/vpn/.anyconnect_global
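The profile is administrator-controlled and the global preferences file decides Start Before Logon and AutoConnect behaviour before anyone is logged in, so both are only as trustworthy as the file permissions protecting them. The following audit, added here for this page rather than taken from Cisco, walks the Mac OS X and Linux paths from Tables 1-4 and 1-5 and reports entries that are writable by group or others, owned by someone other than the expected administrator, or symlinks (a link could point the client at a file a user controls). It assumes root (uid 0) should own the files on a real host; to stay runnable offline, the demo builds a constructed copy of the layout in a temporary directory instead of touching the real paths.

```python
"""Permission audit for AnyConnect profile and global preferences paths (added example)."""
import os
import stat
import tempfile
from typing import List, Tuple

# Endpoint paths from Tables 1-4 and 1-5 (Mac OS X and Linux) that only an
# administrator should be able to write.
ADMIN_ONLY_PATHS = ["/opt/cisco/vpn/profile", "/opt/cisco/vpn/.anyconnect_global"]


def findings(path: str, expected_uid: int = 0) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for anything under path a non-admin could tamper with.

    Symlinks are reported without being followed. expected_uid defaults to root,
    which is an assumption about how the files are installed.
    """
    targets = [path]
    if os.path.isdir(path) and not os.path.islink(path):
        for root, dirs, files in os.walk(path):
            targets.extend(os.path.join(root, name) for name in dirs + files)
    problems: List[Tuple[str, str]] = []
    for p in targets:
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            problems.append(("symlink", p))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(("group/other writable", p))
        if st.st_uid != expected_uid:
            problems.append(("unexpected owner", p))
    return problems


def build_sample() -> str:
    """Construct a throwaway copy of the layout with one lax file and one symlink."""
    root = tempfile.mkdtemp(prefix="anyconnect-demo-")
    profile = os.path.join(root, "profile")
    os.mkdir(profile)
    os.chmod(profile, 0o755)
    for name, mode in (("corp.xml", 0o644), ("AnyConnectProfile.xsd", 0o666)):
        full = os.path.join(profile, name)
        with open(full, "w") as fh:
            fh.write("<!-- constructed placeholder, not a real profile -->\n")
        os.chmod(full, mode)
    # A global preferences "file" that is really a link to somewhere else.
    os.symlink(os.path.join(root, "somewhere-user-writable"),
               os.path.join(root, ".anyconnect_global"))
    return root


def demo() -> List[Tuple[str, str]]:
    """Audit the constructed layout the way ADMIN_ONLY_PATHS would be audited on a host."""
    root = build_sample()
    results = []
    for rel in ("profile", ".anyconnect_global"):
        for reason, p in findings(os.path.join(root, rel), expected_uid=os.getuid()):
            results.append((reason, os.path.relpath(p, root)))
    return sorted(results)


if __name__ == "__main__":
    for reason, p in demo():
        print(f"{reason}: {p}")
    # On a real endpoint, run as root: for p in ADMIN_ONLY_PATHS: print(findings(p))
```

The Windows equivalents in the tables live under ProgramData, where the default ACL already lets members of Users create files, so the same question (who can write the profile directory and preferences_global.xml) is worth answering there with icacls.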


Configuration and Deployment Overview

Use the AnyConnect Profile Editor to configure the AnyConnect features in the profile file; then configure the ASA to download this file along with the AnyConnect client automatically when users make a VPN connection to the ASA with a browser. The profile file drives the display in the user interface and defines the names and addresses of host computers. By creating and assigning different profiles to group policies configured on the ASA, you can differentiate access to these features. Once a profile is assigned to a group policy, the ASA automatically pushes the profile assigned to the user upon connection setup.

Profiles provide basic information about connection setup, and users cannot manage or modify them. The profile is an XML file that lets you identify the secure gateway (ASA) hosts that you want to make accessible. In addition, the profile conveys additional connection attributes and constraints on a user.

Usually, a user has a single profile file. This profile contains all the hosts needed by a user, and additional settings as needed. In some cases, you might want to provide more than one profile for a given user. For example, someone who works from multiple locations might need more than one profile. Be aware, however, that some of the profile settings, such as Start Before Logon, control the connection experience at a global level. Other settings, such as those unique to a particular host, depend on the host selected.

Alternatively, you can use an enterprise software deployment system to install the profile file and client as an application on computers for later access. This alternative method is the only method supported for Windows Mobile devices.

AnyConnect Secure Mobility Feature Configuration Guidelines

AnyConnect Secure Mobility is a set of features you can configure to optimize the security of the VPN endpoints. To configure all of the AnyConnect secure mobility client options, refer to the following sections:


Step 1 Go to the "Configuring the ASA for WSA Support of the AnyConnect Secure Mobility Solution" section.

Step 2 Use the Cisco AnyConnect Secure Mobility Solution Guide as a guide to configuring a WSA to support AnyConnect.

Step 3 Use the AnyConnect Profile Editor to configure the following features:

"Trusted Network Detection" section

"Post Log-in Always-on VPN" section

"Disconnect Button for Always-on VPN" section

"Connect Failure Policy for Always-on VPN" section

"Captive Portal Hotspot Detection and Remediation" section

"Configuring Certificate Enrollment using SCEP" section


API

Use the Application Programming Interface (API) if you want to automate a VPN connection with AnyConnect from another application, including the following:

Preferences

Set tunnel-group method

The API package contains documentation, source files, and library files to support a C++ interface for AnyConnect. There are libraries and example programs that can be used for building AnyConnect on Windows, Linux and Mac OS X. The API package includes project files (Makefiles) for the Windows platform. For other platforms, a platform-specific script shows how to compile the example code. You can link your application (GUI, CLI, or embedded application) with these files and libraries.

Installing Host Scan

To reduce the chances of intranet infection by hosts establishing VPN connections, you can configure Host Scan to download to the endpoint and check for antivirus, antispyware, and firewall software, along with the associated definitions file updates, as a condition for establishing an SSL session. Host Scan is part of Cisco Secure Desktop (CSD).


Note Host Scan and some third-party firewalls can interfere with the firewall function optionally deployed by the group policy.


Although CSD works with AnyConnect, it is a different product and is beyond the scope of this document. To learn about and install CSD, see the Release Notes for Cisco Secure Desktop and the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.