Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5
Configuring the Security Appliance to Deploy AnyConnect


This chapter describes how to use ASDM to configure the ASA to deploy AnyConnect. To use CLI to configure the ASA, see the Cisco 5500 Series Adaptive Security Appliance CLI Configuration Guide.

This chapter includes the following sections:

How the Security Appliance Deploys AnyConnect

Before You Install AnyConnect

Configuring the Security Appliance to Download AnyConnect

Installing AnyConnect on a Windows Mobile Device

Installing AnyConnect on 64-bit Linux

Using the Manual Install Option on Mac OS if the Java Installer Fails

Configuring the ASA for WSA Support of the AnyConnect Secure Mobility Solution

How the Security Appliance Deploys AnyConnect

The Cisco AnyConnect Secure Mobility client provides secure SSL connections to the ASA for remote users. If no client is already installed, remote users enter in their browser the IP address or DNS name of an ASA interface configured to accept clientless SSL VPN connections. Unless the ASA is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.

After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the ASA identifies the user as requiring AnyConnect, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the ASA configuration) when the connection terminates.

In the case of a previously installed client, when the user authenticates, the ASA examines the version of the client, and upgrades the client as necessary.

When AnyConnect negotiates an SSL VPN connection with the ASA, it attempts to connect using Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. If it cannot establish a DTLS connection, it falls back to Transport Layer Security (TLS).

The ASA downloads AnyConnect based on the group policy or username attributes of the user establishing the connection. You can configure the ASA to automatically download AnyConnect, or you can configure it to prompt the remote user, asking them if they want to download AnyConnect. In the latter case, if the user does not respond, you can configure the ASA to either download the AnyConnect after a timeout period or present the login page.

Before You Install AnyConnect

The following sections contain recommendations to ensure a successful AnyConnect installation, as well as tips about certificates, Cisco Security Agent (CSA), adding trusted sites, and responding to browser alerts:

Ensuring the Automatic Installation of AnyConnect

Adding a Security Appliance to the List of Trusted Sites (IE)

Adding a Security Certificate in Response to Browser Alert Windows

Ensuring Fast Connection Time when Loading Multiple AnyConnect Images

Internet Explorer Connections Tab Lockdown

Exempting AnyConnect Traffic from Network Address Translation (NAT)

Installing AnyConnect on Computers with Other Clients

You can install the AnyConnect client on a computer that already has a VPN client from another vendor. The AnyConnect installation is compatible with, and does not interfere with the other client. However, attempting to establish an AnyConnect VPN connection over an existing VPN connection of another vendor's client is not supported and users attempting this may experience unpredictable results.

Ensuring the Automatic Installation of AnyConnect

The following recommendations and caveats apply to the automatic installation of AnyConnect on endpoint computers:

To minimize user prompts during the AnyConnect setup, make sure certificate data on client PCs and on the ASA match:

If you are using a Certificate Authority (CA) for certificates on the ASA, choose one that is already configured as a trusted CA on client machines.

If you are using a self-signed certificate on the ASA, be sure to install it as a trusted root certificate on clients.

The procedure varies by browser. See the procedures that follow this section.

Make sure the Common Name (CN) in ASA certificates matches the name AnyConnect uses to connect to it. By default, the CN field of the ASA certificate is its IP address. If AnyConnect uses a DNS name, change the CN field on the ASA certificate to that name.

If the certificate has a SAN (Subject Alternative Name) extension, the browser ignores the CN value in the Subject field and looks for a DNS Name entry in the SAN field.

If users connect to the ASA using its hostname, the SAN should contain the hostname and domain name of the ASA. For example, the SAN field would contain DNS Name=hostname.domain.com.

If users connect to the ASA using its IP address, the SAN should contain the IP address of the ASA. For example, the SAN field would contain DNS Name=209.165.200.254.
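As an added example (not part of the Cisco guide), the following Python check applies the CN/SAN rule just described to a certificate in the form Python's ssl module returns, so the name AnyConnect will use can be verified against the ASA certificate before rollout; the function names and the sample certificates are constructed for this example.

```python
"""Check that an ASA certificate names the address AnyConnect will connect to.

Added example, not from the Cisco guide: if a SAN extension is present the CN
is ignored and only SAN entries count, otherwise the CN must match. Certs use
the dict shape ssl.SSLSocket.getpeercert() returns when verification is on.
"""
import ipaddress
import socket
import ssl


def _common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_matches(pattern, name):
    """Case-insensitive DNS match; a leftmost '*.' wildcard covers one label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*.") and name.count(".") == pattern.count("."):
        return name.endswith(pattern[1:])
    return False


def _same_ip(value, ip):
    """True if a SAN 'IP Address' value parses to the same address."""
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False


def cert_name_matches(cert, target):
    """True if `target` (hostname or IP literal) is a name the cert carries.
    With a SAN present the CN is never consulted. An IP target may come from
    an 'IP Address' entry or a 'DNS' entry holding the literal (DNS Name=<ip>).
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if ip is not None:
                if kind == "IP Address" and _same_ip(value, ip):
                    return True
                if kind == "DNS" and value == target:
                    return True
            elif kind == "DNS" and _dns_matches(value, target):
                return True
        return False
    cn = _common_name(cert)
    if cn is None:
        return False
    return cn == target if ip is not None else _dns_matches(cn, target)


def explain_mismatch(cert, target):
    """Short reason for a failed match, for a pre-deployment checklist."""
    if cert_name_matches(cert, target):
        return "ok"
    san = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if san:
        return "SAN present (%s) does not list %s; CN is ignored" % (", ".join(san), target)
    return "no SAN; CN %r does not match %s" % (_common_name(cert), target)


def fetch_cert(host, cafile, port=443):
    """Fetch the live certificate dict from an ASA (network call; not run here).

    `cafile` is the ASA's CA or self-signed certificate so the chain verifies
    (with verification off getpeercert() returns {}); the hostname check is
    left to cert_name_matches so a mismatch is reported rather than raised.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real ASA certificates); the names and
# the 209.165.200.254 address are the guide's own examples.
CERT_CN_ONLY = {"subject": ((("commonName", "209.165.200.254"),),)}
CERT_SAN_HOSTNAME = {
    "subject": ((("commonName", "209.165.200.254"),),),
    "subjectAltName": (("DNS", "hostname.domain.com"),),
}
CERT_SAN_BOTH = {
    "subject": ((("commonName", "hostname.domain.com"),),),
    "subjectAltName": (("DNS", "hostname.domain.com"), ("DNS", "209.165.200.254")),
}
```

CERT_SAN_HOSTNAME shows the trap the text warns about: its CN is the IP address, but because a SAN is present, users who connect by IP still get a name mismatch.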

The Cisco Security Agent (CSA) might display warnings during the AnyConnect installation.

Current shipping versions of CSA do not have a built-in rule that is compatible with AnyConnect. You can create the following rule using CSA version 5.0 or later by following these steps:


Step 1 In Rule Module: "Cisco Secure Tunneling Client Module", add a FACL:

Priority: Allow, no Log
Description: "Cisco Secure Tunneling Browsers, read/write vpnweb.ocx"
Applications in the following class: "Cisco Secure Tunneling Client - Controlled Web Browsers"
Attempt: Read file, Write File
On any of these files: @SYSTEM\vpnweb.ocx

Step 2 In Application Class: "Cisco Secure Tunneling Client - Installation Applications", add the following process names:

**\vpndownloader.exe
@program_files\**\Cisco\Cisco AnyConnect VPN Client\vpndownloader.exe

We recommend that Microsoft Internet Explorer (MSIE) users add the ASA to the list of trusted sites, or install Java. The latter enables the ActiveX control to install with minimal interaction from the user. This is particularly important for users of Windows XP SP2 with enhanced security. Windows Vista users must add the security appliance to the list of trusted sites in order to use the dynamic deployment feature. For more information, see Adding a Security Appliance to the List of Trusted Sites (IE).


Adding a Security Appliance to the List of Trusted Sites (IE)

To add an ASA to the list of trusted sites, use Microsoft Internet Explorer and do the following steps.


Note This is required on Windows Vista to use WebLaunch.



Step 1 Go to Tools > Internet Options.

The Internet Options window opens.

Step 2 Click the Security tab.

Step 3 Click the Trusted Sites icon.

Step 4 Click Sites.

The Trusted Sites window opens.

Step 5 Type the host name or IP address of the ASA. Use a wildcard such as https://*.yourcompany.com to allow all ASA 5500s within the yourcompany.com domain to be used to support multiple sites.

Step 6 Click Add.

Step 7 Click OK.

The Trusted Sites window closes.

Step 8 Click OK in the Internet Options window.


Adding a Security Certificate in Response to Browser Alert Windows

This section explains how to install a self-signed certificate as a trusted root certificate on a client in response to the browser alert windows.

In Response to a Microsoft Internet Explorer "Security Alert" Window

The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a Microsoft Internet Explorer Security Alert window. This window opens when you establish a Microsoft Internet Explorer connection to an ASA that is not recognized as a trusted site. The upper half of the Security Alert window shows the following text:

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.

Install the certificate as a trusted root certificate as follows:


Step 1 Click View Certificate in the Security Alert window.

The Certificate window opens.

Step 2 Click Install Certificate.

The Certificate Import Wizard Welcome opens.

Step 3 Click Next.

The Certificate Import Wizard - Certificate Store window opens.

Step 4 Select Automatically select the certificate store based on the type of certificate.

Step 5 Click Next.

The Certificate Import Wizard - Completing window opens.

Step 6 Click Finish.

Step 7 Another Security Warning window prompts "Do you want to install this certificate?" Click Yes.

The Certificate Import Wizard window indicates the import is successful.

Step 8 Click OK to close this window.

Step 9 Click OK to close the Certificate window.

Step 10 Click Yes to close the Security Alert window.

The ASA window opens, signifying the certificate is trusted.


In Response to a Netscape, Mozilla, or Firefox "Certified by an Unknown Authority" Window

The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a "Web Site Certified by an Unknown Authority" window. This window opens when you establish a Netscape, Mozilla, or Firefox connection to an ASA that is not recognized as a trusted site. This window shows the following text:

Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.

Install the certificate as a trusted root certificate as follows:


Step 1 Click Examine Certificate in the "Web Site Certified by an Unknown Authority" window.

The Certificate Viewer window opens.

Step 2 Click the Accept this certificate permanently option.

Step 3 Click OK.

The ASA window opens, signifying the certificate is trusted.


Ensuring Fast Connection Time when Loading Multiple AnyConnect Images

When you load multiple AnyConnect images on the ASA, order the images so that connection times are fastest for the greatest number of remote users.

The security appliance downloads portions of the AnyConnect images to the remote computer until it achieves a match with the operating system. It downloads the image at the top of the ordered list first. Therefore, you should assign the image that matches the most commonly-encountered operating system used on remote computers to the top of the list.

Because mobile users have slower connection speeds, you should load the AnyConnect image for Windows Mobile at the top of the list. Alternatively, you can decrease the connection time by specifying the regular expression Windows CE to match the user agent on Windows Mobile devices. When the browser on the mobile device connects to the ASA, it includes the User-Agent string in the HTTP header. The ASA, receiving the string, immediately downloads AnyConnect for Windows Mobile without ascertaining whether the other AnyConnect images are appropriate.

To specify a regular expression, in ASDM:


Step 1 Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Settings.

Step 2 In the list of AnyConnect images, select an image package for Windows Mobile and click Edit.

Step 3 Click Regular expression to match user-agent and select Windows CE in the drop-down list.


Internet Explorer Connections Tab Lockdown

Under certain conditions, AnyConnect hides the Internet Explorer Tools > Internet Options > Connections tab. When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally circumventing the tunnel. The tab lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies regarding that tab. The conditions under which this lockdown occurs are either of the following:

The ASA configuration specifies a private-side proxy.

AnyConnect uses a public-side proxy defined by Internet Explorer to establish the tunnel. In this case, the split tunneling policy on the ASA must be set to Tunnel All Networks.

Exempting AnyConnect Traffic from Network Address Translation (NAT)

If you have configured your ASA to perform network address translation (NAT), you must exempt your remote access AnyConnect client traffic from translation so that the AnyConnect clients, internal networks, and corporate resources on a DMZ can originate network connections to each other. Failing to exempt the AnyConnect client traffic from translation prevents the AnyConnect clients and other corporate resources from communicating.

"Identity NAT" (also known as "NAT exemption") allows an address to be translated to itself, which effectively bypasses NAT. Identity NAT can be applied between two address pools, an address pool and a subnetwork, or two subnetworks.

This procedure illustrates how you would configure identity NAT between these hypothetical network objects in our example network topology: Engineering VPN address pool, Sales VPN address pool, inside network, a DMZ network, and the Internet. Each Identity NAT configuration requires one NAT rule.

Table 2-1 Network Addressing for Configuring Identity NAT for VPN Clients

Network or Address Pool        Network or address pool name   Range of addresses
Inside network                 inside-network                 10.50.50.0 - 10.50.50.255
Engineering VPN address pool   Engineering-VPN                10.60.60.1 - 10.60.60.254
Sales VPN address pool         Sales-VPN                      10.70.70.1 - 10.70.70.254
DMZ network                    DMZ-network                    192.168.1.0 - 192.168.1.255



Step 1 Log into the ASDM and select Configuration > Firewall > NAT Rules.

Step 2 Create a NAT rule so that the hosts in the Engineering VPN address pool can reach the hosts in the Sales VPN address pool. In the NAT Rules pane, select Add > Add NAT Rule Before "Network Object" NAT rules so that the ASA evaluates this rule before other rules in the Unified NAT table. See Figure 2-1 for an example of the Add NAT rule dialog box.


Note In ASA software version 8.3, NAT rule evaluation is applied on a top-down, first match basis. Once the ASA matches a packet to a particular NAT rule it does not perform any further evaluation. It is important that you place the most specific NAT rules at the top of the Unified NAT table so that the ASA does not prematurely match them to broader NAT rules.


Figure 2-1 Add NAT rule dialog box

a. In the Match criteria: Original Packet area, configure these fields:

Source Interface: Any

Destination Interface: Any

Source Address: Click the Source Address browse button and create the network object that represents the Engineering VPN address pool. Define the object type as a Range of addresses. Do not add an automatic address translation rule. See Figure 2-2 for an example.

Destination Address: Click the Destination Address browse button and create the network object that represents the Sales VPN address pool. Define the object type as a Range of addresses. Do not add an automatic address translation rule.

Figure 2-2 Create Network Object for a VPN address pool

b. In the Action Translated Packet area, configure these fields:

Source NAT Type: Static

Source Address: Original

Destination Address: Original

Service: Original

c. In the Options area, configure these fields:

Check Enable rule.

Uncheck or leave empty the Translate DNS replies that match this rule.

Direction: Both

Description: Add a Description for this rule.

d. Click OK.

e. Click Apply. Your rule should look like rule 1 in the Unified NAT table in Figure 2-4.

CLI example:

nat source static Engineering-VPN Engineering-VPN destination static Sales-VPN Sales-VPN

f. Click Send.

Step 3 When ASA is performing NAT, in order for two hosts in the same VPN pool to connect to each other, or for those hosts to reach the Internet through the VPN tunnel, you must enable the Enable traffic between two or more hosts connected to the same interface option. To do this, in ASDM, select Configuration > Device Setup > Interfaces. At the bottom of the Interface panel, check Enable traffic between two or more hosts connected to the same interface and click Apply.

CLI example:

same-security-traffic permit intra-interface

Step 4 Create a NAT rule so that the hosts in the Engineering VPN address pool can reach other hosts in the Engineering VPN address pool. Create this rule just as you created the rule in Step 2 except that you specify the Engineering VPN address pool as both the Source address and the Destination Address in the Match criteria: Original Packet area.

Step 5 Create a NAT rule so that the Engineering VPN remote access clients can reach the "inside" network. In the NAT Rules pane, select Add > Add NAT Rule Before "Network Object" NAT rules so that this rule will be processed before other rules.

a. In the Match criteria: Original Packet area configure these fields:

Source Interface: Any

Destination Interface: Any

Source Address: Click the Source Address browse button and create a network object that represents the inside network. Define the object type as a Network of addresses. Do not add an automatic address translation rule.

Destination Address: Click the Destination Address browse button and select the network object that represents the Engineering VPN address pool.

Figure 2-3 Add inside-network object

b. In the Action: Translated Packet area, configure these fields:

Source NAT Type: Static

Source Address: Original

Destination Address: Original

Service: Original

c. In the Options area, configure these fields:

Check Enable rule.

Uncheck or leave empty the Translate DNS replies that match this rule.

Direction: Both

Description: Add a Description for this rule.

d. Click OK.

e. Click Apply. Your rule should look like rule two in the Unified NAT table in Figure 2-4.

CLI example:

nat source static inside-network inside-network destination static Engineering-VPN Engineering-VPN

Step 6 Create a new rule, following the method in Step 5, to configure identity NAT for the connection between the Engineering VPN address pool and the DMZ network. Use the DMZ network as the Source Address and use the Engineering VPN address pool as the Destination address.

Step 7 Create a new NAT rule to allow the Engineering VPN address pool to access the Internet through the tunnel. In this case, you do not want to use identity NAT because you want to change the source address from a private address to an Internet routable address. To create this rule, follow this procedure:

a. In the NAT Rules pane, select Add > Add NAT Rule Before "Network Object" NAT rules so that this rule will be processed before other rules.

b. In the Match criteria: Original Packet area configure these fields:

Source Interface: Any

Destination Interface: Any. This field will be automatically populated with "outside" after you select outside as the Source Address in the Action: Translated Packet area.

Source Address: Click the Source Address browse button and select the network object that represents the Engineering VPN address pool.

Destination Address: Any.

c. In the Action: Translated Packet area, configure these fields:

Source NAT Type: Dynamic PAT (Hide)

Source Address: Click the Source Address browse button and select the outside interface.

Destination Address: Original

Service: Original

d. In the Options area, configure these fields:

Check Enable rule.

Uncheck or leave empty the Translate DNS replies that match this rule.

Direction: Both

Description: Add a Description for this rule.

e. Click OK.

f. Click Apply. Your rule should look like rule five in the Unified NAT table in Figure 2-4.

CLI example:

nat (any,outside) source dynamic Engineering-VPN interface

Figure 2-4 Unified NAT table

Step 8 After you have configured the Engineering VPN address pool to reach itself, the Sales VPN address pool, the inside network, the DMZ network, and the Internet, you must repeat this process for the Sales VPN address pool. Use identity NAT to exempt the Sales VPN address pool traffic from network address translation between itself, the inside network, the DMZ network, and the Internet.

Step 9 From the File menu on the ASA, select Save Running Configuration to Flash to implement your identity NAT rules.
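As an added example (not Cisco code or ASDM output), this Python script generates the full set of manual NAT lines for the Table 2-1 objects: the Engineering pool rules shown above plus the Sales pool rules that Step 8 tells you to repeat, emitted in the evaluation order the Note requires, so the whole rule set can be reviewed before it is pasted into the ASA. The interface name `outside` and the function names are assumptions.

```python
"""Generate the ASA 8.3 manual NAT rules for the guide's identity-NAT layout.

Added example, not Cisco code or ASDM output. It emits the CLI lines the guide
shows for the Engineering pool and, as Step 8 directs, the same set for the
Sales pool, keeping every identity rule ahead of the dynamic PAT rule. Object
names and ranges come from Table 2-1; the outside interface name is assumed.
"""

# Network objects from Table 2-1 (no automatic NAT attached to them).
VPN_POOLS = {
    "Engineering-VPN": ("10.60.60.1", "10.60.60.254"),
    "Sales-VPN": ("10.70.70.1", "10.70.70.254"),
}
NETWORKS = {
    "inside-network": "10.50.50.0 255.255.255.0",
    "DMZ-network": "192.168.1.0 255.255.255.0",
}
OUTSIDE_IFC = "outside"  # assumed name of the Internet-facing interface


def object_definitions():
    """`object network` blocks; no `nat` subcommand, so no auto NAT rule."""
    lines = []
    for name, (first, last) in VPN_POOLS.items():
        lines += ["object network %s" % name, " range %s %s" % (first, last)]
    for name, subnet in NETWORKS.items():
        lines += ["object network %s" % name, " subnet %s" % subnet]
    return lines


def identity_nat(src, dst):
    """One identity (NAT-exempt) rule; static source/destination NAT is
    bidirectional, so a single rule covers both directions."""
    return "nat source static %s %s destination static %s %s" % (src, src, dst, dst)


def dynamic_pat(pool):
    """Hide the pool behind the outside interface address (Step 7)."""
    return "nat (any,%s) source dynamic %s interface" % (OUTSIDE_IFC, pool)


def nat_rules():
    """Ordered rule list: identity rules first, dynamic PAT last.

    Manual NAT is evaluated top-down, first match, so the specific identity
    rules must sit above the catch-all PAT; otherwise pool traffic to the
    inside network, the DMZ and the other pool would be translated.
    """
    rules, done_pairs = [], set()
    for pool in VPN_POOLS:
        for other in VPN_POOLS:                      # Step 2: pool to other pool
            pair = frozenset((pool, other))
            if other != pool and pair not in done_pairs:
                done_pairs.add(pair)
                rules.append(identity_nat(pool, other))
        rules.append(identity_nat(pool, pool))       # Step 4: pool to itself
        for net in NETWORKS:                         # Steps 5 and 6
            rules.append(identity_nat(net, pool))
    for pool in VPN_POOLS:                           # Step 7, after all identity rules
        rules.append(dynamic_pat(pool))
    return rules


def config_snippet():
    """Complete paste-ready fragment: objects, then the ordered NAT rules."""
    return "\n".join(object_definitions() + ["!"] + nat_rules())


if __name__ == "__main__":
    print(config_snippet())
```

Because each identity rule is bidirectional, the Sales-to-Engineering pair is emitted only once rather than again when the Sales pool is processed.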


Configuring the Security Appliance to Download AnyConnect

To prepare the ASA to deploy AnyConnect, complete these steps:


Step 1 Download the latest Cisco AnyConnect Secure Mobility client package from the Cisco AnyConnect Software Download webpage.

Step 2 Specify the Cisco AnyConnect Secure Mobility client package file as an SSL VPN client. Navigate to Configuration > Remote Access VPN > Network Access > Advanced > SSL VPN > Client Settings. The SSL VPN Client Settings panel displays (Figure 2-5), listing client files identified as AnyConnect images. The order in which they appear is the order in which the ASA downloads them to the remote computer. To add an AnyConnect image, click Add in the SSL VPN Client Images area. Enter the name of the file you downloaded from Cisco.com and click Upload. You can also navigate to the image.

Figure 2-5 Specify AnyConnect Images

Step 3 (Optional) If you are adding an AnyConnect package for Windows Mobile, specify the regular expression Windows CE to match the user agent on Windows Mobile devices. This decreases the connection time of the mobile device. When the browser on the mobile device connects to the adaptive security appliance, it includes the User-Agent string in the HTTP header. The adaptive security appliance, receiving the string, immediately downloads AnyConnect for Windows Mobile without ascertaining whether the other AnyConnect images are appropriate.

Step 4 Configure a method of address assignment.

You can use DHCP, and/or user-assigned addressing. You can also create a local IP address pool and assign the pool to a tunnel group. This guide uses the popular address pools method as an example.

Navigate to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools (Figure 2-6). Enter address pool information in the Add IP Pool window.

Figure 2-6 Add IP Pool Dialog

Step 5 Enable the AnyConnect download and assign the address pool in a connection profile.

Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Follow the arrows in Figure 2-7 to enable AnyConnect and then assign an address pool.

Figure 2-7 Enable AnyConnect Download

Step 6 Specify SSL VPN as a permitted VPN tunneling protocol for a group policy.

Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. The Group Policies panel displays. Follow the arrows in Figure 2-8 to enable SSL VPN for the group.

Figure 2-8 Specify SSL VPN as a Tunneling Protocol


Prompting Remote Users to Download AnyConnect

By default, the ASA does not download AnyConnect when the remote user initially connects using the browser. After users authenticate, the default clientless portal page displays a Start AnyConnect Client drawer that users can select to download AnyConnect. Alternatively, you can configure the ASA to immediately download AnyConnect without displaying the clientless portal page.

You can also configure the ASA to prompt remote users, providing a configured time period within which they can choose to download AnyConnect or go to the clientless portal page.

You can configure this feature for a group policy or user. To change these login settings, follow this procedure:


Step 1 Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Select a group policy and click Edit. The Edit Internal Group Policy window displays (Figure 2-9).

Step 2 In the navigation pane, choose Advanced > SSL VPN Client > Login Settings. The Post Login settings display. Deselect the Inherit check box, if necessary, and select a Post Login setting.

If you choose to prompt users, specify a timeout period and select a default action to take when that period expires in the Default Post Login Selection area.

Figure 2-9 Changing Login Settings

Step 3 Click OK and be sure to apply your changes to the group policy.

Figure 2-10 shows the prompt displayed to remote users if you choose Prompt user to choose and Download SSL VPN Client:

Figure 2-10 Post Login Prompt Displayed to Remote Users


Enabling Modules for Additional Features

As you enable features on AnyConnect, it must update the modules on the VPN endpoints to use the new features. To minimize download time, AnyConnect requests downloads (from the ASA) only of modules that it needs for each feature that it supports.

To enable new features, you must specify the new module names as part of the group-policy or username configuration. To enable module download for a group policy, follow this procedure:


Step 1 Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Choose a group policy and click Edit. The Edit Internal Group Policy window displays (Figure 2-11).

Step 2 In the navigation pane, select Advanced > SSL VPN Client. Click the Optional Client Module to Download drop-list and choose a module.

Figure 2-11 Specifying an Optional Client Module to Download

Step 3 Click OK and be sure to apply your changes to the group policy.

If you choose Start Before Logon, you must also enable this feature in the AnyConnect client profile. See Configuring VPN Features for details.


Installing AnyConnect on a Windows Mobile Device

The ASA does not support WebLaunch of AnyConnect on mobile devices. Just as with corporate computers, you can pre-deploy AnyConnect on Windows Mobile devices issued to employees. Otherwise, users must download and install AnyConnect for Windows Mobile.


Note Some mobile devices have a proxy enabled by default. To ensure AnyConnect can pass data over the SSL connection, remote users may need to configure the mobile device to bypass the proxy.


Perform the following steps to download and install AnyConnect for Windows Mobile.


Step 1 Download any of the following files from the Cisco AnyConnect Download Software site to get the Cisco AnyConnect Secure Mobility client for Windows Mobile:

File containing all client installation packages: anyconnect-all-packages-AnyConnectRelease_Number-k9.zip

CAB package signed by Cisco for Windows Mobile devices: anyconnect-wince-ARMv4I-AnyConnectRelease_Number-k9.cab

ActiveSync MSI package for Windows Mobile platforms: anyconnect-wince-ARMv4I-activesync-AnyConnectRelease_Number-k9.msi

Step 2 Unzip the anyconnect-all-packages-AnyConnectRelease_Number-k9.zip file if you chose to download that file.

Step 3 Transfer the file to a corporate server if you want to provide users with a link to AnyConnect.

Step 4 Make sure the Windows Mobile device meets the system requirements in the latest Cisco AnyConnect Secure Mobility Release Notes.

Step 5 Use your preferred method to transfer the .cab or .msi file from your intranet server or local computer to the mobile device. Some examples include:

Microsoft ActiveSync over radio

HTTP, FTP, SSH, or shared files over the LAN or radio

Bluetooth

(USB) Cable

Media card transfer

Step 6 Use the mobile device to open the file you transferred, and proceed with the installation wizard.


Installing AnyConnect on 64-bit Linux

Follow these steps to install AnyConnect on x64 (64-bit) versions of Ubuntu 9:


Step 1 Enter the following command to install the 32-bit compatibility library:

administrator@ubuntu-904-64:/usr/local$ sudo apt-get install ia32-libs lib32nss-mdns

Step 2 Download the 32-bit version of Firefox from http://www.mozilla.com and install it in /usr/local/firefox.

AnyConnect looks in this directory first for the NSS crypto libraries it needs.

Step 3 Enter the following command to extract the Firefox installation to the directory indicated:

administrator@ubuntu-904-64:/usr/local$ sudo tar -C /usr/local -xvjf ~/Desktop/firefox-version.tar.bz2

Step 4 Run Firefox at least once, logged in as the user who will use AnyConnect.

Doing so creates the .mozilla/firefox profile in the user's home directory, which is required by AnyConnect to interact with the Firefox certificate store.

Step 5 Install AnyConnect in standalone mode.


Using the Manual Install Option on Mac OS if the Java Installer Fails

If you use WebLaunch to start AnyConnect on a Mac and the Java installer fails, a dialog box presents a Manual Install link. Proceed as follows:


Step 1 Click Manual Install.

A dialog box presents the option to save the vpnsetup.sh file.

Step 2 Save the vpnsetup.sh file on the Mac.

Step 3 Open a Terminal window and use the cd command to navigate to the directory containing the saved file.

Step 4 Enter the following command:

sudo /bin/sh vpnsetup.sh

The vpnsetup script starts the AnyConnect installation.

Step 5 Following the installation, choose Applications > Cisco > Cisco AnyConnect VPN Client to initiate an AnyConnect session.


Configuring the ASA for WSA Support of the AnyConnect Secure Mobility Solution

Today, users and their devices are increasingly mobile, connecting to the Internet from several locations, such as the office, home, airport, or cafes. Traditionally, users inside the network are protected from security threats, while users outside the traditional network have no acceptable use policy enforcement, minimal protection against malware, and a higher risk of data loss.

Employers want to create flexible working environments where employees and partners can work anywhere on any device, but they also want to protect corporate interests and assets from Internet-based threats at all times (always-on security).

Traditional network and content security solutions are great for protecting users and assets behind the network firewall but are useless when users or devices are not connected to the network or when data is not routed through the security solutions.

Cisco offers AnyConnect Secure Mobility to extend the network perimeter to remote endpoints, enabling the seamless integration of web filtering services offered by the Web Security appliance. Cisco AnyConnect Secure Mobility provides an innovative new way to protect mobile users on PC-based or smart-phone platforms, providing a more seamless, always-protected experience for end users and comprehensive policy enforcement for IT administrators.

AnyConnect Secure Mobility is a collection of features across the following Cisco products:

Cisco IronPort Web Security appliance (WSA)

Cisco ASA 5500 series adaptive security appliance (ASA)

Cisco AnyConnect client

Cisco AnyConnect Secure Mobility addresses the challenges of a mobile workforce by offering the following features:

Secure, persistent connectivity. Cisco AnyConnect (with the adaptive security appliances at the headend) provides the remote access connectivity portion of AnyConnect Secure Mobility. The connection is secure because both the user and device must be authenticated and validated prior to being provided access to the network. The connection is persistent because Cisco AnyConnect is typically configured to be always-on even when roaming between networks. Although Cisco AnyConnect is always-on, it is also flexible enough to apply different policies based on location, allowing users access to the Internet in a "captive portal" situation, when users must accept terms of agreement before accessing the Internet.

Persistent security and policy enforcement. The Web Security appliance applies context-aware policies, including enforcing acceptable use policies and protection from malware for all users, including mobile (remote) users. The Web Security appliance also accepts user authentication information from the AnyConnect client, providing an automatic authentication step for the user to access web content.

Use the Mobile User Security dialog box to configure the ASA portion of this feature. AnyConnect Secure Mobility lets Cisco IronPort S-Series Web Security appliances scan Cisco AnyConnect secure mobility clients to ensure that clients are protected from malicious software and/or inappropriate sites. The client periodically checks to ensure that Cisco IronPort S-Series Web Security appliance protection is enabled.

To configure the ASA for WSA support, choose ASDM Configuration > Remote Access VPN > Network (Client) Access > Mobile User Security panel (see Figure 2-12). Click Help for detailed instructions.

Figure 2-12 AnyConnect Secure Mobility Window


Note This feature requires a release of the Cisco IronPort Web Security appliance that provides AnyConnect Secure Mobility licensing support for the Cisco AnyConnect secure mobility client. It also requires an AnyConnect release that supports the AnyConnect Secure Mobility feature.



Step 1 Specify the host or network addresses from which the WSAs can communicate with the ASA, and identify the remote users using one of the following methods:

Associate by IP address. The Web Security appliance administrator specifies a range of IP addresses that it considers as assigned to remote devices. Typically, the adaptive security appliance assigns these IP addresses to devices that connect using VPN functionality. When the Web Security appliance receives a transaction from one of the configured IP addresses, it considers the user as a remote user. With this configuration, the Web Security appliance does not communicate with any adaptive security appliance.

Integrate with a Cisco ASA. The Web Security appliance administrator configures the Web Security appliance to communicate with one or more adaptive security appliances. The adaptive security appliance maintains an IP address-to-user mapping and communicates that information to the Web Security appliance. When the Web Proxy receives a transaction, it obtains the IP address and checks the IP address-to-user mapping to determine the user name. When you integrate with an adaptive security appliance, you can enable single sign-on for remote users. With this configuration, the Web Security appliance communicates with the adaptive security appliance.

Add—Opens the Add MUS Access Control Configuration dialog box where you can add one or more Web Security appliances that the adaptive security appliance can communicate with.

Edit—Opens the Edit MUS Access Control Configuration dialog box for the selected connection.

Delete—Removes the selected connection from the table. There is no confirmation or undo.

Step 2 If you choose to enable Mobile User Security Service, it starts the connection with the client through the VPN. When the Web Security appliance is configured to integrate with an adaptive security appliance, it tries to establish an HTTPS connection with all configured adaptive security appliances when it first starts up. When the connection is established, the Web Security appliance authenticates with the adaptive security appliance using the configured ASA access password. After successful authentication, the adaptive security appliance sends the IP address-to-user mapping to the Web Security appliance. If no WSA is present, the status is disabled.

Step 3 If you choose to enable the service, specify which port number for the service to use. The port must be between 1 and 65535 and must match the corresponding value provisioned into the WSA with the management system. The default is 11999.

Step 4 Change the WSA access password, if desired. You can change the Web Security appliance access password that is required for authentication between the adaptive security appliance and the Web Security appliance. This password must match the corresponding password configured on the Web Security appliance.

Step 5 In the WSA Access Password field, specify the shared secret password required for authentication between the ASA and WSA.

Step 6 Re-enter the specified password.

Step 7 Show WSA Sessions lets you view session information for WSAs connected to the ASA. The host IP address of each WSA that is connected (or has been connected) and the duration of the connection are returned in a dialog box.


Add or Edit MUS Access Control

The Add or Edit MUS Access Control dialog box lets you configure MUS access.


Step 1 Use the drop-down menu to choose which interface name you are adding or editing.

Step 2 Enter either an IPv4 or IPv6 address.

Step 3 Use the drop-down menu to choose the appropriate mask.
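As an added example (not Cisco code, and not the ASA's implementation), the following Python models the MUS access-control table built from this dialog and the port setting from the earlier procedure: each entry is an interface name, an IPv4 or IPv6 address and a mask, and a WSA is accepted only when it arrives on the named interface from an address inside the entry's network. The entries, interface names and addresses are constructed sample values.

```python
# Added example, not Cisco code: models the MUS access-control entries
# (interface, IPv4/IPv6 address, mask) and the MUS service-port rule
# (1-65535, default 11999). All table and connection values are constructed.
import ipaddress
from dataclasses import dataclass

MUS_DEFAULT_PORT = 11999  # default service port stated in the guide


@dataclass(frozen=True)
class MusEntry:
    interface: str
    address: str   # IPv4 or IPv6 address
    mask: str      # dotted-decimal mask for IPv4, prefix length for IPv6

    def network(self):
        # strict=False lets an entry carry a host address rather than a network address
        return ipaddress.ip_network(f"{self.address}/{self.mask}", strict=False)


def validate_port(port: int) -> int:
    """Service port must be within 1..65535; returns it or raises ValueError."""
    if not 1 <= port <= 65535:
        raise ValueError(f"MUS port {port} outside 1-65535")
    return port


def wsa_allowed(entries, interface: str, source_ip: str) -> bool:
    """True if a WSA connecting on `interface` from `source_ip` matches an entry.

    The interface is matched as well as the address, so a host that is inside a
    configured network but arrives on a different interface is rejected."""
    src = ipaddress.ip_address(source_ip)
    for entry in entries:
        net = entry.network()
        if entry.interface == interface and src.version == net.version and src in net:
            return True
    return False


# Constructed table: one WSA host on the inside interface, one IPv6 management network.
ENTRIES = [
    MusEntry("inside", "192.0.2.10", "255.255.255.255"),
    MusEntry("management", "2001:db8:10::", "64"),
]

if __name__ == "__main__":
    validate_port(MUS_DEFAULT_PORT)
    print(wsa_allowed(ENTRIES, "inside", "192.0.2.10"))          # True
    print(wsa_allowed(ENTRIES, "outside", "192.0.2.10"))         # False: wrong interface
    print(wsa_allowed(ENTRIES, "management", "2001:db8:10::5"))  # True
```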