Cisco AnyConnect Secure Mobility Client

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 3.1

Published: December 13, 2012

Revised: September 3, 2014

This document identifies the AnyConnect Release 3.1 features, their license requirements, and the endpoint operating systems that AnyConnect features support.

Supported Operating Systems

Cisco AnyConnect Secure Mobility Client 3.1 supports the following operating systems.

| Operating System | Version |
| --- | --- |
| Windows | Windows 8.1 Update 1 x86 (32-bit) and x64 (64-bit), as of 3.1.05170 |
| Windows | Windows 8.1 x86 (32-bit) and x64 (64-bit), as of 3.1.04072 |
| Windows | Windows 8 x86 (32-bit) and x64 (64-bit), as of 3.1.02026 |
| Windows | Windows 7 x86 (32-bit) and x64 (64-bit) |
| Windows | Windows Vista x86 (32-bit) and x64 (64-bit) |
| Windows | Windows XP SP3 x86 (32-bit) |
| Windows | Windows XP SP2 x64 (64-bit) |
| Mac | Mac OS X 10.9 x86 (32-bit) and x64 (64-bit) |
| Mac | Mac OS X 10.8 x86 (32-bit) and x64 (64-bit) |
| Mac | Mac OS X 10.7 x86 (32-bit) and x64 (64-bit) |
| Mac | Mac OS X 10.6 x86 (32-bit) and x64 (64-bit) |
| Linux | Red Hat 6 (32-bit)* and (64-bit) |
| Linux | Ubuntu 11.10 (32-bit only)* and Ubuntu 12.x (64-bit) |

* In the upcoming AnyConnect 3.2 release, support for Linux 32-bit will be phased out.


Note: After April 8, 2014, Microsoft will no longer provide new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates for Windows XP (http://www.microsoft.com/en-us/windows/endofsupport.aspx). On the same date, Cisco will stop providing customer support for AnyConnect releases running on Windows XP, and we will not offer Windows XP as a supported operating system for future AnyConnect releases.


See the Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.1 for OS requirements and support notes.

See the Feature Matrix below for license information and operating system limitations that apply to AnyConnect modules and features.

License Options

The AnyConnect Secure Mobility client requires license activation to support VPN sessions and web security. The license(s) required depend on the AnyConnect VPN Client and Secure Mobility features that will be used, and the number of sessions you want to support. One or more of the following AnyConnect licenses may be required for your deployment:

| License | Description | Applied to |
| --- | --- | --- |
| AnyConnect Essentials | Supports basic AnyConnect features for SSL and IPsec VPN connections. This license specifies the maximum number of remote access sessions supported at a time. | Cisco ASA 8.2(x) or later. |
| AnyConnect Premium | Supports all basic AnyConnect Essentials features plus Premium AnyConnect client features such as browser-based VPN access, Cisco Secure Desktop, and Hostscan/Posture module functions. This license specifies the maximum number of remote access sessions supported at a time. This license type can also be shared. | Cisco ASA 8.0(x) or later. |
| AnyConnect Mobile | Supports AnyConnect mobile access to the security appliance. It is available as an addition to, and requires, either an AnyConnect Essentials or an AnyConnect Premium license. | Cisco ASA 8.0(x) or later. |
| AnyConnect Flex | A flex license provides business continuity support for all licensed features. | Cisco ASA 8.0(x) or later. |
| Advanced Endpoint Assessment | Enables advanced endpoint assessment capabilities such as auto-remediation. Requires an activated AnyConnect Premium license. | Cisco ASA |
| Cisco Secure Mobility for AnyConnect | Supports web security features provided by the Cisco IronPort Web Security Appliance (WSA). The license name depends on the AnyConnect license activated on the ASA, Essentials or Premium. A Cisco IronPort Web Security Appliance license is also required. | Cisco WSA 7.0 or later. |
| Cisco Secure Mobility for Cisco Cloud Web Security | Supports security features provided with the AnyConnect Web Security module, allowing roaming users to be protected by Cisco Cloud Web Security (ScanSafe). This license is required in addition to a Cisco Cloud Web Security Web Filtering and/or Cisco Cloud Web Security Malware Scanning license. | |

AnyConnect Essentials and Premium Licenses

  • You can activate either an AnyConnect Essentials license or an AnyConnect Premium license on a Cisco ASA 8.2(x) or later, but you cannot activate both licenses together. Some features require later versions of the ASA, as indicated in the Features Table. Choose the license you will activate based on the AnyConnect Secure Mobility features you will use.
  • In addition to AnyConnect connectivity, an AnyConnect Essentials license activated on the ASA supports sessions established using Cisco’s legacy VPN client and full tunneling access to enterprise applications. Clientless VPN access and Cisco Secure Desktop are not available with an AnyConnect Essentials license.
  • An ASA activated with an AnyConnect Premium license supports all access allowed by the AnyConnect Essentials license plus the following AnyConnect premium features:
      - Clientless VPN access: Allows a remote user to use a browser to establish a VPN session, and lets specific applications use the browser to access that session.
      - Cisco Secure Desktop: For both browser-based and AnyConnect sessions.
      - Post Log-in Always-on VPN: Establishes a VPN session automatically after the user logs in to a computer. For more information, see Always-on VPN. This feature also includes a Connect Failure policy and Captive Portal Hotspot Detection and Remediation.
        Note: You can also enable always-on by activating a Cisco Secure Mobility for AnyConnect license on the WSA with an AnyConnect Essentials license on the ASA.
      - Endpoint assessment: Ensures that your choice of antivirus software versions, antispyware versions, associated update definitions, firewall software versions, and corporate property verification checks comply with policies to qualify a session to be granted access to the VPN. Endpoint remediation requires an Advanced Endpoint Assessment License in addition to the AnyConnect Premium License as described below.
      - Quarantine: Uses Dynamic Access Policies to quarantine non-compliant AnyConnect users. You can notify users with a custom message.
  • Neither the AnyConnect Essentials nor the Premium license is required for:
      - The Network Access Manager module. It is licensed without charge for use with Cisco wireless access points, wireless LAN controllers, switches, and RADIUS servers. A current SmartNet contract is required on the related Cisco equipment.
      - The DART module and Customer Feedback function.

AnyConnect Mobile License

The activation of an AnyConnect Mobile license on the ASA supports mobile access but does not provide support for AnyConnect features. This option is available with either an AnyConnect Essentials or an AnyConnect Premium license.

AnyConnect 3.1 does not currently support mobile devices. You must activate this license on the ASA if you expect connectivity from Android or Apple iOS devices running older versions of AnyConnect.

AnyConnect Flex License

An AnyConnect Flex license provides business continuity support for licensed features only. Business continuity increases the number of licensed remote access VPN sessions to prepare for temporary spikes in usage during cataclysmic events such as pandemics. Each Flex license is ASA-specific and provides support for sixty days. The count can consist of both contiguous and noncontiguous days.

Advanced Endpoint Assessment License

You must activate an Advanced Endpoint Assessment license in conjunction with an AnyConnect Premium license. It allows the initiation of endpoint remediation.

Endpoint remediation is initiated when a connection has been disallowed by Dynamic Access Policies (DAPs) on the ASA. Endpoint remediation attempts to remediate various aspects of antivirus, antispyware, and personal firewall protection on the endpoint, only if that software allows a separate application to initiate remediation. If the endpoint remediation is successful, DAP allows a subsequent connection.

Cisco Secure Mobility for AnyConnect License

A Cisco Secure Mobility for AnyConnect license activated on the WSA provides services for browser-based SSL sessions and AnyConnect VPN sessions such as:

  • Malware defense.
  • Acceptable use policy enforcement.
  • Data leakage prevention for the web.
  • Protection for the endpoint from websites found to be unsafe by granting or denying all HTTP and HTTPS requests.
  • Administrator access to Internet usage reports for all VPN sessions.

The Cisco Secure Mobility for AnyConnect license must be activated as follows:

  • A Cisco Secure Mobility for AnyConnect Premium license activation on the WSA requires activation of either an AnyConnect Premium or an AnyConnect Essentials license on the ASA.
  • A Cisco Secure Mobility for AnyConnect Essentials license activation on the WSA requires activation of an AnyConnect Essentials license on the ASA. You cannot use a Cisco Secure Mobility for AnyConnect Essentials license activated on a WSA in combination with an AnyConnect Premium license activated on an ASA.

Note: Post Log-in Always-on VPN, a Premium feature, is enabled by activating a Cisco Secure Mobility for AnyConnect license on the WSA with an AnyConnect Essentials license on the ASA.


  • The Cisco Secure Mobility for AnyConnect license activated on the WSA must match or exceed the number of VPN sessions supported by the AnyConnect license activated on the ASA.

This Cisco Secure Mobility license for AnyConnect, Premium or Essentials, is in addition to the activated Cisco IronPort Web Security Appliance license.

For more information, see the Cisco IronPort Web Security Appliances Introduction.

AnyConnect License Combinations

| Sessions License | License Option | Basic Access | Mobile Access | Clientless Access | Post Log-in Always-on VPN | Malware Defense, Acceptable Use Policy Enforcement, and Data Leakage Prevention on the Web | Endpoint Assessment | Endpoint Remediation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| AnyConnect Essentials | (base license) | | | | | | | |
| | + AnyConnect Mobile | | | | | | | |
| | + Cisco Secure Mobility for AnyConnect Essentials | | | | | | | |
| | + AnyConnect Flex [1] | | | | | | | |
| AnyConnect Premium SSL VPN Edition | (base license) | | | | | | | |
| | + AnyConnect Mobile | | | | | | | |
| | + Cisco Secure Mobility for AnyConnect Premium | | | | | | | |
| | + Advanced Endpoint Assessment | | | | | | | |
| | + AnyConnect Flex [1] | | | | | | | |

[1] A flex license provides business continuity support for mobile access, malware defense, acceptable use policy enforcement, data leakage prevention on the web, and endpoint remediation features only if those features are licensed.

Features Matrix

AnyConnect 3.1 modules and features, with their minimum release requirements, license requirements, and supported operating systems, are listed in the following sections:

  • Core Features
  • Connect and Disconnect Features
  • Authentication and Encryption Features
  • Interfaces
  • Hostscan and Posture Assessment
  • Telemetry
  • Web Security
  • Customer Experience Feedback
  • DART

AnyConnect Deployment and Configuration

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Deferred Upgrades | 3.1 | ASA 9.0, ASDM 7.0 | Essentials | yes | yes | yes |
| Windows Services Lockdown | 3.0 | ASA 8.0(4), ASDM 6.4(1) | Essentials | yes | no | no |
| Update Policy, Software and Profile Lock | 3.0 | ASA 8.0(4), ASDM 6.4(1) | Essentials | yes | yes | yes |
| Auto Update | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Web Launch (32 bit browsers only) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Pre-deployment | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Auto Update Client Profiles | 3.0 | ASA 8.0(4), ASDM 6.4(1) | Essentials | yes | yes | yes |
| AnyConnect Profile Editor | 3.0 | ASA 8.4(1), ASDM 6.4(1) | Essentials | yes | yes | yes |
| User Controllable Features | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | no |

AnyConnect Core VPN Client

Core Features

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| SSL (TLS & DTLS) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| TLS Compression | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| DTLS fallback to TLS | 3.0 | ASA 8.4.2.8, ASDM 6.3(1) | Essentials | yes | yes | yes |
| IPsec/IKEv2 | 3.0 | ASA 8.4(1), ASDM 6.4(1) | Essentials | yes | yes | yes |
| Split tunneling | 2.5 | ASA 8.0(x), ASDM 6.3(1) | Essentials | yes | yes | no |
| Split DNS | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | no |
| Ignore Browser Proxy | 2.5 | ASA 8.3(1), ASDM 6.3(1) | Essentials | yes | yes | no |
| Proxy Auto Config (PAC) file generation | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | no | no |
| Internet Explorer tab lockdown | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | no | no |
| Optimal Gateway Selection | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | no |
| Global Site Selector (GSS) compatibility | 3.0.3050 | ASA 8.0(4), ASDM 6.4(1) | Essentials | yes | yes | yes |
| Local LAN Access | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Tethered device access via client firewall rules, for synchronization | 2.5 | ASA 8.3(1), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Local printer access via client firewall rules | 2.5 | ASA 8.3(1), ASDM 6.3(1) | Essentials | yes | yes | yes |
| IPv6 | 3.1 | ASA 9.0, ASDM 7.0 | Essentials | yes: Vista & 7; no: XP | yes | no |

Connect and Disconnect Features

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Simultaneous Clientless & AnyConnect connections | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Premium | yes | yes | yes |
| Start Before Logon (SBL) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes: Vista & 7; no: XP | no | no |
| Run script on connect & disconnect | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Minimize on connect | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Auto connect on start | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| Auto reconnect (disconnect on system suspend, reconnect on system resume) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | no |
| Remote User VPN Establishment (permitted or denied) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | no | no |
| Logon Enforcement (terminate VPN session if another user logs in) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | no | no |
| Retain VPN session (when user logs off, and then when this or another user logs in) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | no | no |
| Trusted Network Detection (TND) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | no |
| Always on (VPN must be connected to access network) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | (Essentials and WSA Secure Mobility) or Premium | yes | yes | no |
| Always on exemption via DAP | 2.5 | ASA 8.3(1), ASDM 6.3(1) | (Essentials and WSA Secure Mobility) or Premium | yes | yes | no |
| Connect Failure Policy (internet access allowed or disallowed if VPN connection fails) | 2.5 | ASA 8.0(4), ASDM 6.3(1) | (Essentials and WSA Secure Mobility) or Premium | yes | yes | no |
| Captive Portal Detection and Remediation | 2.5 | ASA 8.0(4), ASDM 6.3(1) | (Essentials and WSA Secure Mobility) or Premium | yes | yes | no |

Authentication and Encryption Features

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Certificate only authentication | 2.5 | ASA 8.0(4), ASDM 8.3(1) | Essentials | yes | yes | yes |
| RSA SecurID/SoftID integration | 2.5 | | Essentials | yes | no | no |
| Smartcard support | 2.5 | | Essentials | yes | yes | no |
| SCEP (requires Posture Module if Machine ID is used) | 2.5 | | Essentials | yes | yes | no |
| List & select certificates | 2.5 | | Essentials | yes | no | no |
| FIPS | 2.5 | | Essentials | yes | yes | yes |
| SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF) | 3.0 | ASA 8.0(4), ASDM 6.4(1) | Essentials | yes | yes | yes |
| Strong Encryption (AES-256 & 3DES-168) | 3.0 | | Essentials | yes | yes | yes |
| NSA Suite-B (IPsec only) | 3.1 | ASA 9.0, ASDM 7.0 | Premium? | yes: Vista & 7; no: XP | yes | yes |
| NGE not including NSA Suite B (IPsec only) | 3.1 | | Essentials | yes: Vista & 7; no: XP | yes | yes |

Interfaces

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| GUI | 2.5 | ASA 8.0(4), ASDM 8.3(1) | Essentials | yes | yes | yes |
| Command Line | 2.5 | | | yes | yes | yes |
| API | 2.5 | | | yes | yes | yes |
| Microsoft Component Object Module (COM) | 2.5 | | | yes | no | no |
| Localization of User Messages | 2.5 | | | yes | yes | no |
| Custom MSI transforms | 2.5 | | | yes | no | no |
| User defined resource files | 2.5 | | | yes | yes | no |
| Client Help | 3.1 | ASA 9.0, ASDM 7.0 | | yes | yes | yes |

AnyConnect Network Access Manager

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Core | 3.0 | ASA 8.4(1), ASDM 6.4(1) | No AnyConnect License Required, SmartNet Contract Required | yes: Vista & 7; yes: XP (32-bit only) | no | no |
| Wired support IEEE 802.3 | 3.0 | | | yes | | |
| Wireless support IEEE 802.11 | 3.0 | | | yes | | |
| Pre-logon & Single Sign on Authentication | 3.0 | | | yes | | |
| IEEE 802.1X | 3.0 | | | yes | | |
| IEEE 802.1AE MACsec | 3.0 | | | yes | | |
| EAP methods | 3.0 | | | yes | | |
| FIPS 140-2 Level 1 | 3.0 | | | yes | | |
| Mobile Broadband support | 3.1 | ASA 8.4(1), ASDM 7.0 | | yes: Win 7 only | | |
| IPv6 | 3.1 | ASA 9.0, ASDM 7.0 | | yes: Vista & 7 only | | |
| NGE and NSA Suite-B | 3.1 | | | yes: Vista & 7; yes: XP (32-bit only) | | |

AnyConnect Secure Mobility Modules

Hostscan and Posture Assessment

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Endpoint Assessment | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Premium | yes | yes | yes |
| Endpoint Remediation | 2.5 | | Premium and Advanced Endpoint Assessment | yes | yes | yes |
| Quarantine | 2.5 | | Premium and Advanced Endpoint Assessment | yes | yes | yes |
| Quarantine status & terminate message | 2.5 | ASA 8.3(1), ASDM 6.3(1) | Premium and Advanced Endpoint Assessment | yes | yes | yes |
| Hostscan Package Update | 3.0 | ASA 8.4(1), ASDM 6.4(1) | Premium | yes | yes | yes |
| Keystroke Logger Detection | 3.0 | | Premium | yes: x86 (32-bit) only | no | no |
| Host Emulation Detection | 3.0 | | Premium | yes: x86 (32-bit) and (64-bit) | no | no |
| Cache Cleaner | 3.0 | | Premium | yes: x86 (32-bit) only | yes: x86 (32-bit) only | yes |

Telemetry

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Telemetry | 3.0 | ASA 8.4(1), ASDM 6.4(1), WSA 7.0 | (see below) | yes | no | no |

Telemetry License Requirements:

(Cisco Secure Mobility for AnyConnect Essentials and AnyConnect Essentials) or (Cisco Secure Mobility for AnyConnect Premium and (AnyConnect Essentials or AnyConnect Premium))

Web Security

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Core | 3.0 | ASA 8.4(1), ASDM 6.4(1) | (see below) | yes: Vista & 7; yes: XP x86 (32-bit) only | yes | no |
| Cloud-Hosted Configuration | 3.0.4 | | | | | |
| Secure Trusted Network Detection | 3.1 | ASA 8.4(1), ASDM 7.0 | | | | |
| Dynamic Configuration Elements | 3.1 | | | | | |
| Fail Close / Fail Open Policy | 3.1 | | | | | |

Web Security License Requirements:

(AnyConnect Essentials or AnyConnect Premium) and Cisco Secure Mobility for Cisco Cloud Web Security and (Cisco Cloud Web Security Web Filtering or Cisco Cloud Web Security Malware Scanning)

Reporting and Troubleshooting Modules

Customer Experience Feedback

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| Customer Experience Feedback | 3.1 | ASA 8.4(1), ASDM 7.0 | Essentials | yes | yes | no |

DART

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- |
| VPN logs | 2.5 | ASA 8.0(4), ASDM 6.3(1) | Essentials | yes | yes | yes |
| NAM logs | 3.0 | ASA 8.4(1), ASDM 6.4(1) | | yes | no | no |
| Posture Assessment logs | 3.0 | | | yes | yes | yes |
| Telemetry logs | 3.0 | | | yes | no | no |
| Web Security logs | 3.0 | | | yes | yes | no |