AnyConnect SSL VPN Client Web Deployment
This guide describes how to use ASDM version 6.0 to configure the ASA 5500 Series Adaptive Security Appliance to deploy the AnyConnect SSL VPN client.
How AnyConnect Client Deployment Works
The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. If no client is already installed, a remote user enters into their browser the IP address of an interface that is configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, the user must enter the URL in the form https://<address>.
After entering the URL, the browser connects to that interface and displays the login screen. If the user passes login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure SSL connection, and, depending on the security appliance configuration, either remains installed or uninstalls itself when the connection terminates. Because the installer is delivered over this HTTPS session, the interface should present a certificate that the users' browsers already trust; a self-signed certificate forces users to click through browser warnings and leaves them with no way to verify that they are talking to the real appliance.
If a client is already installed, the security appliance checks the client's version when the user authenticates and upgrades the client if necessary.
When the client negotiates an SSL VPN connection with the security appliance, it connects using Transport Layer Security (TLS) over TCP and, optionally, Datagram Transport Layer Security (DTLS) over UDP. DTLS avoids the latency and bandwidth problems that arise when TCP-based application traffic is tunneled inside a TCP-based SSL connection, and it improves the performance of real-time applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. For more information about installing the client manually, see the Cisco AnyConnect VPN Client Administrator Guide.
The security appliance downloads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.
To prepare the security appliance to deploy the AnyConnect client, complete these steps:
Step 1 Download the latest AnyConnect client package from Cisco.com.
The Software Download Page is located at:
Step 2 Specify the AnyConnect client package file as an SSL VPN client.
Navigate to Configuration > Remote Access VPN > Network Access > Advanced > SSL VPN > Client Settings. The SSL VPN Client Settings panel displays (Figure 1).
This panel lists the AnyConnect client files that have been identified as client images. The order in which they appear in the table is the order in which the security appliance tries them when it downloads a client to the remote computer.
To add a client image, click Add in the SSL VPN Client Images area. Enter the name of the file you downloaded from Cisco.com and click Upload. You can also browse your computer for the file.
If you load multiple client images, the security appliance tries the image at the top of the list first. To reduce connection setup time, move the image for the most commonly encountered operating system to the top of the list. To do so, click an image name in the table and use the up and down arrow buttons to change its position within the list.
Figure 1 Specify AnyConnect Client Images
Step 3 Configure a method of address assignment.
You can use DHCP and/or user-assigned addressing. You can also create a local IP address pool and assign the pool to a tunnel group. This guide uses the common address pool method as an example.
Navigate to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools (Figure 2). Enter address pool information in the Add IP Pool window.
Figure 2 Add IP Pool Dialog
Step 4 Enable client download and assign the address pool in a connection profile.
Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Follow the arrows in Figure 3 to enable the AnyConnect client and then assign an address pool.
Figure 3 Enable SSL VPN Client Download
Step 5 Specify SSL VPN as a permitted VPN tunneling protocol for a group policy.
Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. The Group Policies panel displays. Follow the arrows in Figure 4 to enable SSL VPN for the group.
Figure 4 Specify SSL VPN as a Tunneling Protocol
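The same configuration expressed at the ASA command line, as an added example that is not part of the original guide. ASDM writes commands of this form to the running configuration when you complete Steps 2 through 5. The interface name (outside), the pool, group-policy and tunnel-group names, the address range, and the package filenames are assumptions chosen for illustration; substitute your own. The client download behavior described in the overview (automatic download or a prompt with a timeout, and whether the client stays installed after disconnect) is set with the svc ask and svc keep-installer commands, and the final http redirect line provides the http:// to https:// redirection mentioned above.

```text
! Step 2: register the uploaded AnyConnect packages as client images.
! Filenames are assumed; the trailing number is the order in which the
! appliance tries the images, so put the most common client OS first.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.0.0343-k9.pkg 2
 svc enable
 tunnel-group-list enable
!
! Step 3: local address pool handed to connecting clients (assumed range)
ip local pool SSLClientPool 192.168.50.1-192.168.50.100 mask 255.255.255.0
!
! Step 5: group policy that permits SSL VPN (svc) as the tunneling protocol,
! with the download and uninstall behavior from the overview: prompt the
! user, download the client if there is no answer within 15 seconds, and
! leave the client installed when the session ends.
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 vpn-tunnel-protocol svc
 webvpn
  svc ask enable default svc timeout 15
  svc keep-installer installed
!
! Step 4: connection profile (tunnel group) that enables client download
! and assigns the address pool and group policy
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 address-pool SSLClientPool
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLClient enable
!
! Optional: send users who type http://<address> to https:// automatically
http redirect outside 80
```

To check the result, show webvpn svc lists the registered client images in the order the appliance will try them, show run webvpn shows the interface on which SSL VPN is enabled, and once a client has connected, show vpn-sessiondb svc shows the session and whether DTLS is in use.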