Table Of Contents
Release Notes for Cisco AnyConnect VPN Client,
Version 2.1Security Appliances and Software Supported
Interoperability Considerations
AnyConnect Client and Cisco Secure Desktop
Upgrading to AnyConnect Release 2.1
New Features and Enhancements in Release 2.1
AnyConnect with Start Before Logon Supports Cisco Secure Desktop 3.2.1
Improved User Experience During Download and Installation
Localization for Mac OS X Systems
AnyConnect Support for Smartcards and PPP
Support for RSA SecurID Software Token Client Software
New AnyConnect Client Disconnect Behavior
SDI Token (SoftID) Integration
Comparing Native SDI with RADIUS SDI
Categories of SDI Authentication Exchanges
Normal SDI Authentication Login
New User, Clear PIN, and New PIN Modes
"Next Passcode" and "Next Token Code" Challenges
Ensuring RADIUS/SDI Proxy Compatibility with the AnyConnect Client
AnyConnect Client and RADIUS/SDI Server Interaction
Configuring the Security Appliance to Support RADIUS/SDI Messages
Where to Find the AnyConnect Client Files for Installation
Before You Install the AnyConnect Client
Ensuring Automatic Installation of AnyConnect Clients
AnyConnect Client and New Windows 2000 Installations
Adding a Security Appliance to the List of Trusted Sites (IE)
Adding a Security Certificate in Response to Browser Alert Windows
Installing the AnyConnect Client on a System Running Windows
Installing the AnyConnect Client on a System Running Linux
Installing the AnyConnect Client on a System Running MAC OSX
Using the AnyConnect CLI Commands
Loading the AnyConnect Client and Configuring the Security Appliance with ASDM
Loading the AnyConnect Client and Configuring the Security Appliance with CLI
Disabling Permanent Client Installation
Enabling AnyConnect Client Profile Downloads
Enabling Start Before Logon for the AnyConnect Client
CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop
Uninstalling the Cisco AnyConnect VPN Client
Internet Explorer Proxy With the AnyConnect Client
Setting the Secure Connection (Lock) Icon
Cisco Security Agent Version Requirements
PC Wireless Client Configurations
Certificate Revocation List Processing
Zyxel Modem SSH Incompatibility
Dynamic Install Fails on Windows Vista When Running Low-rights Internet Explorer
AnyConnect Fails to Establish a DTLS Tunnel When Using RC4-MD5 Encryption
Linux Client Weblaunch Requires an Account with Sudo Access
msvcp60.dll Must Be Available for Installation of the AnyConnect Client
Secure VPN Via Windows Remote Desktop Is Now Supported
AnyConnect Start Before Logon GINA Might Not Appear on Login Screen after Reboot
When Using a Client-Side Proxy and Full Tunneling, the Proxy Should Be Reset
Linux-Specific AnyConnect Client Issue
Setting the AnyConnect Pre-Login Banner
AnyConnect Requires That the ASA Be Configured to Accept TLSv1 Traffic
Mac OS X and Linux Clients Might Disconnect If a Security Appliance Failover Occurs
IPv6 AnyConnect Failover is Not Supported for the Security Appliance
Framed IP Address Is Not Available in a Start Accounting Request
AnyConnect Split-tunneling Now Works on Windows Vista
Selecting Crypto Toolkits for AnyConnect on Windows Platforms
First User Message for Double-byte Languages Does Not Translate Correctly
Ensuring Reliable DTLS Connections Through Third-Party Firewalls
No AnyConnect Confirmation Dialog for Cisco Secure Desktop Users
AnyConnect OpenSSL Libraries Have Been Updated to 0.9.8f
Firewall Blocks DTLS (UDP) Traffic if Idle for 40 Seconds
Optionally Disable Tearing Down Tunnel Upon Smartcard Removal
Upgrading Standalone AnyConnect Client for Windows Vista Shows Activity Indication
SSL VPN Clients Do Not Support Split DNS
Synchronizing a Mobile Device to a PC While a Tunnel Is Active
Open Caveats in Cisco AnyConnect VPN Client, Release 2.1
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support & Documentation Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Release Notes for Cisco AnyConnect VPN Client,
Version 2.1
Part Number: OL-14893-03
Introduction
These release notes are for the Cisco AnyConnect VPN Client, Version 2.1, which provides remote users with secure VPN connections to the Cisco ASA 5500 Series Adaptive Security Appliance using the Secure Socket Layer (SSL) protocol.
The AnyConnect client provides remote end users running Microsoft Vista, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. In addition, the AnyConnect client supports IPv6 over an IPv4 network.
The client can be loaded on the security appliance and automatically downloaded to remote users when they log in, or it can be manually installed as an application on PCs by a network administrator. The client includes the ability to create user profiles that are displayed in the user interface and define the names and addresses of host computers.
The AnyConnect client can be installed manually on the remote PC by the system administrator. It can also be loaded onto the security appliance and made ready for download to remote users. After downloading, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections.
This release supports only the SSL protocol. This release does not include IPSec support.
These release notes describe new features, limitations and restrictions, open and resolved caveats, and related documentation. They also include procedures you should follow before loading this release. The section Usage Notes describes interoperability considerations and other issues you should be aware of when installing and using the AnyConnect client. Read these release notes carefully prior to installing this software.
Contents
This document includes the following sections:
New Features and Enhancements in Release 2.1
Cisco Product Security Overview
Obtaining Technical Assistance
Obtaining Additional Publications and Information
Feature Overview
The Cisco AnyConnect VPN Client provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance.
Additional features of the AnyConnect client include:
•
Datagram Transport Layer Security (DTLS) with SSL connections—Avoids latency and bandwidth problems associated with some SSL-only connections and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt).
•
•
•
•
•
•
•
•
•
•
•
•
•
System Requirements
The following table indicates the system requirements to install the Cisco AnyConnect VPN Client on each of the supported platforms.
•
•
•
Computer with a Pentium®-class processor or greater.
In addition, x64 or x86 processors are supported for Windows XP and Windows Vista.
•
•
–
–
–
•
The following Linux distributions have been tested and are known to work with the AnyConnect Client, while following the requirements listed in this document:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
gdk: required 2.0.0,
libpango: required 1.0.•
•
Mac OS X, Version 10.4 or later
Macintosh computer1
50 MB hard disk space
1 The AnyConnect VPN Client is not compatible with Parallels Desktop for Mac.
If you are using Internet Explorer, use version 5.0, Service Pack 2 or later.
Note
Security Appliances and Software Supported
The Cisco AnyConnect VPN Client supports all Cisco Adaptive Security Appliance models. It does not support PIX devices. Table 1 shows the Cisco ASA 5500 Adaptive Security Appliance software images that support the AnyConnect client.
Interoperability Considerations
This section describes how the AnyConnect VPN Client interoperates with other software. The AnyConnect client can be loaded on the security appliance and automatically deployed to remote users when they log in to the security appliance, or it can be installed as an application on PCs by a network administrator using standard software deployment mechanisms. You can use a text editor to create user profiles as XML files. These profiles drive the display in the user interface and define the names and addresses of host computers.
AnyConnect Client and Cisco Secure Desktop
Table 2 shows the interoperability of the AnyConnect Client modes with Cisco Secure Desktop modules on remote computers.
Table 2 AnyConnect Client and Cisco Secure Desktop Interoperability
Standalone
Microsoft Windows Vista
Yes
Yes
-
-
Microsoft Windows XP
Yes
Yes
Yes
-
Microsoft Windows 2000
Yes
Yes
Yes
-
Apple Macintosh OS X 10.4 (PowerPC or Intel)
Yes
Yes
-
-
Linux
Yes
Yes
-
-
WebLaunch
Microsoft Windows Vista
Yes
Yes
-
Yes
Microsoft Windows XP
Yes
Yes
Yes
Yes
Apple Macintosh OS X 10.4 (PowerPC or Intel)
Yes
Yes
Yes
Yes
Linux
Yes
Yes
Yes
Yes
1 By default, the Start Before Logon (SBL) feature of AnyConnect Client is disabled. Cisco Secure Desktop, Release 3.2(1), interoperates with AnyConnect Client, regardless of whether SBL is enabled. Cisco Secure Desktop. Release 3.2(0) modules are not interoperable with AnyConnect Client if SBL is enabled.
2 Includes both English and non-English support of 32-bit Microsoft operating systems. Cisco Secure Desktop does not support the 64-bit versions.
AnyConnect and PIX
PIX does not support SSL VPN connections, either clientless or AnyConnect.
AnyConnect and IOS
Certain features of the Cisco AnyConnect VPN Client are supported in conjunction with IOS routers with SSL VPN support. Please see the IOS SSL VPN Feature Guide for specific details.
Upgrading to AnyConnect Release 2.1
This section contains information about upgrading from the Cisco SSL VPN client to Cisco AnyConnect VPN Client, Release 2.1.
Before You Begin
Be aware of the considerations listed in the Usage Notes, section of these Release Notes before you upgrade. These are known product behaviors, and knowing about them at the beginning of the process should expedite the upgrade. Where appropriate, the number of the caveat documenting the issue appears at the end of the item. See the "Caveats" section for a list of open and resolved caveats.
New Features and Enhancements in Release 2.1
Cisco AnyConnect VPN Client, Release 2.1, offers the following new features.
AnyConnect with Start Before Logon Supports Cisco Secure Desktop 3.2.1
Release 2.1 of the AnyConnect client supports Release 3.2.1 of Cisco Secure Desktop, regardless of whether the Start Before Logon feature is enabled. In AnyConnect Release 2.0, the AnyConnect Client interoperated with Cisco Secure Desktop only if Start Before Logon was disabled (CSCsk56633,CSCsk56582).
Improved User Experience During Download and Installation
AnyConnect 2.1 is optimized to shorten the time required for download and installation. This effect is most noticeable on lower-speed connections.
Localization for Mac OS X Systems
Localization capability is now available on Mac OS X systems, as well as on Windows systems.
AnyConnect Support for Smartcards and PPP
The Cisco AnyConnect VPN Client supports Smartcards on Windows operating systems, via the Windows Crypto API (CAPI) interface, and on Mac OS X, version 10.4 or higher. On the Mac, the Smartcard must be able to work with Keychain. While Cisco can validate compatibility with only a subset of the available cards, readers, and drivers on the market, testing has shown to be compatible with Smartcards that meet these requirements. If a particular combination is not functioning with AnyConnect but meets the above specifications, we recommend contacting your Smartcard manufacturer to determine whether there are known defects in the product implementation.
The Cisco AnyConnect VPN Client provides compatibility with IP/Ethernet over Point-to-Point Protocol (PPP) environments. Most DUN/RAS connectivity options that provide PPP support function with the client, although Cisco cannot guarantee interoperability with those environments not specifically validated. For some environments, split tunneling might be required to allow the connectivity protocol to continue to communicate after a VPN session has been established.
The only differences the user sees are the status bar strings that appear while the client is processing the user's input. These strings are feedback to the user to let the user know what is going on. One other possibility is an error message that might occur when the USB token and RSA DLL do not function correctly (CSCsi69205).
Support for RSA SecurID Software Token Client Software
Cisco AnyConnect VPN Client supports integration of SDI token software on Windows 2000 and Windows XP systems. AnyConnect does not support multiple tokens imported into the RSA Secure ID Software Token client software, and AnyConnect does not support SofToken II, by Secure Computing Corporation. For a fuller description, see SDI Token (SoftID) Integration (CSCsi00707).
Remote User Interface
Figure 1 shows the Cisco AnyConnect VPN Client user interface. The Connection tab provides a drop-down list of profiles for connecting to remote systems.
Figure 1 Cisco AnyConnect VPN Client User Interface, Connection Tab
Figure 2 shows the Statistics tab, including current connection information.
Figure 2 Cisco AnyConnect VPN Client User Interface, Statistics Tab
New AnyConnect Client Disconnect Behavior
If you click Disconnect, the AnyConnect client, Release 2.1, terminates the connection, and the status bar at the bottom of the dialog box, and the AnyConnect GUI displays a login dialog box with a "Connect to" field. To reconnect, the remote user must select the server to connect to and the group name, and enter the username, if necessary, and the password, PIN, or Passcode, as appropriate and click Select.
SDI Token (SoftID) Integration
Cisco AnyConnect VPN Client, Release 2.1, integrates support for RSA SecurID client software running on Windows XP and Windows 2000 platforms. This support allows IT administrators to make strong authentication a convenient part of doing business. RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random, one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens.
Note
Comparing Native SDI with RADIUS SDI
The network administrator can configure the secure gateway to allow SDI authentication in either of the following modes:
•
•
In Release 2.1, except for one case, described later, Native SDI and RADIUS SDI appear identical to the remote user. Because the SDI messages are configurable on the SDI server, the message text (see Table 3) on the security appliance must match the message text on the SDI server. Otherwise, the prompts displayed to the remote client user might not be appropriate for the action required during authentication. The AnyConnect client might fail to respond and authentication might fail.
RADIUS SDI challenges, with minor exceptions, essentially mirror native SDI exchanges. Since both ultimately communicate with the SDI server, the information needed from the client and the order in which that information is requested is the same. Except where noted, the remainder of this section deals with native SDI.
When a remote user using RADIUS SDI authentication connects to the security appliance with the AnyConnect VPN client and attempts to authenticate using an RSA SecurID token, the security appliance communicates with the RADIUS server, which in turn, communicates with the SDI server about the authentication.
For more information about configuring the ASA to ensure AnyConnect client compatibility, see Ensuring RADIUS/SDI Proxy Compatibility with the AnyConnect Client.
Using SDI Authentication
In the AnyConnect client, Release 2.1, the login (challenge) dialog box changes to match the type of authentication configured for the tunnel group to which the user belongs. The input fields of the login dialog box clearly indicate what kind of input is required for authentication. Users who rely on username/password authentication see a dialog box like that in Figure 3.
Figure 3 Username/Password Authentication Login Dialog Box
Users who use RSA SecurID hardware or software tokens see input fields indicating whether the user should enter a passcode or a PIN, and the status line at the bottom of the dialog box provides further information about the requirements. The user enters a software token PIN or passcode directly into the AnyConnect user interface. See Figure 4.
Figure 4 PIN and Passcode Dialog Boxes
The appearance of the initial login dialog box depends on the secure gateway settings: the user can access the secure gateway either through the main login page, the main index URL, or through a tunnel-group login page, a tunnel group URL (URL/tunnel-group). To access the secure gateway via the main login page, the "Allow user to select connection" check box must be set in the secure gateway's SSL VPN Connection Profiles. In either case, the secure gateway sends the client a login page. The main login page contains a drop-down box in which the user selects a tunnel group; the tunnel-group login page does not since the tunnel-group is specified in the URL.
Starting with AnyConnect Release 2.1, in the case of a main login page (with a drop-down tunnel-group list), the authentication type of the default tunnel group determines the initial setting for the password input field label. For example, if the default tunnel group uses SDI authentication, the field label is "Passcode"; but if the default tunnel group uses NTLM authentication, the field label is "Password". In Release 2.1, the field label is not dynamically updated with the user selection of a different tunnel group. For a tunnel-group login page, the field label matches the tunnel-group requirements.
Also starting with AnyConnect Release 2.1, the client supports input of RSA SecurID Software Token PINs in the password input field. If the RSA SecurID Software Token software is installed and the tunnel-group authentication type is SDI, the field label is "Passcode" and the status bar states "Enter a username and passcode or software token PIN." and the user may enter a PIN. If a PIN is used, subsequent consecutive logins for the same tunnel group and username have the field label "PIN". The client retrieves the passcode from the RSA SecurID Software Token DLL using the entered PIN. With each successful authentication, the client saves the tunnel group, the username, and auhentication type, and the saved tunnel group becomes the new default tunnel group.
The AnyConnect client accepts passcodes for any SDI authentication. Even when the password input label is "PIN", the user may still enter a passcode as instructed by the status bar. The client sends the passcode to the secure gateway as is. If a passcode is used, subsequent consecutive logins for the same tunnel group and username have the field label "Passcode".
Categories of SDI Authentication Exchanges
All SDI authentication exchanges fall into one of the following categories:
•
•
•
•
•
Normal SDI Authentication Login
A normal login challenge is always the first challenge. The SDI authentication user must provide a user name and token passcode (or PIN, in the case of a software token) in the username and passcode or PIN fields, respectively. The client returns the information to the secure gateway (central-site device), and the secure gateway verifies the authentication with the authentication server (SDI or SDI via RADIUS proxy).
If the authentication server accepts the authentication request, the secure gateway sends a success page back to the client, and the authentication exchange is complete.
If the passcode is not accepted, the authentication fails, and the secure gateway sends a new login challenge page, along with an error message. If the passcode failure threshold on the SDI server has been reached, then the SDI server places the token into next token code mode. See "Next Passcode" and "Next Token Code" Challenges.
New User, Clear PIN, and New PIN Modes
The PIN can be cleared only on the SDI server and only by the network administrator.
In the New User, Clear PIN, and New PIN modes, the AnyConnect client caches the user-created PIN or system-assigned PIN for later use in the "next passcode" login challenge.
Clear PIN mode and New User mode are identical from the point of view of the remote user and are both treated the same by the secure gateway. In both cases, the remote user either must enter a new PIN or be assigned a new PIN by the SDI server. The only difference is in the user response to the initial challenge.
For New PIN mode, the existing PIN is used to generate the passcode, as it would be in any normal challenge. For Clear PIN mode, no in is used at all for hardware tokens, with the user entering just a token code. A PIN Of eight consecutive zeros is used to generate a passcode for RSA software tokens. In either case, the SDI server administrator must inform the user of what, if any, PIN value to use.
Adding a new user to an SDI server has the same result as clearing the PIN of an existing user. In both cases, the user must either provide a new PIN or be assigned a new PIN by the SDI server. In these modes, for hardware tokens, the user enters just a token code from the RSA device. In either case, the SDI server administrator must inform the user of what, if any, PIN value to use.
Getting a New PIN
If there is no current PIN, the SDI server requires that one of the following conditions be met, depending on how the system is configured:
•
•
•
By default, the system simply assigns a PIN. If the SDI server is configured to allow the remote user to choose whether to create a PIN or have the system assign a PIN, the login screen presents a drop-down menu showing the options (Figure 5).
Figure 5 New PIN Creation or Generation Selection Dialog Box
The status line provides a prompt message. In either case, the user must remember the new PIN for future login authentications.
Creating a New PIN
If the user chooses to create a new PIN and clicks Continue, the AnyConnect client presents a dialog box on which to enter that PIN (Figure 6). The PIN must be a number from 4 to 8 digits long.
Figure 6 Creating a New PIN
For a user-created PIN, after entering and confirming the new PIN, the user clicks Continue. Because the PIN is a type of password, anything the user enters into these input fields is displayed as asterisks. With RADIUS proxy, the PIN confirmation is a separate challenge, subsequent to the original dialog box. The client sends the new PIN to the secure gateway, and the secure gateway continues with a "next passcode" challenge.
For a system-assigned PIN, if the SDI server accepts the passcode that the user enters on the login page, then the secure gateway sends the client the system-assigned passcode. The user must click Continue. The client sends a response back to the secure gateway, indicating that the user has seen the new PIN, and the system continues with a "next passcode' challenge.
In both cases, the user must remember the PIN for subsequent login authentications.
"Next Passcode" and "Next Token Code" Challenges
For a "next passcode" challenge, the client uses the PIN value cached during the creation or assignment of a new PIN to retrieve the next passcode from the RSA SecurID Software Token DLL and return it to the secure gateway without prompting the user. Similarly, in the case of a "next Token Code" challenge for a software token, the client retrieves the next Token Code from the RSA SecurID Software Token DLL.
Ensuring RADIUS/SDI Proxy Compatibility with the AnyConnect Client
This section describes procedures to ensure that the AnyConnect client using RSA SecureID Software tokens can properly respond to user prompts delivered to the client through a RADIUS server proxying to an SDI server or servers. This section contains the following topics:
•
•
AnyConnect Client and RADIUS/SDI Server Interaction
When a remote user connects to the security appliance with the AnyConnect client and attempts to authenticate using an RSA SecurID token, the security appliance communicates with the RADIUS server, which in turn, communicates with the SDI server about the authentication.
During authentication, the RADIUS server presents access challenge messages to the security appliance. Within these challenge messages are reply messages containing text from the SDI server. The message text is different when the security appliance is communicating directly with an SDI server than when communicating through the RADIUS proxy. Therefore, in order to appear as a native SDI server to the AnyConnect client, the security appliance must interpret the messages from the RADIUS server.
Also, because the SDI messages are configurable on the SDI server, the message text on the security appliance must match (in whole or in part) the message text on the SDI server. Otherwise, the prompts displayed to the remote client user may not be appropriate for the action required during authentication. The AnyConnect client may fail to respond and authentication may fail.
The following section describes how to configure the security appliance to ensure successful authentication between the client and the SDI server:
Configuring the Security Appliance to Support RADIUS/SDI Messages
The following section describes the steps to configure the security appliance to interpret SDI-specific RADIUS reply messages and prompt the AnyConnect user for the appropriate action. Each step has information for both ASDM and CLI.
Step 1
ASDM Procedure
Go to Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles. The Edit SSL VPN Connection Profile window displays (Figure 7).
Check Enable the display of SecurID messages on the login screen.
Figure 7 Edit SSL VPN Connection Profile Screen
CLI Procedure
Use the proxy-auth sdi command from tunnel-group webvpn configuration mode. For example:
hostname(config)# tunnel-group sales webvpn attributeshostname(tunnel-group-webvpn)# proxy-auth sdiStep 2
The default message text used by the security appliance is the default message text used by Cisco Secure Access Control Server (ACS). If you are using Cisco Secure ACS, and it is using the default message text, you do not need to configure the message text on the security appliance. Otherwise, configure the messages to ensure the message text matches.
Table 3 shows the message code, the default RADIUS reply message text, and the function of each message. Because the security appliance searches for strings in the order that they appear in the table, you must ensure that the string you use for the message text is not a subset of another string.
For example, "new PIN" is a subset of the default message text for both new-pin-sup and next-ccode-and-reauth. If you configure new-pin-sup as "new PIN", when the security appliance receives "new PIN with the next card code" from the RADIUS server, it will match the text to the new-pin-sup code instead of the next-ccode-and-reauth code.
Table 3
SDI Opcodes, Default Message Text, and Message Function
ASDM Procedure
Go to Configuration > Remote Access VPN > AAA Server Groups. The Add AAA Server window displays (Figure 8).
In the SDI Messages area, click Message Table to expand the table and view the messages. Double-click a message text field to edit the message.
Figure 8 Configuring RADIUS SDI Messages
CLI Procedure
Use the proxy-auth_map sdi command from tunnel-group webvpn configuration mode. The following example enters aaa-server-host mode and changes the text for the RADIUS reply message new-pin-sup:
hostname(config)# aaa-server radius_sales host 10.10.10.1hostname(config-aaa-server-host)# proxy-auth_map sdi new-pin-sup "This is your new PIN"
Installation Notes
This section contains procedures for installing the AnyConnect client software on the ASA5500 using the Adaptive Security Device Manager (ASDM) or the CLI command interface.
Without a previously-installed client, remote users enter the IP address or DNS name in their browser of an interface configured to accept clientless SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.
Note
After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it uploads the client that matches the operating system of the remote computer. After uploading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.
In the case of a previously-installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary.
When the client negotiates an SSL VPN connection with the security appliance, it connects using Transport Layer Security (TLS). The client can also negotiate a simultaneous Datagram Transport Layer Security (DTLS) connection. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. For more information about configuring the AnyConnect client, see the Cisco 5500 Series Adaptive Security Appliance CLI Configuration Guide.
The security appliance uploads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.
The installation and configuration consists of two parts: what you have to do on the security appliance, and what you have to do on the remote PC. The AnyConnect client software is built into the ASA Release 8.0(1) and later. You can decide whether to make the AnyConnect client software permanently resident on the remote PC, or whether to have it resident only for the duration of the connection.
Note
This section describes installation-specific issues and procedures for AnyConnect client Release 2.1, and contains the following sections:
•
•
•
•
•
•
•
•
Where to Find the AnyConnect Client Files for Installation
All of the AnyConnect clients are located in the same place: http://www.cisco.com/pcgi-bin/tablebuild.pl/anyconnect
Before You Install the AnyConnect Client
The following sections contain recommendations to ensure successful AnyConnect client installation, as well as tips about certificates, Cisco Security Agent (CSA), adding trusted sites, and responding to browser alerts:
•
•
•
•
Ensuring Automatic Installation of AnyConnect Clients
The following recommendations and caveats apply to the automatic installation of AnyConnect client software on client PCs:
•
–
–
The procedure varies by browser. See the procedures that follow this section.
–
•
Current shipping versions of CSA do not have a built-in rule that is compatible with the AnyConnect client. You can create the following rule using CSA version 5.0 or later by following these steps:
Step 1
Priority Allow, no Log, Description: "Cisco Secure Tunneling Browsers, read/write vpnweb.ocx"Applications in the following class: "Cisco Secure Tunneling Client - Controlled Web Browsers"Attempt: Read file, Write FileOn any of these files: @SYSTEM\vpnweb.ocx
Step 2
**\vpndownloader.exe@program_files\**\Cisco\Cisco AnyConnect VPN Client\vpndownloader.exeThis rule will be built into a future version of CSA.
•
AnyConnect Client and New Windows 2000 Installations
In rare circumstances, if you install the AnyConnect client on a computer that has a new or clean Windows 2000 installation, the AnyConnect client might fail to connect, and your computer might display the following message:
The required system DLL (filename) is not present on the system.This could occur if the computer does not have the file MSVCP60.dll or MSVCRT.dll located in the winnt\system32 directory. For more information about this problem, see the Microsoft Knowledge Base, article 259403, at http://support.microsoft.com/kb/259403.
Adding a Security Appliance to the List of Trusted Sites (IE)
To add a security appliance to the list of trusted sites, use Microsoft Internet Explorer and do the following steps.
Note
Step 1
The Internet Options window opens.
Step 2
Step 3
Step 4
The Trusted Sites window opens.
Step 5
Step 6
Step 7
The Trusted Sites window closes.
Step 8
For information on how to use Microsoft Active Directory to add the security appliance to the list of trusted sites for Internet Explorer, see Appendix B of Cisco AnyConnect VPN Client Administrator Guide.
Adding a Security Certificate in Response to Browser Alert Windows
This section explains how to install a self-signed certificate as a trusted root certificate on a client in response to the browser alert windows.
In Response to a Microsoft Internet Explorer "Security Alert" Window
The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a Microsoft Internet Explorer Security Alert window. This window opens when you establish a Microsoft Internet Explorer connection to a security appliance that is not recognized as a trusted site. The upper half of the Security Alert window shows the following text:
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.Install the certificate as a trusted root certificate as follows:
Step 1
The Certificate window opens.
Step 2
The Certificate Import Wizard Welcome opens.
Step 3
The Certificate Import Wizard - Certificate Store window opens.
Step 4
Step 5
The Certificate Import Wizard - Completing window opens.
Step 6
Step 7
The Certificate Import Wizard window indicates the import is successful.
Step 8
Step 9
Step 10
The security appliance window opens, signifying the certificate is trusted.
In Response to a Netscape, Mozilla, or Firefox "Certified by an Unknown Authority" Window
The following procedure explains how to install a self-signed certificate as a trusted root certificate on a client in response to a "Web Site Certified by an Unknown Authority" window. This window opens when you establish a Netscape, Mozilla, or Firefox connection to a security appliance that is not recognized as a trusted site. This window shows the following text:
Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.Install the certificate as a trusted root certificate as follows:
Step 1
The Certificate Viewer window opens.
Step 2
Step 3
The security appliance window opens, signifying the certificate is trusted.
Installing the AnyConnect Client on a System Running Windows
To install the AnyConnect client on a PC running Windows, follow these steps. We suggest you accept the defaults unless your system administrator has instructed otherwise.
Note
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Installing the AnyConnect Client on a System Running Linux
To install the AnyConnect client on a system Running Linux, follow these steps:
Step 1
tar xvzf AnyConnect-Linux-Release-2.1.xxxx.tar.gzThe files necessary for installation are placed in the folder ciscovpn.
Step 2
[root@linuxhost]# cd ciscovpn[root@linuxhost]# ./vpn_install.shThe client installs in the directory /opt/cisco/vpn. This script also installs the daemon vpnagentd and sets it up as a service that is automatically started when the system boots.
After installing the client, you can start the client manually with the Linux command /opt/cisco/vpn/bin/vpnui or with the client CLI command /opt/cisco/vpn/bin/vpn.
Installing the AnyConnect Client on a System Running MAC OSX
The AnyConnect client image for MAC OSX is a DMG disk image installation package. To install the AnyConnect client on a System Running MAC OSX, follow these steps:
Step 1
Step 2
Step 3
Step 4
The installation is complete.
Using the AnyConnect CLI Commands
The Cisco AnyConnect VPN Client provides a command line interface (CLI) for users who prefer to issue commands instead of using the graphical user interface. The following sections describe how to launch the CLI command prompt.
For Windows
To launch the CLI command prompt and issue commands on a Windows system, locate the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client. Double-click the file vpncli.exe.
For Linux
To launch the CLI command prompt and issue commands on a Linux system, locate the file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn.
You can run the CLI in interactive mode, in which it provides its own prompt, or you can run it with the commands on the command line. Table 4 shows the CLI commands.
The following examples shows the user establishing and terminating a connection from the command line:
/opt/cisco/vpn/bin/vpn connect 1.2.3.4Establishes a connection to a security appliance with the address 1.2.3.4.
/opt/cisco/vpn/bin/vpn connect some_asa_aliasEstablishes a connection to a security appliance by reading the profile and looking up the alias some_asa_alias in order to find its address.
/opt/cisco/vpn/bin/vpn statsDisplays statistics about the vpn connection.
/opt/cisco/vpn/bin/vpn disconnectDisconnect the vpn session if it exists.
Loading the AnyConnect Client and Configuring the Security Appliance with ASDM
Loading the client on the security appliance consists of copying a client image to the security appliance and identifying the file to the security appliance as a client image. With multiple clients, you must also assign the order that the security appliance uploads the clients to the remote PC. Perform the following steps to install the client:
Step 1
Step 2
Step 3
This panel lists any AnyConnect client files that have been identified as AnyConnect client images. The order in which they appear in the table reflects the order that they download to the remote computer.
Figure 9 SSL VPN Client Settings Panel
To add an AnyConnect client image, Click Add in the SSL VPN Client Images area. The Add SSL VPN Client Image dialog appears (Figure 10).
Figure 10 Add SSL VPN Client Image Dialog
If you already have an image located in the flash memory of the security appliance, you can enter the name of the image in the Flash SVC Image field, and click OK. The SSL VPN Client Images panel now shows the AnyConnect client images you identified (Figure 11).
Figure 11 SSL VPN Client Panel with AnyConnect Client Images
Step 4
This establishes the order in which the security appliance uploads them to the remote computer. It uploads the AnyConnect client image at the top of the list of images first. Therefore, you should move the image used by the most commonly-encountered operating system to the top of the list.
Step 5
Figure 12 Enable SSL VPN Client Check Box
Step 6
To create an IP address pool, choose Network Access > Address Management > Address Pools. Click Add. The Add IP Pool dialog appears (Figure 13).
Figure 13 Add IP Pool Dialog
Enter the name of the new IP address pool. Enter the starting and ending IP addresses, and enter the subnet mask and click OK.
Step 7
Figure 14 Connection Address Pool Assignment
Highlight a connection in the table, and click Edit. The Edit SSL VPN Connection dialog appears.
Click Select in the Client Address Assignment area. The Select Address Pool dialog appears (Figure 15), containing available address pools. Select a pool and click OK.
Figure 15 Select Address Pool Dialog
Step 8
Choose Network Access > Group Policies from the navigation pane. Highlight the group policy in the Group Policy table, and click Edit.
The Edit Internal Group Policy dialog appears (Figure 16):
Figure 16 Edit Internal Group Policy, General Tab
Check the SVC check box to include SSL VPN as a tunneling protocol.
Step 9
Figure 17 SSL VPN Client Features
Configure the following features on the SSL VPN Client tab:
Keep Installer on Client System—Enable to allow permanent client installation on the remote computer. Enabling disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user.
Compression—Compression increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred.
Datagram TLS—Datagram Transport Layer Security (DTLS) allows the CVC establishing an SSL VPN connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
Keepalive Messages—Enter an number, from 15 to 600 seconds, in the Interval field to enable and adjust the interval of keepalive messages to ensure that an connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the interval also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.
MTU—Adjust the Ma
Guest
