Optional AnyConnect Configuration and Management
Modifying and Deleting Connection Entries
Modifying a Connection Entry
Procedure
Change a VPN connection entry to correct a configuration error or comply with an IT policy change.
You cannot modify the description or server address of connection entries downloaded from a secure gateway.
Deleting Connection Entries
Procedure
This procedure deletes a manually configured VPN connection entry.
The only way to remove a connection entry imported from a VPN secure gateway is to remove the downloaded AnyConnect profile that contains the connection entries.
About Certificates on Your Android Device
Certificates are used to digitally identify each end of the VPN connection: the secure gateway, or the server, and the AnyConnect client, or the user. A server certificate identifies the secure gateway to AnyConnect, and a user certificate identifies the AnyConnect user to the secure gateway. Certificates are obtained from and verified by Certificate Authorities (CAs).
When establishing a connection, AnyConnect always expects a server certificate from the secure gateway. The secure gateway expects a certificate from AnyConnect only if it has been configured to do so. Expecting the AnyConnect user to manually enter credentials is another way to authenticate a VPN connection. In fact, the secure gateway can be configured to authenticate AnyConnect users with a digital certificate, with manually entered credentials, or with both. Certificate-only authentication allows VPNs to connect without user intervention.
Your administrator directs the distribution and use of certificates by the secure gateway and by your device. Follow your administrator's directions to import, use, and manage server and user certificates for AnyConnect VPNs. The information and procedures in this document related to certificates and certificate management are provided for your understanding and reference.
AnyConnect stores both user and server certificates for authentication in its own certificate store on the Android device. The AnyConnect certificate store is managed from the screen; you can also view Android System certificates there.
About User Certificates
In order for you, the AnyConnect user, to authenticate to the secure gateway with a digital certificate, you need a user certificate in the AnyConnect certificate store on your device. User certificates are imported using one of the following methods, as directed by your administrator:
- Imported automatically after clicking a hyperlink provided by your administrator in an e-mail or on a web page.
- Imported manually by you from the device's file system, from the device's credential storage, or from a network server.
- Imported when connecting to a secure gateway that has been configured by your administrator to provide you with a certificate.
Once imported, the certificate can be associated with a particular connection entry or selected automatically during connection establishment to authenticate.
You can delete user certificates from the AnyConnect store if they are no longer needed for authentication.
About Server Certificates
A server certificate received from the secure gateway during connection establishment automatically authenticates that server to AnyConnect, if and only if it is valid and trusted. Otherwise:
- A valid, but untrusted server certificate can be reviewed, authorized, and imported to the AnyConnect certificate store. Once a server certificate is imported into the AnyConnect store, subsequent connections made to the server using this digital certificate are automatically accepted.
- An invalid certificate cannot be imported into the AnyConnect store. It can be accepted to complete the current connection, but this is not recommended.
Server certificates in the AnyConnect store can be deleted if they are no longer needed for authentication.
View user and server certificates that have been imported into the AnyConnect certificate store, and Android system certificates.
Deleting a Single Certificate
Procedure
Specifying Application Preferences
Changing the AnyConnect Theme
Procedure
AnyConnect provides the following themes:
- Cisco Default Theme (default)—Color contrast, emphasizing shades of blue.
- Android—Android-like alternative to the Cisco default theme.
The assignment of the Android theme to AnyConnect has issues such as the whiteout of field values on some devices. Reapply the default theme if the Android theme is difficult to use.
Launching AnyConnect at Startup
Procedure
You control when AnyConnect launches on your device. By default, AnyConnect does not launch automatically at device startup; checking Launch at Startup enables it.
Launch at Startup is enabled automatically if a profile that specifies Trusted Network Detection is downloaded or imported.
Hiding the AnyConnect Status Bar Icon
Controlling External Use of AnyConnect
Procedure
The External Control application preference specifies how the AnyConnect application responds to external URI requests. External requests create connection entries; connect or disconnect a VPN; and import client profiles, certificates, or localization files.
External requests are URIs, typically provided by your administrator in e-mails or on web pages. Your administrator will instruct you to set this preference to one of the following values:
Blocking Untrusted Servers
Procedure
This application setting determines if AnyConnect blocks connections when it cannot identify the secure gateway. This protection is ON by default; it can be turned OFF, but this is not recommended.
AnyConnect uses the certificate received from the server to verify the server's identity. If there is a certificate error because of an expired or invalid date, wrong key usage, or a name mismatch, the connection is blocked.
When this setting is ON, a blocking Untrusted VPN Server! notification alerts you to this security threat.
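The checks that the Blocking Untrusted Servers setting and the server-certificate handling above describe can be reproduced with Go's standard X.509 verifier. The block below is an added example written for this page, not AnyConnect code: it mints throw-away self-signed certificates (constructed test data; the host names vpn.example.com and other.example.com are invented), verifies each one as a gateway certificate, and maps the verifier's error types onto the page's categories: bad date, wrong key usage, name mismatch, valid-but-untrusted, and trusted once the user has imported the certificate into the client's store. The three invalid certificates are checked against a store that already trusts them, to show that trust does not rescue an invalid certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict names the outcomes this page describes for a gateway certificate.
type Verdict string

const (
	Trusted       Verdict = "valid and trusted: accepted automatically"
	Untrusted     Verdict = "valid but untrusted: prompt to review and import"
	BadDate       Verdict = "invalid (expired or not yet valid): blocked"
	WrongKeyUsage Verdict = "invalid (wrong key usage): blocked"
	NameMismatch  Verdict = "invalid (name mismatch): blocked"
)

// Classify verifies cert for gatewayHost against the client's own certificate
// store and maps the Go verifier's error types onto the page's categories.
func Classify(cert *x509.Certificate, gatewayHost string, store *x509.CertPool) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: gatewayHost, Roots: store})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return BadDate
	case errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage:
		return WrongKeyUsage
	case errors.As(err, new(x509.HostnameError)):
		return NameMismatch
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return Untrusted
	}
	return Verdict("invalid (" + err.Error() + "): blocked")
}

// mint creates a throw-away self-signed certificate (constructed test data).
func mint(dnsName string, notBefore, notAfter time.Time, eku x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{dnsName},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku}, // clientAuth only = wrong key usage for a gateway
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunScenarios returns a verdict per case. Cases marked trusting are checked against
// a store that already holds the certificate; the before/after-import pair uses an empty store first.
func RunScenarios() (map[string]Verdict, error) {
	now, host := time.Now(), "vpn.example.com"
	from, to := now.Add(-time.Hour), now.Add(24*time.Hour)
	cases := []struct {
		label, name string
		nb, na      time.Time
		eku         x509.ExtKeyUsage
		trusting    bool
	}{
		{"expired", host, now.Add(-48 * time.Hour), now.Add(-time.Hour), x509.ExtKeyUsageServerAuth, true},
		{"wrong-usage", host, from, to, x509.ExtKeyUsageClientAuth, true},
		{"name-mismatch", "other.example.com", from, to, x509.ExtKeyUsageServerAuth, true},
		{"before-import", host, from, to, x509.ExtKeyUsageServerAuth, false},
		{"after-import", host, from, to, x509.ExtKeyUsageServerAuth, true},
	}
	out := map[string]Verdict{}
	for _, tc := range cases {
		c, err := mint(tc.name, tc.nb, tc.na, tc.eku)
		if err != nil {
			return nil, err
		}
		store := x509.NewCertPool() // the client's own store, empty by default
		if tc.trusting {
			store.AddCert(c) // the user reviewed and imported the certificate
		}
		out[tc.label] = Classify(c, host, store)
	}
	return out, nil
}

func main() { fmt.Println(RunScenarios()) }
```

The order of the checks mirrors the page: date and name problems are rejected before trust is even considered, and a certificate that the store already trusts is still refused if its extended key usage does not cover serverAuth. Only the valid gateway moves from "untrusted" to "trusted" when it is added to the store.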
Setting FIPS Mode
FIPS Mode uses Federal Information Processing Standards (FIPS) cryptography algorithms for all VPN connections.
Before You Begin
Your administrator will inform you if you need to enable FIPS mode on your mobile device for connectivity to your network.
Procedure
Setting Trusted Network Detection
Trusted Network Detection (TND) allows automatic initiation of a VPN connection when the device is outside of a trusted network and automatic suspension of the VPN connection when the device returns to a trusted network.
Your administrator enables this feature, defines which networks are trusted or untrusted, and determines AnyConnect behavior when it detects network transitions. For example, your administrator may configure TND to automatically connect while you are on your home network and then disconnect when you move into the corporate network.
If your administrator has enabled this feature, you can disable it on your own device. Keep in mind that it is provided for your convenience, connecting and disconnecting the VPN automatically so that you do not have to do so manually. Enable TND to reinstate this functionality.
TND does not interfere with your ability to manually establish a VPN connection or disconnect a VPN connection started while on a trusted network. TND disconnects the VPN session only if the device first connects (automatically or manually) in an untrusted network and then moves into a trusted network.
Before You Begin
Trusted Network Detection requires the AnyConnect app to be running. If you have exited the application, or forced it to stop from the Android settings, AnyConnect cannot detect a trusted network.
The Trusted Network Detection feature is not available in the AnyConnect ICS+ package (the Android VPN Framework package). It is available only in the brand-specific and rooted AnyConnect packages.
Procedure
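The transition rules above, as an added Go example that is not part of the AnyConnect software: a small state machine that decides what TND does on each network change, including the case the page singles out, a session started manually on a trusted network that TND leaves alone. The trusted domain corp.example.com, the DNS-suffix test used to recognise a trusted network, and the network names are assumptions of this example; how AnyConnect itself detects a trusted network is not described on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// TND models the Trusted Network Detection rules described on this page. The
// trusted DNS domains stand in for the administrator's definition of a trusted
// network; that part is an assumption of this example.
type TND struct {
	Enabled          bool
	trustedDomains   []string
	Connected        bool
	startedUntrusted bool // the current session began on an untrusted network
}

func NewTND(trustedDomains ...string) *TND {
	t := &TND{Enabled: true}
	for _, d := range trustedDomains {
		t.trustedDomains = append(t.trustedDomains, strings.ToLower(d))
	}
	return t
}

// IsTrusted treats a network as trusted when its DNS search suffix is a trusted
// domain or a subdomain of one. The leading dot in the suffix test keeps
// corp.example.com.evil and evilcorp.example.com from matching.
func (t *TND) IsTrusted(dnsSuffix string) bool {
	s := strings.ToLower(dnsSuffix)
	for _, d := range t.trustedDomains {
		if s == d || strings.HasSuffix(s, "."+d) {
			return true
		}
	}
	return false
}

// ManualConnect records a user-initiated session and the kind of network it began on.
func (t *TND) ManualConnect(trusted bool) { t.Connected, t.startedUntrusted = true, !trusted }

// ManualDisconnect ends the session, leaving TND nothing to suspend later.
func (t *TND) ManualDisconnect() { t.Connected, t.startedUntrusted = false, false }

// OnNetworkChange returns the automatic action ("connect", "disconnect" or
// "none") for a move onto a trusted or untrusted network. The VPN is dropped on
// a trusted network only if the session began on an untrusted one.
func (t *TND) OnNetworkChange(trusted bool) string {
	switch {
	case !t.Enabled:
		return "none"
	case !trusted && !t.Connected:
		t.Connected, t.startedUntrusted = true, true
		return "connect"
	case trusted && t.Connected && t.startedUntrusted:
		t.Connected, t.startedUntrusted = false, false
		return "disconnect"
	}
	return "none"
}

// Scenario walks one device through the transitions the page describes.
func Scenario() []string {
	t := NewTND("corp.example.com")
	home, office, cafe := t.IsTrusted("home.lan"), t.IsTrusted("corp.example.com"), t.IsTrusted("cafe.lan")
	var a []string
	a = append(a, t.OnNetworkChange(home))   // connect: untrusted network and no session
	a = append(a, t.OnNetworkChange(office)) // disconnect: that session began on an untrusted network
	t.ManualConnect(office)                  // the user connects while in the office
	a = append(a, t.OnNetworkChange(office)) // none: a session begun on a trusted network is left alone
	a = append(a, t.OnNetworkChange(cafe))   // none: already connected
	a = append(a, t.OnNetworkChange(office)) // none: still the session that began on a trusted network
	t.ManualDisconnect()
	t.Enabled = false                      // the user turned TND off on the device
	a = append(a, t.OnNetworkChange(cafe)) // none: TND disabled, nothing automatic
	return a
}

func main() { fmt.Println(Scenario()) }
```

The one piece of state that matters is where the session began: the machine records it on every connect, automatic or manual, and only a session flagged as having started on an untrusted network is torn down when the device reaches a trusted one.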
Using AnyConnect Widgets
About AnyConnect Widgets
AnyConnect provides widgets to add to your home screen:
- The smallest widget is the same size as the AnyConnect app's icon. The color of the bar below the icon reflects the VPN status. Tap the widget to connect to or disconnect from the current VPN connection.
- The larger widget shows the AnyConnect icon and name, the current VPN connection, and the VPN status. Tap the widget to connect to or disconnect from the VPN connection.
Placing a Widget on your Android Home Window
Procedure
The instructions for placing a widget may vary, depending on the device and the Android version that you are using. Example instructions are provided.
Managing the AnyConnect Client Profile
About AnyConnect Client Profiles
The AnyConnect VPN Client Profile is an XML file that specifies client behavior and identifies VPN connections. Each connection entry in the VPN Client Profile specifies a secure gateway that is accessible to this device, as well as other connection attributes, policies, and constraints. These connection entries, in addition to the VPN connections that you configured locally on the device, are listed on the AnyConnect home screen to choose from when initiating a VPN connection.
AnyConnect retains only one VPN Client Profile on the Android device at a time. The following are some key scenarios that cause the current profile, if it exists, to be replaced or deleted:
- Manually importing a profile replaces the current profile with the imported profile.
- Upon startup of an automatic or manual VPN connection, the new connection’s profile replaces the current profile.
- If a VPN connection does not have a profile associated with it, the existing profile is deleted upon startup of that VPN.
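The profile scenarios above, as an added Go example (not Cisco code): it parses the ServerList and HostEntry elements of a constructed profile, rejects an entry that has no HostName or HostAddress, and models a device that keeps one profile at a time, replacing it on import and dropping it when a connection that has no profile starts. The sample XML and host names are constructed for this example; the element names follow the AnyConnect profile schema, and the rest of the profile (client initialization settings and the like) is left out.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// HostEntry is one connection entry: the name shown on the home screen and the
// secure gateway it points at.
type HostEntry struct {
	Name    string `xml:"HostName"`
	Address string `xml:"HostAddress"`
}

// Profile maps the part of an AnyConnect VPN Client Profile used here, the
// ServerList of HostEntry elements. Element names follow the profile schema.
type Profile struct {
	Servers []HostEntry `xml:"ServerList>HostEntry"`
}

// SampleProfile and BadProfile are constructed for this example; the host names are invented.
const SampleProfile = `<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>Corp VPN</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
    <HostEntry><HostName>Lab VPN</HostName><HostAddress>lab-vpn.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>`

const BadProfile = `<AnyConnectProfile><ServerList>
  <HostEntry><HostName>Broken</HostName></HostEntry>
</ServerList></AnyConnectProfile>`

// ParseProfile rejects a profile containing a connection entry without a name
// or a gateway address, since such an entry can be neither listed nor used.
func ParseProfile(data string) (*Profile, error) {
	var p Profile
	if err := xml.Unmarshal([]byte(data), &p); err != nil {
		return nil, err
	}
	for _, h := range p.Servers {
		if h.Name == "" || h.Address == "" {
			return nil, errors.New("HostEntry needs both HostName and HostAddress")
		}
	}
	return &p, nil
}

// Device holds at most one profile, as the page describes, plus the connection
// entries configured locally on the device.
type Device struct {
	Profile *Profile
	Local   []HostEntry
}

// ImportProfile replaces whatever profile is currently on the device.
func (d *Device) ImportProfile(data string) error {
	p, err := ParseProfile(data)
	if err != nil {
		return err
	}
	d.Profile = p
	return nil
}

// Connect starts a VPN session. A profile supplied for the connection replaces
// the current one; a connection with no profile deletes the existing profile.
func (d *Device) Connect(profileForConnection string) error {
	if profileForConnection == "" {
		d.Profile = nil
		return nil
	}
	return d.ImportProfile(profileForConnection)
}

// Entries is what the home screen offers: profile entries, then local ones.
func (d *Device) Entries() []string {
	var names []string
	if d.Profile != nil {
		for _, h := range d.Profile.Servers {
			names = append(names, h.Name)
		}
	}
	for _, h := range d.Local {
		names = append(names, h.Name)
	}
	return names
}

// Demo imports a profile, lists the entries, then connects through a locally
// configured entry that has no profile behind it and lists them again.
func Demo() (afterImport, afterConnect []string, err error) {
	d := &Device{Local: []HostEntry{{Name: "Home lab", Address: "vpn.home.example"}}}
	if err = d.ImportProfile(SampleProfile); err != nil {
		return nil, nil, err
	}
	afterImport = d.Entries()
	if err = d.Connect(""); err != nil {
		return nil, nil, err
	}
	return afterImport, d.Entries(), nil
}

func main() { fmt.Println(Demo()) }
```

Running Demo shows the consequence of the single-profile rule: after the import the home screen lists the two profile entries plus the local one, and after connecting through the local entry only the local one is left, because the downloaded connection entries live in the profile that the connection discarded.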
View or delete the AnyConnect profile currently on the device, or import a new one.
Viewing the AnyConnect Profile
Procedure
Importing an AnyConnect Profile
Before You Begin
A profile file must be present on the Android device to import it in this way. Your administrator provides you with the name of the profile file to be installed on your device.
Procedure
Removing the AnyConnect Profile
Procedure
About Android Device Localization
When AnyConnect is installed, its user interface is localized if the device's locale matches one of the packaged language translations. The following language translations are included in the AnyConnect package:
- Czech (cs-cz)
- German (de-de)
- Latin American Spanish (es-co)
- Canadian French (fr-ca)
- Japanese (ja-jp)
- Korean (ko-kr)
- Polish (pl-pl)
- Simplified Chinese (zh-cn)
The displayed language is determined by the device's locale setting. AnyConnect matches the language first, then the region, to find the best fit. For example, after installation, a Swiss French (fr-ch) locale setting results in a Canadian French (fr-ca) display.
AnyConnect UIs and messages are translated as soon as AnyConnect starts. The selected localization is marked Active on the AnyConnect Localization Management Activity Screen.
After installation, localization data for languages not supported in the AnyConnect package is imported by:
- Clicking on a hyperlink provided to you by an administrator that has been defined to import localization data. Your administrator can provide a hyperlink in e-mail, or on a web page, that imports localization data when clicked. This method uses the AnyConnect URI handler, a feature available to administrators for simplifying AnyConnect configuration and management.
You must allow this AnyConnect activity by setting External Control to either Prompt or Enable within the AnyConnect settings. See Controlling External Use of AnyConnect for how to set this.
- Connecting to a secure gateway that an administrator has configured to provide downloadable localization data upon VPN connection. If this method is to be used, your administrator will provide you with the appropriate VPN connection information or a predefined connection entry in the XML profile. Upon VPN connection, localization data is downloaded to your device and applied immediately.
- Manually imported using the Import Localization option on the AnyConnect Localization Management Activity Screen.
Managing Localization Data
Importing Localization Data from a Server
Procedure
Restoring Localization Data
Exiting AnyConnect terminates the current VPN connection and stops all AnyConnect processes. Use this action sparingly: other apps or processes on your device may be using the current VPN connection, and exiting AnyConnect may adversely affect their operation.
From the AnyConnect home window, tap .
If AnyConnect is unable to exit all of its processes gracefully, you are redirected to the Android application management screen to terminate AnyConnect manually by tapping Force Stop.