Configure and Deploy AnyConnect Web Security through ASA

Available Languages

Download Options

  • PDF     (2.3 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.6 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:March 18, 2016
Document ID:200387

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Table of Contents
          Introduction
          Prerequisites
               Requirements
               Components used
          Background Information
          Configure
               Anyconnect WebSecurity deployment through ASA
          Verify
          Upgrade/Downgrade Anyconnect version
          Troubleshoot

Introduction

This document describes the deploying of AnyConnect web security module for client based VPN terminating on Cisco Adaptive Security Appliances (ASA).

Prerequisites

Requirements

There are no specific requirements for this document.

Components used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

  • Upload the Anyconnect (recommend v4.1+) image on ASA

image 1.

  • Enable the VPN profile on ASA, as shown in the image

image 2.

Configure

Anyconnect WebSecurity deployment through ASA

The steps involved in configuration are:

  • Configure Anyconnect Websecurity client profile
  • Edit Anyconnect VPN group policy
  • Set split exclusion for Web Securityand select download Web Security client module  
  • Edit Anyconnect VPN group policy and select the Web Security client profile

Step 1. Configuring Anyconnect Websecurity Client profile

Navigate to Configuration >Remove Access VPN >Network (Client) Access >Anyconnect Client Profile, click on

Add and select the AnyConnect Web Security Client Profile.

Note: The Profile Name is hard-coded on the client side, so regardless of the name configured, the ASA always pushes out Websecurity_serviceprofile.wso to the client.

Note: This is a default profile without authentication license key.

image 3.1.

Step 2. Edit the newly created profile to add authentication license key and customize the configuration.

image 4.2.

image 4.1.

image 6.

Step 3. Set split exclusion for Web Security and select download Web security client module

Edit Anyconnect VPN group policy, as shown in the image. 

image 8.

As shown in the image, set up split exclusion for Web Security.

image 15.

image 16.

  Select download Web Security client module, as shown in the image.

image 9.

Step 4. Download Web security client profile

Edit Anyconnect VPN group policy > Client Profiles to Download > Add, now choose the created Profile (as in Step 1)

image 7.

Click OK and apply the changes.

Verify

When you connect to Anyconnect VPN, ASA will push the Anyconnect webscurity module through VPN as shown in the image.

image 13.

image 10.

image 17.

If you are already logged in, its recommended to log off and then log in back for the functionality to be enabled.

Upgrade/Downgrade Anyconnect version

The deployment functionality remains unaltered if the version is upgraded. However, downgrade is not possible. So, with the current example of 4.1.x, it can be upgraded to version 4.2

The steps involved are as follows:

Step 1. Upload the latest Anyconnect package 4.2 to flash and replace 4.1 with latest file.

Under Anyconnect Client Software > Replace, and then choose the recent image file.

image 11.

Step 2. When you re-connect to Anyconnect VPN, ASA will push the latest Anyconnect module through VPN with no alterations to the web security profile.

image 3.

image 13.

Note: Downgrade is not supported.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Using DART to Gather Troubleshooting Information:

DART is the AnyConnect Diagnostics and Reporting Tool that you can use to collect data useful for troubleshooting AnyConnect installation and connection problems. DART supports Windows 7, Windows Vista, Windows XP, Mac version 10.5 and 10.6, and Linux Redhat. The DART wizard runs on the computer that runs AnyConnect. It assembles the logs, status, and diagnostic information for Cisco Technical Assistance Center (TAC) analysis and does not require administrator privileges.

Although DART does not rely on any component of the AnyConnect software to run, yet you can launch it from AnyConnect, it will collect the AnyConnect log file, if it is available. Currently, DART is available as a standalone installation, or the administrator can push this application to the client PC as part of the AnyConnect dynamic download infrastructure. Once installed, the end user can start the  wizard from the Cisco folder available through the Start button.

Revision History

Revision Publish Date Comments
1.0
18-Mar-2016
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Ashok Sakthivel
    Cisco TAC Engineer
  • Nik Kale
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products