Specifies the minimum version of the AnyConnect client capable
of interpreting all of the parameters in this file. If a client running a
version of AnyConnect that is older than this version reads the file, it issues
an event log warning.
The format is acversion="<version number>".
Enables FIPS mode for the client. This setting forces the client
to only use algorithms and protocols approved by the FIPS standard.
When selected, disables the launch of the VPNDownloader.exe
module, which is responsible for detecting the presence of and updating the
local versions of dynamic content. The client does not check for dynamic
content present on the ASA, including translations, customizations, optional
modules, and core software updates.
When Bypass Downloader is selected, one of two things happens
upon client connection to an ASA:
If the VPN client profile on the ASA is different than the one
on the client, the client aborts the connection attempt.
If there is no VPN client profile on the ASA, the client makes
the VPN connection, but it uses its hard-coded VPN client profile settings.
If you configure VPN client profiles on the ASA, they must be
installed on the client before the client connects to an ASA with
BypassDownloader set to true. Because the profile can contain an administrator
defined policy, the BypassDownloader true setting is only recommended if you do
not rely on the ASA to centrally manage client profiles.
Enable CRL Check<EnableCRLCheck>
This feature is only implemented for Windows desktop. For both SSL and IPsec VPN connections, you have the option to perform Certificate Revocation List (CRL) checking. When this setting is enabled, AnyConnect retrieves the updated CRL for all certificates in the chain. AnyConnect then verifies whether the certificate in question is among those revoked certificates which should no longer be trusted; and if found to be a certificate revoked by the Certificate Authority (CA), it does not connect.
CRL checking is disabled by default. AnyConnect performs CRL checks only when Enable CRL Check is checked (or enabled), and as a result, the end user may observe the following:
If the certificate is revoked through CRL, the connection to the secure gateway fails unconditionally, even if Strict Certificate Trust is disabled in the AnyConnect Local Policy file.
If the CRL cannot be retrieved (such as due to an unreachable CRL distribution point), the connection to the secure gateway fails unconditionally, if Strict Certificate Trust is enabled in the AnyConnect Local Policy file. Otherwise, if Strict Certificate Trust is disabled, the user may be prompted to bypass the error.
AnyConnect cannot perform a CRL check when Always On is enabled. Also, if CRL distribution points are not publicly reachable, AnyConnect may encounter service disruption.
Prevents users from using a non-FIPS-compliant browser to
initiate WebLaunch. It does this by preventing the client from obtaining the
security cookie that is used to initiate an AnyConnect tunnel. The client
displays an informative message to the user.
If selected, when authenticating remote security gateways,
AnyConnect disallows any certificate that it cannot verify. Instead of
prompting the user to accept these certificates, the client fails to connect to
security gateways using self-signed certificates and displaysLocal policy prohibits the
acceptance of untrusted server certificates. A connection will not be
established.. If not selected, the client prompts the user to accept
the certificate. This is the default behavior.
We strongly recommend that you enable Strict Certificate Trust for the AnyConnect client for the following reasons:
With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent “man in the middle” attacks when users are connecting from untrusted networks such as public-access networks.
Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users are subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.
By design, AnyConnect does not cache sensitive information to
disk. Enabling this parameter extends this policy to any type of user
information stored in the AnyConnect preferences.
Credentials—The user name and second user name are not cached.
Thumbprints—The client and server certificate thumbprints are
CredentialsAndThumbprints—Certificate thumbprints and user names
are not cached.
All—No automatic preferences are cached.
false—All preferences are written to disk (default).
Exclude Pem File Cert Store (Linux and macOS)
Prevents the client from using the PEM file certificate store to
verify server certificates and search for client certificates.
The store uses FIPS-capable OpenSSL and has information about
where to obtain certificates for client certificate authentication. Permitting
the PEM file certificate store ensures remote users are using a FIPS-compliant
Exclude Mac Native Cert Store (macOS only)
Prevents the client from using the Mac native (keychain)
certificate store to verify server certificates and search for client
Exclude Firefox NSS Cert Store (Linux and macOS)
Prevents the client from using the Firefox NSS certificate store
to verify server certificates and search for client certificates.
The store has information about where to obtain certificates for
client certificate authentication.
Controls which headends the client can get software or profile
Allow Software Updates From
Allow or disallow software updates of the VPN core module and
other optional modules from unauthorized servers (ones not listed in the Server
Allow VPN Profile Updates
From AnyServer <AllowVPNProfileUpdatesFromAnyServer>
Allow or disallow VPN Profile updates from unauthorized servers
(ones not listed in the Server Name list).
Allow Service Profile Updates
From AnyServer <AllowServiceProfileUpdatesFromAnyServer>
Allow or disallow other service module profile updates from
unauthorized servers (ones not listed in the Server Name list).
Allow ISE Posture Profile
Updates From Any Server<AllowISEProfileUpdatesFromAnyServer>
disallow ISE Posture Profile updates from unauthorized servers (ones not listed
in the Server Name list).
Allow Compliance Module
Updates From Any
disallow Compliance Module updates from unauthorized servers (ones not listed
in the Server Name list).
Specify authorized servers in this list. These headends are
allowed full updates of all AnyConnect software and profiles upon VPN
connectivity. ServerName can be an FQDN, IP address, domain name, or wildcard
with domain name.