Cisco AnyConnect VPN Client
Administrator Guide
Version 2.0
Updated May 12, 2010
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: OL-12950-012

   Summary of Contents for Cisco 5505 - ASA Firewall Edition Bundle

  • Page 2

    OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

  • Page 3: Table Of Contents

    AnyConnect Client Features; Remote User Interface; Getting and Installing the Files You Need; CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop; Common AnyConnect VPN Client Installation and Configuration Procedures; Chapter 3, Installing the AnyConnect Client...

  • Page 4

    Configuring, Enabling, and Using Other AnyConnect Features; Configuring Certificate-only Authentication; Using Compression; Configuring the Dynamic Access Policies Feature of the Security Appliance; Cisco Secure Desktop Support; Enabling AnyConnect Rekey; Enabling and Adjusting Dead Peer Detection; Enabling AnyConnect Keepalives...

  • Page 5

    Adjusting MTU Size Using CLI; Logging Off AnyConnect Client Sessions; Updating AnyConnect Client and SSL VPN Client Images; Appendix A, Sample AnyConnect Profile and XML Schema; Sample AnyConnect Profile...

  • Page 6

    Sample AnyConnect Profile Schema; Appendix, Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users; Index...

  • Page 7

    • Licensing, page 10. Document Objectives: The purpose of this guide is to help you configure the Cisco AnyConnect VPN Client parameters on the security appliance. This guide does not cover every feature, but describes only the most common configuration scenarios.

  • Page 8: About This Guide

    PCs. ... Installation and Configuration Procedures” Chapter 3, “Installing the AnyConnect Client and Configuring the Security Appliance with ASDM”: Describes how to use ASDM to install the Cisco AnyConnect VPN Client on the security appliance...

  • Page 9: Document Conventions

    Table 1 Document Organization (continued)
    Chapter/Appendix: Definition
    Chapter 8, “Customizing and Localizing the AnyConnect Client”: Describes how to customize and localize the end-user interface of the Cisco AnyConnect VPN Client.
    Chapter 9, “Monitoring and ...”: Describes how to monitor and maintain the Cisco AnyConnect VPN Client using the...

  • Page 10: Obtaining Documentation, Obtaining Support, And Security Guidelines

    For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...

  • Page 11: Chapter 1 Introduction

    Chapter 1 Introduction. This book describes a process for getting the Cisco AnyConnect VPN Client up and running on your central-site security appliance and on your remote users’ PCs. In this context, PC refers generically to Windows, Mac, and Linux devices, but the focus in this document is primarily on Windows PC users.

  • Page 12: Remote User Interface

    Desktop functions of Cisco Secure Desktop for Windows 2000 and Windows XP. • Rekey—Specifies that SSL renegotiation takes place during rekey. Note: The Cisco AnyConnect VPN Client can coexist with the IPSec Cisco VPN Client, but they cannot be used simultaneously.

  • Page 13

    Figure 1-1 Cisco AnyConnect VPN Client User Interface, Connection Tab. If you do not have certificates set up, you might see the dialog box shown in Figure 1-2. When you see this dialog box, click Yes to connect.

  • Page 14

    For detailed information and examples of instances in which the remote user does or does not see the Security Alert dialog box, see Adding a Security Certificate in Response to Browser Security Alert Windows, page 2-4.

  • Page 15

    Cisco Secure Desktop posture assessment status. The Reset button on this tab resets the transmission statistics. The Export button lets you export the current statistics, interface, and routing table to a text file.

  • Page 16

    Figure 1-4 Cisco AnyConnect VPN Client User Interface, Statistics Tab, Statistics Details Tab. Clicking the Route Details tab (Figure 1-5) shows the secured and non-secured routes for this connection. Figure 1-5 Cisco AnyConnect VPN Client User Interface, Statistics Tab, Route Details Tab. A Secured Routes entry with the destination 0.0.0.0 and the subnet mask 0.0.0.0 means that all traffic is...

  • Page 17: Getting And Installing The Files You Need

    CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop If your remote users have Cisco Security Agent (CSA) installed, you must import new CSA policies to the remote users to enable the AnyConnect VPN Client and Cisco Secure Desktop to interoperate with the security appliance.

  • Page 18

    Step 1: Retrieve the CSA policies for the AnyConnect client and Cisco Secure Desktop. You can get the files from:
    • The CD shipped with the security appliance.
    • The software download page for the ASA 5500 Series Adaptive Security Appliance at ...

  • Page 19: Chapter 2 Common AnyConnect VPN Client Installation And Configuration Procedures

    Transport Layer Security (TLS). The client can also negotiate a simultaneous Datagram Transport Layer Security (DTLS) connection. DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

  • Page 20: Before You Install The Anyconnect Client

    AnyConnect client and other SSL VPN connections on the security appliance, see “Configuring SSL VPN Connections” in Cisco Security Appliance Command Line Configuration Guide. For detailed descriptions of the commands referred to in this administrator’s guide, see the Cisco ASA 5500 Command Reference Guide for version 8.0 or later.

  • Page 21: AnyConnect Client And New Windows Installations

    DNS name, change the CN field on the security appliance certificate to that name. • The Cisco Security Agent (CSA) might display warnings during the AnyConnect client installation. Current shipping versions of CSA do not have a built-in rule that is compatible with the AnyConnect client.

  • Page 22: Adding A Security Certificate In Response To Browser Security Alert Windows

    B-1. When a user gets the server certificate for the security appliance from a globally trusted certificate authority—for example, Verisign or Cisco—the user never sees a Security Alert pop-up when connecting to that security appliance. Adding a Security Certificate in Response to Browser Security Alert Windows This section explains how to install a self-signed certificate as a trusted root certificate on a client in response to the browser alert windows.

  • Page 23

    For example, the user connects to 10.94.147.93, and the certificate received from the security appliance contains cvc-asa06.cisco.com. 10.94.147.93 and cvc-asa06.cisco.com might or might not be the same machine. The Security Alert dialog box prompts the user to approve or disapprove the certificate.

  • Page 24

    Step 7: Another Security Warning window prompts “Do you want to install this certificate?” Click Yes.
    Step 8: The Certificate Import Wizard window indicates the import is successful. Click OK to close this window.

  • Page 25: Replacing A Digital Certificate With A Trusted Certificate

    When users first connect using AnyConnect, they should click “View Certificate”, install this new certificate, then click “Yes” to proceed. The next time they re-connect, they do not see the security alert popup, even if the security appliance is rebooted.

  • Page 26: Installing The AnyConnect Client On A User's PC

    See the Release Notes for the current release for the full set of operating-system-specific download sites. Step 3: Double-click the MSI file. The welcome screen for the Cisco AnyConnect VPN Client Setup Wizard displays.

  • Page 27: Installing The AnyConnect Client On A PC Running Linux

    [root@linuxhost]# cd ciscovpn
    [root@linuxhost]# ./vpn_install.sh
    The client installs in the directory /opt/cisco/vpn. This script also installs the daemon vpnagentd and sets it up as a service that is automatically started when the system boots. After installing the client, you can start the client manually from the user interface with the Linux command /opt/cisco/vpn/bin/vpnui or with the client CLI command /opt/cisco/vpn/bin/vpn.

  • Page 29: Chapter 3 Installing The AnyConnect Client And Configuring The Security Appliance With ASDM

    This panel lists any AnyConnect client files that have been identified as AnyConnect client images. The order in which they appear in the table reflects the order in which they download to the remote computer.

  • Page 30

    If you already have an image located in the flash memory of the security appliance, you can enter the name of the image in the Flash SVC Image field, and click OK. The SSL VPN Client Settings panel now shows the AnyConnect client images you identified (Figure 3-3).

  • Page 31

    (Client) Access > SSL VPN Connection Profiles. The SSL VPN Connection Profiles panel appears (Figure 3-4). Check Enable Cisco AnyConnect VPN Client or legacy SSL VPN client access on the interfaces selected in the table below.

  • Page 32

    IP address pool and assign the pool to a tunnel group. To create an IP address pool, choose Network (Client) Access > Address Management > Address Pools. Click Add. The Add IP Pool dialog appears (Figure 3-5).

  • Page 33

    Figure 3-5 Add IP Pool Dialog. Enter the name of the new IP address pool. Enter the starting and ending IP addresses, and enter the subnet mask and click OK.

  • Page 34

    VPN Connection > Basic dialog box appears. To add a new connection profile, click Add. The Add SSL VPN Connection > Basic dialog box appears, which is identical to the Edit dialog box, except that you must supply a name for the connection profile. Then proceed as follows.

  • Page 35

    Identify SSL VPN as a permitted VPN tunneling protocol for the group or user. Choose Network (Client) Access > Group Policies from the navigation pane. Highlight the group policy in the Group Policy table, and click Edit.

  • Page 36

    The Edit Internal Group Policy dialog appears (Figure 3-8): Figure 3-8 Edit Internal Group Policy, General Tab. Check the SSL VPN Client check box to include SSL VPN as a tunneling protocol.

  • Page 37

    Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of real-time applications that are sensitive to packet delays. Note: Compression and DTLS are mutually exclusive. If you enable both, DTLS is inactive for the client connection.

  • Page 38

    AnyConnect Client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. The attributes you configure on the Group Policies > Advanced > SSL VPN Client dialog box set the profile for the AnyConnect Client.

  • Page 39: Installing The AnyConnect Client On A Security Appliance Using CLI

    PC. Therefore, assign the lowest number to the image used by the most commonly-encountered operating system. For example:
    hostname(config-webvpn)# svc image anyconnect-win-2.0.0343-k9.pkg 1
    hostname(config-webvpn)# svc image anyconnect-macosx-i386-2.0.0343-k9.pkg 2
    hostname(config-webvpn)# svc image anyconnect-linux-2.0.0343-k9.pkg 3

  • Page 40: Enabling AnyConnect Client SSL VPN Connections Using CLI

    The security appliance expands SSL VPN client and the Cisco Secure Desktop images in cache memory. Note: If you receive the error message ERROR: Unable to load SVC image - increase disk space via the...

  • Page 41

    You can also specify other protocols to permit by adding the names of those protocols to this command. For more information about the vpn-tunnel-protocol command, see the command description in Cisco Security Appliance Command Reference.

  • Page 42: Disabling Permanent Client Installation

    For more information about assigning users to group policies, see “Configuring Tunnel Groups, Group Policies, and Users” in Cisco Security Appliance Command Line Configuration Guide. Disabling Permanent Client Installation Disabling permanent AnyConnect client installation enables the automatic uninstalling feature of the client.

  • Page 43: Enabling Datagram Transport Layer Security (DTLS) With AnyConnect (SSL) Connections

    • Enabling AnyConnect Keepalives, page 5-11
    • Enabling AnyConnect Rekey, page 5-12
    • Enabling and Adjusting Dead Peer Detection, page 5-14
    • Configuring the Dynamic Access Policies Feature of the Security Appliance, page 5-15
    • Cisco Secure Desktop Support, page 5-15
    • ...

  • Page 44: Configuring DTLS

    SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

  • Page 45: Enabling Datagram Transport Layer Security (DTLS) With AnyConnect (SSL) Connections

    AnyConnect client to fall back to TLS, if necessary. Fallback to TLS occurs if the AnyConnect client cannot send data over the UDP/DTLS session, and the DPD mechanism is necessary for fallback to occur.

  • Page 46: Prompting Remote Users

    • Go to Clientless SSL VPN Portal—Immediately displays the portal page for Clientless SSL VPN. The user can still invoke the AnyConnect client from the portal by clicking Start AnyConnect Client.
    • Download SSL VPN Client—Immediately starts downloading the AnyConnect client to the remote user’s PC.

  • Page 47: Enabling IPv6 VPN Access

    VPN Policy > SSL VPN Client. Specify the module name, for example, sbl for the Start Before Logon feature, in the Optional Client Module to Download field. Separate multiple strings with commas. Figure 5-5 shows an example.

  • Page 48: Configuring, Enabling, And Using Other AnyConnect Features

    You can specify whether you want users to authenticate using AAA with a username and password or using a digital certificate (or both). When you configure certificate-only authentication, users can connect with a digital certificate and are not required to provide a user ID and password.

  • Page 49

    To make this feature take effect, you must also enable AnyConnect client access on particular interfaces and ports, as needed. To do this, select Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connection Profiles. The SSL VPN Connection Profiles dialog box (Figure 5-7) appears.

  • Page 50

    SSL VPN Connection Profiles Dialog Box In the Access Interfaces area, select the check box Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interfaces selected in the table below. Then select the check boxes for the interfaces on which you want to enable access.

  • Page 51: Using Compression

    For broadband connections, compression might result in poorer performance. By default, if you have not changed the compression setting globally, compression is enabled. You can configure compression globally using the compression svc command from global configuration mode.

  • Page 52: Changing Compression Globally

    • Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
    Figure 5-9 shows an example of configuring the compression setting for an internal group policy.

  • Page 53: Enabling AnyConnect Keepalives

    • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client

  • Page 54: Enabling AnyConnect Rekey

    Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client > Key Regeneration

  • Page 55

    Note: The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore, treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type (CSCsh93610).

  • Page 56: Enabling And Adjusting Dead Peer Detection

    Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Dead Peer Detection. Figure 5-12 shows an example of configuring the Dead Peer Detection setting for an internal group policy.

  • Page 57: Configuring The Dynamic Access Policies Feature Of The Security Appliance

    Configuration Guide, or Cisco Security Appliance Command Reference. Cisco Secure Desktop Support Cisco Secure Desktop validates the security of client computers requesting access to your SSL VPN, helps ensure they remain secure while they are connected, and attempts to remove traces of the session after they disconnect.

  • Page 58

    Cisco Secure Desktop for Windows 2000 and Windows XP. There is no specific configuration of AnyConnect required to use Secure Desktop. For detailed information about configuring Cisco Secure Desktop, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators (Software Release 3.2).

  • Page 59

    • Configuring the Dynamic Access Policies Feature of the Security Appliance, page 6-6
    • Cisco Secure Desktop Support, page 6-6
    • Enabling AnyConnect Rekey, page 6-6
    • Enabling and Adjusting Dead Peer Detection, page 6-7
    • ...

  • Page 60: Enabling DTLS Globally For A Specific Port

    WebVPN portal page and waits the duration of value before taking the default action—downloading the client.

  • Page 61: Enabling IPv6 VPN Access

    Configure an IPv6 Tunnel default gateway. To implement this procedure, do the following steps:
    Step 1: Configure Interfaces:
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 192.168.0.1 255.255.255.0
     ipv6 enable ; Needed for IPv6.

  • Page 62: Enabling Modules For Additional AnyConnect Features

    AnyConnect client feature Start Before Login:
    hostname(config)# group-policy telecommuters attributes
    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# svc modules value vpngina

  • Page 63: Configuring, Enabling, And Using Other AnyConnect Features

    To remove the command from the configuration, use the no form of the command. In the following example, compression is disabled for all SSL VPN connections globally:
    hostname(config)# no compression svc

  • Page 64: Configuring The Dynamic Access Policies Feature Of The Security Appliance

    Configuration Guide, or Cisco Security Appliance Command Reference. Cisco Secure Desktop Support Cisco Secure Desktop validates the security of client computers requesting access to your SSL VPN, helps ensure they remain secure while they are connected, and attempts to remove traces of the session after they disconnect.

  • Page 65: Enabling And Adjusting Dead Peer Detection

    The following example sets the frequency of DPD performed by the security appliance to 30 seconds, and the frequency of DPD performed by the client to 10 seconds, for the existing group-policy sales:
    hostname(config)# group-policy sales attributes
    ...

  • Page 66: Enabling AnyConnect Keepalives

    In the following example, the security appliance is configured to enable the client to send keepalive messages with a frequency of 300 seconds (5 minutes), for the existing group-policy sales:
    hostname(config)# group-policy sales attributes
    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# svc keepalive 300

  • Page 67: Chapter 7 Configuring And Using AnyConnect Client Operating Modes And User Profiles

    Using the AnyConnect CLI Commands to Connect (Standalone Mode) The Cisco AnyConnect VPN Client provides a command line interface (CLI) for users who prefer to issue commands instead of using the graphical user interface. The following sections describe how to launch the CLI command prompt.

  • Page 68

    Displays statistics for the current connection; for example:
    VPN> stats
    [ Tunnel Information ]
    Time Connected:01:17:33
    Client Address:192.168.23.45
    Server Address:209.165.200.224
    [ Tunnel Details ]
    Tunneling Mode:All Traffic
    Protocol: DTLS
    Protocol Cipher: RSA_AES_256_SHA1
    Protocol Compression: None

  • Page 69: Connecting Using WebLaunch

    Disconnect the vpn session if it exists. Connecting Using WebLaunch: The Cisco AnyConnect VPN Client provides a browser interface for users who prefer a graphical user interface. WebLaunch mode lets the user enter the URL of the security appliance in the Address or Location field of a browser using the https protocol.

  • Page 70: User Log In And Log Out

    In some cases, you might want to provide more than one profile for a given user. For example, someone who works from multiple locations might need more than one profile. In such cases, ...

  • Page 71: Enabling AnyConnect Client Profile Downloads

    You can place a copy of your profile (for example, CiscoAnyConnectProfile.xml) in the directory:
    C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile
    The location for Windows Vista is slightly different:
    C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile
    The host that appears in the Connect to combo box is the first one listed in the profile or the last host you successfully connected with.

  • Page 72

    Step 3: To identify to the security appliance the client profiles file to load into cache memory, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > Client Settings (Figure 7-1).

  • Page 73

    Add (or Edit) SSL VPN Client Profiles Dialog Box. Enter the profile name and profile package names in their respective fields. To browse for a profile package name, click Browse Flash. The Browse Flash dialog box appears (Figure 7-3).

  • Page 74

    Access > Group Policies. Select an existing group policy and click Edit or click Add to configure a new group policy. In the navigation pane, select Advanced > SSL VPN Client. The Add or Edit Internal Group Policy dialog box appears (Figure 7-4).

  • Page 75

    VPN Policy > SSL VPN Client. To modify an existing user’s profile, select that user from the table and click Edit. To add a new user, click Add. The Add or Edit User Account dialog box appears (Figure 7-5).

  • Page 76: Configuring Profile Attributes

    ASDM. For validation, you can use the AnyConnectProfile.xsd found in the same directory as the profile template. See Appendix A, “Sample AnyConnect Profile and XML Schema” for a hard copy of these files.

  • Page 77: Enabling Start Before Logon (SBL) For The AnyConnect Client

    In addition, the administrator must ensure that the AnyConnect profile.xml file has the <UseStartBeforeLogon> statement set to true. For example:
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    The system must be rebooted before Start Before Logon takes effect.

  • Page 78: Configuring The ServerList Attribute

    Certificate key usage offers a set of constraints on the broad types of operations that can be performed with a given certificate. The supported set includes:
    • DIGITAL_SIGNATURE
    • NON_REPUDIATION
    • KEY_ENCIPHERMENT
    ...

  • Page 79: Extended Certificate Key Usage Matching

    The certificate distinguished name mapping capability allows an administrator to limit the certificates that can be used by the client to those matching the specified criteria and criteria match conditions. Table 7-4 lists the supported criteria: ...

  • Page 80

    See Appendix A, “Sample AnyConnect Profile and XML Schema,” for an example.

  • Page 81: Certificate Matching Example

    Certificate Distinguished Name matching allows for exact match criteria in the choosing of acceptable client certificates. -->
    <DistinguishedName>
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled">
        <Name>CN</Name>
        <Pattern>ASASecurity</Pattern>
      </DistinguishedNameDefinition>
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
        <Name>L</Name>
        <Pattern>Boulder</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName>
    </CertificateMatch>

  • Page 83: Chapter 8 Customizing And Localizing The AnyConnect Client

    You customize the AnyConnect Client user interface by replacing files that affect the interface with your own, custom files. For example, with a Windows installation, you can change the company logo from the default Cisco logo by replacing the file company_logo.bmp with your own file.

  • Page 84

    Icon that appears on the About tab. For Mac OS X All files for OS X are located in /Applications/Cisco AnyConnect VPN Client/Contents/Resources. Table 8-3 lists the files that you can replace and the client GUI area affected. Table 8-3...

  • Page 85: Language Translation (localization) For User Messages

    Translation Domains and Functional Areas Affected
    Translation Domain: Functional Areas Translated
    AnyConnect: Messages displayed on the user interface of the Cisco AnyConnect VPN Client.
    CSD: Messages for the Cisco Secure Desktop (CSD).
    customization: Messages on the logon and logout pages, portal page, and all the messages customizable by the user.

  • Page 86: Configuring Language Localization Using ASDM

    Using the buttons on this pane, you can configure language translation tables that the security appliance uses to translate titles and messages associated with the portal page, the AnyConnect VPN client user interface, Cisco Secure Desktop, and plug-ins.

  • Page 87

    URL or IP address where you can make changes to the table or template.
    • Language—The language of existing Language Localization tables.
    • Language Localization Template—The template on which the table is based.
    • ...

  • Page 88: Creating Or Modifying A Translation Table Using ASDM

    Step 4: Edit the translation table. For each message represented by the msgid field that you want to translate, enter the translated text between the quotes of the associated msgstr field. The example below shows the message Connected, with the Spanish text in the msgstr field:
    msgid "Connected"
    ...

  • Page 89: Import/Export Language Localization

    You can export a template, edit the message fields, and import the template as a new translation table, or you can export an existing translation table, edit the message fields, and re-import the table to overwrite the previous version. Figure 8-3 Import Language Localization Pane.

  • Page 90: Creating Or Modifying A Translation Table Using CLI

    Chinese language.
    • Localization Template Name—The name of the XML file containing the message fields. The following templates are available:
      – AnyConnect—Messages displayed on the user interface of the Cisco AnyConnect VPN Client.
      – CSD—Messages for the Cisco Secure Desktop (CSD).
      – ...

  • Page 91

    ID field (msgid) and a message string field (msgstr) for the message Clientless SSL VPN Service, which is displayed on the portal page when a Clientless user establishes a VPN connection. The complete template contains many pairs of message fields:
    # Copyright (C) 2007 by Cisco Systems, Inc.
    #, fuzzy
    msgid ""
    ...

  • Page 92

    Adding languages does not ensure that your computer has a font that can display web pages in your preferred language. In addition, most web pages ...

  • Page 93

    Step 6 Import the customization template as a new object named sales, using the import webvpn customization command from privileged EXEC mode. For example:
    hostname# import webvpn customization sales tftp://209.165.200.225/sales
    hostname# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  • Page 94

    "Please enter your username and password."
    msgstr ""
    The message string (msgstr) value should be your translation of the English string in msgid.

  • Page 95

    Monitoring and Maintaining the AnyConnect Client
    This chapter describes some common maintenance and monitoring procedures for network administrators dealing with the Cisco AnyConnect Client. You perform these procedures on the security appliance:
    • Viewing AnyConnect Client and SSL VPN Sessions, page 9-1
    • ...

  • Page 96: Adjusting MTU Size Using ASDM

    MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead. This setting affects only the AnyConnect Client. The Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes. This setting affects AnyConnect Client connections established in SSL and those established in SSL with DTLS.

  • Page 97: Logging Off AnyConnect Client Sessions

    This command affects only the AnyConnect Client. The Cisco SSL VPN Client (SVC) is not capable of adjusting to different MTU sizes. The default size for this command in the default group policy is 1406. The MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.

  • Page 98: Updating AnyConnect Client and SSL VPN Client Images

    If the new filenames are different, uninstall the old files using the no svc image command. Then use the svc image command to assign an order to the images and cause the security appliance to load the new images.

  • Page 99: Appendix

    Sample AnyConnect Profile
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- This is a sample of a Cisco AnyConnect VPN Client Profile XML file.
         This file is intended to be maintained by a Secure Gateway administrator and then distributed with the client software.
         The xml file based on this schema can be distributed to clients at any time.

  • Page 100

        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled">
          <Name>CN</Name>
          <Pattern>ASASecurity</Pattern>
        </DistinguishedNameDefinition>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>L</Name>
          <Pattern>Boulder</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
    <!-- Collection of one or more backup servers to be used in case the user selected one fails. -->
    <BackupServerList>
      <!--

  • Page 101

    (private) -->
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
               xmlns:ns1="http://schemas.xmlsoap.org/encoding/"
               targetNamespace="http://schemas.xmlsoap.org/encoding/"
               elementFormDefault="qualified"
               attributeFormDefault="unqualified">
      <xs:annotation>
        <xs:documentation>pwd</xs:documentation>
      </xs:annotation>
      <xs:complexType name="HostEntry">
        <xs:annotation>
          <xs:documentation>This is the data needed to attempt a connection to a specific host.</xs:documentation>
        </xs:annotation>
        <xs:sequence>
          <xs:element name="HostEntry" maxOccurs="unbounded">
            <xs:annotation>

  • Page 102

        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="AnyConnectClientProfile">
        <xs:annotation>
          <xs:documentation>This is the XML schema definition for the Cisco AnyConnect VPN Client Profile XML file. The VPN Client Initialization is a repository of information used to manage the Cisco VPN client software. This file is intended to be maintained by a Secure Gateway administrator and then distributed with the client software.

  • Page 103

                  <xs:documentation>user must enter a pin when enrolling a certificate.</xs:documentation>
                </xs:annotation>
              </xs:enumeration>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name="CertificateMatch" minOccurs="0">
          <xs:annotation>
            <xs:documentation>This section enables the definition of various attributes that can be used to refine client certificate selection.</xs:documentation>
          </xs:annotation>
          <xs:complexType>
            <xs:sequence>

  • Page 104

          <xs:element name="HostAddress" maxOccurs="unbounded">
            <xs:annotation>
              <xs:documentation>Can be a FQDN or IP address.</xs:documentation>
            </xs:annotation>
          </xs:element>
        </xs:sequence>
      </xs:complexType>
      <xs:complexType name="KeyUsage">
        <xs:annotation>
          <xs:documentation>Certificate Key attributes that can be used for choosing acceptable client certificates.</xs:documentation>
        </xs:annotation>
        <xs:sequence>
          <xs:element name="MatchKey" maxOccurs="9">

  • Page 105

              <xs:enumeration value="ServerAuth">
                <xs:annotation>
                  <xs:documentation>1.3.6.1.5.5.7.3.1</xs:documentation>
                </xs:annotation>
              </xs:enumeration>
              <xs:enumeration value="ClientAuth">
                <xs:annotation>
                  <xs:documentation>1.3.6.1.5.5.7.3.2</xs:documentation>
                </xs:annotation>
              </xs:enumeration>
              <xs:enumeration value="CodeSign">
                <xs:annotation>
                  <xs:documentation>1.3.6.1.5.5.7.3.3</xs:documentation>
                </xs:annotation>
              </xs:enumeration>
              <xs:enumeration value="EmailProtect">
                <xs:annotation>
                  <xs:documentation>1.3.6.1.5.5.7.3.4</xs:documentation>
                </xs:annotation>
              </xs:enumeration>
              <xs:enumeration value="IPSecEndSystem">
                <xs:annotation>
                  <xs:documentation>1.3.6.1.5.5.7.3.5</xs:documentation>
                </xs:annotation>
              </xs:enumeration>
              <xs:enumeration value="IPSecTunnel">
                <xs:annotation>
                  <xs:documentation>1.3.6.1.5.5.7.3.6</xs:documentation>

  • Page 106

          <xs:documentation>This element represents the set of attributes to define a single Distinguished Name matching definition.</xs:documentation>
        </xs:annotation>
        <xs:complexType>
          <xs:sequence>
            <xs:element name="Name">
              <xs:annotation>
                <xs:documentation>Distinguished attribute name to be used in matching.</xs:documentation>
              </xs:annotation>
              <xs:simpleType>
                <xs:restriction base="xs:string">
                  <xs:enumeration value="CN">
                    <xs:annotation>

  • Page 107

                      <xs:documentation>Subject Dn Qualifier</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="C">
                    <xs:annotation>
                      <xs:documentation>Subject Country</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="L">
                    <xs:annotation>
                      <xs:documentation>Subject City</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="SP">
                    <xs:annotation>
                      <xs:documentation>Subject State</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="ST">
                    <xs:annotation>
                      <xs:documentation>Subject State</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>

  • Page 108

                      Name</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="ISSUER-N">
                    <xs:annotation>
                      <xs:documentation>Issuer Unstruct Name</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="ISSUER-I">
                    <xs:annotation>
                      <xs:documentation>Issuer Initials</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="ISSUER-GENQ">
                    <xs:annotation>
                      <xs:documentation>Issuer Gen Qualifier</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="ISSUER-DNQ">
                    <xs:annotation>
                      <xs:documentation>Issuer Dn Qualifier</xs:documentation>

  • Page 109

                    <xs:annotation>
                      <xs:documentation>Issuer Email Address</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                </xs:restriction>
              </xs:simpleType>
            </xs:element>
            <xs:element name="Pattern" nillable="false">
              <xs:annotation>
                <xs:documentation>The string to use in the match.</xs:documentation>
              </xs:annotation>
              <xs:simpleType>
                <xs:restriction base="xs:string">
                  <xs:minLength value="1"/>
                  <xs:maxLength value="30"/>
                  <xs:whiteSpace value="collapse"/>
                </xs:restriction>
              </xs:simpleType>

  • Page 110

            </xs:complexType>
          </xs:element>
        </xs:sequence>
      </xs:complexType>
      <xs:element name="AnyConnectProfile" type="ns1:AnyConnectClientProfile">
        <xs:annotation>
          <xs:documentation>The root element representing the AnyConnect Client Profile</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:simpleType name="simpleBinary">
        <xs:restriction base="xs:string">
          <xs:enumeration value="true">
            <xs:annotation>
              <xs:documentation>enables the Start Before Logon feature</xs:documentation>
            </xs:annotation>

  • Page 111

    Appendix A Sample AnyConnect Profile and XML Schema
    Sample AnyConnect Profile Schema
          </xs:enumeration>
          <xs:enumeration value="false">
            <xs:annotation>
              <xs:documentation>disables the Start Before Logon feature.</xs:documentation>
            </xs:annotation>
          </xs:enumeration>
        </xs:restriction>
      </xs:simpleType>
    </xs:schema>

  • Page 112


  • Page 113

    Step 10 Right-click Security Zones and Content Ratings in the right-hand pane and click Properties.
    Step 11 Select Import the current security zones and privacy settings. If prompted, click Continue.
    Step 12 Click Modify Settings.
    Step 13 Select Trusted Sites and click Sites.

  • Page 114

    Step 15 Step 16 Click Close (or OK until all dialog boxes are closed, and close any snap-in windows). Step 17 Allow sufficient time for the policy to propagate throughout the domain or forest.

  • Page 115

    Linux connection commands extended certificate key usage matching Mac OS X connection commands Windows connection commands Client Profile to Download configuring with ASDM fallback from DTLS to TLS Command Line Interface configuring with ASDM

  • Page 116

    CLI Netscape, certificates keepalive messages 11, 8 configuring with ASDM Keep Installer on Client System Optional Client Module to Download, configuring with ASDM ASDM key usage certificate matching certificate matching, extended

  • Page 117

    Active Directory configuring features adding on individual PCs tunneling protocol enabling address assignment permanent installation user interface tunnel group customizing installing overview images user profile order logging out sessions viewing sessions

  • Page 118

    IE requirement, AD trusted sites IE requirement, individual WebLaunch mode Windows AnyConnect CLI commands Windows PC, installing AnyConnect Windows Vista trusted sites requirement 4, 1 XML profile file XML schema, sample
