
Cisco AnyConnect Secure Mobility Client Administrator Guide
Published: January 13, 2011

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco AnyConnect Secure Mobility Client Administrator Guide
2011 Cisco Systems, Inc. All rights reserved.

CONTENTS

About this Guide
  Audience
  Conventions
  Related Documents
  Obtaining Documentation and Submitting a Service Request

CHAPTER 1  Introduction to the AnyConnect Secure Mobility Client
  Standalone and WebLaunch Options
  AnyConnect Licensing Options
    Network Access Manager
    Web Security
    VPN Licensing
  Configuration and Deployment Overview
  AnyConnect Secure Mobility Feature Configuration Guidelines
  API
  Installing Host Scan

CHAPTER 2  Deploying the AnyConnect Secure Mobility Client
  Introduction to the AnyConnect Client Profiles
    Creating and Editing an AnyConnect Client Profile Using the Integrated AnyConnect Profile Editor
    Deploying AnyConnect Client Profiles
      Deploying AnyConnect Client Profiles from the ASA
      Deploying Client Profiles Created by the Standalone Profile Editor
  Configuring the ASA to Web Deploy AnyConnect
    AnyConnect File Packages for ASA-Deployment
    Ensuring Successful AnyConnect Installation
      Minimizing User Prompts about Certificates
      Creating a Cisco Security Agent Rule for AnyConnect
      Adding the ASA to the Internet Explorer List of Trusted Sites for Vista and Windows 7
      Adding a Security Certificate in Response to Browser Alert Windows
      Ensuring Fast Connection Time when Loading Multiple AnyConnect Images
      Exempting AnyConnect Traffic from Network Address Translation (NAT)
    Configuring the ASA to Download AnyConnect
    Prompting Remote Users to Download AnyConnect
    Enabling Modules for Additional Features
    Enabling IPsec IKEv2 Connections
      Predeploying an IKEv2-Enabled Client Profile
  Predeploying the AnyConnect Client and Optional Modules
    Predeployment ISO Package File Information
    Predeploying to Windows Computers
      Deploying the ISO File
      Deploying the Install Utility to Users
      Required Order for Installing or Uninstalling AnyConnect Modules for Windows
      Installing Predeployed AnyConnect Modules
      Instructing Users to Install NAM and Web Security as Stand-Alone Applications
      Packaging the MSI Files for Enterprise Software Deployment Systems
      Upgrading Legacy Clients and Optional Modules
      Customizing and Localizing the Installer
    Predeploying to Linux and Mac OS X Computers
      Recommended Order for Installing or Uninstalling Modules for Linux and Mac OS X
      AnyConnect Requirements for Computers Running Ubuntu 9.x 64-Bit
      Using the Manual Install Option on Mac OS if the Java Installer Fails
    Predeploying AnyConnect 2.5 on a Windows Mobile Device
  AnyConnect File Information
    Filenames of Modules on the Endpoint Computer
    Locations to Deploy the AnyConnect Profiles
    User Preferences Files Installed on the Local Computer
  Standalone AnyConnect Profile Editor
    System Requirements for Standalone Profile Editor
      Supported Operating Systems
      Java Requirement
      Browser Requirement
      Required Hard Drive Space
    Installing the Standalone AnyConnect Profile Editor
    Modifying the Standalone AnyConnect Profile Editor Installation
    Uninstalling the Standalone AnyConnect Profile Editor
    Creating a Client Profile Using the Standalone Profile Editor
    Editing a Client Profile Using the Standalone Profile Editor
  Configuring the ASA for WSA Support of the AnyConnect Secure Mobility Solution
    Configuring a Proxy Server For Endpoint to WSA Traffic

CHAPTER 3  Configuring VPN Access
  Creating and Editing an AnyConnect Profile
  Deploying the AnyConnect Profile
  Configuring Start Before Logon
    Installing Start Before Logon Components (Windows Only)
    Start Before Logon Differences Between Windows Versions
    Enabling SBL in the AnyConnect Profile
    Enabling SBL on the Security Appliance
    Troubleshooting SBL
  Configuring Start Before Logon (PLAP) on Windows 7 and Vista Systems
    Start Before Logon Differences in Windows OSs
    Installing PLAP
    Logging on to a Windows 7 or Windows Vista PC using PLAP
    Disconnecting from AnyConnect Using PLAP
  Trusted Network Detection
    Trusted Network Detection Requirements
    Configuring Trusted Network Detection
    TND and Users with Multiple Profiles Connecting to Multiple Security Appliances
  Always-on VPN
    Always-on VPN Requirements
    Adding Load-Balancing Backup Cluster Members to the Server List
    Configuring Always-on VPN
    Configuring a Policy to Exempt Users from Always-on VPN
    Disconnect Button for Always-on VPN
      Disconnect Button Requirements
      Enabling and Disabling the Disconnect Button
    Connect Failure Policy for Always-on VPN
      Connect Failure Policy Requirements
      Configuring a Connect Failure Policy
    Captive Portal Hotspot Detection and Remediation
      Captive Portal Hotspot Detection
      Captive Portal Remediation
      Captive Portal Remediation Requirements
      Configuring Support for Captive Portal Remediation
      If Users Cannot Access a Captive Portal Page
  Client Firewall with Local Printer and Tethered Device Support
    Usage Notes about Firewall Behavior
    Deploying a Client Firewall for Local Printer Support
    Tethered Devices Support
  Configuring Certificate Enrollment using SCEP
    Provisioning and Renewing Certificates Automatically or Manually
      Automatic Certificate Requests
      Manual Certificate Retrieval
      Windows Certificate Warning
    Configuring SCEP to Provision and Renew Certificates
    Certificate Storage after SCEP Request
    Configuring the ASA to Support SCEP for AnyConnect
    Configuring Certificate Only Authentication on the ASA
  Configuring Certificate Expiration Notice
  Configuring a Certificate Store
    Controlling the Certificate Store on Windows
    Creating a PEM Certificate Store for Mac and Linux
      Restrictions for PEM File Filenames
      Storing User Certificates
  Configuring Certificate Matching
    Certificate Key Usage Matching
    Extended Certificate Key Usage Matching
    Certificate Distinguished Name Mapping
    Certificate Matching Example
  Prompting Users to Select Authentication Certificate
    Users Configuring Automatic Certificate Selection in AnyConnect Preferences
  Configuring a Server List
  Configuring a Backup Server List
  Configuring a Windows Mobile Policy
    Restrictions and Limitations
    Configuring the Mobile Policy in the Client Profile
  Configuring Auto Connect On Start
  Configuring Auto Reconnect
  Local Proxy Connections
    Local Proxy Connections Requirements
    Configuring Local Proxy Connections
  Optimal Gateway Selection
    Optimal Gateway Selection Requirements
    Configuring Optimal Gateway Selection
  Writing and Deploying Scripts
    Scripting Requirements and Limitations
    Writing, Testing, and Deploying Scripts
    Configuring the AnyConnect Profile for Scripting
    Troubleshooting Scripts
  Authentication Timeout Control
    Authentication Timeout Control Requirements
    Configuring Authentication Timeout
  Proxy Support
    Configuring the Client to Ignore Browser Proxy Settings
    Private Proxy
      Private Proxy Requirements
      Configuring a Group Policy to Download a Private Proxy
    Internet Explorer Connections Tab Lockdown
    Proxy Auto-Configuration File Generation for Clientless Support
  Allowing a Windows RDP Session to Launch a VPN Session
  AnyConnect over L2TP or PPTP
    Configuring AnyConnect over L2TP or PPTP
    Instructing Users to Override PPP Exclusion
  AnyConnect Profile Editor VPN Parameter Descriptions
    AnyConnect Profile Editor, Preferences
    AnyConnect Profile Editor, Preferences Cont
    AnyConnect Profile Editor, Backup Servers
    AnyConnect Profile Editor, Certificate Matching
    AnyConnect Profile Editor, Certificate Enrollment
    AnyConnect Profile Editor, Mobile Policy
    AnyConnect Profile Editor, Server List
    AnyConnect Profile Editor, Add/Edit Server List

CHAPTER 4  Configuring Network Access Manager (NAM)
  Introduction
  System Requirements for NAM
  Pre-deploying NAM
  Stopping and Starting NAM
  NAM Profile Editor
    Adding a New Profile
    Configuring a Client Policy
    Configuring an Authentication Policy
      EAP
    Configuring Networks
      Defining Networks Media Types
      Defining Networks Security Level
        Using Authenticating Wired Networks
        Using an Open Network
        Using a Shared Key
        Using Authenticating WiFi Networks
      Defining the Networks Connection Type
      Defining the Networks Machine or User Authentication
        Configuring EAP-GTC
        Configuring EAP-TLS
        Configuring EAP-TTLS
        Configuring PEAP Options
        Configuring EAP-FAST Settings
      Defining Networks Credentials
        Configuring User Credentials
        Configuring Machine Credentials
      Configuring Trusted Server Validation Rules
    Defining Network Groups

CHAPTER 5  Configuring Host Scan
  Host Scan Workflow
  Features Enabled with the AnyConnect Posture Module
    Prelogin Assessment
      Prelogin Policies
      Keystroke Logger Detection
      Host Emulation Detection
      Keystroke Logger Detection and Host Emulation Detection Supported Operating Systems
      Cache Cleaner
    Host Scan
      Basic Host Scan
      Endpoint Assessment
      Advanced Endpoint Assessment - Antivirus, Antispyware, and Firewall Remediation
      Host Scan Support Charts
      Configuring Antivirus Applications for Host Scan
    Integration with Dynamic Access Policies
  Difference Between the Posture Module and the Standalone Host Scan Package
  AnyConnect Posture Module Dependencies and System Requirements
    Dependencies
    Host Scan, CSD, and AnyConnect Secure Mobility Client Interoperability
    System Requirements
  Licensing
    Entering an Activation Key to Support Advanced Endpoint Assessment
  Host Scan Packaging
    Which Host Scan Image Gets Enabled When There is More than One Loaded on the ASA?
  Deploying the AnyConnect Posture Module and Host Scan
    Pre-Deploying the AnyConnect Posture Module
    Installing and Enabling Host Scan on the ASA
      Installing or Upgrading Host Scan
      Enabling or Disabling Host Scan on the ASA
      Enabling or Disabling CSD on the ASA
      Host Scan and CSD Upgrades and Downgrades
      Determining the Host Scan Image Enabled on the ASA
    Uninstalling Host Scan
      Uninstalling the Host Scan Package
      Uninstalling CSD from the ASA
    Assigning AnyConnect Posture Module to a Group Policy
  Host Scan Logging
    Configuring the Logging Level for All Posture Module Components
    Posture Module Log Files and Locations
  Using a BIOS Serial Number in a Lua Expression
    Expressing the BIOS in a Lua Expression
    Specifying the BIOS as a DAP Endpoint Attribute
    How to Obtain BIOS Serial Numbers
  Other Important Documentation

CHAPTER 6  Configuring Web Security
  System Requirements
    AnyConnect Web Security Module
    ASA and ASDM Requirements
    Requirements for Beacon Server
    System Limitations
  Licensing Requirements
    AnyConnect License
    ScanCenter License
  User Guideline for Web Security Behavior with IPv6 Web Traffic
  Installing the AnyConnect Web Security Module
  Deploying Web Security Without AnyConnect
  Creating an AnyConnect Web Security Client Profile
  Configuring ScanSafe Scanning Proxies in the Client Profile
    Updating the Scanning Proxy List
    Default Scanning Proxy Settings in a Web Security Client Profile
    Displaying or Hiding Scanning Proxies from Users
    Selecting a Default Scanning Proxy
    How Users Get Connected to Scanning Proxies
    Specifying an HTTP Traffic Listening Port
  Excluding Endpoint Traffic from Web Scanning Service
    Host Exceptions
    Proxy Exceptions
    Static Exceptions
    User Guideline for IPv6 Web Traffic
  Configuring Web Scanning Service Preferences
    Configuring User Controls and Calculating Fastest Scanning Proxy Response Time
    Configuring Beacon Server Connections for Detect-On-LAN
    Configuring Detect-On-LAN
    Configuring Authentication to the ScanSafe Scanning Proxy
    Configuring Advanced Web Security Settings
      Configuring KDF Listening Port
      Configuring Service Communication Port
      Configuring Connection Timeout
      Configuring DNS Cache Failure Lookup
      Configuring Debug Settings
  Web Security Logging
  Web Security Client Profile Files
    Exporting the Plain Text Web Security Client Profile File
    Exporting the Plain Text Web Security Client Profile File for DART Bundle
    Editing and Importing Plain Text Web Security Client Profile Files from ASDM
    Exporting the Obfuscated Web Security Client Profile File
  Installing a Standalone Web Security Client Profile
  Configuring Split-Tunneling for Web Security Traffic
  Stopping and Starting the Cisco AnyConnect Web Security Agent
    Lockdown Option
    Non-Administrators Stopping and Starting the Web Security Agent Service

CHAPTER 7  Configuring AnyConnect Telemetry to the WSA
  System Requirements
    ASA and ASDM Requirements
    AnyConnect Secure Mobility Client Module Requirements
    Requirements for Cisco IronPort Web Security Appliance Interoperability
      Enable SenderBase on Cisco IronPort Web Security Appliance
  Installing the AnyConnect Telemetry Module
    Quick-Deploy of the AnyConnect Telemetry Module
  AnyConnect Telemetry Module Interoperability
    AnyConnect VPN Module
    AnyConnect Posture Module
    Third-Party Antivirus Software
  Telemetry Activity History Repository
  Telemetry Reports
    Possible Transference of Personal Information by Telemetry Module
    Reading Telemetry Reports
  Telemetry Workflow
    URL Encryption
    Telemetry Report Encryption
  Configuring the Telemetry Client Profile
  Configuration Profile Hierarchy

CHAPTER 8  Enabling FIPS and Additional Security
  Enabling FIPS for the AnyConnect Core VPN Client
    Enabling FIPS for Windows Clients using our MST File
    Enabling FIPS and other Local Policy Parameters with your own MST File
    Enabling FIPS and Other Parameters with our Enable FIPS Tool
    Changing Local Policy Parameters Manually in the Local Policy
  Enabling Software and Profile Locks
    XML Tags for the Software and Profile Locks
    Software Lock Use Cases
    Software and Profile Lock Example
  AnyConnect Local Policy Parameters and Values
    Local Policy File Example
  Enabling FIPS for the Network Access Manager
    Enforcing FIPS Mode in NAM
    3eTI FIPS Certified Crypto Kernel Library (CKL)
      FIPS Integration
      3eTI CKL Driver Installer
      Installing the 3eTI Driver
        Important Notes
        3eTI CKL Driver Installer Overview
        Running the Installer without Using Command-Line Options
        Uninstalling Previous 3eTI Driver Software
        Silent Driver Installation for Enterprise Deployment
        Installing the Driver without a Previously Installed Network Adapter
        Manually Upgrading the 3eTI Driver Software
      Obtaining the 3eTI Driver Installer Software

CHAPTER 9  Fulfilling Other Administrative Requirements for AnyConnect
  Using Quarantine to Restrict Non-Compliant Clients
    Quarantine Requirements
    Configuring Quarantine
  Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users
  Configuring CSA Interoperability with AnyConnect and Cisco Secure Desktop

CHAPTER 10  Managing VPN Authentication
  Configuring Certificate-only Authentication
  SDI Token (SoftID) Integration
    Comparing Native SDI with RADIUS SDI
    Using SDI Authentication
    Categories of SDI Authentication Exchanges
      Normal SDI Authentication Login
      New User, Clear PIN, and New PIN Modes
      Getting a New PIN
      "Next Passcode" and "Next Token Code" Challenges
    Ensuring RADIUS/SDI Proxy Compatibility with AnyConnect
      AnyConnect and RADIUS/SDI Server Interaction
      Configuring the Security Appliance to Support RADIUS/SDI Messages

CHAPTER 11  Customizing and Localizing the AnyConnect Client and Installer
  Customizing the AnyConnect Client
    Recommended Image Format for AnyConnect 3.0 and Later
    Replacing Individual GUI Components with your Custom Components
    Deploying Executables That Use the Client API
    Customizing the GUI with a Transform
      Sample Transform
    Information for Creating your Custom Icons and Logos
    Changing the Default AnyConnect English Messages
  Localizing the AnyConnect Client GUI and Installer
    Localizing the AnyConnect GUI
      Translating using the ASDM Translation Table Editor
      Translating by Exporting the Translation Table for Editing
    Localizing the AnyConnect Installer Screens
    Using Tools to Create Message Catalogs for Enterprise Deployment
    Merging a Newer Translation Template with your Translation Table

CHAPTER 12  Managing, Monitoring, and Troubleshooting AnyConnect Sessions
  Disconnecting All VPN Sessions
  Disconnecting Individual VPN Sessions
  Viewing Detailed Statistical Information
    Viewing Statistics on a Windows Mobile Device
  Resolving VPN Connection Issues
    Adjusting the MTU Size
    Eliminating Compression to Improve VPN Performance and Accommodate Windows Mobile Connections
  Using DART to Gather Troubleshooting Information
    Getting the DART Software
    Installing DART
      Installing DART with AnyConnect
      Manually Installing DART on the Host
    Running DART on a Windows PC
  Installing the AnyConnect Client
    Installing the Log Files
      Web Install of Log Files
      Standalone Install of Log Files
  Problems Disconnecting AnyConnect or Establishing Initial Connection
  Problems Passing Traffic
  Problems with AnyConnect Crashing
  Problems Connecting to the VPN Service
  Obtaining the PC's System Information
    Obtaining a Systeminfo File Dump
    Checking the Registry File
  Conflicts with Third-Party Applications
    Adobe and Apple—Bonjour Printing Service
    AT&T Communications Manager Versions 6.2 and 6.7
    AT&T Global Dialer
    Citrix Advanced Gateway Client Version 2.2.1
    Firewall Conflicts
    Juniper Odyssey Client
    Kaspersky AV Workstation 6.x
    McAfee Firewall 5
    Microsoft Internet Explorer 8
    Microsoft Routing and Remote Access Server
    Microsoft Windows Updates
    Microsoft Windows XP Service Pack 3
    OpenVPN Client
    Load Balancers
    Ubuntu 8.04 i386
    Wave EMBASSY Trust Suite
    Layered Service Provider (LSP) Modules and NOD32 AV
      LSP Symptom 2 Conflict
      LSP Slow Data Throughput Symptom 3 Conflict
    EVDO Wireless Cards and Venturi Driver
    DSL Routers Fail to Negotiate
    CheckPoint (and other Third-Party Software such as Kaspersky)
    Performance Issues with Virtual Machine Network Service Drivers

APPENDIX A  VPN XML Reference
  Local Proxy Connections
  Optimal Gateway Selection (OGS)
  Trusted Network Detection
  Always-on VPN and Subordinate Features
    Using Always-on VPN With Load Balancing
  Start Before Logon
  AnyConnect Local Policy File Parameters and Values
  Certificate Store on Windows
    Restricting Certificate Store Use
  SCEP Protocol to Provision and Renew Certificates
  Certificate Matching
  Automatic Certificate Selection
  Backup Server List Parameters
  Windows Mobile Policy
  Auto Connect On Start
  Auto Reconnect
  Server List
  Scripting
  Authentication Timeout Control
  Ignore Proxy
  Allow AnyConnect Session from an RDP Session for Windows Users
  AnyConnect over L2TP or PPTP
  Other AnyConnect Profile Settings

APPENDIX B  Telemetry XML Reference

APPENDIX C  Communicating User Guidelines
  Responding to a TUN/TAP Error Message with Mac OS X 10.5
  64-bit Internet Explorer Not Supported
  Avoiding the Wireless Hosted Network
  Mac OS X 10.6 Sends All DNS Queries in the Clear
  Start Before Logon and DART Installation
  Responding to a Quarantine State
  Using the AnyConnect CLI Commands to Connect (Standalone Mode)
  Setting the Secure Connection (Lock) Icon
  AnyConnect Hides the Internet Explorer Connections Tab
  Using a Windows Remote Desktop
  Network Profiles with Machine-only Authentication
  Network Profiles with Machine and User Authentication
  Network Profiles with User-only Authentication
  Credential Provider on Microsoft Vista and Win7
    When GPO Configured for SSO
    SmartCard CP
    NAM CP Pre-logon Status Display
  Cipher Requirements Running Internet Explorer on Windows XP

About this Guide

This guide describes how to install the Cisco AnyConnect Secure Mobility client image onto the central-site ASA, configure AnyConnect for deployment to remote user computers, configure connection profiles and group policies on ASDM for AnyConnect, install AnyConnect onto mobile devices, and monitor and troubleshoot AnyConnect connections.

Throughout this guide, the term "ASA" applies to all models in the Cisco ASA 5500 series (ASA 5505 and higher).

Audience

This guide is for administrators who perform any of the following tasks:

- Manage network security
- Install and configure ASAs
- Configure VPNs

Conventions

This document uses the following conventions:

Convention      Indication
bold font       Commands and keywords and user-entered text appear in bold font.
italic font     Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]             Elements in square brackets are optional.
{x | y | z}     Required alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]     Optional alternative keywords are grouped in brackets and separated by vertical bars.
string          A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font    Terminal sessions and information the system displays appear in courier font.
< >             Nonprinting characters such as passwords are in angle brackets.
[ ]             Default responses to system prompts are in square brackets.
!, #            An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note        Means reader take note.
Tip         Means the following information will help you solve a problem.
Caution     Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Timesaver   Means the described action saves time. You can save time by performing the action described in the paragraph.

Related Documents

- AnyConnect Secure Mobility Client 2.5 Release Notes
- AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 2.5
- Cisco ASA 5500 Series Adaptive Security Appliances Release Notes
- Cisco ASA 5500 Series Adaptive Security Appliances Install and Upgrade Guides
- Cisco ASA 5500 Series Adaptive Security Appliances Configuration Guides
- Cisco ASA 5500 Series Adaptive Security Appliances Command References
- Cisco ASA 5500 Series Adaptive Security Appliances Error and System Messages
- Cisco Adaptive Security Device Manager Release Notes
- Cisco Adaptive Security Device Manager Configuration Guides
- Online help for ASDM
- Cisco Secure Desktop Release Notes
- Cisco Secure Desktop Configuration Guides

For Open Source License information for this product, go cts licensing information listing.html.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, w/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

CHAPTER 1
Introduction to the AnyConnect Secure Mobility Client

The Cisco AnyConnect Secure Mobility client is the next-generation VPN client, providing remote users with secure IPsec (IKEv2) or SSL VPN connections to the Cisco 5500 Series Adaptive Security Appliance (ASA). AnyConnect provides end users with a connectivity experience that is intelligent, seamless and always-on, with secure mobility across today's proliferating managed and unmanaged mobile devices.

Deployable from the ASA or from Enterprise Software Deployment Systems

AnyConnect can be deployed to remote users from the ASA or using enterprise software deployment systems. When deployed from the ASA, remote users make an initial SSL connection to the ASA by entering in their browser the IP address or DNS name of an ASA configured to accept clientless SSL VPN connections. The ASA presents a login screen in the browser window and, if the user satisfies the login and authentication, downloads the client that matches the computer operating system. After downloading, the client installs and configures itself and establishes an IPsec (IKEv2) or SSL connection to the ASA.

Customizable and Translatable

You can customize AnyConnect to display your own corporate image to remote users. You can rebrand AnyConnect by replacing our default GUI components, deploy a transform you create for more extensive rebranding, or deploy your own client GUI that uses the AnyConnect API. You can also translate messages displayed by AnyConnect or the installer program into the language preferred by the remote user.

Easily Configured

Using ASDM, you can easily configure AnyConnect features in the client profile—an XML file that provides basic information about connection setup, as well as advanced features such as Start Before Logon (SBL). For some features, you also need to configure the ASA. The ASA deploys the profile during AnyConnect installation and updates.

Additional Supported Modules

The Cisco AnyConnect Secure Mobility client, Version 3.0, integrates new modules into the AnyConnect client package:

- Network Access Manager (NAM)—Formerly called the Cisco Secure Services Client, this module provides Layer 2 device management and authentication for access to both wired and wireless networks.
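To make the client profile described above concrete, here is a minimal profile written for this page as an added example; it is not a profile shipped by Cisco or reproduced from the guide. It enables Start Before Logon and locks the setting, locks automatic updates on, and defines one server-list entry. The element names are those of the AnyConnect 3.0 profile schema (AnyConnectProfile.xsd) as the author of this example understands them, and the display name and host vpn.example.com are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the guide. Element names follow the AnyConnect 3.0
     profile schema (AnyConnectProfile.xsd); host and display names are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start Before Logon: the tunnel is established before the Windows logon,
         so domain logon scripts and group policy reach the machine.
         UserControllable="false" removes the checkbox from the client Preferences
         tab, so a user cannot silently switch SBL off. -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

    <!-- Accept client upgrades from the ASA; locked so users cannot pin an old build. -->
    <AutoUpdate UserControllable="false">true</AutoUpdate>

    <!-- Local LAN access stays off unless the user turns it on; the ASA group policy
         must also permit it for the setting to take effect. -->
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Name shown in the client's connection drop-down, and the ASA it resolves to. -->
      <HostName>Corporate VPN (placeholder)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the ASA re-deploys the profile at installation and on each update, a change made by hand on an endpoint is overwritten the next time the client connects; keep the authoritative copy on the ASA (or under version control beside it) and treat every UserControllable="false" element as policy the user cannot relax.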
