Cisco AnyConnect Secure Mobility Client Administrator Guide


Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.7

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this emarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2018 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Deploy AnyConnect  1
    Before You Begin Deployment  1
    AnyConnect Deployment Overview  1
    Preparing the Endpoint for AnyConnect  4
    Using Mobile Broadband Cards with AnyConnect  4
    Add the ASA to the List of Internet Explorer Trusted Sites on Windows  4
    Block Proxy Changes in Internet Explorer  5
    Configure How AnyConnect Treats Windows RDP Sessions  5
    Configure How AnyConnect Treats Linux SSH Sessions  6
    DES-Only SSL Encryption on Windows  7
    Using NVM on Linux  7
    Prerequisites to Build the AnyConnect Kernel Module  7
    Package NVM with Prebuilt AnyConnect Linux Kernel Module  8
    Predeploying AnyConnect  8
    AnyConnect Module Executables for Predeploy and Web Deploy  10
    Locations to Predeploy the AnyConnect Profiles  10
    Predeploying AnyConnect Modules as Standalone Applications  12
    Deploying Stand-Alone Modules with an SMS on Windows  12
    Deploying AnyConnect Modules as Standalone Applications  13
    User Installation of Stand-Alone Modules  13
    Predeploying to Windows  14
    Distributing AnyConnect Using the zip File  14
    Contents of the AnyConnect zip File  14
    Distributing AnyConnect Using an SMS  15
    Windows Predeployment Security Options  17
    AnyConnect Module Installation and Removal Order on Windows  17

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.7  iii

    Predeploying to macOS  18
    Install and Uninstall AnyConnect on macOS  18
    Installing AnyConnect Modules on macOS as a Standalone Application  18
    Restrict Applications on macOS  19
    Predeploying to Linux  20
    Installing Modules for Linux  20
    Uninstalling Modules for Linux  20
    Manually Installing/Uninstalling NVM on a Linux Device  20
    Initializing Server Certificate Verification with Firefox  21
    Manually Installing DART on a Linux Device  21
    Web Deploying AnyConnect  21
    Configuring Web Deployment on the ASA  23
    Browser Restrictions for WebLaunch  23
    Download the AnyConnect Package  23
    Load the AnyConnect Package on the ASA  24
    Enable Additional AnyConnect Modules  24
    Create a Client Profile in ASDM  24
    Configuring Web Deployment on ISE  25
    Prepare AnyConnect Files for ISE Upload  26
    Configure ISE to Deploy AnyConnect  27
    Configuring Web Deployment on FTD  28
    Updating AnyConnect Software and Profiles  29
    Disabling AnyConnect Auto Update  31
    Prompting Users to Download AnyConnect During WebLaunch  31
    Allowing Users to Defer Upgrade  31
    Set the Update Policy  34
    Update Policy Overview  34
    Authorized Server Update Policy Behavior  34
    Unauthorized Server Update Policy Behavior  35
    Update Policy Guidelines  36
    Update Policy Example  36
    AnyConnect Reference Information  37
    Locations of User Preferences Files on the Local Computer  37
    Port Used by AnyConnect  38

CHAPTER 2  Customize and Localize the AnyConnect Client and Installer  39
    Modify AnyConnect Installation Behavior  39
    Disable Customer Experience Feedback  39
    Modify Installation Behavior, Windows  40
    Windows Installer Properties That Customize Client Installations  40
    Windows Installer Properties for AnyConnect Modules  41
    Import a Customized Installer Transform to the Adaptive Security Appliance  43
    Localize the AnyConnect Installer Screens  44
    Import a Localized Installer Transform to the Adaptive Security Appliance  44
    Modify Installation Behavior, macOS  46
    Customize Installer Behavior on macOS with ACTransforms.xml  46
    Disable the Customer Experience Feedback Module  46
    Modify Installation Behavior, Linux  47
    Customizing Installer Behavior on Linux with ACTransform.xml  47
    Enable DSCP Preservation  47
    Set Public DHCP Server Route  48
    Customize the AnyConnect GUI Text and Messages  48
    Add or Edit the AnyConnect Text and Messages  50
    Import Translation Tables to the Adaptive Security Appliance  52
    Create Message Catalogs for Enterprise Deployment  53
    Merge New Messages into a Customized Translation Table on the ASA  54
    Select the Default Language for Windows on the Client  55
    Create Custom Icons and Logos for the AnyConnect GUI  55
    Replace AnyConnect GUI Components  56
    AnyConnect Icons and Logos for Windows  57
    AnyConnect Icons and Logos for Linux  60
    AnyConnect Icons and Logos for macOS  62
    Create and Upload an AnyConnect Client Help File  63
    Write and Deploy Scripts  63
    Write, Test, and Deploy Scripts  65
    Configure the AnyConnect Profile for Scripting  66
    Troubleshoot Scripts  66
    Write and Deploy Custom Applications with the AnyConnect API  67
    Use the AnyConnect CLI Commands  67
    Launch the Client CLI Prompt  68
    Use the Client CLI Commands  68
    Prevent a Windows Popup Message When ASA Terminates a Session  70
    Prepare AnyConnect Customizations and Localizations for ISE Deployment  71
    Prepare an AnyConnect Localization Bundle  71
    Prepare an AnyConnect Customization Bundle  72

CHAPTER 3  The AnyConnect Profile Editor  75
    About the Profile Editor  75
    Add a New Profile from ASDM  75
    The AnyConnect VPN Profile  76
    AnyConnect Profile Editor, Preferences (Part 1)  76
    AnyConnect Profile Editor, Preferences (Part 2)  79
    AnyConnect Profile Editor, Backup Servers  84
    AnyConnect Profile Editor, Certificate Matching  84
    AnyConnect Profile Editor, Certificate Enrollment  87
    AnyConnect Profile Editor, Certificate Pin  88
    Certificate Pinning Wizard  89
    AnyConnect Profile Editor, Mobile Policy  89
    AnyConnect Profile Editor, Server List  89
    AnyConnect Profile Editor, Add/Edit a Server List  90
    AnyConnect Profile Editor, Mobile Settings  92
    NVM Profile Editor  93
    The AnyConnect Local Policy  97
    Local Policy Parameters and Values  97
    Change Local Policy Parameters Manually  101
    Enable Local Policy Parameters in an MST File  101
    Enable Local Policy Parameters with the Enable FIPS Tool  102

CHAPTER 4  Configure VPN Access  103
    Connect and Disconnect to a VPN  103
    AnyConnect VPN Connectivity Options  103
    Configure VPN Connection Servers  105
    Automatically Start Windows VPN Connections Before Logon  106
    About Start Before Logon  106
    Limitations on Start Before Logon  107
    Configure Start Before Logon  107
    Troubleshoot Start Before Logon  108
    Automatically Start VPN Connections When AnyConnect Starts  109
    Configure Start Before Logon (PLAP) on Windows Systems  109
    Automatically Restart VPN Connections  109
    Use Trusted Network Detection to Connect and Disconnect  110
    About Trusted Network Detection  110
    Guidelines for Trusted Network Detection  110
    Configure Trusted Network Detection  111
    Require VPN Connections Using Always-On  113
    About Always-On VPN  113
    Limitations of Always-On VPN  113
    Guidelines for Always-On VPN  113
    Configure Always-On VPN  114
    Configure Always-On in the AnyConnect VPN Client Profile  114
    Add Load-Balancing Backup Cluster Members to the Server List  115
    Exempt Users from Always-On VPN  115
    Set a Connect Failure Policy for Always-On  116
    Use Captive Portal Hotspot Detection and Remediation  118
    About Captive Portals  118
    Configure Captive Portal Remediation  119
    Enhanced Captive Portal Remediation (Windows Only)  119
    Configure Captive Portal Remediation Browser Failover  120
    Troubleshoot Captive Portal Detection and Remediation  120
    Configure AnyConnect over L2TP or PPTP  121
    Use Management VPN Tunnel  122
    About the Management VPN Tunnel  122
    Configure the Management VPN Tunnel  124
    Configure the Tunnel Group for the Management VPN Tunnel  124
    Create a Profile for Management VPN Tunnel  124
    (Optional) Upload an Already Configured Management VPN Profile  125
    Associate the Management VPN Profile to Group Policies  125
    Configure a Custom Attribute to Support Tunnel-All Configuration  126
    Restrict Management VPN Profile Updates  126
    Troubleshoot Management VPN Tunnel Connectivity Issues  127
    Configure AnyConnect Proxy Connections  128
    About AnyConnect Proxy Connections  128
    Requirements for AnyConnect Proxy Connections  129
    Limitations on Proxy Connections  129
    Allow a Local Proxy Connection  130
    Public Proxy  130
    Configure a Public Proxy Connection, Windows  130
    Configure a Public Proxy Connection, macOS  130
    Configure a Public Proxy Connection, Linux  131
    Configure a Private Proxy Connection  131
    Configure the Client to Ignore Browser Proxy Settings  131
    Lock Down the Internet Explorer Connections Tab  131
    Verify the Proxy Settings  132
    Select and Exclude VPN Traffic  132
    Configure IPv4 or IPv6 Traffic to Bypass the VPN  132
    Configure a Client Firewall with Local Printer and Tethered Device Support  133
    About Dynamic Split Tunneling  133
    Interoperability Between Static Split Tunneling and Dynamic Split Tunneling  134
    Outcome of Overlapping Scenarios with Split Tunneling Configuration  135
    Notifications of Dynamic Split Tunneling Usage  135
    Split DNS  135
    Requirements for Split DNS  136
    Configure Split DNS  136
    Verify Split DNS Using AnyConnect Logs  137
    Check Which Domains Use Split DNS  137
    Manage VPN Authentication  137
    Important Security Considerations  137
    Configure Server Certificate Handling  137
    Server Certificate Verification  137
    Invalid Server Certificate Handling  138
    Configure Certificate-Only Authentication  141
    Configure Certificate Enrollment  141
    SCEP Proxy Enrollment and Operation  142
    Certificate Authority Requirements  142
    Guidelines for Certificate Enrollment  142
    Configure SCEP Proxy Certificate Enrollment  143
    Set Up a Windows 2008 Server Certificate Authority for SCEP  144
    Configure a Certificate Expiration Notice  145
    Configure Certificate Selection  146
    Configure Which Certificate Stores to Use  146
    Prompt Windows Users to Select Authentication Certificate  148
    Create a PEM Certificate Store for macOS and Linux  149
    Configure Certificate Matching  150
    VPN Authentication Using SAML  152
    VPN Authentication Using SDI Token (SoftID) Integration  154
    Categories of SDI Authentication Exchanges  155
    Compare Native SDI with RADIUS SDI  157
    Configure the ASA to Support RADIUS/SDI Messages  157
    About Certificate Pinning  159
    Global and Per Host Pins  160

CHAPTER 5  Configure Network Access Manager  161
    About Network Access Manager  161
    Suite B and FIPS  162
    Single Sign On "Single User" Enforcement  163
    Configure Single Sign-On Single User Enforcement  163
    Network Access Manager Deployment  163
    Disable DHCP Connectivity Testing  165
    Network Access Manager Profile  165
    Client Policy Window  165
    Authentication Policy Window  167
    Networks Window  168
    Networks, Media Type Page  169
    Networks, Security Level Page  170
    Configure an Authenticating Network  171
    Configure an Open Network  173
    Configure a Shared Key Network  173
    Networks, Network Connection Type Pane  174
    Networks, User or Machine Authentication Page  175
    EAP Overview  175
    EAP-GTC  175
    EAP-TLS  176
    EAP-TTLS  177
    PEAP Options  178
    EAP-FAST Settings  180
    LEAP Settings  181
    Define Networks Credentials  182
    Network Groups Window  187

CHAPTER 6  Configure Posture  189
    What ISE Posture Module Provides  190
    Posture Checks  190
    Any Necessary Remediation  190
    Reassessment of Endpoint Compliance  191
    Cisco Temporal Agent  192
    Posture Policy Enhancements for Optional Mode  193
    Visibility into Hardware Inventory  194
    Stealth Mode  194
    Posture Policy Enforcement  19

Step 1  In ASDM go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Step 2  Select a group policy and click Edit, or Add a new group policy.
Step 3  In the navigation pane, go to Advanced > Browser Proxy. The Proxy Server Policy pane displays.
Step 4  Click Proxy Lockdown to display more proxy settings.
Step 5  Uncheck Inherit and select either: