Cisco 5505 Administration Guide

Cisco 5505 - ASA Firewall Edition Bundle Manual

Cisco 5505 manual content summary:

  • Cisco 5505 | Administration Guide - Page 1
    Cisco AnyConnect VPN Client Administrator Guide Version 2.0 Updated May 12, 2010 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Customer Order Number: OL-12950-012
  • Cisco 5505 | Administration Guide - Page 2
    THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California
  • Cisco 5505 | Administration Guide - Page 3
    Support, and Security Guidelines 10 Licensing 10 Introduction 1 AnyConnect Client Features 1 Remote User Interface 2 Getting and Installing the Files You Need 7 CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop 7 Common AnyConnect VPN Client Installation and Configuration
  • Cisco 5505 | Administration Guide - Page 4
    Desktop Support 15 CHAPTER 6 Configuring AnyConnect Features Using CLI 1 Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections 1 Enabling DTLS Globally for a Specific Port 2 Enabling DTLS for Specific Groups or Users 2 Prompting Remote Users 2 Enabling IPv6 VPN
  • Cisco 5505 | Administration Guide - Page 5
    1 Using the AnyConnect CLI Commands to Connect (Standalone Mode) 1 Connecting Using WebLaunch 3 User Log In and Log Out 4 Logging In 4 Logging Out 4 Configuring and Using User Profiles 4 Enabling AnyConnect Client Profile Downloads 5 Configuring Profile Attributes 10 Enabling Start Before Logon (SBL
  • Cisco 5505 | Administration Guide - Page 6
    Contents APPENDIX B INDEX Sample AnyConnect Profile Schema 3 Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users 1
  • Cisco 5505 | Administration Guide - Page 7
    help you configure the Cisco AnyConnect VPN Client parameters on the security appliance. This guide does not cover every feature, but describes only the most common configuration scenarios. You can configure and monitor the security appliance by using either the command-line interface or ASDM, a web
  • Cisco 5505 | Administration Guide - Page 8
    and on the remote user PCs. Chapter 3, "Installing the AnyConnect Client and Configuring the Security Appliance with ASDM" Describes how to use ASDM to install the Cisco AnyConnect VPN Client on the security appliance. Chapter 4, "Installing the Describes how to use the command-line interface to
  • Cisco 5505 | Administration Guide - Page 9
    can push to remote users a group policy that adds the security appliance to the list of trusted sites in Internet Explorer. Document Conventions Command descriptions use these conventions: • Braces ({ }) indicate a required choice. • Square brackets ([ ]) indicate optional elements. • Vertical bars
  • Cisco 5505 | Administration Guide - Page 10
    Support, and Security Guidelines About This Guide Obtaining Documentation, Obtaining Support, and Security Guidelines For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents
  • Cisco 5505 | Administration Guide - Page 11
    is primarily on Windows PC users. AnyConnect Client Features The Cisco AnyConnect VPN Client is the next-generation VPN client, providing remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance running ASA version 8.0 and higher or ASDM 6.0 and higher. It
  • Cisco 5505 | Administration Guide - Page 12
    Remote users see the Cisco AnyConnect VPN Client user interface (Figure 1-1). The Connection tab provides a drop-down list of profiles for connecting to remote systems. You can optionally configure a banner message to appear on the Connection tab. The status line at the bottom of the interface shows
  • Cisco 5505 | Administration Guide - Page 13
    Remote User Interface Figure 1-1 Cisco AnyConnect VPN Client User Interface, Connection Tab If you do not have certificates set up, you might see the dialog box shown in Figure 1-2. When you see this dialog box, click Yes to connect. Figure 1-2 Security Alert Dialog Box Note Note: Most users
  • Cisco 5505 | Administration Guide - Page 14
    appears again. For detailed information and examples of instances in which the remote user does or does not see the Security Alert dialog box, see Adding a Security Certificate in Response to Browser Security Alert Windows, page 2-4.
  • Cisco 5505 | Administration Guide - Page 15
    Remote User Interface Figure 1-3 shows the Statistics tab, including current connection information. Figure 1-3 Cisco AnyConnect VPN Client User Interface, Statistics Tab Clicking the Details tab shows Statistics Details window (Figure 1-4). The Statistics tab in the Statistics Details window
  • Cisco 5505 | Administration Guide - Page 16
    Figure 1-4 Cisco AnyConnect VPN Client User Interface, Statistics Tab, Statistics Details Tab Clicking the Route Details tab (Figure 1-5) shows the secured and non-secured routes for this connection. Figure 1-5 Cisco AnyConnect VPN Client User
  • Cisco 5505 | Administration Guide - Page 17
    the user interface and define the names and addresses of host computers. CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop If your remote users have Cisco Security Agent (CSA) installed, you must import new CSA policies to the remote users to enable the AnyConnect VPN Client
  • Cisco 5505 | Administration Guide - Page 18
    policy and generate rules. For more information, see the CSA document Using Management Center for Cisco Security Agents 5.2. Specific information about exporting policies is located in the section Exporting and Importing Configurations.
  • Cisco 5505 | Administration Guide - Page 19
    software on the ASA5500 using the Adaptive Security Device Manager (ASDM) or the CLI command interface. It also describes how to install the AnyConnect client on a user's PC and how to enable AnyConnect client features after installation. WebLaunch Mode Without a previously-installed client, remote
  • Cisco 5505 | Administration Guide - Page 20
    Command Line Configuration Guide. For detailed descriptions of the commands referred to in this administrator's guide, see the Cisco ASA 5500 Command Reference Guide for version 8.0 or later. The security appliance loads the client based on the group policy or username attributes of the user
  • Cisco 5505 | Administration Guide - Page 21
    important for users of Windows XP SP2 with enhanced security. Windows Vista users must add the security appliance to the list of trusted sites in order to use the dynamic deployment feature. Refer to the following sections for instructions. AnyConnect Client and New Windows Installations In
  • Cisco 5505 | Administration Guide - Page 22
    on a client in response to the browser alert windows. Connecting to this security appliance. A remote user using standalone mode might see a Security Alert dialog box in several possible login situations. The following examples and scenarios show some instances. After these descriptions, you'll
  • Cisco 5505 | Administration Guide - Page 23
    authority; for example, their own certificate authority or cacert.org. The user sees the Security Alert pop-up on the first connection attempt but never thereafter until he or she switches to a different security appliance and back.
  • Cisco 5505 | Administration Guide - Page 24
    't been configured. When at default, the security appliance generates a self-signed server certificate that the AnyConnect client does not trust. The user sees the Security Alert pop-up on the first connection attempt but never thereafter until he or she switches to a different security appliance
  • Cisco 5505 | Administration Guide - Page 25
    commands, replacing x.x.x.x with the IP of your security appliance outside or public address: crypto ca trustpoint self enrollment self subject-name CN=x.x.x.x,CN=vpn.yoursys.com crl configure crypto ca enroll self ssl trust-point self outside write When users first connect using AnyConnect
  • Cisco 5505 | Administration Guide - Page 26
    -system-specific download sites. Double-click the MSI file. The welcome screen for the Cisco AnyConnect VPN Client Setup Wizard displays. Click Next. The End-User License Agreement displays. Accept the license agreement and click OK. The Select Installation Folder screen displays. Accept the default
  • Cisco 5505 | Administration Guide - Page 27
    boots. After installing the client, you can start the client manually from the user interface with the Linux command /opt/cisco/vpn/bin/vpnui or with the client CLI command /opt/cisco/vpn/bin/vpn. Installing the AnyConnect Client on a PC Running MAC OSX The AnyConnect client image for MAC OSX is
  • Cisco 5505 | Administration Guide - Page 29
    consists of copying a client image to the security appliance and identifying the file to the security appliance as a client image. With multiple clients, you must also assign the order in which the security appliance loads the clients to the remote PC. Note The AnyConnect client configuration uses
  • Cisco 5505 | Administration Guide - Page 30
    in the flash memory of the security appliance, you can enter the name of the image in the Flash SVC Image field, and click OK. The SSL VPN Client Settings panel now shows the AnyConnect client images you identified (Figure 3-3).
  • Cisco 5505 | Administration Guide - Page 31
    list. Enable the security appliance to download the AnyConnect client to remote users. Go to Network (Client) Access > SSL VPN Connection Profiles. The SSL VPN Connection Profiles panel appears (Figure 3-4). Check Enable Cisco AnyConnect VPN Client or legacy SSL VPN client access on the interfaces
  • Cisco 5505 | Administration Guide - Page 32
    Figure 3-4 Enable SSL VPN Client Check Box Step 6 Configure a method of address assignment. You can use DHCP, and/or user-assigned addressing. You can also create a local IP address pool and assign the
  • Cisco 5505 | Administration Guide - Page 33
    Figure 3-5 Add IP Pool Dialog Enter the name of the new IP address pool. Enter the starting and ending IP addresses, and enter the subnet mask and click OK.
  • Cisco 5505 | Administration Guide - Page 34
    . To add a new connection profile, click Add. The Add SSL VPN Connection > Basic dialog box appears, which is identical to the Edit dialog box, except that you must supply a name for the connection profile. Then proceed as follows.
  • Cisco 5505 | Administration Guide - Page 35
    Click Select in the Client Address Assignment area. The Select Address Pool dialog box appears (Figure 3-7), containing available address pools. Select a pool. The pool you select appears in the Assign
  • Cisco 5505 | Administration Guide - Page 36
    The Edit Internal Group Policy dialog appears (Figure 3-8): Figure 3-8 Edit Internal Group Policy, General Tab Check the SSL VPN Client check box to include SSL VPN as a tunneling protocol.
  • Cisco 5505 | Administration Guide - Page 37
    Step 9 Configure SSL VPN attributes for a user or group. To display SSL VPN features for groups, in the navigation pane of the Internal Group Policy dialog, choose Advanced > SSL VPN Client. The SSL VPN Client features
  • Cisco 5505 | Administration Guide - Page 38
    the AnyConnect Client uses to configure the connection entries that appear in the client user interface, including the names and addresses of host computers. • Optional Client Module to Download-Specify any modules that the AnyConnect client needs to download to enable more features, such as Start
  • Cisco 5505 | Administration Guide - Page 39
    :/cdisk71 319662 bytes copied in 3.695 secs (86511 bytes/sec) Identify a file on flash as an SSL VPN client package file using the svc image command from webvpn configuration mode: svc image filename order The security appliance expands the file in cache memory for downloading to remote PCs. If you
  • Cisco 5505 | Administration Guide - Page 40
    SVC image - increase disk space via the 'cache-fs' command, use the cache-fs limit command to adjust the size of cache memory: Step 3 Check the status of the clients using the show webvpn svc command: hostname(config-webvpn)# show webvpn svc 1. disk0:/anyconnect-win-2.0.0343-k9.pkg 1 CISCO STC
  • Cisco 5505 | Administration Guide - Page 41
    can also specify other protocols to permit by adding the names of those protocols to this command. For more information about the vpn-tunnel-protocol command, see the command description in Cisco Security Appliance Command Reference.
  • Cisco 5505 | Administration Guide - Page 42
    Groups, Group Policies, and Users" in Cisco Security Appliance Command Line Configuration Guide. Disabling Permanent Client Installation Disabling permanent AnyConnect client installation enables the automatic uninstalling feature of the client. The client on the remote computer uninstalls at the
  • Cisco 5505 | Administration Guide - Page 43
    E R Configuring AnyConnect Features Using ASDM The AnyConnect client includes the following features, which you configure on the security appliance: • Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections, page 5-1 • Prompting Remote Users, page 5-4 • Enabling IPv6 VPN
  • Cisco 5505 | Administration Guide - Page 44
    default value is port 443. Configuring DTLS If DTLS is configured and UDP is interrupted, the remote user's connection automatically falls back from DTLS to TLS. The default is enabled; however, DTLS is not enabled by default on any individual interface. Enabling DTLS allows the AnyConnect client
  • Cisco 5505 | Administration Guide - Page 45
    Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client Figure 5-2 shows an example of configuring the DTLS setting for an internal group policy. Figure 5-2 Enabling or Disabling DTLS Note When using the AnyConnect client with DTLS on security
  • Cisco 5505 | Administration Guide - Page 46
    Prompting Remote Users To enable the security appliance to prompt remote AnyConnect VPN client users to download the client, select Configuration > Device Management > Users/AAA > User Accounts > Add or Edit. The Add or
  • Cisco 5505 | Administration Guide - Page 47
    to Remote Users for SSL VPN Client Download Enabling IPv6 VPN Access The AnyConnect client allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). You must use the command-line interface to configure IPv6; ASDM does not support IPv6
  • Cisco 5505 | Administration Guide - Page 48
    Figure 5-5 Optional Client Module to Download In the case of Start Before Logon, you must also enable the feature in the XML profile. For a list of values to enter for each AnyConnect client feature, see the Release Notes for the Cisco AnyConnect VPN Client. Configuring, Enabling, and
  • Cisco 5505 | Administration Guide - Page 49
    with the Basic option selected. In the Authentication area, select only Certificate as the Method. Figure 5-6 Configuring Certificate-Only Authentication, Edit SSL VPN Dialog Box To make this feature take effect, you must also enable AnyConnect client access on particular interfaces and ports, as
  • Cisco 5505 | Administration Guide - Page 50
    area, select the check box Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interfaces selected in the table below. Then select the check boxes for the interfaces on which you want to enable access. Specify the Access Port. The default access port is 443. If you want
  • Cisco 5505 | Administration Guide - Page 51
    VPN connections is enabled on the security appliance, both at the global level and for specific groups or users. For broadband connections, compression might result in poorer performance. By default, if you have not changed the compression setting globally, compression is enabled. You can configure
  • Cisco 5505 | Administration Guide - Page 52
    • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client • Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client Figure 5-9 shows an
  • Cisco 5505 | Administration Guide - Page 53
    or Edit > Add or Edit Internal Group Policy > Advanced > SSL VPN Client • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client
  • Cisco 5505 | Administration Guide - Page 54
    • Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client Figure 5-10 shows an example of configuring the keepalive messages
  • Cisco 5505 | Administration Guide - Page 55
    • Configuration > Remote Access VPN > Network (Client) Access > AAA Setup > Local Users > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Key Regeneration • Device Management > Users/AAA > User Accounts
  • Cisco 5505 | Administration Guide - Page 56
    Device Management > Users/AAA > User Accounts > Add or Edit > Add or Edit User Account > VPN Policy > SSL VPN Client > Dead Peer Detection Figure 5-12 shows an example of configuring the Dead Peer Detection setting for an internal group policy.
  • Cisco 5505 | Administration Guide - Page 57
    access policies, see Cisco ASDM User Guide, Cisco Security Appliance Command Line Configuration Guide, or Cisco Security Appliance Command Reference. Cisco Secure Desktop Support Cisco Secure Desktop validates the security of client computers requesting access to your SSL VPN, helps ensure they
  • Cisco 5505 | Administration Guide - Page 58
    Windows XP. There is no specific configuration of AnyConnect required to use Secure Desktop. For detailed information about configuring Cisco Secure Desktop, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators (Software Release 3.2).
  • Cisco 5505 | Administration Guide - Page 59
    T E R Configuring AnyConnect Features Using CLI The AnyConnect client includes the following features, which you configure on the security appliance: • Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections, page 6-1 • Prompting Remote Users, page 6-2 • Enabling IPv6 VPN
  • Cisco 5505 | Administration Guide - Page 60
    (config-group-webvpn)# svc dtls enable Prompting Remote Users You can enable the security appliance to prompt remote AnyConnect VPN client users to download the client with the svc ask command from group policy webvpn or username webvpn configuration modes: [no] svc ask {none | enable [default
  • Cisco 5505 | Administration Guide - Page 61
    configures the security appliance to prompt the remote user to download the client or go to the WebVPN portal page and to wait 10 seconds for user response before downloading the client: hostname(config-group-webvpn)# svc ask enable default svc timeout 10 Enabling IPv6 VPN Access The AnyConnect
  • Cisco 5505 | Administration Guide - Page 62
    'address-pool' command). Step 4 Configure an IPv6 Tunnel Default Gateway: ipv6 route inside ::/0 X:X:X:X::X tunneled Enabling Modules for Additional AnyConnect Features As new features are released for the AnyConnect client, you must update the AnyConnect clients of your remote users for them to
  • Cisco 5505 | Administration Guide - Page 63
    default, compression for all SSL VPN connections is enabled on the security appliance, both at the global level and for specific groups or users. For broadband connections, compression might result in poorer performance. You can configure compression globally using the compression svc command from
  • Cisco 5505 | Administration Guide - Page 64
    Windows 2000 and Windows XP. There is no specific configuration of AnyConnect required to use Secure Desktop. For detailed information about configuring Cisco Secure Desktop, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators (Software Release 3.2). Enabling
  • Cisco 5505 | Administration Guide - Page 65
    for fallback to occur. To enable DPD on the security appliance or client for a specific group or user, and to set the frequency with which either the security appliance or client performs DPD, use the svc dpd-interval command from group-policy or username webvpn mode: svc dpd-interval {[gateway
  • Cisco 5505 | Administration Guide - Page 66
    command to remove the command from the configuration and cause the value to be inherited: In the following example, the security appliance is configured to enable the client to send keepalive messages with a frequency of 300 seconds (5 minutes), for the existing group-policy sales: hostname(config
  • Cisco 5505 | Administration Guide - Page 67
    and enters the username and password credentials into the fields of the AnyConnect GUI. Depending on how you configure the system, the user might also be required to select a group. When the connection is established, the security appliance checks the version of the client on the user's PC and, if
  • Cisco 5505 | Administration Guide - Page 68
    from the command line: Windows connect 209.165.200.224 Establishes a connection to a security appliance with the address 209.165. 200.224. After contacting the requested host, the AnyConnect client displays the group to which the user belongs and asks for the user's username and password. If you
  • Cisco 5505 | Administration Guide - Page 69
    user then enters the username and password information on a Logon screen and selects the group and clicks submit. If you have specified a banner, that information appears, and the user acknowledges the banner by clicking Continue. The portal window appears. To start the AnyConnect client, the user
  • Cisco 5505 | Administration Guide - Page 70
    Note For Windows Vista users who use the Internet Explorer browser, you must add the security appliance to the list of trusted sites, as described in Adding a Security Appliance to
  • Cisco 5505 | Administration Guide - Page 71
    \Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl Follow these steps to edit profiles and use ASDM to enable the security appliance to download them to remote clients:
  • Cisco 5505 | Administration Guide - Page 72
    .225 To identify to the security appliance the client profiles file to load into cache memory, select Configuration > Remote Access VPN > Network (Client) Access > Advanced > Client Settings (Figure 7-1).
  • Cisco 5505 | Administration Guide - Page 73
    Figure 7-1 Adding or Editing an AnyConnect VPN Client Profile In the SSL VPN Client Profiles area, click Add or Edit. The Add or Edit SSL VPN Client Profiles dialog box appears
  • Cisco 5505 | Administration Guide - Page 74
    . Click OK in the Add or Edit SSL VPN Client dialog box. This makes profiles available to group policies and username attributes of client users. To configure a profile for a group policy, select Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Select an existing group
  • Cisco 5505 | Administration Guide - Page 75
    a profile for a user, select Configuration > Device Management > Users/AAA > User Accounts. Select an existing username and click Edit or click Add to configure a new username. In the navigation pane, select VPN Policy > SSL VPN Client. To modify an existing user's profile, select that user from the
  • Cisco 5505 | Administration Guide - Page 76
    Figure 7-5 Add or Edit User Account Dialog Box (Username) Step 7 Step 8 Deselect Inherit and select a Client Profile to Download from the drop-down list or click New to specify a new client profile. If
  • Cisco 5505 | Administration Guide - Page 77
    , the AnyConnect client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. To enable new features, such as Start Before Logon (SBL), you must specify the module name using the svc modules command from group policy webvpn or username
  • Cisco 5505 | Administration Guide - Page 78
    You must also specify on the security appliance that you want to allow SBL (or any other modules for additional features). See the description in the section Enabling Modules for Additional AnyConnect Features, page 5-5 (ASDM
  • Cisco 5505 | Administration Guide - Page 79
    Configuring 15 shows how you might configure client to those matching the specified criteria and criteria match conditions. Table 7-4 lists the supported criteria:
  • Cisco 5505 | Administration Guide - Page 80
    Table 7-4 Criteria for Certificate Distinguished Name Appendix A, "Sample AnyConnect Profile and XML Schema," for an example.
  • Cisco 5505 | Administration Guide - Page 81
    Certificate Matching Example The following example shows how to enable the attributes that you can use to refine client >
  • Cisco 5505 | Administration Guide - Page 83
    user interface that the remote user sees upon logging in. You customize the AnyConnect Client user interface by replacing files that affect the interface with your own, custom files. For example, with a Windows installation, you can change the company logo from the default Cisco logo by replacing
  • Cisco 5505 | Administration Guide - Page 84
    under the disconnect button when the client is connected. Icon that replaces login fields on various authentication/certificate warnings. Mac OS X icon file format that is used for all icon services, such as Dock, Sheets, and Finder.
  • Cisco 5505 | Administration Guide - Page 85
    Cisco AnyConnect VPN Client. Messages for the Cisco Secure Desktop (CSD). Messages on the logon and logout pages, portal page, and all the messages customizable by the user. Banners displayed to remote users and messages when VPN access is denied. Messages displayed to Port Forwarding users. Text
  • Cisco 5505 | Administration Guide - Page 86
    this pane, you can configure language translation tables that the security appliance uses to translate titles and messages associated with the portal page, the AnyConnect VPN client user interface, Cisco Secure Desktop, and plug-ins.
  • Cisco 5505 | Administration Guide - Page 87
    Figure 8-1 Language Localization Pane Customizing the End-user Experience Fields • Add-Launches the Add Localization Entry dialog The template on which the table is based.
  • Cisco 5505 | Administration Guide - Page 88
    a translation table in cache memory with the name you specify. Use an abbreviation that is compatible with the language options for your browser. For below shows the message Connected, with the Spanish text in the msgstr field: msgid "Connected"
  • Cisco 5505 | Administration Guide - Page 89
    AnyConnect VPN Client, the first user message to appear does not correctly translate, because that message is missing from the AnyConnect message catalog in the AnyConnect.po template. You retrieve AnyConnect.po from the security msgid "Please enter your username and password." msgstr "" The message
  • Cisco 5505 | Administration Guide - Page 90
    for the Cisco Secure Desktop (CSD). - customization-Messages on the logon and logout pages, portal page, and all the messages customizable by the user. - keepout-Message displayed to remote users when VPN access is denied. - PortForwarder-Messages displayed to Port Forwarding users. - url-list
  • Cisco 5505 | Administration Guide - Page 91
    Service, which is displayed on the portal page when a Clientless user establishes a VPN connection. The complete template contains many pairs of message fields: # Copyright (C) 2007 by Cisco Systems, Inc. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: ASA\n" "Report-Msgid-Bugs-To: support@cisco
  • Cisco 5505 | Administration Guide - Page 92
    hostname# import webvpn translation-table customization language es-us tftp://209.165.200.225/portal hostname hostname# show import webvpn translation-table Translation Tables' Templates: AnyConnect PortForwarder
  • Cisco 5505 | Administration Guide - Page 93
    help for your browser for specific information about multiple language support. The tag specifies the language that the remote user first encounters when connecting to the security appliance. In the example code above, the language is English. Figure 8-4 shows the login page and
  • Cisco 5505 | Administration Guide - Page 94
    command. The following example shows the customization object sales enabled in the group policy sales: hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-webvpn)# customization value sales Note With the AnyConnect VPN Client, the first user
  • Cisco 5505 | Administration Guide - Page 95
    ASDM, page 9-2 • Logging Off AnyConnect Client Sessions, page 9-3 • Updating AnyConnect Client and SSL VPN Client Images, page 9-4 Viewing AnyConnect Client and SSL VPN Sessions You can view information about active sessions using the show vpn-sessiondb command in privileged EXEC mode: show vpn
  • Cisco 5505 | Administration Guide - Page 96
the Maximum Transmission Unit size (from 256 to 1406 bytes) for SSL VPN connections established by the AnyConnect Client by using the svc mtu command from group policy webvpn or username webvpn configuration mode: [no] svc mtu size
  • Cisco 5505 | Administration Guide - Page 97
    , both the client and the security appliance use the lower value that was set using the MTU configuration command. Logging Off AnyConnect Client Sessions To log off all AnyConnect Client and SSL VPN sessions, use the vpn-sessiondb logoff svc command in global configuration mode: vpn-sessiondb logoff
  • Cisco 5505 | Administration Guide - Page 98
command that is in the configuration. If the new filenames are different, uninstall the old files using the no svc image command. Then use the svc image command to assign an order to the images and cause the security appliance to load the new images.
  • Cisco 5505 | Administration Guide - Page 99
    sample of a Cisco AnyConnect VPN Client Profile XML file. This file is intended to be maintained by a Secure Gateway administrator and then distributed with the client software. The xml file based on this schema can be distributed to clients at any time. The distribution mechanisms supported are as
  • Cisco 5505 | Administration Guide - Page 100
    some cases (e.g. BackupServerList) host specific overrides are possible. -->
  • Cisco 5505 | Administration Guide - Page 101
="HostEntry"> This is the data needed to attempt a connection to a specific host.
  • Cisco 5505 | Administration Guide - Page 102
    information used to manage the Cisco VPN client software. This file is intended to be maintained by a Secure Gateway administrator and then distributed with the client software. The xml file based on this schema can be distributed to clients at any time. The distribution mechanisms supported are as
  • Cisco 5505 | Administration Guide - Page 103
" default="pinAllowed" minOccurs="0"> If user is enables the definition of various attributes that can be used to refine client certificate selection.
  • Cisco 5505 | Administration Guide - Page 104
> This section contains the list of hosts the user will be able to select from. client certificates.
  • Cisco 5505 | Administration Guide - Page 105
>Certificate Extended Key attributes that can be used for choosing acceptable client certificates. 1.3.6.1.5.5.7.3.6
  • Cisco 5505 | Administration Guide - Page 106
    matching allows for exact match criteria in the choosing of acceptable client certificates.
  • Cisco 5505 | Administration Guide - Page 107
Name Name Name
  • Cisco 5505 | Administration Guide - Page 108
Company Department Title Issuer Dn
  • Cisco 5505 | Administration Guide - Page 109
="1"/>
  • Cisco 5505 | Administration Guide - Page 110
enabled for this definition enables the Start Before Logon feature
  • Cisco 5505 | Administration Guide - Page 111
disables the Start Before Logon feature.
  • Cisco 5505 | Administration Guide - Page 112
  • Cisco 5505 | Administration Guide - Page 113
    Read and the Apply Group Policy check boxes in the Allow column. Click OK. Click Edit. Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Security. Right-click Security Zones and Content Ratings in the right-hand pane and click Properties. Select Import the current
  • Cisco 5505 | Administration Guide - Page 114
the Security Appliance that you want to add to the list of Trusted Sites and click Add. The format can contain a hostname (https://vpn.mycompany snap-in window)s. Allow sufficient time for the policy to propagate throughout the domain or forest.
  • Cisco 5505 | Administration Guide - Page 115
Security) 1 connection 1 enabling 1 fallback to TLS 2 dynamic access policies 2, 15, 6 E Edit Internal Group Policy dialog 8 Edit SSL VPN Connection dialog 6 end-user interface customizing 1 extended certificate key usage matching 13 F fallback from DTLS to TLS 2 configuring with ASDM 2
  • Cisco 5505 | Administration Guide - Page 116
    AnyConnect Mac OSX 9 Windows PC 8 interface customizing 1 user 2 Internet Explorer adding security appliance to trusted sites 3 adding security appliance to trusted sites using AD 1 IPv6 VPN access 2 access, enabling with ASDM 5 access, enabling with CLI 3 K keepalive messages 11, 8 configuring
  • Cisco 5505 | Administration Guide - Page 117
    attributes, configuring 11 downloading 5 user 4 profile, AnyConnect 1 prompting remote users 4, 2 R rekey 2 remote user, prompting 4, 2 Route Details tab 6 S SBL (start before login) 2 schema, XML 1 Security Alert dialog box 3 See also AnyConnect Client. See also SSL VPN Client Select Address
  • Cisco 5505 | Administration Guide - Page 118
, AD 1 trusted sites IE requirement, individual 4 WebLaunch mode 1 Windows AnyConnect CLI commands 1 Windows PC, installing AnyConnect 8 Windows Vista trusted sites requirement 4, 1 X XML profile file 5 XML schema, sample 1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco AnyConnect VPN Client
Administrator Guide
Version 2.0
Updated May 12, 2010
Customer Order Number: OL-12950-012