Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.1. First published: 2014 05 04. Last modified: 2015 05 22. Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.1


  • 2015 Cisco Systems, Inc. All rights reserved.

  • AnyConnect 1

    AnyConnect 1

    AnyConnect 2

    AnyConnect 2

    Windows ASA Internet Explorer 3

    Internet Explorer 3

    AnyConnectWindows RDP 4

    Windows DES SSL 6

    AnyConnect 6

    AnyConnect 7

    AnyConnect 8

    AnyConnect 9

    Windows SMS 9

    10

    10

    Windows 11

    ISO AnyConnect 11

    AnyConnect ISO 11

    SMS AnyConnect 12

    WindowsMSI 12

    Windows 14

    Windows AnyConnect 14

    Mac OS X 15

    Mac OS X AnyConnect 15

    Mac OS X 15

    Mac OS X 16

    Linux 16

    Cisco AnyConnect 4.1 iii

  • Linux 16

    Linux 17

    Firefox 17

    Linux DART 18

    AnyConnect 18

    ASA 19

    WebLaunch 19

    AnyConnect 20

    ASA AnyConnect 20

    AnyConnect 20

    ASDM 21

    ISE 21

    AnyConnect ISE 22

    ISE AnyConnect 23

    AnyConnect 24

    AnyConnect 25

    WebLaunch AnyConnect 26

    26

    ASA 26

    ISE 27

    GUI 28

    28

    28

    29

    29

    30

    31

    AnyConnect 32

    32

    AnyConnect VPN 32

    AnyConnect 35

    AnyConnect 35


  • 35

    (Windows) 36

    Windows 36

    AnyConnectWindows 37

    38

    AnyConnect 39

    AnyConnect 40

    40

    (Mac OSX) 42

    ACTransforms.xmlMac OS X 42

    42

    (Linux) 43

    ACTransform.xml Linux 43

    AnyConnect GUI 43

    AnyConnect 45

    47

    47

    ASA 48

    Windows 49

    AnyConnect GUI 49

    AnyConnect GUI 50

    Windows AnyConnect 51

    Linux AnyConnect 54

    Mac OS X AnyConnect 56

    AnyConnect 57

    58

    59

    AnyConnect 61

    61

    AnyConnect API 62

    AnyConnect ISE 63

    AnyConnect 63


  • AnyConnect 64

    AnyConnect 67

    67

    AnyConnect 67

    ASDM 68

    68

    AnyConnect 69

    70

    AnyConnect VPN 70

    AnyConnect 1 71

    AnyConnect 2 73

    AnyConnect 77

    AnyConnect 77

    AnyConnect 80

    AnyConnect 81

    AnyConnect 82

    AnyConnect/ 82

    AnyConnect 84

    84

    87

    MST 87

    FIPS 88

    VPN 91

    VPN 91

    AnyConnect VPN 91

    VPN 93

    Windows VPN 94

    94

    95

    95

    AnyConnect 95

    AnyConnect SBL 96


  • 97

    AnyConnect VPN 97

    Windows (PLAP) 97

    PLAP 98

    PLAPWindows PC 98

    PLAP AnyConnect 99

    VPN 99

    100

    100

    100

    101

    VPN 102

    VPN 102

    VPN 103

    VPN 103

    VPN 104

    AnyConnect VPN 104

    104

    VPN 105

    106

    106

    106

    107

    108

    108

    108

    109

    L2TP PPTP AnyConnect 109

    PPP 110

    AnyConnect 111

    AnyConnect 111

    AnyConnect 112


  • 112

    112

    112

    Windows 113

    Mac 113

    Linux 113

    113

    114

    Internet Explorer Connections 114

    115

    VPN 115

    IPv4 IPv6 VPN 115

    116

    116

    DNS 116

    DNS 116

    DNS 116

    AnyConnect DNS 117

    DNS 117

    VPN 118

    118

    118

    118

    119

    122

    122

    SCEP 123

    SCEP 123

    124

    124

    SCEP 125

    SCEP VPN 125


  • ASA SCEP 125

    SCEP 126

    SCEP VPN 126

    ASA SCEP 127

    SCEPWindows 2008 127

    SCEP 127

    SCEP 128

    129

    129

    Windows 130

    Windows 131

    Mac Linux PEM 132

    133

    133

    133

    134

    134

    SDI (SoftID) VPN 136

    SDI 137

    SDI RADIUS SDI 138

    ASA RADIUS/SDI 139

    141

    141

    B FIPS 142

    142

    143

    143

    144

    (Client Policy) 144

    (Authentication Policy) 146

    (Networks) 147

    (Networks)(Media Type) 148


  • (Networks)(Security Level) 149

    149

    802.1X Settings 149

    Security 150

    Port Authentication Exception Policy 151

    151

    151

    152

    NetworksNetwork Connection Type 153

    NetworksUser or Machine Authentication 153

    EAP 154

    EAP-GTC 154

    EAP-TLS 155

    EAP-TTLS 155

    EAP-TTLS 156

    PEAP 157

    PEAP 158

    EAP-FAST 158

    EAP-FAST 159

    LEAP 160

    160

    160

    163

    164

    Network Groups 165

    167

    ISE 168

    168

    168

    169

    170

    VLAN 170

    AnyConnect ISE 171


  • ISE 171

    173

    173

    173

    OPSWAT 174

    ASA 174

    HostScan 174

    175

    175

    175

    HostScan 176

    176

    DAP BIOS 176

    BIOS DAP 177

    BIOS 177

    ASA HostScan 177

    ISE 177

    179

    181

    181

    182

    182

    183

    183

    184

    185

    HTTP(S) 185

    Windows Internet 186

    187

    187

    188

    188


  • 189

    190

    191

    192

    193

    KDF 194

    194

    / 195

    DNS 195

    196

    196

    196

    196

    196

    DART 197

    ASDM 197

    197

    198

    198

    Cisco AnyConnect 199

    Windows 199

    Mac OS X 200

    200

    AMP 201

    AMP 201

    AMP 201

    AMP 202

    AMP 202

    FIPS 203

    FIPSNGE AnyConnect 203

    AnyConnect FIPS 204

    AnyConnect FIPS 204


  • AnyConnect FIPS 205

    AnyConnect FIPS 205

    AnyConnect VPN FIPS 206

    AnyConnect VPN FIPS 206

    Windows FIPS 206

    FIPS 207

    FIPS 207

    FIPS 208

    Cisco AnyConnect 209

    209

    AnyConnect 211

    AnyConnect 211

    AnyConnect VPN 211

    AnyConnect VPN 212

    212

    212

    213

    214

    FIPS B 215

    Windows Phone AnyConnect 216

    Windows 10Windows Phone 8.1 AnyConnect 216

    ASA VPN 216

    AnyConnect VPN 218

    AnyConnect 218

    Anyconnect 220

    AnyConnect 223

    223

    223

    DART 224

    225

    Systeminfo 225

    225


  • AnyConnect 225

    AnyConnect 226

    AnyConnect 226

    AnyConnect 227

    VPN 228

    VPN 228

    229

    VPNMicrosoft Windows 229

    VPN 230

    230

    VPNVA.sys 230

    vpnagent.exe 230

    / 231

    231

    AnyConnect 231

    .log .dmp 231

    vpndownloader AnyConnect (LSP) NOD32

    AV 232

    AT&T 232

    232

    Microsoft Internet Explorer 232

    (Certified by an Unknown Authority) 232

    232

    233

    Juniper Odyssey 233

    Odyssey 233

    ASA (Kaspersky AV Workstation 6.x) 234

    UDP DTLS (McAfee Firewall 5) 234

    Microsoft 234

    / 234

    234

    AnyConnect (Wave EMBASSY Trust Suite) 234


  • 235

    Bonjour 235

    TUNOpenVPN 235

    WinsockLSP 2 235

    LSP 3 235

    SSL 235

    DPDEVDO Venturi 236

    DTLSDSL 236

    NETINTERFACE_ERRORCheckPoint Kaspersky 236

    236

    237


  • 1 AnyConnect

    AnyConnect 1

    AnyConnect 2

    AnyConnect 6

    AnyConnect 18

    AnyConnect 24

    AnyConnect 32

    AnyConnect AnyConnect AnyConnect

    Cisco AnyConnect

    - (SMS)

    - AnyConnectASA ISE ASA ISEAnyConnect

    AnyConnect

    AnyConnectAnyConnectASA

    AnyConnect VPN

    ASAIOSMicrosoft WindowsLinuxMac OS X Cisco AnyConnect 4.1


    http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/release/notes/b_Release_Notes_AnyConnect_4_1.html

  • AnyConnect

    AnyConnect ISE 1.3 ASA

    ASA - ASA AnyConnectAnyConnectASA AnyConnectAnyConnect VPN

    ISE 1.3 - (NAD) ASANAD ISEAnyConnect VPN

    AnyConnect

    (SMS)Windows

    -AnyConnectWindows ISOMac OS X DMG Linux gzip

    AnyConnecthttp://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-feature-guides-list.html

    AnyConnect

    AnyConnect

    AnyConnect AnyConnect

    AnyConnect

    AnyConnect

    AnyConnect ISE (OPSWAT)

    AnyConnect

    AnyConnect 3G AnyConnectVZAccess Manager

    (LAN adapter auto connect)NDISNDIS VZAccess VZAccess


    http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-feature-guides-list.html

  • AnyConnectAnyConnect3G AnyConnect

    WiFiAnyConnect

    Windows ASA Internet Explorer Active Directory ASA Internet Explorer Internet Explorer

    1 Windows

    2 Active DirectoryMMC

    3 Properties 4 Group Policy New 5 Enter 6 Properties Security

    Allow Read Apply Group Policy OK 7 EditUserConfiguration> Windows Settings> Internet ExplorerMaintenance> Security 8 Security Zones and Content Ratings Properties 9 Import the current security zones and privacy settings Continue 10 Modify Settings Trusted Sites Sites 11 URL Add

    (https://vpn.mycompany.com) IP (https://192.168.1.100) (https://vpn.mycompany.com) (https://*.mycompany.com)

    12 Close OK 13

    14 Internet OK

    Internet Explorer AnyConnectInternet Explorer Tools > Internet Options > Connections

    ASA Connections


  • ASA

    Windows Connections ASA

    1 ASDMConfiguration > RemoteAccess VPN > Network (Client) Access > Group Policies 2 Edit Add 3 Advanced > Browser Proxy Proxy Server Policy 4 Proxy Lockdown 5 Inherit

    YesAnyConnect Internet ExplorerConnections

    NoAnyConnect Internet ExplorerConnections

    6 OK 7 Apply

    AnyConnect Windows RDP AnyConnectWindows RDP VPN RDP Cisco AnyConnect VPN RDPVPN VPN


  • SBL

    Single Local Logon- VPN

    PC VPN VPN

    VPN VPNPCVPN

    VPN

    Single Logon - VPN

    VPN VPN VPN VPN VPN

    Windows LogonEnforcement

    Local Users Only-VPNAnyConnect

    AllowRemoteUsers -VPN VPN VPN PC

    VPNVPN 90

    Windows VPNEstablishment

    VPN AnyConnect VPN


  • Windows DES SSL Windows DES SSL ASA DESAnyConnect DES ASA DES SSL

    AnyConnectSMSAnyConnectAnyConnect

    AnyConnect AnyConnect 8

    VPNAnyConnect

    AnyConnect ISE ISE

    1 AnyConnect AnyConnect cisco.com

    AnyConnect

    anyconnect-win--pre-deploy-k9.isoWindows

    anyconnect-macosx-i386--k9.dmgMac OS X

    anyconnect-predeploy-linux-64--k9.tar.gzLinux64

    Linux

    2

    AnyConnect VPN

    Cisco AnyConnect

    AnyConnect


  • AnyConnect ISE

    AnyConnect AMP

    AnyConnect

    AnyConnect VPN

    AnyConnect

    AnyConnect

    AnyConnect

    ASDM PCWindows PCWindows

    3 AnyConnect

    4 AnyConnect

    5 AnyConnectASA ISE AnyConnect

    AnyConnect AMPISEWindows

    1

anyconnect-nam-win-x.x.x-k9.msi

    anyconnect-nam-win-x.x.x-k9.msi

    anyconnect-websecurity-win-x.x.x-pre-deploy-k9.msianyconnect-websecurity-win-x.x.x-web-deploy-k9.exe

    anyconnect-iseposture-win-x.x.x-pre-deploy-k9.msianyconnect-iseposture-win-x.x.x-web-deploy-k9.msiISE

    anyconnect-amp-win-x.x.x-pre-deploy-k9.msianyconnect-amp-win-x.x.x-web-deploy-k9.exeAMP


  • Windows 2008R2 AnyConnectWLANPC

    AnyConnect

    2AnyConnect

    AnyConnectanyfilename.xml

    XMLAnyConnectAnyConnectProfile.xsd

    3

    %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile VPN

    Windows 78.x

    %ProgramData%\Cisco\ Cisco AnyConnect Secure MobilityClient\NetworkAccessManager\newConfigFiles

    %ProgramData%\Cisco\ Cisco AnyConnect Secure Mobility Client\WebSecurity

    %ProgramData%\Cisco\ Cisco AnyConnect Secure MobilityClient\CustomerExperienceFeedback

    %PROGRAMFILES%\Cisco\Cisco AnyConnect Secure MobilityClient\opswat

    OPSWAT

    %ProgramData%\Cisco\CiscoAnyConnect SecureMobility Client\ISEPostureISE

    %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\AMPEnabler

    AMP


  • /opt/cisco/anyconnect/profile

    Mac OS X

    /opt/cisco/anyconnect/CustomerExperienceFeedback

    /opt/cisco/anyconnect/bin

    /opt/cisco/anyconnect/lib/opswaOPSWAT

    /opt/cisco/anyconnect/lib

    /Applications/Cisco/Cisco AnyConnect Secure MobilityClient.app/Contents/Resources/

    /opt/cisco/anyconnect/iseposture/ISE

    /opt/cisco/anyconnect/ampenabler/AMP

    /opt/cisco/anyconnect/profileLinux

    AnyConnect AnyConnectVPN AnyConnect UI

    Windows SMS

1 (SMS)MSI PRE_DEPLOY_DISABLE_VPN=1 VPN msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive

    PRE_DEPLOY_DISABLE_VPN=1 /lvx*

    MSI VPNDisable_ServiceProfile.xml VPN

    2 CLI


  • msiexec /package anyconnect-websecurity-win--pre-deploy-k9.msi /norestart /passive

    /lvx* c:\test.log

3 DART msiexec /package anyconnect-dart-win--k9.msi /norestart /passive /lvx* c:\test.log

    4 Windows

    5 Cisco AnyConnectWindows

    AnyConnectDART

    VPNDisable_ServiceProfile.xmlVPNAnyConnect

    ISO

    1 AnyConnect AnyConnect

    2 Cisco AnyConnect VPN Module VPN VPN

    3 LockDownComponentServicesWindows

    4 VPN AnyConnect GUI Install Selecteda) /b) OK PRE_DEPLOY_DISABLE_VPN=1AnyConnect


  • c) VPN VPNDisable_ServiceProfile.xmld) e) VPN

    Windows

    ISO AnyConnectISO AnyConnectMSI ISO (setup.exe)AnyConnect ISO ISOHTA

    ISO CD SlySoft PowerIS

    ISO

    ISO

    HTA

    AnyConnect ISO

    AnyConnectGUI.ico

    Setup.exe

    DARTMSIanyconnect-dart-win-x.x.x-k9.msi

    SBL SBLanyconnect-gina-win-x.x.x-pre-deploy-k9.msi

    ISEMSIanyconnect-iseposture-win-x.x.x-pre-deploy-k9.msi

    AMP EnablerMSIanyconnect-amp-win-x.x.x-pre-deploy-k9.msi

    MSIanyconnect-nam-win-x.x.x.msi

    MSIanyconnect-posture-win-x.x.x-pre-deploy-k9.msi

    MSIanyconnect-websecurity-win-x.x.x-pre-deploy-k9.msi

    AnyConnectMSIanyconnect-win-x.x.x-pre-deploy-k9.msi


  • setup.exeautorun.inf

    eula.html

    HTML (HTA)

    setup.hta

    SMS AnyConnect ISO (*.msi)

    2-24 SMS AnyConnect

    Windows AnyConnect AlwaysInstallElevatedWindows(UAC)AnyConnect

    Microsoft Internet Explorer (MSIE) Java ActiveX

    MSIMSI ProfilesCCOMSI

    SMSAltiris

    Windows MSI

msiexec /package anyconnect-win-x.x.x-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx*

    anyconnect-win-x.x.x-pre-deploy-k9-install-datetimestamp.log

    VPNAnyConnect


  • msiexec /package anyconnect-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-win-x.x.x-pre-deploy-k9-install-datetimestamp.log VPNAnyConnect

msiexec /package anyconnect-win-x.x.x-pre-deploy-k9.msi /norestart /passive DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK=1 /lvx*

    anyconnect-win-x.x.x-pre-deploy-k9-install-datetimestamp.log

    msiexec /package anyconnect-dart-win-x.x.x-k9.msi /norestart /passive /lvx*

    anyconnect-dart-x.x.x-pre-deploy-k9-install-datetimestamp.log(DART)

    msiexec /package anyconnect-gina-win-x.x.x-k9.msi /norestart /passive /lvx*

    anyconnect-gina-x.x.x-pre-deploy-k9-install-datetimestamp.log

    SBL

    msiexec /package anyconnect-nam-win-x.x.x-k9.msi /norestart /passive /lvx*

    anyconnect-nam-x.x.x-pre-deploy-k9-install-datetimestamp.log

msiexec /package anyconnect-websecurity-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-websecurity-x.x.x-pre-deploy-k9-install-datetimestamp.log

msiexec /package anyconnect-posture-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-posture-x.x.x-pre-deploy-k9-install-datetimestamp.log

    ASA

msiexec /package anyconnect-iseposture-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-iseposture-x.x.x-pre-deploy-k9-install-datetimestamp.log

    ISE

msiexec /package anyconnect-amp-win-x.x.x-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-amp-x.x.x-pre-deploy-k9-install-datetimestamp.log

    AMP

    AnyConnect Windows

    Windows (_)Windows VPNsampleTransforms-x.x.x.zip


  • Windows Cisco AnyConnect

    Windows AnyConnect

    Windows

    MSI (LOCKDOWN)WindowsMSI ISO

    / AnyConnect

    AnyConnectWindows/(Add/Remove Program)ARPSYSTEMCOMPONENT=1Windows/(Add/Remove Program)

    MSI

    Windows AnyConnect

    AnyConnect

    1 AnyConnect GUI VPNSSL IPsec

    2 AnyConnect (DART) AnyConnect

    3 AMPSBL

    4 AMP SBL

    5 AnyConnect

    6 DARTDART


  • AnyConnect XML

    Mac OS X

    Mac OS X AnyConnectMac OS X AnyConnect DMG AnyConnect DMG AnyConnect.pkgInstallation Type

    AnyConnectApple pkgutil ACTransforms.xml Cisco AnyConnect 4.1

    Mac OS X VPN VPN AnyConnect UI

    DMG AnyConnect AnyConnect

    1 ScanCenter Cisco.com Cisco AnyConnect DMG

    2

    3 hdiutil convert -format UDRW -o

    4 Windows

    5

    6 WebSecurity_ServiceProfile.xmlWebSecurity_ServiceProfile.wso WebSecurity_ServiceProfile.xml

    7 WebSecurity_ServiceProfile.wsoWindows AnyConnectx.x.x/Profiles/websecurityMac OS Xcp \Volumes\"AnyConnect "\Profiles\websecurity\


    http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1.html

  • 8 Mac OS X AnyConnect x.x.x/Profiles TextEditACTransforms.xml True VPN

    True

    9 Cisco.com Cisco AnyConnect x.x.xVPNDisable_ServiceProfile.xml AnyConnect AnyConnect AnyConnect x.x.x/profiles/vpn

    10 AnyConnect DMG

    Mac OS X MacOSX 10.8Gatekeeper

    Mac App Store

    Mac App Store

    Mac(Mac App Store and identified developers)

    AnyConnect AppleMac App StoreGatekeeper(Anywhere)Ctrl AnyConnecthttp://www.apple.com/macosx/mountain-lion/security.html

    Linux

    Linux Linux tar.gz


  • 1 AnyConnect GUI VPNSSL IPsec

    2 DART AnyConnect

    3

    Linux AnyConnect

    DART

    1

    2 AnyConnect

    3 DART

    Firefox AnyConnect AnyConnectAnyConnect Firefox

    Firefox

    Linux AnyConnect AnyConnect FirefoxFirefox

    Firefox

    Firefox Firefox PEM

    WindowsMSI 12

    VPN


  • VPN AMP

    Linux DART1 anyconnect-dart-linux-(ver)-k9.tar.gz 3.0.3050 DART anyconnect-linux-(ver)-k9.pkg

    2 tar -zxvf

  • URL Internet ExplorerWindows ASA Internet Explorer

    ISE

    ISE AnyConnect ISE AnyConnect ISE AnyConnect InternetExplorerActiveX AnyConnect

    ISE

    ISE ASA AnyConnect

    ISEAnyConnect ISE ISEISE(Agent Configuration) >(Policy) >(Client Provisioning) NAC AnyConnect ISE

    ASA

    WebLaunch

    4 Weblaunch AnyConnect

    Internet Explorer 10

    Firefox 9.0.1

    Chrome 23.0.1271.95 m

Windows 8.x, x86 (32-bit) and x64 (64-bit)

    Internet Explorer 8 9

    Firefox 3

    Google Chrome 6

Windows 7, x86 (32-bit) and x64 (64-bit)

    Safari 2

    Google Chrome 6

Mac OS X 10.7, 10.8 (32-bit and 64-bit)

    Firefox 3Linux64 VPN


  • AnyConnect Cisco AnyConnect Cisco AnyConnect

    AnyConnect

    anyconnect-win-x.x.x-k9.pkgWindows

    anyconnect-macosx-i386-x.x.x-k9.pkgMac OS X

    anyconnect-linux-64-x.x.x-k9.pkgLinux64

    ASA

    ASA AnyConnect

    1 Configuration > Remote Access > VPN > Network (Client) Access > AnyConnect ClientSoftwareAnyConnect ASA AnyConnect ASA

    2 AnyConnect Add

    Browse Flash ASA AnyConnect

    Upload AnyConnect

    3 OK Upload 4 Apply

    AnyConnect

    AnyConnect VPN

    Start Before Logon AnyConnect


    http://www.cisco.com/cgi-bin/tablebuild.pl/anyconnect

  • 1 ASDMConfiguration > RemoteAccess VPN > Network (Client) Access > Group Policies 2 Edit Add 3 VPN Policy > AnyConnect Client Client Modules to Download

    Add ASA 4 Apply

    ASDM AnyConnect ASA ASA

    1 Configuration >Remote Access VPN >Network (Client) Access >AnyConnect Client Profile 2 Change Group Policy 3 Change Policy for Profile Available Group Policies

    Policies

    4 OK 5 AnyConnect Client Profile Apply 6 Save 7 OK

    ISE ISE AnyConnectISE OPSWAT ISEISE ASA AnyConnect ISE

    ISE ASA ASA AnyConnect VPNAnyConnect ISE ASA AnyConnect ISE

    ISE ASA AnyConnect ISE AnyConnect AnyConnect ISE AnyConnect

    ISE AnyConnect


  • Internet Explorer ISE Anyconnect AnyConnect

    ISE (NSA) NSA ISE Anyconnect

    NSAWindowsMac OS X

    ISE

    ISE AnyConnect

    AnyConnect ISE

    AnyConnect

    AnyConnect

    ISE AnyConnect

    AnyConnect ISE

    AMPVPN AnyConnect ISE

    AnyConnect gettext

    Windows Installer

    AnyConnect ISE

    AnyConnect PC AnyConnect

    AnyConnect ISE

    ZIP ISE

    AnyConnect UI

    VPN


  • AnyConnect

    AnyConnect Gettext

    AnyConnect ISE ISE

    ISE AnyConnect AnyConnect ISE AnyConnect

    ISE AnyConnectAnyConnect(AnyConnect ModuleSelection) VPN/ VPNVPNDisable_ServiceProfile.xml AnyConnect GUI VPNVPNDisable_ServiceProfile.xml AnyConnect CCO

    1 ISE (Policy) > (Policy Elements) > (results)(Client Provisioning) (Resources) (Resources)

    2 (Add) > (Agent resources from local disk) AnyConnect AnyConnect

    3 Add > AnyConnect Configuration AnyConnect/ Opswat

    ISEASAWindows AnyConnect AnyConnect ISE ISE AnyConnect

    5ISE AnyConnect

    ISE

    AnyConnectDesktopWindows

    AnyConnectDesktopOSX

    AnyConnectWebAgentWindows

    AnyConnectWebAgentOSX

    AnyConnect

    AnyConnectComplianceModuleWindows

    AnyConnectComplianceModuleOSX


  • ISE

    AnyConnectProfile

    ISE AnyConnect

    AnyConnect

    AnyConnectCustomizationBundle

    AnyConnectLocalizationBundle

    4 AnyConnect ISE NAC/MACAnyConnect NAC/MAC AnyConnect 2 AnyConnect

    AnyConnect AnyConnect

    AnyConnect - AnyConnect ASAAnyConnect ASAAnyConnect VPN

    ASA - ASA

    ISE - ISEISE AnyConnect

    ISE (DACL) ASA ISE AnyConnect

    ISE ASA

    AnyConnect

    1 AnyConnect(Connect)

    2 ASA SSL ISEISE


  • 3 AnyConnect AnyConnect VPN

    ASA ISE

    1 DACL ISE AnyConnect

    2 Internet ExplorerActiveXAnyConnect (NSA) AnyConnect

    3 AnyConnect ISE AnyConnect AnyConnect ISE

    4 ISE

    AnyConnect

    1 ASA

    2 ISE

    3 AnyConnect Internet Explorer ActiveX Java

    4 AnyConnect ASA VPN

    ASA ISE

    1 ISE AnyConnect

    2 Internet ExplorerActiveX AnyConnect AnyConnect

    3 AnyConnectVPN ISEAnyConnectISE

    4 ISE

    AnyConnect AnyConnect

    VPN

    Auto UpdateAnyConnect

    VPN

    Bypass Downloader ASA

    Update Policy


  • WebLaunch AnyConnectASA AnyConnect

    AnyConnect

    1 ASDMConfiguration > RemoteAccess VPN > Network (Client) Access > Group Policies 2 Edit Add 3 Advanced > AnyConnect Client > Login Settings Inherit

    Post Login Default Post Login Selection

    4 OK Save

    AutoUpdateAnyConnectAnyConnectAutoUpdate

    (DeferredUpdate)(DeferredUpdate)AnyConnectWindowsLinux OS X Deferred Upgrade

    ASA

    ASA

    ASA ASA/ASDM ASA/ASDM Cisco ASA VPN ASDM Cisco ASA VPN CLI

    ASDM

    *

    True(false)

    Falsetruefalse

    DeferredUpdateAllowed


  • *

    AnyConnect

    VPN

    0.0.0x.x.xDeferredUpdateMinimumVersion

    DeferredUpdateMinimumVersion

    DeferredUpdateDismissResponse

    1500 - 300

    DeferredUpdateDismissTimeout

    DeferredUpdateDismissTimeout

    DeferredUpdateDismissResponse

    *

    ISE

    1 Policy > Resultsa)b) Client Provisioningc) Resources Add > Agent Resources from Local Disk


  • d) AnyConnect pkg Submit

    2 AnyConnect

    3 Resources AnyConnect AnyConnect ConfigurationAnyConnectConfiguration

    GUI

    DeferredUpdateDismissTimeout

    AnyConnectAnyConnectVPN

    (Server Name)AnyConnect

    FQDN IP*.example.com

    (Allow Software Updates FromAny Server) VPN

    VPN (Allow VPN Profile Updates From AnyServer) VPN

    (Allow Service Profile Updates From AnyServer)

    ISE (Allow ISE Posture ProfileUpdates From Any Server) ISE

    (AllowComplianceModuleUpdatesFromAnyServer)


  • (Server Name)

    AnyConnect

    AnyConnect

    AnyConnect

    AnyConnect

    VPNISE

    (Allow ... Updates From Any Server) AnyConnect

    (Allow Software Updates From Any Server)

    ASA

    VPN

    VPN (Allow VPN Profile Updates From Any Server)

    VPNVPN

    VPNVPN VPN

    (Allow Service Profile Updates From Any Server)


  • ISE (Allow ISEPosture ProfileUpdates FromAny Server)

    ISE ISE ISE

    ISEISE ISE

    (AllowComplianceModuleUpdates FromAnyServer)

    ISE

    (Server Name) IP IP IP FQDN

    VPN VPN VPN

    VPN

    DNS

    DNS

    VPNPPP

    VPN

    (UpdateHistory.log) ASA


  • %AllUsers%\Application Data\Cisco\Cisco AnyConnect Secure MobilityClient\Logs

    AnyConnect ASA

    VPN XML

    falsefalsefalsefalsefalsefalse

    truetruetruefalsetrue

    seattle.example.comnewyork.example.com

    ASA

    AnyConnect ASA

    VPN 3.1.05182seattle.example.com

    VPN 3.1.06079newyork.example.com

    VPN 3.1.07021raleigh.example.com

    AnyConnect VPN

    seattle.example.comAnyConnect VPN VPN

    newyork.example.com AnyConnectASAVPN

    raleigh.example.com ASAVPN VPN


  • VPN

    AnyConnect

    AnyConnectAnyConnect GUI Preferences

    AnyConnect Start Before Logon AutoConnect OnStart

    C:\Users\username\AppData\Local\Cisco\ Cisco AnyConnect VPN Client \preferences.xml

    Windows

    C:\ProgramData\Cisco\CiscoAnyConnect VPNClient\ preferences_global.xml

    /Users/username/.anyconnectMac OS X

    /opt/cisco/anyconnect/.anyconnect_global

    /home/username/.anyconnectLinux

    /opt/cisco/anyconnect/.anyconnect_global

    AnyConnect VPN Cisco VPN Cisco AnyConnect

    Cisco AnyConnect

    TCP 443TLS (SSL)

    TCP 80SSL

    UDP 443DTLS

    UDP 500UDP 4500IPsec/IKEv2


  • Cisco VPN (IPsec)

    UDP 500UDP 4500IPsec/NATT

    UDP 500UDP 4500IPsec/NATT

    TCPIPsec/TCP

    UDP 500UDP XIPsec/UDP


  • 2 AnyConnect

    AnyConnect 35

    AnyConnect GUI 43

    AnyConnect GUI 49

    AnyConnect 57

    58

    AnyConnect API 62

    AnyConnect ISE 63

    AnyConnect

    Web AnyConnect Web SSLSSL AnyConnect AnyConnect(StartAnyConnect)

    -(Enable CustomerExperience Feedback Service)


  • MST - sampleTransforms-X.X.xxxxx.zipanyconnect-win-disable-customer-experience-feedback.mst

    (Windows)Windows AnyConnect

    - msiexecWeb

    -Microsoft OrcaOrcaMicrosoft Windows Installer (SDK)Microsoft Windows SDKWindows SDKhttp://msdn.microsoft.comWindows SDK

    Web(Configuration)>VPN(RemoteAccessVPN)>(Network (Client) Access) >AnyConnect/(AnyConnectCustomization/Localization) >(Customized Installer Transforms)Web

    ISO setup.hta HTML

    AnyConnect

    Windows Windows AnyConnectMicrosoftWindows

    MTU - VPN (RESET_ADAPTER_MTU) 1WindowsMTU

    Windows - Cisco AnyConnect

    AnyConnect

    VPNMSI (LOCKDOWN)LOCKDOWNWindowsMSICiscoAnyConnect


  • AMP VPN

    ActiveX - AnyConnect VPNVPNWebLaunch ActiveX AnyConnect 3.1 VPN ActiveX

    AnyConnectVPN ActiveXAnyConnect NOINSTALLACTIVEX=0 msiexec

    AnyConnect/(Add/RemoveProgram) -AnyConnectWindows/(Add/Remove Program) ARPSYSTEMCOMPONENT=1

    MSI Cisco AnyConnect

    AnyConnect Windows MSI

msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx*

    anyconnect-win--pre-deploy-k9-install-datetimestamp.log

    VPNAnyConnect

    msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-win--pre-deploy-k9-install-datetimestamp.log VPNAnyConnect

msiexec /package anyconnect-win-ver-pre-deploy-k9.msi /norestart /passive DISABLE_CUSTOMER_EXPERIENCE_FEEDBACK=1 /lvx*

    anyconnect-win--pre-deploy-k9-install-datetimestamp.log

    msiexec /package anyconnect-dart-win-ver-k9.msi /norestart /passive /lvx*

    anyconnect-dart--pre-deploy-k9-install-datetimestamp.log(DART)

    msiexec /package anyconnect-gina-win-ver-k9.msi /norestart /passive /lvx*

    anyconnect-gina--pre-deploy-k9-install-datetimestamp.log

    SBL


  • msiexec /package anyconnect-nam-win-ver-k9.msi /norestart /passive /lvx*

    anyconnect-nam--pre-deploy-k9-install-datetimestamp.log

msiexec /package anyconnect-websecurity-win-ver-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-websecurity--pre-deploy-k9-install-datetimestamp.log

msiexec /package anyconnect-posture-win-ver-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-posture--pre-deploy-k9-install-datetimestamp.log

msiexec /package anyconnect-amp-win-ver-pre-deploy-k9.msi /norestart /passive /lvx*

    anyconnect-amp--pre-deploy-k9-install-datetimestamp.log

    AMP

    Windows

    1 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnectCustomization/Localization > Customized Installer Transforms

    2 Import Import AnyConnect Customization Objects


  • 3 ASA

    4 Import Now

    AnyConnect

    company_logo.bmpMyProfile.xml

DATA CHANGE - Component (columns: Component, ComponentId, Directory_, Attributes, Condition, KeyPath)

    + MyProfile.xml, {39057042-16A2-4034-87C0-8330104D8180}, Profile_DIR, 0, (none), MyProfile.xml

    DATA CHANGE - FeatureComponents (columns: Feature_, Component_)

    + MainFeature, MyProfile.xml

    DATA CHANGE - File (columns: File, Component_, FileName, FileSize, Version, Language, Attributes, Sequence)

    + MyProfile.xml, MyProfile.xml, MyProf~1.xml|MyProfile.xml, 601, (none), (none), 8192, 35

    company_logo.bmp: FileSize 37302 {was 39430}, Attributes 8192 {was 0}

    DATA CHANGE - Media (columns: DiskId, LastSequence, DiskPrompt, Cabinet, VolumeLabel, Source)

    + 2, 35


  • AnyConnect AnyConnectASAMSI GUI

    AnyConnectAnyConnect AnyConnect cisco.com

    OrcaASA

    30 cisco.comAnyConnect .zip

    anyconnect-win--web-deploy-k9-lang.zip

    AnyConnect 3.1.xxxxx

    .mst30 ASAMicrosoftOrcaOrcaMicrosoftWindows (SDK)Microsoft Windows SDK

    ASDM ASA

    1 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnectCustomization/Localization > Localized Installer Transforms

    2 Import Import MST Language Localization


  • 3 Language

    4 Import Now

    5 Apply

    (ES) LanguagesAnyConnect


  • (Mac OSX)

    AnyConnectMacAnyConnect

    ACTransforms.xml Mac OS X Mac OS X .pkg ACTransforms.xml XML

    1 .pkgProfile2 Profile3 .dmgProfile

    XML

    ValueValue

    OS X ACTransforms.xml DisableVPNACTransforms.xml DMG Profiles

    Mac OS X

    1 hdiutil dmg/hdiutil convert anyconnect-macosx-i386-ver-k9.dmg -format UDRW -o anyconnect-macosx-i386-ver-k9-rw.dmg

    2 ACTransforms.xmlfalse

    (Linux)

    ACTransform.xml Linux Linux .pkg ACTransforms.xml XML

    .pkgProfile

    Profile

    .dmgProfile

    Profiles XML ACTransforms.xml

    ValueValue

    AnyConnect GUI (ASA) AnyConnect ASDMWindows

    Windows www.cisco.com

    Windows

    Windows

    WindowsAnyConnectAnyConnectASAAnyConnectASA AnyConnect www.cisco.com 47

    )

    GUI

    AnyConnect ID

    47(Save to File) ASDM

    ASA

    ASAAltirisGettext AnyConnect (anyconnect.po) .mo .mo

    AnyConnect

    /

    UI

    AnyConnect ID AnyConnect GUI

    Save to File ASDM

    1 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages

    2 Add Add Language Localization Entry

    3 Language (en)

    4 Edit Edit Language Localization Entrymsgidmsgstr msgid msgstr

    Call your network administrator at 800-553-2447

    5 OK Apply

    1 www.cisco.com

    2 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages

    3 Import Import Language Localization Entry 4

    5

    6 Import Now AnyConnectAnyConnect

    AnyConnect

    ASA Altiris AgentGettextAnyConnect .po.mo

    GettextGNUGNUgnu.orgGUIGettext Poeditpoedit.net Gettext

    AnyConnectAnyConnect

    \l10n l ("el")10 n

    Windows - :\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\l10n\\LC_MESSAGES

    Mac OS X Linux -/opt/cisco/anyconnect/l10n//LC_MESSAGES

    1 http://www.gnu.org/software/gettext/ Gettext Gettext

    2 AnyConnect AnyConnect AnyConnect.po

    3 AnyConnect.po notepad.exe

    4 Gettext .po .momsgfmt -o AnyConnect.mo AnyConnect.po

    5 .mo

    ASA AnyConnect

    GNU GettextWindows GNU gnu.org GUI Gettext Poeditpoedit.net

    AnyConnectASA

    1 Remote Access VPN > Language Localization > Templates AnyConnect AnyConnect.pot msgmerge.exe

    2 AnyConnectWindows Gettext AnyConnect (.po) (.pot) AnyConnect_merged.po

    msgmerge -o AnyConnect_merged.po AnyConnect.po AnyConnect.pot

    C:\Program Files\GnuWin32\bin> msgmerge -o AnyConnect_merged.po AnyConnect.po AnyConnect.pot

    ....................................... done.

    Poedit AnyConnect.po File > Open > POT Catalog > Update Poedit Update Summary

    3 Remote Access VPN > Language Localization Import AnyConnect AnyConnect_merged.po

    Windows ASAAnyConnect

    Windows

    1 Control Panel > Region and Languages Clock,Language, and Region > Change display language

    2 /

    3

    AnyConnectfr-caAnyConnectfr

    AnyConnect GUI AnyConnect AnyConnect VPN

    AnyConnect GUIMac LinuxWindows company_logo.png AnyConnectGUI

    company_logo.bmp AnyConnect company_logo.bmp

    http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac06websecurity.html

    AnyConnect GUI AnyConnect

    1 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Resources

    2 ImportImport AnyConnect Customization Objects

    3

    4 Import Now

    Windows AnyConnect Windows

    %PROGRAMFILES%\Cisco\Cisco AnyConnect Secure Mobility Client\res\

    %PROGRAMFILES% Windows C:\Program Files

    x

    Windows

    24 x 24

    PNG

    about.png

    (Advanced)(About)

    24 x 24

    PNG

    about_hover.png

    (Advanced)(About)

    128 x 128

    PNG

    app_logo.png

    128 x 128 128 x128


    16 x 16

    ICO

    attention.ico

    97 x 58

    PNG

    company_logo.png

    (Advanced)

    97 x 58 97 x 58

    97 x 58

    PNG

    company_logo_alt.png

    About

    97 x 58 97 x 58

    1260 x 1024

    JPEG

    cues_bg.jpg

    (Advanced)(About)


    16 x 16

    ICO

    error.ico

    16 x 16

    ICO

    neutral.ico

    16 x 16

    ICO

    transition_1.ico

    transition_2.ico transition_3.ico VPN3

    16 x 16

    ICO

    transition_2.ico

    transition_1.ico transition_3.ico VPN3


    16 x 16

    ICO

    transition_3.ico

    transition_1.ico transition_2.ico VPN3

    16 x 16

    ICO

    vpn_connected.ico

    VPN

    Linux AnyConnect Linux

    /opt/cisco/anyconnect/pixmaps/

    GUI

    x

    Linux

    142 x 92

    PNG

    company-logo.png

    AnyConnect 3.0 62x33 PNG


    16 x 16

    PNG

    CVCabout.png

    About

    16 x 16

    PNG

    cvc-connect.png

    (Connect)(Connection)

    16 x 16

    PNG

    CVCdisconnect.png

    (Connection)

    16 x 16

    PNG

    CVCinfo.png

    (Statistics)

    16 x 16

    PNG

    systray_connected.png

    16 x 16

    PNG

    systray_notconnected.png


    16 x 16

    PNG

    systray_disconnecting.png

    16x16

    PNG

    systray_quarantined.png

    16 x 16

    PNG

    systray_reconnecting.png

    48 x 48

    PNG

    vpnui48.png

    Mac OS X AnyConnect OS X

    /Cisco AnyConnect Secure Mobility Client/Contents/Resources

    GUI

    x Mac OS X

    142 x 92

    PNG

    bubble.png

    50 x 33

    PNG

    logo.png

    128 x 128

    ICNS

    vpngui.icns

    Mac OS X

    16 x 16

    PNGMac OS X

    AnyConnect AnyConnectAnyConnectAnyConnectAnyConnect PDF HTML

    1 help_AnyConnect.html HTML

    2 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Binary

    3 help_AnyConnect.xxxPDFHTMLHTMMHT 4 PC AnyConnect PC

    UI

    5 AnyConnect

    help_AnyConnect.html

    Windows - C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Help

    Mac OS X - /opt/cisco/anyconnect/help

    AnyConnect

    VPN OnConnect

    VPN OnDisconnect

    VPNOnConnect VPN OnConnect

    VPN

    VPN

    VPN

    AnyConnectWebLaunch

    AnyConnect

    - AnyConnectOnConnectOnDisconnect

    - AnyConnect OnConnect onDisconnectOnConnectOnDisconnectAnyConnectAnyConnect VBSPerl Bash

    -

    Windows -MicrosoftWindowsAnyConnectWindows VPNAnyConnectWindows cmd .bat

    -AnyConnect EnableScripting

    GUI - GUI VPNOnDisconnect

    64Windows - AnyConnect 32 64WindowsAnyConnect cmd.exe 32

    32 cmd.exe 64 cmd.exe32Windows 7 64cmd.exe msg %WINDIR%\SysWOW64

    32 cmd.exe

    AnyConnect

    1

    2

    ASDM ASA

    Network (Client) Access > AnyConnect Customization/Localization > Script

    ASDM6.3ASA scripts_OnConnect OnDisconnect scripts_ OnConnect OnDisconnect myscript.bat scripts_OnConnect_myscript.bat OnConnect_myscript.bat

    ASDM 6.3

    scripts_OnConnect

    scripts_OnDisconnect

    ASAASA

    VPN

    OnConnect

    OnDisconnect

    6

    %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script

    Microsoft Windows

    /opt/cisco/anyconnectLinux

    Linux

    /opt/cisco/anyconnect/scriptMac OS X

    AnyConnect

    1 VPN Preferences (Part 2)

    2 Enable Scripting VPN

    3 User Controllable On Connect OnDisconnect

    4 Terminate Script On Next Event

    AnyConnectVPNVPNOnDisconnectOnConnectMicrosoftWindowsOnConnect OnDisconnectMac OS LinuxOn Connect OnDisconnect

    5 Enable Post SBL On Connect Script SBLVPN On Connect

    ASA VPN

    1 OnConnect OnDisconnect

    2

    3 VPN OnConnect OnDisconnectASA OnConnect ASA OnConnect OnConnect OnDisconnect ASA VPN

    OnConnect OnDisconnect VPN

    4 Linux

    5

    AnyConnect API WindowsLinuxMacAnyConnectAPI (UI) AnyConnect UI

    CLI GUI

    vpncli.exevpnui.exeWindows

    vpnvpnuiLinux

    vpnASAAltirisGUIMac

    Mac

    ASA

    AnyConnectAnyConnectAnyConnectUI AnyConnect ASDMAnyConnect

    Cisco AnyConnectGUI

    AnyConnect ISE

    AnyConnect AnyConnect AnyConnect ISEAnyConnect ISEAnyConnect AnyConnect

    ISE AnyConnect Gettext .po .mo Gettextmsgfmt http://www.gnu.org/software/gettext/ Gettext Gettext

    1 AnyConnecta) www.cisco.com Cisco AnyConnect Software Download

    AnyConnect-Localization-(release).zip *.po

    b) *.poc) Gettext *.po *.mo

    msgfmt -o AnyConnect.mo AnyConnect.po

    2 AnyConnecta) l10nb) l10nfr-ch

    c)

    l10n\fr-ch\AnyConnect.mo
    l10n\he\AnyConnect.mo
    l10n\ja\AnyConnect.mo

    3 Windows AnyConnecta) www.cisco.comCiscoAnyConnect

    anyconnect-win-(release)-web-deploy-k9-lang.zipanyconnect-gina-win-(release)-web-deploy-k9-lang.zip

    AnyConnectAnyConnect

    b)

    4 Windows AnyConnecta) mstb) mstfr-ch

    c)

    l10n\fr-ch\AnyConnect.mo
    l10n\he\AnyConnect.mo
    l10n\ja\AnyConnect.mo

    mst\fr-ch\AnyConnect_fr-ca.mst
    mst\he\AnyConnect_he.mst
    mst\ja\AnyConnect_ja.mst

    5 AnyConnect-Localization-Bundle-.zip AnyConnect

    AnyConnect ISE AnyConnect AnyConnect ISE

    AnyConnect AnyConnect AnyConnect GUIVPN ISE AnyConnect ISEAnyConnectwin\resource\

    \binary\transform

    mac-intel\resource\binary\transform

    AnyConnectWindowsMac OSX resourcebinary transform

    resource AnyConnect GUI

    AnyConnect GUI 49

    binary VPN

    AnyConnect AnyConnect 57

    VPN 58

    transform

    Windows (Windows) 36

    Mac OS X ACTransforms.xml Mac OS X 42

    AnyConnect

    1

    2 resourcesAnyConnect GUI

    3 binary help_AnyConnect.html

    4 binary VPN OnConnect OnDisconnect

    5 transform

    6 AnyConnect-Customization-Bundle.zip AnyConnect

    AnyConnect ISE AnyConnect AnyConnect ISE

    3 AnyConnect

    67

    68

    AnyConnect VPN 70

    AnyConnect 84

    Cisco AnyConnect ASAAnyConnectASDM

    AnyConnectASDM AnyConnect AnyConnect

    Windows

    AnyConnect AnyConnect VPN 70

    AnyConnect 84

    144

    ISE 177

    182

    AMP 202

    209

    ASDM

    AnyConnect

    AnyConnect ASDMWindows

    ASDM ASA

    1 ASDM Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

    2 Add 3

    4 Profile Usage

    5 Profile Location Browse Flash ASA XML

    6 Upload 7 AnyConnect

    8 OK

    ASDMWindowsVPN

    Cisco AnyConnect (Add or Remove Programs) VPN

    Java - JRE 1.6

    JRE 1.6

    - Windows 7 MSI Windows

    - Firefox Internet Explorer

    - Cisco AnyConnect 5 MBJRE 1.6 100 MB

    ASAVPNGUI ASA FQDN ASA

    AnyConnect AnyConnect AnyConnect ISO .pkgWindows(.exe)anyconnect-profileeditor-win--k9.exe

    1 Cisco.com anyconnect-profileeditor-win--k9.exe

    2 anyconnect-profileeditor-win--k9.exe

    3 Welcome Next 4 Choose Setup Type Next

    Typical -

    (Custom) -

    (Complete) -

    5 Typical Complete Custom Will be installed on local hard drive Entire Feature will be unavailable Next

    6 Ready to Install Install 7 Finish

    AnyConnect C:\Program Files\Cisco\Cisco AnyConnect Profile Editor

    (Start) > (All Programs) > (Cisco) >Cisco AnyConnect (Cisco AnyConnect Profile Editor)

    XML ASA XML

    1 Start > All Programs > Cisco > Cisco AnyConnect Profile Editor

    2 File > Open XML

    VPN Schema Validation failed

    3 File > Save

    AnyConnect VPN AnyConnect Cisco AnyConnect VPNISEAnyConnectASA

    ASA ISE AnyConnectAnyConnect VPN VPN

    AnyConnectGUI(Preferences)

    /

    AnyConnect 1 Use Start Before Logon - Windows Windows AnyConnect Windows VPN

    Show Pre-connect Message - AnyConnect

    Certificate Store - AnyConnect (All)

    All- AnyConnect

    Machine - AnyConnectWindows

    User - AnyConnect

    Certificate Store Override - AnyConnectWindows

    WindowsWindows

    Auto Connect on Start -AnyConnectAnyConnectVPN

    Minimize On Connect - VPNAnyConnect GUI

    Local LAN Access - ASA VPN LAN

    LAN8.4(1)SSL AnyConnect VPN VPN 2

    Auto Reconnect -AnyConnect VPN Auto Reconnect

    Disconnect On Suspend - AnyConnect VPN

    ReconnectAfterResume -AnyConnect VPN

    Auto Update - User Controllable

    RSA Secure ID IntegrationWindows- RSAAnyConnect RSA

    Windows Logon Enforcement - (RDP)VPNVPNAnyConnectVPN VPN

    Single Local Logon-VPN PC VPNVPN

    VPNVPN PC VPN VPN

    Single Logon - VPNVPNVPNVPNVPN VPN

    Windows VPN Establishment - PC VPN AnyConnect

    Local Users Only- VPN AnyConnect

    Allow Remote Users -VPNVPNVPNPCVPNVPN 90

    Clear SmartCard PIN

    IP Protocol Supported - IPv4 IPv6 AnyConnectASAAnyConnect IPAnyConnect IPv4AnyConnect IPv6

    IP

    IPv4 - ASA IPv4

    IPv6 - ASA IPv6

    IPv4, IPv6 - ASA IPv4 IPv4 IPv6

    IPv6, IPv4 - ASA IPv6 IPv6 IPv4

    IPv4 IPv6 VPN IP IP VPN

    AnyConnect 2 (Disable Automatic Certificate Selection)Windows-

    (Proxy Settings) - AnyConnect

    (Native) - AnyConnect

    (IgnoreProxy) - ASA

    (Override) - LinuxWindows

    (Allow Local Proxy Connections) -AnyConnectWindows PC VPN

    (Enable Optimal Gateway Selection) (OGS) IPv4 - AnyConnect (RTT) OGS OGS (Automatic Selection) GUI (Connection) (Connect To)

    OGS

    (Always On)

    (PAC)

    AAA

    (Suspension Time Threshold) - VPN

    (Performance Improvement Threshold)

    (Performance Improvement Threshold) (%) -

    20%

    VPN (Automatic VPN Policy) Windows Mac - AnyConnect (Trusted Network Detection allowing AnyConnect) (Trusted Network Policy) (Untrusted Network Policy) VPN VPN Automatic VPN Policy VPN

    Trusted Network Policy -AnyConnect VPN

    Disconnect- VPN

    Connect - VPN

    Do Nothing - Trusted Network PolicyUntrustedNetwork Policy Do Nothing Trusted Network Detection

    Pause - VPNAnyConnect VPNAnyConnect VPN

    Untrusted Network Policy -AnyConnectVPNVPN

    Connect- VPN

    Do Nothing - VPN Trusted Network Policy Untrusted Network Policy Do Nothing Trusted Network Detection

    Trusted DNS Domains - DNS*.cisco.com (*) DNS

    Trusted DNS Servers - DNS 192.168.1.2, 2001:DB8::1DNS (*)

    Always On -WindowsMac OS XAnyConnect VPN

    VPN AnyConnectVPN

    VPN

    Allow VPN Disconnect - AnyConnect VPN Disconnect VPN VPNVPN Disconnect

    DisconnectVPN Disconnect VPN

    Connect Failure Policy - AnyConnect VPN ASA Allow VPN Disconnect fail-openfail-close

    Closed - VPN

    Open - VPN

    AnyConnect VPN

    ACL VPNAnyConnect

    VPN AnyConnect

    VPN

    Connect Failure Policy Closed

    Allow Captive Portal Remediation -AnyConnect

    VPN

    Remediation Timeout - AnyConnect AllowCaptive Portal Remediation5

    Apply Last VPN Local Resource Rules - VPN ASA ASA LAN ACL

    (Allow Manual Host Input) - AnyConnect UI VPN VPN VPN

    PPP Exclusion - PPP VPNAnyConnectGUI Route Details PPP

    Automatic - PPPAnyConnect PPP IP IP

    Disabled - PPP

    Override - PPP PPP IP PPP

    PPP Exclusion

    PPP Exclusion Server IP - PPP IP

    PPP

    Enable Scripting - OnConnect OnDisconnect

    Terminate Script On Next Event -VPNAnyConnectOnConnect VPN OnDisconnectMicrosoftWindows OnConnect OnDisconnectMac OS Linux OnConnect OnDisconnect

    Enable Post SBL On Connect Script - OnConnect SBLVPN VPNMicrosoft Windows

    VPN -Windows VPN

    User Enforcement - VPN Retain VPNOn Logoff VPNWindows

    Authentication Timeout Values -AnyConnect 12AnyConnect 0 - 20

    AnyConnect

    Host Address - IP (FQDN)

    Add -

    Move Up -

    Move Down -

    Delete -

    AnyConnect

    AnyConnect

    Key Usage Digital_Signature

    Extended Key UsageClient Auth

    Key Usage -

    Decipher_Only -Key_Agreement

    Encipher_Only -Key_Agreement

    CRL_Sign - CRL CA

    Key_Cert_Sign - CA

    Key_Agreement -

    Data_Encipherment - Key_Encipherment

    Key_Encipherment -

    Non_Repudiation -Key_Cert_signCRL_Sign

    Digital_Signature -Non_RepudiationKey_Cert_SignCRL_Sign

    Extended Key Usage - Extended Key UsageOID

    ServerAuth (1.3.6.1.5.5.7.3.1)

    ClientAuth (1.3.6.1.5.5.7.3.2)

    CodeSign (1.3.6.1.5.5.7.3.3)

    EmailProtect (1.3.6.1.5.5.7.3.4)

    IPSecEndSystem (1.3.6.1.5.5.7.3.5)

    IPSecTunnel (1.3.6.1.5.5.7.3.6)

    IPSecUser (1.3.6.1.5.5.7.3.7)

    TimeStamp (1.3.6.1.5.5.7.3.8)

    OCSPSign (1.3.6.1.5.5.7.3.9)

    DVCS (1.3.6.1.5.5.7.3.10)

    IKE Intermediate

    Custom Extended Match Key 10 - 10 OID 1.3.6.1.5.5.7.3.11

    Distinguished Name 10- (DN)

    Name - (DN)

    CN -

    C -/

    DC -

    DNQ - DN

    EA -

    GENQ -

    GN -

    I -

    L -

    N -

    O -

    OU -

    SN -

    SP -/

    ST -

    T -

    ISSUER-CN -

    ISSUER-DC -

    ISSUER-SN -

    ISSUER-GN -

    ISSUER-N -

    ISSUER-I -

    ISSUER-GENQ -

    ISSUER-DNQ - DN

    ISSUER-C -/

    ISSUER-L -

    ISSUER-SP -/

    ISSUER-ST -

    ISSUER-O -

    ISSUER-OU -

    ISSUER-T -

    ISSUER-EA -

    Pattern -

    abc.cisco.com cisco.comcisco.com

    Operator - DN

    Equal - ==

    Not Equal - !=

    Wildcard -

    Match Case -

    133

    AnyConnect AnyConnect (SCEP)

    Certificate Expiration Threshold -AnyConnectRADIUS 0 180

    Certificate Import Store -Windows

    Automatic SCEPHost - SCEP SCEPASA ASA (FQDN)asa.cisco.com scep_eng

    CA URL - SCEP SCEP CA CA FQDN IPhttp://ca01.cisco.com

    Prompt For Challenge PW - GetCertificate

    Thumbprint - CA SHA1MD5

    CACAURLfingerprintthumbprint

    Certificate Contents - SCEP

    (CN) -

    (OU) -

    (O) -

    (ST) -

    (SP) -

    / (C) -/

    (EA) - (EA) %USER%@cisco.com%USER% ASA

    (DC) - (DC) cisco.com

    (SN) -

    (GN) -

    UnstructName (N) -

    (I) -

    (GEN) -Jr.III.

    (DN) - DN

    (L) -

    (T) -

    CA - SCEP CA

    - RSA

    Display Get Certificate Button - AnyConnect GUI Get Certificate

    RADIUS

    122

    AnyConnect AnyConnect 3.0Windows Mobile Cisco AnyConnect 2.5Windows Mobile

    AnyConnect GUI VPN

    -IP (FQDN)

    - IP FQDN

    - URL

    SCEP -

    CA URL - (CA) URL

    Add/Edit - Server List Entry

    Delete -

    Details - CA URL

    VPN 93

    AnyConnect /

    Host Display Name -IP (FQDN)

    FQDN or IP Address - IP FQDN

    Host Address IP FQDN Host NameAnyConnect

    Hostname FQDN Host Address IPHostname FQDN DNS

    IP IPv4 IPv6

    User Group -

    URL Primary Protocol IPsecUser Group SSL URL

    Additional mobile-only settings - Apple iOS Android

    Backup Server List

    Host Address - IP FQDN

    Add -

    Move Up -

    Move Down -

    Delete -

    Load Balancing Server List

    Host Address - IP FQDN

    Add -

    Delete -

    Primary Protocol - SSL IPsec IKEv2 SSL

    Standard Authentication Only (IOS Gateways)- IPsec IOS

    ASAAnyConnectEAP ASA DNSMSIE

    Auth Method During IKE Negotiation -

    IKE Identity - EAP ID_GROUP IDi *$AnyConnectClient$*

    Automatic SCEP Host - SCEP

    CA URL - SCEP CA URL FQDN IP http://ca01.cisco.com

    Prompt For Challenge PW - Get Certificate

    CA Thumbprint - CA SHA1MD5

    CA CA URL fingerprint thumbprint

    VPN 93

    AnyConnect AnyConnectLocalPolicy.xml XMLASA

    VPN AnyConnectLocalPolicy.xmlXML

    AnyConnect AnyConnect

    acversion=""

    FIPS Mode

    FIPS FIPS

    Bypass Downloader

    VPNDownloader.exe ASA

    Bypass Downloader ASA

    ASA VPN VPN

    ASA VPN VPN VPN

    ASA VPN ASA BypassDownloader true ASA BypassDownloader true

    Enable CRL Check

    Windows SSL IPsec VPN(CRL)AnyConnectCRLAnyConnect

    (CA)

    CRLEnable CRL CheckAnyConnect CRL

    CRL AnyConnect Strict Certificate Trust

    CRL CRL AnyConnect Strict Certificate Trust Strict Certificate Trust

    Always OnAnyConnect CRL CRL AnyConnect

    Restrict Web Launch

    FIPSWebLaunch AnyConnect Cookie

    Strict Certificate Trust

    AnyConnect Local policy prohibits the acceptance of untrusted server certificates. A connection will not be established.

    AnyConnect Strict Certificate Trust

    Strict Certificate Trust

    AnyConnect

    Strict Certificate Trust

    AnyConnect AnyConnect

    Credentials -

    Thumbprints -

    CredentialsAndThumbprints -

    All -

    false -

    PEM (Exclude Pem File Cert Store)LinuxMac

    PEM

    FIPS OpenSSL PEM FIPS

    Mac (Exclude Mac Native Cert Store)Mac

    Mac

    Firefox NSS (Exclude Firefox NSS Cert Store)LinuxMac

    Firefox NSS

    Update Policy

    Allow Software Updates From AnyServer

    VPN

    Allow VPN Profile Updates From AnyServer

    VPN

    Allow Service Profile Updates FromAnyServer

    Allow ISEPosture Profile Updates FromAny Server

    ISE

    Allow Compliance Module Updates From AnyServer

    Server Name

    VPNAnyConnect FQDNIP

    1 AnyConnect (AnyConnectLocalPolicy.xml)

    7 AnyConnect

    C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility ClientWindows

    /opt/cisco/anyconnectLinux

    /opt/cisco/anyconnectMac OS X

    2 AnyConnectLocalPolicy AnyConnect VPN

    3 AnyConnectLocalPolicy.xml

    4

    MST

    MSTMST AnyConnect(AnyConnectLocalPolicy.xml)

    LOCAL_POLICY_BYPASS_DOWNLOADER

    LOCAL_POLICY_FIPS_MODE

    LOCAL_POLICY_RESTRICT_PREFERENCE_CACHING

    LOCAL_POLICY_RESTRICT_TUNNEL_PROTOCOLS

    LOCAL_POLICY_RESTRICT_WEB_LAUNCH

    LOCAL_POLICY_STRICT_CERTIFICATE_TRUST

    AnyConnect

    FIPS FIPS FIPS AnyConnect FIPSWindows LinuxMac root

    FIPS FIPS

    EnableFIPSFIPS FIPS

    FIPS vpnagent (Windows) vpnagentMac Linux

    Windows FIPS

    EnableFIPS rwl=false sct=true bd=true fm=false

    LinuxMac

    ./EnableFIPS rwl=false sct=true bd=true fm=false

    FIPS AnyConnect

    fm=[true | false]FIPS

    bd=[true | false]

    rwl=[true | false]WebLaunch

    sct=[true | false]

    rpc=[Credentials | Thumbprints | CredentialsAndThumbprints | All | false]

    efn=[true | false] Firefox NSS Linux Mac

    epf=[true | false] PEMLinuxMac

    emn=[true | false]MacMac

    4 VPN

    VPN 91

    VPN 115

    VPN 118

    VPN

    AnyConnect VPN AnyConnect VPN VPN

    AnyConnect

    VPN

    AnyConnect VPN

    Windows VPN

    AnyConnect VPN

    VPN

    VPN VPN

    VPN

    AnyConnect

    ASA AnyConnect VPN VPN

    (Keepalive) - ASAASA ASA

    ASDM(Keepalive) ASDM Cisco ASA 5500

    CLI Keepalive CLI Cisco ASA 5500

    (Dead PeerDetection) - ASAAnyConnectR-U-There IPsec

    ASA DPDASA

    ASA DPD 300

    ASA DPDDPD 30

    ASA DPDASDMDPDCisco ASA VPN ASDMCLIDPDCisco ASA VPNCLI

    DPD30(GroupPolicy)>(Advanced)>AnyConnect(AnyConnect Client) >(Dead Peer Detection)

    DPD 300(Group Policy) >(Advanced)>AnyConnect(AnyConnectClient) >(DeadPeerDetection)

    SSL IPsec 1(Group Policy) >(Advanced) >AnyConnect(AnyConnect Client) >(KeyRegeneration)

    AnyConnect

    AnyConnect VPN

    VPN

    (Default Idle Timeout) - 30

    CLI webvpn default-idle-timeout 1800

    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_anyconnect.html#wp1090828
    http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/vpn/vpn_anyconnect.html#wp1090788

    VPN (VPN Idle Timeout) - SSL VPN vpn-idle-timeout default-idle-timeout

    ASDM VPN ASDM Cisco ASA 5500

    CLI VPN CLI Cisco ASA 5500

    VPN AnyConnect VPN VPNFQDN IP

    AnyConnect GUI Connect to VPN GUI

    1 VPN Server List 2 Add 3

    a) Host Display NameFQDN IP&

    IPsec SSL URL

    b) IPsec Standard Authentication OnlyAnyConnect EAP

    AnyConnect EAP ASA DNSMSIE

    7 SCEPa) SCEP CA URL FQDN IPhttp://ca01.cisco.comb) Prompt For Challenge PW Get Certificate

    c) CA SHA1MD5 CA CAURLfingerprintthumbprint

    8 OK

    AnyConnect 82AnyConnect/ 82

    Windows VPN

    (SBL)Windows VPN

    SBLAnyConnectWindows VPNWindows

    SBLSBL 802-1X

    SBLWindowsWindows

    Windows (PLAP) AnyConnect SBL

    PLAP Ctrl+Alt+Del Network ConnectPLAP

    PLAPWindows 32 64

    SBL

    Active Directory

    Microsoft Active Directory

    SBL

    Active Directory

    MS NAP/CS NAC

    AnyConnect

    AnyConnect

    1 AnyConnect

    2 AnyConnect SBL

    AnyConnect

    AnyConnectAnyConnect SBLAnyConnect DLLWindows 7Windows 2008 32 64 PLAP vpnplap.dll vpnplap64.dll

    VPNGINA PLAP AnyConnectVPNGINA PLAP

    SBL ASA SBL AnyConnectMSIAnyConnect

    1 ASDM Configuration > Remote Access VPN > Network (Client) Access > Group Policies

    2 Edit Add

    3 Advanced > AnyConnect Client

    4 Optional Client Module for Download Inherit

    5 AnyConnect SBL

    AnyConnect SBL

    SBLSBL

    SBL

    1 VPN Preferences (Part 1)

    2 Use Start Before Logon

    3 SBL User Controllable

    SBL

    1 AnyConnect ASA

    2 *.xml

    3 Windows Add/Remove Programs SBL

    4 AnyConnect

    5 AnyConnect

    6 Start Before Logon

    7 DART AnyConnect

    8 AnyConnect

    Description: Unable to parse the profile C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\VABaseProfile.xml. Host data not available.

    9 .tmpl .xml XML

    AnyConnect VPN Auto Connect On StartAnyConnectVPN VPN

    Auto Connect On Start

    1 VPN Preferences (Part 1)

    2 Auto Connect On Start

    3 Auto Connect On Start User Controllable

    Windows (PLAP) (SBL)Windows VPN

    SBL AnyConnect (PLAP) PLAP Windows SBL PLAP vpnplap.dll vpnplap64.dll 32 64 PLAP x86 x64

    PLAPvpnplap.dll vpnplap64.dll SBLPLAP DLLWindows 7Windows 2008 32 64 PLAP

    PLAPAnyConnectPLAP

    SBLPLAPAnyConnect SBL 96 Switch User Network Connect

    Alt+Tab

    PLAP Windows PC

    1 Windows Ctrl+Alt+Del Switch User

    2 Switch UserNetwork ConnectAnyConnect Switch User VPN Network Connect VPN CancelVPN

    3 NetworkConnectAnyConnectAnyConnect

    4 GUIAnyConnect

    5 Network ConnectMicrosoft Disconnect

    6

    AnyConnect PLAP VPN

    PLAP AnyConnect VPNPLAP Disconnect

    DisconnectVPN

    Disconnect

    PLAP PC Cancel

    PC

    WindowsPress CTRL + ALT + DEL to log on

    Windows PLAP AnyConnect

    VPN Auto ReconnectAnyConnectVPN 3GAutoReconnectWindowsMac OS Linux

    Auto Reconnect VPN

    1 VPN Preferences (Part 1)

    2 Auto Reconnect

    3 Auto Reconnect Behavior

    Disconnect On Suspend -AnyConnect VPN

    Reconnect After Resume -VPN

    (TND) AnyConnect VPN VPN

    TNDVPNVPNTND VPNVPN TNDVPN

    AnyConnect VPN TND ASAAnyConnect

    TNDAnyConnect GUIGUIGUI TND VPN

    AnyConnect SBL

    IPv4 IPv6 ASA IPv6 IPv4 VPN

    TND

    TNDAnyConnect

    ASA TND

    ASA ASA

    ASA ASA

    1 VPN Preferences (Part 1)

    2 Automatic VPN Policy

    3 Trusted Network Policy

    Disconnect - VPN

    Connect - VPN

    Do Nothing - Trusted Network Policy UntrustedNetwork Policy Do Nothing Trusted Network Detection (TND)

    Pause -VPNAnyConnect VPNAnyConnect

    VPN

    4 Untrusted Network Policy

    Connect - VPN

    Do Nothing - VPNTrusted Network Policy Untrusted Network Policy Do Nothing Trusted NetworkDetection

    5 Trusted DNS Domains DNSDNS split-dns ASA DNS

    AnyConnect DNS

    DNS

    DNS DNS Advanced TCP/IP Settings

    TrustedDNSDomains DNS

    *example.comexample.com

    TrustedDNSDomains DNS

    *.example.com OR example.com,anyconnect.example.com

    example.com AND anyconnect.cisco.com

    *.example.com OR asa.example.com,anyconnect.example.com

    asa.example.com AND example.cisco.com

    (*) DNS

    6 Trusted DNS Servers DNSDNS203.0.113.1,2001:DB8::1 (*) DNS

    DNS DNS IPmus.cisco.com DNS DNSmus.cisco.com

    TrustedDNSDomains/TrustedDNSServersTrustedDNSServers DNS

    VPN

    7 URLWeb (Add)URL (Set)

    DNSDNS DNS DNS

    VPN

    VPN VPN VPN

    VPNVPNASAAnyConnect VPN

    VPNAnyConnect AnyConnect ASA

    AnyConnect

    VPN AnyConnect VPN VPN (Allow VPN Disconnect) AnyConnect VPN (Disconnect) VPN Disconnect

    DisconnectVPNVPNDisconnectVPN VPN

    VPN AnyConnect VPN

    VPN

    AnyConnect VPNAnyConnect VPN

    VPN

    VPN VPN

    (CA)ASDMConfiguration> Remote Access VPN > Certificate Management > Identity Certificates EnrollASA SSL VPN with Entrust

    ASA

    PC

    Windows C:\ProgramData

    AnyConnect

    Windows (GPO)GUIMacOS

    VPN

    1 AnyConnect VPN

    2

    3 VPN

    AnyConnect VPN

    VPN ASA VPN VPN

    1 VPN Preferences (Part 2)

    2 Automatic VPN Policy

    3

    4 Always On

    5 Allow VPN Disconnect

    6

    7

    VPN AnyConnect VPN VPN

    ASDM

    1 VPN Server List

    2 Edit

    3 FQDN IP

    VPN

    VPN

    ASA AnyConnectVPN

    AAA

    1 Configuration >Remote Access VPN >Network (Client) Access >Dynamic Access Policies >Add Edit

    2 VPN Selection Criteria ID AAA

    3 Add or Edit Dynamic Access Policy AnyConnect

    4 VPN for AnyConnect client Disable

    VPN AnyConnect VPNAnyConnect

    VPNAnyConnect

    AnyConnect VPN

    VPNWeb

    Disconnect Disconnect

    VPN

    VPN

    Web

    Apply Last VPN Local Resources VPN

    AnyConnect

    AnyConnect

    VPN

    AnyConnect VPN

    VPN

    1 VPN Preferences (Part 2)

    2 Connect Failure Policy

    Closed-

    Open -

    3 a) b) VPN Apply Last VPN Local Resources

Wi-Fi/

    VPN AnyConnectAnyConnect

    AnyConnect

The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

VPN

The service provider in your current location is restricting access to the Internet. The AnyConnect protection settings must be lowered for you to log on with the service provider. Your current enterprise security policy does not allow this.

    AnyConnectVPNVPN

    AnyConnect VPN

    1 VPN Preferences (Part 1) 2 (Allow Captive Portal Remediation)

    3

AnyConnect

    AnyConnect

    AnyConnect (CN) ASA AnyConnect

    ASA CN VPN ASA

    ASA ASA HTTPS ASA AnyConnect ASA

ASA ASA HTTP HTTPS HTTP ASA HTTP/HTTPS ASA HTTP/HTTPS

HTTP IP

    DoS HTTP

    L2TP PPTP AnyConnect/ ISP 2 (L2TP) (PPTP)

(PPP) AnyConnect PPP VPN ASA ASA AnyConnect PPP AnyConnect GUI Route Details

1 VPN Preferences (Part 2) 2 PPPExclusion, UserControllable

Automatic - PPP AnyConnect PPP IP IP

Override - PPP PPP IP PPPExclusion UserControllable true

    Disabled - PPP

    3 PPP Exclusion Server IP PPP IP UserControllable preferences.xml PPP IP

    preferences.xml PPP

    PPP PPP Exclusion AnyConnect

1 XML

Windows: %LOCAL_APPDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml

Mac OS X: /Users/username/.anyconnect

Linux: /home/username/.anyconnect

2 PPPExclusion: Override; PPP Exclusion Server IP: the PPP server's IPv4 address

Override 192.168.22.44

    3

    4 AnyConnect
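The steps above edit preferences.xml by hand. The following added example (not Cisco code) makes the same change programmatically and refuses anything but a valid IPv4 address, since the guide documents only an IPv4 PPP server address and a malformed value would silently leave the PPP server unexcluded from the tunnel. The element names `<AnyConnectPreferences>`, `<PPPExclusion>` and `<PPPExclusionServerIP>` are assumed from the procedure's wording; compare them with your own preferences.xml before use. The sample file is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a preferences.xml; element names are assumed (see lead-in).
SAMPLE_PREFERENCES = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultUser>alice</DefaultUser>
  <DefaultHostName>asa.example.com</DefaultHostName>
  <PPPExclusion>Automatic</PPPExclusion>
  <PPPExclusionServerIP></PPPExclusionServerIP>
</AnyConnectPreferences>
"""


def set_ppp_exclusion_override(xml_text, server_ip):
    """Return xml_text with PPPExclusion set to Override and the PPP server's
    IPv4 address stored in PPPExclusionServerIP. Raises ValueError for a
    non-IPv4 value or an unexpected document, instead of writing junk."""
    addr = ipaddress.ip_address(server_ip)          # ValueError if not an IP
    if addr.version != 4:
        raise ValueError("PPP exclusion server must be an IPv4 address")
    root = ET.fromstring(xml_text)
    if root.tag != "AnyConnectPreferences":
        raise ValueError("unexpected root element %r" % root.tag)
    for tag, value in (("PPPExclusion", "Override"),
                       ("PPPExclusionServerIP", str(addr))):
        element = root.find(tag)
        if element is None:                          # absent in a fresh file: create it
            element = ET.SubElement(root, tag)
        element.text = value
    return ET.tostring(root, encoding="unicode")


def read_ppp_exclusion(xml_text):
    """Return (mode, server_ip) as stored in the file, for verification
    after the edit and before restarting AnyConnect."""
    root = ET.fromstring(xml_text)
    return (root.findtext("PPPExclusion", default=""),
            root.findtext("PPPExclusionServerIP", default=""))


if __name__ == "__main__":
    updated = set_ppp_exclusion_override(SAMPLE_PREFERENCES, "192.168.22.44")
    print(read_ppp_exclusion(updated))
```

To apply it to a real file, read the path listed for your platform above into `xml_text`, write the returned string back with the same ownership and permissions, then restart AnyConnect as step 4 says.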

AnyConnect

    AnyConnect AnyConnect VPN

AnyConnect Kaspersky

AnyConnect VPN

Windows AnyConnect Mac Linux

Windows

VPN

AnyConnect SBL Windows Microsoft

VPN

VPN Windows Linux

VPN AnyConnect 2

ASA AnyConnect AnyConnect AnyConnect (PAC) ASA AnyConnect

AnyConnect

Linux, Mac OS X, Windows

Safari, Internet Explorer

    IE

    IPv6

    VPN

    1 VPN Preferences (Part 2) 2 Allow Local Proxy Connections

Windows Linux AnyConnect 4.1 Mac Linux Mac

Linux AnyConnect

AnyConnect NTLM AnyConnect AnyConnect ASA

Windows

    Windows

    1 Internet Explorer Internet Options 2 Connections LAN Settings 3 IP

    Mac

    1

    2 Advanced

    3 Proxies

    4 HTTPS

    5 Secure Proxy Server

    Linux

    Linux

    1 ASA Cisco ASA VPN ASDM

    Mac scutil --proxy ASA VPN

    2

    3 Internet Explorer Connections

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1336831

AnyConnect PC Microsoft Internet Explorer Safari AnyConnect

1 VPN Preferences (Part 2) 2 Proxy Settings: IgnoreProxy (Ignore Proxy)

    ASA

    Internet Explorer Connections

    AnyConnect Internet Explorer Tools > Internet Options > Connections

    ASA Connections

    ASA

    Windows Connections ASA

    ASA ASDM

1 ASDM: Configuration > Remote Access VPN > Network (Client) Access > Group Policies
2 Edit / Add
3 Advanced > Browser Proxy, Proxy Server Policy
4 Proxy Lockdown
5 Inherit. Yes: AnyConnect Internet Explorer Connections. No: AnyConnect Internet Explorer Connections.

    6 OK 7 Apply

Windows

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    Mac OS X

    scutil --proxy

    VPN

    IPv4 IPv6 VPN Client Bypass Protocol AnyConnect ASA IPv6 IPv4 ASA IPv4 IPv6

    AnyConnect ASA VPNASA IPv4/ IPv6

    IP Client Bypass Protocol ASA IP IP VPN

    Client Bypass Protocol VPNIP

ASA IPv4 AnyConnect IPv6 Client Bypass Protocol IPv6 Client Bypass Protocol IPv6

ASA Client Bypass Protocol

1 ASDM: Configuration > Remote Access VPN > Network (Client) Access > Group Policies
2 Edit / Add
3 Advanced > AnyConnect
4 Client Bypass Protocol, Inherit
5

Disable: ASA IP

Enable: IP

6 OK 7 Apply

    Cisco ASA VPN ASDM

    Cisco ASA VPN ASDMAnyConnect

ASDM: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy

    DNS DNSAnyConnect DNS DNS DNS DNS DNS DNSAnyConnect DNS

DNS DNS A, AAAA, NS, TXT, MX, SOA, ANY, SRV, PTR, CNAME; PTR

    WindowsMac OS X AnyConnect DNS

    Mac OS XAnyConnect IPDNS

    IP IPv4 DNS IP IPv6 IP

    IP DNS

    DNS DNS

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1409337
http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1543109

1 DNS Cisco ASA VPN ASDM

    DNS DNS

2 - Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Advanced > Split Tunneling: Tunnel Network List Below, Network List

DNS Exclude Network List Below Tunnel Network List Below DNS

3 DNS Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Advanced > Split Tunneling: Send All DNS lookups through tunnel, DNS Names

ASDM: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy

AnyConnect DNS DNS AnyConnect Received VPN Session Configuration Settings DNS IPv4 DNS IPv6 DNS

    DNS DNS ping DNS nslookup dig DNS

    DNS

    1 ipconfig/all DNS 2 VPN DNS

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/vpn/vpn_asdm_setup.html#wp1351696

DNS

    ASA

    VPN

    AnyConnect Strict Certificate Trust

    Strict Certificate Trust

    AnyConnect

    Strict Certificate Trust

    Strict Certificate Trust Cisco AnyConnect4.1

    AnyConnect (CRL)

    CRLCRLWindowsMac OS X CRL

    ASA

    FQDN FQDN SSL FQDN IP

IPsec SSL: DigitalSignature, KeyAgreement, KeyEncipherment; EKU

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1.html

serverAuth SSL, IPsec ikeIntermediate IPsec KU EKU

    IPsec IPsec

    DNS IPIP

OS X: Show Expired Certificates ()

CN (Change Settings) (Keep Me Safe)

    Linux

(Keep Me Safe)

(Change Settings) AnyConnect (Advanced) > VPN > (Preferences)

(Block connections to untrusted servers) CA (Certificate Blocked Error Dialog)

VPN (Always trust this VPN server and import the certificate)

    AnyConnect (Advanced) > VPN > (Preferences) (Block connections to untrusted servers) AnyConnect

    (Strict Certificate Trust)(Strict Certificate Trust)

(Strict Certificate Trust) Cisco AnyConnect 4.1 AnyConnect

    AnyConnect VPN Always On DAP

    (Strict Certificate Trust)

    AnyConnect

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1.html

AAA ID

    URL URL

ASA Department_OU ASA

CA

1 Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, Edit, Edit AnyConnect Connection Profile

    2 Basic Authentication Certificate

    3 OK

    Cisco AnyConnect (SCEP) AnyConnect IPsec SSL VPN ASA SCEP

SCEP ASA (CA) SCEP

    CA ASA AnyConnect CA

    SCEPAnyConnect CA

    CA AnyConnect ASA VPN

AnyConnect 80

    SCEP SCEP AnyConnect ASA

    1 AAA ASAASA AAA

    2 AAA AAA SCEP

    3 ASA CA CA

    4 SCEP ASA

    SCEP

    SCEP

    SCEP SSL SSL IPsec

    SCEP AnyConnect SCEP

    1 ASAASA

    2 SCEP

    3 AAASCEP ASAASA AAA

    4 AAA

    SCEP 2 Get Certificate CA

    CA VPN VPNAAA

5 AAA VPN

    6 SCEP 2VPN CA CA

    7 SCEP ASA

    SCEP

    SCEP

    (Certificate Expiration Threshold) (Get Certificate)

    SCEP

SCEP CA: IOS CS, Windows Server 2003 CA, Windows Server 2008 CA

CA

CA CA AnyConnect CA SCEP SCEP CA

ASA VPN SCEP WebLaunch AnyConnect SCEP

    ASA SCEP

    ASACA

    ASA

    URL URL

ASA Engineering Department_OU ASA

ASA aaa.cisco.sceprequired DAP

    Windows

    Windows Yes

    SCEP

    SCEP VPN

1 VPN Certificate Enrollment 2 Certificate Enrollment 3 Certificate Contents AnyConnect

%machineid% HostScan/Posture

    ASA SCEP

    SCEP ASA VPN

    1 cert_group

    General SCEP Forwarding URL CA URL

    Advanced > AnyConnect Client Inherit for Client Profiles to Download SCEP ac_vpn_scep_proxy

    2 cert_tunnel

    AAA

    cert_group

Advanced > General: Enable SCEP Enrollment for this Connection Profile

Advanced > Group Alias/Group URL (cert_group) URL

    SCEP

    SCEP VPN

1 VPN Certificate Enrollment 2 Certificate Enrollment 3 Automatic SCEP Host

FQDN IP SCEP asa.cisco.com ASA scep_eng asa.cisco.com/scep-eng

SCEP FQDN IP SCEP

4 CA: CA URL, fingerprint (thumbprint)

a) CA URL: SCEP CA FQDN IP, http://ca01.cisco.com/certsrv/mscep/mscep.dll

b) Prompt For Challenge PW

c) CA SHA1 / MD5 fingerprint, e.g. 8475B661202E3414D4BB223A464E6AAB8CA123AB

5 Certificate Contents AnyConnect

%machineid% HostScan/Posture

6 Display Get Certificate Button

7 SCEP Certificate Enrollment, SCEP: a) Server List b) Add / Edit c) 5 6 Automatic SCEP Host, Certificate Authority

ASA SCEP

    ASA SCEP VPN

    1 cert_enroll_group Advanced > AnyConnect Client Inherit for Client Profiles to Download SCEP ac_vpn_legacy_scep

    2 cert_auth_group

    3 cert_enroll_tunnel

    Basic Authentication Method AAA

    Basic Default Group Policy cert_enroll_group

    Advanced > GroupAlias/Group URL URL (cert_enroll_group)

    ASA

    4 cert_auth_tunnel

    Basic Authentication Method Certificate

    Basic Default Group Policy cert_auth_group

    ASA

5 General: Connection Profile (Tunnel Group) Lock, SCEP SCEP

    SCEP Windows 2008 Windows 2008 SCEP AnyConnect

    SCEP

    SCEP SCEP

1 Start > Run, type regedit, and click OK.
2 Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword (the EnforcePassword value).
3 Set EnforcePassword to 0 (REG_DWORD).
4 Close regedit.

    SCEP

    SCEP

1 Server Manager: Start > Admin Tools > Server Manager
2 Roles > Certificate Services (AD Certificate Services)
3 CA Name > Certificate Templates
4 Certificate Templates > Manage
5 Cert Templates Console: Duplicate
6 Windows Server 2008 version, OK
7 NDES-IPSec-SSL
8
9 Cryptography
10 Subject Name: Supply in Request
11 Extensions: Application Policies

    IP

    IP IKE intermediate

    IP

    IP

    SSL IPsec

12 Apply, OK
13 Server Manager > Certificate Services > CA Name > Certificate Templates > New > Certificate Template to Issue: NDES-IPSec-SSL, OK
14 Start > Run, regedit, OK
15 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
16 NDES-IPSec-SSL:
EncryptionTemplate
GeneralPurposeTemplate
SignatureTemplate
17 Save

AnyConnect Certificate Expiration Threshold AnyConnect AnyConnect

RADIUS

1 VPN Certificate Enrollment 2 Certificate Enrollment 3 Certificate Expiration Threshold

AnyConnect

Default 0; valid range 0 to 180 (days)

    4 OK

    AnyConnectAnyConnect

AnyConnect Windows Mac Unix Privacy Enhanced Mail (PEM)

1 Windows (130) VPN AnyConnect

2 Windows (131) AnyConnect

3 Mac Linux PEM (132)

    4 Mac Linux VPN

    5 133AnyConnect AnyConnect

Windows Windows VPN AnyConnect AnyConnect

Windows Certificate Store Override AnyConnect

Windows Certificate Store Override

AnyConnect Certificate Store, Certificate Store Override, Windows

AnyConnect Certificate Store Override

    Certificate Store

    AnyConnect AnyConnect

AnyConnect Certificate Store Override

    Certificate Store

    AnyConnect AnyConnect

    AnyConnect AnyConnect

    Machine

    AnyConnect AnyConnect

    Machine

    AnyConnect

    1 Certificate Store AnyConnect (All)

    All- AnyConnect

    Machine - AnyConnectWindows

    User - AnyConnect

2 AnyConnect Certificate Store Override

Windows AnyConnect SCEP AnyConnect

    Windows

1 VPN Preferences (Part 2) 2 Disable Certificate Selection 3 User Controllable Advanced > VPN > Preferences

Mac Linux PEM AnyConnect (PEM) AnyConnect PEM

    .pem

    .key

    client.pem client.key

    PEM PEM

    PEM

    PEM

CA: ~/.cisco/certificates/ca (1) ~

    ~/.cisco/certificates/client

    ~/.cisco/certificates/client/private

    PEM /opt/.cisco ~/.cisco

AnyConnect AnyConnect VPN Certificate Matching

    AnyConnect 77

Key Usage: AnyConnect VPN Key Usage

    DECIPHER_ONLY

    ENCIPHER_ONLY

    CRL_SIGN

    KEY_CERT_SIGN

    KEY_AGREEMENT

    DATA_ENCIPHERMENT

    KEY_ENCIPHERMENT

    NON_REPUDIATION

    DIGITAL_SIGNATURE

Extended Key Usage: AnyConnect matches on the following EKU values (OID)

OID                 Name
1.3.6.1.5.5.7.3.1   serverAuth
1.3.6.1.5.5.7.3.2   ClientAuth
1.3.6.1.5.5.7.3.3   CodeSign
1.3.6.1.5.5.7.3.4   EmailProtect
1.3.6.1.5.5.7.3.5   IPSecEndSystem
1.3.6.1.5.5.7.3.6   IPSecTunnel
1.3.6.1.5.5.7.3.7   IPSecUser
1.3.6.1.5.5.7.3.8   TimeStamp
1.3.6.1.5.5.7.3.9   OCSPSign
1.3.6.1.5.5.7.3.10  DVCS
1.3.6.1.5.5.8.2.2   IKE Intermediate

OID 1.3.6.1.5.5.7.3.11 OID OID

Distinguished Name (Add)

Field                  Abbreviation
SubjectCommonName      CN
SubjectSurName         SN
SubjectGivenName       GN
SubjectUnstructName    N
SubjectInitials        I
SubjectGenQualifier    GENQ
SubjectDnQualifier     DNQ
SubjectCountry         C
SubjectCity            L
SubjectState           SP
SubjectState           ST
SubjectCompany         O
SubjectDept            OU
SubjectTitle           T
SubjectEmailAddr       EA
DomainComponent        DC
IssuerCommonName       ISSUER-CN
IssuerSurName          ISSUER-SN
IssuerGivenName        ISSUER-GN
IssuerUnstructName     ISSUER-N
IssuerInitials         ISSUER-I
IssuerGenQualifier     ISSUER-GENQ
IssuerDnQualifier      ISSUER-DNQ
IssuerCountry          ISSUER-C
IssuerCity             ISSUER-L
IssuerState            ISSUER-SP
IssuerState            ISSUER-ST
IssuerCompany          ISSUER-O
IssuerDept             ISSUER-OU
IssuerTitle            ISSUER-T
IssuerEmailAddr        ISSUER-EA
IssuerDomainComponent  ISSUER-DC

Distinguished Name
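The three matching criteria in this section (Key Usage bits, Extended Key Usage OIDs, Distinguished Name fields) decide which client certificate AnyConnect presents, so a profile that is too loose lets the wrong certificate be picked and one that is too tight yields no certificate at all. The following added example (not AnyConnect code) models those criteria on a plain dict describing a certificate rather than on a parsed X.509 object. The EKU table is the one above; the match semantics (every listed KU bit and every listed EKU must be present, every DN rule must hold) and the per-rule knobs `wildcard`, `match_case` and `operator` are this example's assumptions about how the profile editor behaves, so verify them against the editor before relying on them. The sample certificate summary is constructed.

```python
from fnmatch import fnmatchcase

# EKU names and OIDs as listed in the table above.
EKU_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "ClientAuth": "1.3.6.1.5.5.7.3.2",
    "CodeSign": "1.3.6.1.5.5.7.3.3",
    "EmailProtect": "1.3.6.1.5.5.7.3.4",
    "IPSecEndSystem": "1.3.6.1.5.5.7.3.5",
    "IPSecTunnel": "1.3.6.1.5.5.7.3.6",
    "IPSecUser": "1.3.6.1.5.5.7.3.7",
    "TimeStamp": "1.3.6.1.5.5.7.3.8",
    "OCSPSign": "1.3.6.1.5.5.7.3.9",
    "DVCS": "1.3.6.1.5.5.7.3.10",
    "IKE Intermediate": "1.3.6.1.5.5.8.2.2",
}


def eku_to_oid(name_or_oid):
    """Accept a name from the table or a raw dotted OID (custom EKU)."""
    if name_or_oid in EKU_OIDS:
        return EKU_OIDS[name_or_oid]
    parts = name_or_oid.split(".")
    if len(parts) > 1 and all(p.isdigit() for p in parts):
        return name_or_oid
    raise ValueError("unknown EKU %r" % name_or_oid)


def dn_rule_matches(cert_value, rule):
    """One Distinguished Name rule. Assumed knobs (see lead-in):
    operator Equal/NotEqual, wildcard on/off, match_case on/off."""
    pattern, value = rule["value"], (cert_value or "")
    if not rule.get("match_case", False):
        pattern, value = pattern.lower(), value.lower()
    if rule.get("wildcard", False):
        hit = fnmatchcase(value, pattern)
    else:
        hit = value == pattern
    return hit if rule.get("operator", "Equal") == "Equal" else not hit


def certificate_matches(cert, criteria):
    """cert: {'key_usage': set of KU names, 'eku': set of OIDs,
              'dn': {abbreviation: value} using the table's abbreviations}
    criteria: {'key_usage': [...], 'eku': [names or OIDs], 'dn': [rules]}
    Every listed criterion must hold (assumed semantics)."""
    for ku in criteria.get("key_usage", []):
        if ku not in cert["key_usage"]:
            return False
    for eku in criteria.get("eku", []):
        if eku_to_oid(eku) not in cert["eku"]:
            return False
    for rule in criteria.get("dn", []):
        if not dn_rule_matches(cert["dn"].get(rule["field"]), rule):
            return False
    return True


# Constructed summary of a client certificate (not a real certificate).
SAMPLE_CERT = {
    "key_usage": {"DIGITAL_SIGNATURE", "KEY_ENCIPHERMENT"},
    "eku": {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.8.2.2"},
    "dn": {"CN": "alice.laptop", "OU": "Engineering", "O": "Example Corp",
           "ISSUER-CN": "Example Issuing CA"},
}

# Criteria a profile might carry: client-auth + IKE intermediate EKUs,
# Engineering OU, issuer CN starting with "Example", and not a kiosk CN.
CRITERIA = {
    "key_usage": ["DIGITAL_SIGNATURE"],
    "eku": ["ClientAuth", "1.3.6.1.5.5.8.2.2"],
    "dn": [
        {"field": "OU", "value": "Engineering", "operator": "Equal"},
        {"field": "ISSUER-CN", "value": "Example*", "wildcard": True},
        {"field": "CN", "value": "*.kiosk", "wildcard": True, "operator": "NotEqual"},
    ],
}

if __name__ == "__main__":
    print(certificate_matches(SAMPLE_CERT, CRITERIA))
```

Feeding the summaries of every certificate in the store through `certificate_matches` with the intended criteria shows at a glance whether exactly one certificate would be selected.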

SDI (SoftID) VPN AnyConnect Windows 7 x86 (32-bit) and x64 (64-bit) RSA SecurID 1.1

RSA SecurID RSA SecurID 60 SDI Security Dynamics, Inc.

AnyConnect AnyConnect

SDI AnyConnect PIN RSA SecurID RSA

RSA SecurID PIN PIN AnyConnect PIN

URL URL URL/() AnyConnect (Network (Client) Access, AnyConnect Connection Profiles) (Allow user to select connection) URL

SDI: Passcode; NTLM: Password; 2.1

RSA SecurID PIN RSA SecurID SDI Passcode "Enter a username and passcode or software token PIN" PIN PIN PIN RSA SecurID DLL

    AnyConnect SDIPIN

    Passcode

RSASecurIDIntegration

Automatic - (HardwareToken) PIN (SoftwareToken) SDI

SDI

SDI SKI HardwareToken

SoftwareToken - PIN PIN:

HardwareToken - Passcode:

    AnyConnect RSA RSA SecurID GUI

    SDI SDI

    SDI

    PIN

    PIN

    SDI

SDI PIN PIN SDI RADIUS SDI

    SDI SDI

    PIN PIN

    PIN SDI

PIN PIN AnyConnect PIN PIN

    PIN PIN SDI PIN

PIN PIN PIN PIN (00000000) PIN RSA SDI PIN

SDI PIN PIN SDI PIN RSA SDI PIN

    PIN

    PIN SDI

    PIN

    PIN

    PIN PIN

    SDI PIN PIN

    PIN SDI PIN PIN

PIN AnyConnect PIN PIN 48 PIN

RADIUS PIN PIN

PIN PIN RSA SecurID DLL RSA SecurID DLL

    SDI RADIUS SDI SDI

    SDI SDI SDI

RADIUS SDI RADIUS SDI SDI SDI

SDI RADIUS SDI SDI SDI ASA SDI AnyConnect

RADIUS SDI SDI SDI

RADIUS ASA SDI ASA SDI RADIUS AnyConnect SDI ASA RADIUS

SDI SDI ASA SDI

    AnyConnect

    ASA RADIUS/SDI ASA SDI RADIUS AnyConnect SDI RADIUS SDI

1 Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
2 SDI RADIUS: Edit
3 Edit AnyConnect Connection Profile: Advanced, Group Alias / Group URL
4 Enable the display of SecurID messages on the login screen
5 OK
6 Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups
7 Add AAA
8 Edit AAA Server Group, AAA, OK
9 AAA Server Groups, AAA Servers in the Selected Group, Add
10 SDI Message Table ASA

    RADIUSRADIUS RADIUS

ASA (ACS) ACS ASA

new PIN new-pin-sup next-ccode-and-reauth new-pin-sup new PIN RADIUS new PIN with the next card code new-pin-sup next-ccode-and-reauth

RADIUS

PIN Enter Next PASSCODE next-code

PIN PIN PIN new-pin-sup

PIN PIN PIN new-pin-meth

PIN PIN Alpha-Numerical PIN

new-pin-req

ASA PIN PIN

PIN new-pin-reenter

PIN PIN new-pin-sys-ok

PIN PIN

PIN

next-ccode-and-reauth

ASA PIN

PIN ready-for-sys-pin PIN

    11 OK Apply Save


    Mac OS X Linux AnyConnect ISE AnyConnect ISE

    Cisco AnyConnect

    (IEEE 802.3) (IEEE 802.11)

Windows 7 (3G) Microsoft API WAN

    Windows

    Windows

    IEEE 802.1X

    IEEE MACsec

    EAP

EAP-FAST, PEAP, EAP-TTLS, EAP-TLS, LEAP, EAP-MD5, EAP-GTC; IEEE 802.3: EAP-MSCHAPv2

EAP

PEAP - EAP-GTC, EAP-MSCHAPv2, EAP-TLS

EAP-TTLS - EAP-MD5, EAP-MSCHAPv2, PAP, CHAP, MSCHAP, MSCHAPv2

EAP-FAST - GTC, EAP-MSCHAPv2, EAP-TLS

- WEP, WEP, TKIP, AES

- WPA, WPA2/802.11i

    AnyConnect

Windows: Microsoft CAPI 1.0, CAPI 2.0 (CNG)

Windows ECDSA (SSO) ECDSA

B FIPS FIPS

ACS ISE Suite B, OpenSSL 1.x FreeRADIUS 2.x Suite B, Microsoft NPS 2008 Suite B, NPS RSA

802.1X/EAP Suite B RFC 5430 TLS 1.2

MACsec Windows 7 FIPS

Windows 7 Elliptic Curve Diffie-Hellman (ECDH)

Windows 7 ECDSA

Windows 7 ECDSA CA

Windows 7 ECDSA CA PEM

Windows 7 ECDSA

Microsoft Windows Cisco AnyConnect AnyConnect

Windows

    Windows

    RDP

    user/example [email protected]

    PIN

    Windows EnforceSingleLogon

    Windows EnforceSingleLogon OverlayIcon

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\CredentialProviders\{B12744B8-5BB7-463a-B85E-BB7627E7