AC Client and Profile


Before AnyConnect can be enabled on the ASA, the client image must be loaded onto the ASA appliance. Different clients are available for Windows, Linux and Mac systems. The latest images can be downloaded with a Cisco CCO login.

  • For Windows, a standard Windows installer file (.msi) is provided for each module. These files are installed with a Windows utility called msiexec.
  • For Mac OS X, a disk image is provided that contains standard OS X .pkg (or .mpkg) installers, which are installed with the OS X installer utility.
  • For Linux, .tgz files (GZIP-compressed tar archives) are provided. Each archive contains installation files and an install script that copies the files to the proper location.

In addition to the core AnyConnect VPN client that provides SSL and IPsec (IKEv2) secure VPN connections to the ASA, version 3.1 has the following modules:

• Network Access Manager
• Posture Assessment
• Telemetry
• Web Security
• AnyConnect Diagnostic and Reporting Tool (DART)
• Start Before Logon (SBL)

Configuring ASA to download the client image.

Step 1:- Download the latest Cisco AnyConnect Secure Mobility client package from the Cisco AnyConnect Software Download webpage.
Step 2:- Specify the Cisco AnyConnect Secure Mobility client package file as a client image. In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software.
Step 3:- To add an AnyConnect image, click Add.
• Click Browse Flash to select an AnyConnect image you have already uploaded to the ASA.
• Click Upload to browse to an AnyConnect image you have stored locally on your computer.
Step 4:- Click OK or Upload.
Step 5:- Click Apply.

You can configure this feature for a group policy or user. To change these login settings, follow this procedure:

Step 1:- In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Select a group policy and click Edit. The Edit Internal Group Policy window displays.
Step 2:- In the navigation pane, choose Advanced > AnyConnect Client > Login Settings. Uncheck the Inherit check box, if necessary, and select a Post Login setting. If you choose to prompt users, specify a timeout period and select a default action to take when that period expires in the Default Post Login Selection area.
Step 3:- Click OK and be sure to apply your changes to the group policy.
Step 4:- Click Save.

Initial installation of the client requires administrator rights for the user ID, but subsequent client upgrades do not.

You can force the user to accept a client update, or allow them to defer the update until later.
• Auto Update – When enabled on the VPN profile, forces the user to accept the update. You can also configure AutoUpdate so the user can disable it, although this could result in the client never getting any updates.
• Deferred Update – When a client update is available, AnyConnect opens a dialog asking the user whether to update now or defer the update. Deferred Update is enabled by adding custom attributes to the ASA, and then referencing and configuring those attributes in the group policies. It is supported on all of Windows, Linux and OS X.

Client Profiles

Cisco AnyConnect Secure Mobility client features are enabled in the AnyConnect profiles. These profiles contain configuration settings for the core client VPN functionality and for the optional client modules Network Access Manager, posture, telemetry, and Web Security. The ASA deploys the profiles during AnyConnect installation and updates. Profiles can be created in ASDM or with the stand-alone profile editor.

Profiles are XML files containing gateway connection details, DNS information, gateway-specific backups and various access settings. If you have more than one gateway, you will have to create multiple profiles with specific aliases, and these will appear as a drop-down in the AC Client.

The profile needs to be placed in the below path for the client to read its contents.

Windows 7 and Vista

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\

Windows XP

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Mac OS X and Linux

/opt/cisco/anyconnect/profile/
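
An added example (not from the original page or from Cisco) that audits a profile file taken from one of the paths above: it lists each gateway alias with its backups and flags an AutoUpdate setting that lets users turn updates off. The element names (ServerList, HostEntry, HostName, HostAddress, BackupServerList, AutoUpdate and its UserControllable attribute) are assumed to match the AnyConnect VPN profile schema; the sample profile and host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; element names are assumed to follow the
# AnyConnect VPN profile schema, host names are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="true">true</AutoUpdate>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>HQ Gateway</HostName>
      <HostAddress>vpn1.example.com</HostAddress>
      <BackupServerList><HostAddress>vpn1-backup.example.com</HostAddress></BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>DR Gateway</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    """Stripped text of every direct child element called `name`."""
    return [(c.text or "").strip() for c in parent if _local(c.tag) == name]

def audit_profile(xml_text):
    """Return the gateways a profile offers and any AutoUpdate findings."""
    report = {"gateways": [], "findings": []}
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "HostEntry":
            backups = [a for bl in el if _local(bl.tag) == "BackupServerList"
                       for a in _texts(bl, "HostAddress")]
            report["gateways"].append({
                "alias": (_texts(el, "HostName") or [None])[0],
                "address": (_texts(el, "HostAddress") or [None])[0],
                "backups": backups})
        elif tag == "AutoUpdate":
            if (el.text or "").strip().lower() != "true":
                report["findings"].append("AutoUpdate is disabled in the profile")
            if el.get("UserControllable", "false").lower() == "true":
                report["findings"].append("AutoUpdate is user controllable: users can switch updates off")
    return report

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

To check deployed clients, read each .xml file in the platform's profile directory and pass its contents to audit_profile.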