Cisco anyconnect secure mobility client инструкция

Some 3G cards require configuration steps before using
AnyConnect. For example, the VZAccess Manager has three settings:

• modem manually connects

• modem auto connect except when roaming

• LAN adapter auto connect

If you choose
LAN adapter auto connect, set the preference to NDIS mode.
NDIS is an always on connection where you can stay connected even when the
VZAccess Manager is closed. The VZAccess Manager shows an autoconnect LAN
adapter as the device connection preference when it is ready for AnyConnect
installation. When an AnyConnect interface is detected, the 3G manager drops
the interface and allows the AnyConnect connection.

When you move to a higher priority connection—wired networks are
the highest priority, followed by WiFi, and then mobile broadband—AnyConnect
makes the new connection before breaking the old one.

You can configure AnyConnect to allow VPN connections from Windows RDP
sessions. By default, users connected to a computer by RDP are not able to start a VPN
connection with the Cisco AnyConnect Secure Mobility Client. The following table shows
the logon and logout options for a VPN connection from an RDP session. These preferences
are configured in the VPN client profile:

Windows Logon Enforcement—Available in SBL mode

• Single Local Logon (Default)—Allows only one local user to
  be logged on during the entire VPN connection. Also, a local user can establish
  a VPN connection while one or more remote users are logged on to the client PC.
  This setting has no effect on remote user logons from the enterprise network
  over the VPN connection.

  Note

  If the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling, the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection.

• Single Logon—Allows only one user to be logged on during
  the entire VPN connection. If more than one user is logged on, either locally or
  remotely, when the VPN connection is being established, the connection is not
  allowed. If a second user logs on, either locally or remotely, during the VPN
  connection, the VPN connection terminates. No additional logons are allowed
  during the VPN connection, so a remote logon over the VPN connection is not
  possible.

  Note	Multiple simultaneous logons are not supported.

Windows VPN Establishment—Not Available in SBL Mode

• Local Users Only (Default)—Prevents a remotely logged-on
  user from establishing a VPN connection. This is the same functionality as in
  prior versions of AnyConnect.

• Allow Remote Users—Allows remote users to establish a VPN
  connection. However, if the configured VPN connection routing causes the remote
  user to become disconnected, the VPN connection terminates to allow the remote
  user to regain access to the client PC. Remote users must wait 90 seconds after
  VPN establishment if they want to disconnect their remote login session without
  causing the VPN connection to be terminated.

See
AnyConnect VPN Connectivity
Options for additional VPN session connectivity options.

You can configure AnyConect to allow VPN connections from Linux SSH sessions. By default, users connected to a computer by
SSH are not able to start a VPN connection with the Cisco AnyConnect Secure Mobility Client. The following table shows the
logon and logout options for a VPN connection from an SSH session. These options are configured in the VPN client profile.

Linux Login Enforcement— Single Local Logon (Default): Allows only one local user to be logged on during the entire VPN connection. Also, a local
user can establish a VPN connection while one or more remote users are logged on to the client PC. This setting has no effect
on remote user logons from the enterprise network over the VPN connection.

Note

If the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling, the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection.

Single Logon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on (either locally
or remotely) when the VPN connection is being established, the connection is not allowed. If a second user logs on (either
locally or remotely) during the VPN connection, the VPN connection terminates. No additional logons are allowed during the
VPN connection, so a remote logon over the VPN connection is not possible.

See AnyConnect VPN Connectivity Options for additional VPN session connectivity options.

By default, Windows does not support DES SSL encryption. If you
configure DES-only on the ASA, the AnyConnect connection fails. Because
configuring these operating systems for DES is difficult, we do not recommend
that you configure the ASA for DES-only SSL encryption.

Prepare the target device:

• Make sure that the GNU Make Utility is installed.

• Install the kernel header package:

  • For RHEL, install the package kernel-devel-$(uname -r), such as kernel-devel-2.6.32-642.13.1.el6.x86_64.

  • For Ubuntu, install the package linux-headers-$(uname -r), such as linux-headers-4.2.0-27-generic.

• Make sure that the GCC compiler is installed. The major.minor version of the installed GCC compiler should match the GCC version with which the kernel was built. You can verify this in
  the /proc/version file.

The following table shows the filenames on the endpoint computer when
you predeploy or web deploy the Umbrella Roaming Security Module, Network Access
Manager, AMP Enabler, ISE Posture, and Network Visibility Module clients to a
Windows computer.

AnyConnect 4.3 (and later) has moved to the Visual Studio 2015
build environment and requires VS redistributable files for its Network Access
Manager Module functionality. These files are installed as part of the install
package. You can use the .msi files to upgrade the Network Access Manager
Module to 4.3 (or later), but the AnyConnect Secure Mobility Client must be
upgraded first and running release 4.3 (or later).

Note

If you have a Windows server OS, you may experience installation errors when attempting to install AnyConnect Network Access Manager. The WLAN service is not installed by default on the server operating system, so you must install it and reboot the PC. The WLANAutoconfig service is a requirement for the Network Access Manager to function on any Windows operating system.

If you are copying the files to the client system, the following
tables show where you must place the files.

AnyConnect endpoints are uniquely identified by a Universal Device Identifier (UDID), which all modules of AnyConnect use.
When a Windows VM is cloned, the UDID remains the same for all the clones from a source. To avoid any potential issues with
cloned VMs, follow this action before using AnyConnect:

1. Navigate to C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client and run dartcli.exe with administrator privileges as:

   dartcli.exe -nu

   or

   dartcli.exe -newudid

2. Print the UDID prior to and after this command to ensure that the UDID has changed with this comand:

   dartcli.exe -u

   or

   dartcli.exe -udid

The Network Access Manager, Web Security, and Umbrella Roaming Security modules can run as standalone applications. The AnyConnect
core client is installed, but the VPN and AnyConnect UI are not used.

Predeployment zip Modifications

The zip package file contains the Install Utility, a selector menu program to launch the individual component installers,
and the MSIs for the core and optional AnyConnect modules. When you make the zip package file available to users, they run
the setup program (setup.exe). The program displays the Install Utility menu, from which users choose which AnyConnect modules
to install. You probably do not want your users to chose which modules to load. So if you decide to distribute using a zip
file, edit the zip to remove the modules you do not want to use, and edit the HTA file.

One way to distribute an ISO is by using virtual CD mount software, such as SlySoft or PowerIS.

• Update the zip file with any profiles that you created when you bundled the files, and to remove any installers for modules
  that you do not want to distribute.

• Edit the HTA file to personalize the installation menu, and to remove links to any module installers that you do not want
  to distribute.

After extracting the installers (*.msi) for the modules you want to deploy from the zip image, you can distribute them manually.

Cisco recommends that end users are given limited rights on the device that
hosts the Cisco AnyConnect Secure
Mobility Client. If an end user warrants additional rights, installers can provide a lockdown
capability that prevents users and local administrators from switching off or stopping
those Windows services established as locked down on the endpoint. You can also prevent
users from uninstalling AnyConnect.

AnyConnect for macOS is distributed in a DMG file, which includes all the AnyConnect modules. When users open the DMG file,
and then run the AnyConnect.pkg file, an installation dialog starts, which guides the user through installation. On the Installation
Type screen, the user is able to select which packages (modules) to install.

To remove any of the AnyConnect modules from your distribution, use the
Apple pkgutil tool, and sign the package after modifying it.staller with
ACTransforms.xml. You can customize the language and appearance a You can also
modify the innd change some other install actions, which is described in the
Customization chapter: Customize Installer Behavior on macOS with ACTransforms.xml.

Gatekeeper restricts which applications are allowed to run on
the system. You can choose to permit applications downloaded from:

• Mac App Store

• Mac App Store and identified developers

• Anywhere

The default setting is Mac App Store and identified developers
(signed applications).

The current version of AnyConnect is signed application using an Apple certificate. If Gatekeeper is configured for Mac App
Store (only), then you must either select the Anywhere setting or control-click to bypass the selected setting to install
and run AnyConnect from a predeployed installation. For more information see: http://www.apple.com/macosx/mountain-lion/security.html.

If you will be using server
certificates with AnyConnect, you must make a certificate store available for AnyConnect
to access and verify certificates as trusted. By default, AnyConnect uses the Firefox
certificate store.

Multiple Module
Requirement

If you deploy the core client plus one or more optional modules,
you must apply the lockdown property to each of the installers. Lockdown is
described in the
Windows Predeployment MSI Examples.

This action is available for the VPN installer, Network Access Manager,
Network Visibility Module, and Umbrella Roaming Security Module.

Note	If you choose to activate lockdown to the VPN installer, you will consequently be locking down AMP Enabler as well.

1. Store anyconnect-dart-linux-(ver)-k9.tar.gz locally.

2. From a terminal, extract the tar.gz file using the
   tar -zxvf <path to tar.gz file including
   the file name command.

3. From a terminal, navigate to the extracted folder and run
   dart_install.sh using the
   sudo ./dart_install.sh command.

4. Accept the license agreement and wait for the installation to
   finish.

Note	You can only uninstall DART using /opt/cisco/anyconnect/dart/dart_uninstall.sh.

Note	Because the EDGE browser does not support ActiveX, our provisioning page hides the Automatic Provisioning options.

Note	Web launch works on all browsers that support NPAPI (Netscape Plugin Application Programming Interface) plugins.

Also, with the
addition of the AnyConnect Umbrella Roaming Security Module, Microsoft .NET 4.0
is required.

Download the latest Cisco AnyConnect Secure
Mobility Client package from the Cisco AnyConnect Software Download
webpage.

Note	You should not have different versions for the same operating system on the ASA.

ISE can configure and
deploy the AnyConnect core, ISE Posture module and OPSWAT (compliance module)
to support posture for ISE. ISE can also deploy all the AnyConnect modules and
resources that can be used when connecting to an ASA. When a user browses to a
resource controlled by ISE:

• If ISE is behind
  an ASA, the user connects the ASA, downloads AnyConnect, and makes a VPN
  connection. If AnyConnect ISE Posture was not installed by the ASA, then the
  user is redirected to the AnyConnect Client Portal to install the ISE Posture.

• If ISE is not
  behind an ASA, the user connects to the AnyConnect Client Portal, which guides
  him to install the AnyConnect resources defined in the AnyConnect configuration
  on ISE. A common configuration is to redirect the browser to AnyConnect client
  provisioning portal if the ISE Posture status is unknown.

• When the user is
  directed to the AnyConnect Client Provisioning Portal in ISE:

  • If the browser is Internet Explorer, ISE downloads AnyConnect Downloader, and the Downloader loads AnyConnect.

  • For all other browsers, ISE opens the client provisioning redirection portal, which displays a link to download the Network
    Setup Assistant (NSA) tool. The user runs the NSA, which finds the ISE server, and downloads the AnyConnect downloader.

    When the NSA is done running in Windows, it deletes itself. When it is done running on macOS, it must be manually deleted.

The ISE documentation
describes how to:

• Create AnyConnect
  Configuration profiles in ISE

• Add AnyConnect Resources to ISE from a local device

• Add AnyConnect
  Provisioning Resources from a Remote Site

• Deploy the
  AnyConnect client and resources

Note

Because AnyConnect ISE posture module does not support web proxy based redirection in discovery, Cisco recommends that you use non-redirection based discovery. You can find further information in the Client Provisioning Without URL Redirection for Different Networks section of the Cisco Identity Services Engine Administrator Guide.

ISE can configure and
deploy the following AnyConnect resources:

• AnyConnect core
  and modules, including the ISE Posture module

• Profiles: Network Visibility Module, AMP Enabler, VPN, Network Access Manager,
  Customer Feedback and AnyConnect ISE Posture

• Files for
  customization

  • UI Resources

  • Binaries,
    connection scripts and help files

• Localization
  files

  • AnyConnect
    gettext translations for message localizations

  • Windows
    Installer Transforms

A Firepower Threat Defense (FTD) device is a Next Generation Firewall (NGFW) that provides secure gateway capabilities similar
to the ASA. FTD devices support Remote Access VPN (RA VPN) using the AnyConnect Secure Mobility Client only, no other clients,
or clientless VPN access is supported. Tunnel establishment and connectivity are done with IPsec IKEv2 or SSL. IKEv1 is not
supported when connecting to an FTD device.

Windows, macOS, and Linux AnyConnect clients are configured on the FTD headend and deployed upon
connectivity; giving remote users the benefits of an SSL or IKEv2 IPsec VPN client
without the need for client software installation and configuration. In the case of a
previously installed client, when the user authenticates, the FTD headend examines the
revision of the client, and upgrades the client as necessary.

Without a previously installed client, remote users enter the IP address of an interface configured to download and install
the AnyConnect client. The FTD headend downloads and installs the client that matches the operating system of the remote computer,
and establishes a secure connection.

The AnyConnect apps for Apple iOS and Android devices are installed from the platform app store. They require a minimum configuration
to establish connectivity to the FTD headend. As with other headend devices and environments, alternative deployment methods,
as described in this chapter, can also be used to distribute the AnyConnect software.

Currently, only the core AnyConnect VPN module and the AnyConnect VPN Profile can be configured on the FTD and distributed
to endpoints. A Remote Access VPN Policy wizard in the Firepower Management Center (FMC) quickly and easily sets up these
basic VPN capabilities.

It is possible to disable or limit AnyConnect automatic updates
by configuring and distributing client profiles.

• In the VPN Client Profile:

  • Auto
    Update disables automatic updates. You can include this profile with
    the AnyConnect web-deployment installation or add to an existing client
    installation. You can also allow the user to toggle this setting.

• In the VPN Local Policy Profile:

  • Bypass Downloader
    prevents any updated content on the ASA from being
    downloaded to the client.

  • Update Policy offers granular control over software
    and profiles updates when connecting to different headends.

AnyConnect stores some profile settings on the user computer in
a user preferences file and a global preferences file. AnyConnect uses the
local file to configure user-controllable settings in the Preferences tab of
the client GUI and to display information about the last connection, such as
the user, the group, and the host.

AnyConnect uses the global file for actions that occur before
logon, for example, Start Before Logon and AutoConnect On Start.

The following table shows the filenames and installed paths for
preferences files on the client computer:

The following tables list the ports used by the Cisco AnyConnect Secure
Mobility Client for each protocol.