
Cisco AnyConnect Secure Mobility Solution

Cisco AnyConnect 3.0

Q. What is the Cisco® AnyConnect Secure Mobility Client?
A. The Cisco AnyConnect Secure Mobility Client is a multifunctional security client that supports security services such as SSL and IPsec remote-access VPN, 802.1X, and secure mobility integration with ScanSafe. The modular client allows organizations to select the features and capabilities that are most applicable to their secure connectivity needs, providing maximum flexibility and benefit.
Q. What features are available in AnyConnect Secure Mobility Client Version 3.0?
A. The following features are available:

• Integrated Cisco ScanSafe Web Security services offer cloud-based real-time web protection and policy enforcement

• IEEE 802.1X functionality, provided as part of the Network Access Manager, adds a single authentication framework to manage user and device identity

• IEEE 802.1AE (MACsec), provided as part of the Network Access Manager, offers data confidentiality, integrity, and authentication of data origin on a wired network

• IPsec/IKEv2 offers an optimized connection for latency-sensitive traffic when security policies require use of IPsec

• Telemetry shares feedback with the Cisco web filtering infrastructure about the origin of malicious content

Q. Is Version 3.0 available as an upgrade for existing AnyConnect customers?
A. Cisco recommends that existing AnyConnect customers upgrade to the latest version to take advantage of the new features and bug fixes. Customers with an existing Cisco SMARTnet® support contract can upgrade free of charge. Customers running the Cisco IPsec VPN Client are encouraged to upgrade to AnyConnect to take advantage of the latest VPN features. The low-cost AnyConnect Essentials licensing option provides an attractive migration opportunity for existing Cisco VPN Client customers.
Q. How has AnyConnect been designed to take advantage of these new features?
A. Cisco designed the AnyConnect Secure Mobility Client with customization in mind. New features are modular: Customers can install just the modules applicable to their deployment needs and install new modules as their needs evolve.
The new modules added in AnyConnect Version 3.0 include the following:

• Web Security for ScanSafe module - Cloud-based web security services

• VPN module - SSL and the latest version of IPsec VPN (IKEv2)

• Network Access Manager module - 802.1X and MACsec functionality

Secure Mobility

Q. What is Secure Mobility?
A. Secure mobility combines web security and remote access VPN for an exceptionally comprehensive and secure enterprise mobility solution. Most enterprise traffic is web-based, which dramatically increases the level of security threats. The Cisco AnyConnect Secure Mobility Solution uses the Cisco AnyConnect Secure Mobility Client and Cisco ASA 5500 Series Adaptive Security Appliance with either a premises-based Cisco IronPort® Web Security Appliance or cloud-based Cisco ScanSafe Web Security services to provide acceptable use policy (AUP) controls, malware filtering, data security, and application visibility and control.
Q. What is the difference between the Cisco AnyConnect Secure Mobility Solution using AnyConnect Version 2.5 or AnyConnect Version 3.0?
A. With AnyConnect Version 3.0, an organization has the choice and flexibility of using either the premises-based Cisco IronPort Web Security Appliance or the cloud-based Cisco ScanSafe Web Security service for enhanced web security. Cisco AnyConnect Version 2.5 works solely with the Cisco IronPort Web Security Appliance.
Q. Does the AnyConnect Web Security for ScanSafe module work with the Cisco IronPort Web Security Appliance?
A. No. The web security module is only required for interaction with the Cisco ScanSafe Web Security service. When connected to the corporate network, the Cisco IronPort Web Security Appliance will provide web security with AnyConnect in a transparent fashion.
Q. What is Cisco ScanSafe?
A. Cisco ScanSafe is the largest global provider of web security software as a service to keep malware off corporate networks and control and secure employee web usage. With the addition of Cisco ScanSafe to the AnyConnect Secure Mobility Solution, organizations now have a choice to deploy a premises-based Cisco IronPort Web Security Appliance or cloud-based Cisco ScanSafe Web Security services to provide comprehensive protection for roaming employees.
Q. Is AnyConnect an alternative to the ScanSafe Anywhere+ client?
A. AnyConnect Version 3.0 provides equivalent functionality to the ScanSafe Anywhere+ 1.2 client. ScanSafe customers may deploy AnyConnect as an alternative to Anywhere+ for extending the perimeter to roaming workers, enabling consistent policy and security regardless of location (home, hotspots, client sites, etc.).
Q. Is an additional AnyConnect license needed to enable ScanSafe functionality?
A. No additional AnyConnect licenses are needed for ScanSafe connectivity. Licensing for the ScanSafe capabilities will be handled by existing ScanSafe licensing requirements.
Q. Is there licensing for the Cisco AnyConnect Secure Mobility Client itself?
A. Yes. For a nominal fee, the Cisco AnyConnect Essentials license provides full VPN tunneling, the Network Access Manager module, and telemetry features. The AnyConnect Premium license supports all Essentials capabilities, plus advanced features such as clientless SSL VPN, Cisco Secure Desktop capabilities (including HostScan), and support for the Cisco AnyConnect Secure Mobility Solution. For more information, please see the licensing overview document in the AnyConnect product documentation area of Cisco.com.
Q. What is the telemetry module?
A. The telemetry module is used in conjunction with the Cisco IronPort Web Security Appliance. This optional module provides confidential feedback from endpoints to the web filtering infrastructure, using information about the origin of malicious content. This enhances web security protection levels by working to strengthen the filtering algorithm and improves the accuracy of the URL reputation database by analyzing and correlating endpoint data.
Q. How can I learn more about the Cisco AnyConnect Secure Mobility Solution?
A. More information is available at http://www.cisco.com/en/US/netsol/ns1049/index.html.

VPN

Q. I am an AnyConnect Version 2.5 customer. Will I encounter any usability changes in the client when I upgrade to Version 3.0?
A. Yes. The user interface has been updated to accommodate the additional capabilities in Version 3.0. The AnyConnect product documentation contains screenshots that illustrate the changes and highlight the usability enhancements in Version 3.0.
Q. I see that the AnyConnect VPN module supports IPsec. Will the AnyConnect VPN module work with Cisco VPN 3000 Series concentrators?
A. No. Cisco VPN 3000 Series concentrators support IPsec IKEv1. The VPN module in AnyConnect Version 3.0 supports IPsec IKEv2. Additionally, the AnyConnect Secure Mobility Client does not work with Cisco PIX® Security Appliances.
Q. Why does the AnyConnect Secure Mobility Client support IKEv2 and not IKEv1?
A. IKEv2 offers greater security when compared to the older IKEv1. Unlike IKEv1, IKEv2 is capable of supporting AnyConnect features such as HostScan, dynamic access policies, and secure mobility.
Q. Can an AnyConnect Version 3.0 client establish a VPN connection to prior Cisco ASA Software releases?
A. Existing AnyConnect SSL features are backward-compatible with Cisco ASA Software Release 8.0.x. However, new AnyConnect features, such as IKEv2, will require a future Cisco ASA Software release and associated Cisco Adaptive Security Device Manager (ASDM) version.
Q. If I have a profile from AnyConnect Version 2.5 or earlier, do I have to rebuild the profile for AnyConnect Version 3.0?
A. You will only need to rebuild the profile if you plan to use the new features in AnyConnect Version 3.0.
Q. Will the standalone DART tool provide the diagnostics and reporting capabilities for new Cisco AnyConnect Version 3.0 features?
A. Yes. All integrated diagnostics and reporting capabilities will be captured by the DART tool.

Network Access Manager

Q. How is IEEE 802.1X available in Cisco AnyConnect?
A. 802.1X over Ethernet (802.3) and Wi-Fi (802.11) is available as a separate module in AnyConnect: the Network Access Manager. This separately loadable module must be installed on the endpoint for AnyConnect to perform 802.1X authentication.
Q. Does Cisco AnyConnect support wireless connectivity?
A. Yes. The Network Access Manager associated with AnyConnect Version 3.0 and later supports wireless connectivity using an 802.11 wireless network interface card.
Q. Does Cisco AnyConnect support WPA2?
A. Yes. The Network Access Manager in AnyConnect Version 3.0 and later supports WPA2, provided WPA2 is supported by the wireless network interface card.
Q. I understand the AnyConnect Network Access Manager can be used to put different users on different VLANs on my wired network. Can I encrypt that data?
A. Yes. The AnyConnect Network Access Manager supports 802.1AE, also known as MACsec, which encrypts traffic over the wired LAN.
Q. What hardware is required for MACsec?
A. There are no hardware requirements for MACsec on the local machine. If the network interface card does not support MACsec, the encryption is done on the main processor on the local computer. A MACsec-capable switch is required on the network side.
Q. How do the 802.1X features in the AnyConnect Network Access Manager compare to the features in the Cisco Secure Services Client (CSSC)?
A. The AnyConnect Network Access Manager module is a replacement for the Cisco CSSC's 802.1X functionality.
Q. What features in the CSSC are not being carried over to the AnyConnect Network Access Manager?
A. In AnyConnect Version 3.0 and later, the interaction between the CSSC and the traditional Cisco VPN Client has been discontinued.
Q. Can I use the AnyConnect Network Access Manager with the traditional Cisco VPN Client?
A. Yes. You can use the Cisco VPN Client with the AnyConnect Network Access Manager, but they are separate applications with separate user interfaces. There is no interaction between the AnyConnect Network Access Manager and the Cisco VPN Client.
Q. Can I use the AnyConnect Network Access Manager without the VPN function?
A. Yes. All of the components in the AnyConnect Secure Mobility Client can be used independently. If you are not using the AnyConnect VPN functionality, you can install the AnyConnect Secure Mobility Client so that the VPN functionality is not enabled.
Q. I see there is a GINA module that is part of the AnyConnect Secure Mobility Client. When do I need to use that module?
A. The GINA module is used with the VPN portion of the AnyConnect Secure Mobility Client. It is used for pre-logon authentication. The Network Access Manager does not require the separate GINA module for pre-logon authentication.
Q. I am currently running the Cisco Secure Services Client today. Do I need to uninstall it prior to installing the AnyConnect Network Access Manager?
A. No. The installation of the AnyConnect Network Access Manager will recognize that the Secure Services Client version 5.x is installed and will uninstall it as part of the Network Access Manager installation.
Q. Can I upgrade directly from the Cisco Secure Services Client Version 4.x?
A. Upgrading directly from the Cisco Secure Services Client Version 4.x is not supported. You will need to uninstall Version 4.x before installing the AnyConnect Network Access Manager.
Q. Will user configurations from the Secure Services Client be retained when I upgrade to the AnyConnect Network Access Manager?
A. Yes. The user's personal configuration information will be retained as part of the upgrade. If you choose to define more restrictive policies as part of the transition to the AnyConnect Network Access Manager, profiles the user created in the Secure Services Client that now violate the updated AnyConnect Network Access Manager policy will not be supported.
Q. I have created an organization-specific XML for the Secure Services Client. Will I need to create a new one for the AnyConnect Network Access Manager?
A. No. As part of the installation of the Network Access Manager, AnyConnect will import organization-specific configurations from the Cisco Secure Services Client Version 5.x. However, new features in the Network Access Manager will require an updated configuration file.
Q. The Secure Services Client has a management utility for complex configuration editing. What is the equivalent function in AnyConnect?
A. AnyConnect offers a profile editor that can run either as a standalone utility or as part of the Cisco ASDM on Cisco ASA 5500 Series Adaptive Security Appliances.
Q. The Cisco Secure Services Client allowed me to limit the wireless encryptions and EAP methods the end user could select. Does the AnyConnect Network Access Manager support this functionality?
A. Yes, with improvements. The authentication policy in the Cisco Secure Services Client management utility could be applied to both deployed and user-created profiles. The authentication policy in the AnyConnect Network Access Manager is only applicable to user-created profiles, which means it can be tuned to only those capabilities that an end user should be able to access.
Q. Can I prevent users from adding any profiles to the AnyConnect Network Access Manager?
A. Yes. User profile configuration can be prevented through the authentication policy in the Network Access Manager profile editor.
Q. Can I prevent users from disabling the AnyConnect Network Access Manager?
A. Yes. You can use the Network Access Manager profile editor to prevent users from disabling the Network Access Manager. However, users that have administrative privileges on the local machine can stop the Network Access Manager service and uninstall the Network Access Manager.
Q. Does the AnyConnect Network Access Manager support certificates?
A. Yes. The AnyConnect Network Access Manager supports certificates, smartcards, key fobs, usernames/passwords, and tokens as network authentication credentials.
Q. Can the AnyConnect Network Access Manager take advantage of a user's Windows authentication and use those credentials instead of asking the user in a separate dialog?
A. Yes. The AnyConnect Network Access Manager can use the credentials that the user enters into Windows, including smartcards and username/password combinations. A security advance starting with Windows Vista limits the use of username/password credentials to MSCHAPv2.