Chapter 38 Configuring Anyconnect Vpn Client Connections - Cisco PIX 500 Series Configuration Manual

Configuring AnyConnect VPN Client Connections
The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for
remote users. Without a previously installed client, remote users enter in their browser the IP address
of an interface configured to accept SSL VPN connections. Unless the security appliance is configured to
redirect http:// requests to https://, users must enter the URL in the form https://<address>.
After the user enters the URL, the browser connects to that interface and displays the login screen. If the
user satisfies the login and authentication, and the security appliance identifies the user as requiring the
client, the security appliance downloads the client that matches the operating system of the remote
computer. After downloading, the client installs and configures itself, establishes a secure SSL connection,
and either remains or uninstalls itself (depending on the security appliance configuration) when the
connection terminates.
In the case of a previously installed client, when the user authenticates, the security appliance examines
the revision of the client, and upgrades the client as necessary.
When the client negotiates an SSL VPN connection with the security appliance, it connects using
Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS
avoids latency and bandwidth problems associated with some SSL connections and improves the
performance of real-time applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the security appliance, or it can be installed manually
on the remote PC by the system administrator. For more information about installing the client manually,
see the Cisco AnyConnect VPN Client Administrator Guide.
The security appliance downloads the client based on the group policy or username attributes of the user
establishing the connection. You can configure the security appliance to automatically download the
client, or you can configure it to prompt the remote user about whether to download the client. In the
latter case, if the user does not respond, you can configure the security appliance to either download the
client after a timeout period or present the login page.
This section covers the following topics:
Installing the AnyConnect SSL VPN Client
Enabling AnyConnect Client Connections
Enabling Permanent Client Installation
Configuring DTLS
Prompting Remote Users
Enabling AnyConnect Client Profile Downloads
Enabling Additional AnyConnect Client Features
Configuring Advanced SSL VPN Features
Cisco Security Appliance Command Line Configuration Guide, Chapter 38 (OL-12172-03)

This manual is also suitable for: ASA 5500 series