Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
SSL VPN Client Settings
The Cisco AnyConnect VPN client provides secure SSL connections to the ASA for remote users. The
client gives remote users the benefits of an SSL VPN client without the need for network administrators
to install and configure clients on remote computers.
Without a previously installed client, remote users enter in their browser the IP address of an interface
configured to accept SSL VPN connections. Unless the ASA is configured to redirect http:// requests to
https://, users must enter the URL in the form https://<address>.
If you need to redirect http:// requests to https://, go to Configuration > Remote Access VPN >
Advanced, then click HTTP Redirect. Choose the interface you want to redirect, then click Edit to
display the Edit HTTP/HTTPS Settings dialog box. Check the Redirect HTTP to HTTPS check box,
and change the HTTP Port value, if necessary. Click OK to close this dialog box, then click Apply to
save your settings.
After the user enters the URL, the browser connects to that interface and displays the login screen. If the
user satisfies the login and authentication, and the ASA identifies the user as requiring the client, it
downloads the client that matches the operating system of the remote computer. After downloading, the
client installs and configures itself, establishes a secure SSL connection, and either remains or uninstalls
itself (depending on the ASA configuration) when the connection terminates.
In the case of a previously installed client, when the user authenticates, the ASA examines the revision
of the client, and upgrades the client as necessary.
When the client negotiates an SSL VPN connection with the ASA, it connects using Transport Layer
Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS avoids latency and
bandwidth problems associated with some SSL connections and improves the performance of real-time
applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the ASA, or it can be installed manually on the remote
PC by the system administrator. For more information about installing the client manually, see the
Cisco AnyConnect VPN Client Administrator Guide.
The ASA downloads the client based on the group policy or local user policy attributes. You can
configure the ASA to automatically download the client, or you can configure it to prompt the remote
user about whether to download the client. In the latter case, if the user does not respond, you can
configure the ASA to either download the client after a timeout period or present the login page.
Fields
• SSL VPN Client Images table—Displays the package files specified as SSL VPN client images, and
  allows you to set the order in which the ASA downloads the images to the remote PC.
  – Add—Displays the Add SSL VPN Client Image dialog box, where you can specify a file in flash
    memory as a client image file, or where you can browse flash memory for a file to specify as a
    client image. You can also upload a file from a local computer to the flash memory.
  – Replace—Displays the Replace SSL VPN Client Image dialog box, where you can specify a file
    in flash memory as a client image to replace an image highlighted in the SSL VPN Client
    Images table. You can also upload a file from a local computer to the flash memory.
  – Delete—Deletes an image from the table. This does not delete the package file from flash.
  – Move Up and Move Down—Changes the order in which the ASA downloads the client images
    to the remote PC. It downloads the image at the top of the table first. Therefore, you should
    move the image used by the most commonly encountered operating system to the top.
• SSL VPN Client Profiles table—Displays the XML files specified as SSL VPN client profiles. These
  profiles display host information in the AnyConnect VPN Client user interface.
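
The HTTP Redirect setting and the client image order described above can be checked offline against a saved running configuration. The script below is an added example, not part of the Cisco guide. It assumes the CLI forms "http redirect <interface> [port]", "enable <interface>" under webvpn, and "svc image <file> <order>" ("anyconnect image" on later releases). The configuration excerpt, interface names and package file names are constructed.

```python
import re

# Constructed running-config excerpt (not from the guide); file names are placeholders.
SAMPLE_CONFIG = """\
http server enable
http redirect outside 80
webvpn
 enable outside
 enable dmz
 svc image disk0:/example-client-macosx.pkg 2
 svc image disk0:/example-client-win.pkg 1
 svc enable
group-policy ExamplePolicy internal
"""

def audit(config):
    """Report SSL VPN interfaces lacking an HTTP redirect, and the image download order."""
    redirects = {}    # interface -> HTTP port that is redirected to HTTPS
    vpn_ifaces = []   # interfaces configured to accept SSL VPN connections
    images = []       # (order, package file) pairs from the webvpn block
    in_webvpn = False
    for line in config.splitlines():
        if not line.startswith(" "):
            # A non-indented line is a global command or opens a new mode.
            in_webvpn = line.strip() == "webvpn"
            m = re.match(r"http redirect (\S+)(?: (\d+))?$", line)
            if m:
                redirects[m.group(1)] = int(m.group(2) or 80)  # port defaults to 80
            continue
        if not in_webvpn:
            continue
        words = line.split()
        if len(words) == 2 and words[0] == "enable":
            vpn_ifaces.append(words[1])
        elif len(words) == 4 and words[:2] in (["svc", "image"], ["anyconnect", "image"]):
            images.append((int(words[3]), words[2]))
    return {
        "redirects": redirects,
        # Users who type http://<address> for these interfaces are not redirected.
        "no_redirect": [i for i in vpn_ifaces if i not in redirects],
        # Lowest order number is downloaded first (top of the ASDM table).
        "download_order": [name for _, name in sorted(images)],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
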