72-135
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter72 Configuring Clientless SSL VPN
Customizing the AnyConnect Client
We recommend that you sign your custom Windows client binaries (either GUI or CLI version) that you
import to the ASA. A signed binary has a wider range of functionality available to it. If the binaries are
not signed the following functionality is affected:
Web-Launch—The clientless portal is available and the user can authenticate. However, tunnel
establishment does not work as expected: with an unsigned GUI on the client, the client does not
start as part of the clientless connection attempt, and once this condition is detected, the
connection attempt is aborted.
SBL—The Start Before Logon feature requires that the client GUI used to prompt for user
credentials be signed. If it is not, the GUI does not start. Because SBL is not supported for the CLI
program, this affects only the GUI binary file.
Auto Upgrade—During the upgrade to a newer version of the client, the old GUI exits, and after the
new GUI installs, the new GUI starts. The new GUI does not start unless it is signed. As with
Web-Launch, the VPN connection terminates if the GUI is not signed. However, the upgraded client
remains installed.
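Because every failure mode above traces back to an unsigned GUI or CLI binary, it is worth checking the Authenticode status of the custom binaries on the staging workstation before importing them to the ASA. The following PowerShell is an added example, not code from the Cisco guide; the staging paths and file names are hypothetical placeholders, and it relies only on the built-in Get-AuthenticodeSignature cmdlet.

```powershell
# Added example (not from the Cisco guide): report the Authenticode status of
# custom AnyConnect Windows binaries before they are imported to the ASA.
# The paths and file names below are hypothetical placeholders.
$binaries = @(
    'C:\staging\anyconnect\CustomVpnGui.exe',   # custom GUI binary (hypothetical)
    'C:\staging\anyconnect\CustomVpnCli.exe'    # custom CLI binary (hypothetical)
)

function Test-AnyConnectBinarySignature {
    param([string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ File = $file; Status = 'Missing'; Signer = $null; Ok = $false }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            File   = $file
            Status = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Only a chain that validates on this host counts as signed for our purposes.
            Ok     = ($sig.Status -eq 'Valid')
        }
    }
}

$report = Test-AnyConnectBinarySignature -Path $binaries
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one binary is missing, unsigned, or has an invalid signature; do not import it.'
    exit 1
}
```

A status of NotSigned or HashMismatch on the GUI binary is exactly the condition that makes Web-Launch, SBL and Auto Upgrade fail as described above, so treating anything other than Valid as a blocker keeps the unsigned binary from ever reaching the ASA.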
Restrictions
The ASA does not support this feature for the AnyConnect VPN client, Versions 2.0 and 2.1. For more
information on manually customizing the client, see the AnyConnect VPN Client Administrator Guide
and the Release Notes for Cisco AnyConnect VPN Client.
Importing Scripts
AnyConnect lets you download and run scripts when the following events occur:
Upon the establishment of a new AnyConnect client VPN session with the security appliance. We
refer to a script triggered by this event as an OnConnect script because it requires this filename
prefix.
Upon the tear-down of an AnyConnect client VPN session with the security appliance. We refer to
a script triggered by this event as an OnDisconnect script because it requires this filename prefix.
Thus, the establishment of a new AnyConnect VPN session initiated by Trusted Network Detection
triggers the OnConnect script (assuming the requirements are satisfied to run the script). The
reconnection of a persistent AnyConnect VPN session after a network disruption does not trigger the
OnConnect script.
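Since the OnConnect and OnDisconnect filename prefixes are what select the triggering event, one script body can serve both events if it inspects its own filename. The following PowerShell is an added example, not one of the Cisco example scripts; it assumes the same file is deployed twice under two names (for instance OnConnect-audit.ps1 and OnDisconnect-audit.ps1) and records each session event to a local log. The log path and the use of PowerShell for the script are assumptions; the guide does not specify the script environment.

```powershell
# Added example (not from the Cisco guide): an audit script meant to be deployed
# under both an OnConnect-* and an OnDisconnect-* filename. It derives the event
# from its own filename, because the prefix is what AnyConnect keys on.
# The log location is a hypothetical choice.
$logPath    = 'C:\ProgramData\VpnAudit\session-events.log'   # hypothetical path
$scriptName = $MyInvocation.MyCommand.Name

$event = switch -Regex ($scriptName) {
    '^OnConnect'    { 'SESSION_ESTABLISHED'; break }   # new VPN session, incl. TND-initiated
    '^OnDisconnect' { 'SESSION_TORN_DOWN'; break }
    default         { $null }
}

if (-not $event) {
    # A file without the required prefix is never triggered by AnyConnect;
    # make that obvious if someone runs it by hand while testing.
    Write-Warning "Filename '$scriptName' lacks the OnConnect/OnDisconnect prefix; AnyConnect will not run it."
    exit 1
}

# Note: a persistent session reconnecting after a network disruption does not
# fire OnConnect, so one SESSION_ESTABLISHED entry may span several reconnects.
New-Item -ItemType Directory -Path (Split-Path -Parent $logPath) -Force | Out-Null
$entry = '{0} {1} user={2} host={3}' -f (Get-Date -Format 'o'), $event, $env:USERNAME, $env:COMPUTERNAME
Add-Content -LiteralPath $logPath -Value $entry
```

Run the file by hand under each of the two names on a test endpoint first, as the Prerequisites below assume; the resulting log lines give you a simple local record of when tunnels were established and torn down that can be correlated with the ASA's own session logs.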
Prerequisites
These instructions assume you know how to write scripts and run them from the command line of the
targeted endpoint to test them.
Restrictions
The AnyConnect software download site provides some example scripts; if you examine them,
please remember that they are only examples; they may not satisfy the local computer requirements
for running them, and are unlikely to be usable without customizing them for your network and user
needs. Cisco does not support example scripts or customer-written scripts.
For complete information about deploying scripts, and their limitations and restrictions, see the
AnyConnect VPN Client Administrator Guide.