30-52
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
Citrix (ICA)—For Citrix MetaFrame services.
Post—For post services.
Plug-in File—The name of the File policy object that defines the plug-in file. Enter the name of the File object or click Select to select an object or to create a new one. For more information on creating File Objects, see Add and Edit File Object Dialog Boxes, page 33-25.
To edit a plug-in, select it, click the Edit Row button, and make your changes in the Edit Plug-In Entry dialog box.
To delete a plug-in, select it and click the Delete Row button. You are asked to confirm the deletion.
Understanding SSL VPN AnyConnect Client Settings
The Cisco AnyConnect VPN Client provides secure SSL and IKEv2 IPsec connections to the security appliance for remote users. The client gives remote users the benefits of an SSL or IKEv2 IPsec VPN client without the need for network administrators to install and configure clients on remote computers.
Tip IKEv2 IPsec connections require AnyConnect 3.0 or higher clients.
Without a previously installed client, remote users enter in their browser the IP address of an interface configured to accept SSL or IKEv2 IPsec VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.
After the user enters the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure connection, and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.
In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client and upgrades the client as necessary.
When the client negotiates a connection with the security appliance, it connects using Transport Layer Security (TLS) and, optionally, Datagram Transport Layer Security (DTLS). DTLS avoids the latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote workstation by the system administrator. For more information about installing the client manually, see the Cisco AnyConnect Secure Mobility Client Administrator Guide. AnyConnect documentation is available at http://www.cisco.com/en/US/products/ps10884/tsd_products_support_series_home.html. You can find general information about AnyConnect at http://www.cisco.com/go/anyconnect.
The security appliance downloads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.