rvarelac

What is the XML profile?

You enable Cisco AnyConnect Secure Mobility Client features in the AnyConnect profiles—XML files that contain configuration settings for the core client with its VPN functionality. The ASA deploys the profiles during AnyConnect installation and updates. Users cannot manage or modify profiles directly.

Where is the XML profile located?

Windows 7 and 8

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Mac OS X

/opt/cisco/anyconnect/profile

Linux

/opt/cisco/anyconnect/profile

How do I access the XML profile?

The AnyConnect profile can be edited in ASDM:

Configuration > Remote Access VPN > Network Access > AnyConnect Client Profile.

 

Preferences part 1 

Use Start Before Logon 

Start Before Logon (SBL) lets the user see the AnyConnect logon screen before logging in to the Windows machine.

This feature is available for the following Windows platforms and is disabled by default:

  • Windows Vista
  • Windows 7
  • Windows 8 and 8.1

Some scenarios where SBL is used:

  • The user's PC is joined to an Active Directory infrastructure.
  • The user cannot have cached credentials on the PC, that is, the group policy disallows cached credentials.
  • The user must run login scripts that execute from a network resource or that require access to a network resource.
  • The user has network-mapped drives that require authentication with the Active Directory infrastructure.
  • Networking components, such as MS NAP/CS NAC, can require a connection to the infrastructure.

For SBL to work you need:

  • The ASA certificate added to the Local Computer certificate store (Trusted Root Certification Authorities) if it is self-signed; otherwise a 3rd-party certificate must be installed on the ASA.
  • The certificate's subject CN must match the DNS-resolved name. Editing the hosts file is also OK.
  • SBL must be enabled in the AnyConnect Client Profile on the ASA (though you could manually edit the .xml on the client's computer).
  • The ASA must be reachable via a domain name. An IP address does not work.
  • The same FQDN must be used for HostName and HostAddress in the XML profile:

<HostEntry>
        <HostName>vpn.tbecinc.com</HostName>
        <HostAddress>vpn.tbecinc.com</HostAddress>
</HostEntry>
 

ASA required configuration:

hostname(config)# group-policy SBL-VPN attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc modules value vpngina

 

Show pre-connected message

Enables an administrator to have a one-time message displayed prior to a user's first connection attempt. For example, the message can remind users to insert their smart card into its reader.

This message can be customized on the following path:

ASDM>Configuration>Remote Access VPN>Anyconnect Customization/localization>GUI text and messages>Edit

The message appears in that file under the label "This is a pre-connected reminder message".

 

Certificate store

Controls which certificate store(s) Anyconnect uses for storing and reading certificates. The default setting (All) is appropriate for most cases. Do not change this setting unless you have a specific reason or scenario requirement to do so.

  • All: (Default) Directs the Anyconnect client to use all certificate stores for locating certificates.
  • Machine: Directs the Anyconnect client to restrict certificate lookup to the Windows local machine certificate store.
  • User: Directs the Anyconnect client to restrict certificate lookup to the local user certificate stores.

NOTE: If you use SBL, this setting must be All or Machine, because AnyConnect in SBL mode cannot read user certificates.

 

Certificate Store Override

Allows an administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the user does not have administrator privileges on their device. This prevents permission issues when the user is not an admin on the device.

 

Auto Connect on Start

Anyconnect, when started, automatically establishes a VPN connection with the secure gateway specified by the Anyconnect profile, or to the last gateway to which the client connected.

 

Minimize On Connect

After establishing a VPN connection, the Anyconnect GUI minimizes.

 

Local LAN Access

Allows the user complete access to the local LAN connected to the remote computer during the VPN session to the ASA.

Enabling local LAN access can potentially create a security weakness from the public network, through the user's computer, into the corporate network. Enabling this feature is not recommended; instead, use split-tunnel "exclude specified" under the AnyConnect group-policy, or the AnyConnect firewall feature.
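As an added example (not from the original post or from Cisco), the following Python script audits a client profile for the SBL requirements listed earlier (certificate store, FQDN host entries) and for Local LAN Access. The element names are assumed to match what the AnyConnect profile editor writes, and the sample profile is constructed for the demonstration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile (not a real deployment). Element names are assumed
# to follow the AnyConnect profile editor's output; verify against your own ASA.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <CertificateStore>User</CertificateStore>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>203.0.113.10</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _strip_namespaces(root):
    """Drop the xmlns part of every tag so lookups can use bare element names."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(node, path, default=None):
    """Stripped text of the first element at path, or default when absent."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_profile(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    findings = []
    sbl = _text(root, "ClientInitialization/UseStartBeforeLogon", "false").lower() == "true"
    store = _text(root, "ClientInitialization/CertificateStore", "All")
    lan = _text(root, "ClientInitialization/LocalLanAccess", "false").lower() == "true"
    # In SBL mode the client cannot read user certificates: store must be All or Machine.
    if sbl and store == "User":
        findings.append("SBL enabled with CertificateStore=User; use All or Machine")
    # SBL reaches the ASA by a name matching the certificate CN; an IP address does not work.
    for entry in root.findall("ServerList/HostEntry"):
        name, addr = _text(entry, "HostName"), _text(entry, "HostAddress")
        if sbl and (addr is None or _is_ip(addr)):
            findings.append(f"HostEntry {name}: HostAddress must be an FQDN for SBL, got {addr}")
    # Local LAN access bridges the untrusted LAN into the session; prefer split-exclude.
    if lan:
        findings.append("LocalLanAccess=true; prefer exclude-specified split tunneling")
    return findings
```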

 

Auto Reconnect

AnyConnect attempts to reestablish a VPN connection if you lose connectivity.

 

Auto Reconnect Behavior 

Disconnect On Suspend: (Default) AnyConnect releases the resources assigned to the VPN session upon a system suspend and does not attempt to reconnect after the system resumes.

Reconnect After Resume: Anyconnect attempts to reestablish a VPN connection if you lose connectivity.

 

Auto Update

When checked, enables the automatic update of the client. You can upload a newer version to the ASA to automatically upgrade the VPN client on the user's computer.

 

RSA Secure ID Integration (Windows only)

Controls how the user interacts with RSA. By default, Anyconnect determines the correct method of RSA interaction (automatic setting: both software and hardware tokens accepted).

 

Windows Logon Enforcement

Allows a VPN session to be established from a Remote Desktop Protocol (RDP) session. Split tunneling must be configured in the group policy.

Anyconnect disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, the VPN connection terminates.

  • Single Local Logon (Default): Allows only one local user to be logged on during the entire VPN connection. Also, a local user can establish a VPN connection while one or more remote users are logged on to the client PC.
  • Single Logon: Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection terminates. 

 

Windows VPN Establishment

Determines the behavior of Anyconnect when a user who is remotely logged on to the client PC establishes a VPN connection.

  • Local Users Only (Default): Prevents a remotely logged-on user from establishing a VPN connection.
  • Allow Remote Users: Allows remote users to establish a VPN connection. Remote users must wait 90 seconds after VPN establishment if they want to disconnect their remote login session without causing the VPN connection to be terminated.

 

Clear SmartCard PIN

Once the Anyconnect session is terminated, the SmartCard PIN is deleted from the computer cache.

 

IP Protocol Supported

For clients with both an IPv4 and an IPv6 address attempting to connect to the ASA, AnyConnect needs to decide which IP protocol to use to initiate the connection. By default AnyConnect initially attempts to connect using IPv4. If that is not successful, AnyConnect attempts to initiate the connection using IPv6.

 

Preferences part 2 

Disable Automatic Certificate Selection (Windows only)

Disables automatic certificate selection by the client and prompts the user to select the authentication certificate. This setting can be disabled on the Anyconnect GUI also.

 

Proxy Settings

Specifies a policy in the Anyconnect profile to control client access to a proxy server. Use this when a proxy configuration prevents the user from establishing a tunnel from outside the corporate network.

  • Native (default): causes the client to use both proxy settings previously configured by Anyconnect, and the proxy settings configured in the browser. The proxy settings configured in the global user preferences are pre-pended to the browser proxy settings.
  • Ignore Proxy: Ignores the browser proxy settings on the user's computer. Does not affect proxies that can reach the ASA.
  • Override: Manually configures the address of the Public Proxy Server. Public proxy is the only type of proxy supported for Linux. 

Allow Local Proxy Connections

Enabled by default, Anyconnect lets Windows users establish a VPN session through a transparent or non-transparent proxy service on the local PC. Uncheck this parameter if you want to disable support for local proxy connections.

 

Enable Optimal Gateway Selection

OGS is a feature that can be used in order to determine which gateway has the lowest Round Trip Time (RTT) and connect to that gateway. One can use the OGS feature in order to minimize latency for Internet traffic without user intervention.

OGS works best with the latest Anyconnect client and ASA software Version 9.1(3) or later.

How does it work?

The client sends three HTTP/443 requests to each headend that appears in a merge of all profiles. These HTTP probes are referred to as OGS pings in the logs.

OGS determines the user location based on the network information, such as the Domain Name System (DNS) suffix and the DNS server IP address. The RTT results, along with this location, are stored in the OGS cache. 

OGS location entries are cached for 14 days, and clearing this cache is not user configurable. This means the OGS process is triggered every 14 days; if the user moves to another location, the OGS process is not triggered again.

Currently, OGS only runs the checks if the user comes out of suspend and the threshold has been exceeded. OGS does not connect to a different ASA if the ASA the user is connected to crashes or becomes unavailable. OGS contacts only the primary servers in the profile in order to determine the optimal one. Even if the user's machine has other profiles, the user will not be able to select any of them until OGS is disabled.

When OGS is used, if connectivity to the gateway to which the users are connected is lost, then Anyconnect connects to the servers in the backup server list and not to the next OGS host.

OGS contacts only the primary servers in order to determine the optimal one. Once determined, the connection algorithm is:

  • Attempt to connect to the optimal server.
  • If that fails, try the optimal server's backup server list.
  • If that fails, try each server that remains in the OGS selection list, ordered by its selection results.

When the administrator configures the backup server list, the current profile editor only allows the administrator to enter the Fully Qualified Domain Name (FQDN) for the backup server, but not the user-group, as is possible for the primary server.

Suspension Time Threshold (hours): The elapsed time from disconnecting to the current secure gateway to reconnecting to another secure gateway. If users experience too many transitions between gateways, increase this time.

Performance Improvement Threshold (%): The performance improvement that triggers the client to connect to another secure gateway. The default is 20%.

If AAA is used, users may have to re-enter their credentials when transitioning to a different secure gateway. Using certificates eliminates this problem.

More information about OGS 

https://supportforums.cisco.com/document/58711/anyconnect-optimal-gateway-selection-operation

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116721-technote-ogs-00.html

 

Automatic VPN Policy (Trusted Network Detection)

TND gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network).

If AnyConnect is also running Start Before Logon (SBL) and the user moves into the trusted network, the SBL window displayed on the computer automatically closes.

TND does not interfere with the ability of the user to manually establish a VPN connection. It does not disconnect a VPN connection that the user starts manually in the trusted network. TND only disconnects the VPN session if the user first connects in an untrusted network and then moves into a trusted network.

TND is supported on Windows and Mac computers.

TND requires strict certificate checking (AnyConnect will not establish a session if the certificate presented by the ASA cannot be verified).

Trusted Network Policy: the action the client takes when the user is inside the corporate network.

  • Disconnect: The client terminates the VPN connection in the trusted network.
  • Connect: The client initiates a VPN connection in the trusted network.
  • Do Nothing: The client takes no action in the trusted network. Setting both the Trusted Network Policy and Untrusted Network Policy to do nothing disables TND.
  • Pause: AnyConnect suspends the VPN session instead of disconnecting it if a user enters a network configured as trusted. When the user goes outside the trusted network again, AnyConnect resumes the session. This feature is for the user's convenience because it eliminates the need to establish a new VPN session after leaving a trusted network.

Untrusted Network Policy: the action the client takes when the user is outside the corporate network.

  • Connect: The client initiates a VPN connection upon the detection of an untrusted network.
  • Do Nothing: The client takes no action upon detection of an untrusted network. This option disables Always-On VPN.

Trusted DNS Domains: DNS suffixes (a string separated by commas) that a network interface may have when the client is in the trusted network. For example: *.cisco.com

Trusted DNS Servers: All DNS server addresses (a string separated by commas) that a network interface may have when the client is in the trusted network. For example: 2.2.2.*, 4.4.4.4
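The following Python model, added here and not part of the original post or of Cisco's code, shows how the trusted/untrusted decision and the two policies fit together: an interface is classified from its DNS suffix and DNS servers against the Trusted DNS Domains and Trusted DNS Servers strings, and the policy is applied only to sessions that started in an untrusted network. The matching rules (glob wildcards as in *.cisco.com and 2.2.2.*, both lists required when both are configured) are assumptions, not the client's exact algorithm.

```python
import fnmatch


def _patterns(csv):
    """Split the profile's comma-separated string into trimmed, non-empty patterns."""
    return [p.strip() for p in csv.split(",") if p.strip()]


def _matches(value, patterns):
    """Case-insensitive wildcard match ('*' as in the profile examples)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def classify_network(dns_suffix, dns_servers, trusted_dns_domains, trusted_dns_servers):
    """Return 'trusted' or 'untrusted' for one interface.

    Assumption: each configured list must match, and when both are configured
    both must match; an empty profile string is treated as 'nothing trusted'."""
    domains = _patterns(trusted_dns_domains)
    servers = _patterns(trusted_dns_servers)
    if not domains and not servers:
        return "untrusted"  # nothing to compare against: fail to the safe side
    if domains and not _matches(dns_suffix, domains):
        return "untrusted"
    if servers and not any(_matches(s, servers) for s in dns_servers):
        return "untrusted"
    return "trusted"


def tnd_action(network, trusted_policy, untrusted_policy, session):
    """Apply the Trusted/Untrusted Network Policy to the current VPN session.

    session is None (no VPN) or a dict with 'started_in' ('trusted' or
    'untrusted': the network the session was established from) and 'state'
    ('connected' or 'paused').  Returns one of 'connect', 'disconnect',
    'pause', 'resume' or 'none'."""
    if network == "untrusted":
        if session is not None and session["state"] == "paused":
            return "resume"  # Pause policy: resume once back outside
        if session is None and untrusted_policy == "Connect":
            return "connect"
        return "none"  # 'Do Nothing' (disables Always-On) or already connected
    # Trusted network from here on.
    if session is None:
        return "connect" if trusted_policy == "Connect" else "none"
    if session["started_in"] != "untrusted":
        return "none"  # a session started manually inside the trusted network is left alone
    return {"Disconnect": "disconnect", "Pause": "pause"}.get(trusted_policy, "none")
```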

 

Always-On

You can configure AnyConnect to establish a VPN session automatically after the user logs in to a computer. The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer expires.

Supported on Windows and Mac computers.

Always-on VPN does not currently support connecting through a proxy. When AnyConnect detects always-on VPN in the profile, it protects the endpoint by deleting all other AnyConnect profiles, and ignores any public proxies configured to connect to the ASA.

This feature requires an Anyconnect Premium License. 

Allow VPN disconnect

Enables the Disconnect button on the client. Users of always-on VPN sessions may want to click Disconnect so they can choose an alternative secure gateway for reasons such as the following:

  • Performance issues with the current VPN session.
  • Reconnection issues following the interruption of a VPN session.

Disabling the Disconnect button can at times hinder or prevent VPN access.

If the user clicks Disconnect during an always-on VPN session, Anyconnect locks all interfaces to prevent data from leaking out and protects the computer from internet access except for that required to establish a new VPN session. Anyconnect locks all interfaces, regardless of the connect failure policy.

Connect Failure Policy

Open: Does not restrict network access when Anyconnect cannot establish a VPN session (for example, when an ASA is unreachable).

Closed: Restricts network access when the VPN is unreachable. ARP, DNS, DHCP and connectivity to the secure gateway IP are the only traffic allowed.

More information regarding TND and Always-On

https://supportforums.cisco.com/document/59201/anyconnect-trusted-network-detection-tnd-and-always-troubleshooting-faqs

 

Allow captive portal remediation

Many facilities that offer Wi-Fi and wired access, such as airports, coffee shops, and hotels, require the user to pay before obtaining access, agree to abide by an acceptable use policy, or both. These facilities use a technique called captive portal to prevent applications from connecting until the user opens a browser and accepts the conditions for access.

If always-on VPN is enabled, the connect failure policy is closed, captive portal remediation is disabled, and AnyConnect detects the presence of a captive portal, the AnyConnect GUI displays the following message once per connection and once per reconnect:

“The service provider in your current location is restricting access to the Internet.”

“The Anyconnect protection settings must be lowered for you to log on with the service provider. Your current enterprise security policy does not allow this.”

Captive portal detection is enabled by default and is non-configurable.

Captive portal remediation is the process of satisfying the requirements of a captive portal hotspot to obtain network access. By default, the connect failure policy prevents captive portal remediation because it restricts network access. You can configure AnyConnect to lift restricted access to let the user satisfy the captive portal requirements. You can also specify the duration for which the client lifts restricted access.

If the connect failure policy is open, users can remediate captive portal requirements. The captive portal remediation feature applies only if the connect failure policy is closed and a captive portal is present.

Remediation Timeout: Enter the number of minutes that AnyConnect lifts the network access restrictions. The user needs enough time to satisfy the captive portal requirements.

Apply Last VPN Local Resource Rules: Applies the last client firewall it received from the security appliance, which may include ACLs allowing access to resources on the local LAN.

When users connect to the ASA with a tunnel all option, all traffic is tunneled through the connection and users cannot access resources on their local network. This includes printers, cameras, and Windows Mobile devices (tethered devices) that sync with the local computer. You can use the ASA to deploy endpoint OS firewall capabilities to restrict access to particular types of local resources, such as printers and tethered devices.

The following notes clarify how the Anyconnect client uses the firewall:

  • The source IP is not used for firewall rules. The client ignores the source IP information in the firewall rules sent from the ASA. The client determines the source IP depending on whether the rules are public or private. Public rules are applied to all interfaces on the client. Private rules are applied to the Virtual Adapter.
  • The ASA supports many protocols for ACL rules. However, the Anyconnect firewall feature supports only TCP, UDP, ICMP, and IP.

Allow Manual Host Input

Allows the user to type a host address in the AnyConnect client; otherwise the client is locked to the hosts listed in the XML profile.

 

PPP Exclusion

ISPs in some countries require support of the L2TP and PPTP tunneling protocols to send traffic destined for the secure gateway over a PPP connection.

AnyConnect uses the point-to-point adapter generated by the external tunnel. When establishing a VPN tunnel over a PPP connection, the client must exclude traffic destined for the ASA from the tunneled traffic intended for destinations beyond the ASA. To specify whether and how to determine the exclusion route, use the PPP Exclusion setting.

PPP exclusion:

  • Automatic: Enables PPP exclusion. Anyconnect automatically uses the IP address of the PPP server.
  • Override: Also enables PPP exclusion. If automatic detection fails to get the IP address of the PPP server, and the PPP Exclusion UserControllable value is true, instruct users to manually input the PPP server IP.
  • Disabled: PPP exclusion is not applied.

Enable Scripting

Launches OnConnect and OnDisconnect scripts if present.

Terminate Script on Next Event: Terminates a running script process if a transition to another scriptable event occurs. On Microsoft Windows, AnyConnect also terminates any scripts that the OnConnect or OnDisconnect script launched, as well as all their script descendants. On Mac OS and Linux, AnyConnect terminates only the OnConnect or OnDisconnect script; it does not terminate child scripts.

Enable Post SBL on Connect Script: Prevents launching of the OnConnect script if SBL establishes the VPN session.

AnyConnect supports script launching during WebLaunch and standalone launches.

Cisco does not support example scripts or customer-written scripts.

 

Retain VPN on Logoff

Keeps the VPN session when the user logs off a Windows operating system.

User enforcement

  • Any User: Continues the VPN session even if a different user logs on. This value
  • Same User Only: Ends the VPN session when a different user logs on.

Authentication Timeout Control

By default, Anyconnect waits up to 12 seconds for an authentication from the secure gateway before terminating the connection attempt. Anyconnect then displays a message indicating the authentication timed out.

More information about these features:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html

Hope It helps

-Randy - 

 

 

 

 
