This video features a step-by-step walkthrough of configuring Cisco AnyConnect on FTD managed by FMC. Timestamps are included for certificate installation, Access Control, Licensing, NAT, and Deployment failures.
At 6:12 you added a CA Certificate (paste certificate here). Is this the Root CA Certificate (from the CA authority I'll send the CSR to for signing) that you added?
This is the CA certificate that will ultimately sign your identity certificate. For instance, if you had this structure:
It would be SubCA1 that you would put here. This is similar to the ASA, where we authenticate a trustpoint with the CA and then import the ID cert into the same trustpoint. It is always the CA that directly signs the certificate in the full certificate chain.
Please let me know if that clarifies it for you, or if you have any additional questions.
I have a question about licensing. At 2:51 you mention that the number of AnyConnect (Plus or Apex) licenses to purchase has to match the number of users connecting to the FTD VPN endpoint firewall, but when an FTD is enabled to use an AnyConnect license on the FMC, the number of these licenses decreases only by 1 and not by the number of users actually connected. Did I get this right?
So please let me know if these assumptions are correct:
If we have 1000 users concurrently connecting on 5 different FTDs, we should purchase 1000 AnyConnect licenses.
When we enable our FTDs to use the AnyConnect license through FMC, the number of available AnyConnect licenses in our Smart Account should decrease to 995.
If these 5 FTDs are, for example, Firepower 2110s (which allow 1500 max remote access users) and we have in total more than 1000 users connected (say 2000 across all the FTDs), the license count will not reflect the number of users connected, so they will be allowed anyway.
Obviously, to be compliant we have to purchase the additional 1000 AnyConnect licenses (I think Cisco allows a grace period of 40 days to become compliant), but this is not reflected in the license count in the Smart Account.
Also:
If all the statements above are correct, what is the license count usage for HA FTDs? Is it one license applied per HA pair, or one for each individual FTD?
Are AnyConnect licenses to be purchased for concurrent users or for individual users? I mean, if we have 1000 users in total but only 500 connect concurrently to our remote access VPN, do we need to purchase 1000 licenses or 500?
To answer the last two questions: when you apply a license to an HA pair, it is one license count per box, so it should decrease by 2 licenses, one for each FTD device.
Note: The number of licenses needed for AnyConnect Plus or Apex is based on all the possible unique users that may use any Cisco AnyConnect service. The exact number of Plus or Apex licenses should be based on the total number of unique users that require the specific services associated with each license type.
You should purchase licenses based on the total number of possible unique users that are authorized by your company to access AnyConnect. If you have 10000 employees in your company, but only 1000 would ever be in a position to work remotely and need AnyConnect access, then you would purchase 1000 licenses.
Please let me know if this clears things up, or if you have any additional questions.
I would like to ask if these statements are also valid for ASA code, and whether with FTD there is an actual difference in the feature set technically enabled between AnyConnect Plus and Apex.
For example, AnyConnect Apex is necessary for ISE posture, but with ASA code there is no practical check where this is enforced; as far as I know, only ISE checks for the ISE Apex license.
Is this the same behavior for FTD code, or does, for example, an AnyConnect Apex license need to be enabled on the FTD for posture to be processed for an AnyConnect client connecting via remote access to the FTD device with ISE in the backend?
The check is always done on ISE, whether the headend is the ASA or the FTD box. You need the Apex/Plus license to use the AnyConnect client on the ASA/FTD, but the ISE posture license check is done on the ISE side, not the headend side.
I was referring to any license enforcement that would differ between FTD code and ASA code, but apparently there is no difference.
Thanks again for your help.
PS: I may have some comments on FTD features I would like to share, but I guess this is not the right thread for that. If by any chance I could get in touch here or directly with you about it, let me know.
Another question: I am running a test with FTD and remote access and I would like to use a wildcard certificate on the outside interface. Is it possible to do this with FMC?
I am failing to see how to apply a wildcard certificate (that I imported into the internal certificates objects) to the remote access outside interface; at least through the wizard there is no option to do so.
EDIT:
I just realized my error. To load a wildcard certificate, or any certificate to use on an outside interface for remote access on the firewalls, all that is needed is to select
Enrollment type: PKCS12 File
and then upload the certificate along with the private key and the passcode.
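The two certificate points raised in this thread (which CA certificate belongs in the trustpoint beside the identity certificate, and what the PKCS12 File enrollment type expects to receive) can be checked on a workstation before anything is pasted into FMC. The POSIX shell script below is an added example, not code from the thread, from the video or from Cisco; it assumes only a working `openssl` command. It builds a constructed RootCA -> SubCA1 -> vpn.example.com chain, picks out the CA whose subject DN equals the identity certificate's issuer DN (SubCA1, not the root) and confirms the signature, verifies the full chain the way the headend will after import, and finally bundles certificate, private key and chain into a PKCS12 file protected by a passcode. All DNs, file names and the passcode are constructed test values.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Throwaway two-tier PKI built with
# openssl to show (1) which CA certificate directly signed the identity certificate and so
# belongs in the FMC/FTD trustpoint, and (2) how identity cert + private key + chain are
# bundled into a PKCS12 file for "Enrollment type: PKCS12 File". All names are constructed.
set -eu

# Subject / issuer DN of a PEM cert in RFC 2253 form, with the "subject="/"issuer=" label
# stripped so the two strings can be compared directly.
dn_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=[[:space:]]*//'; }
dn_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[^=]*=[[:space:]]*//'; }

# make_test_pki DIR: RootCA -> SubCA1 -> vpn.example.com (identity cert), constructed test data.
make_test_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.com\nextendedKeyUsage=serverAuth\n' > "$dir/id.ext"
  # self-signed root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=RootCA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # intermediate, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=SubCA1" \
    -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/sub.pem" 2>/dev/null
  # identity (headend) cert, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
    -keyout "$dir/id.key" -out "$dir/id.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/id.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
    -CAcreateserial -extfile "$dir/id.ext" -out "$dir/id.pem" 2>/dev/null
}

# find_signing_ca LEAF CA...: print the CA file whose subject DN equals LEAF's issuer DN and
# whose key actually verifies LEAF's signature. That CA is the one to paste into the
# trustpoint before importing the identity cert; a name match alone is not proof.
find_signing_ca() {
  leaf=$1; shift
  want=$(dn_issuer "$leaf")
  for ca in "$@"; do
    if [ "$(dn_subject "$ca")" = "$want" ] &&
       openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
      echo "$ca"
      return 0
    fi
  done
  echo "no CA in the given set issued $leaf" >&2
  return 1
}

# verify_chain LEAF INTERMEDIATE ROOT: the full-chain check the headend performs after import.
verify_chain() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null; }

# make_pkcs12 OUT.p12 PASSCODE LEAF KEY CHAIN: bundle identity cert, private key and chain.
# PASSCODE is what the FMC "passcode" field asks for on import.
make_pkcs12() {
  openssl pkcs12 -export -in "$3" -inkey "$4" -certfile "$5" -name "ra-vpn-id" \
    -passout "pass:$2" -out "$1"
}

# p12_subject FILE PASSCODE: read back the identity cert's subject DN from the bundle.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=[[:space:]]*//'
}

main() {
  work=$(mktemp -d)
  make_test_pki "$work"
  signer=$(find_signing_ca "$work/id.pem" "$work/root.pem" "$work/sub.pem")
  echo "CA to paste into the trustpoint: $signer ($(dn_subject "$signer"))"
  verify_chain "$work/id.pem" "$work/sub.pem" "$work/root.pem" && echo "full chain verifies"
  cat "$work/sub.pem" "$work/root.pem" > "$work/chain.pem"
  make_pkcs12 "$work/id.p12" "constructed-passcode" "$work/id.pem" "$work/id.key" "$work/chain.pem"
  echo "PKCS12 identity: $(p12_subject "$work/id.p12" constructed-passcode)"
  rm -rf "$work"   # the .p12 contains the private key; do not leave it lying around
}
main
```

Two practical notes. OpenSSL 3 writes PKCS12 files with AES-256-CBC, PBKDF2 and a SHA-256 MAC by default; a headend that only understands the older 3DES/SHA-1 bundle will reject the import, and `openssl pkcs12 -export -legacy` produces the older format. The .p12 file and its passcode together are the identity's private key, so generate the bundle on a trusted host, avoid passing the passcode on a command line that lands in shell history, and delete the file once FMC has imported it.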
It looks like you have it sorted out now. Let me know if you are still having issues.
I will have a full series on certificates on ASA, FTD, FDM, IOS XE, and IOS routers in the coming weeks. I will include PKCS12, self-signed, manual, and SCEP enrollment, along with just about anything you can think of relating to certs and Cisco devices.
Additionally, we will be having an event to discuss some of the other questions you had about FTD on Monday.