anyconnect secure mobility client connect to multiple peer addresses

andrew.king
Level 1

I am configuring a client's ASA and using AnyConnect Secure Mobility Client, but during testing I noticed that the peer address for my company VPN was deleted after I installed the new client's certificate.

Is there a way to have 2 peer addresses, in the same way that the old VPN client used .pcf profiles?

Thanks.

8 Replies

andrew.king
Level 1

Found the solution

Perform the following steps:

  • Open the location: “%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile”
  • Open Notepad and copy the text below:

http://schemas.xmlsoap.org/encoding/">

username

ssl_url

none

true

  • Edit the user and hostname as required.
  • Add the client certificate thumbprint (you can get this from the preferences.xml file in

C:\Users\\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client (for Windows 7).

  • Save as an .xml file in the same location.
  • Restart Cisco AnyConnect.

* Perform the same steps for all the addresses (profiles) you want to create, and you will get the list of all the addresses in Cisco AnyConnect.

Andrew,


I'm using Win 7 Enterprise SP1 O/S & AnyConnect Ver. 3.1.05187

My C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile consists of 2 files: an AnyConnectProfile.xsd file (see screenshot below) and an .xml file (see beneath the screenshot for a redacted version of that file).

anyconnect profile .xml file


<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="true">false</LocalLanAccess>
        <ClearSmartcardPin UserControllable="true">false</ClearSmartcardPin>
        <IPProtocolSupport>IPv4</IPProtocolSupport>
        <AutoReconnect UserControllable="true">true
            <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>true
            <TrustedDNSDomains>XYZ123.com</TrustedDNSDomains>
            <TrustedDNSServers>10.104.XXX.XX</TrustedDNSServers>
            <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
            <UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>
            <AlwaysOn>false
            </AlwaysOn>
        </AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Automatic
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <BackupServerList>
            <HostAddress>vpn1.XYZ123.com</HostAddress>
            <HostAddress>vpn2.XYZ123.com</HostAddress>
            <HostAddress>vpn3.XYZ123.com</HostAddress>
        </BackupServerList>
        <EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>Denver Employee Primary VPN</HostName>
            <HostAddress>vpn1.XYZ123.com</HostAddress>
            <PrimaryProtocol>IPsec</PrimaryProtocol>
        </HostEntry>
        <HostEntry>
            <HostName>Denver Employee Secondary VPN</HostName>
            <HostAddress>vpn2.XYZ123.com</HostAddress>
            <PrimaryProtocol>IPsec</PrimaryProtocol>
        </HostEntry>
        <HostEntry>
            <HostName>New York Employee Primary VPN</HostName>
            <HostAddress>vpn3.XYZ123.com</HostAddress>
            <PrimaryProtocol>IPsec</PrimaryProtocol>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>


My preferences .xml follows:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>xxxxxxx</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>B93902BE6C1431988E1CA88AC5049668D97EDC83</ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>Denver Employee Secondary VPN</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup>XXXXXXXXXXX</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>


The above is the profile I use for one company (XYZ123), and I want to be able to add the profile for a 2nd company (ABC789), so I can select it from the AnyConnect dropdown.

Specifically, how do I modify these files if, with the 2nd company (ABC789), my username or DefaultUser is yyyyyyy and my ssl_url or DefaultGroup is YYYYYYYYYYY?

Would greatly appreciate any input on this, as I'm not quite as 'high-speed' with coding type functions as I'd like to be.

Cheers, Duncan F


Under the ServerList section above, simply add additional HostEntry sections. Each one begins and ends as shown below, just type in the host name and host address values. If the primary protocol is SSL (most common) we can leave out that line as SSL is the default (vice IPsec).

        <HostEntry>
            <HostName>2nd company</HostName>
            <HostAddress>fqdn or IP address of second company</HostAddress>
            <PrimaryProtocol>IPsec</PrimaryProtocol>
        </HostEntry>

Marvin - I'll give it a go this evening & see how I make out - thanks for the quick follow-up!

Duncan F

You're welcome. Note you will need to restart the VPN UI to make the client software re-parse the <profile name>.xml file(s).

I should have correctly noted that you actually create new profiles for each connection - not modify the one in use by your company.

Here's a better template for you to use:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="true">false</LocalLanAccess>
        <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
        <IPProtocolSupport>IPv4</IPProtocolSupport>
        <AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="true">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Disable
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="true">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>(name you want in dropdown)</HostName>
            <HostAddress>(new host)</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
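As an added example (not code from this thread or from Cisco), the script below generates a profile file with one <HostEntry> per connection in the namespace the template uses, reads back what the dropdown will show, and flags HostName values that collide across several profile files. It assumes Python 3.8+ and the standard library only; the host names and addresses are constructed.

```python
# Added example, not code from the thread: build an AnyConnect client profile with
# several <HostEntry> items and inspect what the client's dropdown will contain.
# Assumes Python 3.8+, standard library only; host names/addresses are constructed.
import xml.etree.ElementTree as ET

NS = "http://schemas.xmlsoap.org/encoding/"           # default namespace of AnyConnectProfile
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("", NS)                          # serialize as xmlns="..." like the template
ET.register_namespace("xsi", XSI)

def q(tag):
    """Qualify a profile element name with the AnyConnect namespace."""
    return f"{{{NS}}}{tag}"

def build_profile(entries):
    """Return profile XML bytes with one <HostEntry> per (name, address, protocol).
    protocol=None omits <PrimaryProtocol>, leaving the client at its SSL default."""
    root = ET.Element(q("AnyConnectProfile"),
                      {f"{{{XSI}}}schemaLocation": f"{NS} AnyConnectProfile.xsd"})
    ET.SubElement(root, q("ClientInitialization"))     # client settings go here (see the thread's template)
    server_list = ET.SubElement(root, q("ServerList"))
    for name, address, protocol in entries:
        host = ET.SubElement(server_list, q("HostEntry"))
        ET.SubElement(host, q("HostName")).text = name
        ET.SubElement(host, q("HostAddress")).text = address
        if protocol:
            ET.SubElement(host, q("PrimaryProtocol")).text = protocol
    if hasattr(ET, "indent"):                          # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def list_host_entries(xml_bytes):
    """Return [(HostName, HostAddress, protocol)] from one profile; protocol defaults to 'SSL'."""
    root = ET.fromstring(xml_bytes)
    if root.tag != q("AnyConnectProfile"):             # wrong root or namespace: reject it
        raise ValueError(f"not an AnyConnect profile, root element is {root.tag!r}")
    return [(h.findtext(q("HostName")), h.findtext(q("HostAddress")),
             h.findtext(q("PrimaryProtocol")) or "SSL")
            for h in root.iterfind(f"{q('ServerList')}/{q('HostEntry')}")]

def merge_dropdown(profiles):
    """Merge HostName lists of all profile files (one XML blob each), as the client does.
    Returns (names in order, names seen more than once); duplicates are ambiguous in the UI."""
    names, dupes = [], set()
    for blob in profiles:
        for name, _addr, _proto in list_host_entries(blob):
            if name in names:
                dupes.add(name)
            else:
                names.append(name)
    return names, dupes

if __name__ == "__main__":
    xyz = build_profile([("Denver Employee Primary VPN", "vpn1.XYZ123.com", "IPsec")])
    abc = build_profile([("ABC789 Employee VPN", "vpn.ABC789.com", None)])  # constructed 2nd company
    print(abc.decode())
    print(merge_dropdown([xyz, abc]))
```

Each company's profile is written to its own file in the Profile directory, and the client is restarted so it re-parses the files, exactly as the replies above describe.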

I'm one of those people who needs multiple host entries.  Is it possible to save the username with each entry?  Currently, I'm getting the last username used (coming from preferences.xml).

Sorry but the last username used will always be used by default.

It's not possible to store a username per profile.

The only change you can make to that behavior is to not use the last username at all.

(Corner case - if the VPN is setup on the ASA to use user certificates, the VPN can pull the username automatically from the certificate.)

Thanks for the answer.  I had tried putting <user> and <username> in various places with no success.  At least now I know it's a dead end.
