Showing results for 
Search instead for 
Did you mean: 

Always-On VPN and Management VPN Tunnel Requirements?

What are the hardware and licensing requirements to deploy Always-On VPN with Management VPN Tunnel to Windows 10 and Mac devices?

We would like laptops to automatically connect to Management VPN tunnels so that users always have connectivity to our internal domain controllers when they log in. We want it to work like a seamless version of SBL except that the computer would only have access to limited resources such as domain controllers and remote management and patching/update servers prior to login).

Does the SBL plugin need to be installed on the device to use the Management VPN Tunnel?

Can you suppress displaying the AnyConnect icon in the system tray so that some users don’t feel compelled to try to disconnect the VPN if they feel that they don’t need to access internal corporate resources they normally used VPN for in the past?

Is there any integration with MFA such as DUO and RSA tokens when logging into a computer using Always-On VPN?


If Cisco AnyConnect fails due to software corruption or some configuration issue with the device and Always-On VPN policy applied which blocks internet access unless Always-On VPN is connected, would there be any way for the end user to receive remote assistance to fix the issue?

Are there internet accessible sites and IP ranges that can be whitelisted to work without requiring Always-On VPN working so that help desk personnel can start a remote assistance session to assist the user with reinstalling the AnyConnect client or doing whatever else is required to get it working again?

VIP Master

Few things we need to consider deploying this solution (is this addon to additional infrastructure or new), if addon to exiting we believe standard infrastructure in place (Network and windows Server AD ).


you can choose any vendor for multifactor authentication, based on comfort, cisco offer Duo so seamless integration, I worked with other vendors too, all are same, (look for cost effect and reliable solution based on your requirement).



here is the good document latest one to start with :


any connect guide :


***** Rate All Helpful Responses *****

How to Ask The Community for Help

I couldn’t find anything in the links provided on how to provide remote support to a user if the Always-on VPN feature is configured, but not working properly due to an issue with the local PC.

Is there a way to configure a whitelist of allowed connections that are still available when Always-on VPN is disabled/disconnected locally (such as a list of internet-accessible networks required for remote assistance tools to work)?


Is simultaneous deployment of always-on VPN and management VPN tunnel compatible on the same system?

Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (46%)

Content for Community-Ad