
Anyconnect SBL Win7

spencercook
Level 1

I know this has been done to death by the looks of the websites/posts I've found but I'm still getting nowhere.

Background,

Win7 PCs at a remote location. Users have never logged onto them, and I need SBL.

Pre-installed the AnyConnect client v 3.1.04066, with the SBL add-on.

However, nothing I do seems to permit me to use SBL.

I press C+A+D, and try to switch user, but I get no icon on the lower right to run the SBL window.

Is there something I'm missing here?

Thanks

Spencer


Richard Burts
Hall of Fame

Spencer

In addition to installing the SBL add-on, have you also edited/set up the XML profile that AnyConnect uses with the settings for SBL?

HTH

Rick


Jeet Kumar
Cisco Employee

Hi Spencer,

To enable SBL we need the GINA module installed on your machine and a profile with SBL enabled.

If you are looking for it to be pre-installed, then make sure you have these 2 things there on your PC.

You can download the GINA module from the Cisco site. It comes in a bundle with the ISO file, and you have to manually import the profile.

In case you already have both of them and it's still not working, we would need DART logs from the machine.

Thanks

Jeet Kumar

spencercook
Level 1

Thanks for your responses,

I've got the SBL installed as well, it was installed as part of the anyconnect package.  Where do I locate the XML profile for anyconnect?  I've done a search and find c:\program files\cisco\cisco anyconnect secure mobility client\acsock.xml, but this has no entries for either "start" or "SBL".

Is this the correct file?

*EDIT*

I've located 4 other xml files under C:\programdata\cisco\cisco anyconnect secure mobility client\

files being

preferences_global.xml

anyconnectlocalpolicy.xml

vpnmanifestsbl.xml

vpnmanifestclient.xml

I assume it's one or more of these.

Note, the latest version 3.1 of anyconnect seems to have a different folder structure to the previous 3.0 version.

Spencer

The first time that I installed AnyConnect for a customer who wanted support for SBL I found the XML profile and actually edited the XML code to create the entries that we needed. After that I discovered that it is possible to edit/create the profile through ASDM and this is generally an easier process. So my advice to you is to look into ASDM as the way to get the entries that you need in the profile.

HTH

Rick
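An added example, not written by anyone in this thread: a Python check that tells which XML file in the AnyConnect directories is actually a VPN profile and whether Start Before Logon is switched on in it, useful before copying one profile to many machines. It assumes the profile root element `AnyConnectProfile` and the `UseStartBeforeLogon` element with its `UserControllable` attribute, which the thread does not show; the sample documents and `vpn.example.com` are constructed.

```python
import pathlib
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a minimal profile with SBL switched on.
SAMPLE_SBL_ON = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Example VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed sample: well-formed XML that is not a VPN profile.
SAMPLE_NOT_A_PROFILE = "<SomeOtherSettings><Entry>1</Entry></SomeOtherSettings>"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_sbl(xml_data):
    """Classify one XML document (str or bytes) by its SBL setting."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return {"status": "invalid-xml", "detail": str(exc)}
    if _local(root.tag) != "AnyConnectProfile":
        return {"status": "not-a-profile", "detail": _local(root.tag)}
    hosts = [(e.text or "").strip() for e in root.iter()
             if _local(e.tag) == "HostAddress"]
    for e in root.iter():
        if _local(e.tag) == "UseStartBeforeLogon":
            on = (e.text or "").strip().lower() == "true"
            return {"status": "sbl-enabled" if on else "sbl-disabled",
                    "user_controllable": e.get("UserControllable"),
                    "hosts": hosts}
    return {"status": "sbl-missing", "hosts": hosts}


if __name__ == "__main__":
    # Usage: python check_sbl.py <directory containing the .xml files>
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in sorted(pathlib.Path(folder).glob("*.xml")):
        print(path.name, check_sbl(path.read_bytes()))
```

A result of `sbl-missing` or `not-a-profile` for every file in a directory means no SBL-enabled profile has been deployed there yet.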


spencercook
Level 1

Thanks for that, Richard, but the problem is that for me to edit via ASDM means all of the machines will have to be brought to site, for the users to log on, so we can obtain cached credentials, so the VPN can be initiated to download the profile.

This isn't an issue for a couple of users, but if we have 50 or 60, then it will be very labour intensive, with hours wasted in travelling time.

Although can someone confirm if I do this through the ASDM route on one machine, then copy the profile and put it on all other machines it will work?

Thanks

Spencer

Is it possible for those PCs to connect to the ASA from where they are? If so the XML profile could be loaded automatically and remotely.

HTH

Rick


spencercook
Level 1

For some it's possible, but for most it will mean physically picking them up and moving them to do this.

I have SBL working now on the client side.  I created the profile on the asa and connected to the test machine used for getting this working.  However I'm getting the certificate error caused with AC3.1, and the client logon then VPN logon prompts me to connect anyway, however the SBL VPN authentication terminates with a trusted network error.

Does anyone know of a way to ignore and use the self cert or will I have to go down the route of purchasing a new certificate?

Thanks.

Spencer

I am not aware of a way to use the self signed certificate without getting the error. If you do not want users to see those error/warning messages then I believe that you need to purchase a public certificate.

HTH

Rick


spencercook
Level 1

Thanks for your help.

Looks like it might have to be a new certificate, because without it the SBL won't connect.  And our users are now complaining that they have to click to continue at the cert warning.
