Help downloading anyconnect client

Andy White
Level 3

Hello,

I want to test the Cisco AnyConnect VPN client out on a Windows PC and Mac. When I view the download section there are so many clients; which 2 do I need to pick?

And what is the Cisco SSL VPN client?

My current license is:

Licensed features for this platform:

Maximum Physical Interfaces    : Unlimited

Maximum VLANs                  : 150

Inside Hosts                   : Unlimited

Failover                       : Active/Active

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

Security Contexts              : 2

GTP/GPRS                       : Disabled

SSL VPN Peers                  : 2

Total VPN Peers                : 750

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

Does this mean I can have 750 Anyconnect VPN client connections?

Thanks

10 Replies

rahgovin
Level 4

Hi Andy,

You can launch the AnyConnect client by using a browser and going to the clientless file portal page for the AnyConnect client. In that case you would need the .pkg files for all OSes (win, mac, linux) and install them on the ASA.

An example of a win filename would be:

anyconnect-win-2.5.0217-k9.pkg

You can install and setup the anyconnect client using this guide

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Also, the peers that you see are IPsec peers only. Right now, from your show version, you have only 2 SSL VPN peers. You would need to purchase a license (e.g. AnyConnect Essentials, for AC access only) to increase the number of peers.

A license guide is here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html
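
The licence reading given in this reply can be checked mechanically. The following is an added example, not part of the original thread and not Cisco code: it parses the "Licensed features" lines and reports which figure caps AnyConnect and clientless sessions. The function names are hypothetical, and treating AnyConnect Essentials as raising the AnyConnect cap to the "Total VPN Peers" figure is an assumption of this example.

```python
import re

# Constructed sample: licence lines copied from the question in this thread.
SAMPLE = """\
Licensed features for this platform:
Failover                       : Active/Active
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 750
AnyConnect for Mobile          : Disabled
AnyConnect Essentials          : Disabled
"""

# "Name : Value" with a non-empty value; the header line ends in ':' and is skipped.
LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_features(text):
    """Return {feature: int | bool | str} for every 'Name : Value' line."""
    features = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        value = m["value"]
        if value.isdigit():
            features[m["name"]] = int(value)
        elif value in ("Enabled", "Disabled"):
            features[m["name"]] = value == "Enabled"
        else:
            features[m["name"]] = value  # e.g. "Unlimited", "Active/Active"
    return features


def ssl_vpn_capacity(features):
    """Session caps for AnyConnect and the clientless portal."""
    ssl_peers = features.get("SSL VPN Peers", 0)
    total = features.get("Total VPN Peers", 0)
    if features.get("AnyConnect Essentials") is True:
        # Per the thread, Essentials covers AnyConnect only, not clientless.
        # Assumption of this example: the AnyConnect cap becomes the total.
        return {"anyconnect": total, "clientless": 0, "shared_pool": False}
    # Without Essentials, both draw from the one "SSL VPN Peers" pool.
    limit = min(ssl_peers, total)
    return {"anyconnect": limit, "clientless": limit, "shared_pool": True}


if __name__ == "__main__":
    print(ssl_vpn_capacity(parse_features(SAMPLE)))
```
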

Thanks, I have a couple of questions:

  1. So the "AnyConnect" client is the Java-based one like the Client VPN tool, meaning we don't have to install the VPN client on user laptops anymore?
  2. I noticed there is also a Portal page where you can publish websites and use plugins like ica and rdp. If I upgrade the SSL VPN licence from 2 users to 25, will this also mean we can have 25 users shared across the portal page and using AnyConnect?
  3. What is the SSL client? I thought that was the AnyConnect client (see image):

Thanks

Answers below:

1. Yes. You can go to the portal and download the client with an option of keeping it installed, so that from the next time on the users can directly start up the client.

2. Yes. 25 SSL VPN peers can be used for the clientless solution too. But note that if you purchase the AnyConnect Essentials license, it can be used only for AnyConnect and not the clientless solutions (portal, plugins etc.).

3. SSL VPN client is the older version of the AnyConnect client (for ASA 7.x version). It has fewer features too.

Thanks,

  1. Does the SSL certificate get created on the ASA or do I have to buy one from, say, Verisign?
  2. Can I create different profiles like on the Cisco VPN client for the Anyconnect or clientless options, so if a sales user logs in they get different access to IT?

Regards

1. Both are acceptable. It's just that in the case of using a third-party certificate (well-known CA), it will be trusted by the end user and you won't get that certificate-not-trusted error each time you connect.

2. Yes, you can create different profiles and use them for the AnyConnect clients. But they are a bit different from the IPsec client. They can be pushed from the ASA when you connect to a particular group-policy. The guide is here.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac03features.html#wp1228114

Thanks,

1.) I guess the self cert or official one are as good as each other; do I have to create the self cert or is this done automatically?

2.) I guess these VPN modes may allow someone with an iPad or Dell's Android streak to connect securely, as we have a few important internal websites we want to allow remote users to access?

Regards

1) You don't need to create a cert at all. Automatically, when webvpn is enabled, a cert is generated, but you won't be able to see that on the ASA. But you can create a self-signed cert with the right DNS name of the ASA and import the cert to the client machine (or install it) so that you can avoid the cert-not-trusted errors.

2) Not sure what you mean by VPN modes. iPad is OK to use but you need a special app to use that.

http://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8

I don't think there is an AnyConnect Android app yet that can be used.

Looks like I am spoilt for choice to allow users to securely access our confidential websites remotely, just choosing the right one, my head hurts. I guess I must try and get the group policy right for this to all work, hopefully I can do all this from the asdm gui?

We use windows Active Directory and have a windows IAS radius server too, hopefully I can still use these to control what type of access each user gets.

Yes, it's easier to use the ASDM GUI for all this. And once connected, the AnyConnect client is similar to the IPsec client; you have to have the right NAT rules and all.

And yes, you can use the IAS RADIUS server to authenticate and authorize the AnyConnect VPN users without any problem.

Please mark the post as answered if you have got your queries resolved.

Thanks

Hi,

  1. A few last things: what is the secure desktop option I've seen on the ASDM?
  2. And how can I create a new self cert on the ASA to use our DNS name?
  3. http://www.youtube.com/watch?v=pP1uteL7Z8c  - Is this tool covered in the SSL licence or do we need to enable the "AnyConnect for Mobile" option too?

Thanks