Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17696
Views
7
Helpful
14
Replies

Profile Cisco AnyConnect Secure Mobility

Go to solution
sergei-bilan
Level 1
Level 1

‎12-28-2022 04:16 AM

Hi Team, 

I can’t find how to make it so that in one Any connect window I have a choice of double vpn gateways

 <?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>CFJNBDJF889e58FKCKDLSJFKD</ClientCertificateThumbprint>
<MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>post.gw.ua</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>

I Want to add more <DefaultHostName>post1.gw.ua</DefaultHostName> And choose and not enter each time into the window with your hands. Does anyone know how to make a selection in the drop-down window. I will be greteful for help.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sergei-bilan

‎12-28-2022 05:32 AM - edited ‎12-28-2022 05:33 AM

I wasn't implying to modify preferences.xml. Instead create two profile files, each with a unique name - i.e., profile1.xml and profile2.xml and save them in the ..\VPN\Profile directory.

Here is an example of an entire profile.xml file. After those are in place, you need to restart the AnyConnect / Secure Client GUI to make it parse them.

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreLinux>All</CertificateStoreLinux>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
		<AuthenticationTimeout>30</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
		</AutoReconnect>
		<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
		<AutoUpdate UserControllable="false">true</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Automatic
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="true">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>user friendly connection name</HostName>
			<HostAddress>FQDN of host</HostAddress>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

 

View solution in original post

14 Replies 14

Go to solution
Rob Ingram
VIP
VIP

‎12-28-2022 04:27 AM

@sergei-bilan use the AnyConnect VPN Profile editor which is a GUI to help create the XML profile, rom there go to Server List to define the gateways.

Here is an example configuration

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
<AuthenticationTimeout>30</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Disable
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="false">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>VPN 1</HostName>
<HostAddress>vpn1.domain.com</HostAddress>
</HostEntry>
<HostEntry>
<HostName>VPN2</HostName>
<HostAddress>vpn2.domain.com</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>

This XML profile is saved to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile or C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile if using Secure Client 5.0. Restart AnyConnect and the gateways will appear in AnyConnect to select.

Go to solution
sergei-bilan
Level 1
Level 1
In response to Rob Ingram

‎12-28-2022 05:10 AM

C:\Users\jon\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client - There is a file here preferences.xml

I edited it but it didn`t work

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>CFJNBDJF889e58FKCKDLSJFKD</ClientCertificateThumbprint>
<MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>post.gw.ua</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
<ServerList>
<HostEntry>
<HostName>VPN 1</HostName>
<HostAddress>vpn1.domain.com</HostAddress>
</HostEntry>
<HostEntry>
<HostName>VPN2</HostName>
<HostAddress>vpn2.domain.com</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectPreferences>

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-28-2022 04:28 AM

There needs to be a connection profile for that VPN in the hidden AnyConnect Profiles folder (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\VPN\Profile or C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile by default on Windows).

You can create it with the VPN profile editor. If you want to have two profile to choose between then create a second profile in the same folder, each with its own host name and address. This is the section that would be modified:

<ServerList>
<HostEntry>
<HostName>Name the user sees</HostName>
<HostAddress>FQDN of gateway</HostAddress>
</HostEntry>
</ServerList>

 

Go to solution
sergei-bilan
Level 1
Level 1
In response to Marvin Rhoads

‎12-28-2022 05:12 AM 

If I create the same file, then this is impossible because it will no longer be called preferences.xml but preferences-copy.xml
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sergei-bilan

‎12-28-2022 05:32 AM - edited ‎12-28-2022 05:33 AM

I wasn't implying to modify preferences.xml. Instead create two profile files, each with a unique name - i.e., profile1.xml and profile2.xml and save them in the ..\VPN\Profile directory.

Here is an example of an entire profile.xml file. After those are in place, you need to restart the AnyConnect / Secure Client GUI to make it parse them.

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreLinux>All</CertificateStoreLinux>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
		<AuthenticationTimeout>30</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
		</AutoReconnect>
		<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
		<AutoUpdate UserControllable="false">true</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Automatic
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="true">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>user friendly connection name</HostName>
			<HostAddress>FQDN of host</HostAddress>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

 

Go to solution
sergei-bilan
Level 1
Level 1
In response to Marvin Rhoads

‎12-28-2022 05:55 AM

Thanks for the help) It works

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Marvin Rhoads

‎12-28-2022 06:20 AM

if he assign two XML profile which one will be use if he connect, how user can select between two profile ?
the user need a way to select the GW he want, then he can use the profile, or I am wrong ?

0 Helpful

Go to solution
sergei-bilan
Level 1
Level 1
In response to Marvin Rhoads

‎02-02-2023 11:16 AM

Hi Marvin, Do you know to do the same on Apple's MacOS?

0 Helpful

Go to solution
Fort CC
Level 1
Level 1
In response to sergei-bilan

‎05-21-2024 11:09 PM

You may try my answer below that works for linux.  Likely it would work for MacOS as well.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎12-28-2022 05:27 AM

do this in ASA 
config two group-url each one have different IP (DNS resolve it to different ), hence when user enter URL 1 it will go to IP1 of ASA and if enter URL2 it get IP2 of ASA.

0 Helpful

Go to solution
sergei-bilan
Level 1
Level 1
In response to MHM Cisco World

‎12-28-2022 05:34 AM

Hi, Needed by editing the AnyConnect profile

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to sergei-bilan

‎12-28-2022 05:37 AM

no need, only do this in ASA with tunnel-group. 
XML allow you to add only one secure GW and as I know this use for auto-connect feature. 

0 Helpful

Go to solution
dissai
Level 1
Level 1
In response to MHM Cisco World

‎04-05-2024 12:19 AM

Hi MHM,

Can assist with working Cisco Anyconnect Profile XML file which can work on Linux and macos environment.

Thank you.

DI 

0 Helpful

Go to solution
Fort CC
Level 1
Level 1
In response to dissai

‎05-21-2024 11:07 PM

To add multiple hosts in linux,  you can edit a profile.xml   file and place it in /opt/cisco/anyconnect/profile/.   A sample profile.xml  specifying multiple hosts  is the following:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry>
<HostName> host1 </HostName>
<HostAddress> ip1 </HostAddress>
</HostEntry>
</ServerList>
<ServerList>
<HostEntry>
<HostName> host2 </HostName>
<HostAddress> ip2 </HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>

The listed hosts will show up in the vpnui pull down.   That is, in linux you do not need to create an individual profile file for each host.  One profile file can work for multiple hosts.

Macos likely follows the same syntax. 

0 Helpful
Customers Also Viewed These Support Documents