
Using ASA as an Anyconnect profile deployment tool

bursamalaysia
Level 1

I have a requirement to use an ASR router as an IKEv2 headend for Anyconnect clients. For ease of deployment, I want to use the ASA firewall to enable users (multiple OS - Win/Mac/Linux) to download their respective Anyconnect clients as well as the profile needed to connect to the ASR. Note that the ASA is only used for AC and AC profile downloads; it takes no part in any VPN termination. Users will just point their browser to the ASA firewall web page and download both the AC client and the profile, then they will launch the AC and connect to the ASR router.

My question is, can this be done? 

Thank you!

4 Replies

Marvin Rhoads
Hall of Fame

In order to act as the deployment tool, I believe you'd have to have a VPN setup on the ASA, if only for that purpose.

Begging the question of why you would want to. You can deploy the software independent of any ASA connection by following the guidelines for pre-deployment in the AnyConnect Administrator's Guide. Reference.

Yes, I want to deploy the software independent of any ASA VPN connection. From the Admin guide:

When deployed from the ASA, remote users make an initial SSL connection to the ASA. In their browser, they enter the IP address or DNS name of an ASA configured to accept clientless SSL VPN connections. The ASA presents a login screen in the browser window, and if the user satisfies the login and authentication, downloads the client that matches their computer's operating system. After downloading, the client installs and configures itself and establishes an IPsec (IKEv2) or SSL connection to the ASA. 

On the last sentence, I need the client to establish an IPSEC connection to the ASR, not the ASA.  Just wanted to confirm that this can be done. 

Thank you

I suppose it should work although I haven't tried it personally.

Note as above "The ASA presents a login screen in the browser window, and if the user satisfies the login and authentication". So you would need a clientless SSL login onto the ASA BEFORE moving onto the "downloads the client ..." step.

You should be able to, from there, download the client and profile and have the profile host setup to point to the address of the ASR router.
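A check that could be run on the profile before it is published on the ASA, as an added example that is not part of the original thread: it confirms that every server-list entry points at the intended IKEv2 headend and selects IPsec rather than the client's SSL default. The hostnames are placeholders and the sample profile is constructed; the function name `check_profile` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespace used by AnyConnect client profile XML.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile; asr.example.com / asa.example.com are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>ASR IKEv2 headend</HostName>
      <HostAddress>asr.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Download portal</HostName>
      <HostAddress>asa.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def check_profile(xml_text, allowed_headends):
    """Return a list of problems; an empty list means every HostEntry
    targets an allowed headend and uses IPsec as its primary protocol."""
    root = ET.fromstring(xml_text)
    entries = root.findall("ac:ServerList/ac:HostEntry", NS)
    problems = []
    if not entries:
        problems.append("profile has no HostEntry")
    for entry in entries:
        name = (entry.findtext("ac:HostName", "", NS) or "").strip()
        addr = (entry.findtext("ac:HostAddress", "", NS) or "").strip().lower()
        # PrimaryProtocol may carry child elements; .text is the leading value.
        proto = (entry.findtext("ac:PrimaryProtocol", "", NS) or "").strip()
        if addr not in allowed_headends:
            problems.append(f"{name}: HostAddress {addr!r} is not an allowed headend")
        if proto != "IPsec":
            # An entry without PrimaryProtocol falls back to SSL on the client.
            problems.append(f"{name}: PrimaryProtocol is {proto or 'unset (SSL default)'}, expected IPsec")
    return problems


if __name__ == "__main__":
    for line in check_profile(SAMPLE_PROFILE, {"asr.example.com"}):
        print(line)
```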

Alright, thanks! I will try that out sometime later and update here.