A new topic for the CCIE Security 3.X blueprint is the Cisco AnyConnect VPN. This is an enhancement to an earlier technology that you are probably familiar with - the Clientless SSL VPN. The idea behind the Clientless SSL VPN is to provide basic VPN capabilities to a remote PC that does not possess a VPN client. The remote PC in this case just needs an SSL capable Web browser.

The Clientless SSL VPN solution has limped along for a time, but has needed enhancements provided by the AnyConnect VPN approach. While the legacy Clientless SSL VPN supports Windows 2000 and Windows XP, the operating systems supported by the AnyConnect VPN feature include:

  • Windows 2000
  • Windows XP
  • Vista
  • MAC Intel
  • MAC Power PC
  • Red Hat Linux

What other features does the AnyConnect VPN provide? Here are the most dramatic improvements:

  • Datagram Transport Layer Security (DTLS) with SSL connections - DTLS is detailed in RFC 4347 and helps to avoid latency and bandwidth issues associated with some SSL-only connections; the AnyConnect clients also allows fallback to TLD if DTLS fails for any reason
  • Standalone Mode - the Cisco AnyConnect VPN client can run as a simple PC application that requires no browser in order to function
  • Command Line Interface (CLI) - the AnyConnect VPN Client features CLI support for various commands
  • Microsoft Installer (MSI) Support
  • IPv6 VPN access
  • Start Before Login (SBL) - in Windows environments, this feature allows for login scripts and drive mapping, as well as other features
  • Certificate-only authentication - no username and password required

If you are wondering how this new VPN application can coexist with other Cisco VPN options, it turns out that you can use it simultaneously with the legacy Clientless SSL VPN option, and it can coexist with the full IPSec Cisco VPN Client, but you cannot use it simultaneously.

So how does the AnyConnect VPN Client work? The end user either launches the preinstalled AnyConnect VPN client or enters the appropriate URL for your Adaptive Security Appliance (ASA) in a Web browser. Once the user completes authentication, the security appliance determines if the AnyConnect client is needed, and downloads the correct version for the Operating System detected. After downloading, the client installs and establishes a secure SSL connection. Depending upon the ASA configuration, when the VPN connection is terminated, the AnyConnect VPN Client can uninstall itself or remain. In the case of a previously installed AnyConnect VPN Client, after user authentication, the security appliance can upgrade the AnyConnect VPN Client version as needed.

The next post on this subject will cover caveats and best practices for the automated installation of the AnyConnect VPN client on remote PCs.

About INE

INE is the premier provider of technical training for the IT industry. INE is revolutionizing the digital learning industry through the implementation of adaptive technologies and a proven method of hands on training experiences. Our portfolio of trainings is built for all levels of technical learning, specializing in advanced networking technologies, next generation security and infrastructure programming and development. Want to talk to a training advisor about our course offerings and training plans? Give us a call at 877-224-8987 or email us at sales@ine.com

Subscribe to INE Blog Updates

New Blog Posts!