A new topic for the CCIE Security 3.X blueprint is the Cisco AnyConnect VPN. This is an enhancement to an earlier technology that you are probably familiar with - the Clientless SSL VPN. The idea behind the Clientless SSL VPN is to provide basic VPN capabilities to a remote PC that does not possess a VPN client. The remote PC in this case just needs an SSL capable Web browser.
The Clientless SSL VPN solution has limped along for a time, but has needed enhancements provided by the AnyConnect VPN approach. While the legacy Clientless SSL VPN supports Windows 2000 and Windows XP, the operating systems supported by the AnyConnect VPN feature include:
- Windows 2000
- Windows XP
- MAC Intel
- MAC Power PC
- Red Hat Linux
What other features does the AnyConnect VPN provide? Here are the most dramatic improvements:
- Datagram Transport Layer Security (DTLS) with SSL connections - DTLS is detailed in RFC 4347 and helps to avoid latency and bandwidth issues associated with some SSL-only connections; the AnyConnect clients also allows fallback to TLD if DTLS fails for any reason
- Standalone Mode - the Cisco AnyConnect VPN client can run as a simple PC application that requires no browser in order to function
- Command Line Interface (CLI) - the AnyConnect VPN Client features CLI support for various commands
- Microsoft Installer (MSI) Support
- IPv6 VPN access
- Start Before Login (SBL) - in Windows environments, this feature allows for login scripts and drive mapping, as well as other features
- Certificate-only authentication - no username and password required
If you are wondering how this new VPN application can coexist with other Cisco VPN options, it turns out that you can use it simultaneously with the legacy Clientless SSL VPN option, and it can coexist with the full IPSec Cisco VPN Client, but you cannot use it simultaneously.
So how does the AnyConnect VPN Client work? The end user either launches the preinstalled AnyConnect VPN client or enters the appropriate URL for your Adaptive Security Appliance (ASA) in a Web browser. Once the user completes authentication, the security appliance determines if the AnyConnect client is needed, and downloads the correct version for the Operating System detected. After downloading, the client installs and establishes a secure SSL connection. Depending upon the ASA configuration, when the VPN connection is terminated, the AnyConnect VPN Client can uninstall itself or remain. In the case of a previously installed AnyConnect VPN Client, after user authentication, the security appliance can upgrade the AnyConnect VPN Client version as needed.
The next post on this subject will cover caveats and best practices for the automated installation of the AnyConnect VPN client on remote PCs.