Cisco anyconnect secure mobility client инструкция

The AnyConnect client provides many options for automatically
connecting, reconnecting, or disconnecting VPN sessions. These options provide
a convenient way for your users to connect to your VPN, and they also support
your network security requirements.

Trusted Network Detection (TND) gives you the ability to have
AnyConnect automatically disconnect a VPN connection when the user is inside
the corporate network (the trusted network) and start the VPN connection when
the user is outside the corporate network (the untrusted network).

TND does not interfere with the ability of the user to manually
establish a VPN connection. It does not disconnect a VPN connection that the
user starts manually in the trusted network. TND only disconnects the VPN
session if the user first connects in an untrusted network and moves into a
trusted network. For example, TND disconnects the VPN session if the user makes
a VPN connection at home and then moves into the corporate office.

You configure TND in the AnyConnect VPN Client profile. No
changes are required to the ASA configuration. You need to specify the action
or policy AnyConnect takes when recognizing it is transitioning between trusted
and untrusted networks, and identify your trusted networks and servers.

• Because the TND feature controls the AnyConnect GUI and
  automatically starts connections, the GUI should run at all times. If the user
  exits the GUI, TND does not automatically start the VPN connection.

• If AnyConnect is also running Start Before Logon (SBL), and the
  user moves into the trusted network, the SBL window displayed on the computer
  automatically closes.

• Trusted Network Detection with or without
  Always-On
  configured is supported on IPv6 and IPv4 VPN connections to the ASA over IPv4
  and IPv6 networks.

• Multiple profiles on a user computer may present problems if the
  TND configuration is different.

  If the user has received a TND-enabled profile in the past, upon
  system restart, AnyConnect attempts to connect to the security appliance it was
  last connected to, which may not be the behavior you desire. To connect to a
  different security appliance, they must manually disconnect and re-connect to
  that headend. The following workarounds will help you prevent this problem:

  • Enable TND in the client profiles loaded on all the ASAs on your
    corporate network.

  • Create one profile listing all the ASAs in the host entry
    section, and load that profile on all your ASAs.

  • If users do not need to have multiple, different profiles, use
    the same profile name for the profiles on all the ASAs. Each ASA overrides the
    existing profile.

Always-On operation prevents access to Internet
resources when the computer is not on a trusted network, unless a VPN session
is active. Enforcing the VPN to always be on in this situation protects the
computer from security threats.

When
Always-On is enabled, it establishes a VPN
session automatically after the user logs in and upon detection of an untrusted
network. The VPN session remains open until the user logs out of the computer,
or the session timer or idle session timer (specified in the ASA group policy)
expires. AnyConnect continually attempts to reestablish the connection to
reactivate the session if it is still open; otherwise, it continually attempts
to establish a new VPN session.

When
Always-On is enabled in the VPN Profile,
AnyConnect protects the endpoint by deleting all the other downloaded
AnyConnect profiles and ignores any public proxies configured to connect to the
ASA.

The following AnyConnect options also need to be considered when
enabling
Always-On:

• Allowing the user to disconnect the Always-On VPN session: AnyConnect provides the ability for the user to disconnect Always-On VPN sessions. If you enable Allow VPN
  Disconnect , AnyConnect displays a Disconnect button upon
  the establishment of a VPN session. By default, the profile editor enables the
  Disconnect button when you enableAlways-On VPN.

  Pressing the disconnect button locks all interfaces to prevent data
  from leaking out and to protect the computer from internet access except for
  establishing a VPN session. Users of Always-On VPN sessions may want to click Disconnect so they can choose an alternative
  secure gateway due to performance issues with the current VPN session, or
  reconnection issues following the interruption of a VPN session.

• Setting a connect failure policy: The connect failure policy determines
  whether the computer can access the internet if Always-On VPN is enabled and AnyConnect cannot establish a VPN session. See Set a Connect Failure Policy.

• Handling captive portal hotspots: See Use Captive Portal Hotpost Detection and Remediation.

• Always On is available only on Windows and macOS

• If
  Always-On
  is enabled, but the user does not log on, AnyConnect does not establish the VPN
  connection. AnyConnect starts the VPN connection only post-login.

• Always-On VPN does not support connecting though
  a proxy.

To enhance protection against threats, we recommend the
following additional protective measures if you configure
Always-On VPN:

• We strongly recommend purchasing a digital certificate from a
  certificate authority (CA) and enrolling it on the secure gateways. The ASDM
  provides an
  Enroll ASA SSL VPN with Entrust button on the
  Configuration > Remote Access VPN > Certificate Management
  > Identity Certificates panel to facilitate enrollment of a
  public certificate.

• If you are using always-on VPN, external SAML IdP is not supported (however,
  with internal SAML IdP, the ASA proxies all traffic to IdP and is supported)

• Predeploy a profile configured with Always-On to the endpoints to limit connectivity to the pre-defined ASAs. Predeployment prevents contact with a rogue server.

• Restrict administrator rights so that users cannot terminate
  processes. A PC user with admin rights can bypass an
  Always-On policy by stopping the agent. If you
  want to ensure fully-secure
  Always-On, you must deny local admin rights to
  users.

• Restrict access to the Cisco sub-folders on Windows computers,
  typically
  C:ProgramData.

• Users with limited or standard privileges may sometimes have
  write access to their program data folders. They could use this access to
  delete the AnyConnect profile file and thereby circumvent the
  Always-On feature.

• Predeploy a group policy object (GPO) for Windows users to prevent users with limited rights from terminating the GUI. Predeploy
  equivalent measures for macOS users.

Many facilities that offer Wi-Fi and wired access, such as
airports, coffee shops, and hotels, require the user to pay before obtaining
access, to agree to abide by an acceptable use policy, or both. These
facilities use a technique called captive portal to prevent applications from
connecting until the user opens a browser and accepts the conditions for
access. Captive portal detection is the recognition of this restriction, and
captive portal remediation is the process of satisfying the requirements of a
captive portal hotspot in order to obtain network access.

Captive portals are detected automatically by AnyConnect when
initiating a VPN connection requiring no additional configuration. Also,
AnyConnect does not modify any browser configuration settings during captive
portal detection and does not automatically remediate the captive portal. It
relies on the end user to perform the remediation. AnyConnect reacts to the
detection of a captive portal depending on the current configuration:

• If
  Always-On
  is disabled, or if
  Always-On
  is enabled and the Connect Failure Policy is open, the following message is
  displayed on each connection attempt:

  
  The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
  

  The end user must perform captive portal remediation by meeting
  the requirements of the provider of the hotspot. These requirements could be
  paying a fee to access the network, signing an acceptable use policy, both, or
  some other requirement defined by the provider.

• If
  Always-On
  is enabled and the connect failure policy is closed, captive portal remediation
  needs to be explicitly enabled. If enabled, the end user can perform
  remediation as described above. If disabled, the following message is displayed
  upon each connection attempt, and the VPN cannot be connected.

  
  The service provider in your current location is restricting access to the Internet. The AnyConnect protection settings must be lowered for you to log on with the service provider. Your current enterprise security policy does not allow this.
  

AnyConnect can falsely assume that it is in a captive portal in
the following situations.

• If AnyConnect attempts to contact an ASA with a certificate
  containing an incorrect server name (CN), then the AnyConnect client will think
  it is in a “captive portal” environment.

  To prevent this, make sure the ASA certificate is properly
  configured. The CN value in the certificate must match the name of the ASA
  server in the VPN client profile.

• If there is another device on the network before the ASA, and
  that device responds to the client’s attempt to contact an ASA by blocking
  HTTPS access to the ASA, then the AnyConnect client will think it is in a
  “captive portal” environment. This situation can occur when a user is on an
  internal network, and connects through a firewall to connect to the ASA.

  If you need to restrict access to the ASA from inside the corporation,
  configure your firewall such that HTTP and HTTPS traffic  to the ASA’s
  address does not return an HTTP status. HTTP/HTTPS access to the ASA should
  either be allowed or completely blocked to ensure that HTTP/HTTPS requests
  sent to the ASA will not return an unexpected response.

If users cannot access a captive portal remediation page, ask
them to try the following:

• Terminate any applications that use HTTP, such as instant
  messaging programs, e-mail clients, IP phone clients, and all but one browser
  to perform the remediation.

  The captive portal may be actively inhibiting DoS attacks by
  ignoring repetitive attempts to connect, causing them to time out on the client
  end. The attempt by many applications to make HTTP connections exacerbates this
  problem.

• Disable and re-enable the network interface. This action
  triggers a captive portal detection retry.

• Restart the computer.

AnyConnect supports VPN sessions through Local, Public, and
Private proxies:

• Local Proxy Connections:

  A local proxy runs on the same PC as AnyConnect, and is
  sometimes used as a transparent proxy. Some examples of a transparent proxy
  service include acceleration software provided by some wireless data cards, or
  a network component on some antivirus software, such as Kaspersky.

  The use of a local proxy is enabled or disabled in the
  AnyConnect VPN client profile, see
  Allow
  a Local Proxy Connection.

• Public Proxy Connections:

  Public proxies are usually used to anonymize web traffic. When Windows is configured to use a public proxy, AnyConnect uses
  that connection. Public proxy is supported on macOS and Linux for both native and override.

• Private Proxy Connections:

  Private proxy servers are used on a corporate network to prevent
  corporate users from accessing certain Web sites based on corporate usage
  policies, for example, pornography, gambling, or gaming sites.

  You configure a group policy to download private proxy settings to the browser after the tunnel is established. The settings
  return to their original state after the VPN session ends. See Configure a Private Proxy Connection.

  Note

  AnyConnect SBL connections through a proxy server are dependent on the Windows operating system version and system (machine) configuration or other third-party proxy software capabilities; therefore, refer to system wide proxy settings as provided by Microsoft or whatever third-party proxy application you use.

OS support of proxy connections varies as shown:

• IPv6 proxies are not supported for any type of proxy
  connection.

• Connecting through a proxy is not supported with the
  Always-On feature enabled.

• A VPN client profile is required to allow access to a local proxy.

• For Windows: Find the proxy settings in the registry under:

  
  HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet Settings

  

• For macOS: Open a terminal window, and type:

  
  scutil --proxy
  

See the Client Firewall with Local Printer and Tethered Device Support section in the Cisco ASA Series Configuration Guide.

When split DNS is configured in the
Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to the
private DNS server (also configured in the group policy). All other DNS queries go to
the DNS resolver on the client operating system, in the clear, for DNS resolution. If
split DNS is not configured, AnyConnect tunnels all DNS queries.

If split DNS is not configured, AnyConnect tunnels all DNS queries.

We strongly recommend that you enable Strict Certificate Trust for the AnyConnect client. To
configure Strict Certificate Trust, see the Local Policy
Parameters and Values section: Local Policy Preferences.

The
Cisco AnyConnect Secure
Mobility Client
uses the Simple Certificate Enrollment Protocol (SCEP) to provision and renew a
certificate as part of client authentication. Certificate enrollment using SCEP
is supported by AnyConnect IPsec and SSL VPN connections to the ASA in the
following ways:

• SCEP Proxy: The ASA acts as a proxy for SCEP requests and
  responses between the client and the Certificate Authority (CA).

  • The CA must be accessible to the ASA, not the AnyConnect client,
    since the client does not access the CA directly.

  • Enrollment is always initiated automatically by the client. No
    user involvement is necessary.

• Legacy SCEP: The AnyConnect client communicates with the CA directly to enroll and obtain a certificate.

  • The CA must be accessible to the AnyConnect client, not the ASA, through an established VPN tunnel or directly on the same
    network the client is on.

  • Enrollment is initiated automatically by the client and may be initiated manually by the user if configured.

AnyConnect integrates support for RSA SecurID client software
versions 1.1 and later running on Windows 7 x86 (32-bit) and x64 (64-bit).

RSA SecurID software authenticators reduce the number of items a
user has to manage for safe and secure access to corporate assets. RSA SecurID
Software Tokens residing on a remote device generate a random one-time-use
passcode that changes every 60 seconds. The term SDI stands for Security
Dynamics, Inc. technology, which refers to this one-time password generation
technology that uses hardware and software tokens.

Typically, users make an AnyConnect connection by clicking the
AnyConnect icon in the tools tray, selecting the connection profile with which
they wish to connect, and then entering the appropriate credentials in the
authentication dialog box. The login (challenge) dialog box matches the type of
authentication configured for the tunnel group to which the user belongs. The
input fields of the login dialog box clearly indicate what kind of input is
required for authentication.

For SDI authentication, the remote user enters a PIN (Personal
Identification Number) into the AnyConnect software interface and receives an
RSA SecurID passcode. After the user enters the passcode into the secured
application, the RSA Authentication Manager validates the passcode and allows
the user to gain access.

Users who use RSA SecurID hardware or software tokens see input
fields indicating whether the user should enter a passcode or a PIN, a PIN, or
a passcode and the status line at the bottom of the dialog box provides further
information about the requirements. The user enters a software token PIN or
passcode directly into the AnyConnect user interface.

The appearance of the initial login dialog box depends on the
secure gateway settings: the user can access the secure gateway either through
the main login page, the main index URL, a tunnel-group login page, or a tunnel
group URL (URL/tunnel-group). To access the secure gateway via the main login
page, the “Allow user to select connection” check box must be set in the
Network (Client) Access AnyConnect Connection Profiles page. In either case,
the secure gateway sends the client a login page. The main login page contains
a drop-down list in which the user selects a tunnel group; the tunnel-group
login page does not, since the tunnel-group is specified in the URL.

In the case of a main login page (with a drop-down list of
connection profiles or tunnel groups), the authentication type of the default
tunnel group determines the initial setting for the password input field label.
For example, if the default tunnel group uses SDI authentication, the field
label is “Passcode;” but if the default tunnel group uses NTLM authentication,
the field label is “Password.” In Release 2.1 and later, the field label is not
dynamically updated with the user selection of a different tunnel group. For a
tunnel-group login page, the field label matches the tunnel-group requirements.

The client supports input of RSA SecurID Software Token PINs in
the password input field. If the RSA SecurID Software Token software is
installed and the tunnel-group authentication type is SDI, the field label is
“Passcode” and the status bar states “Enter a username and passcode or software
token PIN.” If a PIN is used, subsequent consecutive logins for the same tunnel
group and username have the field label “PIN.” The client retrieves the
passcode from the RSA SecurID Software Token DLL using the entered PIN. With
each successful authentication, the client saves the tunnel group, the
username, and authentication type, and the saved tunnel group becomes the new
default tunnel group.

AnyConnect accepts passcodes for any SDI authentication. Even
when the password input label is “PIN,” the user may still enter a passcode as
instructed by the status bar. The client sends the passcode to the secure
gateway as is. If a passcode is used, subsequent consecutive logins for the
same tunnel group and username have the field label “Passcode.”

The RSASecureIDIntegration profile setting has three possible
values:

• Automatic—The client first attempts one method, and if it fails,
  the other method is tried. The default is to treat the user input as a token
  passcode (HardwareToken), and if that fails, treat it as a software token pin
  (SoftwareToken). When authentication is successful, the successful method is
  set as the new SDI Token Type and cached in the user preferences file. For the
  next authentication attempt, the SDI Token Type defines which method is
  attempted first. Generally, the token used for the current authentication
  attempt is the same token used in the last successful authentication attempt.
  However, when the username or group selection is changed, it reverts to
  attempting the default method first, as shown in the input field label.

  Note	The SDI Token Type only has meaning for the automatic setting. You can ignore logs of the SKI Token Type when the authentication mode is not automatic. HardwareToken as the default avoids triggering next token mode.

• SoftwareToken—The client always interprets the user input as a
  software token PIN, and the input field label is “PIN:”.

• HardwareToken—The client always interprets the user input as a
  token passcode, and the input field label is “Passcode:”.

Note	AnyConnect does not support token selection from multiple tokens imported into the RSA Software Token client software. Instead, the client uses the default selected via the RSA SecurID Software Token GUI.