Chapter 3
Configuring AnyConnect Client Features

The AnyConnect client includes two files that enable and configure client features: the AnyConnect client profile and the AnyConnect local policy. This chapter describes the AnyConnect client features and how to enable them in the profile, the local policy, and on the security appliance.

AnyConnect Client Profile

The AnyConnect profile is an XML file deployed by the security appliance during client installation and updates. This file provides basic information about connection setup, as well as advanced features such as Start Before Logon (SBL). Users cannot manage or modify profiles.

You can configure the security appliance to deploy profiles globally for all AnyConnect client users, or based on the group policy of the user. Usually, a user has a single profile file. This profile contains all the hosts needed by a user, and additional settings as needed. In some cases, you might want to provide more than one profile for a given user. For example, someone who works from multiple locations might need more than one profile. Be aware that some of the profile settings, such as Start Before Logon, control the connection experience at a global level. Other settings, such as those unique to a particular host, depend on the host selected.

AnyConnect Local Policy

The AnyConnect local policy specifies additional security parameters for the AnyConnect VPN client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS). Other parameters in the AnyConnect local policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings. Unlike the client profile, the local policy is not deployed by the security appliance and must be deployed by an enterprise software deployment system.

The first two sections of this chapter describe how to make changes to the AnyConnect client profile or local policy:

• Configuring and Deploying the AnyConnect Client Profile, page 3-2
• Configuring the AnyConnect Local Policy, page 3-8

The following sections describe each client feature and the necessary changes to the AnyConnect client profile, local policy, and/or the security appliance software:

• Configuring Start Before Logon, page 3-10
• Enabling FIPS and Additional Security, page 3-20
• Enabling Trusted Network Detection, page 3-25
• Configuring a Certificate Store, page 3-27
• Configuring Simplified Certificate Enrollment Protocol, page 3-31
• Configuring Certificate Matching, page 3-38
• Prompting Users to Select Authentication Certificate, page 3-45
• Configuring Backup Server List Parameters, page 3-47
• Configuring a Windows Mobile Policy, page 3-48
• Configuring a Server List, page 3-54
• Split DNS Fallback, page 3-57
• Scripting, page 3-57
• Proxy Support, page 3-62
• Allow AnyConnect Session from an RDP Session for Windows Users, page 3-63
• AnyConnect over L2TP or PPTP, page 3-64

Cisco AnyConnect VPN Client Administrator Guide
OL-20841-03
3-1

Configuring and Deploying the AnyConnect Client Profile

An AnyConnect client profile is an XML file cached to the endpoint file system. The client parameters, represented as XML tags in this file, name the security appliances with which to establish VPN sessions and enable client features.

You can create and save XML profiles using a text editor. The client installation contains one profile template (AnyConnectProfile.tmpl) you can copy, rename, and save as an XML file, then edit and use as a basis to create other profile files.

The profile file is downloaded from the security appliance to the remote user's PC, in the directory:

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile

The location for Windows Vista is slightly different: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile. You must first import the profile(s) into the security appliance in preparation for downloading to the remote PC. You can import a profile using either ASDM or the command-line interface. The AnyConnectProfile.tmpl file automatically downloaded with the AnyConnect client is an example AnyConnect profile.

Note: In order for the client initialization parameters in a profile to be applied to the client configuration, the security appliance the user connects to must appear as a host entry in that profile. If you do not add the security appliance address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the security appliance as a host entry in that profile, the certificate match is ignored. For more information about adding host entries to the profile, see Configuring a Server List, page 3-54.

This section covers the following topics:

• Default Client Profile, page 3-3
• Editing the Client Profile, page 3-4
• Validating the XML in the Profile, page 3-5
• Deploying the Client Profile to AnyConnect Clients, page 3-6
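The following Python script is an added example, not Cisco's code or part of this guide. It performs a pre-import sanity check for the mistakes this chapter calls out: preference values that are not lowercase true/false (the cause of the validation error shown under Validating the XML in the Profile), HostEntry elements missing a HostName or HostAddress, IP addresses used where an FQDN is recommended, and a security appliance that is not listed as a host entry (so that, per the Note above, ClientInitialization settings such as CertificateMatch would be ignored). The function names, the sample profile and the gateway value are constructed for the example; it complements, and does not replace, validation against AnyConnectProfile.xsd.

```python
"""Pre-import sanity check for an AnyConnect client profile (added example).

Catches the mistakes this chapter calls out before the AnyConnectProfile.xsd
validation step: preference values and UserControllable attributes that are
not lowercase true/false, HostEntry elements missing a HostName or
HostAddress, IP addresses used where an FQDN is recommended, and a gateway
that is not listed as a host entry (ClientInitialization settings such as
CertificateMatch are then ignored for sessions to it).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Profile elements that the Default Client Profile example sets to true/false.
BOOLEAN_PREFERENCES = {
    "UseStartBeforeLogon", "ShowPreConnectMessage", "CertificateStoreOverride",
    "AutoConnectOnStart", "MinimizeOnConnect", "LocalLanAccess",
    "AutoReconnect", "AutoUpdate",
}


def _local(tag):
    """Strip the namespace prefix ElementTree adds, e.g. {ns}HostEntry -> HostEntry."""
    return tag.rsplit("}", 1)[-1]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_profile(xml_text, gateway=None):
    """Return a list of findings (empty when clean).

    gateway is the address or FQDN of the security appliance users connect to;
    it is checked against the HostAddress of every ServerList HostEntry.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings, host_addresses = [], []
    for elem in root.iter():
        tag = _local(elem.tag)
        text = (elem.text or "").strip()  # the element's own value; children are visited separately
        if tag in BOOLEAN_PREFERENCES and text not in ("true", "false"):
            findings.append(f"{tag}: value {text!r} must be lowercase true or false")
        uc = elem.get("UserControllable")
        if uc is not None and uc not in ("true", "false"):
            findings.append(f"{tag}: UserControllable={uc!r} must be lowercase true or false")
        if tag == "HostEntry":
            fields = {_local(child.tag): (child.text or "").strip() for child in elem}
            name, addr = fields.get("HostName", ""), fields.get("HostAddress", "")
            if not name or not addr:
                findings.append(f"HostEntry {name or '(unnamed)'}: HostName and HostAddress are both required")
            elif _is_ip(addr):
                findings.append(f"HostEntry {name}: HostAddress {addr} is an IP address; an FQDN is recommended")
            host_addresses.append(addr.lower())
    if gateway is not None and gateway.lower() not in host_addresses:
        findings.append(f"gateway {gateway} has no HostEntry; ClientInitialization settings will not apply to it")
    return findings


# Constructed sample in the Default Client Profile format, with two deliberate
# mistakes: a capitalised "False" and an IP-address HostAddress.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">False</UseStartBeforeLogon>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry><HostName>HQ</HostName><HostAddress>asa-01.example.com</HostAddress></HostEntry>
    <HostEntry><HostName>Lab</HostName><HostAddress>192.0.2.10</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE, gateway="asa-02.example.com"):
        print("FINDING:", finding)
```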

Default Client Profile

You configure profile attributes by modifying the XML profile template and saving it with a unique name. You can then distribute the profile file to end users at any time. The distribution mechanisms are bundled with the software distribution.

The following example shows a sample AnyConnect profile file. The bold type identifies the values you can modify to customize the profile. In this example, blank lines separate the major groupings for legibility. Do not include these blank lines in your profile.

Caution: Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as Notepad or WordPad.

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

      <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="true">true</LocalLanAccess>
        <AutoReconnect UserControllable="true">true
          <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>

        <CertificateMatch>
          <KeyUsage>
            <MatchKey>Digital_Signature</MatchKey>
          </KeyUsage>
          <ExtendedKeyUsage>
            <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
          </ExtendedKeyUsage>
          <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
              <Name>CN</Name>
              <Pattern>ASASecurity</Pattern>
            </DistinguishedNameDefinition>
          </DistinguishedName>
        </CertificateMatch>

        <BackupServerList>
          <HostAddress>asa-02.cisco.com</HostAddress>
          <HostAddress>192.168.1.172</HostAddress>
        </BackupServerList>

        <MobilePolicy>
          <DeviceLockRequired MaximumTimeoutMinutes="60" MinimumPasswordLength="4" PasswordComplexity="pin"/>
        </MobilePolicy>
      </ClientInitialization>

      <ServerList>
        <HostEntry>
          <HostName>CVC-ASA-01</HostName>
          <HostAddress>CVC-ASA-01.example.com</HostAddress>
          <UserGroup>StandardUser</UserGroup>
          <BackupServerList>
            <HostAddress>cvc-asa-02.example.com</HostAddress>
            <HostAddress>cvc-asa-03.example.com</HostAddress>
          </BackupServerList>
        </HostEntry>
      </ServerList>
    </AnyConnectProfile>

Editing the Client Profile

Retrieve a copy of the profile file (AnyConnectProfile.xml) from a client installation. Make a copy and rename the copy with a name meaningful to you. Alternatively, you can modify an existing profile. See Table 1-4, "Paths to the Profile Files on the Endpoint" to identify the profile path for each supported operating system.

Edit the profile file. The example below shows the contents of the profile file (AnyConnectProfile.xml) for Windows:

    <?xml version="1.0" encoding="UTF-8"?>
    <!--
    This is a template file that can be configured to support the
    identification of secure hosts in your network.
    The file needs to be renamed to CiscoAnyConnectProfile.xml.
    The svc profiles command imports updated profiles for downloading to
    client machines.
    -->
    <Configuration>
      <ClientInitialization>
        <UseStartBeforeLogon>false</UseStartBeforeLogon>
      </ClientInitialization>
      <HostEntry>
        <HostName></HostName>
        <HostAddress></HostAddress>
      </HostEntry>
      <HostEntry>
        <HostName></HostName>
        <HostAddress></HostAddress>
      </HostEntry>
    </Configuration>

HostName identifies the secure gateway or cluster to the user. It appears on the "Connect to" drop-down list on the Connection tab of the user GUI. It can be any name you want to use. HostAddress specifies the actual hostname and domain (e.g., hostname.example.com) of the secure gateway to be reached. (While this value may instead specify an IP address, we do not recommend it.) The value of HostName can match the hostname portion of the HostAddress value, but matching the name is not a requirement because the parent tag HostEntry associates these values. Matching the hostname in both child tags does, however, simplify the association for administrators testing and troubleshooting VPN connectivity.

    <HostEntry>
      <HostName>Sales gateway</HostName>
      <HostAddress>Sales gateway.example.com</HostAddress>
    </HostEntry>

Note: Do not cut and paste the examples from this document. Doing so introduces line breaks that can break your XML. Instead, open the profile template file in a text editor such as Notepad or WordPad. Use the template that appears after installing AnyConnect on a workstation: \Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl

Validating the XML in the Profile

It is important to validate the XML in the AnyConnect client profile you create. Use an online validation tool or the profile import feature in ASDM. For validation, you can use the AnyConnectProfile.xsd found in the same directory as the profile template. This .xsd file is the XML schema definition for the client profile, and is intended to be maintained by a Secure Gateway administrator and then distributed with the client software.

Note: Validate the profile before importing it into the security appliance. Doing so makes client-side validation unnecessary.

The XML file based on this schema can be distributed to clients at any time, either as a bundled file with the software distribution or as part of the automatic download mechanism. The automatic download mechanism is available only with certain Cisco Secure Gateway products.

In Microsoft Windows with MSXML 6.0, the AnyConnect client validates the XML profile against the profile XSD schema and logs any validation failures. MSXML 6.0 ships with Windows 7 and Vista. It is available for download from Microsoft for Windows XP from the following px?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en

When modifying a profile, be sure to check your typing and make sure the capitalization matches the capitalization in the XML tag names. This is a common error that results in a profile failing validation. For example, attempting to validate a profile that has the following preference entry:

    <UseStartBeforeLogon UserControllable="false">False</UseStartBeforeLogon>

results in the following error message:

Figure 3-1  XML Validation Error

In this example, the value False (initial letter capitalized) should have been false (all lowercase), and the error indicates this.

Deploying the Client Profile to AnyConnect Clients

Follow these steps to configure the security appliance to deploy a profile with the AnyConnect client:

Step 1  Identify to the security appliance the client profiles file to load into cache memory. Go to Configuration > Remote Access VPN > Network (Client) Access > Advanced > Client Settings (Figure 3-2).

Step 2  In the SSL VPN Client Profiles area, click Add. The Add SSL VPN Client Profiles dialog box appears.

Figure 3-2  Adding or Editing an AnyConnect VPN Client Profile

Step 3  Enter the profile name and profile package names in their respective fields. To browse for a profile package name, click Browse Flash. The Browse Flash dialog box appears (Figure 3-3).

Figure 3-3  Browse Flash Dialog Box

Step 4  Select a file from the table. The file name appears in the File Name field below the table. Click OK. The file name you selected appears in the Profile Package field of the Add or Edit SSL VPN Client Profiles dialog box. Click OK in the Add or Edit SSL VPN Client dialog box. This makes profiles available to group policies and username attributes of client users.

Step 5  To specify a profile for a group policy, go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies (Figure 3-4).

Figure 3-4  Specify the Profile to Use in the Group Policy

Step 6  Deselect Inherit and select a Client Profile to Download from the drop-down list.

Step 7  When you have finished with the configuration, click OK.

Configuring the AnyConnect Local Policy

The AnyConnect Local Policy specifies additional security parameters for the AnyConnect VPN client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS) 140-2, a U.S. government standard for specific security requirements for cryptographic modules. The FIPS 140-2 standard applies to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems.

Other parameters in the AnyConnect Local Policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings.

AnyConnect Local Policy parameters reside in an XML file called AnyConnectLocalPolicy.xml. This file is not deployed by the ASA 5500 Series security appliance. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.

This section covers the following topics:

• AnyConnect Local Policy File Example, page 3-9
• Changing Parameters for Windows Clients Using Our MST File, page 3-9
• Changing Parameters Manually in the AnyConnect Local Policy File, page 3-10

AnyConnect Local Policy File Example

The following is an example of the AnyConnect Local Policy file:

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectLocalPolicy acversion="2.4.140"
      xmlns="http://schemas.xmlsoap.org/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
      <FipsMode>false</FipsMode>
      <BypassDownloader>false</BypassDownloader>
      <RestrictWebLaunch>false</RestrictWebLaunch>
      <StrictCertificateTrust>false</StrictCertificateTrust>
      <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
      <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
    </AnyConnectLocalPolicy>

Changing Parameters for Windows Clients Using Our MST File

For Windows installations, you can apply the MST file we provide to the standard MSI installation file to change AnyConnect Local Policy parameters, including enabling FIPS mode. The installation generates an AnyConnect Local Policy file with FIPS enabled.

For information about where you can download our MST, see the licensing information you received for the FIPS client.

The MST file contains the following custom rows. The names correspond to the parameters in the AnyConnect Local Policy file (AnyConnectLocalPolicy.xml). See Table 3-3 for the descriptions and values you can set for these parameters:

• LOCAL_POLICY_BYPASS_DOWNLOADER
• LOCAL_POLICY_FIPS_MODE
• LOCAL_POLICY_RESTRICT_PREFERENCE_CACHING
• LOCAL_POLICY_RESTRICT_TUNNEL_PROTOCOLS
• LOCAL_POLICY_RESTRICT_WEB_LAUNCH
• LOCAL_POLICY_STRICT_CERTIFICATE_TRUST

Changing Parameters Manually in the AnyConnect Local Policy File

To change AnyConnect Local Policy parameters manually, follow this procedure:

Step 1  Retrieve a copy of the AnyConnect Local Policy file (AnyConnectLocalPolicy.xml) from a client installation. Table 3-1 shows the installation path for each operating system.

Table 3-1  Operating System and AnyConnect Local Policy File Installation Path

Operating System   Installation Path
Windows 7          C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
Windows Vista      C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
Windows XP         C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client
Windows Mobile     %PROGRAMFILES%\Cisco AnyConnect VPN Client
Linux              /opt/cisco/vpn
Mac OS X           /opt/cisco/vpn

Step 2  Edit the parameter settings. The example below shows the contents of the AnyConnect Local Policy file for Windows:

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectLocalPolicy acversion="2.4.140"
      xmlns="http://schemas.xmlsoap.org/encoding/"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
      <FipsMode>false</FipsMode>
      <BypassDownloader>false</BypassDownloader>
      <RestrictWebLaunch>false</RestrictWebLaunch>
      <StrictCertificateTrust>false</StrictCertificateTrust>
      <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
      <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
    </AnyConnectLocalPolicy>

Step 3  Save the file as AnyConnectLocalPolicy.xml and deploy the file to remote computers using a corporate IT software deployment system.

Configuring Start Before Logon

Start Before Logon (SBL) forces the user to connect to the enterprise infrastructure over a VPN connection before logging on to Windows by starting the AnyConnect client before the Windows login dialog box appears. After authenticating to the security appliance, the Windows login dialog appears, and the user logs in as usual. SBL is only available for Windows and lets you control the use of login scripts, password caching, mapping network drives to local drives, and more.

Note: The AnyConnect client does not support SBL for Windows XP x64 (64-bit) Edition.

To enable the SBL feature, you must make changes to the AnyConnect client profile and enable the security appliance to download a client module for SBL.

Reasons you might consider for enabling SBL for your users include:

• The user's computer is joined to an Active Directory infrastructure.
• The user cannot have cached credentials on the computer (the group policy disallows cached credentials).
• The user must run login scripts that execute from a network resource or need access to a network resource.
• A user has network-mapped drives that require authentication with the Microsoft Active Directory infrastructure.
• Networking components (such as MS NAP/CS NAC) exist that might require connection to the infrastructure.

Within the AnyConnect client, the only configuration you do for SBL is enabling the feature. Network administrators handle the processing that goes on before logon based upon the requirements of their situation. Logon scripts can be assigned to a domain or to individual users. Generally, the administrators of the domain have batch files or the like defined with users or groups in Microsoft Active Directory. As soon as the user logs on, the login script executes.

SBL creates a network that is equivalent to being on the local corporate LAN. For example, with SBL enabled, since the user has access to the local infrastructure, the logon scripts that would normally run when a user is in the office would also be available to the remote user.

For information about creating logon scripts, see the following Microsoft TechNet article: 033.mspx?mfr=true

For information about using local logon scripts in Windows XP, see the following Microsoft article: http://www.windowsnetworking.com/articles_tutorials/wxpplogs.html

In another example, a system might be configured to not allow cached credentials to be used to log on to the computer. In this scenario, users must be able to communicate with a domain controller on the corporate network for their credentials to be validated prior to gaining access to the computer.

SBL requires a network connection to be present at the time it is invoked. In some cases, this might not be possible, because a wireless connection might depend on credentials of the user to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a login, a connection would not be available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across login, or another wireless authentication needs to be configured, for SBL to work.

AnyConnect is not compatible with fast user switching.

This section covers the following topics:

• Installing Start Before Logon Components (Windows Only), page 3-11
• Configuring Start Before Logon (PLAP) on Windows 7 and Vista Systems, page 3-15

Installing Start Before Logon Components (Windows Only)

The Start Before Logon components must be installed after the core client has been installed. Additionally, the AnyConnect 2.2 Start Before Logon components require that version 2.2, or later, of the core AnyConnect client software be installed. If you are pre-deploying the AnyConnect client and the Start Before Logon components using the MSI files (for example, you are at a big company that has its own software deployment, such as Altiris, Active Directory, or SMS), then you must get the order right. The order of the installation is handled automatically when the administrator loads AnyConnect if it is web deployed and/or web updated.

Differences Between Windows Vista and Pre-Vista Start Before Logon

The procedures for enabling SBL differ slightly on Windows Vista systems. Pre-Vista systems use a component called VPNGINA (which stands for virtual private network graphical identification and authentication) to implement SBL. Vista systems use a component called PLAP to implement SBL.

In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides Start Before Logon functions on Windows Vista. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.

Note: In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista systems.

In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.

A GINA is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or to activate any Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.

The sections that immediately follow describe the settings and procedures for both VPNGINA and PLAP SBL. For a complete description of enabling and using the SBL feature (PLAP) on a Windows Vista platform, see Configuring Start Before Logon (PLAP) on Windows 7 and Vista Systems, page 3-15.

Profile Parameters for Enabling SBL

The element value for UseStartBeforeLogon allows this feature to be turned on (true) or off (false). If you set this value to true in the profile, additional processing occurs as part of the logon sequence. See the Start Before Logon description for additional details.

You enable SBL by setting the UseStartBeforeLogon value in the AnyConnect profile to true:

    <ClientInitialization>
      <UseStartBeforeLogon>true</UseStartBeforeLogon>
    </ClientInitialization>

To disable SBL, set the same value to false.

The following table shows the settings.

Table 3-2  UseStartBeforeLogon Client Initialization Tag

Default Value (1)   Possible Values (2)   User Controllable   User Controllable by Default (3)   OSs Supported
true                true, false           true                Yes                                Windows 7, Vista, and XP

1. AnyConnect uses the default value if the profile does not specify one.
2. Insert the parameter value between the beginning and closing tags; for example, <UseStartBeforeLogon>true</UseStartBeforeLogon>.
3. The user controllable attribute is defined inside the preference tags; for example, <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>. Its possible values are "true" or "false", and these determine which preferences are overridden by the preferences*.xml files. This is an optional attribute, and if not defined, the default value is used. Preferences made UserControllable="true" in the profile are visible in the Preferences dialog.

Making SBL User-Controllable

To make SBL user-controllable, use the following statement when enabling SBL:

    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>

To revert to the default, in which SBL is not user-controllable, set the UserControllable preference within the UseStartBeforeLogon preference to false.

Enabling SBL on the Security Appliance

To minimize download time, the AnyConnect client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. To enable SBL, you must specify the SBL module name in group policy on the security appliance.

In addition, you must ensure that the UseStartBeforeLogon parameter, within the profile file you specified for the group policy, is set to true. For example:

    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

Note: The user must reboot the remote computer before SBL takes effect.

To specify the SBL module on the security appliance, follow this procedure:

Step 1  Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies (Figure 3-5).

Step 2  Select a group policy and click Edit. The Edit Internal Group Policy window displays.

Step 3  Select Advanced > SSL VPN Client in the left-hand navigation pane. SSL VPN settings display.

Step 4  Uncheck the Inherit box for the Optional Client Module for Download setting.

Step 5  Select the Start Before Logon module in the drop-down list.

Figure 3-5  Specifying the SBL Module to Download

Using the Manifest File

The AnyConnect package that is uploaded on the security appliance contains a file called VPNManifest.xml. The following example shows some sample content of this file:

    <?xml version="1.0" encoding="UTF-7"?>
    <vpn rev="1.0">
      <file version="2.1.0150" id="VPNCore" is_core="yes" type="exe" action="install">
        <uri>binaries/anyconnect-win-2.1.0150-web-deploy-k9.exe</uri>
      </file>
      <file version="2.1.0150" id="gina" is_core="yes" type="exe" action="install" module="vpngina">
        <uri>9.exe</uri>
      </file>
    </vpn>

The security appliance has stored on it configured profiles, as explained in Step 1 above, and it also stores one or multiple AnyConnect packages that contain the AnyConnect client itself, downloader utility, manifest file, and any other optional modules or supporting files.

When a remote user connects to the security appliance using WebLaunch or a previously installed client, the downloader is downloaded first and run, and it uses the manifest file to ascertain whether there is an existing client on the remote user's computer that needs to be upgraded, or whether a fresh installation is required. The manifest file also contains information about whether there are any optional modules that must be downloaded and installed, in this case the VPNGINA. The installation of VPNGINA is activated if the group-policy of the user specifies SBL as an opti
