
SSL VPN
Last Updated: October 19, 2011

The SSL VPN feature (also known as WebVPN) provides support, in Cisco IOS software, for remote user access to enterprise networks from anywhere on the Internet. Remote access is provided through a Secure Sockets Layer (SSL)-enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure VPN tunnel using a web browser. This feature provides a comprehensive solution that allows easy access to a broad range of web resources and web-enabled applications using native HTTP over SSL (HTTPS) browser support. SSL VPN delivers three modes of SSL VPN access: clientless, thin-client, and full-tunnel client support.

This document is primarily for system administrators. If you are a remote user, see the document SSL VPN Remote User Guide.

Note: The Cisco AnyConnect VPN Client is introduced in Cisco IOS Release 12.4(15)T. This feature is the next-generation SSL VPN Client. If you are using Cisco software earlier than Cisco IOS Release 12.4(15)T, you are using the SSL VPN Client and will see the GUI for the SSL VPN Client when web browsing. If you are using Cisco IOS Release 12.4(15)T or a later release, you are using the Cisco AnyConnect VPN Client and will see the GUI for the Cisco AnyConnect VPN Client when web browsing.

Contents:
- Finding Feature Information
- Prerequisites for SSL VPN
- Restrictions for SSL VPN
- Information About SSL VPN
- How to Configure SSL VPN Services on a Router
- Configuration Examples for SSL VPN
- Additional References
- Feature Information for SSL VPN
- Notices

Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Prerequisites for SSL VPN
To securely access resources on a private network behind an SSL VPN gateway, the remote user of an SSL VPN service must have the following:
- An account (login name and password)
- An SSL-enabled browser (for example, Internet Explorer, Netscape, Mozilla, or Firefox)
- Operating system support. "Thin client" support, used for TCP port-forwarding applications, requires administrative privileges on the computer of the remote user. "Tunnel mode" for Cisco SSL VPN requires administrative privileges for the initial installation of the full tunnel client. In short, the remote user must have local administrative privileges to use the thin client or full tunnel client features.
- The SSL VPN gateway and context configuration must be completed before a remote user can access resources on a private network behind an SSL VPN. For more information, see the How to Configure SSL VPN Services on a Router section.
- ACL support: the time range must already be configured.
- Single SignOn Netegrity cookie support: a Cisco plug-in must be installed on the Netegrity SiteMinder server.
- Licensing: in Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A valid license is required for a successful SSL VPN session.
- SSL VPN-supported browsers: the following browsers and operating systems have been verified for SSL VPN. Other browsers might not fully support SSL VPN features.
  - Firefox 2.0 (Windows and Linux)
  - Internet Explorer 6.0 or 7.0
  - Linux (Red Hat RHEL 3.0, Fedora 5, or Fedora 6)
  - Macintosh OS X 10.4.6
  - Microsoft Windows 2000, Windows XP, or Windows Vista
  - Safari 2.0.3
  Note: Later versions of the software listed above are also supported.

Restrictions for SSL VPN
- General Restrictions for SSL VPN
- Cisco AnyConnect VPN Client
- Thin Client Control List Support
- HTTP Proxy
- Features Not Supported on the Cisco IOS SSL VPN

General Restrictions for SSL VPN
- URLs referred to by the Macromedia Flash player cannot be modified for secure retrieval by the SSL VPN gateway.
- Cisco Secure Desktop (CSD) 3.1 and later versions are not supported.

Cisco AnyConnect VPN Client
The Cisco AnyConnect VPN Client is not supported on Windows Mobile when the client connects to a Cisco IOS headend router (supported in Cisco IOS Release 15.0(1)M and later releases). The Cisco AnyConnect VPN Client does not support the following:
- Client-side authentication (supported in Cisco IOS Release 15.0(1)M and later releases)
- Compression
- IPsec
- IPv6 VPN access
- Language translation (localization)
- Sequencing
- Standalone mode (supported in Cisco IOS Release 12.4(20)T and later releases)

Thin Client Control List Support
Although there is no limit on the number of filtering rules that can be applied for each access control list (ACL) entry, keeping the number below 50 should have no impact on router performance.

HTTP Proxy
- The HTTP Proxy feature works only with Microsoft Internet Explorer.
- The HTTP Proxy feature will not work if the browser proxy setup cannot be modified because of security policies placed on the client workstation.

Features Not Supported on the Cisco IOS SSL VPN
The following features are not supported on the Cisco IOS SSL VPN:
- Application Profile Customization Framework (APCF): an XML-based rule set for clientless SSL VPN
- Java and ActiveX client-server plug-ins
- On-board built-in Single Sign On
- Smart Tunnels
- SharePoint support
- Portal page customization
- Using a smartcard for authentication (supported in Cisco IOS Release 15.0(1)M and later releases)
- Support for external statistics reporting and monitoring tools
- Lightweight Directory Access Protocol (LDAP) support
- Dynamic Access Policies (DAP)
- Cisco Unified Communications Manager (Cisco UCM) 8.0.1 VPN-enabled 7900 series IP phones
- The following features introduced in the AnyConnect 2.5.217 release: AnyConnect Profile Editor, Captive Portal Hotspot Detection, Captive Portal Remediation, Client Firewall with Local Printer and Tethered Device Support, Connect Failure Policy, Optimal Gateway Selection, Post Log-in Always-on VPN, and Quarantine
Note: Although you can connect to a Cisco IOS headend using AnyConnect 2.5, the features introduced in AnyConnect 2.5 are not supported. Features introduced in AnyConnect 2.4 and earlier releases are supported when you use AnyConnect 2.5 with a Cisco IOS headend. AnyConnect 3.0 is not supported when connecting to a Cisco IOS headend.

Information About SSL VPN
- SSL VPN Overview
- Licensing
- Modes of Remote Access
- SSL VPN Features
- Other SSL VPN Features
- Platform Support

SSL VPN Overview
Cisco IOS SSL VPN provides SSL VPN remote-access connectivity from almost any Internet-enabled location using only a web browser that natively supports SSL encryption. This feature allows your company to extend access to its secure enterprise network to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled location.
Cisco IOS SSL VPN can also support access from non-corporate-owned machines, including home computers, Internet kiosks, and wireless hot spots. These locations are difficult places to deploy and manage VPN client software and the remote configuration required to support IPsec VPN connections.
The figure below shows how a mobile worker (the lawyer at the courthouse) can access protected resources from the main office and branch offices. Site-to-site IPsec connectivity between the main and remote sites is unaltered. The mobile worker needs only Internet access and supported software (web browser and operating system) to securely access the corporate network.

Figure 1 Secure SSL VPN Access Model

SSL VPN delivers the following three modes of SSL VPN access:
- Clientless: Clientless mode provides secure access to private web resources and web content. This mode is useful for accessing most content that you would expect to access in a web browser, such as Internet access, databases, and online tools that employ a web interface.
- Thin client (port-forwarding Java applet): Thin-client mode extends the capability of the cryptographic functions of the web browser to enable remote access to TCP-based applications such as Post Office Protocol version 3 (POP3), Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP), Telnet, and Secure Shell (SSH).
- Tunnel mode: Full tunnel client mode offers extensive application support through its dynamically downloaded Cisco AnyConnect VPN Client (next-generation SSL VPN Client) for SSL VPN. Full tunnel client mode delivers a lightweight, centrally configured and easy-to-support SSL VPN tunneling client that provides network-layer access to virtually any application.
SSL VPN application accessibility is somewhat constrained relative to IPsec VPNs; however, SSL-based VPNs provide access to a growing set of common software applications, including web page access, web-enabled services such as file access and e-mail, and TCP-based applications (by way of a downloadable thin-client applet). SSL-based VPN requires slight changes to user workflow because some applications are presented through a web browser interface, not through their native GUI. The advantage of SSL VPN comes from accessibility from almost any Internet-connected system without needing to install additional desktop software.

Licensing
Starting in Cisco IOS Release 15.0(1)M, the SSL VPN gateway is a seat-counted licensing feature on the Cisco 880, Cisco 890, Cisco 1900, Cisco 2900, and Cisco 3900 platforms. A license count is associated with each license, and the count indicates the instances of the feature available for use in the system. In the case of SSL VPN, a seat refers to the maximum number of sessions allowed at a time.
You can get the license at http://www.cisco.com/go/license.
For instructions on installing a license using Cisco License Manager (CLM), see the User Guide for Cisco License Manager, Release 2.2 at http://www.cisco.com/en/US/docs/net_mgmt/license_manager/lm_2_2/2.2_user_guide/clm_book.html.
For instructions on installing a license using the Cisco CLI, see the "Cisco IOS Software Activation Tasks and Commands" chapter of the Software Activation Configuration Guide at ion/guide/csa commands ps6441 TSD Products Configuration Guide Chapter.html.
SSL VPN supports the following types of licenses:
- Permanent licenses: No usage period is associated with these licenses. All permanent licenses are node-locked and validated during installation and usage.
- Evaluation licenses: These are metered licenses that are valid for a limited period. The usage period of a license is based on the system clock. Evaluation licenses are built into the image and are not node-locked. They are used only when there are no permanent, extension or grace-period licenses available for a feature. An end-user license agreement (EULA) has to be accepted before using an evaluation license.
- Extension licenses: Extension licenses are node-locked metered licenses. These licenses are installed using the management interfaces on the device. A EULA has to be accepted as part of installation.
- Grace-rehost licenses: Grace-period licenses are node-locked metered licenses. These licenses are installed on the device as part of the rehost operation. A EULA has to be accepted as part of the rehost operation.
For all license types except the evaluation license, a EULA has to be accepted during license installation. This means that all license types except the evaluation license are activated after installation. In the case of an evaluation license, the EULA is presented during an SSL VPN gateway configuration or an SSL VPN context configuration.
An SSL VPN session corresponds to a successful login to the SSL VPN service. An SSL VPN session is created when a valid license is installed and the user credentials are successfully validated. On successful user validation, a request is made to the licensing module to get a seat; the session is created only when that request succeeds. If a valid license is not installed, the SSL VPN gateway and SSL VPN context configurations still succeed, but the user cannot log in. When multiple gateways and contexts are configured, the total number of sessions across all of them is limited to the total sessions allowed by the license.
The same user can create multiple sessions, and a seat count is reserved for each session. A seat is not reserved in the following cases:
- Multiple TCP connections such as web server content, Outlook Web Access (OWA), and Common Internet File System (CIFS) file shares.
- Port-forward session initiation.
- Full tunnel session creation from a browser session.
- A crypto rekey while a full tunnel session is up.
When the number of active sessions equals the maximum license count of the current active license, no new sessions are allowed.
The reserved seat count or session is released when:
- a user logs out.
- a Dead Peer Detection (DPD) failure happens.
- a session timeout occurs.
- an idle timeout occurs.
- a session is cleared administratively using the clear webvpn session command.
- the client disconnects from the tunnel.
- the context is removed, even when there are active sessions.
You can use the show webvpn license command to display the available count and the current usage. To display the current license type and the time period left in the case of a nonpermanent license, use the show license command. To get information related to license operations, events, and errors, use the debug webvpn license command.
For migrating from any Cisco IOS 12.4T release to a Cisco IOS 15.x release, use the license migration tool dminServlet/migrateLicense.
New Cisco IOS SSL VPN licenses that are generated are cumulative, so the old license becomes inactive when a new license is applied. For example, when you upgrade your license from 10 counts to 20 counts (an increase of 10 counts on the current 10 counts), Cisco provides a single 20-count license. The old 10-count license is not required when a permanent license for a higher count is available. However, the old license will remain in an inactive state because there is no reliable method to clear it.
In Cisco IOS Release 15.1(4)M1 and later releases, a Crypto Export Restrictions Manager (CERM) license is reserved only after the user logs in. If you have an Integrated Services Router Generation 2 (ISR G2) router with a CERM license, you must upgrade to Cisco IOS Release 15.1(4)M1 or a later release. Before Cisco IOS Release 15.1(4)M1, a CERM license is reserved for every SSL or Transport Layer Security (TLS) session.

Modes of Remote Access
- Remote Access Overview
- Clientless Mode
- Thin-Client Mode
- Tunnel Mode

Remote Access Overview
End-user login and authentication is performed by the web browser to the secure gateway using an HTTP request. This process creates a session that is referenced by a cookie. After authentication, the remote user is shown a portal page that allows access to the SSL VPN networks. All subsequent requests sent by the browser include the authentication cookie, so the cookie is the credential that identifies the session to the gateway. The portal page provides all the resources available on the internal networks. For example, the portal page could provide a link to allow the remote user to download and install a thin-client Java applet (for TCP port forwarding) or a tunneling client.

The figure below shows an overview of the remote access modes.

Figure 2 Modes of Remote Access Overview

The following table summarizes the level of SSL VPN support that is provided by each access mode.

Table 1 Access Mode Summary
A. Clientless Mode: browser-based (clientless); Microsoft Windows or Linux; web-enabled applications, file sharing, Outlook Web Access; the gateway performs address or protocol conversion and content parsing and rewriting.
B. Thin-Client Mode: TCP port forwarding; uses a Java applet; extends application support (Telnet, e-mail, SSH, Meeting Maker, Sametime Connect); static port-based applications only.
C. Tunnel Mode: works like a "clientless" IPsec VPN; tunnel client loaded through Java or ActiveX (approximately 500 kB); application agnostic (supports all IP-based applications); scalable; local administrative permissions required for installation.

Clientless Mode
In clientless mode, the remote user accesses the internal or corporate network using the web browser on the client machine. The PC of the remote user must run the Windows 2000, Windows XP, or Linux operating system.
The following applications are supported in clientless mode:
- Web browsing (using HTTP and HTTPS): provides a URL box and a list of web server links in the portal page that allow the remote user to browse the web.
- File sharing (using the Common Internet File System [CIFS]): provides a list of file server links in the portal page that allows the remote user to do the following operations:
  - Browse a network (listing of domains)
  - Browse a domain (listing of servers)
  - Browse a server (listing of shares)
  - List the files in a share
  - Create a new file
  - Create a directory
  - Rename a directory
  - Update a file
  - Download a file
  - Remove a file
  - Rename a file
  Note: Linux requires that the Samba application be installed before CIFS file shares can be remotely accessed.
- Web-based e-mail, such as Microsoft Outlook Web Access (OWA) 2003 (using HTTP and HTTPS) with Web Distributed Authoring and Versioning (WebDAV) extensions: provides a link that allows the remote user to connect to the Exchange server and read web-based e-mail.

Thin-Client Mode
Thin-client mode, also called TCP port forwarding, assumes that the client application uses TCP to connect to a well-known server and port. In thin-client mode, the remote user downloads a Java applet by clicking the link provided on the portal page, or the Java applet is downloaded automatically (see the Options for Configuring HTTP Proxy and the Portal Page section). The Java applet acts as a TCP proxy on the client machine for the services that you configure on the gateway.
The applications that are supported in thin-client mode are mainly e-mail-based (SMTP, POP3, and Internet Message Access Protocol version 4 [IMAP4]) applications.
Note: The TCP port-forwarding proxy works only with the Sun Microsystems Java Runtime Environment (JRE) version 1.4 or later. A Java applet loaded through the browser verifies the JRE version and refuses to run if a compatible JRE version is not detected.
The Java applet initiates an HTTP request from the remote user client to the SSL VPN gateway. The name and port number of the internal e-mail server are included in the HTTP request (POST or CONNECT). The SSL VPN gateway creates a TCP connection to that internal e-mail server and port. The Java applet starts a new SSL connection for every client connection.
Observe the following restrictions when using thin-client mode:
- The remote user must allow the Java applet to download and install.
- You cannot use thin-client mode for applications such as FTP, where the ports are negotiated dynamically. You can use TCP port forwarding only with static ports.
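The thin-client (TCP port-forwarding) configuration that the description above implies, written out as an added Cisco IOS example that is not part of the original document. The gateway, context, port-forward list and policy group names (SSLVPN-GW, SSLVPN-CTX, MAIL-PF, SSLVPN-POLICY), the 203.0.113.10 address, the local user and the example.com server names are all assumptions; verify the exact keyword syntax against the command reference for your release.

```cisco
! Added example, not from the original document. Names, addresses and
! hostnames are assumptions; check keyword syntax for your IOS release.
aaa new-model
aaa authentication login SSLVPN-AAA local
username alice secret Str0ngP@ss
!
! Certificate the gateway presents to browsers (self-signed here; run
! "crypto pki enroll SSLVPN-TP" once in exec mode to generate it).
crypto pki trustpoint SSLVPN-TP
 enrollment selfsigned
 subject-name CN=sslvpn.example.com
 rsakeypair SSLVPN-KEY
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint SSLVPN-TP
 ! Do not add "ssl encryption 3des-sha1 aes-sha1" on a gateway that serves
 ! the port-forwarding applet: the page notes a Java compatibility issue.
 inservice
!
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AAA
 !
 ! Port-forward list. Only fixed server ports can be listed, which is why
 ! FTP-style dynamically negotiated data ports cannot use thin-client mode.
 port-forward "MAIL-PF"
  local-port 30025 remote-server "smtp.example.com" remote-port 25 description "SMTP"
  local-port 30110 remote-server "pop.example.com" remote-port 110 description "POP3"
  local-port 30143 remote-server "imap.example.com" remote-port 143 description "IMAP4"
  local-port 30022 remote-server "bastion.example.com" remote-port 22 description "SSH"
 !
 policy group SSLVPN-POLICY
  ! auto-download pushes the applet at login instead of waiting for a click.
  port-forward "MAIL-PF" auto-download
 default-group-policy SSLVPN-POLICY
 inservice
```

After login the applet listens on the configured local ports on the remote PC and relays each accepted connection to the gateway over its own SSL connection, so the user's mail or SSH client is pointed at the local port rather than at the internal server. Confirm that sessions are consuming seats as expected with show webvpn session context all and show webvpn license.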

Note: There is a known compatibility issue between the encryption type and Java. If the Java port-forwarding applet does not download properly and the configuration line ssl encryption 3des-sha1 aes-sha1 is present, remove the line from the WebVPN gateway subconfiguration.

- Options for Configuring HTTP Proxy and the Portal Page

Options for Configuring HTTP Proxy and the Portal Page
Effective with Cisco IOS Release 12.4(11)T, administrators have more options for configuring the HTTP proxy and the portal page. If HTTP proxy is enabled, the Java applet acts as the proxy for the user's browser, thereby connecting the client workstation with the gateway. The home page of the user (as defined by the user group) is opened automatically or, if configured by the administrator, the user is directed to a new website.
HTTP proxy supports both HTTP and HTTPS.

Benefits of Configuring HTTP Proxy
HTTP proxy supports all client-side web technologies (including HTML, Cascading Style Sheets [CSS], JavaScript, VBScript, ActiveX, Java, and Flash), HTTP Digest authentication, and client certificate authentication. Remote users can use their own bookmarks, and there is no limit on cookies. Because no content mangling is involved and the client can cache objects, performance is much improved over the earlier options for configuring the HTTP proxy and portal page.

Illustrations of Port Forwarding with and Without an HTTP Proxy Configuration
The figure below illustrates TCP port forwarding without HTTP proxy configured.

Figure 3 TCP Port Forwarding Without HTTP Proxy Configured

In the figure above, the following steps occur:
1. User downloads the proxy applet.
2. Applet updates the registry to add HTTP as a Remote Procedure Call (RPC) transport.
3. Applet examines the registry to determine the Exchange (and local catalog) server and creates server entries that refer to those servers.
4. Applet opens local port 80 and listens for connections.
5. User starts Outlook, and Outlook connects to 10.0.0.254:80.
6. Applet opens a connection to the secure gateway and delivers the requests from Outlook.
7. Secure gateway examines the requests to determine the endpoint Exchange server.
8. Data flows from Outlook, through the applet and the secure gateway, to the Exchange server.
9. User terminates Outlook.
10. User closes the applet. Before closing, the applet undoes configuration Steps 3 and 4.

The figure below illustrates TCP port forwarding when HTTP proxy is configured.

Figure 4 HTTP Proxy

In the figure above, the following steps occur:
1. Proxy applet is downloaded automatically.
2. Applet saves the original proxy configuration of the browser.
3. Applet updates the proxy configuration of the browser to be the local loopback address with an available local port (by default, port 8080).
4. Applet opens the available local port and listens for connections.
5. Applet, if so configured, opens the home page of the user, or the user browses to a new website.
6. Applet accepts and inspects each HTTP or HTTPS request to determine the destination web server.
7. Applet opens a connection to the secure gateway and delivers the requests from the browser.
8. Secure gateway examines the requests to determine the endpoint web server.
9. Data flows from the browser, through the applet and the secure gateway, to the web server.
10. User closes the applet. Before closing, the applet undoes configuration Steps 2 and 3.

Note: HTTP proxy can also be enabled on an authentication, authorization, and accounting (AAA) server. See the table SSL VPN RADIUS Attribute-Value Pairs in the Configuring RADIUS Attribute Support for SSL VPN section (port-forward-http-proxy and port-forward-http-proxy-url attributes).

Tunnel Mode
In a typical clientless remote access scenario, remote users establish an SSL tunnel to move data to and from the internal networks at the application layer (for example, web and e-mail). In tunnel mode, remote users use an SSL tunnel to move data at the network (IP) layer. Therefore, tunnel mode supports most IP-based applications, including many popular corporate applications (for example, Microsoft Outlook, Microsoft Exchange, Lotus Notes e-mail, and Telnet).
The tunnel connection is determined by the group policy configuration. The Cisco AnyConnect VPN Client is downloaded and installed on the remote user PC, and the tunnel connection is established when the remote user logs into the SSL VPN gateway.
By default, the Cisco AnyConnect VPN Client is removed from the client PC after the connection is closed. However, you have the option to keep the Cisco AnyConnect VPN Client installed on the client PC.

SSL VPN Features
- Access Control Enhancements
- SSL VPN Client-Side Certificate-Based Authentication
- AnyConnect Client Support
- Application ACL Support
- Automatic Applet Download
- Backend HTTP Proxy
- Front-Door VRF Support
- Full-Tunnel Cisco Express Forwarding Support
- GUI Enhancements
- Internationalization
- Max-User Limit Message
- Netegrity Cookie-Based Single SignOn Support
- NTLM Authentication
- RADIUS Accounting
- Stateless High Availability with Hot Standby Router Protocol
- TCP Port Forwarding and Thin Client
- URL Obfuscation
- URL Rewrite Splitter
- User-Level Bookmarking
- Virtual Templates
- License String Support for the 7900 VPN Client
- SSLVPN DVTI Support
- SSL VPN Phase-4 Features
- DTLS Support for IOS SSL VPN
- Cisco AnyConnect VPN Client Full Tunnel Support

Access Control Enhancements
Effective with Cisco IOS Release 12.4(20)T, administrators can configure automatic authentication and authorization for users. Users provide their usernames and passwords via the gateway page URL and do not have to reenter them on the login page. Authorization is enhanced to support more generic authorization, including local authorization. In previous releases, only RADIUS authorization was supported.
For information about configuring this feature, see the Configuring Automatic Authentication and Authorization section.

SSL VPN Client-Side Certificate-Based Authentication
This feature enables SSL VPN to authenticate clients based on the client's AAA username and password and also supports WebVPN gateway authentication of clients using AAA certificates.
The SSL VPN Client-Side Certificate-Based Authentication feature includes the following:
- Certificate-Only Authentication and Authorization Mode
- Two-Factor Authentication and Authorization Mode
- Identification of WebVPN Context at Runtime Using Certificate Map Match Rules
- Support for AnyConnect Client to Implement Certificate Matching Based on Client Profile Attributes

Certificate-Only Authentication and Authorization Mode
Certificate-only authorization requires the user to provide a AAA authentication certificate as part of the WebVPN request, but does not require a username and password for authorization. The user requests WebVPN access with the AAA authentication certificate from the WebVPN gateway. The WebVPN gateway validates the identity of the client using the AAA authentication certificate presented to it, extracts the username from that certificate, and uses it as the username in the AAA request. AAA authentication and AAA authorization are then completed with a hard-coded password. Because that password carries no secret, the strength of a certificate-only login rests entirely on the gateway's validation of the certificate, including the revocation checking configured on the trustpoint. To configure certificate-only authorization, use the authentication certificate command.

Two-Factor Authentication and Authorization Mode
Two-factor authorization requires the user to request WebVPN access and present a AAA authentication certificate. The AAA authentication certificate is validated and the client's identity is verified. The WebVPN gateway then presents the login page to the user. The user enters a username and password, and WebVPN sends AAA authentication and AAA authorization requests to the AAA server. The AAA authentication list and the AAA authorization list configured on the server are then used for authentication and authorization. To configure two-factor authentication and authorization mode, use the authentication certificate aaa command.
Note: If the username-prefill command is configured, the username textbox on the login page is disabled and the user is asked only for a password on the login page.

Identification of WebVPN Context at Runtime Using Certificate Map Match Rules
Certificate map match rules are used by SSL VPN to identify the WebVPN context at runtime. The WebVPN context is required for the AAA authentication and authorization mode and the trustpoint configuration. When the user does not provide the WebVPN context, the context can be identified at runtime by matching the certificate presented by the client against the certificate map match rules. To configure certificate map matching in WebVPN, use the match-certificate command.

Support for AnyConnect Client to Implement Certificate Matching Based on Client Profile Attributes
The Cisco AnyConnect client has certificate match functionality that allows it to select a suitable certificate when initiating a tunnel connection with SSL VPN. In standalone mode, the certificate selection is made based on the certificate match. When selecting a certificate, the Cisco AnyConnect client can select the appropriate certificate based on the AnyConnect client profile attributes. This requires SSL VPN to support AnyConnect client profiles. The profile file is imported, after modification by the administrator, using the svc profile command. To create an AnyConnect client profile, use the template that appears after installing Cisco AnyConnect in this location: \Documents and Settings\All Users\Application Data\Cisco\Cis
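The certificate-only and two-factor modes, runtime context selection by certificate map, and username-prefill described in the SSL VPN Client-Side Certificate-Based Authentication section above, as an added Cisco IOS configuration example that is not taken from the original document. The trustpoint, certificate map, gateway and context names, the 203.0.113.10 address and the OU=Sales match are assumptions; the ca trustpoint keyword under the context and the exact syntax of the certificate-authentication commands should be verified against the command reference for your release, and how the AAA server treats the hard-coded password in certificate-only mode is a deployment assumption.

```cisco
! Added example, not from the original document. Names and the OU match are
! assumptions; verify command syntax against the command reference for your
! release (the "ca trustpoint" context keyword in particular is assumed).
aaa new-model
aaa authentication login SSLVPN-AAA group radius
aaa authorization network SSLVPN-AUTHZ group radius
!
! CA that issues the client (AAA authentication) certificates. Revocation
! checking matters most in certificate-only mode, where no password is
! verified and a revoked certificate must be rejected here.
crypto pki trustpoint CLIENT-CA
 enrollment terminal
 revocation-check crl
!
! Certificate map: a client certificate whose subject contains OU=Sales
! selects the SALES-CTX context when the URL does not name a context.
crypto pki certificate map SALES-CERTMAP 10
 subject-name co ou = sales
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.10 port 443
 ssl trustpoint SSLVPN-TP
 inservice
!
webvpn context SALES-CTX
 gateway SSLVPN-GW
 ! Runtime context identification from the presented client certificate.
 match-certificate SALES-CERTMAP
 ! Trustpoint used to validate the client's AAA authentication certificate.
 ca trustpoint CLIENT-CA
 ! Two-factor mode: a valid certificate first, then username/password to AAA.
 ! Use "authentication certificate" (without "aaa") for certificate-only
 ! mode, where the username is extracted from the certificate and the AAA
 ! request is sent with a hard-coded password.
 authentication certificate aaa
 ! Username textbox is disabled; the name from the certificate is prefilled,
 ! so the password entered is always checked against that identity.
 username-prefill
 aaa authentication list SSLVPN-AAA
 aaa authorization list SSLVPN-AUTHZ
 policy group SALES-POLICY
 default-group-policy SALES-POLICY
 inservice
```

With username-prefill, the identity the password is checked against is fixed by the certificate, so a user holding a valid certificate cannot supply a different username on the login page; switching the context to certificate-only mode removes the password step entirely and leaves the trustpoint's certificate and revocation checks as the only gate.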
