Anyconnect Web Security



Introduction

This document describes how to deploy the AnyConnect Web Security module for client-based VPN connections that terminate on Cisco Adaptive Security Appliances (ASA).

  • Cisco AnyConnect Web Security Module is a software program developed by Cisco Systems. The most common release is 3.1.05170, with over 98% of all installations currently using this version.
  • You can deploy the Web Security module and benefit from the ScanSafe web scanning services without having to install an ASA.

Prerequisites

Requirements

There are no specific requirements for this document.

Components used


This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

  • Upload the AnyConnect image (v4.1 or later recommended) to the ASA
  • Enable the VPN profile on ASA, as shown in the image

Configure

Anyconnect WebSecurity deployment through ASA

The steps involved in configuration are:

  • Configure Anyconnect Websecurity client profile
  • Edit Anyconnect VPN group policy
  • Set split exclusion for Web Security and select download Web Security client module
  • Edit Anyconnect VPN group policy and select the Web Security client profile

Step 1. Configuring Anyconnect Websecurity Client profile

Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile, click Add, and select the AnyConnect Web Security Client Profile.

Note: The Profile Name is hard-coded on the client side, so regardless of the name configured, the ASA always pushes out Websecurity_serviceprofile.wso to the client.

Note: This is a default profile without authentication license key.

Step 2. Edit the newly created profile to add authentication license key and customize the configuration.

Step 3. Set split exclusion for Web Security and select download Web security client module

Edit Anyconnect VPN group policy, as shown in the image.

As shown in the image, set up split exclusion for Web Security.

Select download Web Security client module, as shown in the image.

Step 4. Download Web security client profile

Edit the AnyConnect VPN group policy: under Client Profiles to Download, click Add and choose the profile created in Step 1.

Click OK and apply the changes.
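
A configuration check for the result of Steps 3 and 4, as an added example that is not part of the original document: it reads a saved ASA running-config and reports, per group policy, which of the split exclusion, Web Security module and Web Security profile settings are absent. The sample config is constructed; the policy, list and profile names are placeholders, and the CLI form of these ASDM settings is an assumption.

```python
import re

# Constructed running-config excerpt; names are placeholders, and the CLI
# form of the ASDM settings is assumed rather than taken from the page.
SAMPLE_CONFIG = """\
group-policy GP_REMOTE attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value WEBSEC_EXCLUDE
 webvpn
  anyconnect modules value dart,websecurity
  anyconnect profiles value WebSec_Profile type websecurity
group-policy GP_LEGACY attributes
 split-tunnel-policy tunnelall
 webvpn
  anyconnect modules value dart
"""

def group_policies(config):
    """Map each group-policy name to its indented attribute lines, stripped."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level line closes the block
    return policies

def websecurity_gaps(config):
    """Return {policy: [settings from Steps 3 and 4 that are missing]}."""
    report = {}
    for name, lines in group_policies(config).items():
        modules = [m for l in lines if l.startswith("anyconnect modules value ")
                   for m in l.split()[-1].split(",")]
        missing = []
        if "split-tunnel-policy excludespecified" not in lines:
            missing.append("split exclusion")
        if "websecurity" not in modules:
            missing.append("Web Security module")
        if not any(re.fullmatch(r"anyconnect profiles value \S+ type websecurity", l)
                   for l in lines):
            missing.append("Web Security profile")
        report[name] = missing
    return report

if __name__ == "__main__":
    print(websecurity_gaps(SAMPLE_CONFIG))
```

Only lines set directly on a group policy are read, so a policy that inherits a setting from its parent policy is reported as missing it.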

Verify

When you connect to the AnyConnect VPN, the ASA pushes the AnyConnect Web Security module through the VPN, as shown in the image.

If you are already logged in, it is recommended that you log off and then log back in for the functionality to be enabled.

Upgrade/Downgrade Anyconnect version

The deployment functionality remains unaltered if the version is upgraded. However, downgrade is not possible. So, with the current example of 4.1.x, it can be upgraded to version 4.2.

The steps involved are as follows:

Step 1. Upload the latest AnyConnect package 4.2 to flash and replace 4.1 with the latest file.

Under Anyconnect Client Software > Replace, and then choose the recent image file.

Step 2. When you reconnect to the AnyConnect VPN, the ASA pushes the latest AnyConnect module through the VPN with no alterations to the Web Security profile.

Note: Downgrade is not supported.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Using DART to Gather Troubleshooting Information:

DART is the AnyConnect Diagnostics and Reporting Tool that you can use to collect data useful for troubleshooting AnyConnect installation and connection problems. DART supports Windows 7, Windows Vista, Windows XP, Mac version 10.5 and 10.6, and Linux Redhat. The DART wizard runs on the computer that runs AnyConnect. It assembles the logs, status, and diagnostic information for Cisco Technical Assistance Center (TAC) analysis and does not require administrator privileges.
Although DART does not rely on any component of the AnyConnect software to run, you can launch it from AnyConnect, and it collects the AnyConnect log file if it is available. Currently, DART is available as a standalone installation, or the administrator can push this application to the client PC as part of the AnyConnect dynamic download infrastructure. Once installed, the end user can start the wizard from the Cisco folder available through the Start button.

The Cisco AnyConnect Secure Mobility client is a web-based VPN client that does not require user configuration. Use Cisco AnyConnect VPN to securely access the Student Information System (SIS) and other IT administration systems. VPN, also called IP tunneling, is a secure method of accessing USC computing resources.

This page provides instructions on how to download, install, and connect to the Cisco AnyConnect Secure Mobility client from mobile devices that run the Android operating system.

Note: Due to the many different types of Android devices, not every Android-based device will work in the same way. ITS is not able to guarantee that these instructions will work on every Android device (4.0 and later). This documentation was created using Android 4.2.2 on a Samsung Galaxy Tab.

Installing and Configuring the Cisco AnyConnect Secure Mobility Client

To install and configure the Cisco AnyConnect Secure Mobility client on an Internet-connected Android device:

  1. Download and install the AnyConnect ICS+ client from the Google Play Store.
  2. Once the app has finished installing, select Open to launch the application.
  3. On the next screen, click OK to accept the license agreement.
  4. To configure your USC VPN connection, tap Connection.
  5. On the Advanced Preferences screen, tap Add New VPN Connection.
  6. On the Connection Editor screen, fill in the following information:
    1. In the Description field, type USC.
    2. In the Server Address field, type sslvpn2.usc.edu and then tap Done.

Connecting to VPN

Once you have configured your USC VPN connection, you will need to take the following steps every time you want to connect to VPN:

  • Select the AnyConnect VPN icon from your device and then tap AnyConnect VPN.
  • On the AnyConnect screen:

    1. Choose the appropriate VPN Group Authentication Profile for your location from the Group pull-down menu. For information describing each of these authentication profiles, please see the VPN Frequently Asked Questions page.
    2. In the Username field, enter your USC NetID username. Your USC NetID username and password are the username and password you use to connect to services such as my.usc.edu and Workday.
    3. In the Password field, enter your USC NetID password.
    4. Tap Next.

    NOTE: The first time you connect, you will be asked to trust the application. Check the box next to I trust this application. to accept this and connect to VPN.

  • When you have successfully connected to USC VPN, the app will say Connected under AnyConnect VPN.
Disconnecting from VPN

To disconnect from VPN, move the slider next to AnyConnect VPN to Off.

Getting Help

If you need help installing and connecting to your AnyConnect Secure Mobility client, contact the ITS Customer Support Center.