 Feedback
|
Table Of Contents
Release Notes for Cisco AnyConnect VPN Client, Release 2.0, for HP webOS
Devices Supported by Cisco AnyConnect 2.4 for HP webOS
Security Appliances and Software Supported
Limitations of the AnyConnect Secure Mobility Client for HP webOS
Configuration and Deployment Overview
HP webOS Specific Considerations
Configuring the ASA for Use with webOS
Release Notes for Cisco AnyConnect VPN Client, Release 2.0, for HP webOS
Updated: November 2010Contents
This document includes the following sections:
•
Devices Supported by Cisco AnyConnect 2.4 for HP webOS
•
•
Overview
This document is intended as a supplement to the Cisco AnyConnect 2.4 Administrator Guide and includes only HP webOS specific information. For additional information refer to the following topics in the 2.4 Administrator Guide:
•
–
–
–
–
•
Introduction
The Cisco AnyConnect Secure Mobility Client provides remote users with secure VPN connections to the Cisco ASA 5500 Series using the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol.
The Cisco AnyConnect Secure Mobility Client for HP webOS provides seamless and secure remote access to enterprise networks. The client provides a full tunneling experience that allows any installed application to communicate as though connected directly to the enterprise network. It runs on HP webOS version 2.0 or later and supports connections over an IPv4 network tunnel. AnyConnect is integrated as part of HP webOS VPN. Updates to AnyConnect functionality will be provided by HP when available.
Devices Supported by Cisco AnyConnect 2.4 for HP webOS
The Cisco AnyConnect Secure Mobility Client requires HP webOS 2.0 or later and runs on all compatible devices.
Security Appliances and Software Supported
The Cisco AnyConnect Secure Mobility Client supports all Cisco Adaptive Security Appliance models. It does not support PIX devices. See the Adaptive Security Appliance VPN Compatibility Reference: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html for a complete list of compatibility requirements.
Table 1 shows the minimum Cisco ASA 5500 software images that support AnyConnect.
Table 1 Software Images that Support AnyConnect, Release 2.4
ASA Boot image
8.0(3).1 or later
Adaptive Security Device Manager (ASDM)
6.1(3).1 or later
Note
Supported Features
The following AnyConnect features are supported:
•
–
•
–
–
–
–
–
–
•
–
–
–
–
•
–
–
–
–
–
•
•
–
–
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Limitations of the AnyConnect Secure Mobility Client for HP webOS
The initial release of Cisco AnyConnect Secure Mobility Client for HP webOS supports only the features that are strictly related to remote access.
Tunnel Keep-Alive is supported, but this may reduce the battery life of the device if the update interval is set to the minimum value.
Because webOS 2.0 does not support AnyConnect client profiles, you must configure the ASA for use with webOS (see the "Configuring the ASA for Use with webOS" section.)
When you connect to tunnel groups configured for CSD, a "Posture Assessment Failed" message is displayed. You should use group URLs that bypass CSD. The workaround for this is only for webOS 2.0 on launch.
Note
Client Installation
The Palm comes equipped with a pre-installed client. For client support and updates, refer to this site http://www.palm.com/intl/support/index.html.
Configuration and Deployment Overview
Very few steps are required to set up the Cisco AnyConnect Secure Mobility Client. The client needs only:
•
•
Connection Persistence
AnyConnect for HP webOS supports a full suite of authentication capabilities similar to the AnyConnect for Windows, Mac OS X, and Linux.
To achieve the most transparent end user experience, you should use certificate-only authentication.
Network Roaming
The Network Roaming, or reconnect, feature enables AnyConnect to re-establish VPN connectivity when switching between networks, for example EDGE/1xRTT, 3G/EVDO, and Wi-Fi. This provides the user with seamless mobility and a secure connection that persists across networks.
Note
The ASA administrator has full control over the tunneling policy. You can require that all network traffic to the corporate network uses the VPN connection, or you can enable a split tunneling policy that will tunnel only certain networks. For further details refer to your ASA Administrator Guide.
Recommended Configurations
For the best user experience, Cisco recommends that system administrators run the latest maintenance release of ASA. Specific caveats have been fixed in the ASA that affect mobile clients (such as CSCti08822—ASA sends TCP keepalive packets for CSTP tunnel and CSCtj46900—Last CSD data element is not being loaded into DAP).
Also, Cisco recommends using multiple tunnel-groups for mobile devices, depending on the authentication configuration. You will have to decide how best to balance user experience with security.
For AAA-based authentication tunnel-groups for mobile devices, the tunnel-group should have a very long idle-timeout (such as 24 hours). This enables the client to remain in Reconnecting state without requiring the user to re-authenticate. You should consider setting a shorter idle timeout for certificate-only based authentication compared to AAA-based authentication.
HP webOS Specific Considerations
The following considerations should be taken into account when deploying the Cisco AnyConnect Security Mobility Client 2.4 to HP webOS devices.
•
•
Note
Known Issues
The following items are known issues with the AnyConnect client and are scheduled to be fixed in the first maintenance release of HP webOS 2.0.
•
•
•
Configuring the ASA for Use with webOS
WebOS 2.0 does not support AnyConnect client profiles. Perform the following to configure support for webOS 2.0 VPN connections.
Step 1
For example, on ASDM 6.3, choose Configuration > Network (Client) Access > Group Policies > Add > Advanced > SSL VPN Client and do not specify any profiles. Uncheck Inherit next to Client Profiles to download if the policy is not the default group policy.
Step 2
Step 3
Step 4
asa1(config)#tunnel-group webOS webvpn-attributesasa1(config-tunnel-webvpn)# without-csdCSCtj36459 is preventing ASA support for webOS connections if CSD is enabled; therefore, you must disable CSD on the tunnel group. This caveat is scheduled to be fixed in the first maintenance release of webOS 2.0.
Step 5
Troubleshooting
Initially you should enable logging and follow the troubleshooting steps in the webOS 2.0 help documentation. If you are unable to resolve the issue by following those steps, try the following:
•
•
•
Support Policy
If you are experiencing issues with the AnyConnect client, including configuration, setup, and operation of AnyConnect on HP products, contact HP support at 1-877-426-3777 or visit their support website at http://www.palm.com/intl/support/index.html.
If you are experiencing issues with configuring Cisco head-end equipment, including configuration, setup, and operation of that equipment, contact Cisco support at 1-800-553-2447 or visit our support website at http://tools.cisco.com/ServiceRequestTool/create.
Note
Notices and Licensing
See the following sections for Cisco AnyConnect Secure Mobility Client license information.
The following options support full AnyConnect client functionality while specifying the number of SSL VPN sessions supported:
•
•
These licenses are mutually exclusive per device (that is, per security appliance), but you can configure a mixed network. A nominally priced AnyConnect Mobile license is also required.
License Options
For brief descriptions and example product numbers (SKUs) of the AnyConnect user license options, see Cisco Secure Remote Access: VPN Licensing Overview.
For the latest detailed information about the AnyConnect user license options, see Managing Feature Licenses in the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3.
End-User License Agreement
For the end-user license agreement, go to: http://www.cisco.com/univercd/cc/td/doc/es_inpck/eu1jen__.pdf
OpenSSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
For Open Source License information for this product, please see the following link: http://www.cisco.com/en/US/docs/security/asa/asa83/license/opensrce.html#wp50053.
Related Documentation
For more information, refer to the following documentation:
•
•
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
•
Additional information on using VPN connections with webOS devices is available from Palm at http://www.palm.com/intl/support/index.html.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
