AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 2.5
Published: August 13, 2010
This document identifies the AnyConnect Release 2.5 features, license requirements, and endpoint OSs that each feature supports. It also shows a progressive chart of the licenses available and the features they support.
AnyConnect requires an AnyConnect Essentials license or an AnyConnect Premium SSL VPN Edition license to specify the maximum number of remote access sessions supported at a time. Either license supports the features in Table 1.
Table 1 Basic Features Supported by AnyConnect Essentials and Premium Licenses
Client Feature | OSs Supported (footnote 1)
WebLaunch deployment.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Manual (standalone) endpoint installation.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Remote Desktop Protocol (RDP) session to establish an AnyConnect session.
Windows
Datagram Transport Layer Security (DTLS) with SSL access to VPN.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Compression for TLS—Increases the communications performance between the security appliance and the client.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Fallback from DTLS to TLS if DTLS fails.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
PPP exclusion route for AnyConnect over L2TP or PPTP.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Start script on connect and another on disconnect.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Certificate-only authentication.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Machine certificate authentication for standalone mode.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
RSA SecurID integration.
Windows 7, Vista, and XP
RSA SecurID Software Token Client Software 1.1 or later support (single token only).
Windows 7, Vista, and XP
Smartcard support.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Simple Certificate Enrollment Protocol (SCEP) to provision and renew a certificate used for client authentication.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
List valid certificates for users to select to authenticate the VPN session.
Windows 7, Vista, and XP
Certificate store and certificate store override.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Dynamic access policies for multiple group membership and endpoint security.
Note: Requires ASA 8.0(x) or later.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Quarantine—The use of AAA attributes and dynamic access policies to isolate a VPN session.
Note: Requires ASA 8.0(x) or later. Showing quarantine status and terminate user messages requires ASA 8.3(1) or later.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Graphical and CLI user interfaces.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Minimize on connect.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Split tunneling to permit the endpoint to send some traffic in the clear.
Note: Requires ASA 8.0(x) or later.
Windows 7, Vista, and XP
In-the-clear DNS queries with split tunneling enabled.
Windows 7, Vista, and XP
Ignore Proxy—Bypass Internet Explorer proxy configuration on endpoint.
Note: Requires ASA 8.3(1) or later.
Windows 7, Vista, and XP
Mac OS X Safari Proxy.
Note: Requires ASA 8.3(1) or later.
Mac OS X (10.5, 10.6, and 10.7)
Proxy auto-configuration file generation for browser-based (clientless) support.
Windows 7, Vista, and XP
Internet Explorer Connections tab lockdown.
Windows 7, Vista, and XP
IPv6 VPN access—Allows access to IPv6 resources over a public IPv4 connection.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Local LAN access.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Tethered device support (phone synchronization).
Windows 7, Vista, and XP
Local printer access through endpoint firewall rules.
Windows 7, Vista, and XP
Trusted network detection (TND).
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Captive portal (hotspot) detection.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Session resume.
Windows 7, Vista, and XP
Optimal gateway selection.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Start before logon (SBL).
Windows 7, Vista, and XP
Auto connect on start.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Network roaming, also called auto reconnect.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Windows Mobile
Resume session after loss of connectivity.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Auto update AnyConnect.
Note: Requires ASA 8.0(x) or later.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Auto update AnyConnect profile.
Note: Requires ASA 8.0(x) or later.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Logon enforcement to terminate the VPN session if a second user logs onto Windows.
Windows 7, Vista, and XP
Permit or deny a user who is remotely logged onto a PC to use it to establish a VPN session.
Windows 7, Vista, and XP
Retain the VPN session if the user logs off Windows, and specify whether to disconnect the VPN session if a different, local user logs onto Windows.
Windows 7, Vista, and XP
Diagnostic AnyConnect Reporting Tool (DART).
Windows 7, Vista, and XP
Federal Information Processing Standard (FIPS) security.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
1 For Red Hat Enterprise Linux 5 Desktop and Ubuntu 9.x requirements, see the Release Notes for Cisco AnyConnect Secure Mobility Client, Release 2.5.
Table 2 lists the advanced features, network and license requirements, and supported VPN endpoints.
Table 2 Advanced AnyConnect Features
Client Feature | Requirements | OSs Supported
Clientless access lets you use a browser to establish a VPN session and lets specific applications use the browser to access that session.
AnyConnect Premium SSL VPN Edition license
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Simultaneous AnyConnect client and clientless connections. Each connection has its own tunnel.
Both of the following:
• ASA 8.0(x) or later
• AnyConnect Premium SSL VPN Edition license
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
SSL VPN support for touch-screen devices running Windows Mobile.
Both of the following:
• AnyConnect Mobile license
• AnyConnect Essentials or AnyConnect Premium SSL VPN Edition license
Windows Mobile OS touch-screen devices. For the supported device list, see the Release Notes for Cisco AnyConnect Secure Mobility Client, Release 2.5.
Endpoint assessment for laptops and desktops ensures that your choice of antivirus software versions, antispyware versions, associated update definitions, firewall software versions, and corporate property verification checks comply with policies to qualify a session to be granted access to the VPN.
All of the following:
• ASA 8.0(x) or later
• Cisco Secure Desktop Host Scan
• AnyConnect Premium SSL VPN Edition license
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Endpoint assessment for Windows Mobile supports the configuration of dynamic access policies that check for the following:
• OS version
• Device lock
• Device policy for secondary storage encryption and password strength
• SIM lock
• GPS
• Application policy
• Bluetooth
• ARM microprocessor
All of the following:
• ASA 8.0(x) or later
• Cisco Secure Desktop 3.5 Host Scan
• AnyConnect Premium SSL VPN Edition license
• Advanced Endpoint Assessment license
• Cisco Secure Mobility license
Windows Mobile
Endpoint remediation attempts to resolve endpoint failures to satisfy corporate requirements for antivirus, antispyware, firewall software, and definitions file requirements.
All of the following:
• ASA 8.0(x) or later
• Cisco Secure Desktop Host Scan
• AnyConnect Premium SSL VPN Edition license
• Advanced Endpoint Assessment license
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Post Log-in Always-on VPN establishes a VPN session automatically after the user logs in to a computer. It includes the following features:
• Connect failure policy.
• Captive portal hotspot remediation to relax a connect failure closed policy to let the user satisfy hotspot requirements for network access.
• Exemption of certain VPN users from an always-on VPN deployment. Note: Requires ASA 8.3(1) to exempt users.
Either of the following:
• AnyConnect Premium SSL VPN Edition license
• AnyConnect Essentials or AnyConnect Premium SSL VPN Edition license, and Cisco IronPort Web Security license coupled with a Cisco Secure Mobility license
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Malware defense, acceptable use policy enforcement and data leakage prevention for the web
All of the following:
• ASA 8.3(1) or later
• WSA 7.0 or later
• AnyConnect Essentials or AnyConnect Premium SSL VPN Edition license
• Cisco IronPort Web Security license
• Cisco Secure Mobility license
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Business continuity increases the number of licensed remote access VPN sessions to prepare for temporary spikes in usage during cataclysmic events such as pandemics.
Both of the following:
• AnyConnect Premium SSL VPN Edition license
• Flex license. Each flex license is ASA-specific and provides support for sixty days. The count can consist of both contiguous and noncontiguous days.
Windows 7, Vista, and XP
Mac OS X (10.5, 10.6, and 10.7)
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
Windows Mobile
Table 3 lists the AnyConnect Profile editor API, and customization options; and the supporting OSs.
Table 4 shows which licenses you can combine with the AnyConnect Essentials and AnyConnect Premium SSL VPN Edition licenses.
Table 4 Advanced AnyConnect License Options
Sessions License | License Option | Basic Access | Post Log-in Always-on VPN | Malware Defense, Acceptable Use Policy Enforcement, and Data Leakage Prevention on the Web | Clientless Access | Endpoint Assessment | Endpoint Remediation | Business Continuity
AnyConnect Essentials
(base license)
Cisco Secure Mobility for AnyConnect Essentials
AnyConnect Premium SSL VPN Edition
(base license)
Cisco Secure Mobility for AnyConnect Premium
Advanced Endpoint Assessment
Flex (footnote 1)
1 A flex license provides business continuity support for malware defense, acceptable use policy enforcement, data leakage prevention on the web, and endpoint remediation features only if those features are licensed.
The following licenses require activation on a Cisco adaptive security appliance (ASA) running 8.0(x) or later:
• AnyConnect Essentials license
• AnyConnect Premium SSL VPN Edition license
• Advanced Endpoint Assessment license
• Flex license
You can activate either an AnyConnect Essentials or an AnyConnect Premium SSL VPN Edition license, but you cannot activate both licenses together on the same ASA. Some features require later versions of the ASA, as indicated in Tables 1 and 2.
The Cisco Secure Mobility licenses require activation on a Cisco IronPort Web Security Appliance (WSA) running 7.0 or later.
The activation of an AnyConnect Mobile license on the ASA supports mobile access, but does not provide support for the features in this table. It is available as an option with either an AnyConnect Essentials or an AnyConnect Premium SSL VPN Edition license.
Cisco Secure Remote Access: VPN Licensing Overview provides brief descriptions of the AnyConnect license options and example SKUs.
Licensing Information contains a Managing Feature Licenses document for each ASA release. Each one lists the licenses available for each ASA model, and describes how to obtain and activate these licenses.
© 2010 Cisco Systems, Inc. All rights reserved.