AnyConnect XML Preferences (Cisco Community)
What is an XML profile?
Cisco AnyConnect Secure Mobility Client features are enabled through AnyConnect profiles: XML files that contain the configuration settings for the core client and its VPN functionality. The ASA deploys the profiles during AnyConnect installation and updates. Users cannot manage or modify profiles directly.
Where is the XML profile located?
Windows 7 and 8
%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Mac OS X
/opt/cisco/anyconnect/profile
How do I access the XML profile?
The AnyConnect profile can be managed in ASDM under:
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile
Preferences Part 1
Use Start Before Logon
Start Before Logon (SBL) shows the AnyConnect login window before the Windows logon, so the user can establish the VPN connection before logging in to the Windows device.
This feature is available for the following Windows platforms and is disabled by default:
Windows 8 and 8.1
Some examples of SBL use cases:
- The user's computer is joined to an Active Directory infrastructure.
- The user cannot store cached credentials on the computer, for example because group policy does not allow cached credentials.
- The user must run logon scripts that execute from a network resource or that require access to a network resource.
- The user has mapped network drives that require authentication against the Active Directory infrastructure.
- Networking components such as MS NAP / CS NAC may require connectivity to the infrastructure.
For SBL to work you need:
- The ASA certificate must be added to the local computer certificate store (Trusted Root Certification Authorities) if it is self-signed, or a third-party certificate must be installed on the ASA.
- The certificate subject name must match the name resolved in DNS. Editing the hosts file also works.
- SBL must be enabled on the ASA in the AnyConnect Client Profile (although you can also edit the .xml file manually on the client computer).
- The ASA must be accessed by domain name; an IP address does not work.
- The FQDN must match the host entry in the XML profile:
ASA required configuration:
hostname(config)# group-policy SBL-VPN attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc modules value vpngina
Show Pre-Connect Message
Lets the administrator display a one-time message before the user's first connection attempt. For example, the message can remind users to insert their smart card into its reader.
The message can be customized at:
ASDM > Configuration > Remote Access VPN > AnyConnect Customization/Localization > GUI Text and Messages > Edit
In that file the message appears under the label "This is a pre-connect reminder message".
Certificate Store
Controls which certificate store(s) AnyConnect uses to store and read certificates. The default setting (All) is suitable for most cases. Do not change this setting unless you have a specific reason or a scenario that requires it.
- All (default): instructs the AnyConnect client to use all certificate stores to locate certificates.
- Machine: restricts the certificate lookup to the Windows local machine (device) certificate store.
- User: restricts the certificate lookup to the local user certificate stores.
Note: If you are using SBL, this setting must be All or Machine, because AnyConnect in SBL mode cannot read user certificates.
Certificate Store Override
Allows the administrator to direct AnyConnect to search for certificates in the Windows machine certificate store when the user does not have administrator privileges on the device. This avoids permission problems for users who are not administrators on their device.
Auto Connect On Start
When AnyConnect starts, it automatically establishes a VPN connection to the secure gateway specified by the AnyConnect profile, or to the last gateway the client connected to.
Minimize On Connect
After the VPN connection is established, the AnyConnect GUI minimizes.
Local LAN Access
Allows the user full access to the local LAN connected to the remote computer during the VPN session to the ASA.
Enabling local LAN access can create a security vulnerability from the public network, through the user's computer, into the corporate network. Enabling this feature is not recommended; instead, use the exceptions configured under the AnyConnect group policy or the AnyConnect client firewall feature.
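The SBL certificate-store note, the "domain name, not IP address" requirement for SBL and the Local LAN Access warning above are all things that can be checked in the deployed profile XML. The following audit script is an added example, not code from the article or from Cisco; the profile it reads is a constructed sample that deliberately breaks all three rules, and the element and namespace names are those used by AnyConnect client profiles (the XML value for the device store is Machine).

```python
# Added example (not from the article): audit a constructed AnyConnect profile.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample profile; it deliberately breaks all three rules.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <CertificateStore>User</CertificateStore>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry><HostName>HQ</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
    <HostEntry><HostName>Lab</HostName><HostAddress>203.0.113.10</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

def _text(node, path: str) -> str:
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""

def audit_profile(xml_text: str) -> list[str]:
    """Return one finding per violated rule; an empty list means clean."""
    root = ET.fromstring(xml_text)
    init = "ac:ClientInitialization/"
    sbl = _text(root, init + "ac:UseStartBeforeLogon").lower() == "true"
    store = _text(root, init + "ac:CertificateStore") or "All"   # All is the default
    lan = _text(root, init + "ac:LocalLanAccess").lower() == "true"
    findings = []
    # SBL cannot read user certificates: the store must be All or Machine.
    if sbl and store not in ("All", "Machine"):
        findings.append(f"SBL is enabled but CertificateStore is {store}")
    # Local LAN access bridges the public network into the corporate network.
    if lan:
        findings.append("LocalLanAccess is true; use group-policy exceptions instead")
    # SBL needs a domain name: an IP literal as HostAddress does not work.
    if sbl:
        for host in root.findall("ac:ServerList/ac:HostEntry", NS):
            addr = _text(host, "ac:HostAddress")
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                continue
            findings.append(f"HostAddress {addr} is an IP literal; SBL needs an FQDN")
    return findings
```

Run it against the real profile in the Profile directory listed above to confirm a deployed profile matches the intended policy.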
Auto Reconnect
AnyConnect tries to re-establish the VPN connection if the connection is lost. Auto Reconnect Behavior:
- Disconnect On Suspend (default): AnyConnect releases the resources assigned to the VPN session when the system suspends and does not attempt to reconnect after the system resumes.
- Reconnect After Resume: AnyConnect tries to re-establish the VPN connection after the system resumes.
Auto Update
When selected, enables automatic client update. You can upload a newer version to the ASA to automatically upgrade the VPN client on the user's computer.
RSA SecurID Integration (Windows only)
Controls how the user interacts with RSA. By default, AnyConnect determines the correct method of RSA interaction (Automatic setting: both hardware and software tokens are accepted).
Windows Logon Enforcement
Allows a VPN session to be established from a Remote Desktop Protocol (RDP) session. Split tunneling must be configured in the group policy.
AnyConnect disconnects the VPN when the user who established the VPN connection logs off. If the connection was established by a remote user and that remote user logs off, the VPN connection is terminated.
- Single Local Logon (default): only one local user may be logged on during the entire VPN connection. However, a local user can establish a VPN connection while one or more remote users are logged on to the client computer.
- Single Logon: only one user may be logged on while the VPN is connected. If more than one user is logged on, locally or remotely, while the VPN connection is being established, the connection is not allowed. If a second user logs on, locally or remotely, during the VPN connection, the VPN connection is terminated.
Windows VPN Establishment
Determines AnyConnect behavior when a user who is remotely logged on to the client computer establishes a VPN connection.
- Local Users Only (default): prevents a remotely logged-on user from establishing a VPN connection.
- Allow Remote Users: allows remote users to establish a VPN connection. Remote users must wait 90 seconds after the VPN is established if they want to disconnect their remote logon session without causing the VPN connection to terminate.
Clear SmartCard PIN
When the AnyConnect session ends, the smart card PIN is cleared from the computer's cache.
IP Protocol Supported
Clients that have both an IPv4 and an IPv6 address and try to connect to the ASA with AnyConnect need to specify which IP protocol to use to initiate the connection. By default, AnyConnect first attempts to connect using IPv4; if that does not work, it tries to initiate the connection using IPv6.
Preferences Part 2
Disable Automatic Certificate Selection (Windows only)
Disables automatic certificate selection by the client and prompts the user to select the authentication certificate. This setting can be disabled in the AnyConnect GUI as well.
Proxy Settings
Defines a policy in the AnyConnect profile to control client access to a proxy server. Use this when a proxy configuration prevents the user from establishing a tunnel from outside the corporate network.
- Native (default): the client uses both the proxy settings previously configured by AnyConnect and the proxy settings configured in the browser. Proxy settings configured in the global user preferences are prepended to the browser's proxy settings.
- Ignore Proxy: ignores the browser's proxy server settings on the user's computer. It does not affect proxies that can reach the ASA.
- Override: configure the public proxy server address manually. A public proxy is the only type of proxy supported for Linux.
Allow Local Proxy Connections
Enabled by default; allows Windows users to establish a VPN session through a transparent or non-transparent proxy service on the local PC. Clear this option to disable support for local proxy connections.
Enable Optimal Gateway Selection
OGS is a feature that determines which gateway has the lowest round-trip time (RTT) and connects to that gateway. Use OGS to reduce the latency of Internet traffic without user intervention.
OGS works best with the latest AnyConnect client and ASA software version 9.1(3) or later.
How does it work?
The client sends three HTTP/443 requests to each headend address that appears in the merged host list of all profiles. These HTTP probes are referred to as OGS pings in the logs.
OGS locates the user based on network information such as the Domain Name System (DNS) suffix and the IP address of the DNS server. The RTT results are stored, together with this location, in the OGS cache.
OGS cache entries are kept for 14 days; clearing this cache is not user configurable. This means the OGS process runs every 14 days as long as the user does not move from the site.
Currently, OGS runs its checks only when the user resumes from suspend and the suspension time threshold has been exceeded. OGS does not connect to a different ASA if the ASA currently in use crashes or becomes unavailable. OGS communicates only with the primary servers in the profile to determine the optimal server; even if the user's device has other profiles, it cannot select any of them until OGS is disabled.
When using OGS, if the connection to the gateway the users are connected to is lost, AnyConnect connects to the servers in the backup server list, not to the next OGS host.
OGS communicates only with the primary servers to determine the optimal server. Once the optimal server is determined, the connection algorithm is:
- Try to connect to the optimal server.
- If that fails, try the optimal server's backup server list.
- If that fails, try each remaining server in the OGS selection list, sorted by its selection results.
When the administrator configures the backup server list, the current profile editor only allows entering the fully qualified domain name (FQDN) of the backup server, not the user group, as is possible for the primary server.
Suspension Time Threshold (hours): the elapsed time from disconnecting from the current secure gateway to reconnecting to another secure gateway. If users experience too many transitions between gateways, increase this time.
Performance Improvement Threshold (%): the performance improvement that triggers the client to connect to another secure gateway. The default is 20%.
If AAA is used, users may have to re-enter their credentials when switching to a different secure gateway. Using certificates eliminates this problem.
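The connection order above (optimal server, then its backup list, then the remaining servers by RTT) and the performance-improvement threshold, modelled as an added example; this is not Cisco's implementation. It assumes that the lowest of the three probe RTTs ranks a server and that the threshold is a percentage reduction of the current gateway's RTT; the server names and RTTs are constructed.

```python
# Added example (not from the article): OGS ordering and the improvement rule,
# with assumed ranking (min of three probes) and constructed sample data.
from dataclasses import dataclass, field

@dataclass
class PrimaryServer:
    host: str                    # FQDN of a primary headend in the profile
    rtt_ms: list[float]          # results of the three HTTP/443 OGS probes
    backups: list[str] = field(default_factory=list)  # its backup server list

    def score(self) -> float:
        # Assumption: the lowest of the three probe RTTs ranks the server.
        return min(self.rtt_ms)

def ogs_connection_order(servers: list[PrimaryServer]) -> list[str]:
    """Optimal server first, then its backups, then the rest by RTT."""
    ranked = sorted(servers, key=PrimaryServer.score)
    optimal = ranked[0]
    order = [optimal.host] + [b for b in optimal.backups if b != optimal.host]
    for srv in ranked[1:]:
        if srv.host not in order:
            order.append(srv.host)
    return order

def should_switch(current_rtt_ms: float, best_rtt_ms: float,
                  threshold_pct: float = 20.0) -> bool:
    """Switch gateways only if the RTT gain meets the improvement threshold."""
    if current_rtt_ms <= 0:
        return False
    gain_pct = (current_rtt_ms - best_rtt_ms) / current_rtt_ms * 100
    return gain_pct >= threshold_pct

# Constructed sample: three primary headends, one of them with a backup list.
SERVERS = [
    PrimaryServer("vpn-eu.example.com", [48, 52, 47], ["vpn-eu2.example.com"]),
    PrimaryServer("vpn-us.example.com", [30, 29, 33], ["vpn-us2.example.com"]),
    PrimaryServer("vpn-ap.example.com", [120, 118, 125]),
]

if __name__ == "__main__":
    print(ogs_connection_order(SERVERS))
    print(should_switch(40, 30), should_switch(40, 35))
```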
More information about OGS
Automatic VPN Policy (Trusted Network Detection)
TND allows AnyConnect to automatically disconnect the VPN when the user is inside the corporate network (the trusted network) and to initiate the VPN connection when the user is outside the corporate network (the untrusted network).
If AnyConnect is also running Start Before Logon (SBL) and the user moves into the trusted network, the SBL window displayed on the computer closes automatically.
TND does not interfere with the user's ability to manually establish a VPN connection. The VPN does not disconnect…