Friday, December 7, 2012

AnyConnect 3.0 Client Profiles


Notes (from the internet):
You need to put in the server address; otherwise the profile won't show in the client's select list.

The Cisco AnyConnect 3.0 Security Mobility Client has made some really neat changes. In doing some development recently, I have had the opportunity to spend some time working with this version. I have to say that I do like it. But there are little gotchas that I figured I would share.
My Lab Topology is fairly simple. Basically I have a client on the outside and a server on the inside.
I’m not so concerned with connecting to the server right now, but more so, I’m concerned with how I can centrally apply policy to my clients and then have them updated. To make the changes to the client, including company customization, I am using the AnyConnect Profile Editor that’s embedded in ASDM. You can see the configuration page in the image below.


Creating a Client Profile, Changing Client Parameters, Applying the Profile to a Group.

You need to begin by adding a Client Profile.
Now that a profile has been created, you can start making changes to these options. The image below is the “Edit” page of a profile that I named “MY-PROFILE.” I’m not going to go into the details of what each of these options does, nor am I going to explain each configuration page. I simply want to convey to you that this is how you make changes to the AnyConnect client that is already installed on an end-user device.
So now we’ll assume that you have made some changes to the Client Profile. Next you’ll want to ensure that it’s applied to a group. Now in the client profile configuration you can define what group the profile is for, but in the image below we are actually editing the group to define the profile.
First, open the AnyConnect Client settings for a group.
Next, apply the profile to the group.
Of course at this point you would save and apply your changes.

Getting the Policy on the Client.

This next step is simple. To get the policy onto a client, you simply connect. Once the client connects, it downloads the profile to the directory C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile if you’re using Windows 7. Check the Cisco documentation for the location of the profile on other operating systems.
In the following image you can see the client looking for updated profile information:
And once the profile has been downloaded you can browse to the aforementioned directory and verify that it has been downloaded.
Overall it’s a pretty simple process, but I strongly recommend testing this in a lab first. The biggest issue I ran into was that I would make a change, the profile wouldn’t match up and would not allow a connection to update the profile. The fix for me was to delete the profile on the client machine and connect again with no profile loaded. The client would then download the latest profile, including any changes and all was well.
Another nice aspect of this Client Profile is that it’s all XML. When you browse to the directory and look at the profile you can actually tell if the changes have been made pretty easily.
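Because the profile is XML, checking whether an edit reached the client can be scripted rather than eyeballed. The sketch below is an added example, not code from the original post: it compares two constructed sample profiles and lists any server entries, since the note at the top of this page says a profile without a server address will not show in the client's list. The element names follow the AnyConnect profile layout; the sample values and host name are assumptions.

```python
import xml.etree.ElementTree as ET
NS = 'xmlns="http://schemas.xmlsoap.org/encoding/"'
# Constructed samples (not from the post): cached copy vs. copy after an edit.
OLD_PROFILE = f"""<AnyConnectProfile {NS}>
  <ClientInitialization>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
  </ClientInitialization>
</AnyConnectProfile>"""
NEW_PROFILE = f"""<AnyConnectProfile {NS}>
  <ClientInitialization>
    <AutoReconnect UserControllable="true">true</AutoReconnect>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
  </ClientInitialization>
  <ServerList><HostEntry>
    <HostName>Lab ASA</HostName>
    <HostAddress>vpn.example.test</HostAddress>
  </HostEntry></ServerList>
</AnyConnectProfile>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on each tag."""
    return tag.rsplit("}", 1)[-1]

def settings(xml_text):
    """Map each ClientInitialization setting to (value, UserControllable)."""
    root = ET.fromstring(xml_text)
    return {local(el.tag): ((el.text or "").strip(), el.get("UserControllable"))
            for sec in root if local(sec.tag) == "ClientInitialization" for el in sec}

def servers(xml_text):
    """Return (HostName, HostAddress) for each HostEntry in the profile."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "HostEntry":
            f = {local(c.tag): (c.text or "").strip() for c in el}
            found.append((f.get("HostName", ""), f.get("HostAddress", "")))
    return found

def changed(old_xml, new_xml):
    """Settings whose value or UserControllable flag differs between copies."""
    old, new = settings(old_xml), settings(new_xml)
    return {k: (old.get(k), new.get(k))
            for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)}

if __name__ == "__main__":
    print("changed:", changed(OLD_PROFILE, NEW_PROFILE))
    print("servers:", servers(OLD_PROFILE), servers(NEW_PROFILE))
```

To use it on a real client, read the downloaded profile file from the profile directory and pass its text in place of the constructed samples.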

Wrap Up

My take on the AnyConnect Client Profiles is that they are handy for making changes but at the same time they are a bit tedious. Not much more to say about it. They work. But don’t take my word for it. Lab it up using a new “TEST” group on your own ASA and enjoy!
