Manual Block Adobe From Checking Validation Engineer
112617 by admin

This guide is a collection of thoughts on and techniques for securing a modern Apple Mac computer ('MacBook') using macOS (formerly known as OS X) version 10.12.

pkgutil --check-signature "/Applications/Install macOS Sierra.app"
Package 'Install macOS Sierra.app':
Status: signed by a certificate trusted by Mac OS X

When you manually sign a document, you guarantee your agreement to the text content. A digital signature does the same thing and adds even more information. It guarantees signature authenticity by proving that you are the person who signed, and it ensures document integrity, meaning that the document has not been modified since the.

In, I related the latest round of Android security woes to Adobe. Anyone that has worked in IT during the last 10 years knows that Adobe products (Acrobat Reader, Flash, etc.) have had some of the worst security records of any products.

Strong security and Adobe were never used in the same sentence, if only as a joke. In the Android article, I stated that 'Android is the new Adobe,' but after chatting over email with a senior manager of corporate communications with Adobe, I may have to revise that statement a bit. Not because they want me to, but because I was made aware of significant changes that Adobe has made, all based on their security record and public perception. Now, public perception dictates that Adobe products are insecure by default, but based on the material I was offered to read through, Adobe has taken definite steps to improve not only product development, but how the company utilizes community engagement to build better, more secure applications. I truly appreciate Adobe taking the time to enlighten me on their new security focus. And, I'm sure you'll appreciate it, too, since the majority of what Adobe has done isn't public knowledge.

We agreed that it's valuable for you all to know exactly what Adobe has done internally, to help fix public perception and get back to focusing on the true security offenders like Android. As passed on to me, here are the details of what Adobe has accomplished to tighten security and provide a better operating landscape for users of their products:

Security Teams at Adobe

Adobe has a team in place (the Adobe Secure Software Engineering Team – ASSET), which is dedicated to ensuring our products are designed, engineered and validated using security best practices. A second team within ASSET (the Product Security Incident Response Team – PSIRT) is responsible for responding to and communicating about security issues.

ASSET and PSIRT (as they exist today) were put in place during the integration of Macromedia and Adobe in late 2005 by combining the corresponding security teams from each company, and these teams continue to evolve to best address the threat landscape facing Adobe’s products. All engineering teams at Adobe work very closely and proactively with the Adobe Secure Software Engineering Team (ASSET) during each phase of the Adobe Secure Product Lifecycle (SPLC). In addition, product teams have dedicated security development and testing groups in place. As a result of changes in the threat landscape, we have about seven times as many engineers dedicated to security today compared to 2009.

The Adobe Secure Product Lifecycle (SPLC)

ASSET owns the Adobe Secure Product Lifecycle (SPLC), which is the equivalent to Microsoft's Security Development Lifecycle (SDL).

All code and features in Adobe products are subject to the SPLC. The SPLC integrates standard secure software activities such as threat modeling, automated and manual security code reviews, and fuzzing into the standard Adobe Product Lifecycle we follow for all projects.

The graphic/screen shot below shows the different phases of the SPLC as well as key aspects of each phase.

The ASSET Certification Program

A program that was introduced by ASSET in February 2009 and which has become a critical part of the SPLC is the “ASSET Certification Program.” This is an internal program for Adobe engineering and product teams designed to raise security awareness and implement best practices prior to and during the planning and design phases of a product to ensure potential areas for vulnerabilities are identified and addressed early. A majority of Adobe’s product/engineering team members have gone through the program.

Product Security Incident Response

Adobe also has significant investment in our reactive capabilities in the event of a security incident. The Product Security Incident Response Team (PSIRT) coordinates with the security community (including vendors and researchers) as well as the internal engineering teams and communications teams to get relevant information such as threat mitigations out to users as soon as possible.

Product Security Initiatives

Over the last three years in particular, we have increased the investment in our security efforts with focused initiatives, faster response times, and improved communication to customers and stakeholders. This included improving the security of legacy sections of the code base by targeting high risk areas of the application for fuzzing, static code analysis, manual code review, threat modeling, and strengthening input validation.

And we significantly improved incident response processes for regularly scheduled updates as well as for urgent situations, such as a zero-day. We also made a number of significant security enhancements specifically to Adobe Reader and Acrobat:

• With the Adobe Reader / Acrobat update in October 2009, we included security enhancements around Adobe Reader and Acrobat’s handling of JavaScript—at the time one of the main attack vectors for PDF/Adobe Reader. These include the ability to disable JavaScript using an improved “gold bar” user interface (improvement from previous pop-up box), significant improvements to strengthen input validation on all JavaScript calls, as well as the introduction of a JavaScript blacklisting mechanism.

• With the April 13, 2010 Adobe Reader / Acrobat update, Adobe activated a.

The new updater is designed to keep end-users up-to-date in a much more streamlined and automated way. It was introduced because the majority of attacks we are seeing are exploiting software installations that are not up-to-date with the latest security updates. With the activation of the new updater, Windows users have the option to download and install updates for Adobe Reader and Acrobat automatically, without user interaction. The following three update options are available to users:

• Automatic: Updates are downloaded and installed automatically, without user interaction. Adobe recommends this option for most end-users. (Available for Windows users only.)

• Semi-Automatic: Updates are downloaded automatically, but the user has to choose whether or not to install the update.

• Manual: The user has to manually check for updates and kick off the installation. This option may be appropriate in particular for administrators in businesses following patch cycles specific to their organization.

During the first phase of the roll-out of the new updater, Adobe utilized the user’s existing update settings found in the Preferences because the automatic update option was a significant change to the way most Windows users were accustomed to updating their product installations.

With the quarterly update delivered on June 14, 2011, we turned the automatic update option on by default for all Adobe Reader users on Windows. Because honoring the user’s choice is important to Adobe, the user was presented with a screen for the automatic update option for the first time when the Adobe Reader Updater detected the availability of the September 13, 2011 update.

• On November 18, 2010, Adobe announced the availability of Adobe Reader X with Protected Mode (aka sandboxing) under Windows. Adobe Reader Protected Mode represented an exciting new advancement in mitigating the impact of attempted attacks. Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims’ computers. Note that since we added sandbox protection to Adobe Reader in November 2010, the exploit announced in our February 13, 2013 security advisory is the very first exploit in the wild that breaks out of the Adobe Reader Protected Mode sandbox.

• With the Adobe Reader / Acrobat update on June 14, 2011, Adobe introduced Adobe Acrobat X (10.1) Protected View (aka sandboxing).

This security enhancement for Adobe Acrobat extends the concept of Adobe Reader Protected Mode to the Acrobat browser plugin; it also introduces Adobe Acrobat Protected View for document viewing with Acrobat in standalone mode. Adobe Acrobat Protected View offers similar mitigations and user workflows to Microsoft Office 2010 Protected View. Acrobat Protected View provides an additional layer of protection for Acrobat X users and will ultimately result in a safer experience, fewer urgent patches, and lower total cost of ownership in enterprise environments.

• On January 10, 2012, Adobe introduced a new JavaScript whitelisting capability in Adobe Reader and Acrobat X (10.1.2) and 9.5, allowing JavaScript execution in PDF files based on document trust.

If a document is trusted, JavaScript execution will be allowed; but if it is untrusted, Adobe Reader and Acrobat will prevent all JavaScript execution.

• With the Adobe Reader / Acrobat update on April 10, 2012, Adobe introduced the following changes:

  o Rendering Flash (SWF) Content in Adobe Reader and Acrobat 9.5.1: We added an Application Programming Interface (API) to both Adobe Reader/Acrobat 9.5.1 and Flash Player to allow Adobe Reader/Acrobat 9.5.1 to communicate directly with a Netscape Plugin Application Programming Interface (NPAPI) version of Flash Player installed on the user’s system. Starting with the release of Adobe Reader 9.5.1 and Acrobat 9.5.1, Adobe Reader and Acrobat 9.x on Windows and Macintosh will use the Adobe Flash Player plugin version installed on the user's system (rather than the Authplay component that ships with Adobe Reader and Acrobat) to render any Flash (SWF) content contained in PDF files. From a security perspective, this means that Adobe Reader/Acrobat 9.x users will no longer have to update Adobe Reader/Acrobat each time we make available an update for Flash Player. This will be particularly beneficial to customers in managed environments because fewer updates help reduce the overhead for IT administration.

  o Rendering 3D Content in PDF Files: With the Adobe Reader and Acrobat 9.5.1 updates, 3D content is turned off by default, since the majority of consumers do not typically open PDF files that include 3D content. 3D content in untrusted documents can pose a security risk, so we disabled the option by default to cut down on potential risk for users of Adobe Reader and Acrobat 9.x.

  o Further Alignment of the Adobe Reader/Acrobat Update Cycle with Microsoft’s Model: After three years of shipping a security update once a quarter and announcing the date of the next update the same day we ship the current update, we are making a change. We are shifting to a model that more closely aligns with the 'Microsoft Patch Tuesday' cadence. Since we introduced the quarterly update cycle in 2009, we have come a long way in putting mitigations into place that make Adobe Reader and Acrobat a less attractive attack target. Sandboxing in particular has led to greater than expected results.

Attackers have indicated through their target selection thus far that the extra effort required to attack version X is no longer worth it. Additionally, we have seen a lower volume of vulnerability reports against Adobe Reader and Adobe Acrobat. Given the shift in the threat landscape and the lower volume of vulnerability reports, we feel that a strict quarterly release cycle is no longer warranted.

• Most recently (in October 2012), Adobe introduced a number of new or improved security capabilities with Adobe Reader and Acrobat XI:

  o Adobe Reader XI Protected Mode (Enhanced): In our Adobe Reader X sandbox implementation, the sandboxing architecture’s primary focus was on “write protection” to prevent the attacker from installing malware on the user’s machine and from monitoring the user’s keystrokes when the user interacts with another program. In Adobe Reader XI, we added data theft prevention capabilities by extending the sandbox to restrict read-only activities to help protect against attackers seeking to read sensitive information on the user’s computer.

  o Adobe Reader Protected View (New) and Adobe Acrobat Protected View (Enhanced): To provide an additional layer of defense and strengthen the sandbox protection in Adobe Reader and Acrobat even further, we implemented a separate desktop and WinStation in Adobe Reader and Acrobat XI, which will block, for instance, screen scraping attacks. This mode effectively introduces a new Protected View in Adobe Reader and enhances the Protected View implementation in Adobe Acrobat even further. Protected View behaves identically for Adobe Reader and Acrobat, whether viewing PDF files in the standalone product or in the browser.

  o Force ASLR Support in Adobe Reader/Acrobat XI: Adobe Reader and Acrobat leverage platform mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), etc. In Adobe Reader and Acrobat XI, we enabled support for Force ASLR on Windows 7 and Windows 8. Force ASLR improves the effectiveness of existing ASLR implementations by ensuring that all DLLs loaded by Adobe Reader or Acrobat XI, including legacy DLLs without ASLR enabled, are randomized.

By enabling Force ASLR in Adobe Reader and Acrobat XI, we are making it even more difficult for an attacker to exploit vulnerabilities.

  o PDF Whitelisting Framework: For high-assurance, managed enterprise environments, we’ve added the Adobe PDF Whitelisting Framework, which allows administrators to selectively enable advanced functionality, such as JavaScript for specific PDF files, sites or hosts, on both Windows and Mac OS.

On the Flash Player side, note the following significant security (and privacy) enhancements made over the last two years:

• On December 1, 2010, Adobe and Google announced the development of a sandbox for Flash Player within the Google Chrome browser. This first iteration of Chrome’s Flash Player sandbox for all Windows platforms introduced a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones. This implementation represented a significant step in further reducing the potential attack surface of the browser and protecting users against common malware.

• With the launch of Flash Player 10.3 on May 12, 2011, Adobe introduced a number of important security and privacy features: Flash Player 10.3 included a new auto-update notification mechanism for the Macintosh platform. With this new feature, Macintosh users started receiving Flash Player update notifications when new updates became available. (Note that this functionality was already previously in place for Windows users.) On the privacy side, Adobe worked closely with representatives from several key companies/open-source browsers—including Google and Mozilla—to define a new browser API () for clearing local data.

Any browser that implements the new API is able to clear local storage for any plugin that also implements the API. Flash Player was the first plugin to support the new API, providing users with a simpler way to clear local storage from the browser settings interface, similar to how they clear their browser cookies. In addition to coordinating with the open-source browsers, Adobe also teamed up with Microsoft to provide equivalent functionality within Internet Explorer. With the launch of Flash Player 10.3, users were able to take advantage of this functionality in Internet Explorer 8 and 9. And last but not least, Flash Player 10.3 introduced a redesigned Flash Player Settings Manager to make it easier for users to manage their Flash Player settings, which allowed Windows, Mac and Linux users to access the Flash Player Settings Manager directly from the Control Panel or System Preferences on their computers.

• On September 21, 2011, Adobe introduced several security enhancements for Flash Player, including the addition of, which will make it easier for developers to protect the data they stream over the Flash Player raw socket connections, and a.

• On February 6, 2012, Adobe released a public beta of Flash Player with sandboxing (aka “Protected Mode”) for the Firefox browser.

Adobe released Flash Player Protected Mode for Firefox 4.0 or later on June 8, 2012. It is supported on both Windows Vista and Windows 7.

• With the release of Flash Player 11.2 on March 28, 2012, Adobe introduced a new background update mechanism for Windows users, designed to keep end-users up-to-date in a much more streamlined and automated way. Windows users have the option to download and install updates for Adobe Flash Player automatically, without user interaction. After a successful installation of Adobe Flash Player 11.2, users were presented with a dialog box to choose an update method. The following three update options are available to users:

  • Allow Adobe to install updates (recommended)
  • Notify me to install updates
  • Never check for updates (not recommended)

Additionally, the user can change the update preferences at any time via the Flash Player Settings Manager, which for Windows users can be accessed via the Control Panel. The new Adobe Flash Player background updater updates all instances of a release version of Adobe Flash Player for all Web browsers on a computer.

Previously, users had to perform separate updates for each Web browser running on their system. A Mac version of the Flash Player background updater was delivered with the on June 8, 2012.

Community Engagement

In addition to working very closely with the security research community, ASSET/PSIRT have great working relationships with counterparts in other organizations—such as Microsoft, Symantec and McAfee—which we leverage for the exchange of technical and process information as well as telemetry regarding attack data and techniques. As part of our collaboration with Microsoft, that Microsoft would extend its to include vulnerability information sharing from Adobe. See for additional information on this announcement.

In another example, Adobe has been working closely with Microsoft to help improve the software update experience for our mutual customers. In 2011, we introduced support for Microsoft System Center Updates Publisher (SCUP) in Adobe Reader X and Adobe Flash Player, making it easier for Microsoft System Center Configuration Manager (SCCM) and Microsoft System Center Essentials (SCE) customers to import Adobe updates through the Microsoft System Center Updates Publisher (SCUP) and manage their distribution to client computers. In October 2012, Flash Player started shipping with Internet Explorer 10 on Windows 8. Flash Player installed with Internet Explorer 10 on Windows 8 is now being updated via the Microsoft Windows Update mechanism customers are familiar with. In September 2009, Adobe joined SAFECode (Software Assurance Forum for Excellence in Code), a non-profit organization focused on the advancement of effective software assurance methods. As a SAFECode member, Adobe is actively involved in partnering with other SAFECode members to share lessons that we’ve learned with the software industry.

Brad Arkin (senior director, security, Adobe products and services) is a member of the SAFECode board. Adobe is also one of the original participants of the “Building Security In Maturity Model” (BSIMM) study and a member of the BSIMM Advisory Board. BSIMM was first launched in March 2009, and is the industry’s first and only structured set of best practices for software security based on real-world data. The BSIMM project is led by Fortify Software and Cigital, and is designed to help software vendors determine where they stand with their software security initiative and how to evolve their efforts over time. The original nine companies contributing to the BSIMM were Adobe, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, Microsoft, QUALCOMM, Wells Fargo and two un-named financial institutions. And last but not least, the Adobe Product Security Incident Response Team (PSIRT) is a member of the Forum of Incident Response and Security Teams (FIRST). FIRST brings together a wide variety of security and incident response teams, including product security teams from the government, commercial, and academic sectors.

Brad Arkin is also a member of the BSIMM (Building Security In Maturity Model) advisory board, the SAP Security Advisory Board, and the customer advisory boards for security consultancy iSec Partners and security tools vendor Veracode.

Adobe Security Resources

• Adobe Security Portal:
• Adobe Secure Software Engineering Team (ASSET) Blog:
• Adobe Product Security Incident Response Team (PSIRT) Blog:
• Adobe Security on Twitter:
• Brad Arkin on Twitter.

Configure VPN Access

Connect and Disconnect to a VPN

AnyConnect VPN Connectivity Options

The AnyConnect client provides many options for automatically connecting, reconnecting, or disconnecting VPN sessions. These options provide a convenient way for your users to connect to your VPN, and they also support your network security requirements.

Starting and Restarting AnyConnect Connections

Configure VPN Connection Servers to provide the names and addresses of the secure gateways your users will manually connect to.

Choose from the following AnyConnect capabilities to provide convenient, automatic VPN connectivity. Also, consider using the following Automatic VPN Policy options to enforce greater network security or restrict network access to the VPN only.

Renegotiating and Maintaining the AnyConnect Connection

You can limit how long the ASA keeps an AnyConnect VPN connection available to the user even with no activity. If a VPN session goes idle, you can terminate the connection or re-negotiate the connection.

• Keepalive—The ASA sends keepalive messages at regular intervals. These messages are ignored by the ASA, but are useful in maintaining connections with devices between the client and the ASA. For instructions to configure Keepalive with the ASDM or CLI, see the Enable Keepalive section in the.

• Dead Peer Detection—The ASA and AnyConnect client send 'R-U-There' messages. These messages are sent less frequently than IPsec's keepalive messages. You can enable both the ASA (gateway) and the AnyConnect client to send DPD messages, and configure a timeout interval.

  • If the client does not respond to the ASA’s DPD messages, the ASA tries once more before putting the session into 'Waiting to Resume' mode. This mode allows the user to roam networks, or enter sleep mode and later recover the connection. If the user does not reconnect before the idle timeout occurs, the ASA will terminate the tunnel. The recommended gateway DPD interval is 300 seconds.

  • If the ASA does not respond to the client's DPD messages, the client tries again before terminating the tunnel. The recommended client DPD interval is 30 seconds.

  For instructions to configure DPD within the ASDM, refer to Configure Dead Peer Detection in the appropriate release of the.

• Best Practices:

  • Set Client DPD to 30 seconds (Group Policy > Advanced > AnyConnect Client > Dead Peer Detection).

  • Set Server DPD to 300 seconds (Group Policy > Advanced > AnyConnect Client > Dead Peer Detection).

  • Set Rekey, for both SSL and IPsec, to 1 hour (Group Policy > Advanced > AnyConnect Client > Key Regeneration).

Terminating an AnyConnect Connection

Terminating an AnyConnect connection requires the user to re-authenticate their endpoint to the secure gateway and create a new VPN connection. The following connection parameters terminate the VPN session based on timeouts:

• Maximum Connect Time—Sets the maximum user connection time in minutes. At the end of this time, the system terminates the connection. You can also allow unlimited connection time (default).

• VPN Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. If the VPN idle timeout is not configured, then the default idle timeout is used.

• Default Idle Timeout—Terminates any user’s session when the session is inactive for the specified time. The default value is 30 minutes (1800 seconds).

See the Specify a VPN Session Idle Timeout for a Group Policy section in the appropriate release of the to set these parameters.

Configure VPN Connection Servers

The AnyConnect VPN server list consists of host name and host address pairs identifying the secure gateways that your VPN users will connect to.

The host name can be an alias, an FQDN, or an IP address. The hosts added to the server list display in the Connect to drop-down list in the AnyConnect GUI.

The user can then select from the drop-down list to initiate a VPN connection. The host at the top of the list is the default server, and appears first in the GUI drop-down list. If the user selects an alternate server from the list, the selected server becomes the new default server. Once you add a server to the server list, you can view its details and edit or delete the server entry. To add a server to the server list, follow this procedure.

Procedure

Step 1 Open the VPN Profile Editor and choose Server List from the navigation pane.

Step 2 Click Add.

Step 3 Configure the server’s host name and address:

• Enter a Host Display Name, an alias used to refer to the host, an FQDN, or an IP address. Do not use '&' or '

Remote Access VPN > Network (Client) Access > Group Policies.

Step 2 Select a group policy and click Edit or Add a new group policy.

Step 3 Select Advanced > AnyConnect Client in the left navigation pane.

Step 4 Uncheck Inherit for the Optional Client Module for Download setting.

Step 5 Select the AnyConnect SBL module in the drop-down list.

Enable SBL in the AnyConnect Profile

Before You Begin

• SBL requires a network connection to be present at the time it is invoked. In some cases, this might not be possible, because a wireless connection might depend on credentials of the user to connect to the wireless infrastructure.

Since SBL mode precedes the credential phase of a logon, a connection would not be available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across logon, or another wireless authentication needs to be configured, for SBL to work.

• If the Network Access Manager is installed, you must deploy machine connection to ensure that an appropriate connection is available.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 1) from the navigation pane.

Step 2 Select Use Start Before Logon.

Step 3 (Optional) To give the remote user control over SBL, select User Controllable.

Note: The user must reboot the remote computer before SBL takes effect.

Troubleshoot Start Before Logon

Procedure

Step 1 Ensure that the AnyConnect profile is loaded on the ASA, ready to be deployed.

Step 2 Delete prior profiles (search for them on the hard drive to find the location, *.xml).

Step 3 Using Windows Add/Remove Programs, uninstall the SBL Components. Reboot the computer and retest.

Step 4 Clear the user’s AnyConnect log in the Event Viewer and retest.

Step 5 Browse back to the security appliance to install AnyConnect again.

Step 6 Reboot once. On the next reboot, you should be prompted with the Start Before Logon prompt.

Step 7 Collect a DART bundle and send it to your AnyConnect Administrator.

Step 8 If you see the following error, delete the user’s AnyConnect profile:

Description: Unable to parse the profile C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\VABaseProfile.xml. Host data not available.

Step 9 Go back to the .tmpl file, save a copy as an .xml file, and use that XML file as the default profile.

Automatically Start VPN Connections When AnyConnect Starts

This feature, called Auto Connect On Start, automatically establishes a VPN connection with the secure gateway specified by the VPN client profile when AnyConnect starts. Auto Connect On Start is disabled by default, requiring the user to specify or select a secure gateway.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 1) from the navigation pane.

Step 2 Select Auto Connect On Start.

Step 3 (Optional) To give the user control over Auto Connect on Start, select User Controllable.

Configure Start Before Logon (PLAP) on Windows Systems

The Start Before Logon (SBL) feature starts a VPN connection before the user logs in to Windows. This ensures that users connect to their corporate infrastructure before logging on to their computers. The SBL AnyConnect feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider.

This feature lets network administrators programmatically perform specific tasks, such as collecting credentials or connecting to network resources before logon. PLAP provides SBL functions on all of the supported Windows operating systems. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP functions support x86 and x64.

Install PLAP

The vpnplap.dll and vpnplap64.dll components are part of the existing installation, so you can load a single, add-on SBL package on the security appliance, which then installs the appropriate component for the target platform. PLAP is an optional feature. The installer software detects the underlying operating system and places the appropriate DLL in the system directory.

On Windows 7 or later, or Windows Server 2008, the installer determines whether the 32-bit or 64-bit version of the operating system is in use and installs the appropriate PLAP component.

Note: If you uninstall AnyConnect while leaving the PLAP component installed, the PLAP component is disabled and is not visible to the remote user.

Once installed, PLAP is not active until you modify the user profile file to activate SBL. After activation, the user invokes the Network Connect component by clicking Switch User, then the Network Connect icon in the lower-right part of the screen.

Note: If the user mistakenly minimizes the user interface, the user can restore it by pressing the Alt + Tab key combination.

Log on to a Windows PC Using PLAP

Procedure

Step 1 At the Windows start window, users press the Ctrl+Alt+Del key combination. The logon window appears with a Switch User button.

Step 2 The user clicks Switch User. The Network Connect window displays. If the user is already connected through an AnyConnect connection and clicks Switch User, that VPN connection remains.

If the user clicks Network Connect, the original VPN connection terminates. If the user clicks Cancel, the VPN connection terminates.

Step 3 The user clicks the Network Connect button in the lower-right corner of the window to launch AnyConnect. The AnyConnect logon window opens.

Step 4 The user uses this GUI to log in as usual. This example assumes AnyConnect is the only installed connection provider. If there are multiple providers installed, the user must select the one to use from the items displayed on this window.

Step 5 When the user connects, the user sees a screen similar to the Network Connect window, except that it has the Microsoft Disconnect button in the lower-right corner. This button is the only indication that the connection was successful.

Step 6 The user clicks the icon associated with their logon.

Once the connection is established, the user has a few minutes to log on. The user logon session times out after approximately two minutes of idle time; a disconnect is then issued to the AnyConnect PLAP component, causing the VPN tunnel to disconnect.

Disconnect from AnyConnect Using PLAP

After successfully establishing a VPN session, the PLAP component returns to the original window, this time with a Disconnect button displayed in the lower-right corner of the window.

When the user clicks Disconnect, the VPN tunnel disconnects. In addition to explicitly disconnecting in response to the Disconnect button, the tunnel also disconnects in the following situations:

• When a user logs on to a PC using PLAP but then presses Cancel.

• When the PC is shut down before the user logs on to the system.

• When Windows times out the user logon session and returns to the 'Press CTRL + ALT + DEL to log on' screen. This behavior is a function of the Windows PLAP architecture, not AnyConnect.

Automatically Restart VPN Connections

When Auto Reconnect is enabled (default), AnyConnect recovers from VPN session disruptions and reestablishes a session, regardless of the media used for the initial connection. For example, it can reestablish a session on wired, wireless, or 3G.

When Auto Reconnect is enabled, you also specify the reconnect behavior upon system suspend or system resume. A system suspend is a low-power standby, such as Windows “hibernation” or macOS or Linux “sleep.” A system resume is a recovery following a system suspend. If you disable Auto Reconnect, the client does not attempt to reconnect regardless of the cause of the disconnection. Cisco highly recommends using the default setting (enabled) for this feature.

Disabling this setting can cause interruptions in VPN connectivity over unstable connections.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 1) from the navigation pane.

Step 2 Select Auto Reconnect.

Step 3 Choose the Auto Reconnect Behavior:

• Disconnect On Suspend—(Default) AnyConnect releases the resources assigned to the VPN session upon a system suspend and does not attempt to reconnect after the system resume.

• Reconnect After Resume—The client retains resources assigned to the VPN session during a system suspend and attempts to reconnect after the system resume.

Use Trusted Network Detection to Connect and Disconnect

About Trusted Network Detection

Trusted Network Detection (TND) gives you the ability to have AnyConnect automatically disconnect a VPN connection when the user is inside the corporate network (the trusted network) and start the VPN connection when the user is outside the corporate network (the untrusted network). TND does not interfere with the ability of the user to manually establish a VPN connection.

It does not disconnect a VPN connection that the user starts manually in the trusted network. TND only disconnects the VPN session if the user first connects in an untrusted network and moves into a trusted network. For example, TND disconnects the VPN session if the user makes a VPN connection at home and then moves into the corporate office.

Note: For the equivalent feature for the Web Security module, see in the Configure Web Security chapter.

You configure TND in the AnyConnect VPN Client profile. No changes are required to the ASA configuration. You need to specify the action or policy AnyConnect takes when recognizing it is transitioning between trusted and untrusted networks, and identify your trusted networks and servers.

Guidelines for Trusted Network Detection

• Because the TND feature controls the AnyConnect GUI and automatically starts connections, the GUI should run at all times. If the user exits the GUI, TND does not automatically start the VPN connection.

• If AnyConnect is also running Start Before Logon (SBL), and the user moves into the trusted network, the SBL window displayed on the computer automatically closes.

• Trusted Network Detection with or without Always-On configured is supported on IPv6 and IPv4 VPN connections to the ASA over IPv4 and IPv6 networks.

• Multiple profiles on a user computer may present problems if the TND configuration is different. If the user has received a TND-enabled profile in the past, upon system restart, AnyConnect attempts to connect to the security appliance it was last connected to, which may not be the behavior you desire.

To connect to a different security appliance, they must manually disconnect and re-connect to that headend. The following workarounds will help you prevent this problem:

• Enable TND in the client profiles loaded on all the ASAs on your corporate network.

• Create one profile listing all the ASAs in the host entry section, and load that profile on all your ASAs.

• If users do not need to have multiple, different profiles, use the same profile name for the profiles on all the ASAs.

Each ASA overrides the existing profile.

Configure Trusted Network Detection

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 1) from the navigation pane.

Step 2 Select Automatic VPN Policy.

Step 3 Choose a Trusted Network Policy.

This is the action the client takes when the user is inside the corporate network (the trusted network). The options are:

• Disconnect—(Default) The client terminates the VPN connection in the trusted network.

• Connect—The client starts a VPN connection in the trusted network.

• Do Nothing—The client takes no action in the trusted network. Setting both the Trusted Network Policy and Untrusted Network Policy to Do Nothing disables Trusted Network Detection (TND).

• Pause—AnyConnect suspends the VPN session (instead of disconnecting it) if a user enters a network configured as trusted after establishing a VPN session outside the trusted network. When the user goes outside the trusted network again, AnyConnect resumes the session.

This feature is for the user’s convenience because it eliminates the need to establish a new VPN session after leaving a trusted network.

Step 4 Choose an Untrusted Network Policy.

This is the action the client takes when the user is outside the corporate network. The options are:

• Connect—The client starts a VPN connection upon the detection of an untrusted network.

• Do Nothing—The client takes no action upon detection of an untrusted network. This option disables Always-On VPN. Setting both the Trusted Network Policy and Untrusted Network Policy to Do Nothing disables Trusted Network Detection.

Step 5 Specify Trusted DNS Domains.

Specify the DNS suffixes (a string separated by commas) that a network interface may have when the client is in the trusted network. You can assign multiple DNS suffixes if you add them to the split-dns list and specify a default domain on the ASA. The AnyConnect client builds the DNS suffix list in the following order:

• The domain passed by the head end.

• The split-DNS suffix list passed by the head end.

• The public interface’s DNS suffixes, if configured. If not, the primary and connection-specific suffixes, along with the parent suffixes of the primary DNS suffix (if the corresponding box is checked in the Advanced TCP/IP Settings).

To match this DNS suffix                      Use this value for TrustedDNSDomains
example.com (only)                            *example.com
example.com AND anyconnect.example.com        *.example.com OR example.com, anyconnect.example.com
asa.example.com AND anyconnect.example.com    *.example.com OR asa.example.com, anyconnect.example.com

Wildcards (*) are supported for IPv4 DNS suffixes. (They are not supported for IPv6 DNS suffixes.)

Step 6 Specify Trusted DNS Servers.

All DNS server addresses (a string separated by commas) that a network interface may have when the client is in the trusted network. For example: 203.0.113.1,2001:DB8::1. Wildcards (*) are supported for IPv4 DNS server addresses. (They are not supported for IPv6 DNS server addresses.) You must have a DNS entry for the headend server that is resolvable via DNS. If your connections are by IP address, you need a DNS server that can resolve mus.cisco.com. If mus.cisco.com is not resolvable via DNS, captive portal detection will not work as expected.
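The matching rules in Steps 3 through 6 are easier to reason about as code. The following is an added example and not Cisco AnyConnect code: it models the trusted/untrusted policies and the TrustedDNSDomains/TrustedDNSServers matching in plain Python, using the page's own example values (*.example.com, 203.0.113.1, 2001:DB8::1) against interface data constructed here. How AnyConnect actually parses wildcards is not specified on the page, so the matcher implements the table rows literally; the requirement that every DNS server on an interface be a trusted one, and the "*example.com" form being left unmodelled, are assumptions.

```python
"""Trusted Network Detection (TND) evaluator (added example, not AnyConnect code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import List


def _split(csv: str) -> List[str]:
    """Profile fields are comma-separated strings; return the trimmed entries."""
    return [item.strip() for item in csv.split(",") if item.strip()]


def suffix_matches(rule: str, suffix: str) -> bool:
    """One TrustedDNSDomains entry against one interface DNS suffix.

    '*.example.com' covers example.com itself and every name below it, as the
    table shows; any other entry must match exactly (case-insensitive).
    Other wildcard placements such as '*example.com' are not modelled here.
    """
    rule, suffix = rule.lower().rstrip("."), suffix.lower().rstrip(".")
    if rule.startswith("*."):
        base = rule[2:]
        return suffix == base or suffix.endswith("." + base)
    return suffix == rule


def server_matches(rule: str, addr: str) -> bool:
    """One TrustedDNSServers entry against one interface DNS server address.

    Wildcards apply to IPv4 only (the page: not supported for IPv6), so a
    wildcard rule never matches an IPv6 server.
    """
    if "*" in rule:
        return ":" not in addr and fnmatchcase(addr, rule)
    try:
        return ip_address(rule) == ip_address(addr)  # normalises 2001:DB8::1 vs 2001:db8::1
    except ValueError:
        return False  # malformed entry: never trust a network on the strength of a typo


@dataclass
class Interface:
    dns_suffixes: List[str]
    dns_servers: List[str]


def interface_is_trusted(iface: Interface, trusted_domains: str = "",
                         trusted_servers: str = "") -> bool:
    """True when the interface satisfies every rule type that is configured.

    Either field, or both, may be set; only configured ones are checked.
    For servers, every DNS server on the interface must be a trusted one
    (assumption, following the advice to enter all your DNS servers).
    With neither configured, TND is disabled and nothing is trusted.
    """
    checks = []
    if trusted_domains:
        rules = _split(trusted_domains)
        checks.append(any(suffix_matches(r, s) for r in rules for s in iface.dns_suffixes))
    if trusted_servers:
        rules = _split(trusted_servers)
        checks.append(bool(iface.dns_servers) and
                      all(any(server_matches(r, a) for r in rules) for a in iface.dns_servers))
    return bool(checks) and all(checks)


def tnd_action(trusted: bool, vpn_state: str, started_in_untrusted: bool,
               trusted_policy: str = "Disconnect", untrusted_policy: str = "Connect") -> str:
    """Action AnyConnect takes on a network transition, per Steps 3 and 4.

    vpn_state is 'down', 'up' or 'paused'. Returns 'connect', 'disconnect',
    'pause', 'resume' or 'none'. A session the user started manually inside
    the trusted network (started_in_untrusted=False) is left alone.
    """
    if trusted_policy == "Do Nothing" and untrusted_policy == "Do Nothing":
        return "none"  # both set to Do Nothing disables TND entirely
    if not trusted:
        if vpn_state == "paused":
            return "resume"  # leaving the trusted network again resumes a paused session
        return "connect" if vpn_state == "down" and untrusted_policy == "Connect" else "none"
    if trusted_policy == "Connect":
        return "connect" if vpn_state == "down" else "none"
    if trusted_policy in ("Disconnect", "Pause") and vpn_state == "up" and started_in_untrusted:
        return "disconnect" if trusted_policy == "Disconnect" else "pause"
    return "none"


if __name__ == "__main__":
    # Constructed interface data; profile values are the page's own examples.
    office = Interface(["anyconnect.example.com"], ["203.0.113.1"])
    home = Interface(["lan"], ["192.0.2.1"])
    print(interface_is_trusted(office, "*.example.com", "203.0.113.1,2001:DB8::1"))  # True
    print(interface_is_trusted(home, "*.example.com", "203.0.113.1,2001:DB8::1"))    # False
    print(tnd_action(True, "up", started_in_untrusted=True))                          # disconnect
```

The fail-closed choices (malformed entries never match, wildcards never match IPv6 servers, an interface with an unlisted DNS server is not trusted) are the ones a defender wants: a trusted-network misclassification silently disconnects the VPN, so ambiguity should resolve to "untrusted".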

Note: You can configure either TrustedDNSDomains, TrustedDNSServers, or both. If you configure TrustedDNSServers, be sure to enter all your DNS servers, so your site(s) will all be part of the Trusted Network. An active interface will be considered as an In-Trusted-Network if it matches all the rules in the VPN profile.

Step 7 Specify a host URL that you want to add as trusted. You must have a secure web server that is accessible with a trusted certificate to be considered trusted. After you click Add, the URL is added and the certificate hash is pre-filled.

If the hash is not found, an error message prompts the user to enter the certificate hash manually and click Set.

Note: You can configure this parameter only when at least one of the Trusted DNS Domains or Trusted DNS Servers is defined. If Trusted DNS Domains or Trusted DNS Servers are not defined, this field is disabled.

Require VPN Connections Using Always-On

About Always-On VPN

Always-On operation prevents access to Internet resources when the computer is not on a trusted network, unless a VPN session is active. Enforcing the VPN to always be on in this situation protects the computer from security threats. When Always-On is enabled, it establishes a VPN session automatically after the user logs in and upon detection of an untrusted network.

The VPN session remains open until the user logs out of the computer, or the session timer or idle session timer (specified in the ASA group policy) expires. AnyConnect continually attempts to reestablish the connection to reactivate the session if it is still open; otherwise, it continually attempts to establish a new VPN session. When Always-On is enabled in the VPN Profile, AnyConnect protects the endpoint by deleting all the other downloaded AnyConnect profiles and ignores any public proxies configured to connect to the ASA. The following AnyConnect options also need to be considered when enabling Always-On:

• Allowing the user to Disconnect the Always-On VPN session: AnyConnect provides the ability for the user to disconnect Always-On VPN sessions. If you enable Allow VPN Disconnect, AnyConnect displays a Disconnect button upon the establishment of a VPN session. By default, the profile editor enables the Disconnect button when you enable Always-On VPN.

Pressing the Disconnect button locks all interfaces to prevent data from leaking out and to protect the computer from internet access except for establishing a VPN session. Users of Always-On VPN sessions may want to click Disconnect so they can choose an alternative secure gateway due to performance issues with the current VPN session, or reconnection issues following the interruption of a VPN session.

• Setting a Connect Failure Policy: The connect failure policy determines whether the computer can access the internet if Always-On VPN is enabled and AnyConnect cannot establish a VPN session.

• Handling Captive Portal Hotspots: See.

Limitations of Always-On VPN

• If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login.

• Always-On VPN does not support connecting through a proxy.

Guidelines for Always-On VPN

To enhance protection against threats, we recommend the following additional protective measures if you configure Always-On VPN:

• We strongly recommend purchasing a digital certificate from a certificate authority (CA) and enrolling it on the secure gateways. The ASDM provides an Enroll ASA SSL VPN with Entrust button on the Configuration > Remote Access VPN > Certificate Management > Identity Certificates panel to facilitate enrollment of a public certificate.

• Pre-deploy a profile configured with Always-On to the endpoints to limit connectivity to the pre-defined ASAs. Predeployment prevents contact with a rogue server.

• Restrict administrator rights so that users cannot terminate processes.

A PC user with admin rights can bypass an Always-On policy by stopping the agent. If you want to ensure fully-secure Always-On, you must deny local admin rights to users.

• Restrict access to the Cisco sub-folders on Windows computers, typically C:\ProgramData.

• Users with limited or standard privileges may sometimes have write access to their program data folders. They could use this access to delete the AnyConnect profile file and thereby circumvent the Always-On feature.

• Pre-deploy a group policy object (GPO) for Windows users to prevent users with limited rights from terminating the GUI. Predeploy equivalent measures for macOS users.

Configure Always-On VPN

Procedure

Step 1.

Step 2 (Optional).

Step 3 (Optional).

Configure Always-On in the AnyConnect VPN Client Profile

Before You Begin

Always-On VPN requires that a valid, trusted server certificate be configured on the ASA; otherwise, it fails and logs an event indicating the certificate is invalid. In addition, ensuring that the server certificate can pass Strict Certificate Trust mode prevents the download of an Always-On VPN profile that locks a VPN connection to a rogue server.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 2) from the navigation pane.

Step 2 Select Automatic VPN Policy.

Step 4 Select Always On.

Step 5 (Optional) Select or unselect Allow VPN Disconnect.

Step 6 (Optional).

Step 7 (Optional).

Add Load-Balancing Backup Cluster Members to the Server List

Always-On VPN affects the load balancing of AnyConnect VPN sessions. With Always-On VPN disabled, when the client connects to a master device within a load balancing cluster, the client complies with a redirection from the master device to any of the backup cluster members. With Always-On enabled, the client does not comply with a redirection from the master device unless the address of the backup cluster member is specified in the server list of the client profile. Therefore, be sure to add any backup cluster members to the server list.

To specify the addresses of backup cluster members in the client profile, use ASDM to add a load-balancing backup server list by following these steps:

Procedure

Step 1 Open the VPN Profile Editor and choose Server List from the navigation pane.

Step 2 Choose a server that is a master device of a load-balancing cluster and click Edit.

Step 3 Enter an FQDN or IP address of any load-balancing cluster member.

Exempt Users from Always-On VPN

You can configure exemptions to override an Always-On policy. For example, you might want to let certain individuals establish VPN sessions with other companies or exempt the Always-On policy for noncorporate assets. Exemptions set in group policies and dynamic access policies on the ASA override the Always-On policy. You specify exceptions according to the matching criteria used to assign the policy.

If an AnyConnect policy enables Always-On and a dynamic access policy or group policy disables it, the client retains the disable setting for the current and future VPN sessions as long as its criteria match the dynamic access policy or group policy on the establishment of each new session. This procedure configures a dynamic access policy that uses AAA endpoint criteria to match sessions to noncorporate assets.

Procedure

Step 1 Choose Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add or Edit.

Step 2 Configure criteria to exempt users from Always-On VPN. For example, use the Selection Criteria area to specify AAA attributes to match user logon IDs.

Step 3 Click the AnyConnect tab on the bottom half of the Add or Edit Dynamic Access Policy window.

Step 4 Click Disable next to “Always-On VPN for AnyConnect client.”

Set a Connect Failure Policy for Always-On

About the Connect Failure Policy

The connect failure policy determines whether the computer can access the internet if Always-On VPN is enabled and AnyConnect cannot establish a VPN session. This can occur when a secure gateway is unreachable, or when AnyConnect fails to detect the presence of a captive portal hotspot. An open policy permits full network access, letting users continue to perform tasks where access to the Internet or other local network resources is needed. A closed policy disables all network connectivity until the VPN session is established.

AnyConnect does this by enabling packet filters that block all traffic from the endpoint that is not bound for a secure gateway to which the computer is allowed to connect. Regardless of the connect failure policy, AnyConnect continues to try to establish the VPN connection.

Guidelines for Setting the Connect Failure Policy

Consider the following when using an open policy which permits full network access:

• Security and protection are not available until the VPN session is established; therefore, the endpoint device may get infected with web-based malware or sensitive data may leak.

• An open connect failure policy does not apply if you enable the Disconnect button and the user clicks Disconnect.

Consider the following when using a closed policy which disables all network connectivity until the VPN session is established:

• A closed policy can halt productivity if users require Internet access outside the VPN.

• The purpose of closed is to help protect corporate assets from network threats when resources in the private network that protect the endpoint are not available. The endpoint is protected from web-based malware and sensitive data leakage at all times because all network access is prevented except for local resources such as printers and tethered devices permitted by split tunneling.

• This option is primarily for organizations where security persistence is a greater concern than always-available network access.

• A closed policy prevents captive portal remediation unless you specifically enable it.

• You can allow the application of the local resource rules imposed by the most recent VPN session if Apply Last VPN Local Resources is enabled in the client profile.

For example, these rules could determine access to active sync and local printing.

• The network is unblocked and open during an AnyConnect software upgrade when Always-On is enabled regardless of a closed policy.

• If you deploy a closed connection policy, we highly recommend that you follow a phased approach. For example, first deploy Always-On with a connect failure open policy and survey users for the frequency with which AnyConnect does not connect seamlessly. Then deploy a small pilot deployment of a connect failure closed policy among early-adopter users and solicit their feedback. Expand the pilot program gradually while continuing to solicit feedback before considering a full deployment. As you deploy a connect failure closed policy, be sure to educate the VPN users about the network access limitation as well as the advantages of a connect failure closed policy.
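The guidelines above describe several settings that interact: the open or closed policy, the Disconnect button, software upgrades, Apply Last VPN Local Resources, and the captive portal remediation option covered later on the page. The following added example (not Cisco AnyConnect code) folds those rules into one decision function so the outcome for a given profile and endpoint state can be checked before a phased rollout. Profile and state values are constructed; the Remediation Timeout value and the precedence between cases the page does not order (an upgrade while the user has clicked Disconnect) are assumptions.

```python
"""Endpoint network access under Always-On VPN with a connect failure policy
(added example, not AnyConnect code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlwaysOnProfile:
    always_on: bool = True
    connect_failure_policy: str = "Closed"          # "Closed" (default) or "Open"
    allow_vpn_disconnect: bool = True               # Disconnect button shown (default)
    allow_captive_portal_remediation: bool = False  # disabled by default
    remediation_timeout_minutes: int = 5            # assumed value; the page gives none
    apply_last_vpn_local_resources: bool = False


@dataclass(frozen=True)
class EndpointState:
    on_trusted_network: bool = False
    vpn_session_up: bool = False
    captive_portal_detected: bool = False
    user_clicked_disconnect: bool = False
    software_upgrade_in_progress: bool = False
    minutes_since_portal_detected: float = 0.0


def remediation_window_open(profile: AlwaysOnProfile, state: EndpointState) -> bool:
    """A closed policy is lifted only for Remediation Timeout minutes after detection."""
    return (profile.allow_captive_portal_remediation
            and state.captive_portal_detected
            and state.minutes_since_portal_detected < profile.remediation_timeout_minutes)


def network_access(profile: AlwaysOnProfile, state: EndpointState) -> str:
    """Classify what the endpoint may reach right now.

    'full'                 unrestricted network access
    'tunnel'               VPN session up; traffic goes through the tunnel
    'gateway-only'         packet filters allow only the permitted secure gateways
    'local-resources-only' gateway-only plus the last session's local device rules
    'portal-remediation'   restrictions lifted so the user can satisfy the hotspot
    """
    if not profile.always_on or state.on_trusted_network:
        return "full"  # Always-On only restricts access off the trusted network
    if state.vpn_session_up:
        return "tunnel"
    if state.software_upgrade_in_progress:
        # The page: an upgrade unblocks the network regardless of a closed policy.
        # Assumption: this also wins over a prior Disconnect click.
        return "full"
    if state.user_clicked_disconnect and profile.allow_vpn_disconnect:
        # Disconnect locks all interfaces; an open policy does not apply here.
        return "gateway-only"
    if profile.connect_failure_policy == "Open":
        return "full"
    if remediation_window_open(profile, state):
        return "portal-remediation"
    if profile.apply_last_vpn_local_resources:
        return "local-resources-only"
    return "gateway-only"


def captive_portal_message(profile: AlwaysOnProfile) -> str:
    """Which of the two notices documented on the page the user sees on portal detection."""
    if (profile.always_on and profile.connect_failure_policy == "Closed"
            and not profile.allow_captive_portal_remediation):
        return ("The service provider in your current location is restricting access to the "
                "Internet. The AnyConnect protection settings must be lowered for you to log on "
                "with the service provider. Your current enterprise security policy does not "
                "allow this.")
    return ("The service provider in your current location is restricting access to the "
            "Internet. You need to log on with the service provider before you can establish "
            "a VPN session. You can try this by visiting any website with your browser.")


if __name__ == "__main__":
    # Constructed scenario: default closed policy, hotspot detected, no remediation allowed.
    print(network_access(AlwaysOnProfile(), EndpointState(captive_portal_detected=True)))  # gateway-only
```

Running the default profile through a few states makes the trade-off in the guidelines concrete: the closed policy leaves a user on a hotspot with nothing but the secure gateways reachable, and only Allow Captive Portal Remediation (for the timeout window) or an open policy changes that.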

Caution: A connect failure closed policy prevents network access if AnyConnect fails to establish a VPN session. Use extreme caution when implementing a connect failure closed policy.

Configure a Connect Failure Policy

You configure a Connect Failure Policy only when the Always-On feature is enabled. By default, the connect failure policy is closed, preventing Internet access if the VPN is unreachable. To allow Internet access in this situation the connect failure policy must be set to open.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 2) from the navigation pane.

Step 2 Set the Connect Failure Policy parameter to one of the following settings:

• Closed—(Default) Restricts network access when the secure gateway is unreachable.

• Open—Permits network access by browsers and other applications when the client cannot connect to the secure gateway.

Step 3 If you specified a closed policy:

•

• Select Apply Last VPN Local Resources if you would like to retain the last VPN session’s local device rules while network access is disabled.

Use Captive Portal Hotspot Detection and Remediation

About Captive Portals

Many facilities that offer Wi-Fi and wired access, such as airports, coffee shops, and hotels, require the user to pay before obtaining access, to agree to abide by an acceptable use policy, or both.

These facilities use a technique called captive portal to prevent applications from connecting until the user opens a browser and accepts the conditions for access. Captive portal detection is the recognition of this restriction, and captive portal remediation is the process of satisfying the requirements of a captive portal hotspot in order to obtain network access. Captive portals are detected automatically by AnyConnect when initiating a VPN connection, requiring no additional configuration. Also, AnyConnect does not modify any browser configuration settings during captive portal detection and does not automatically remediate the captive portal.

It relies on the end user to perform the remediation. AnyConnect reacts to the detection of a captive portal depending on the current configuration:

• If Always-On is disabled, or if Always-On is enabled and the Connect Failure Policy is open, the following message is displayed on each connection attempt:

The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session.

You can try this by visiting any website with your browser.

The end user must perform captive portal remediation by meeting the requirements of the provider of the hotspot. These requirements could be paying a fee to access the network, signing an acceptable use policy, both, or some other requirement defined by the provider.

• If Always-On is enabled and the connect failure policy is closed, captive portal remediation needs to be explicitly enabled.

If enabled, the end user can perform remediation as described above. If disabled, the following message is displayed upon each connection attempt, and the VPN cannot be connected:

The service provider in your current location is restricting access to the Internet. The AnyConnect protection settings must be lowered for you to log on with the service provider.

Your current enterprise security policy does not allow this.

Configure Captive Portal Remediation

You configure captive portal remediation only when the Always-On feature is enabled and the Connect Failure Policy is set to closed. In this situation, configuring captive portal remediation allows AnyConnect to connect to the VPN when a captive portal is preventing it from doing so. If the Connect Failure Policy is set to open or Always-On is not enabled, your users are not restricted from network access and are capable of remediating a captive portal without any specific configuration in the AnyConnect VPN client profile.

By default, captive portal remediation is disabled to provide the greatest security.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 1) from the navigation pane.

Step 2 Select Allow Captive Portal Remediation. This setting lifts the network access restrictions imposed by the closed connect failure policy.

Step 3 Specify the Remediation Timeout. Enter the number of minutes for which AnyConnect lifts the network access restrictions.

The user needs enough time to satisfy the captive portal requirements.

Troubleshoot Captive Portal Detection and Remediation

AnyConnect can falsely assume that it is in a captive portal in the following situations.

• If AnyConnect attempts to contact an ASA with a certificate containing an incorrect server name (CN), then the AnyConnect client will think it is in a “captive portal” environment.

To prevent this, make sure the ASA certificate is properly configured. The CN value in the certificate must match the name of the ASA server in the VPN client profile.

• If there is another device on the network before the ASA, and that device responds to the client's attempt to contact an ASA by blocking HTTPS access to the ASA, then the AnyConnect client will think it is in a “captive portal” environment.

This situation can occur when a user is on an internal network and connects to the ASA through a firewall. If you need to restrict access to the ASA from inside the corporation, configure your firewall such that HTTP and HTTPS traffic to the ASA’s address does not return an HTTP status.

HTTP/HTTPS access to the ASA should either be allowed or completely blocked (also known as black-holed) to ensure that HTTP/HTTPS requests sent to the ASA will not return an unexpected response.

If users cannot access a captive portal remediation page, ask them to try the following:

• Terminate any applications that use HTTP, such as instant messaging programs, e-mail clients, IP phone clients, and all but one browser to perform the remediation. The captive portal may be actively inhibiting DoS attacks by ignoring repetitive attempts to connect, causing them to time out on the client end. The attempt by many applications to make HTTP connections exacerbates this problem.

• Disable and re-enable the network interface. This action triggers a captive portal detection retry.

• Restart the computer.

Configure AnyConnect over L2TP or PPTP

ISPs in some countries require support of the Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP). To send traffic destined for the secure gateway over a Point-to-Point Protocol (PPP) connection, AnyConnect uses the point-to-point adapter generated by the external tunnel. When establishing a VPN tunnel over a PPP connection, the client must exclude traffic destined for the ASA from the tunneled traffic intended for destinations beyond the ASA. To specify whether and how to determine the exclusion route, use the PPP Exclusion setting in the AnyConnect profile. The exclusion route appears as a non-secured route in the Route Details display of the AnyConnect GUI.

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 2) from the navigation pane.

Step 2 Choose a PPP Exclusion method. Also, check User Controllable for this field to let users view and change this setting:

• Automatic—Enables PPP exclusion. AnyConnect automatically uses the IP address of the PPP server. Instruct users to change the value only if automatic detection fails to get the IP address.

• Override—Also enables PPP exclusion.

If automatic detection fails to get the IP address of the PPP server, and the PPP Exclusion UserControllable value is true, instruct users to follow the instructions in the next section to use this setting.

• Disabled—PPP exclusion is not applied.

Step 3 In the PPP Exclusion Server IP field, enter the IP address of the PPP server used for the connection. Checking User Controllable for this field lets users change this IP address of the PPP Server via the preferences.xml file.

What to Do Next

Refer to the 'Instruct Users to Override PPP Exclusion' section for information about changing the preferences.xml file.

Instruct Users to Override PPP Exclusion

If automatic detection does not work and you configured the PPP Exclusion fields as user controllable, the user can override the setting by editing the AnyConnect preferences file on the local computer.

Procedure

Step 1 Use an editor such as Notepad to open the preferences XML file. This file is at one of the following paths on the user’s computer:

• Windows: %LOCAL_APPDATA%\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml. For example,

• macOS: /Users/username/.anyconnect

• Linux: /home/username/.anyconnect

Step 2 Insert the PPPExclusion details under, while specifying the Override value and the IP address of the PPP server.

The address must be a well-formed IPv4 address. For example: Override 192.168.22.44

Step 3 Save the file.

Step 4 Exit and restart AnyConnect.

Configure AnyConnect Proxy Connections

About AnyConnect Proxy Connections

AnyConnect supports VPN sessions through Local, Public, and Private proxies:

• Local Proxy Connections: A local proxy runs on the same PC as AnyConnect, and is sometimes used as a transparent proxy. Some examples of a transparent proxy service include acceleration software provided by some wireless data cards, or a network component on some antivirus software, such as Kaspersky. The use of a local proxy is enabled or disabled in the AnyConnect VPN client profile, see.

• Public Proxy Connections: Public proxies are usually used to anonymize web traffic.

When Windows is configured to use a public proxy, AnyConnect uses that connection. Public proxy is supported on macOS and Linux for both native and override. Configuring a public proxy is described in.

• Private Proxy Connections: Private proxy servers are used on a corporate network to prevent corporate users from accessing certain Web sites based on corporate usage policies, for example, pornography, gambling, or gaming sites. You configure a group policy to download private proxy settings to the browser after the tunnel is established. The settings return to their original state after the VPN session ends.

Note: AnyConnect SBL connections through a proxy server are dependent on the Windows operating system version and system (machine) configuration or other third-party proxy software capabilities; therefore, refer to system wide proxy settings as provided by Microsoft or whatever third-party proxy application you use.

Control Client Proxy with VPN Client Profile

The VPN Client profile can block or redirect the client system's proxy connection. For Windows and Linux, you can configure, or you can allow the user to configure, the address of a public proxy server.

For more information about configuring the proxy settings in the VPN client profile, see

Proxy Auto-Configuration File Generation for Clientless Support

Some versions of the ASA require AnyConnect configuration to support clientless portal access through a proxy server after establishing an AnyConnect session. AnyConnect uses a proxy auto-configuration (PAC) file to modify the client-side proxy settings to let this occur. AnyConnect generates this file only if the ASA does not specify private-side proxy settings.

Requirements for AnyConnect Proxy Connections

OS support of proxy connections varies as shown:

Proxy Connection Type    Windows                      macOS             Linux
Local Proxy              Yes                          No                No
Private Proxy            Yes (on Internet Explorer)   Yes (on Safari)   No
Public Proxy             Yes (IE and Override)        No                Yes (Override)

Limitations on Proxy Connections

• IPv6 proxies are not supported for any type of proxy connection.

• Connecting through a proxy is not supported with the Always-On feature enabled.

• A VPN client profile is required to allow access to a local proxy.

Allow a Local Proxy Connection

Procedure

Step 1 Open the VPN Profile Editor and choose Preferences (Part 2) from the navigation pane.

Step 2 Select (default) or unselect Allow Local Proxy Connections. Local proxy is disabled by default.

Configure a Public Proxy Connection, Windows

Follow these steps to configure a public proxy connection on Windows.

Procedure

Step 1 Open Internet Options from Internet Explorer or the Control Panel.

Step 2 Select the Connections tab, and click the LAN Settings button.

Step 3 Configure the LAN to use a proxy server, and enter the IP address of the proxy server.

Configure a Private Proxy Connection

Procedure

Step 1 Configure the private proxy information in the ASA group policy.

See the section in the Cisco ASA Series VPN Configuration Guide.

Note: In a macOS environment, the proxy information that is pushed down from the ASA (upon a VPN connection) is not viewed in the browser until you open up a terminal and issue scutil --proxy.

Step 2 (Optional).

Step 3 (Optional).

Configure the Client to Ignore Browser Proxy Settings

You can specify a policy in the AnyConnect profile to bypass the Microsoft Internet Explorer or Safari proxy configuration settings on the user’s PC.

This prevents the user from establishing a tunnel from outside the corporate network, and prevents AnyConnect from connecting through an undesirable or illegitimate proxy server. Procedure Step 1 Open the VPN Profile Editor and choose Preferences (Part 2) from the navigation pane.

Step 2 In the Proxy Settings drop-down list, choose IgnoreProxy. Ignore Proxy causes the client to ignore all proxy settings. No action is taken against proxies that are downloaded from the ASA. Lock Down the Internet Explorer Connections Tab Under certain conditions, AnyConnect hides the Internet Explorer Tools >Internet Options >Connections tab.

When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally circumventing the tunnel. The tab lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies applied to that tab. The conditions under which this lockdown occurs are the following:
• The ASA configuration specifies Connections tab lockdown.
• The ASA configuration specifies a private-side proxy.
• A Windows group policy previously locked down the Connections tab (overriding the no lockdown ASA group policy setting).

You can configure the ASA to allow or not allow proxy lockdown in the group policy. To do this using ASDM, follow this procedure:

Procedure
Step 1 In ASDM go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Step 2 Select a group policy and click Edit or Add a new group policy.
Step 3 In the navigation pane, go to Advanced > Browser Proxy. The Proxy Server Policy pane displays.
Step 4 Click Proxy Lockdown to display more proxy settings.
Step 5 Uncheck Inherit and select Yes to enable proxy lockdown and hide the Internet Explorer Connections tab for the duration of the AnyConnect session; or select No to disable proxy lockdown and expose the Internet Explorer Connections tab for the duration of the AnyConnect session.
Step 6 Click OK to save the Proxy Server Policy changes.
Step 7 Click Apply to save the Group Policy changes.

Verify the Proxy Settings

• For Windows: Find the proxy settings in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
• For macOS: Open a terminal window, and type: scutil --proxy

Select and Exclude VPN Traffic

Configure IPv4 or IPv6 Traffic to Bypass the VPN

You can configure how the AnyConnect client manages IPv4 traffic when the ASA is expecting only IPv6 traffic, or how AnyConnect manages IPv6 traffic when the ASA is expecting only IPv4 traffic, using the Client Bypass Protocol setting. When the AnyConnect client makes a VPN connection to the ASA, the ASA can assign the client an IPv4, IPv6, or both an IPv4 and IPv6 address.

If Client Bypass Protocol is enabled for an IP protocol and an address pool is not configured for that protocol (in other words, no IP address for that protocol was assigned to the client by the ASA), any IP traffic using that protocol is not sent through the VPN tunnel. It is sent outside the tunnel.

If Client Bypass Protocol is disabled, and an address pool is not configured for that protocol, the client drops all traffic for that IP protocol once the VPN tunnel is established. For example, assume that the ASA assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped. If Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear.

You configure the Client Bypass Protocol on the ASA in the group policies.

Procedure
Step 1 In ASDM go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies.
Step 2 Select a group policy and click Edit or Add a new group policy.
Step 3 Select Advanced > AnyConnect.
Step 4 Next to Client Bypass Protocol, uncheck Inherit if this is a group policy other than the default group policy.
Step 5 Choose one of these options:
• Click Disable to drop IP traffic for which the ASA did not assign an address.
• Click Enable to send that IP traffic in the clear.
Step 6 Click OK.
Step 7 Click Apply.

Configure a Client Firewall with Local Printer and Tethered Device Support

See the section in the Cisco ASA Series Configuration Guide.

Configure Split Tunneling

Split tunneling is configured in a Network (Client) Access group policy. See the Configure Split Tunneling for AnyConnect Traffic section in the.

After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy.

Split DNS

When split DNS is configured in the Network (Client) Access group policy, AnyConnect tunnels specific DNS queries to the private DNS server (also configured in the group policy). All other DNS queries go to the DNS resolver on the client operating system, in the clear, for DNS resolution. If split DNS is not configured, AnyConnect tunnels all DNS queries.

Requirements for Split DNS

Split DNS supports standard and update queries (including A, AAAA, NS, TXT, MX, SOA, ANY, SRV, PTR, and CNAME). PTR queries matching any of the tunneled networks are allowed through the tunnel. AnyConnect split DNS is supported on Windows and macOS platforms.

For macOS, AnyConnect can use true split-DNS for a certain IP protocol only if one of the following conditions is met:
• Split-DNS is configured for one IP protocol (such as IPv4), and Client Bypass Protocol is configured for the other IP protocol (such as IPv6) in the group policy (with no address pool configured for the latter IP protocol).
• Split-DNS is configured for both IP protocols.

Configure Split DNS

To configure split DNS in the group policy, do the following:

Procedure
Step 1 Configure at least one DNS server. See the Configure Server Attributes for an Internal Group Policy section in the. Ensure the private DNS servers specified do not overlap with the DNS servers configured for the client platform.

If they do, name resolution does not function properly and queries may be dropped.
Step 2 Configure split-include tunneling: On the Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Advanced > Split Tunneling pane, choose the Tunnel Network List Below policy, and specify a Network List of addresses to be tunneled. Split-DNS does not support the Exclude Network List Below split-tunneling policy. You must use the Tunnel Network List Below split-tunneling policy to configure split-DNS.
Step 3 Configure split DNS: On the Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Advanced > Split Tunneling pane, uncheck Send All DNS lookups through tunnel, and specify the names of the domains whose queries will be tunneled in DNS Names.

What to Do Next

After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy.
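As an added example (not code from the Cisco guide or the AnyConnect client), the following Python models the split DNS rules described above: queries under the configured DNS Names and PTR queries for addresses inside the tunneled Network List go through the tunnel, everything else goes to the OS resolver in the clear, and with split DNS off every query is tunneled. It also includes the suffix-list comparison from the verification procedure. The domain names, networks and queries are constructed sample values.

```python
"""Model of AnyConnect split DNS routing, added as an illustration (not the
client's code). All inputs below are constructed sample values."""
import ipaddress

# Query types the guide lists as supported by split DNS.
SUPPORTED_TYPES = {"A", "AAAA", "NS", "TXT", "MX", "SOA", "ANY", "SRV", "PTR", "CNAME"}


def _in_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it (case-insensitive)."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def _ptr_to_ip(qname):
    """Turn a reverse-lookup name (in-addr.arpa / ip6.arpa) back into an IP
    address. Returns None if the name is not a well-formed reverse name."""
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return ipaddress.ip_address(".".join(reversed(octets)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32:
                return None
            hexstr = "".join(reversed(nibbles))
            return ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


def route_query(qname, qtype, split_dns_enabled, dns_names, tunneled_networks):
    """Return "tunnel" if the query goes to the private DNS server through the
    VPN, or "clear" if it is left to the client OS resolver.

    dns_names: the DNS Names list from the group policy (split DNS domains).
    tunneled_networks: the split-include Network List, as CIDR strings.
    """
    if qtype not in SUPPORTED_TYPES:
        # The guide lists the supported types; behaviour for other types is
        # not described, so refuse rather than guess.
        raise ValueError("query type %s not covered by split DNS rules" % qtype)
    if not split_dns_enabled:
        return "tunnel"  # without split DNS, every query is tunneled
    nets = [ipaddress.ip_network(n, strict=False) for n in tunneled_networks]
    if qtype == "PTR":
        # A PTR query for an address in a tunneled network goes through the tunnel.
        ip = _ptr_to_ip(qname)
        if ip is not None and any(ip in net for net in nets):
            return "tunnel"
    if any(_in_domain(qname, d) for d in dns_names):
        return "tunnel"
    return "clear"


def split_dns_domains(suffix_list_before, suffix_list_after):
    """Verification step from the guide: the DNS suffixes that appear only after
    the tunnel is up are the split DNS domains (assumes no overlap beforehand)."""
    return sorted(set(suffix_list_after) - set(suffix_list_before))


if __name__ == "__main__":
    # Constructed group-policy values
    names = ["corp.example.com"]
    nets = ["10.0.0.0/8", "2001:db8::/32"]
    for q, t in [("intranet.corp.example.com", "A"), ("www.example.org", "A"),
                 ("3.2.1.10.in-addr.arpa", "PTR"), ("7.100.51.198.in-addr.arpa", "PTR")]:
        print(q, t, "->", route_query(q, t, True, names, nets))
```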

Verify Split DNS Using AnyConnect Logs

To verify whether split-DNS is enabled, search the AnyConnect logs for an entry containing “Received VPN Session Configuration Settings.” That entry indicates Split DNS is enabled. There are separate log entries for IPv4 and IPv6 split DNS.

Check Which Domains Use Split DNS

You can use any tool or application that relies on the operating system’s DNS resolver for domain name resolution. For example, you can use ping or a web browser to test the split DNS solution. Other tools such as nslookup or dig circumvent the OS DNS resolver. To use the client to check which domains are used for split DNS, follow these steps:

Procedure
Step 1 Run ipconfig /all and record the domains listed next to DNS Suffix Search List.
Step 2 Establish a VPN connection and again check the domains listed next to DNS Suffix Search List. The extra domains added after establishing the tunnel are the domains used for split DNS.
Note This process assumes that the domains pushed from the ASA do not overlap with the ones already configured on the client host.

Manage VPN Authentication

Important Security Considerations

• We do not recommend using a self-signed certificate on your secure gateway because of the possibility that a user could inadvertently configure a browser to trust a certificate on a rogue server, and because of the inconvenience to users of having to respond to a security warning when connecting to your secure gateway.
• We strongly recommend that you enable Strict Certificate Trust for the AnyConnect client for the following reasons:

To configure Strict Certificate Trust, see the Local Policy Parameters and Values section.

Configure Server Certificate Handling

Server Certificate Verification

• The AnyConnect client does not support certificate verification using certificate revocation lists (CRL). Many sites position the Certificate Authority they use to validate server certificates inside the corporate network. That means that a client cannot verify the CRL when it is trying to connect to a headend, since the CRL is not accessible on the public network. The client operating system can be configured to verify the CRL in Windows and Mac OS X, but we ignore that setting.

• (Windows only) For both SSL and IPsec VPN connections, you have the option to perform Certificate Revocation List (CRL) checking. When enabled in the profile editor, AnyConnect retrieves the updated CRL for all certificates in the chain. It then verifies whether the certificate in question is among those revoked certificates which should no longer be trusted; if it is found to be a certificate revoked by the Certificate Authority, it does not connect. Refer to for further information.
• When a user connects to an ASA that is configured with a server certificate, the checkbox to trust and import that certificate will still display, even if there is a problem with the trust chain (Root, Intermediate, etc.). If there are any other certificate problems, that checkbox will not display.
• SSL connections being performed via FQDN do not make a secondary server certificate verification with the FQDN's resolved IP address for name verification if the initial verification using the FQDN fails.
• IPsec and SSL connections require that if a server certificate contains Key Usage, the attributes must contain DigitalSignature AND (KeyAgreement OR KeyEncipherment). If the server certificate contains an EKU, the attributes must contain serverAuth (for SSL and IPsec) or ikeIntermediate (for IPsec only). Note that server certificates are not required to have a KU or an EKU to be accepted.
• IPsec connections perform name verification on server certificates. The following rules are applied for the purposes of IPsec name verification:
  • If a Subject Alternative Name extension is present with relevant attributes, name verification is performed solely against the Subject Alternative Name. Relevant attributes include DNS Name attributes for all certificates, and additionally include IP address attributes if the connection is being performed to an IP address.
  • If a Subject Alternative Name extension is not present, or is present but contains no relevant attributes, name verification is performed against any Common Name attributes found in the Subject of the certificate.
  • If a certificate uses a wildcard for the purposes of name verification, the wildcard must be in the first (left-most) subdomain only, and additionally must be the last (right-most) character in the subdomain. Any wildcard entry not in compliance is ignored for the purposes of name verification.
• For OSX, expired certificates are displayed only when Keychain Access is configured to “Show Expired Certificates.” Expired certificates are hidden by default, which may confuse users.

Invalid Server Certificate Handling

In response to the increase of targeted attacks against mobile users on untrusted networks, we have improved the security protections in the client to help prevent serious security breaches. The default client behavior has been changed to provide an extra layer of defense against Man-in-the-middle attacks.

User Interaction

When the user tries to connect to a secure gateway, and there is a certificate error (due to expired, invalid date, wrong key usage, or CN mismatch), the user sees a red-colored dialog with Change Settings and Keep Me Safe buttons.
Note The dialogs for Linux may look different from the ones shown in this document.
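The Key Usage/EKU requirement and the IPsec name-verification rules listed under Server Certificate Verification above, as an added Python model (not AnyConnect code). Certificates are plain dicts with constructed values; chain trust, expiry and revocation are separate checks and are not modelled here.

```python
"""Model of the AnyConnect server-certificate acceptance rules (KU/EKU and
IPsec name verification), added as an illustration. Not the client's code;
certificates are plain dicts constructed inline."""
import ipaddress


def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def key_usage_ok(cert, protocol):
    """KU, if present, needs digitalSignature AND (keyAgreement OR keyEncipherment).
    EKU, if present, needs serverAuth (SSL or IPsec) or ikeIntermediate (IPsec only).
    A certificate with neither extension is still accepted."""
    ku = cert.get("key_usage")
    if ku is not None:
        if "digitalSignature" not in ku:
            return False
        if not ({"keyAgreement", "keyEncipherment"} & set(ku)):
            return False
    eku = cert.get("extended_key_usage")
    if eku is not None:
        if "serverAuth" in eku:
            return True
        return protocol == "ipsec" and "ikeIntermediate" in eku
    return True


def _wildcard_ok(pattern):
    """A wildcard counts only if it sits in the left-most label and is that
    label's last character; any other wildcard entry is ignored entirely."""
    if "*" not in pattern:
        return True
    labels = pattern.split(".")
    if any("*" in label for label in labels[1:]):
        return False
    return labels[0].endswith("*") and labels[0].count("*") == 1


def _name_matches(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if not _wildcard_ok(pattern):
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if len(plabels) != len(hlabels) or plabels[1:] != hlabels[1:]:
        return False
    return hlabels[0].startswith(plabels[0][:-1])  # "vpn*" matches "vpn2"


def ipsec_name_ok(cert, target):
    """IPsec name verification. With relevant SAN attributes present (DNS names
    always, IP addresses only when connecting to an IP literal), the SAN alone
    decides; the Subject CN is consulted only when the SAN has none."""
    san = cert.get("san", {})
    to_ip = _is_ip(target)
    relevant = list(san.get("dns", []))
    if to_ip:
        relevant += san.get("ip", [])
    if relevant:
        if any(_name_matches(n, target) for n in san.get("dns", [])):
            return True
        return to_ip and any(ipaddress.ip_address(a) == ipaddress.ip_address(target)
                             for a in san.get("ip", []))
    return any(_name_matches(cn, target) for cn in cert.get("subject_cn", []))


def accept_server_cert(cert, target, protocol):
    """Combined decision for the rules modelled here; SSL name checking is not
    described by the rules above, so only IPsec targets are name-verified."""
    if not key_usage_ok(cert, protocol):
        return False
    if protocol == "ipsec":
        return ipsec_name_ok(cert, target)
    return True


# Constructed sample gateway certificate (not a real one)
GATEWAY_CERT = {
    "subject_cn": ["vpn.example.com"],
    "san": {"dns": ["vpn.example.com", "vpn*.example.com"], "ip": ["203.0.113.10"]},
    "key_usage": ["digitalSignature", "keyEncipherment"],
    "extended_key_usage": ["serverAuth"],
}

if __name__ == "__main__":
    for target in ["vpn.example.com", "vpn2.example.com", "203.0.113.10", "203.0.113.11"]:
        print(target, "->", accept_server_cert(GATEWAY_CERT, target, "ipsec"))
```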

• Clicking Keep Me Safe cancels the connection.
• Clicking Change Settings opens AnyConnect’s Advanced > VPN > Preferences dialog, where the user can enable connections to untrusted servers. The current connection attempt is canceled.

If the user unchecks Block connections to untrusted servers, and the only issue with the certificate is that the CA is untrusted, then the next time the user attempts to connect to this secure gateway, the user will not see the Certificate Blocked Error dialog; they see only the following dialog:

If the user checks Always trust this VPN server and import the certificate, then future connections to this secure gateway will not prompt the user to continue.
Note If the user checks Block connections to untrusted servers in AnyConnect Advanced > VPN > Preferences, or if the user’s configuration meets one of the conditions in the list of the modes described under the guidelines and limitations section, then AnyConnect rejects invalid server certificates.

Improved Security Behavior

When the client accepts an invalid server certificate, that certificate is saved in the client's certificate store. Previously, only the thumbprint of the certificate was saved. Note that invalid certificates are saved only when the user has elected to always trust and import invalid server certificates. There is no administrative override to make the end user less secure automatically. To completely remove the preceding security decisions from your end users, enable Strict Certificate Trust in the user’s local policy file. When Strict Certificate Trust is enabled, the user sees an error message, and the connection fails; there is no user prompt. For information about enabling Strict Certificate Trust in the local policy file, see the AnyConnect Local Policy Parameters and Values section.

Guidelines and Limitations

Invalid server certificates are rejected when:
• Always On is enabled in the AnyConnect VPN client profile and is not turned off by an applied group policy or DAP.
• The client has a Local Policy with Strict Certificate Trust enabled.
• AnyConnect is configured to start before logon.
• A client certificate from the machine certificate store is used for authentication.

Configure Certificate-Only Authentication

You can specify whether you want users to authenticate using AAA with a username and password or using a digital certificate (or both). When you configure certificate-only authentication, users can connect with a digital certificate and are not required to provide a user ID and password. To support certificate-only authentication in an environment where multiple groups are used, you may provision more than one group-url.

Each group-url would contain a different client profile with some piece of customized data that would allow for a group-specific certificate map to be created. For example, the Department_OU value of Engineering could be provisioned on the ASA to place the user in this group when the certificate from this process is presented to the ASA.
Note The certificate used to authenticate the client to the secure gateway must be valid and trusted (signed by a CA). A self-signed client certificate will not be accepted.

Procedure
Step 1 Go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Select a connection profile and click Edit. The Edit AnyConnect Connection Profile window opens.
Step 2 If it is not already selected, click the Basic node of the navigation tree in the left pane of the window. In the right pane of the window, in the Authentication area, enable the method Certificate.
Step 3 Click OK and apply your changes.

Configure Certificate Enrollment

The Cisco AnyConnect Secure Mobility Client uses the Simple Certificate Enrollment Protocol (SCEP) to provision and renew a certificate as part of client authentication. Certificate enrollment using SCEP is supported by AnyConnect IPsec and SSL VPN connections to the ASA in the following ways:
• SCEP Proxy: The ASA acts as a proxy for SCEP requests and responses between the client and the Certificate Authority (CA).

  • The CA must be accessible to the ASA, not the AnyConnect client, since the client does not access the CA directly.
  • Enrollment is always initiated automatically by the client. No user involvement is necessary.
• Legacy SCEP: The AnyConnect client communicates with the CA directly to enroll and obtain a certificate.
  • The CA must be accessible to the AnyConnect client, not the ASA, through an established VPN tunnel or directly on the same network the client is on.
  • Enrollment is initiated automatically by the client and may be initiated manually by the user if configured.

SCEP Proxy Enrollment and Operation

The following steps describe how a certificate is obtained and a certificate-based connection is made when AnyConnect and the ASA are configured for SCEP Proxy.
• The user connects to the ASA headend using a connection profile configured for both certificate and AAA authentication. The ASA requests a certificate and AAA credentials for authentication from the client.
• The user enters his/her AAA credentials, but a valid certificate is not available. This situation triggers the client to send an automatic SCEP enrollment request after the tunnel has been established using the entered AAA credentials.
• The ASA forwards the enrollment request to the CA and returns the CA’s response to the client.
• If SCEP enrollment is successful, the client presents a (configurable) message to the user and disconnects the current session. The user can now connect using certificate authentication to an ASA tunnel group. If SCEP enrollment fails, the client displays a (configurable) message to the user and disconnects the current session. The user should contact his/her administrator.

Other SCEP Proxy operational considerations:
• If configured to do so, the client automatically renews the certificate before it expires, without user intervention.
• SCEP Proxy enrollment uses SSL for both SSL and IPsec tunnel certificate authentication.

Legacy SCEP Enrollment and Operation

The following steps describe how a certificate is obtained and a certificate-based connection is made when AnyConnect is configured for Legacy SCEP.
• When the user initiates a connection to the ASA headend using a tunnel group configured for certificate authentication, the ASA requests a certificate for authentication from the client.
• A valid certificate is not available on the client. The connection cannot be established. This certificate failure indicates that SCEP enrollment needs to occur.
• The user must then initiate a connection to the ASA headend using a tunnel group configured for AAA authentication only whose address matches the Automatic SCEP Host configured in the client profile. The ASA requests the AAA credentials from the client.
• The client presents a dialog box for the user to enter AAA credentials. If the client is configured for manual enrollment and the client knows it needs to initiate SCEP enrollment (see Step 2), a Get Certificate button displays on the credentials dialog box. If the client has direct access to the CA on his/her network, the user will be able to manually obtain a certificate by clicking this button at this time.
Note If access to the CA relies on the VPN tunnel being established, manual enrollment cannot be done at this time because there is currently no VPN tunnel established (AAA credentials have not been entered).
• The user enters AAA credentials and establishes a VPN connection.
• The client knows it needs to initiate SCEP enrollment (see Step 2). It initiates an enrollment request to the CA through the established VPN tunnel, and a response is received from the CA.
• If SCEP enrollment is successful, the client presents a (configurable) message to the user and disconnects the current session. The user can now connect using certificate authentication to an ASA tunnel group. If SCEP enrollment fails, the client displays a (configurable) message to the user and disconnects the current session. The user should contact his/her administrator.

Other Legacy SCEP operational considerations:
• If the client is configured for manual enrollment and the Certificate Expiration Threshold value is met, a Get Certificate button displays on a presented tunnel group selection dialog box. Users can manually renew their certificate by clicking this button.
• If the certificate expires and the client no longer has a valid certificate, the client repeats the Legacy SCEP enrollment process.

Certificate Authority Requirements

• All SCEP-compliant CAs, including IOS CS, Windows Server 2003 CA, and Windows Server 2008 CA, are supported.
• The CA must be in auto-grant mode; polling for certificates is not supported.
• You can configure some CAs to email users an enrollment password for an additional layer of security. The CA password is the challenge password or token that is sent to the certificate authority to identify the user. The password can then be configured in the AnyConnect client profile, which becomes part of the SCEP request that the CA verifies before granting the certificate. If you use manual Legacy SCEP enrollment, we recommend that you enable the CA password in the client profile.

Guidelines for Certificate Enrollment

• Clientless (browser-based) VPN access to the ASA does not support SCEP proxy, but WebLaunch (clientless-initiated AnyConnect) does.
• ASA load balancing is supported with SCEP enrollment.
• The ASA does not indicate why an enrollment failed, although it does log the requests received from the client. Connection problems must be debugged on the CA or the client.
• Certificate-Only Authentication and Certificate Mapping on the ASA: To support certificate-only authentication in an environment where multiple groups are used, you may provision more than one group-url. Each group-url would contain a different client profile with some piece of customized data that would allow for a group-specific certificate map to be created. For example, the Department_OU value of Engineering could be provisioned on the ASA to place the user in this tunnel group when the certificate from this process is presented to the ASA.
• Identifying Enrollment Connections to Apply Policies: On the ASA, the aaa.cisco.sceprequired attribute can be used to catch the enrollment connections and apply the appropriate policies in the selected DAP record.
• Windows Certificate Warning: When Windows clients first attempt to retrieve a certificate from a certificate authority they may see a warning. When prompted, users must click Yes. This allows them to import the root certificate. It does not affect their ability to connect with the client certificate.

Configure SCEP Proxy Certificate Enrollment

Configure a VPN Client Profile for SCEP Proxy Enrollment

Procedure
Step 1 Open the VPN Profile Editor and choose Certificate Enrollment from the navigation pane.
Step 2 Select Certificate Enrollment.
Step 3 Configure the Certificate Contents to be requested in the enrollment certificate. For definitions of the certificate fields, see.
Note
• If you use %machineid%, then HostScan/Posture must be loaded for the desktop client.
• For mobile clients, at least one certificate field must be specified.

Configure the ASA to Support SCEP Proxy Enrollment

For SCEP Proxy, a single ASA connection profile supports certificate enrollment and the certificate authorized VPN connection.

Procedure
Step 1 Create a group policy, for example, cert_group. Set the following fields:
• On General, enter the URL to the CA in SCEP Forwarding URL.
• On the Advanced > AnyConnect Client pane, uncheck Inherit for Client Profiles to Download and specify the client profile configured for SCEP Proxy. For example, specify the ac_vpn_scep_proxy client profile.
Step 2 Create a connection profile for certificate enrollment and certificate authorized connection, for example, cert_tunnel.
• Authentication: Both (AAA and Certificate).
• Default Group Policy: cert_group.
• On Advanced > General, check Enable SCEP Enrollment for this Connection Profile.
• On Advanced > GroupAlias/Group URL, create a Group URL containing the group (cert_group) for this connection profile.

Configure Legacy SCEP Certificate Enrollment

Configure a VPN Client Profile for Legacy SCEP Enrollment

Procedure
Step 1 Open the VPN Profile Editor and choose Certificate Enrollment from the navigation pane.
Step 2 Select Certificate Enrollment.
Step 3 Specify an Automatic SCEP Host to direct the client to retrieve the certificate.

Enter the FQDN or IP address, and the alias of the connection profile (tunnel group) that is configured for SCEP certificate retrieval. For example, if asa.cisco.com is the host name of the ASA and scep_eng is the alias of the connection profile, enter asa.cisco.com/scep-eng. When the user initiates the connection, the address chosen or specified must match this value exactly for Legacy SCEP enrollment to succeed. For example, if this field is set to an FQDN, but the user specifies an IP address, SCEP enrollment will fail.
Step 4 Configure the Certificate Authority attributes:
Note Your CA server administrator can provide the CA URL and thumbprint. Retrieve the thumbprint directly from the server, not from a “fingerprint” or “thumbprint” attribute field in an issued certificate.
• Specify a CA URL to identify the SCEP CA server. Enter an FQDN or IP address. For example:
• (Optional) Check Prompt For Challenge PW to prompt users for their username and one-time password.
• (Optional) Enter a thumbprint for the CA certificate. Use SHA1 or MD5 hashes. For example: 8475B6D4BB223A464E6AAB8CA123AB.
Step 5 Configure which Certificate Contents to request in the enrollment certificate. For definitions of the certificate fields, see.
Note If you use %machineid%, load HostScan/Posture on the client.
Step 6 (Optional) Check Display Get Certificate Button to permit users to manually request provisioning or renewal of authentication certificates. The button is visible to users if the certificate authentication fails.
Step 7 (Optional) Enable SCEP for a specific host in the server list. Doing this overrides the SCEP settings in the Certificate Enrollment pane described above.
• Choose Server List from the navigation pane.
• Add or Edit a server list entry.
• Specify the Automatic SCEP Host and Certificate Authority attributes as described in Steps 5 and 6 above.

Configure the ASA to Support Legacy SCEP Enrollment

For Legacy SCEP on the ASA, you must create a connection profile and group policy for certificate enrollment and a second connection profile and group policy for the certificate authorized VPN connection.

Procedure
Step 1 Create a group policy for enrollment, for example, cert_enroll_group. Set the following fields: On the Advanced > AnyConnect Client pane, uncheck Inherit for Client Profiles to Download and specify the client profile configured for Legacy SCEP. For example, specify the ac_vpn_legacy_scep client profile.

Step 2 Create a second group policy for authorization, for example, cert_auth_group.
Step 3 Create a connection profile for enrollment, for example, cert_enroll_tunnel. Set the following fields:
• On the Basic pane, set the Authentication Method to AAA.
• On the Basic pane, set the Default Group Policy to cert_enroll_group.
• On Advanced > GroupAlias/Group URL, create a Group URL containing the enrollment group (cert_enroll_group) for this connection profile.
• Do not enable the connection profile on the ASA. It is not necessary to expose the group to users in order for them to have access to it.
Step 4 Create a connection profile for authorization, for example, cert_auth_tunnel. Set the following fields:
• On the Basic pane, set the Authentication Method to Certificate.
• On the Basic pane, set the Default Group Policy to cert_auth_group.
• Do not enable this connection profile on the ASA. It is not necessary to expose the group to users in order for them to access it.
Step 5 (Optional) On the General pane of each group policy, set Connection Profile (Tunnel Group) Lock to the corresponding SCEP connection profile, which restricts traffic to the SCEP-configured connection profile.

Set Up a Windows 2008 Server Certificate Authority for SCEP

If your Certificate Authority software is running on a Windows 2008 server, you may need to make one of the following configuration changes to the server to support SCEP with AnyConnect.

Disable the SCEP Password on the Certificate Authority

The following steps describe how to disable the SCEP challenge password, so that clients will not need to provide an out-of-band password before SCEP enrollment.

Procedure
Step 1 On the Certificate Authority server, launch the Registry Editor. You can do this by selecting Start > Run, typing regedit, and clicking OK.
Step 2 Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword. If the EnforcePassword key does not exist, create it as a new Key.
Step 3 Edit EnforcePassword, and set it to '0'. If it does not exist, create it as a REG_DWORD.
Step 4 Exit regedit, and reboot the certificate authority server.

Setting the SCEP Template on the Certificate Authority

The following steps describe how to create a certificate template, and assign it as the default SCEP template.

Procedure
Step 1 Launch the Server Manager. You can do this by selecting Start > Admin Tools > Server Manager.

Step 2 Expand Roles > Certificate Services (or AD Certificate Services).
Step 3 Navigate to CA Name > Certificate Templates.
Step 4 Right-click Certificate Templates > Manage.
Step 5 From the Cert Templates Console, right-click the User template and choose Duplicate.
Step 6 Choose Windows Server 2008 version for the new template, and click OK.
Step 7 Change the template display name to something descriptive, such as NDES-IPSec-SSL.
Step 8 Adjust the Validity Period for your site. Most sites choose three or more years to avoid expired certificates.
Step 9 On the Cryptography tab, set the minimum key size for your deployment.
Step 10 On the Subject Name tab, select Supply in Request.
Step 11 On the Extensions tab, set the Application Policies to include at least:
• Client Authentication
• IP security end system
• IP security IKE intermediate
• IP security tunnel termination
• IP security user
These values are valid for SSL or IPsec.
Step 12 Click Apply, then OK to save the new template.
Step 13 From Server Manager > Certificate Services-CA Name, right-click Certificate Templates. Select New > Certificate Template to Issue, select the new template you created (in this example, NDES-IPSec-SSL), and click OK.
Step 14 Edit the registry. You can do this by selecting Start > Run, typing regedit, and clicking OK.
Step 15 Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.
Step 16 Set the value of the following three keys to NDES-IPSec-SSL:
• EncryptionTemplate
• GeneralPurposeTemplate
• SignatureTemplate
Step 17 Click Save, and reboot the certificate authority server.

Configure a Certificate Expiration Notice

Configure AnyConnect to warn users that their authentication certificate is about to expire. The Certificate Expiration Threshold setting specifies the number of days before the certificate’s expiration date that AnyConnect warns users that their certificate is expiring. AnyConnect warns the user upon each connect until the certificate has actually expired or a new certificate has been acquired.

Note The Certificate Expiration Threshold feature cannot be used with RADIUS.

Procedure
Step 1 Open the VPN Profile Editor and choose Certificate Enrollment from the navigation pane.
Step 2 Select Certificate Enrollment.
Step 3 Specify a Certificate Expiration Threshold. This is the number of days before the certificate expiration date that AnyConnect warns users that their certificate is going to expire. The default is 0 (no warning displayed). The range is 0 to 180 days.
Step 4 Click OK.

Configure Certificate Selection

The following steps show all the places in the AnyConnect profiles where you configure how certificates are searched for and how they are selected on the client system. None of the steps are required, and if you do not specify any criteria, AnyConnect uses default key matching. AnyConnect reads the browser certificate stores on Windows. For macOS and Unix, you must create a Privacy Enhanced Mail (PEM) formatted file store.

Procedure
Step 1 Windows and macOS: Specify which certificate stores are used by AnyConnect in the VPN client profile.
Step 2 Windows only: Configure AnyConnect to present a list of valid certificates to users and let them choose the certificate to authenticate the session.
Step 3 For macOS and Linux environments:
Step 4 For macOS and Linux environments: Select which certificate stores to exclude in the VPN Local Policy profile.
Step 5 Configure the keys that AnyConnect tries to match when searching for a certificate in the store. You can specify keys, extended keys, and add custom extended keys. You can also specify a pattern for the value of an operator in a distinguished name for AnyConnect to match.

Configure Which Certificate Stores to Use

Windows provides separate certificate stores for the local machine and for the current user. Specify which certificate stores are used by AnyConnect in the VPN client profile. By default, it searches both, but you can configure AnyConnect to use only one. Users with administrative privileges on the computer have access to both certificate stores. Users without administrative privileges have access only to the user certificate store. Usually, Windows users do not have administrative privileges.

Selecting Certificate Store Override allows AnyConnect to access the machine store, even when the user does not have administrative privileges.

Note Access control for the machine store can vary depending on the Windows version and security settings. Because of this, the user may be unable to use certificates in the machine store even though they have administrative privileges.

In this case, select Certificate Store Override to allow machine store access.

The following table describes how AnyConnect searches for certificates on a client based on which Certificate Store is searched and whether Certificate Store Override is checked.

Certificate Store: All (for Windows); Certificate Store Override: cleared
AnyConnect searches all certificate stores. AnyConnect is not allowed to access the machine store when the user does not have administrative privileges. This setting is the default and is appropriate for most cases. Do not change this setting unless you have a specific reason or scenario requirement to do so.

Certificate Store: All (for Windows); Certificate Store Override: checked
AnyConnect searches all certificate stores. AnyConnect is allowed to access the machine store when the user does not have administrative privileges.

Certificate Store: Machine (not a multi-cert option); Certificate Store Override: checked
AnyConnect searches the machine certificate store. AnyConnect is allowed to search the machine store when the user does not have administrative privileges.

Certificate Store: Machine (not a multi-cert option); Certificate Store Override: cleared
AnyConnect searches the machine certificate store. AnyConnect is not allowed to search the machine store when the user does not have administrative privileges.
Note This configuration can be used when only a limited group of users is allowed to authenticate using a certificate.

Certificate Store: User (for Windows); Certificate Store Override: does not apply
AnyConnect searches in the user certificate store only. The certificate store override is not applicable because users without administrative rights can have access to this certificate store.

With Basic Certificate Authentication

Procedure
Step 1 Set Certificate Store.
• All—(Default) Directs the AnyConnect client to use all certificate stores for locating certificates.
• Machine—Directs the AnyConnect client to restrict certificate lookup to the Windows local machine certificate store.
• User—Directs the AnyConnect client to restrict certificate lookup to the local user certificate stores.
Step 2 Choose Certificate Store Override if you want to allow AnyConnect to search the machine certificate store when users do not have administrative privileges.

Prompt Windows Users to Select Authentication Certificate

You can configure AnyConnect to present a list of valid certificates to users and let them choose the certificate to authenticate the session. An expired certificate is not necessarily considered invalid.

For example, if you are using SCEP, the server might issue a new certificate to the client. Eliminating expired certificates might keep a client from connecting at all, thus requiring manual intervention and out-of-band certificate distribution. AnyConnect only restricts the client certificate based on security-related properties, such as key usage, key type and strength, and so on, according to the configured certificate matching rules. This configuration is available only for Windows. By default, user certificate selection is disabled.

Procedure
Step 1 Open the VPN Profile Editor and choose Preferences (Part 2) from the navigation pane.
Step 2 To enable certificate selection, uncheck Disable Certificate Selection.
Step 3 Uncheck User Controllable, unless you want users to be able to turn automatic certificate selection on and off in the Advanced > VPN > Preferences pane.

Create a PEM Certificate Store for macOS and Linux

AnyConnect supports certificate retrieval from a Privacy Enhanced Mail (PEM) formatted file store. AnyConnect reads PEM-formatted certificate files from the file system on the remote computer, verifies, and signs them.

Before You Begin
In order for the client to acquire the appropriate certificates under all circumstances, ensure that your files meet the following requirements:
• All certificate files must end with the extension .pem.
• All private key files must end with the extension .key.
• A client certificate and its corresponding private key must have the same filename. For example: client.pem and client.key.

Tip Instead of keeping copies of the PEM files, you can use soft links to PEM files.

To create the PEM file certificate store, create the paths and folders listed below. Place the appropriate certificates in these folders:

PEM File Certificate Store Folder        Type of Certificates Stored
~/.cisco/certificates/ca                 Trusted CA and root certificates
~/.cisco/certificates/client             Client certificates
~/.cisco/certificates/client/private     Private keys

Note ~ is the home directory.

Machine certificates are the same as PEM file certificates, except for the root directory. For machine certificates, substitute /opt/.cisco for ~/.cisco. Otherwise, the paths, folders, and types of certificates listed apply.

Configure Certificate Matching

AnyConnect can limit its search of certificates to those that match a specific set of keys. Certificate matching criteria are global settings in an AnyConnect VPN client profile, in the Certificate Matching pane. The criteria are:
• Key Usage
• Extended Key Usage
• Distinguished Name

Configure Key Usage

Selecting the Key Usage keys limits the certificates that AnyConnect can use to those certificates that have at least one of the selected keys. The supported set is listed in the Key Usage list on the VPN client profile, and it includes:
• DECIPHER_ONLY
• ENCIPHER_ONLY
• CRL_SIGN
• KEY_CERT_SIGN
• KEY_AGREEMENT
• DATA_ENCIPHERMENT
• KEY_ENCIPHERMENT
• NON_REPUDIATION
• DIGITAL_SIGNATURE
If one or more criteria are specified, a certificate must match at least one to be considered a matching certificate.

Configure Extended Key Usage

Selecting the Extended Key Usage keys limits the certificates that AnyConnect can use to the certificates that have these keys. The following table lists the well-known set of constraints with their corresponding object identifiers (OIDs).

Constraint          OID
ServerAuth          1.3.6.1.5.5.7.3.1
ClientAuth          1.3.6.1.5.5.7.3.2
CodeSign            1.3.6.1.5.5.7.3.3
EmailProtect        1.3.6.1.5.5.7.3.4
IPSecEndSystem      1.3.6.1.5.5.7.3.5
IPSecTunnel         1.3.6.1.5.5.7.3.6
IPSecUser           1.3.6.1.5.5.7.3.7
TimeStamp           1.3.6.1.5.5.7.3.8
OCSPSign            1.3.6.1.5.5.7.3.9
DVCS                1.3.6.1.5.5.7.3.10
IKE Intermediate    1.3.6.1.5.5.8.2.2

Configure Custom Extended Match Key

All other OIDs (such as 1.3.6.1.5.5.7.3.11, used in some examples in this document) are considered "custom." As an administrator, you can add your own OIDs if the OID that you want is not in the well-known set.

Configure Certificate Distinguished Name

The Distinguished Name table contains certificate identifiers that limit the certificates that the client can use to the certificates that match the specified criteria and criteria match conditions. Click the Add button to add criteria to the list and to set a value or wildcard to match the contents of the added criteria.
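The PEM file store rules given under "Create a PEM Certificate Store for macOS and Linux" above (.pem and .key extensions, a shared filename stem for each client certificate and its key, the ca/, client/ and client/private folders, soft links allowed) are easy to get wrong when a store is assembled by hand. The following is an added example, not Cisco's code and not part of this guide: a Python audit that builds a constructed store in a temporary directory and lists every rule it violates. The function names, placeholder file contents and finding messages are this example's own.

```python
import os
import tempfile

# Folder layout documented for the AnyConnect PEM file store; the machine store
# uses the same layout under /opt/.cisco instead of ~/.cisco.
STORE_LAYOUT = {
    "ca": ("certificates", "ca"),                      # trusted CA and root certificates (.pem)
    "client": ("certificates", "client"),              # client certificates (.pem)
    "private": ("certificates", "client", "private"),  # private keys (.key)
}

def store_root(machine=False):
    """Root of the user store (~/.cisco) or the machine store (/opt/.cisco)."""
    return "/opt/.cisco" if machine else os.path.expanduser("~/.cisco")

def _files_in(path):
    """Regular files in a folder; symlinks are followed, so soft links to PEM files count."""
    return sorted(e for e in os.listdir(path) if os.path.isfile(os.path.join(path, e)))

def check_pem_store(root):
    """Audit a PEM file store against the documented rules.

    Returns a list of findings; an empty list means the store is well formed.
    """
    findings = []
    dirs = {name: os.path.join(root, *parts) for name, parts in STORE_LAYOUT.items()}
    for path in dirs.values():
        if not os.path.isdir(path):
            findings.append(f"missing folder: {path}")
    if findings:
        return findings
    # Certificate files in ca/ and client/ must end with .pem.
    for folder in ("ca", "client"):
        for entry in _files_in(dirs[folder]):
            if not entry.endswith(".pem"):
                findings.append(f"{folder}: '{entry}' does not end with .pem")
    # Private key files must end with .key.
    for entry in _files_in(dirs["private"]):
        if not entry.endswith(".key"):
            findings.append(f"private: '{entry}' does not end with .key")
    # A client certificate and its private key must share the same filename stem.
    certs = {e[:-4] for e in _files_in(dirs["client"]) if e.endswith(".pem")}
    keys = {e[:-4] for e in _files_in(dirs["private"]) if e.endswith(".key")}
    for stem in sorted(certs - keys):
        findings.append(f"client certificate '{stem}.pem' has no matching '{stem}.key'")
    for stem in sorted(keys - certs):
        findings.append(f"private key '{stem}.key' has no matching '{stem}.pem'")
    return findings

def build_sample_store(root, stems, extra_files=()):
    """Create a constructed store for demonstration; contents are placeholders, not real keys."""
    for parts in STORE_LAYOUT.values():
        os.makedirs(os.path.join(root, *parts), exist_ok=True)
    for stem in stems:
        with open(os.path.join(root, "certificates", "client", stem + ".pem"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        with open(os.path.join(root, "certificates", "client", "private", stem + ".key"), "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    for relpath in extra_files:
        with open(os.path.join(root, relpath), "w") as f:
            f.write("PLACEHOLDER\n")

def demo():
    """Audit one well-formed and one broken constructed store; returns both finding lists."""
    good = tempfile.mkdtemp()
    build_sample_store(good, ["client"], ["certificates/ca/rootca.pem"])
    bad = tempfile.mkdtemp()
    build_sample_store(bad, ["client"], [
        "certificates/ca/rootca.crt",          # wrong extension for a CA certificate
        "certificates/client/orphan.pem",      # client certificate with no private key
        "certificates/client/private/id_rsa",  # key file with the wrong extension
    ])
    return {"good": check_pem_store(good), "bad": check_pem_store(bad)}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run `check_pem_store(store_root())` against a real user store, or `check_pem_store(store_root(machine=True))` for the machine store, before testing a connection; an orphaned client.pem without a client.key is exactly the case that makes AnyConnect fall back to a different certificate or to no certificate at all.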
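To see how the Key Usage, Extended Key Usage and Distinguished Name criteria from the "Configure Certificate Matching" sections above narrow the set of candidate certificates, here is an added Python example (not AnyConnect's code and not from this guide). It decodes a certificate's KeyUsage bit string and ExtKeyUsage OID list from their DER encodings and applies the three criteria to constructed sample certificates; the subjects are made up, the extension bytes are valid DER. The guide states only that Key Usage requires at least one selected key to match. Treating Extended Key Usage as "every selected OID must be present" and Distinguished Name values as shell-style wildcard patterns are this example's assumptions, not documented AnyConnect behaviour.

```python
from fnmatch import fnmatchcase

# RFC 5280 KeyUsage bit positions (bit 0 first), named as in the AnyConnect Key Usage list.
KEY_USAGE_BITS = [
    "DIGITAL_SIGNATURE", "NON_REPUDIATION", "KEY_ENCIPHERMENT", "DATA_ENCIPHERMENT",
    "KEY_AGREEMENT", "KEY_CERT_SIGN", "CRL_SIGN", "ENCIPHER_ONLY", "DECIPHER_ONLY",
]

# Well-known Extended Key Usage OIDs, as tabulated in the guide.
EKU_OIDS = {
    "ServerAuth": "1.3.6.1.5.5.7.3.1", "ClientAuth": "1.3.6.1.5.5.7.3.2", "CodeSign": "1.3.6.1.5.5.7.3.3",
    "EmailProtect": "1.3.6.1.5.5.7.3.4", "IPSecEndSystem": "1.3.6.1.5.5.7.3.5", "IPSecTunnel": "1.3.6.1.5.5.7.3.6",
    "IPSecUser": "1.3.6.1.5.5.7.3.7", "TimeStamp": "1.3.6.1.5.5.7.3.8", "OCSPSign": "1.3.6.1.5.5.7.3.9",
    "DVCS": "1.3.6.1.5.5.7.3.10", "IKEIntermediate": "1.3.6.1.5.5.8.2.2",
}

def _read_tlv(data, offset=0):
    """Decode one DER tag-length-value triple: returns (tag, value bytes, offset after it)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    return tag, data[offset:offset + length], offset + length

def decode_key_usage(der):
    """Decode a DER KeyUsage BIT STRING into the set of usage names that are set."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]  # first content byte counts unused trailing bits
    usable = len(bits) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < usable and bits[i // 8] & (0x80 >> (i % 8))}

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form, e.g. 1.3.6.1.5.5.7.3.2."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs; the high bit is set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def decode_extended_key_usage(der):
    """Decode a DER ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, body, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, offset = set(), 0
    while offset < len(body):
        itag, ibody, offset = _read_tlv(body, offset)
        if itag != 0x06:
            raise ValueError("expected an OBJECT IDENTIFIER")
        oids.add(decode_oid(ibody))
    return oids

def certificate_matches(cert, key_usage=(), extended_key_usage=(), distinguished_name=None):
    """Apply the three matching criteria to one candidate certificate.

    Key Usage: at least one selected usage must be set (as the guide states).
    Extended Key Usage: every selected OID must be present (this example's assumption).
    Distinguished Name: each attribute must match its pattern; '*' and '?' are wildcards.
    """
    if key_usage and not decode_key_usage(cert["key_usage"]) & set(key_usage):
        return False
    present = decode_extended_key_usage(cert["eku"]) if cert.get("eku") else set()
    if extended_key_usage and not set(extended_key_usage) <= present:
        return False
    for attr, pattern in (distinguished_name or {}).items():
        if not fnmatchcase(cert["subject"].get(attr, ""), pattern):
            return False
    return True

def select_certificates(certs, **criteria):
    """Sorted names of the certificates in `certs` that satisfy all the given criteria."""
    return sorted(name for name, cert in certs.items() if certificate_matches(cert, **criteria))

# Constructed samples: the extension bytes are valid DER, the subjects are made up.
SAMPLE_CERTS = {
    "vpn-user": {
        "key_usage": bytes.fromhex("030205a0"),  # digitalSignature, keyEncipherment
        "eku": bytes.fromhex("301406082b0601050507030206082b06010505070301"),  # clientAuth, serverAuth
        "subject": {"CN": "alice@corp.example", "OU": "VPN Users"},
    },
    "code-signer": {
        "key_usage": bytes.fromhex("03020780"),  # digitalSignature only
        "eku": bytes.fromhex("300a06082b06010505070303"),  # codeSigning
        "subject": {"CN": "build-bot", "OU": "Release Engineering"},
    },
    "issuing-ca": {
        "key_usage": bytes.fromhex("03020106"),  # keyCertSign, cRLSign; no EKU extension
        "subject": {"CN": "Corp Issuing CA", "OU": "PKI"},
    },
}
```

A custom extended match key such as 1.3.6.1.5.5.7.3.11 is passed to `select_certificates` as a plain dotted string, which mirrors the "Configure Custom Extended Match Key" step: nothing in the matcher distinguishes well-known from custom OIDs. With no criteria at all, every certificate in the store is a candidate, which is the situation the guide describes as "default key matching"; selecting `DIGITAL_SIGNATURE` plus the ClientAuth OID is enough to exclude both the code-signing and the CA certificate in the sample set.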