Apple posted the Cisco AnyConnect client to the App Store late last week. Now users of the Cisco ASA VPN platform can take advantage of the new features being offered in the iPhone version of the Cisco AnyConnect client. If you are already using the Cisco IPsec client that is built into iOS then I have some good news for you: the transition to the AnyConnect client is incredibly easy. I'll touch on how you do that in a minute, but first here are the features you'll get in the AnyConnect iPhone client:
- TLS and DTLS tunneling support. AnyConnect will try the much faster UDP-based DTLS tunnel first; if it can't be used at your location (for example, UDP is blocked) it will automatically fall back to the normal TLS connection method. The performance increase that comes with DTLS ensures that your voice and video apps work seamlessly.
- Seamless and persistent connectivity even when roaming, changing IP addresses, or moving from 3G to WiFi. The AnyConnect client will always maintain your SSLVPN connection no matter what. This makes the end-user experience flawless.
- Digital certificates are fully supported. You can deploy them via the iOS certificate deployment mechanism or via the Simple Certificate Enrollment Protocol (SCEP). See my previous blog for info on setting up certificate auth and SCEP on the Cisco ASA. If you have a choice, the standards-based SCEP is the best way to go, as it offers a completely transparent end-user certificate process.
- The on-demand connectivity option means that AnyConnect will automatically establish a tunnel when any application needs it. This is driven by a list of domains that require the AnyConnect tunnel.
- IPv4 and IPv6 support.
- AnyConnect security policies can be either user configurable or downloaded from the Cisco ASA VPN headend.
- Last but not least you can of course configure either full tunneling or split tunneling for your tunnel.
In order to migrate your users from IPsec to AnyConnect, all you need to do is make sure that you allow the SSL VPN client access method in your existing tunnel group policy. That's all there is to it. The same policies that you already have in place for IPsec will then be used for AnyConnect users. If you need iPhone-specific policies you can do that too; just set up a new tunnel group policy for those users.

Here are the very important prerequisites you'll need in place before you can use the AnyConnect iPhone app:
- ASA headend running 126.96.36.199 or later code
- ASA license for AnyConnect Mobile (L-ASA-AC-M-5540=), replacing 5540 with your model number
- ASA license for AnyConnect Essentials or Premium (this license is based on the number of concurrent AnyConnect users connected)
- iPhone 3G, 3GS, 4, or iPod touch 2G or later
- Support for iPad expected with the iOS 4.2 release

To install the app just go to the Apple App Store and install AnyConnect like any other iPhone app. The app itself is free to download, but you'll need the above licenses in order to connect it to an ASA headend.
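The migration step described above, as an added ASA configuration example that is not from the original post. It assumes an existing group policy named IPSEC-USERS that already serves the built-in iOS IPsec client, an interface named "outside", a split-tunnel ACL named SPLIT-TUNNEL-ACL, and ASA 8.2-train CLI syntax (the "svc" keyword, which 8.4 and later rename to "anyconnect"/"ssl-client"); the image path is a placeholder, so verify each line against your release.

```cisco
! Before: the policy only permits IPsec, so the App Store client is refused.
!   group-policy IPSEC-USERS attributes
!    vpn-tunnel-protocol IPSec
!
! 1. Enable the SSL VPN client service on the interface users connect to.
!    The iPhone client comes from the App Store, but "svc enable" still
!    needs at least one AnyConnect image staged on flash (placeholder path).
webvpn
 enable outside
 svc image disk0:/anyconnect-PLACEHOLDER.pkg 1
 svc enable
 dtls port 443
!
! 2. Add the SSL VPN client protocol to the EXISTING policy. Everything the
!    IPsec users already get (DNS, split tunnel, timeouts) now applies to
!    AnyConnect users too; keep IPSec listed until the last client moves.
group-policy IPSEC-USERS attributes
 vpn-tunnel-protocol IPSec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
 webvpn
  svc dtls enable
!
! 3. Verify: a connected iPhone appears here with both an SSL-Tunnel and,
!    if UDP 443 reached the ASA, a DTLS-Tunnel line.
!   show vpn-sessiondb detail svc
```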
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary:
- Credit Card Skimming: How thieves can steal your card info without you knowing it
- Google Nexus One vs. Top 10 Phone Security Requirements
- Why you should always shred your boarding pass
- Video rental records are afforded more privacy protections than your online data
- The truth about new SSL attacks
- 2009 Top Urban Legends in IT Security

Go to Jamey's Blog for more articles on security.