Cisco recently released a new GUI tool that makes creating custom profiles for their Cisco AnyConnect SSLVPN client a point-and-click exercise. Before the tool, ASA SSLVPN admins had to create new XML profile files or modify existing ones by hand. This required the admin to download and learn the schema used in the files so they could apply their customizations to them. Here's a look at how to use the tool.
The Cisco AnyConnect Profile Editor is a fully TAC-supported tool. You can download it free at cisco.com. The editor is a Java program that only runs on Windows platforms. The main purpose of a profile is to set the VPN headend names that always appear in a user's AnyConnect client for them to click on and connect to. A profile can be assigned to a group policy or per user if necessary. This allows you to customize which profile a user is given based on what group they are a member of.
The above screenshot shows how to put multiple default servers in the custom profile with their corresponding backup servers.
The Preferences tab has all sorts of client options, the most popular being auto-connect at start and Auto Reconnect. Auto Reconnect allows the AnyConnect client to try to reconnect the SSLVPN if it drops or when your PC is coming out of hibernation mode. For some, the start before logon feature (which brings up the SSLVPN before you log on to Windows) is needed to map drives and run login scripts.
The Certificate Match tab allows for setting the criteria that the AnyConnect client will use to select a local user certificate from the cert store. The idea is that if a user has multiple certificates on their PC, then instead of asking the user every time which one to use, the profile settings will auto-select certificates based on match criteria.
The Mobile Policy tab allows you to set the device lock settings that must be in place on a Windows Mobile device before the SSLVPN is allowed to connect to the ASA. It does not make the changes but rather enforces them.
Once you're done creating your policy, go to File and Save it as .xml
Next, import the file into your ASA.
Then assign it to a group policy. The policy will be auto-downloaded by the AnyConnect clients in the group. You can also choose to package your profile file with the Anyconnect.msi if you're using a software deployment solution like Altiris.
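A pre-import check on the saved .xml, as an added example that is not part of the original article or of Cisco's tooling: it lists each server with its backups and flags entries worth a second look before the profile is pushed to a group. The element and attribute names follow the AnyConnect profile schema as assumed here, and the hostnames and the `summarize_profile` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile. Hostnames are placeholders; element names are
# assumed to match the AnyConnect profile schema the editor writes.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>HQ VPN</HostName>
      <HostAddress>vpn1.example.com</HostAddress>
      <BackupServerList><HostAddress>vpn2.example.com</HostAddress></BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>Branch VPN</HostName>
      <HostAddress>branch.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def summarize_profile(xml_text):
    """Return (servers, prefs, findings) for one profile document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    prefs = {}
    init = root.find("ClientInitialization")
    for el in (init if init is not None else []):
        prefs[el.tag] = {
            "value": (el.text or "").strip(),
            # Assumption: a missing attribute is treated as not user-controllable.
            "user_controllable": el.get("UserControllable", "false") == "true",
        }
    servers = []
    for entry in root.iter("HostEntry"):
        backups = [b.text.strip() for b in entry.findall("BackupServerList/HostAddress") if b.text]
        servers.append({"name": (entry.findtext("HostName") or "").strip(),
                        "address": (entry.findtext("HostAddress") or "").strip(),
                        "backups": backups})
    findings = [f"{s['name']}: no backup server" for s in servers if not s["backups"]]
    findings += [f"{k}: user can override" for k, v in prefs.items() if v["user_controllable"]]
    return servers, prefs, findings


if __name__ == "__main__":
    for line in summarize_profile(SAMPLE_PROFILE)[2]:
        print(line)
```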
Have fun customizing your AnyConnect clients! Download the AnyConnect Profile Editor here
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer. Go to Jamey’s Blog for more articles on security.