CISCO Any Connect Secure Mobility Client User Guide
- June 13, 2024
- Cisco
Table of Contents
- Any Connect Secure Mobility Client
- Supported Operating Systems
- License Options
- Features Matrix
- AnyConnect Core VPN Client
- Authentication and Encryption Features
- Interfaces
- AnyConnect Network Access Manager
- Umbrella Roaming Security Module
- References
- Read User Manual Online (PDF format)
- Download This Manual (PDF format)
Any Connect Secure Mobility Client
User Guide
Any Connect Secure Mobility Client
Any
Connect Secure Mobility Client
Features, Licenses, and OSs, Release 4.4
This document identifies the AnyConnect release 4.4 features, license requirements, and endpoint operating systems that AnyConnect features support.
Supported Operating Systems
Cisco AnyConnect Secure Mobility Client 4.4 supports the following operating systems.
| Operating System | Version |
|---|---|
| Windows | Windows 10 & 10 RS1, RS2 x86(32-bit) and x64(64-bit) Windows 8.1 |
x86(32-bit) and x64(64-bit)
Windows 8 x86(32-bit) and x64(64-bit)
Windows 7 SP1 x86(32-bit) and x64(64-bit)
Mac| Mac OS X 10.10, 10.11, and 10.12*
Linux| Red Hat 6 and 7 (64-bit)
Ubuntu 12.04 (LTS), 14.04 (LTS), and 16.04 (LTS) (all 64-bit)
*AnyConnect releases 4.3.3086 and 4.2.6014 are the minimum required releases for Mac OS X 10.12 support.
Note: Although versions other that those listed above may work, Cisco has
not performed full testing on any version other than those listed.
Note: Cisco no longer supports AnyConnect releases for Windows XP.
See the Release Notes for Cisco AnyConnect Secure Mobility Client for OS
requirements and support notes. See the Supplemental End User Agreement
(SEULA) for licensing terms and conditions. See the Cisco AnyConnect Ordering
Guide for a breakdown of orderability and the specific terms and conditions of
the various licenses.
See the Feature Matrix below for license information and operating system
limitations that apply to AnyConnect modules and features.
AnyConnect 4.3 (and later) has moved to the Visual Studio (VS) 2015 build
environment and requires VS redistributable files for its Network Access
Manager module functionality. These files are installed as part of the install
package. You can use the .msi files to upgrade the Network Access Manager
module to 4.3 (or later), but the AnyConnect Security Mobility Client must be
upgraded first and running release 4.3 (or later).
Also, with the addition of the AnyConnect Umbrella Roaming Security Module,
Microsoft .NET 4.0 is required.
License Options
Use of the AnyConnect Secure Mobility Client 4.4 requires that you purchase
either an AnyConnect Plus or AnyConnect Apex license. The license(s) required
depends on the AnyConnect VPN Client and Secure Mobility features that you
plan to use, and the number of sessions that you want to support. These user-
based licenses include access to support and software updates to align with
general BYOD trends.
AnyConnect 4.4 licenses are used with Cisco ASA 5500 Series Adaptive Security
Appliances (ASA), Integrated Services Routers (ISR), Cloud Services Routers
(CSR), and Aggregated Services Routers (ASR), as well as other non-VPN
headend such as Identity Services Engine (ISE), Cloud Web Security (CWS), and
Web Security Appliance (WSA). A consistent model is used regardless of the
headend, so there is no impact when headend migrations occur.
One or more of the following AnyConnect licenses may be required for your
deployment:
| License | Description |
|---|---|
| AnyConnect Plus | Supports basic AnyConnect features such as VPN functionality |
for PC and mobile platforms (AnyConnect and standards-based IPsec IKEv2
software clients), FIPS, basic endpoint context collection, 802.1x Windows
supplicant, and web security SSL VPN. Plus licenses are most applicable to
environments previously served by the AnyConnect Essentials license and users
of Network Access Manager or Web Security modules.
AnyConnect Apex| Supports all basic AnyConnect Plus features in addition to
advanced features such as clientless VPN, VPN posture agent, unified posture
agent, Next Generation Encryption/Suite B, SAML, all plus services and flex
licenses. Apex licenses are most applicable to environments previously served
by the AnyConnect Premium, Shared, Flex, and Advanced Endpoint Assessment
licenses.
VPN Only (Perpetual)| Supports VPN functionality for PC and mobile platforms,
clientless (browser-based) VPN termination on ASA, VPN-only compliance and
posture agent in conjunction with ASA, FIPS compliance, and next-generation
encryption (Suite B) with AnyConnect and third-party IKEv2 VPN clients. VPN
only licenses are most applicable to environments wanting to use AnyConnect
exclusively for remote access VPN services but with high or unpredictable
total user counts. No other AnyConnect function or service (such as Web
Security module, Cisco Umbrella Roaming, ISE Posture, Network Visibility
module, or Network Access Manager) is available with this licensee.
AnyConnect Plus and Apex Licenses
From the Cisco Commerce Workspace website, choose the service tier (Apex or
Plus) and the length of term (1, 3, or 5 year). The number of licenses that
are needed is based on the number of unique or authorized users that will make
use of AnyConnect. AnyConnect 4.4 is not licensed based on simultaneous
connections. You can mix Apex and Plus licenses in the same environment, and
only one license is required for each user. AnyConnect 4.4 licensed customers
are also entitled to earlier AnyConnect releases.
Features Matrix
AnyConnect 4.4 modules and features, with their minimum release requirements, license requirements, and supported operating systems are listed in the following sections:
-
AnyConnect Deployment and Configuration
-
AnyConnect Core VPN Client
— Core Features
— Connect and Disconnect Features
— Authentication and Encryption Features
— Interfaces -
AnyConnect Network Access Manager
-
AnyConnect Secure Mobility Modules
— Hosts can and Posture Assessment
— ISE Posture -
Customer Experience Feedback
— Customer Experience Feedback
— Diagnostic and Report Tool (DART) -
AMP Enabler
-
Network Visibility Module
-
Umbrella Roaming Security Module
AnyConnect Deployment and Configuration
Feature| Minimum ASA/ASDM Release| License Required|
Windows| Mac| Linux
---|---|---|---|---|---
Deferred Upgrades| ASA 9.0
ASDM 7.0| Plus| yes| yes| yes
Windows Services Lockdown| ASA 8.0(4)
ASDM 6.4(1)| Plus| yes| no| no
Update Policy, Software and Profile Lock| ASA 8.0(4)
ASDM 6.4(1)| Plus| yes| yes| yes
Auto Update| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Web Launch (32 bit browsers only)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Pre-deployment| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Auto Update Client Profiles| ASA 8.0(4)
ASDM 6.4(1)| Plus| yes| yes| yes
AnyConnect Profile Editor| ASA 8.4(1)
ASDM 6.4(1)| Plus| yes| yes| yes
User Controllable Features| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
AnyConnect Core VPN Client
Core Features
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
SSL (TLS & DTLS), including Per App VPN| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
TLS Compression| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
DTLS fallback to TLS| ASA 8.4.2.8
ASDM 6.3(1)| Plus| yes| yes| yes
IPsec/IKEv2| ASA 8.4(1)
ASDM 6.4(1)| Plus| yes| yes| yes
Split tunneling| ASA 8.0(x)
ASDM 6.3(1)| Plus| yes| yes| yes
Split DNS| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
Ignore Browser Proxy| ASA 8.3(1)
ASDM 6.3(1)| Plus| yes| yes| no
Proxy Auto Config (PAC) file generation| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| no| no
Internet Explorer tab lockdown| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| no| no
Optimal Gateway Selection| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
Global Site Selector (GSS) compatibility| ASA 8.0(4)
ASDM 6.4(1)| Plus| yes| yes| yes
Local LAN Access| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Tethered device access via client firewall rules, for synchronization| ASA
8.3(1)
ASDM 6.3(1)| Plus| yes| yes| yes
Local printer access via client firewall rules| ASA 8.3(1)
ASDM 6.3(1)| Plus| yes| yes| yes
IPv6| ASA 9.0
ASDM 7.0| Plus| yes| yes| no
Further IPv6 implementation| ASA 9.7.1
ASDM 7.7.1| Plus| yes| yes| yes
Connect and Disconnect Features
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Simultaneous Clientless & AnyConnect connections| ASA8.0(4)
ASDM 6.3(1)| Apex| yes| yes| yes
Start Before Logon (SBL)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| no| no
Run script on connect & disconnect| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Minimize on connect| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Auto connect on start| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Auto reconnect (disconnect on system suspend, reconnect on system resume)| ASA
8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
Remote User VPN Establishment (permitted or denied)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| no| no
Logon Enforcement (terminate VPN session if another user logs in)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| no| no
Retain VPN session (when user logs off, and then when this or another user
logs in)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| no| no
Trusted Network Detection (TND)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Always on (VPN must be connected to access network)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
Always on exemption via DAP| ASA 8.3(1)
ASDM 6.3(1)| Plus| yes| yes| no
Connect Failure Policy (Internet access allowed or disallowed if VPN
connection fails)| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
Captive Portal Detection| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
Captive Portal Remediation| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| no
Authentication and Encryption Features
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Certificate only authentication| ASA 8.0(4)
ASDM 6.3(1)| Plus| yes| yes| yes
RSA SecurID /Soft ID integration| Plus| yes| no| no
Smartcard support| Plus| yes| yes| no
SCEP (requires Posture Module if Machine ID is used)| Plus| yes| yes| no
List & select certificates| Plus| yes| no| no
FIPS| Plus| yes| yes| yes
SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF)| ASA 8.0(4)
ASDM 6.4(1)| Plus| yes| yes| yes
Strong Encryption (AES-256 & 3des-168)| Plus| yes| yes| yes
NSA Suite-B (IPsec only)| ASA 9.0
ASDM 7.0| Apex| yes| yes| yes
Enable CRL check| n/a| Apex| yes| no| no
SAML 2.0 SSO| ASA 9.7.1
ASDM 7.7.1| Apex or VPN only| yes| yes| yes
Multiple-certificate authentication| ASA 9.7.1
ASDM 7.7.1| Plus, Apex, or VPN only| yes| yes| yes
Interfaces
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
GUI| ASA 8.0(4)
ASDM 6.3(1)
| Plus| yes| yes| yes
Command Line| yes| yes| yes
API| yes| yes| yes
Microsoft Component Object Module (COM)| yes| no| no
Localization of User Messages| yes| yes| no
Custom MSI transforms| yes| no| no
User defined resource files| yes| yes| no
Client Help| ASA 9.0
ASDM 7.0| yes| yes| yes
AnyConnect Network Access Manager
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Core| ASA 8.4(1)
ASDM 6.4(1)| Plus| yes| no| no
Wired support IEEE 802.3| yes
Wireless support IEEE 802.11| yes
Pre-logon & Single Sign on Authentication| yes
IEEE 802.1X| yes
IEEE 802.1AE Makes| yes
EAP methods| yes
FIPS 140-2 Level 1| yes
Mobile Broadband support| ASA 8.4(1)
ASDM 7.0| yes
IPv6| ASA 9.0
ASDM 7.0| yes
NGE and NSA Suite-B| yes
AnyConnect Secure Mobility Modules
Hosts can and Posture Assessment
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Endpoint Assessment| ASA 8.0(4)
ASDM 6.3(1)| Apex| yes| yes| yes
Endpoint Remediation| Apex| yes| yes| yes
Quarantine| Apex| yes| yes| yes
Quarantine status & terminate message| ASA 8.3(1)
ASDM 6.3(1)| Apex| yes| yes| yes
Hosts can Package Update| ASA 8.4(1)
ASDM 6.4(1)| Apex| yes| yes| yes
Host Emulation Detection| Apex| yes| no| no
OPSWAT v4| ASA 9.7(1)
ASDM 7.7(1)| Apex| yes| yes| yes
ISE Posture
Feature| Minimum AnyConnect Release| Minimum ASA/ASDM
Release| Minimum ISE Release| License Require d| Window
s| Mac| Linux
---|---|---|---|---|---|---|---
Change of Authorization (CoA)| 4.0| ASA 9.2.1
ASDM 7.2.1| 1.4| Plus| yes| yes| yes
ISE Posture Profile Editor| 4.0| ASA 9.2.1
ASDM 7.2.1| n/a| Apex| yes| yes| yes
AC Identity Extensions (Acido)| 4.0| n/a| 1.4| Plus| yes| yes| yes
ISE Posture Module| 4.0| n/a| 1.4| Apex| yes| yes| no
Detection of USB mass storage devices ( v4 only)| 4.3| n/a| 2.1| Apex| yes|
no| no
OPSWAT v4| 4.3| n/a| 2.1| Apex| yes| yes| no
Stealth Agent for posture| 4.4| n/a| 2.2| Apex| yes| yes| no
Continuous endpoint monitoring| 4.4| n/a| 2.2| Apex| yes| yes| no
Next-generation provisioning and discovery| 4.4| n/a| 2.2| Apex| yes| yes| no
Application kill and uninstall capabilities| 4.4| n/a| 2.2| Apex| yes| yes| no
Web Security
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Core| ASA 8.4(1)
ASDM 6.4(1)| Plus| Yes
Yes
| yes| no
Cloud-Hosted Configuration
Secure Trusted Network Detection| ASA 8.4(1)
ASDM 7.0
Dynamic Configuration Elements
Fail Close / Fail Open Policy
AMP Enabler
Feature| Minimum ASA/ASDM Release| Minimum ISE Release|
License Required| Windows| Mac| Linux
---|---|---|---|---|---|---
AMP enabler| ASDM 7.4.2
ASA 9.4.1| ISE 1.4| Plus| Yes| Yes| No
Network Visibility Module
Feature| Minimum ASA/ASDM Release| Minimum ISE Release|
License Required| Windows| Mac| Linux
---|---|---|---|---|---|---
Network Visibility Module| ASDM 7.5.1
ASA 9.5.1| no ISE dependency| Apex| Yes| Yes| Yes
Adjustment to the rate at which data is sent| ASDM 7.5.1
ASA 9.5.1| no ISE dependency| Apex| Yes| Yes| Yes
Customization of NVM timer| ASDM 7.5.1
ASA 9.5.1| no ISE dependency| Apex| Yes| Yes| Yes
Broadcast and multicast option for data collection| ASDM 7.5.1
ASA 9.5.1| no ISE dependency| Apex| Yes| Yes| Yes
Creation of anonymization profiles| ASDM 7.5.1
ASA 9.5.1| no ISE dependency| Apex| Yes| Yes| Yes
Broader data collection and anonymization with hashing| ASDM 7.7.1
ASA 9.7.1| no ISE dependency| Apex| Yes| Yes| Yes
Support for Java as a container| ASDM 7.7.1
ASA 9.7.1| no ISE dependency| Apex| Yes| Yes| Yes
Configuration of cache to customize| ASDM 7.7.1
ASA 9.7.1| no ISE dependency| Apex| Yes| Yes| Yes
Periodic flow reporting| ASDM 7.7.1
ASA 9.7.1| no ISE dependency| Apex| Yes| Yes| Yes
Umbrella Roaming Security Module
Feature| Minimum ASA/ASDM Release| Minimum ISE Release|
License Required| Windows| Mac| Linux
---|---|---|---|---|---|---
Umbrella Roaming Security Module| ASDM 7.6.2
ASA 9.4.1| ISE 1.3| Either Plus or Apex
Umbrella licensing is mandatory| Yes| Yes| No
For information on Umbrella licensing, see
https://www.opendns.com/enterprise-security/threat-enforcement/packages/.
Reporting and Troubleshooting Modules
Customer Experience Feedback
Feature| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
Customer Experience Feedback| ASA 8.4(1)
ASDM 7.0| Plus| yes| yes| no
Diagnostic and Report Tool (DART)
Log Type| Minimum ASA/ASDM
Release| License Required| Windows| Mac| Linux
---|---|---|---|---|---
VPN| ASA 8.0(4)
ASDM 6.3(1)| Plus
Apex| yes| yes| yes
Network Access Manager| ASA 8.4(1)
ASDM 6.4(1)| yes| no| no
Posture Assessment| yes| yes| yes
Web Security| yes| yes| no
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco
and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL:
www.cisco.com/go/trademarks. Third-party
trademarks mentioned are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and
any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document
are not intended to be actual addresses and phone numbers. Any examples,
command display output, network topology diagrams, and other figures included
in the document are shown for illustrative purposes only. Any use of actual IP
addresses or phone numbers in illustrative content is unintentional and
coincidental
© 2017 Cisco Systems, Inc. All rights reserved.
References
- Cisco Secure Client (including AnyConnect) - Release Notes - Cisco
- Cisco Trademarks - Cisco
- Cisco Umbrella Packages - Cisco Umbrella
Read User Manual Online (PDF format)
Read User Manual Online (PDF format) >>