Group Policy AnyConnect Options

These specifications apply to the operation of the AnyConnect VPN client.

Navigation

Objects > Object Management > VPN > Group Policy. Click Add Group Policy or choose a current policy to edit. Then select the AnyConnect tab.

Profile Fields

Profile—Choose or create a file object containing an AnyConnect Client Profile. See FTD File Objects for object creation details.

An AnyConnect Client Profile is a group of configuration parameters stored in an XML file. The AnyConnect software client uses it to configure the connection entries that appear in the client's user interface. These parameters (XML tags) also configure settings to enable more AnyConnect features.

Use the GUI-based AnyConnect Profile Editor, an independent configuration tool, to create an AnyConnect Client Profile. See the AnyConnect Profile Editor chapter in the appropriate release of the Cisco AnyConnect Secure Mobility Client Administrator Guide for details.
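The profile object uploaded here is an XML file, so it can be inspected before it is attached to a group policy. The following is an added example (not Cisco's code or the Profile Editor's output) that parses a constructed sample profile and flags settings an administrator would want to review; the tag names (AnyConnectProfile, ClientInitialization, ServerList, HostEntry, HostName, HostAddress, UseStartBeforeLogon, StrictCertificateTrust) and the namespace are assumed to match the AnyConnect profile schema and should be checked against a file produced by the Profile Editor.

```python
import xml.etree.ElementTree as ET

# Constructed sample AnyConnect Client Profile; not a real deployment file.
# Element names and namespace are assumed to follow the AnyConnect profile schema.
SAMPLE_PROFILE = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <StrictCertificateTrust>true</StrictCertificateTrust>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Lab VPN</HostName>
      <HostAddress>lab-vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def parse_profile(xml_text):
    """Return the connection entries and ClientInitialization flags of a profile."""
    root = ET.fromstring(xml_text)
    entries = []
    for host in root.findall("ac:ServerList/ac:HostEntry", NS):
        name = host.findtext("ac:HostName", default="", namespaces=NS)
        addr = host.findtext("ac:HostAddress", default="", namespaces=NS)
        entries.append((name, addr))
    flags = {}
    init = root.find("ac:ClientInitialization", NS)
    if init is not None:
        for child in init:
            tag = child.tag.split("}")[-1]  # strip the namespace prefix
            flags[tag] = {
                "value": (child.text or "").strip().lower() == "true",
                "user_controllable": child.get("UserControllable", "false").lower() == "true",
            }
    return {"entries": entries, "flags": flags}


def audit_profile(profile):
    """List review findings; an empty list means nothing stood out."""
    findings = []
    if not profile["entries"]:
        findings.append("no HostEntry: the client will show no connection entries")
    for name, addr in profile["entries"]:
        if not addr:
            findings.append(f"HostEntry '{name}' has no HostAddress")
    sct = profile["flags"].get("StrictCertificateTrust")
    if sct is None or not sct["value"]:
        findings.append("StrictCertificateTrust is not true: users may accept an untrusted gateway certificate")
    sbl = profile["flags"].get("UseStartBeforeLogon")
    if sbl and sbl["value"] and sbl["user_controllable"]:
        findings.append("UseStartBeforeLogon is user-controllable: users can switch it off")
    return findings


if __name__ == "__main__":
    parsed = parse_profile(SAMPLE_PROFILE)
    for name, addr in parsed["entries"]:
        print(f"connection entry: {name} -> {addr}")
    for finding in audit_profile(parsed) or ["no findings"]:
        print(finding)
```

Run it against the XML exported from the Profile Editor before creating the file object; the audit checks are deliberately conservative and only report what the parsed elements show.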

Management Profile Fields

A Management VPN Tunnel provides connectivity to the corporate network whenever the endpoint is powered up, even if the end user does not connect over VPN.

Management VPN Profile—The Management Profile file contains the settings for enabling and establishing a Management VPN Tunnel on the endpoint.

The Standalone Management VPN Tunnel profile editor can be used to create a new profile file or modify an existing one. You can download the profile editor from the Cisco Software Download Center.

For more information about adding a profile file, see FTD File Objects.

Client Modules Fields

The Cisco AnyConnect VPN client offers enhanced security through various built-in modules. These modules provide services such as web security, network visibility into endpoint flows, and off-network roaming protection. Each client module has its own client profile, which holds the custom configuration for that module.

The following AnyConnect modules are optional and you can configure these modules to be downloaded when a VPN user downloads AnyConnect:

  • AMP Enabler—Deploys advanced malware protection (AMP) for endpoints.

  • DART—Captures a snapshot of system logs and other diagnostic information, which can be sent to the Cisco TAC for troubleshooting.

  • ISE Posture—Uses the OPSWAT library to perform posture checks to assess an endpoint's compliance.

  • Network Access Manager—Provides 802.1X (Layer 2) and device authentication for access to both wired and wireless networks.

  • Network Visibility—Enhances the enterprise administrator's ability to do capacity and service planning, auditing, compliance, and security analytics.

  • Start Before Login—Forces the user to connect to the enterprise infrastructure over a VPN connection before logging on to Windows by starting AnyConnect before the Windows login dialog box appears.

  • Umbrella Roaming Security—Provides DNS-layer security when no VPN is active.

  • Web Security—Analyzes the elements of a web page, allows acceptable content, and blocks malicious or unacceptable content based on a defined security policy.

Click Add and select the following for each client module:

  • Client Module—Select an AnyConnect module from the list.

  • Profile to download—Choose or create a file object containing an AnyConnect Client Profile. See FTD File Objects for object creation details.

  • Enable module download—Select to enable endpoints to download the client module along with the profile. If not selected, the endpoints can download only the client profile.

Use the GUI-based AnyConnect Profile Editor, an independent configuration tool, to create a client profile for each module. Download the AnyConnect Profile Editor from the Cisco Software Download Center. See the AnyConnect Profile Editor chapter in the appropriate release of the Cisco AnyConnect Secure Mobility Client Administrator Guide for details.

SSL Settings Fields

  • SSL Compression—Whether to enable data compression and, if so, the compression method to use: Deflate or LZS. SSL Compression is Disabled by default.

    Data compression speeds up transmission rates, but it also increases the memory requirement and CPU usage for each user session, which decreases the overall throughput of the security appliance.

  • DTLS Compression—Whether to compress Datagram Transport Layer Security (DTLS) connections for this group using LZS or not. DTLS Compression is Disabled by default.

  • MTU Size—The maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client. Default is 1406 Bytes, valid range is 576 to 1462 Bytes.

    • Ignore DF Bit—Whether to ignore the Don't Fragment (DF) bit in packets that need fragmentation. Allows the forced fragmentation of packets that have the DF bit set, allowing them to pass through the tunnel.

Connection Settings Fields

  • Enable Keepalive Messages between AnyConnect Client and VPN gateway, and its Interval setting—Whether to exchange keepalive messages between peers to demonstrate that they are available to send and receive data in the tunnel. Default is enabled. Keepalive messages are transmitted at set intervals. If enabled, enter the time interval (in seconds) that the remote client waits between sending IKE keepalive packets. The default interval is 20 seconds; the valid range is 15 to 600 seconds.

  • Enable Dead Peer Detection on ...., and their Interval settings—Dead Peer Detection (DPD) ensures that the VPN secure gateway or the VPN client quickly detects when the peer is no longer responding and the connection has failed. Default is enabled for both the gateway and the client. DPD messages are transmitted at set intervals. If enabled, enter the time interval (in seconds) that the remote client waits between sending DPD messages. The default interval is 30 seconds; the valid range is 5 to 3600 seconds.

  • Enable Client Bypass Protocol—Allows you to configure how the secure gateway manages IPv4 traffic (when it is expecting only IPv6 traffic), or how it manages IPv6 traffic (when it is expecting only IPv4 traffic).

    When the AnyConnect client makes a VPN connection to the headend, the headend assigns it an IPv4, IPv6, or both an IPv4 and IPv6 address. If the headend assigns the AnyConnect connection only an IPv4 address or only an IPv6 address, you can configure the Client Bypass Protocol to drop network traffic for which the headend did not assign an IP address (default, disabled, not checked), or allow that traffic to bypass the headend and be sent from the client unencrypted or “in the clear” (enabled, checked).

    For example, assume that the secure gateway assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual-stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear.
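The drop-or-bypass decision above depends only on which address families the headend assigned and which family the destination belongs to. The following is an added example (not Cisco's code) that models that decision for a dual-stacked endpoint, including the single-family assignment the paragraph describes; the function and its return labels are this example's own.

```python
import ipaddress


def bypass_decision(assigned_families, destination, client_bypass_enabled):
    """Model how traffic from a dual-stacked endpoint is handled.

    assigned_families: set of IP versions the headend assigned, e.g. {4} or {4, 6}.
    destination: IP literal the endpoint is trying to reach.
    client_bypass_enabled: the Enable Client Bypass Protocol check box.
    Returns "tunnel" (sent through the VPN), "drop" (default, bypass disabled)
    or "clear" (bypasses the headend unencrypted, bypass enabled).
    """
    dest_family = ipaddress.ip_address(destination).version
    if dest_family in assigned_families:
        return "tunnel"
    return "clear" if client_bypass_enabled else "drop"


def decision_table():
    """Constructed scenarios: (assigned families, destination, bypass enabled)."""
    cases = [
        ({4}, "192.0.2.10", False),      # IPv4 assigned, IPv4 destination
        ({4}, "2001:db8::1", False),     # IPv4 only, IPv6 destination, bypass off
        ({4}, "2001:db8::1", True),      # IPv4 only, IPv6 destination, bypass on
        ({6}, "192.0.2.10", True),       # IPv6 only, IPv4 destination, bypass on
        ({4, 6}, "2001:db8::1", False),  # dual assignment: bypass setting irrelevant
    ]
    return [(sorted(f), d, b, bypass_decision(f, d, b)) for f, d, b in cases]


if __name__ == "__main__":
    for families, dest, bypass, result in decision_table():
        print(f"assigned v{families} dest {dest:<12} bypass={bypass!s:<5} -> {result}")
```

The "clear" outcome is the one to weigh when enabling the option: traffic for the unassigned family leaves the endpoint outside the tunnel, so any policy enforced only on the headend does not apply to it.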

  • SSL rekey—Enables the client to rekey the connection, renegotiating the crypto keys and initialization vectors, increasing the security of the connection. This is disabled by default. When enabled, the renegotiation can be done at a specified interval and rekey the existing tunnel or create a new tunnel by setting the following fields:

    • Method—Available when SSL rekey is enabled. Create a New Tunnel (default), or renegotiate the Existing Tunnel's specifications.

    • Interval—Available when SSL rekey is enabled. Set to a default of 4 minutes with a range of 4-10080 minutes (1 week).

  • Client Firewall Rules—Use the Client Firewall Rules to configure firewall settings for the VPN client's platform. Rules are based on criteria such as source address, destination address, and protocol. Extended Access Control List building block objects are used to define the traffic filter criteria. Choose or create an Extended ACL for this group policy. Define a Private Network Rule to control data flowing to the private network, a Public Network Rule to control data flowing "in the clear", outside of the established VPN tunnel, or both.

    Note

    Ensure that the ACL contains only TCP, UDP, ICMP, or IP entries, and that the source network is any, any-ipv4, or any-ipv6.

    Only VPN clients running Microsoft Windows can use these firewall settings.
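Because the note constrains which Extended ACL entries are usable as client firewall rules, it helps to check an ACL before selecting it here. The following is an added example (not Cisco's code or the FMC API) that validates a constructed, simplified list of ACL entries against the protocol and source constraints stated in the note; the entry fields (action, protocol, source, destination, ports) are this example's own representation, not FMC object attributes.

```python
# Constraints from the note: only TCP/UDP/ICMP/IP entries, source must be any-style.
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
ALLOWED_SOURCES = {"any", "any-ipv4", "any-ipv6"}

# Constructed sample entries; the field names are this example's own.
SAMPLE_ACL_OK = [
    {"action": "permit", "protocol": "tcp", "source": "any", "destination": "10.10.0.0/16", "ports": "443"},
    {"action": "permit", "protocol": "udp", "source": "any-ipv4", "destination": "10.10.5.53/32", "ports": "53"},
    {"action": "permit", "protocol": "icmp", "source": "any-ipv6", "destination": "2001:db8:10::/48", "ports": ""},
    {"action": "deny", "protocol": "ip", "source": "any", "destination": "any", "ports": ""},
]

SAMPLE_ACL_BAD = [
    # GRE is not one of the protocols the client firewall rules accept
    {"action": "permit", "protocol": "gre", "source": "any", "destination": "10.10.0.1/32", "ports": ""},
    # a specific source network is not allowed; it must be any, any-ipv4 or any-ipv6
    {"action": "permit", "protocol": "tcp", "source": "10.0.0.0/8", "destination": "any", "ports": "22"},
    # ICMP has no transport ports, so a port value indicates a mistaken entry
    {"action": "permit", "protocol": "icmp", "source": "any", "destination": "any", "ports": "443"},
]


def validate_client_firewall_acl(entries):
    """Return a list of problems; an empty list means the ACL fits the note's constraints."""
    problems = []
    for index, entry in enumerate(entries, start=1):
        proto = entry.get("protocol", "").lower()
        if proto not in ALLOWED_PROTOCOLS:
            problems.append(f"entry {index}: protocol '{proto}' is not TCP, UDP, ICMP, or IP")
        source = entry.get("source", "").lower()
        if source not in ALLOWED_SOURCES:
            problems.append(f"entry {index}: source '{source}' must be any, any-ipv4, or any-ipv6")
        if proto in ("icmp", "ip") and entry.get("ports"):
            problems.append(f"entry {index}: '{proto}' entries carry no ports, but '{entry['ports']}' was given")
    return problems


if __name__ == "__main__":
    for label, acl in (("ok", SAMPLE_ACL_OK), ("bad", SAMPLE_ACL_BAD)):
        result = validate_client_firewall_acl(acl)
        print(f"{label}: {'valid' if not result else 'invalid'}")
        for problem in result:
            print("  " + problem)
```

Feed it a representation of the Extended ACL you intend to pick as the Private or Public Network Rule; each reported problem is an entry the client firewall would not apply as written.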

Custom Attributes Fields

This section lists the AnyConnect Custom attributes that are used by the AnyConnect client to configure features such as Per App VPN, Allow or defer upgrade, and Dynamic split tunneling. Click Add to add custom attributes to the group policy.

  1. Select an AnyConnect Attribute: Per App VPN, Allow Defer Update, or Dynamic Split Tunneling.

  2. Select a Custom Attribute Object from the list.

    Note

    Click Add (+) to create a new custom attribute object for the selected AnyConnect attribute. You can also create a custom attribute object at Objects > Object Management > VPN > Custom Attribute. See Add AnyConnect Custom Attributes Objects.

  3. Click Add to save the attributes to the group policy and then click Save to save the changes to the group policy.