Using the Cisco AnyConnect Secure Mobility Client

With the introduction of the Cisco AnyConnect Secure Mobility Client in the last few years and the slow deprecation of the older Cisco VPN Client, many companies are trying to decide when to move from the older client to the newer one. This article provides a quick review of the differences between the two clients, some information about the licensing differences between them, and recommendations on when to make the switch.

Cisco AnyConnect vs Cisco VPN Client

To start off, you may want to check out a previous article in which I discuss the differences between the Cisco VPN Client and the Cisco AnyConnect Client. At a high level, there are two major differences between the two clients. First, the AnyConnect client supports both SSL and IPsec VPN options (including support for IKEv2 and NSA Suite B IPsec), while the VPN Client only supports IPsec. Second, the AnyConnect client has been developed as a solution that extends beyond a simple VPN client through the use of modules.

Cisco AnyConnect Module Options

The Cisco AnyConnect Secure Mobility Client is not limited to its role as a VPN client – it also offers a number of other capabilities that can be integrated as modules, including the following.

  • AnyConnect VPN – This is the most obvious module, providing the ability to use the client as a VPN endpoint.
  • AnyConnect VPN Start Before Login – This module allows the user to establish a VPN connection into the enterprise before logging into Windows.
  • AnyConnect Diagnostic and Reporting Tool (DART) – This module is used to perform both diagnostics and reporting about the AnyConnect installation and connection. DART works by assembling the logs, status, and diagnostic information for analysis by Cisco.
  • AnyConnect Network Access Manager – This module provides a secure Layer 2 network connection by enforcing a centralized security policy. Features include pre-login authentication using Windows credentials, Single Sign-On (SSO) using Windows credentials, IEEE 802.1X support, and IEEE MACsec wired encryption.
  • AnyConnect Posture (HostScan Application) – This module identifies the Operating System (OS), the antivirus, the antispyware, and the firewall currently installed on a host. This information is then evaluated against a policy to determine whether the host will be allowed to connect to the network.
  • AnyConnect Telemetry – This module works in conjunction with the Cisco Ironport Web Security Appliance (WSA) by sending information about the origin of malicious content to the WSA. The WSA will then react based on the collected information.
  • AnyConnect Web Security – This module works in conjunction with the Cisco Cloud Web Security proxy. HTTP traffic is sent through this proxy and evaluated based on a number of elements including HTTP content and Flash and Java elements. Each of these is independently analyzed and malicious (or unacceptable) content is dropped.

AnyConnect Licensing

One of the common complaints that has been circulating about the AnyConnect Secure Mobility Client is that it requires a number of different licensing types depending on which pieces are intended to be used.

  • The AnyConnect Essentials license includes support for secure remote access (this includes full tunneling access). This license is purchased per ASA device model in increments of simultaneous users supported.
  • The AnyConnect Premium license includes support for secure remote access and clientless SSL VPN, as well as support for all of the capabilities of the AnyConnect desktop platform mentioned above. This license is purchased per simultaneous users and is available as a single device license or a shared license.
  • The AnyConnect Mobile license includes support for Mobile platforms and is licensed per ASA device model. This license is required as an add-on to either the Essentials or the Premium license.

The AnyConnect client is obviously a much bigger entity than the older Cisco VPN Client, and it includes support for a number of capabilities that address common concerns in today’s networks. However, if the intent is only to provide VPN access and the use of IPsec is not an issue, then the price of the Cisco VPN Client is certainly tempting. If the organization is really looking to implement some of the other technologies on offer, it is certainly worth looking at how the licensing structure and cost compare against the net gain in overall client security and control.

The decision to implement or not is, at this point, subjective and specific to each environment; recommending one client over the other involves too many factors for as long as Cisco continues to support the older client (even minimally).