Just last week Cisco Systems announced the availability of the new version of the well-received AnyConnect VPN Client, now referred to as the Cisco AnyConnect Secure Mobility Client. I wanted to take a few paragraphs here to discuss the new features and direction for this product in light of past offerings.
The first new feature that caught my attention is called Post Log-in Always-on VPN. The release notes describe it as automatic VPN establishment immediately after user logon, kept in place until the user logs off. It is reminiscent of the IPSec client's Automatic Client Initiation feature, with one important difference: because the tunnel is brought up without any user interaction, there is no opportunity to click through a certificate warning, so the head-end must present a valid server certificate issued by a Certification Authority the client already trusts. Two important caveats are:
- connection through a proxy is not supported and
- this feature can be overridden (i.e. disabled) through the use of Dynamic Access Policies.
The above feature is further enhanced by a connect failure policy of fail-open or fail-close. Under fail-open, full network access remains possible if the SSL VPN session cannot be established; under fail-close, only local resources such as servers and printers on the local network can be reached until the tunnel comes up. The choice is a real trade-off: fail-close is the setting that actually enforces "always on", but it strands users whenever the head-end is unreachable, while fail-open lets a user on an untrusted network work without any of the VPN's protections.
Another welcome new feature for users of the client (particularly those who are guests in WiFi hotspots or hotels) is Captive Portal Hotspot Detection. When activated, the client recognizes that the hotspot is intercepting traffic and displays a warning that network access is restricted, rather than silently failing to connect. Cisco paired this with a configurable option, Captive Portal Remediation, that allows or disallows the user to take corrective action, that is, to satisfy the portal's login page so the VPN session can then be established.
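The post does not describe how the client decides a hotspot is in the way, so here is an added example of the usual probe technique (this is illustrative code, not Cisco's implementation): the client requests a URL whose answer it knows in advance, and any deviation (a redirect to another host, an HTML page, or an HTTP 511) means something is intercepting traffic. The probe URL, expected status and sample responses are constructed for the example.

```python
"""Captive-portal detection by probing a known URL.

Added example, not code from the original post or from Cisco. A client fetches
a URL whose response it knows in advance; a captive portal intercepts that
request and answers with a redirect to its own login page, an HTML page of its
own, or HTTP 511 (RFC 6585). Any of those means the hotspot is gating access.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urlsplit

# Hypothetical probe endpoint: an ordinary web server answering 204 No Content.
PROBE_URL = "http://probe.example.com/generate_204"
EXPECTED_STATUS = 204
EXPECTED_BODY = b""


@dataclass
class ProbeResponse:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        # Header names are case-insensitive; normalize before lookup.
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


def classify(resp: ProbeResponse, probe_url: str = PROBE_URL) -> str:
    """Return 'open', 'captive' or 'unexpected' for one probe response."""
    if resp.status == EXPECTED_STATUS and resp.body == EXPECTED_BODY:
        return "open"
    if resp.status == 511:  # Network Authentication Required
        return "captive"
    if 300 <= resp.status < 400:
        # A redirect to a host other than the probe host is the classic portal sign.
        target_host = urlsplit(resp.header("Location")).netloc.lower()
        if target_host and target_host != urlsplit(probe_url).netloc.lower():
            return "captive"
        return "unexpected"
    if resp.status == 200 and b"<html" in resp.body.lower():
        # We expected an empty 204; an HTML page means someone else answered.
        return "captive"
    return "unexpected"


def probe(fetch: Callable[[str], ProbeResponse]) -> str:
    """Run one probe with an injected fetch function (lets the check run offline).

    Returns the classification, or 'no_network' when the fetch itself fails.
    """
    try:
        return classify(fetch(PROBE_URL))
    except OSError:
        return "no_network"


# Constructed sample behaviours of three networks (not captured traffic).
def fake_open_network(url: str) -> ProbeResponse:
    return ProbeResponse(204)


def fake_hotel_hotspot(url: str) -> ProbeResponse:
    return ProbeResponse(302, {"location": "https://login.hotspot.example/?r=" + url})


def fake_no_network(url: str) -> ProbeResponse:
    raise OSError("network unreachable")


if __name__ == "__main__":
    for name, fetch in [("open", fake_open_network), ("hotel", fake_hotel_hotspot),
                        ("cable unplugged", fake_no_network)]:
        print(f"{name}: {probe(fetch)}")
```

In a fail-close deployment the "captive" verdict is exactly the state in which Captive Portal Remediation matters: with remediation disallowed the user is stuck behind the portal, so the policy decision belongs with the same people who set the connect failure policy.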
Users of the IPSec client are acquainted with its Local LAN option, as well as its embedded Cisco Integrated Client firewall. A client firewall has been added in the new version of AnyConnect; its rules are pushed down from the head-end on connection, much as they were through IPSec mode configuration. Cisco warns, however, that a VPN user with administrative rights will be able to disable the firewall rules, so they should be treated as a convenience for well-behaved hosts rather than a control against a local administrator.
A final feature worth mentioning is called Optimal Gateway Selection. Rather than always connecting a user to the main gateway, the client measures round trip time to the configured gateways and automatically selects the one that performs best, so a user near a distributed branch location is not hairpinned through a distant head-end. Round trip time is the primary metric, and the threshold at which a switch of servers is made is administratively configurable.
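To make the selection rule concrete, here is an added example of RTT-based gateway selection with a switching threshold (my own illustration, not Cisco's code). It generalizes the post slightly: several probes per gateway are reduced to a median, unreachable gateways are skipped, and the client only leaves its current gateway when the improvement exceeds the threshold, so ordinary jitter does not cause flapping. The gateway names, RTT samples and the threshold semantics (minimum improvement in milliseconds) are assumptions for the example.

```python
"""RTT-based gateway selection with a switching threshold.

Added example, not code from the original post or from Cisco. Models the
behaviour described above: prefer the gateway with the lowest round trip time,
but stay on the gateway currently in use unless the best alternative is faster
by at least `threshold_ms`. Gateway names and samples below are constructed.
"""
from statistics import median
from typing import Dict, Optional, Sequence


def summarize_rtt(samples: Sequence[Optional[float]]) -> Optional[float]:
    """Median of the probes that answered; None if every probe timed out."""
    answered = [s for s in samples if s is not None]
    return median(answered) if answered else None


def select_gateway(current: Optional[str],
                   rtt_ms: Dict[str, Optional[float]],
                   threshold_ms: float) -> str:
    """Pick a gateway from per-gateway RTT summaries.

    `current` is the gateway in use (None on first connection). A None RTT
    marks a gateway that did not answer and is never selected.
    """
    reachable = {g: r for g, r in rtt_ms.items() if r is not None}
    if not reachable:
        raise RuntimeError("no gateway reachable")
    best = min(reachable, key=reachable.__getitem__)
    # Hysteresis: keep the current gateway unless the gain clears the threshold.
    if current in reachable and reachable[current] - reachable[best] < threshold_ms:
        return current
    return best


def choose(current: Optional[str],
           samples: Dict[str, Sequence[Optional[float]]],
           threshold_ms: float) -> str:
    """Convenience wrapper: raw probe samples in, selected gateway out."""
    return select_gateway(current, {g: summarize_rtt(s) for g, s in samples.items()},
                          threshold_ms)


# Constructed probe results (milliseconds; None = timeout), not real measurements.
SAMPLES = {
    "vpn-main.example.com": [95.0, 100.0, 105.0],
    "vpn-branch-a.example.com": [20.0, 25.0, 22.0],
    "vpn-branch-b.example.com": [None, None, None],
}

if __name__ == "__main__":
    print(choose(None, SAMPLES, 20.0))                     # first connection
    print(choose("vpn-main.example.com", SAMPLES, 20.0))   # worth switching
    close_race = {"vpn-main.example.com": [15.0], "vpn-branch-a.example.com": [22.0]}
    print(choose("vpn-branch-a.example.com", close_race, 20.0))  # 7 ms gain: stay
```

The threshold is doing security-relevant work as well as performance work: a gateway that is only marginally faster is not worth the cost of tearing down and rebuilding a session, and a large threshold keeps an attacker who can inject a little latency on one path from steering clients between head-ends at will.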
Author: Doug McKillip