Cisco Anyconnect - Overview of Client Profile or XML Profile

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

hello and welcome back first of all i would like to thank you for supporting me in doing the scripture i want you to know that i always try to bring accurate and clear information to you the sole purpose of me creating these videos is to help you understand those concepts that you always wanted to learn at the end of this video if you find it helpful please do like comment and share if you are new to this channel also hit the subscribe button in right bottom corner with that being said let's see what we have got today [Music] any connect client profile xml profile you can say need to understand what is the need for this client profile why do we need it so to understand that let me first show you so this is the setup that i'm using an as3 and two inside computers and then this is internet and remote user this windows pc is a remote user so let's power it up so in this pc i've already got a profile let me get rid of that so you'll also see where are the profiles stored there in c drive program data program data is a hidden folder so you won't see it there you just have to type cisco any connect and then profiles so you see there is a profile profile with named test2 so delete let me open any connect and type in the ip address of my ese which is 192.168. all right it's connected if you see every time a user has to connect he has to type an ip address to connect which is easy if your ip address is pretty simple but usually the ip addresses are public ips and they are not very simple to remember like 64.1 maybe 159 that way these type of ip addresses are difficult to remember and not very user friendly setup so what do we do we aim to make it user friendly so that users get you know a better experience with this so how do you do that for now i'm just going to disconnect it go back to asa on the asa you need astm to configure the xml profile the client profile you need astm access so let's get astm you might be confused that i'm trying to log into 192.168.1.105 while my session is with 1.106. so i'll clarify that as well why am i logging to 105. let's say show ip that's the interface where i have my internet connection connected yeah this asa has got access to internet as well should be able to think 8.8.8 of course i've netted this when it's going out so there's another parallel to firewall sitting and that's netting this ip all right so to locate a profile or create a profile for the first time you go to configuration remote access vpn network client or network access client go to any connect client profile you will see i already have some so let's get rid of them delete uh delete everything delete this guy as well all right apply done let me just enable preview commands before sending to the device right so how do you create a profile just click on add give it a name this name is locally significant by that i mean it's not something that user will see it's just significant to the asa and to the local pc so you can give this name anything the profile name can be anything but it's usually recommended that you give it a sensible name so that you can identify it so i'm going to say it vpn profile all right profile uses any connected vpn profile of course there are many different uses possible for umbrella you can create a profile and for ice posturing nem services we are going to create this for any kind of vpn profile profile location it's by default it's going to take disk 0 if you wish to change you can of course do not just assign a group policy to it just create it at the moment say apply so you see it's going to send these commands web vpn and anyconnect profile it calls a profile by name the name that we just gave it vpn profile and then it points to the location where the profile is stored so profile gets created as it dot xml send all right now it's since it's created so you go and edit it aim of today's session is to give you an overview of what options are available in this client profile and what basic settings we need to get a user up and running so i'll not be going too deep into all the options but of course we'll cover all of them in the future videos so the preference is part one you have you start before logon option to be enabled so you can forcefully enable start before logon option which is also known as spl what this function is that before the user even logs into the laptop anything should be connected that is going to start before logon the user controllable option here a stick mark that means it gives the user the capability to control this option to enable or disable it directly from any connect so if you give user controllable user can manually enable or disable any option that where you have ticked user controllable like here let's say certificate store override there is no user controller option auto connect on start so it's a user controllable option already by default right so if user can already control it that any connect should automatically connect to the last connected profile last connected gateway moment it starts minimizing connect when the anyconnect is connected minimize it automatically this is again a user controller option you can uncheck it and user will no longer have ability to control this option local lan access when the user is connected with any connect should he be able to access his local lan there can be multiple pcs in his local lan or maybe printers or servers so this is again a controllable option a user controllable option if you enable it then user can manually you know control it via any connect if he wants local and access or not of course this is not the only one required thing to enable or disable local line access there is there are few more things that we will discuss when we talk about local lan access disable captive portal detection sometimes when there is really no captive portal anything detects captive portal that you know what is captive portal captive portal is a network or a wi-fi network that you connect to and which will ask you to you know authenticate yourself maybe register for the first time like the network wi-fi network that you use at the airports or coffee shops that kind of network is a captive portal network when you connect to it it won't ask you username and password you you can just connect right away after connecting when you try to browse something it opens a browser and takes you to a login page which will then ask you to register enter your mobile number it sends an otp you enter the otp and you get it you know the timed session maybe 45 minutes and you have internet access for those 45 minutes for free so this kind of networks are captive portal sometimes any connect detects a normal network as a captive portal so then there is an option to disable it that any connect should not detect then captive portal auto reconnect at times your connectivity just drops internet connectivity might flap and there is a feature to automatically reconnect so any connect will automatically reconnect without any user intervention auto reconnect behavior let's say any controllable feature how you want to auto reconnect reconnect after resume or disconnect and suspend or to update say on your asa you have any connect 4.5 on your pc you have any connect 4.3 by default auto update option is enabled so if this user who has any connect 4.3 installed in his laptop or computer he is connecting to this asa who has any connect version 4.5 for the first time then it will compare does the client have same version of any connect that i have if it doesn't then it automatically updates that client's any connected version and of course if the asa was on any connect 4.3 and somehow a pc has got any connect 4.5 and then he is connecting to this asa then it will not automatically downgrade it the the reverse compatible so it is going to connect but this will not be downgraded to 4.3 asc will not force its lower version to the client pc only the higher version will be pushed back to the client at times the requirement is that we just want to update the image on the asa but we don't want this version to be pushed back to the clients not just yet we'll first have to see it how it works and if it everything is fine then we'll finally push it to the client it's going to push it to the client pcs because auto update is enabled by default to achieve this you'll have to uncheck this option that do not automatically update once this option is unchecked if a client pc has 4.3 islc 4.5 when is connecting it will not automatically update the client pc to the higher version and of course while doing that you have to make sure that you do not leave this option as user controllable because you don't want it to be user controllable so keep this option unchecked rsa secure id integration you can integrate your rsas here if you have any rss server windows logon enforcement who can log in windows vpn establishment who can connect to vpn local user only or remote users as well allow remote users as well that means if you have done rdp to a computer and from that pc you are trying to connect to any connect so that won't allow you because in that case you are a remote user not you're not a local user on that pc to achieve that you have to create a profile and allow remote users in preferences part two you have disabled automatic certificate selection that's related to certificate allow local proxy connections if your environment is using any proxy enable optimal gateway selection optimal gateway selection is a feature you are a multinational company and you have vpn gateways and you know at in multiple countries and you want your users to connect to them based on their locations your location so you can enable you know you can enable optimal get your selection option that they get connected to the closest one the nearest gateway possible so this feature helps to achieve that automatic vpn policy automatic vpn policy what it does it connects to the vpn automatically based on some settings that you define here but of course vpn connects automatically then there is server list so in the server list click on add here you give a name it can be any display name so let's say id vpn you'll understand where this name is required or what's the importance of this name fqdn or ip address of your asa so in my case i do not have an fqdn but usually you will see something like this vpn.cisco.com or vpn.abc.com i have an ip address so 192.168.1.105 is the ip of my asa make sure the primary protocol is selected as ssl sometimes when your profile gets corrupted you will see that the profile changes automatically to ipsec so you have to correct that make sure it's not ip unless you're really doing like v2 so any connect can also work with ikv2 which of course uses ipsec give it a name this name is just a display name it will be displayed in your anyconnect you will see where and then this ip address put the ip address here so how however whatever difficult ip address it is put it there you are the administrator so it just one times off for you put it there say okay and then hit ok apply now you have to assign a group policy to this profile so change group policy and to which group policy do you want to apply this profile so it can be applied to all group policies or specific group policy you can create multiple profiles and apply each profile with each group policy that you have so i'm going to apply it with it vpn all you have to do is select the policy and drag it to the right side put the click button say okay the policy appears there now uh what's that existing profile test to use of type users do you want to overwrite looks like we had some other profiles you see we got an error because it could not apply the group policy here so let's try one more time if that doesn't work then we'll have to do it other way so it vpn apply so you see the commands it's going to send it says group policy then go to web vpn attributes and say no any connect profile value test to type user so this is one mistake that astm makes so to get rid of this you have to use cli and copy and paste this command to here for now just let's just give it a shot i'm sure it's going to throw up an error so you see there it says error in this command go to config t group policy go to webvpn and then say no if you do a question mark here there's nothing else in fact uh it actually doesn't even take the name so you just have to give this much command you don't have to even specify the name here so this time it should not throw up an error yeah it didn't so the group policy has been successfully applied so let's just see it here show run group policy and you see the new profile has come up let's test it now so now the profile it's on the asa where is it it's in your flash profile name was test.xml this is the one i know i started creating this video with itv profile and ended up with test profiles so if you see i've done this recording in two parts that's why the name had changed it should not matter anyways so let's go to our test machine open any connect and type in hold on if i still have to type in the ip address what's the use so the use is you have created a profile it's on the asa so there are two ways to deploy to the client pc one you export it from here and then give it to your system administrator he using the group policies of windows he pushes that profile to every computer that your company has or you can you know your id people can have this profile handy and when they build a laptop they can put this profile in there as a default so that's the way it should be deployed but if it hasn't been deployed that way and your itis administrators they're not using windows group policy feature to deploy anything on client pc so this profile can be automatically deployed if a user connects using ip address so upon a successful authentication the computer downloads a profile so 192.168.1.105 connect i actually wanted to get rid of if there were any old profile in here so i go to c drive and the profiles are in a hidden folder program data cisco so scanning connect profile i want to get rid of this test too so delete okay it's asking me to select a group id vpn username cisco and my password is five times star so upon a successful authentication the moment your authentication gets successful and before it completes the connection it downloads the profile in there okay profile must have been downloaded by now let's just confirm that i know i shouldn't have closed that window program data cisco you can execute mobility client profile and there it is test right okay where is any connection it's connected so here it is let's just disconnect it now and see what difference does it make to the user so now the user if he let's say quit this so he it was just a one-time job that user had to do he opened cisco any connect and sees the profile right there it says connect to idvpn user doesn't have to remember the ip address anymore he just needs to click here and select the relevant profile if he has many and if there is only one then all he has to do is make sure it's you know it make sure the profile name is in there it's in the drop down and then hit connect in the background you know that it's a display name that you selected in you know while creating the profile if i go to server list again here this was the display name edit you see host display name so that's the name the name is getting displayed here but in the backend this name triggers a connection to this ip address or it could be an fqdn connect okay so we enter username and password here establishing vpn downloading updates if there are any and it's most likely going to connect activating vpn adapters so so it's connected and you see the display name is now it vpn connected to it vpn which makes more sense than the ip address so i hope that explains the usage of an xml profile and how it makes it you know any connect user friendly for a uh non-technical user who doesn't have to remember ip address anymore and it's a one-time job for the it administrator you know this xml profile has some more options such as if i just go to edit here and let's see i have two asas and you know let's say two data centers or probably three data centers and i have vpn setup in there so let's say 1.105 106 and 107. so let's say a1 a2 a3 so these are three essays this is 105.106.107 right these three data centers i have and i want that if users are not able to connect to this asa then any connect should automatically try and connect to the backup ones these two are my backup asas they somehow provide similar connectivity but these are my backup vpn uh these are my backup vpn is you have to configure that right and that can be done using your profile so in the profile you configure backup server list here so you add 192. 168.1.106 1.107 so if added two backup servers say okay okay apply sensible file applies the profile again okay uh so now i won't be able to show you what exactly happens you know i don't have multiple asas here what i can show you i'm gonna shut this interface down and then you will see that any connector is trying to make attempts to connect to 106 and 107 all right so let's say config t interface gig 0 0 interface gigs excuse me let's shut it down show interface ibpr so the status is admin down let's go back to the pc ready to connect let's try i won't tell you what exactly what's going to happen so let's just give it a shot so just so you know what have we done we modified the xml profile on asa and added two backup servers 106 107. that if 105 does not respond yeah this condition is if 105 does not respond if the primary server does not respond then only it is going to connect to you know try to make an attempt to connect to the backup servers but if the primary one is responding or maybe it's rejecting your authentication or for any reason it's not letting you connect then anything won't try to but you know then any kind of one attempt connection to the backup server it will only attempt connection to backup server when your primary one does not respond at all if it responds then it won't go to backups let's see here so i hit connect contacting it vpn manages let's see what happens really slow because i've got this connection through another parallel to firewall and that really has been with limitation okay anyway it says connection attempt failed please try again well let's check the messages here message history so ready to connect contacting it vpn connection attempt has failed i'm gonna give a shot one more time so it says connection attempt just timed out please verify internet connectivity that means i do not have internet connectivity either which which i do or the asc that i'm trying to reach is unavailable it's not reachable but wait did i not see that it should make an attempt to 106 and 107 because we added them as a backup server so let's see if it really did if it does it should display that here looks like it didn't and why did it not make an attempt to go to 106 and 107 take a guess because we only modified the profile on the asa the new profile hasn't been updated on the client pc and how do you verify that you go to client pc open the profile that's already in there and you can check it the the server list is at the end so you see here server list hostname it vpn host address 192.168.1.105. and there is no mention of 106.107 because the profile hasn't been updated yet when does the profile get updated it updates upon a successful authentication and last time when we make it when we made a change in the profile we were connected so when you are connected and you are making a change to the profile it doesn't update directly on the client pc you have to make a connection attempt successful connection attempt so for the moment i'm just going to say say no shirt make a connection make sure the profile gets updated so it'll just download it 11 am that matches with the time on my machine the new profile has been downloaded or at least has been updated let's see what's in there so i'm trying to open it i don't know what are you what is this okay so host entry it vpn your main server is 105 and then there is a backup server list 106 107. that looks updated close this window i'm gonna minimize this we might need it again open any connect hit disconnect shut down the interface again hit connect contacting it vpn all right failed contacting 105 trying backup 106. so if i really had an ac whose ip address was 106. it also failed 106 trying backup 107. and unfortunately i don't have anyone up but you get the point you get the concept right how does it work connection attempt has timed out please verify internet connectivity go ahead you're checking the message history scroll it down failed contacting 105 trying the backup connection attempt has failed so this is for backup one failed contacting 106 trying backup another backup 107 and that also failed so it says your setup is full of crap the point i was trying to make that you can use this profile in so many different ways to make it to you know to make your user experience much better right so in this case user doesn't even know what's happening in the background and if the primary one goes down it automatically connects him to the backup one just think of the situation when you have to manually tell the user that if you can't connect to 105 you have to manually type in 106 and then connect to it how bad it is going to look but with the help of this xml profile makes it so simple that's all for now i hope this has been informative to you and i would like to thank you for watching it it is your support your likes comments that keep me motivated for bringing up more stuff like this please let me know if this has helped you if you are new to this channel also hit the subscribe button

Info

Channel: ASAme2

Views: 4,815

Rating: undefined out of 5

Keywords: Cisco Anyconnect, understand cisco anyconnect, client profile, how to create a client profile, importance of xml profile, importance of client profile in cisco anyconnect, anyconnect client profile explained, client profile - server list, backup server list

Id: cGc2ojkCjjc

Channel Id: undefined

Length: 32min 56sec (1976 seconds)

Published: Sun Aug 16 2020