16 January, 2014

Cisco Anyconnect SBL (start before login) issues

To enable the SBL option on the Windows 7 logon screen, you first need to enable the feature on the ASA. Every connecting client is then provisioned with an .xml configuration that enables SBL. The provisioned configuration is created under
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\prelogin.xml and the magic line is
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
To enable the feature on the ASA you need to create a profile, which is located under Remote Access VPN - Network (Client) Access - Anyconnect Client Profile. After the profile is created, edit the profile and enable Use Start Before Logon.

The current issue is that SBL does not let you connect to the ASA gateway IP. An error is given:
Anyconnect cannot confirm it is connected to your secure gateway.
The local network may not be trustworthy. Please try another network.
I tried adding the ASA certificate to my computer certificate store under both the Trusted Root Certification Authorities and Intermediate Certification Authorities - no luck.

However, when connecting to a domain name, no error is issued. When connecting to the IP address of that domain name, the error is shown.

-update------

The error was shown because the certificate's hostname did not match the domain name resolved by the DNS server.

For SBL to work you need:

  • The ASA certificate must be added to the Local Computer certificate store (Trusted Root Certification Authorities).
  • The certificate's subject CN must match the DNS-resolved name. Editing the hosts file is also OK.
  • The ASA should have SBL enabled in the Anyconnect Client Profile (though you could manually edit the .xml on the client's computer).
  • The ASA must be reachable via a domain name. An IP address does not work.
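As an added example (not from the post or from Cisco), here is the hostname check a TLS client applies to the gateway certificate, which is what the second and fourth points above come down to. It is written in Python against the dict shape `ssl.SSLSocket.getpeercert()` returns; the ASA certificate fields are constructed for the example.

```python
import ipaddress


def _label_match(pattern: str, host: str) -> bool:
    """Exact match, or a single '*' as the whole leftmost label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_target(cert: dict, target: str) -> bool:
    """True if target (DNS name or IP literal) is covered by the certificate.

    `cert` uses the dict shape returned by ssl.SSLSocket.getpeercert().
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an explicit iPAddress SAN; the CN is never
        # consulted for it, which is why connecting to the ASA by IP fails.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        # dNSName SANs, when present, are authoritative and the CN is ignored.
        return any(_label_match(n, target) for n in dns_names)
    # No dNSName SANs: fall back to the subject commonName (legacy behaviour).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(n, target) for n in cns)


# Constructed sample: an ASA identity certificate carrying only a CN, as in the post.
ASA_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (),
}

if __name__ == "__main__":
    # By name the check passes; by IP (or a wrong name) the client raises the
    # "cannot confirm it is connected to your secure gateway" error.
    for target in ("vpn.example.com", "VPN.EXAMPLE.COM.", "203.0.113.10"):
        print(target, "->", "match" if cert_matches_target(ASA_CERT, target) else "MISMATCH")
```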

Users downloading the Anyconnect software via the web must also have SBL installed. That can be configured from ASDM: Network (Client) Access, Group Policies, <select policy>, Advanced, Anyconnect Client, Optional Client Modules to Download, tick Anyconnect SBL (vpngina).
You could also modify the manifest file VPNManifest.xml inside the anyconnect-win-3.1.05152-k9.pkg file.
You can change the included modules by changing the value is_core="no" to is_core="yes".
Read further: Using the Manifest File

2 comments:

  1. This post is perfect and so is the comment made on 09 October, 2014 01:28

  2. Evgeniy Samoylov, 13 April, 2020 06:03

    I encountered the same problem now and drew similar conclusions. But it didn't get the desired effect. I use the 4.6.03049 version of the Cisco AnyConnect Client. Unfortunately I always get an error: "Anyconnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network." I tried editing the hosts file and adding static DNS records on the home router. I tried creating self-signed certificates with the sha-1 and sha-2 hashing algorithms with no results. I'm confused.
