Cisco AnyConnect Remote Access

Contents

VPN Client Installation

Client Installation via Setup@Micron

Gateway client install (non pre-deployed or unmanaged assets).

Uninstall Client

VPN Client Use

VPN Client Troubleshooting

Client-side issues

Other References

VPN Client Installation

There are two mechanisms that can be used to install the client:

  1. A Micron installation package. This package is provided for Micron managed devices (ref case INC000001002102). Micron has created an SCCM installation package to be applied to managed assets, and an install has been made available via Setup@Micron.
  2. Direct from the VPN gateway. This method is used as an alternate installation method for Micron managed devices and as the primary installation method for non-Micron managed devices (e.g. home users).

Client Installation via Setup@Micron

Open the Setup@Micron page and search for “AnyConnect”. This is the preferred, supported installation method.

Gateway client install (non pre-deployed or unmanaged assets).

Prerequisites:

·  Ensure your system has current security patches installed. Your system will be assessed for security posture prior to installation and the installation may fail if patches are not current.

·  The Java Runtime Environment (JRE) 1.6 or higher must be installed on your system. You can verify whether your system has a JRE installed and/or download the latest version from www.java.com. The JRE requires less than 100 MB of hard disk space.

·  This installation method is not supported via IE x64. You will be provided warnings if using IE x64.

o  If you are running as a non-administrator on your system, you will need to launch IE via the Run as administrator (right click IE shortcut) to have appropriate privileges to install the client.

·  If you have multiple users logged in to your system when you attempt to connect, the SSL VPN client will not work. You must be the sole authenticated user on the system.

·  Add Micron to the list of trusted sites in your browser security, as follows:

1.  Choose Internet Options. To do so, use the following method:

o  Open Internet Explorer and choose Tools > Internet Options.

2.  Click the Security tab.

3.  Click the Trusted sites icon, and then click the Sites button below.

4.  Type https://*.micron.com in the Trusted Sites window.

5.  Click Add.

6.  Click OK.

7.  Click OK on the Security tab.

Installation Steps:
  1. Two-factor authentication is required. Have your SecurID SoftID running or your SecurID hardware fob available.
  2. Browse to https://connect.micron.com/
  3. The VPN gateway will evaluate your system and present you with an AnyConnect Secure Mobility Client installation option.
     a. On Windows, you may be prompted with a User Account Control (UAC) prompt and/or an ActiveX dynamic control security prompt. You may safely accept each.
     b. For Mac users, you must ensure that the Java applet is allowed / enabled. If Java is not installed and configured on your system, you will see a link in the lower left which reads Inactive Plug-in. If Java is installed, while the Cisco WebLaunch is running during the “Java Detection” phase and you see the Inactive Plug-in link, you may need to open the Java preferences in your browser and check the “Enable applet plug-in” option.
  4. You will be presented with a web page requesting authentication to Micron. Enter your username and passcode from your SecurID (your passcode is NOT your Micron password; it will be on your SecurID SoftID or hardware fob).
  5. You may once again be presented with an AnyConnect Secure Mobility Client installation page and various pop-up boxes indicating the client is being installed. Be patient at this point, as the system initiates and completes the VPN client installation.
  6. Once the client installation completes, the system will automatically connect back to the VPN gateway with the newly installed VPN client software. At this point you are connected to Micron via the SSL VPN client and may safely click “Logout” on the web page and close your browser. Note: If upon initial connection, the Windows Network Identification Wizard prompts you to name the newly created connection, simply name it “Micron SSLVPN”.
  7. You should now have an AnyConnect icon in your system tray (Windows).
  8. To disconnect the VPN client, you may right-click the AnyConnect icon in your system tray and choose “VPN Disconnect”.
  9. To reconnect, simply right-click the AnyConnect icon in your system tray and choose “VPN Connect”. Then, enter your username and SecurID passcode (not your Micron password) in the resulting dialog box.
  10. After the initial connection to a Micron VPN gateway, the AnyConnect client will show a list of trusted gateways in its dropdown. Choose the gateway server closest to your geographic location. This list will be updated as we deploy more VPN gateways in the enterprise.

Uninstall Client

To completely and cleanly uninstall the client:

  1. Go to Control panel > Uninstall Programs
  2. Select Cisco Diagnostics And Reporting Tool and Cisco AnyConnect Mobility Client
  3. Delete c:\ProgramData\Cisco
  4. Delete c:\Program Files (x86)\Cisco
  5. Delete C:\Users\username\AppData\Local\Cisco
  6. Delete C:\Users\username\AppData\Roaming\Cisco
  7. Reboot your system

VPN Client Use

See also the Quick Reference Card (QRC)

Launch the client

  1. After the initial connection to a Micron VPN gateway and subsequent launch of the AnyConnect client, the client will show a list of trusted gateways in its dropdown. Choose the gateway server closest to your geographic location. This list will be updated as we deploy more VPN gateways in the enterprise.

Two-factor authentication

·  If the client has a SecurID SoftID installed on their local device, the user can launch their SoftID, enter their PIN and copy and paste the resulting PASSCODE into the AnyConnect dialog box. Manual entry of the PASSCODE into the AnyConnect dialog box works as well.

·  If the client has only a SecurID hardware fob, they will be required to enter the PIN + tokencode displayed on their SecurID hardware fob as the requested PASSCODE.

IMPORTANT: Do NOT enter your Micron password as a PASSCODE. Use the security credentials from the Secure ID you are using (SoftID or hardware FOB).

Once connected, if you are connecting with a non-Micron managed device, you will receive the following notification message indicating limited port access as per policy. Otherwise you will be connected with full port access and no further message will be displayed.

VPN Client Troubleshooting

Client-side issues

Minimum requirements for opening a case or assisting in connectivity resolution:

§  Verify basic client network connectivity and that the user can ping the gateways. Example:

o  ping connect.micron.com -t

o  ping connect-qgil.micron.com -t

o  … other gateways as applicable.

§  Verify if the user can reach other network resources. For example, request user to browse to a web resource. This will further verify basic network connectivity.

§  Ask the user to gather and send basic Cisco AnyConnect logs

o  From the AnyConnect GUI, have the user click Advanced -> Message History tab, copy and provide that detail.

Advanced diagnostics information gathering:

We have implemented the Cisco Diagnostic And Reporting Tool (DART) providing clients a means to assist in determining connection issues. It will gather all AnyConnect related logs including Windows event logs it generates and package them up into a .zip file.

·  Quit/exit your AnyConnect client and restart it.

·  Open the AnyConnect client, click on “Advanced” at the bottom then choose the Statistics tab. You should now see a “Diagnostics” button in the upper right area of the dialog box.

·  Click that Diagnostics button and follow the prompts to generate a DART diagnostics file. Select the options shown here:

·  It takes a few minutes to run and gather information, so be patient.

·  Please send the resulting file (which will be placed on your desktop by default), to support to aid in root cause determination.

Other configuration items to check and knowledgebase

There is a Cisco AnyConnect Secure Mobility Agent service that must be running for the client to work.

·  The service should be set to Automatic and run as the Local System.

·  It should also be enabled in the Startup tab of MSCONFIG.

·  If that service is not running, the user may see the following:

Internet Connection Sharing (ICS). For security reasons we do not allow a client to share their internet connection, or in this case, the VPN tunnel connection to Micron, with other clients. The AnyConnect client does not allow this by policy and the client will not connect at all with this Windows setting enabled. Micron has a GPO option to disable this setting on the XP profile and the Windows 7 profile on Micron managed devices.

For home users, they must not have Internet Connection Sharing enabled on the network connection properties they are using to connect. This option must be unchecked/not selected.

The AnyConnect client runs a security posture assessment upon connection. This can fail for a variety of reasons, but most often it fails due to outdated system patches or a pending reboot following a patch that has been applied.

Solution: Verify system has current patches and reboot host. At minimum, perform a reboot of the system.
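
The three conditions above (agent service configuration, Internet Connection Sharing, pending reboot) can be checked in one pass with a read-only script. This is an added example, not Micron or Cisco tooling: the function name and messages are illustrative, it assumes an elevated Windows PowerShell session, and the two registry keys used to detect a pending reboot are the usual Windows servicing markers rather than anything this guide specifies.

```powershell
# Added example: read-only pre-flight check for the client-side conditions above.
# Assumption: run from an elevated Windows PowerShell session on the affected client.
function Test-AnyConnectPrereqs {
    $findings = @()

    # 1. Agent service: must exist, be running, start automatically, run as Local System.
    #    The service is looked up by the display name given in this guide.
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='Cisco AnyConnect Secure Mobility Agent'"
    if (-not $svc) {
        $findings += 'Agent service not found (is the client installed?)'
    } else {
        if ($svc.State -ne 'Running')         { $findings += "Agent service state is $($svc.State)" }
        if ($svc.StartMode -ne 'Auto')        { $findings += "Agent service start mode is $($svc.StartMode)" }
        if ($svc.StartName -ne 'LocalSystem') { $findings += "Agent service runs as $($svc.StartName)" }
    }

    # 2. Internet Connection Sharing must be off on every network connection,
    #    otherwise the client will not connect at all.
    $share = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $share.EnumEveryConnection) {
        $cfg = $share.INetSharingConfigurationForINetConnection.Invoke($conn)
        if ($cfg.SharingEnabled) {
            $name = $share.NetConnectionProps.Invoke($conn).Name
            $findings += "ICS is enabled on connection '$name'"
        }
    }

    # 3. Pending reboot after patching, a common cause of posture assessment failure.
    #    Assumption: these two keys are the markers checked; other reboot signals exist.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $rebootKeys) {
        if (Test-Path $key) { $findings += "Reboot pending: $key" }
    }

    # Leading comma keeps an empty result as an array instead of $null.
    return ,$findings
}

$result = Test-AnyConnectPrereqs
if ($result.Count -eq 0) { 'All checks passed.' } else { $result }
```

The script changes nothing on the system; any line it prints names a condition to correct before retrying the connection or opening a case.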

Other References

AnyConnect Admin guide

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml#step5

Linux client (unsupported by Micron presently, for reference only)

Requires installation and configuration of Java Runtime Environment and browser plug-in.

See http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html

Linux (32-bit and 32-bit running on 64-bit)

Note: Host Scan is a 32-bit application and requires the core 32-bit libraries to be installed on 64-bit Linux operating systems. Host Scan does not provide these 32-bit libraries at the time it is installed. Customers need to install the 32-bit libraries on the endpoints themselves, if they are not already provisioned.

Step 1 Firefox is installed

Step 2 The trust settings of the VeriSign Class 3 Public Primary Certification Authority - G5 root certificate authority include trust for identifying software makers. Modern versions of Firefox contain this VeriSign root CA certificate. After the AnyConnect client is installed, no additional user or administrator action is required.

This requirement for the Firefox certificate store does not apply to pre-deploy (manual) installation of the 3.1 AnyConnect client on Linux.

If the certificate and trust are not correct, Web Deployment fails to install the client, and the AnyConnect web portal displays a link for users to manually download and install the client. Users can either edit the trust settings in their Firefox browser, and try again, or simply download the client and install it themselves. During installation, the client configures the PEM store with the VeriSign root, verifies the code signing certificate, and configures the VeriSign root. When AnyConnect launches, it uses the VeriSign root in the PEM store for code signing verification.

To set trust in Firefox for Linux web deployment

1. In the Firefox tool bar, select Edit->Preferences.

2. Select the Advanced tab, then choose the Encryption sub-tab.

3. Choose View Certificates, and then select the Authorities tab.

4. Scroll down and select VeriSign Class 3 Public Primary Certification Authority - G5.

5. Click Edit Trust, and check This certificate can identify software makers.

Connecting with Mobile Broadband Cards

Some 3G or 4G cards require configuration steps before connecting to AnyConnect. For example, the Verizon Access Manager has three settings:

• modem manually connect

• modem auto connect except when roaming

• lan adapter auto connect

If you choose lan adapter auto connect, you can set the preference to NDIS mode. NDIS is an always-on connection that stays connected even when the VZAccess Manager is closed. The VZAccess Manager shows an auto-connect LAN adapter as the device connection preference when it is ready for AnyConnect installation. When an AnyConnect interface is detected, the 3G manager drops the interface and allows the AnyConnect connection. When you move to a higher-priority connection (wired networks are the highest priority, followed by Wi-Fi, and then mobile broadband), AnyConnect will make the new connection before breaking the old one.