30-04-2021



AnyConnect client profiles are downloaded to clients along with the AnyConnect VPN client software. These profiles define many client-related options, such as auto-connect on startup and auto-reconnect, and whether end users can change each option from the AnyConnect client preferences and advanced settings.

If you configure a fully-qualified domain name (FQDN) for the outside interface when configuring the remote access VPN connection, the system creates a client profile for you that enables the default settings. Client profiles are therefore optional: create and upload your own AnyConnect client profile only if you want non-default behavior. If you do not upload one, AnyConnect clients use the default settings for every profile-controlled option.

The screenshot below shows a configured server in the Server List Entry dialog of the profile editor. When configuration is complete, save the profile. Give the file a unique name, so that it is not overwritten by a profile of the same name downloaded from another AnyConnect server; you can then upload the file when you create the AnyConnect Client Profile object (see the procedure below).

AnyConnect 4.9 on iOS adds support for Server Name Indication (SNI) on VPN connections. Caveat: on iOS 14, when tunnel DNS servers are configured without split DNS, a failure to resolve a name through the tunnel DNS servers does not fall back to the device's public DNS servers.

Note: You must include the FTD device's outside interface in the VPN profile's server list for the AnyConnect client to display all user-controllable settings on the first connection. If you do not add the device's address or FQDN as a host entry in the profile, filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but the device is not a host entry in that profile, the certificate match is ignored.

You can also create AnyConnect client profile objects while editing a profile property by clicking the Create New AnyConnect Client Profile link shown in the object list.

Before you begin

Before you can upload VPN AnyConnect client profiles, you must do the following.

  • Download and install the stand-alone AnyConnect “Profile Editor - Windows / Standalone installer (MSI).” The installer is Windows-only and is named anyconnect-profileeditor-win-<version>-k9.msi, where <version> is the AnyConnect version, for example anyconnect-profileeditor-win-4.3.04027-k9.msi. Java JRE 1.6 or later must be installed before you install the profile editor. Obtain the profile editor from https://software.cisco.com/download/home/283000185 in the AnyConnect Secure Mobility Client category.
  • Use the profile editor to create the profiles you need, and specify the hostname or IP address of the FTD outside interface in the profile's server list. For detailed information, see the editor's online help.

The following procedure explains how to create an AnyConnect client profile object directly from the Objects page:

Create an AnyConnect Client Profile Object

  1. In the CDO navigation bar at the left, click Objects.
  2. Click the blue plus button.
  3. Click RA VPN Objects (ASA & FTD) > AnyConnect Client Profile.
  4. In the Object Name field, enter a name for the AnyConnect client profile.
  5. Click Browse and select the file you created using the Profile Editor.
  6. Click Open to upload the profile.
  7. Click Add to add the object.
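Before uploading, it is worth checking the profile file against the two warnings above: that its server list actually contains the outside-interface FQDN, and that its file name will not collide with a profile from another headend. The script below does that. It is an added example written for this page, not Cisco's or CDO's code; the embedded profile XML is a constructed sample in the layout the Profile Editor saves (root AnyConnectProfile, ClientInitialization, ServerList/HostEntry), and vpn.example.com stands in for the outside-interface FQDN.

```python
# Pre-upload checks for an AnyConnect client profile. Added example for this
# page; not Cisco's code and not run by CDO. It reads the XML the Profile
# Editor saves and flags a ServerList without a host entry for the FTD
# outside interface, and a file name already used by another profile.
import xml.etree.ElementTree as ET

# Constructed sample in the Profile Editor's layout (root AnyConnectProfile,
# ClientInitialization, ServerList/HostEntry). vpn.example.com stands in for
# the outside-interface FQDN.
PROFILE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Same profile, but the only host entry points at a different headend.
PROFILE_NO_HEADEND = PROFILE_OK.replace("vpn.example.com", "vpn-old.example.net")


def _strip_ns(tag):
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def load_profile(xml_text):
    """Parse a profile and drop the default namespace so tags read as in the editor."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = _strip_ns(el.tag)
    if root.tag != "AnyConnectProfile":
        raise ValueError(f"not an AnyConnect profile (root is <{root.tag}>)")
    return root


def server_list(root):
    """(display name, address) for each ServerList/HostEntry.

    An empty HostAddress is taken to mean the client connects to the display
    name (assumption about the editor's behaviour, so we mirror it here)."""
    entries = []
    for he in root.iterfind("./ServerList/HostEntry"):
        name = (he.findtext("HostName") or "").strip()
        addr = (he.findtext("HostAddress") or "").strip() or name
        entries.append((name, addr))
    return entries


def client_settings(root):
    """ClientInitialization option -> (value, end user may change it)."""
    ci = root.find("ClientInitialization")
    if ci is None:
        return {}
    return {el.tag: ((el.text or "").strip(),
                     el.get("UserControllable", "false").lower() == "true")
            for el in ci}


def check_profile(xml_text, outside_fqdn, filename, existing_names=()):
    """Return a list of findings; an empty list means the profile is ready to upload."""
    root = load_profile(xml_text)
    findings = []
    want = outside_fqdn.strip().lower()
    if not any(addr.lower() == want for _, addr in server_list(root)):
        findings.append(
            f"no HostEntry for {outside_fqdn}: per-host settings such as a "
            "certificate match are ignored and user-controllable settings are "
            "not shown on the first connection")
    if filename in existing_names:
        findings.append(
            f"{filename} is already used by another profile; the client would "
            "overwrite one with the other")
    return findings


if __name__ == "__main__":
    for label, xml in (("ok", PROFILE_OK), ("no-headend", PROFILE_NO_HEADEND)):
        print(label, check_profile(xml, "vpn.example.com", "corp-vpn.xml",
                                   existing_names={"profile.xml"}) or "ready")
```

Run it against the real file with check_profile(open(path).read(), fqdn, os.path.basename(path), names_already_uploaded); an empty list means nothing on this page's checklist is missing. The namespace stripping is there because the editor writes a default xmlns on the root element, which otherwise makes every ElementTree lookup need the {namespace} prefix.
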

This article refers to the Cisco AnyConnect VPN. If you're looking for information on the Prisma Access VPN Beta that uses the GlobalProtect app, see: Prisma Access VPN Landing Page.
If you're not sure which service you're using, see: How do I know if I'm using the Cisco AnyConnect VPN or the Prisma Access VPN?

Context

  • Cisco AnyConnect VPN service available via vpn.mit.edu
  • Using Internet Explorer on Windows Vista or Windows 7
  • VPN connections to MITnet

Answer

Under Windows 7 and Windows Vista, Microsoft has improved internet security by letting you specify whether a particular internet connection, most commonly a connection to a wireless network, is a connection to your Home network, your Work network, or a Public network. The setting you choose affects how much Windows trusts hosts on that network.

It is common for wireless connections to default to 'Public', especially if they are not encrypted. This is generally good security practice. However, in order to then successfully connect to MIT's new Cisco AnyConnect VPN service you need to add the VPN server, vpn.mit.edu to your list of trusted sites. You can do this as follows:

Open the Internet Properties window

Two ways to get there, by either:

  • Starting Internet Explorer
  • Going to the Tools menu
  • Selecting Internet Options

or by:

  • Going to your Control Panels
  • Selecting the Network and Internet section
  • Selecting Internet Options

Once in the Internet Properties window

  • Select the Security tab
  • Click the big green checkmark that says Trusted sites
  • Click the Sites button
  • In the box labeled Add this website to the zone enter https://vpn.mit.edu
  • Click the Add button (https://vpn.mit.edu should now appear in your list of trusted sites)
  • Click the Close button
  • Click OK to exit the Internet Properties window
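The dialog above writes a per-user registry entry, which is the thing to check if the setting does not seem to take, or to add by script on many machines instead of clicking through Internet Properties. The following is an added example for this page, not MIT's or Microsoft's code: it computes the ZoneMap key for a URL, reads the zone currently assigned to it, and creates the Trusted sites entry. The zone ids, the Domains key layout and the two-label domain split are assumptions about how Internet Explorer stores the zone map; the registry value is named after the scheme, which is why adding https://vpn.mit.edu does not also trust http://vpn.mit.edu.

```python
# Added example (not MIT's or Microsoft's code): where the Trusted sites entry
# created by the steps above lives in the registry, and how to audit or add it
# by script. zone_map_entry() runs anywhere; the two registry functions need
# Windows.
import sys
from urllib.parse import urlsplit

# Internet Explorer zone ids as used in the ZoneMap (assumed constants).
ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 1, 2, 3, 4
ZONEMAP_DOMAINS = (r"Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")


def zone_map_entry(url, zone=ZONE_TRUSTED):
    """Registry (subkey under HKCU, value name, DWORD data) that places url in zone.

    Assumed layout: IE keys the entry on the registrable domain, puts any further
    labels in a single subkey, and names the value after the scheme so only that
    scheme is trusted: https://vpn.mit.edu -> Domains\\mit.edu\\vpn, "https" = 2.
    A value named "*" would trust every scheme, plain http included, which is
    why the page has you add the https:// form. The registrable domain is taken
    to be the last two labels (a simplification; IE consults a suffix list).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"need an http(s) URL with a host, got {url!r}")
    labels = parts.hostname.lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"unqualified host {parts.hostname!r}")
    domain, rest = ".".join(labels[-2:]), ".".join(labels[:-2])
    subkey = ZONEMAP_DOMAINS + "\\" + domain + ("\\" + rest if rest else "")
    return subkey, parts.scheme, zone


def site_zone(url):
    """Zone id currently assigned to url's scheme and host for this user, or None."""
    if sys.platform != "win32":
        return None
    import winreg
    subkey, name, _ = zone_map_entry(url)
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            data, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return data if kind == winreg.REG_DWORD else None


def add_trusted_site(url):
    """Create the same Trusted sites entry the GUI steps create; Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("registry write needs Windows")
    import winreg
    subkey, name, data = zone_map_entry(url)
    with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, subkey) as key:
        winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, data)
    return subkey, name, data


if __name__ == "__main__":
    print(zone_map_entry("https://vpn.mit.edu"))
    print("current zone:", site_zone("https://vpn.mit.edu"))
```

Entries pushed by Group Policy live under a different key (ZoneMapKey) and are not covered here; if site_zone() returns None but the site shows as trusted in the dialog, that is where to look next.
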
