Some background info:

On a Cisco ASA, the contents of the installed AnyConnect web deploy packages are accessed through https://ASA/CACHE/stc/{1,2,3,...}. So if the gateway has 4 web deploy packages installed, it looks like this:

    ciscoasa# show run webvpn
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
     anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
     anyconnect image disk0:/anyconnect-macosx-i386-2.3.2016-k9.pkg 3
     anyconnect image disk0:/anyconnect-linux-64-3.1.04066-k9.pkg 4
     anyconnect enable
     tunnel-group-list enable

These packages are used to feed the Java installer contraption if the user navigates to https://ASA/ in a web browser. The ASA's web server uses the regex line from headinfo.txt in *.pkg to try to determine which package matches the client's OS, based on the User-Agent header.

The URL => ASA pathname mappings for the ASA shown above are:

    https://ASA/CACHE/stc/1/Windows     => cache:/stc/1/Windows
    https://ASA/CACHE/stc/2/Linux       => cache:/stc/2/Linux
    https://ASA/CACHE/stc/3/Darwin_i386 => cache:/stc/3/Darwin_i386
    https://ASA/CACHE/stc/4/Linux_64    => cache:/stc/4/Linux_64

Each *.pkg file is just a zip archive. The 0-byte Windows/Linux_64/... files are at the top level of the archive, each of which gets unpacked into cache:/stc/<ID>/ inside the ASA.

After authenticating and receiving a webvpn cookie, the AnyConnect client application probes for the presence of these files to try to find the matching package for its OS:

    GET /CACHE/stc/1/index.html
      (if it exists, the gateway has package #1 installed, otherwise give up)
    GET /CACHE/stc/1/Linux_64
      (if it doesn't exist, assume #1 is for another OS and check package #2)
    GET /CACHE/stc/2/index.html
      (exists, good)
    GET /CACHE/stc/2/Linux_64
      (assuming this succeeds, then...)
    GET /CACHE/stc/2/binaries/update.txt
      (compare version numbers to see if an update is needed)

The https://ASA/CACHE/stc/* links are only accessible after authenticating, either through a browser or through a VPN client.

In XML POST mode the gateway will explicitly specify the base:

    <base-package-uri>/CACHE/stc/2</base-package-uri>

If this node is unavailable, as is the case on ocserv, part of the path is extracted from the webvpnc cookie (bu:/CACHE/stc) and the client tries each number sequentially until it finds the correct package or gets a 404 on index.html.

ocserv omits the /CACHE/stc prefix; so far this seems harmless.

Kevin Cernekee (4):
  README: Update dependencies
  Fix auto-update regression on AnyConnect clients
  Add support for Mac AnyConnect client
  Remove unnecessary AnyConnect /2/* files

 README              |  6 +++---
 src/worker-extras.c |  2 +-
 src/worker-vpn.c    | 10 ++--------
 3 files changed, 6 insertions(+), 12 deletions(-)

--
1.8.2.1
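
The probe sequence described in the message above, modeled offline as an added example (not code from ocserv, OpenConnect or the AnyConnect client). The names `GATEWAY_FILES`, `fetch` and `find_package` are hypothetical, and the file set is constructed to mirror the four-package ASA shown in the message.

```python
# Constructed sample data: marker files of the four-package ASA from the message.
MARKERS = {1: "Windows", 2: "Linux", 3: "Darwin_i386", 4: "Linux_64"}
GATEWAY_FILES = set()
for pkg_id, marker in MARKERS.items():
    for name in ("index.html", marker):
        GATEWAY_FILES.add(f"/CACHE/stc/{pkg_id}/{name}")


def fetch(path):
    """Stand-in for an authenticated HTTPS GET; returns an HTTP status code."""
    return 200 if path in GATEWAY_FILES else 404


def find_package(os_marker, base_package_uri=None, cookie_bu="/CACHE/stc", get=fetch):
    """Return (package base path or None, list of paths requested while probing).

    os_marker is the 0-byte file name the client looks for (e.g. "Linux_64").
    cookie_bu is the path taken from the bu: field of the cookie.
    """
    requested = []

    def exists(path):
        requested.append(path)
        return get(path) == 200

    if base_package_uri is not None:
        # XML POST mode: the gateway named the base explicitly, so no probing.
        return base_package_uri, requested

    pkg_id = 1
    # A 404 on index.html means package <pkg_id> is not installed: give up.
    while exists(f"{cookie_bu}/{pkg_id}/index.html"):
        # The marker file tells the client whether this package is for its OS.
        if exists(f"{cookie_bu}/{pkg_id}/{os_marker}"):
            return f"{cookie_bu}/{pkg_id}", requested
        pkg_id += 1
    return None, requested


if __name__ == "__main__":
    base, probes = find_package("Linux_64")
    print(base)
    for p in probes:
        print("GET", p)
```

On this gateway a Linux_64 client issues eight GETs before it finds package 4; the next request would be for binaries/update.txt under the returned base.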