This commit replaces the old profile.xml with the Example Configuration from the Administrator Guide while not locking down the client and allowing AnyConnect sessions from remote desktop connections.

Source: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/administration/23adminapa.html

Signed-off-by: Thomas Glanzmann <thomas at glanzmann.de>
---
 doc/profile.xml | 343 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 316 insertions(+), 27 deletions(-)

diff --git a/doc/profile.xml b/doc/profile.xml
index af0bd36..8157a4b 100644
--- a/doc/profile.xml
+++ b/doc/profile.xml
@@ -1,31 +1,320 @@ <?xml version="1.0" encoding="UTF-8"?> +<!-- + This is a sample of a Cisco AnyConnect VPN Client Profile XML file. + + Please refer to the Cisco AnyConnect VPN Client Administrator Guide + for information regarding profile management and examples of all + available options. In short: + + - A Profile should be uniquely named for your Company. An example is: + CiscoProfile.xml + + - The profile name should be the same even if different for individual + group within the company. + + This file is intended to be maintained by a Secure Gateway administrator + and then distributed with the client software. The profile based on + this XML can be distributed to clients at any time. The distribution + mechanisms supported are as a bundled file with the software distribution + or as part of the automatic download mechanism. The automatic download + mechanism only available with certain Cisco Secure Gateway products. + + NOTE: Administrators are strongly encouraged to validate XML profile they + create using an online validation tool or via the profile import + functionality in ASDM. Validation can be accomplished with the + AnyConnectProfile.xsd found in this directory. + + + AnyConnectProfile is the root element representing the AnyConnect Client + Profile. + --> <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd"> + <!-- + The ClientInitialization section represents global settings for the + client. In some cases (e.g. BackupServerList) host specific overrides + are possible. + --> + <ClientInitialization> + <BypassDownloader>true</BypassDownloader> + + <!-- + The Start Before Logon feature can be used to activate the VPN as + part of the logon sequence. + + UserControllable: + Does the administrator of this profile allow the user to control + this attribute for their own use. 
Any user setting associated + with this attribute will be stored elsewhere. + --> + <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> + <!-- + This control allows automatic certificate selection to be + disabled. When this is disabled a user certificate selection + dialog is displayed if the GUI is available. + + This setting only applies to the Microsoft Windows version of + AnyConnect and has no effect on other platforms. + --> + <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection> + <!-- + This control enables an administrator to have a one time message + displayed prior to a users first connection attempt. As an example, + the message could be used to remind a user to insert their smart + card into it's reader. + + The message to be used with this control is localizable and can be + found in the AnyConnect message catalog. + (default: "This is a pre-connect reminder message.") + --> + <ShowPreConnectMessage>false</ShowPreConnectMessage> + <!-- + This setting allows an administrator to specify which certificate + store AnyConnect will use for locating certificates. + + This setting only applies to the Microsoft Windows version of + AnyConnect and has no effect on other platforms. + --> + <CertificateStore>All</CertificateStore> + <!-- + This setting allows an administrator to direct AnyConnect to search + for certificates in the Windows machine certificate store. This is + useful in cases where certificates are located in this store and + users do not have administrator privileges on their machine. + --> + <CertificateStoreOverride>false</CertificateStoreOverride> + <!-- + Controls AnyConnect client behavior when started. By default, the + client will attempt to contact the last Gateway a user connected + to or the first one in the list from the AnyConnect profile. In + the case of certificate-only authentication, this will result in + the establishment of a VPN tunnel when the client is started. 
+ --> + <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart> + <!-- + Controls AnyConnect GUI behavior when a VPN tunnel is established. + By default, the GUI will minimize when the VPN tunnel is + established. + --> + <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect> + <!-- + If Local LAN access is enabled for remote clients on the Secure + Gateway, this setting can be used to allow the user to accept or + reject this access. + --> + <LocalLanAccess UserControllable="true">true</LocalLanAccess> + <!-- + This setting allows an administrator to control how a client will + behave when the VPN tunnel is interrupted. Control can optionally + be given to the user. + --> + <AutoReconnect UserControllable="true">true + <AutoReconnectBehavior>ReconnectAfterResume</AutoReconnectBehavior> + </AutoReconnect> + <!-- + This setting allows the adminstrator to turn off the dynamic + update functionality of AnyConnect. Control of this can also be + given to the user. + --> + <AutoUpdate UserControllable="false">true</AutoUpdate> + <!-- + This setting allows the adminstrator to control how the user will + interact with RSA. By default, AnyConnect will determine the + correct method of RSA interaction. The desired setting can be + locked down by the administrator or control can be given to the + user. + --> + <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration> + <!-- + This setting allows the adminstrator to control if more than one + user may be logged into the client PC during a VPN connection. + --> + <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement> + <!-- + This setting allows the adminstrator to control if a VPN + connection may be initiated by a remote user. 
+ --> + <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> + <!-- + This setting determines whether to keep the VPN session + when the user logs off a Windows OS + --> + <RetainVpnOnLogoff>false + <UserEnforcement>SameUserOnly</UserEnforcement> + </RetainVpnOnLogoff> + <!-- + This section enables the definition of various attributes that + can be used to refine client certificate selection. + --> + <CertificateMatch> + <!-- + Certificate Key attributes that can be used for choosing + acceptable client certificates. + --> + <KeyUsage> + <MatchKey>Non_Repudiation</MatchKey> + <MatchKey>Digital_Signature</MatchKey> + </KeyUsage> + <!-- + Certificate Extended Key attributes that can be used for + choosing acceptable client certificates. + --> + <ExtendedKeyUsage> + <ExtendedMatchKey>ClientAuth</ExtendedMatchKey> + </ExtendedKeyUsage> + </CertificateMatch> + <MobilePolicy> + <!-- + DeviceLockRequired indicates that a Windows Mobile device must + be configured with a password or PIN prior to establishing a + VPN connection. This configuration is only valid on Windows + Mobile devices that use the Microsoft Default Local + Authentication Provider (LAP). + + The following attributes can be specified to check additional + settings. The platforms for which each additional check is + performed as specified with "WM5AKU2+" for Windows Mobile 5 with + the Messaging and Security Feature Pack delivered as part of + Adaption Kit Upgrade 2 (AKU2). + + MaximumTimeoutMinutes - when set to non-negative + number, specifies the maximum number of minutes + that must be configured before device lock takes + effect. (WM5/WM5AKU2+) + MinimumPasswordLength - when set to a non-negative number, + specifies that any PIN/password used for device lock + must be equal to or longer than the specified value, + in characters. This setting must be pushed down to + the mobile device by syncing with an Exchange server + before it can be enforced. 
(WM5AKU2+) + PasswordComplexity - when present checks for the following + password subtypes: + "alpha" - Requires an alphanumeric password + "pin" - Numeric PIN required + "strong" - Strong alphanumeric password defined by + Microsoft as containing at least 7 + characters, including at lesst 3 from + the set of uppercase, lowercase, + numerals, and punctuation. + + This setting must be pushed down to the mobile device + by syncing with an Exchange server before it can be + enforced. (WM5AKU2+) - <ClientInitialization> - <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> - <StrictCertificateTrust>false</StrictCertificateTrust> - <RestrictPreferenceCaching>false</RestrictPreferenceCaching> - <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols> - <BypassDownloader>true</BypassDownloader> - <CertEnrollmentPin>pinAllowed</CertEnrollmentPin> - <CertificateMatch> - <KeyUsage> - <MatchKey>Digital_Signature</MatchKey> - </KeyUsage> - <ExtendedKeyUsage> - <ExtendedMatchKey>ClientAuth</ExtendedMatchKey> - </ExtendedKeyUsage> - </CertificateMatch> - - <BackupServerList> - <HostAddress>localhost</HostAddress> - </BackupServerList> - </ClientInitialization> - - <ServerList> - <HostEntry> - <HostName>VPN Server</HostName> - <HostAddress>localhost</HostAddress> - </HostEntry> - </ServerList> + Note that this configuration setting merely enforces policy - + it does not actually change local device policy. + --> + <DeviceLockRequired + MaximumTimeoutMinutes="60" + MinimumPasswordLength="4" + PasswordComplexity="pin"/> + </MobilePolicy> + <!-- + Automatic VPN policy defines policy for automatically connecting + and disconnecting the VPN tunnel based on network state. + --> + <AutomaticVPNPolicy>false + <!-- + When a client machine has one of the following DNS suffixes or DNS + server addresses, it will be treated as though it is on a Trusted + Network. When the client machine is not in the Trusted Network, + it is considered to be on an Untrusted Network. 
When the client + transitions to a Trusted Network or Untrusted Network, it will perform + the action in the corresponding policy setting. Typically this is + used to have the client automatically initiate a VPN connection when + the user???s laptop is at home, and disconnect when they reach the Trusted + Network at work. To get started using Trusted Network Detection, replace + the values containing placeholder values with the appropriate settings + for your enterprise. + --> + <TrustedDNSDomains>REPLACE_company.com</TrustedDNSDomains> + <TrustedDNSServers>REPLACE_1.2.3.4</TrustedDNSServers> + <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy> + <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy> + <!-- + The AlwaysOn setting configures a client machine to establish a VPN + connection when the user logs in to their computer. If the connection + cannot be established, the ConnectFailurePolicy can be used to control + whether or not the user may access other network resources. Please + read the Cisco AnyConnect Secure Mobility Client Administrator Guide + before enabling AlwaysOn. + --> + <AlwaysOn>true + <ConnectFailurePolicy>Open + <!-- + When ConnectFailurePolicy is set to "Closed", the + AllowCaptivePortalRemediation setting controls whether the user will + be permitted to log into a captive portal to allow VPN establishment + to continue. This is typically turned on to allow users to VPN from + hotels and coffee shops that require a web-based login before VPN + connections can be established. + --> + <AllowCaptivePortalRemediation>true + <!-- + Specifies the amount of time, in minutes, that HTTP and HTTPS + traffic is permitted out after a network change that results in + a "Closed" ConnectFailurePolicy. After this time expires, the + user will be unable to send web traffic. 
+ --> + <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout> + </AllowCaptivePortalRemediation> + <!-- + Firewall and split-exclude rules can be cached locally on the client + when in Always-On mode. This setting controls whether the last set + of firewall and split-exclude rules from the ASA will be applied even + when the VPN connection is not established. + --> + <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules> + </ConnectFailurePolicy> + </AlwaysOn> + </AutomaticVPNPolicy> + <!-- + When Optimal Gateway Selection (OGS) is enabled, the client will contact each of + the servers in the ServerList, and connect to the one with the lowest + round trip time (RTT). When a client machine comes out of a system resume of at + least the duration in hours specified by AutoServerSelectionSuspendTime, it + will connect to a different host only if the RTT improves by the percentage + specified by AutoServerSelectionImprovement. The examples below allow a + user that suspends their laptop during a transatlantic flight of at least + 4 hours to switch from North American to European servers if there is at + least a 20% reduction in latency. + --> + <EnableAutomaticServerSelection UserControllable="true">false + <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement> + <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime> + </EnableAutomaticServerSelection> + <!-- + Amount of time, in seconds, that the client waits for authentication to be completed. By default, the client + expects to receive a response in 12 seconds; therefore, if the authentication process takes longer than this, + the connection fails. For example, the secure gateway is configured to contact a RADIUS server which first + authenticates the username and then initiates a phone call to the user who then needs to press # for the + RADIUS server to accept the request, this process can take more than 20 seconds. 
+ --> + <AuthenticationTimeout>30</AuthenticationTimeout> + </ClientInitialization> + <!-- + This section contains the list of hosts the user will be able to + select from. + --> + <ServerList> + <!-- + This is the data needed to attempt a connection to a specific + host. + --> + <HostEntry> + <!-- + Can be an alias used to refer to the host or an FQDN or + IP address. If an FQDN or IP address is used, a + HostAddress is not required. + --> + <HostName>PUT_THE_FQDN_OF_YOUR_OCSERV_HERE</HostName> + <HostAddress>PUT_THE_FQDN_OF_YOUR_OCSERV_HERE</HostAddress> + </HostEntry> + <!-- + <HostEntry> + <HostName>REPLACE_AsaName2</HostName> + <HostAddress>REPLACE_10.94.146.172</HostAddress> + <UserGroup>REPLACE_TunnelGroup</UserGroup> + </HostEntry> + --> + </ServerList> </AnyConnectProfile> -- 1.7.10.4
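Review bot: the new AutomaticVPNPolicy block ships `<AlwaysOn>true` with `<ConnectFailurePolicy>Open` underneath an `<AutomaticVPNPolicy>false` element that still carries the placeholders `<TrustedDNSDomains>REPLACE_company.com</TrustedDNSDomains>` and `<TrustedDNSServers>REPLACE_1.2.3.4</TrustedDNSServers>`; an administrator who flips AutomaticVPNPolicy to true without editing further ends up with Always-On driven by a bogus trusted-network definition, so either set AlwaysOn to false in this sample or comment the block out the way the second HostEntry is, and list in the header comment every REPLACE_ and PUT_THE_FQDN_ value that must be edited before deployment. With `<BypassDownloader>true</BypassDownloader>` retained at the top, the `<AutoUpdate UserControllable="false">true</AutoUpdate>` line has no practical effect and deserves a comment saying so. Minor: the copied comments contain "adminstrator" several times, "lesst", "it's reader" and "user???s laptop", the last being a mangled non-ASCII apostrophe in a file declared as UTF-8; replace it with a plain ASCII apostrophe.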