Cisco ASA Update Cisco Anyconnect Update
Rene Straube
CSE, Cisco Germany
May 2015
Cisco ASA with FirePower
Platform Update
Cisco Confidential 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Introducing Cisco ASA with FirePOWER Services for SMB, Midsized, & Distributed Enterprise
• 5506-X: Refresh for 5505; FirePOWER Services default; desktop form factor
• 5506W-X Wireless: Enable additional SMB & branch deployments; integrated wireless AP
• 5508-X: Green field opportunity with new pricing point; 1 RU rack-mount
• 5516-X: 1 RU rack-mount; higher performance; refresh for 5512 and 5515

Desktop 5506-X
7.92” x 8.92” x 1.73”

| Parameter | Value |
|---|---|
| CPU | Multicore [email protected] GHz |
| Accelerator | Hardware Crypto Accelerator |
| RAM / Storage | 4 GB / 64 GB mSata |
| Management Ports | 1 Management Port with 10/100/1000 Base-T |
| Console Port | RJ45, Mini USB |
| USB Port | Type ‘A’ supports 2.0 |
| Data Ports | 8 * 1 G Interface, All L3 interfaces |
| Cooling | Convection |
| Power | AC external, No DC |

Wireless Desktop 5506W-X
7.92” x 8.92” x 1.73”
* 5506W-X configuration is same as Desktop 5506-X. Below is the information on wireless.

| Parameter | Value |
|---|---|
| Wireless AP | ASA5506_AP702, IEEE 802.11n, 2 x 2 MIMO. Dual band AP 2.5 GHz and 5GHz |
| Port | 8 x External Data ports, 1 Access Point (attached to 1 internal data port - g1/9) |
| Management Port | Any data port of g1/1 - g1/8; Management 1/1 is used only for firewall management |
| Management | Autonomous (AP OnBox GUI) or Cisco’s Wireless LAN Controller |

Rackmount 5508-X / 5516-X
17.2” x 11.11” x 1.72”
• CPU Complex: CPU Intel Rangeley 8 Core 2 GHz
• CPU: DRAM 8GB for Intel, 1GB for Octeon
• Accelerator: Cavium CN7020 2 Core 1GHz
• Console Port: 1 RJ 45, Mini USB (Mini USB has priority)
• Ports: 8 x 1GE data interface and 1 Management port (10/100/1000)
• USB port type ’A’ support with 2.0
• FAN cooling, No DC and No POE
• 120 GB SSD

| Parameter | Value |
|---|---|
| CPU | Multicore 5508-X@2 GHz [email protected] |
| Accelerator | Hardware Crypto Accelerator |
| RAM / Storage | 8 GB Intel / 120 GB SSD |
| Ports | 1 Management Port with 10/100/1000 Base-T |
| Console Port | RJ45, Mini USB |
| USB Port | Type ‘A’ supports 2.0 |
| Memory | 8 * 1 G Interface, All L3 interfaces |
| Cooling | FAN |
| Power | AC internal, No DC |

On Box Manager: ASDM 7.3.x
New! Combines Control Over Access Policies and Advanced Threat Defense Functions. The enhanced UI provides quick views on trends and the ability to drill-down for details.

Centralized Management: Same as larger models — uses CSM & FireSIGHT
Provides security teams with:
• Management for multiple devices
• Comprehensive visibility and control over network activity
• Optimal remediation through infection scoping and root cause determination
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Which ASA with FirePOWER platform?
Maximum AVC and IPS throughput
Branch Locations
• ASA 5512-X: 150 Mbps NGFW, 100K Connections, 10,000 CPS
• ASA 5515-X: 250 Mbps NGFW, 250K Connections, 15,000 CPS
Small/Medium Internet Edge
• ASA 5525-X: 650 Mbps NGFW, 500K Connections, 20,000 CPS
• ASA 5545-X: 1 Gbps NGFW, 750K Connections, 30,000 CPS
• ASA 5555-X: 1.25 Gbps NGFW, 1 M Connections, 50,000 CPS
• ASA 5506-X: 125 Mbps NGFW, 50K Connections, 5,000 CPS
ASA 5508-X ASA 5516-X
600Mbps NGFW
250K Connections
20,000 CPS
250Mbps NGFW
100K Connections
10,000 CPS

440 byte HTTP Transactional test in Mbps
IPS uses Balanced Profile, AVC uses Network Discovery: Applications
As with all performance discussions, YOUR MILEAGE MAY VARY!!

| Model | FirePOWER IPS or AVC | FirePOWER IPS + AVC | FirePOWER IPS + AVC + AMP |
|---|---|---|---|
| 5506-X | 90 | 65 | 40 |
| 5508-X | 180 | 115 | 85 |
| 5512-X | 100 | 75 | 60 |
| 5515-X | 150 | 100 | 85 |
| 5516-X | 300 | 200 | 150 |
| 5525-X | 375 | 255 | 205 |
| 5545-X | 575 | 360 | 310 |
| 5555-X | 725 | 450 | 340 |
| 5585-10 | 1200 | 800 | 550 |
| 5585-20 | 2000 | 1200 | 850 |
| 5585-40 | 3500 | 2100 | 1500 |
| 5585-60 | 6000 | 3500 | 2300 |

Licensing overview: Same model as on existing ASA Platforms
ASA Licensing
• Security plus (HA)
• Anyconnect licenses
• Security Context (only 5508X and 5516X)
NGFW Licensing
• NGFW License (AVC) included
• 1, 3 and 5 year subscription, AVC updates are available with SmartNet.
[Figure: license bundles TA, TAC, TAM, TAMC; components shown: IPS, URL, AMP]
Cisco AnyConnect
Update

Agenda
• AnyConnect 4.x Update
• New Licensing Scheme for AnyConnect 4.0
• How to migrate to the new Licensing?

Cisco AnyConnect Secure Mobility Client: Extending Control of Context to the Endpoint
• Simply and securely work anywhere on any device: Delivers reliable and transparent secure remote access for the off-premises user based on VPN
• Helps ensure endpoint integrity: Multiple authentication options, comprehensive posture checks
• Provides secure connectivity: End-to-end encryption, integrated web security, per-app VPN for mobile

Cisco AnyConnect Module Details
AnyConnect NAM
• Wired & Wireless Connection Manager
• 802.1x Supplicant
• 802.1ae (MACsec) Link Encryption
• Various authentication methods (user/pass, certs, OTP)
• As of now available only for Windows OS
AnyConnect VPN
• VPN Profile & Connection Manager
• SSL-VPN Client
• IPSec/IKEv2 Client (only works with ASA headend, IOS support planned)
• Various authentication methods (user/pass, certs, OTP)
• Available for MacOS, Windows, Linux
AnyConnect Websecurity
• ScanSafe Mobility Client
• Intercepts all Web traffic on the client
• Builds a tunnel to a ScanSafe Datacenter and forwards all Web traffic
• Authentication via user or group key
• As of now available only for Windows OS

What’s New in Cisco AnyConnect 4.0? Posture Check and Secure VPN Access with Unified Agent and Cisco ISE 1.3
• Supports device posture and authorization across multiple access methods
• Simplifies management with only one agent to manage
• Prevents noncompliant devices from accessing the network

Common Context-Based Access Policy Services (Cisco ISE + Cisco AnyConnect®)
Centralized Endpoint Secure Access Policy
[Diagram labels: Cisco Prime™, Cisco® ISE, Third-Party MDM; Office Wired Access, Office Wireless Access, Remote Access; Wired Network Devices, Cisco Catalyst® Switches, ASA Firewall]

What’s New in Cisco AnyConnect 4.0? Connect Only Approved Applications over VPN
Selectively Tunnels Traffic Through VPN
• Provide secure remote access for selected applications by user, role, device, etc. (per-app VPN)
• Reduce the potential for non-approved applications to compromise enterprise data
• Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations

What’s New in Cisco AnyConnect 4.1? Cisco AnyConnect AMP Enabler
Deploying AMP Connector to endpoints with AnyConnect
[Diagram labels: Desktop User, FireAMP Portal, Cisco ASA]

What’s New in Cisco AnyConnect 4.1? AMP Enabler Flow with ASA
[Flow diagram with numbered steps 1 to 3 between VPN Desktop, ASA, AMP Portal and Enterprise Hosted Server. Labels: Request Connect; Credentials; Auth Challenge; Config with AC/AMP Profile; Download AMP connector image (via https); FA connector image]

What’s coming up next?
• AnyConnect on Windows Phone 8.x (beta already started)
• AnyConnect on Blackberry 10 (this summer)
• AnyConnect on LinuxARM for IoT Use Cases (2HCY15)

Why we Change the AnyConnect Licensing?
AnyConnect
o Simplify
o Feature / value alignment
o Remove lock to appliance (helps with ASA migrations & RMA Process)
o Consistent model regardless of headend
o Solve Share / Flex / Essentials + Premium mix challenges
ISE
o Adapt to new ISE feature content / AC integration in 1.3
  - Unified Agent (single agent for compliance)
o Consistency with AC selling motion
o Different 3rd Party MDM offer structure

AnyConnect Licensing – Today
FLEX License (for 54 days daily use)
Good for Short Periods of High Demand (Emergencies, Events, etc.; per box)
MOBILE License (per ASA model)
MOBILE License (per ASA)
ADVANCED ENDPOINT ASSESSMENT License (per ASA)
Premium Licenses Shared by Multiple Cisco® ASA Devices
SHARED License (per user + per ASA)
ESSENTIALS License (per ASA model)
Basic Remote Access Connectivity
Or Always-On, Clientless, Posture Assessment, Mobile Posture, Suite B
PREMIUM License (per user for each ASA)
Other Licenses: VPN Phone & FIPS (per ASA model)
This is too complex, even if we’ve all got used to it ...

New Licensing in Cisco AnyConnect 4.0: Simpler Licensing with Greater Flexibility
Per user (with their multiple devices)
Plus License
• IPSec/SSL VPN
• Mobile per-app VPN (new)
• Web security
• Network access manager
• Any Headend
Apex License
• Plus features
• Unified Endpoint Compliance (new)
• Clientless
• Suite B
• Any Headend
New endpoint licensing portable across any hardware platforms, simplifying transfer
New two-tiered licensing structure to allow customers to grow based on new enterprise mobility needs

New AC Features & Licensing
Current AnyConnect 3.X (tied only to ASA)
• Essentials (Perpetual)
• Premium (Perpetual)
• Shared (Perpetual)
• Mobile (Perpetual)
• AEA (Perpetual)
• Flex (Perpetual)
• Non-Lic (NAM, CWS)
* VPN Phone goes away because of VCS gateway
New AnyConnect 4.X (loose with ASA, ISR, ASR, CSR, CWS)
• “PLUS” (New!): Basic PC + Mobile Services
  - Device VPN / Per app VPN
  - Always On
  - ASA, ISE, ASR, CSR
  - FIPS
  - CWS / Web Security
  - NAM
• “APEX” (New!): Advanced PC + Mobile Services
  - Unified Endpoint Compliance / Remediation (Posture)
  - Suite B
  - Clientless
  - Includes PLUS !!!

Two Licensing Models to choose
APEX (Term)
or
• 25-250K per user* pricing ($)
• “Right to Use” based on user/seat count vs concurrency
• 1, 3 and 5 Yr options (includes support)
• Compliance -> Trust (Phase 1)
• Built in “Shared, Flex” functionality
• Covers PC and Mobile
• Includes “near” zero day OS support for all supported platforms
PLUS (Perpetual)
PLUS (Term)
• 25-250K per user* pricing ($$$)
• “Right to Use” based on user/seat count vs concurrency
• Support (SASU) ordered separately
• Compliance -> Trust (Phase 1)
• Built in “Shared, Flex” functionality
• Covers PC and Mobile
• Includes “near” zero day OS support for all supported platforms
* Please be aware of “user” based licensing, not device based !!

AnyConnect Premium & Essentials Licensing
• Essentials – almost free
• Essentials – Perpetual License
• Premium – Perpetual License
• Essential & Premium cannot be mixed on one device
• Premium & Essentials are charged based on concurrent connections
• Licenses applied on a device
AnyConnect Apex & Plus Licensing
• Plus – not free anymore
• Plus – Perpetual or Subscription License
• Apex – Subscription License only
• Plus & Apex can be mixed in a single customer deployment
• Apex & Plus are charged per User
• Licenses applied to all devices needed

ASA + AC Support Matrix

| | AC Mobile 3.x | AC Mobile 4.x | AC Desktop 3.x | AC Desktop 4.x |
|---|---|---|---|---|
| End of Sale Announcement | Q4 CY 2014 | N/A | Q4 CY 2014 | N/A |
| End of New OS Support | Q2 CY 2015 | N/A | Q2 CY 2015 | N/A |
| End-of-Sale Date (All AC and ASA+AC SKUs) | Q2 CY 2015 | NA | Q2 CY 2015 | NA |
| 5500 | ✔ | ✔ | ✔ | ✔ |
| 5500-X | ✔ | ✔ | ✔ | ✔ |

Standard End of Sale Policies Apply

Frequently Answered Questions
Does a customer need to upgrade to Plus/Apex from Essentials/Premium?
• AnyConnect Plus/Apex licenses required for AnyConnect 4.x software (Desktop & Mobile)
• New AnyConnect 4.0 capabilities like Per-app VPN functions will require Plus or Apex licenses along with ASA 5500-X with 9.3.1 or later
• Essentials and Premium licenses and version 3.x AnyConnect software will be phased out but can further be used with current software versions and features
Can AnyConnect 4.x be used without a Plus or Apex license?
• No, with one exception: basic mobile VPN use cases through April 2016 (see below)
• AnyConnect 4.x usage requires Plus or Apex license; this includes Network Access Manager, Cloud Web Security and all VPN use cases, regardless of the Cisco head-end
• AnyConnect 4.x Apex license also authorizes clientless SSL VPN
How is the 4.x conversion being handled for the mobile versions of AnyConnect?
• Customer cannot remain on old versions of AnyConnect for iOS & Android
• All 3.x customers will be permitted to utilize AnyConnect 4.x on mobile devices until April 30, 2016
• After this date, a customer will no longer be entitled to utilize AnyConnect on mobile devices without converting licensing models
• The Per App VPN capabilities in AnyConnect 4.0 are not available to customers using the original AnyConnect Essentials/Premium licenses

General Things to Consider
• Not tied to specific ASA release though some features like per app will only work with 9.3.x+
• Don’t have to move to AC 4.x right away but should start planning, particularly if interested in:
  - New PC/Mobile OS support
  - New features
• Special migration offers for existing customers reduce financial impact with even more services (e.g. ISE context sharing)

How to Design a Deployment?
Users
o How many users will utilize AC services?
Services
o How many users need basic services?
o How many users need advanced services?
Headend Sizing
o How many active sessions at any given time?
o What headend platform/s?
o How many locations?
It’s important to understand that Users/Services and Headend Sizing are decoupled completely
Much easier to scale the deployment, even afterwards
[Diagram labels: PLUS, APEX, Cisco Web Security, Cisco ASA, Cisco ISE, Router]

Migration Strategy
Yes, there is no migration offer for Plus perpetual !!
Existing AC licenses AC APEX Migration Licenses ($0 for 3 Yr, Any User Count)
Premium (Perpetual)
Shared (Perpetual)
AC PLUS Migration Licenses (50% Discount on 5/3/1 Yr licenses, Any User Count)
Old ASA New ASA
APEX (Term)
PLUS (Term)
PLUS (Term)
Essentials (Perpetual)
Non-Lic (NAM, CWS)
Thank you.