The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
||
|
Step 2 |
||
|
Step 3 |
||
|
Step 4 |
Service discovery enables clients to automatically detect and locate services on your enterprise network. Expressway for Mobile and Remote Access allows you to access the services on your enterprise network. You should meet the following requirements to enable the clients to connect through Expressway for Mobile and Remote Access and discover services:
DNS requirements
Certificate requirements
Test external SRV _collab-edge.
The DNS requirements for service discovery through remote access are:
Configure a _collab-edge DNS SRV record on an external DNS server.
Configure a _cisco-uds DNS SRV record on the internal name server.
Optionally, for a hybrid cloud-based deployment with different domains for the IM and Presence server and the voice server, configure the Voice Services Domain to locate the DNS server with the _collab-edge record.
 Note |
Jabber attempts connections to a maximum of three SSO-enabled servers, which are chosen randomly from all SSO-enabled servers that the DNS SRV records (_collab-edge and _cisco-uds) identify. If Jabber fails to connect three times, it considers Edge SSO unsupported. |
Before you configure remote access, download the Cisco VCS Expressway and Cisco Expressway-E Server certificate. The Server certificate is used for both HTTP and XMPP.
For more information on configuring Cisco VCS Expressway certificate, see Configuring Certificates on Cisco VCS Expressway.
After creating your SRV records test to see if they are accessible.
 Tip |
You can also use the SRV check tool on the Collaboration Solutions Analyzer site if you prefer a web-based option. |
|
Step 1 |
Open a command prompt. |
|
Step 2 |
Enter nslookup. The default DNS server and address is displayed. Confirm that this is the expected DNS server. |
|
Step 3 |
Enter set type=SRV. |
|
Step 4 |
Enter the name for each of your SRV records. For example,
|
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
||
|
Step 2 |
||
|
Step 3 |
||
|
Step 4 |
After you download the Cisco AnyConnect Secure Mobility Client to their device, the ASA must provision a configuration profile to the application.
The configuration profile for the Cisco AnyConnect Secure Mobility Client includes VPN policy information such as the company ASA VPN gateways, the connection protocol (IPSec or SSL), and on-demand policies.
You can provision application profiles for Cisco Jabber for iPhone and iPad in one of the following ways:
We recommend that you use the profile editor on the ASA Device Manager (ASDM) to define the VPN profile for the Cisco AnyConnect Secure Mobility Client.
When you use this method, the VPN profile is automatically downloaded to the Cisco AnyConnect Secure Mobility Client after the client establishes the VPN connection for the first time. You can use this method for all devices and OS types, and you can manage the VPN profile centrally on the ASA.
For more information, see the Creating and Editing an AnyConnect Profile topic of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release.
You can provision iOS devices using an Apple configuration profile that you create with the iPhone Configuration Utility (iPCU). Apple configuration profiles are XML files that contain information such as device security policies, VPN configuration information, and Wi-Fi, mail, and calendar settings.
The high-level procedure is as follows:
Use iPCU to create an Apple configuration profile.
For more information, see the iPCU documentation.
Export the XML profile as a .mobileconfig file.
Email the .mobileconfig file to users.
After a user opens the file, it installs the AnyConnect VPN profile and the other profile settings to the client application.
You can provision iOS devices using an Apple configuration profile that you create with third-party Mobile Device Management (MDM) software. Apple configuration profiles are XML files that contain information such as device security policies, VPN configuration information, and Wi-Fi, mail, and calendar settings.
The high-level procedure is as follows:
Use MDM to create the Apple configuration profiles.
For information on using MDM, see the Apple documentation.
Push the Apple configuration profiles to the registered devices.
To provision application profiles for Cisco Jabber for Android, use the profile editor on the ASA Device Manager (ASDM) to define the VPN profile for the Cisco AnyConnect Secure Mobility Client. The VPN profile is automatically downloaded to the Cisco AnyConnect Secure Mobility Client after the client establishes the VPN connection for the first time. You can use this method for all devices and OS types, and you can manage the VPN profile centrally on the ASA. For more information, see the Creating and Editing an AnyConnect Profile topic of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release.
When users open Cisco Jabber from outside the corporate Wi-Fi network, Cisco Jabber needs a VPN connection to access the Cisco UC application servers. You can set up the system to allow Cisco AnyConnect Secure Mobility Client to automatically establish a VPN connection in the background, which helps ensure a seamless user experience.
Note |
Even if VPN is set to automatic connection, VPN is not launched before Expressway Mobile and Remote Access because that has the higher connection priority. |
The Trusted Network Detection feature enhances the user experience by automating the VPN connection based on the user's location. When the user is inside the corporate Wi-Fi network, Cisco Jabber can reach the Cisco UC infrastructure directly. When the user leaves the corporate Wi-Fi network, Cisco Jabber automatically detects that it is outside the trusted network. After this occurs, Cisco AnyConnect Secure Mobility Client initiates the VPN to ensure connectivity to the UC infrastructure.
Note |
The Trusted Network Detection feature works with both certificate- and password-based authentication. However, certificate-based authentication provides the most seamless user experience. |
|
Step 1 |
Using ASDM, open the Cisco AnyConnect client profile. |
||
|
Step 2 |
Enter the list of Trusted DNS Servers and Trusted DNS Domain Suffixes that an interface can receive when the client is within a corporate Wi-Fi network. The Cisco AnyConnect client compares the current interface DNS servers and domain suffix with the settings in this profile.
|
The Apple iOS Connect On Demand feature enhances the user experience by automating the VPN connection based on the user's domain.
When the user is inside the corporate Wi-Fi network, Cisco Jabber can reach the Cisco UC infrastructure directly. When the user leaves the corporate Wi-Fi network, Cisco AnyConnect automatically detects if it is connected to a domain that you specify in the AnyConnect client profile. If so, the application initiates the VPN to ensure connectivity to the UC infrastructure. All applications on the device including Cisco Jabber can take advantage of this feature.
Note |
Connect On Demand supports only certificate-authenticated connections. |
The following options are available with this feature:
Always Connect — Apple iOS always attempts to initiate a VPN connection for domains in this list.
Connect If Needed — Apple iOS attempts to initiate a VPN connection to the domains in the list only if it cannot resolve the address using DNS.
Never Connect — Apple iOS never attempts to initiate a VPN connection to domains in this list.
Attention |
Apple plans to remove the Always Connect option in the near future. After the Always Connect option is removed, users can select the Connect If Needed option. In some cases, Cisco Jabber users may have issues when using the Connect If Needed option. For example, if the hostname for the Cisco Unified Communications Manager is resolvable outside the corporate network, iOS will not trigger a VPN connection. The user can work around this issue by manually launching Cisco AnyConnect Secure Mobility Client before making a call. |
|
Step 1 |
Use the ASDM profile editor, iPCU, or MDM software to open the AnyConnect client profile. |
|
Step 2 |
In the AnyConnect client profile, under the Connect if Needed section, enter your list of on-demand domains. The domain list can include wild-card options (for example, cucm.cisco.com, cisco.com, and *.webex.com). |
The mobile device must be set up for on-demand access to VPN with certificate-based authentication. For assistance with setting up VPN access, contact the providers of your VPN client and head end.
For requirements for Cisco AnyConnect Secure Mobility Client and Cisco Adaptive Security Appliance, see the Software Requirements topic.
For information about setting up Cisco AnyConnect, see the Cisco AnyConnect VPN Client Maintain and Operate Guides.
|
Step 1 |
Identify a URL that will cause the client to launch VPN on Demand. |
|
Step 2 |
Open the Cisco Unified CM Administration interface. |
|
Step 3 |
Navigate to the device page for the user. |
|
Step 4 |
In the Product Specific Configuration Layout section, in the On-Demand VPN URL field, enter the URL that you identified and used in Cisco AnyConnect in Step 1. The URL must be a domain name only, without a protocol or path. |
|
Step 5 |
Select Save. When Cisco Jabber opens, it initiates a DNS query to the URL. If this URL matches the On-Demand domain list entry that you defined in this procedure (for example, cisco.com), Cisco Jabber indirectly initiates the AnyConnect VPN connection. |
Test this feature.
Enter the URL into the Internet browser on the iOS device and verify that VPN launches automatically. You should see a VPN icon in the status bar.
Verify that the iOS device can connect to the corporate network using VPN. For example, access a web page on your corporate intranet. If the iOS device cannot connect, contact the provider of your VPN technology.
Verify with your IT department that your VPN does not restrict access to certain types of traffic (for example, if the administrator set the system to allow only email and calendar traffic).
Verify that you set up the client to connect directly to the corporate network.
For detailed information on AnyConnect requirements and deployments review the documentation for your release at the following: https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-user-guide-list.html
You can configure ASA session parameters to improve performance for secure connections. For the best user experience, you should configure the following ASA session parameters:
Datagram Transport Layer Security (DTLS) — DTLS is an SSL protocol that provides a data path that prevents latency and data loss.
Auto Reconnect — Auto reconnect, or session persistence, lets Cisco AnyConnect Secure Mobility Client recover from session disruptions and re-establish sessions.
Session Persistence — This parameter allows the VPN session to recover from service disruptions and re-establish the connection.
Idle Timeout — Idle timeout defines a period of time after which ASA terminates secure connections, if no communication activity occurs.
Dead-Peer Detection (DTD) — DTD ensures that ASA and Cisco AnyConnect Secure Mobility Client can quickly detect failed connections.
We recommend that you set up the ASA session parameters as follows to optimize the end user experience for Cisco AnyConnect Secure Mobility Client.
|
Step 1 |
Set up Cisco AnyConnect to use DTLS. For more information, see the Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections topic in the Configuring AnyConnect Features Using ASDM chapter of the Cisco AnyConnect VPN Client Administrator Guide, Version 2.0. |
|
Step 2 |
Set up session persistence (auto-reconnect).
For more information, see the Configuring Auto Reconnect topic in the Configuring AnyConnect Features chapter (Release 2.5) or Configuring VPN Access chapter (releases 3.0 or 3.1) of the Cisco AnyConnect Secure Mobility Client Administrator Guide for your release. |
|
Step 3 |
Set the idle timeout value.
For more information, see the vpn-idle-timeout section of the Cisco ASA 5580 Adaptive Security Appliance Command Reference for your release |
|
Step 4 |
Set up Dead Peer Detection (DPD).
For more information, see the Enabling and Adjusting Dead Peer Detection topic of the Configuring VPN chapter of the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6. |
Feedback