Cisco Cisco ScanSafe Wi-Fi Hotspot Security
Cisco CWS – AnyConnect Web Security Deployment Guide
Configure AnyConnect Secure Mobile Client – Web Security Module
This document is intended to provide an overview of the deployment process. For more detailed
information and troubleshooting, please refer to the
Create an AnyConnect Web Security Service Profile Using the stand-alone Profile Editor
A service profile is simply a file containing configuration settings for the AnyConnect Web Security client.
This includes, but is not limited to, the ports AnyConnect Web Security will monitor for traffic, any
conversations between the client and host that AnyConnect Web Security should not broker, how
AnyConnect Web Security connects to scanning towers, client authentication to the Cisco Cloud Web
Security service, the service password for disabling the AnyConnect Web Security service, and end-user
identification for the purposes of web filtering policy and reporting.
The stand-alone service Profile Editor is an application that provides a GUI for creating and editing the
service profile. This application saves the configuration settings in a clear-text XML file, which can be used
to make changes to the service profile. It also writes an encrypted copy of the configuration settings to a
secondary WSO file, which the AnyConnect Web Security client uses to configure itself.
*Note: The stand-alone AnyConnect Web Security Profile Editor can be downloaded from
your ScanCenter portal Admin Download Secure Mobility AnyConnect Profile Editor
There are two conventions to bear in mind when using the pre-deploy or network push method. First, the
service profile name must be exactly websecurity_serviceprofile. It is not case-sensitive. Second, the
profile must be saved to a particular location. From the root of the installation point, you should have a
profiles folder containing a web security folder. It is the web security folder in which the MSI installer
expects to find the websecurity_serviceprofile.wso file. The xml version of the service profile can reside
here too, but technically there is no need for it.
*Note: For security reasons, Cisco recommends the xml file be saved to a location where users do not
have read access, as a service password can clearly be read from the .xml service profile.
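A pre-deployment check for the two conventions and the note above, as an added example (not part of Cisco's guide). The function name `Test-WebSecurityStaging` is hypothetical, the on-disk folder name `websecurity` is an assumption, and the staging path in the final comment is constructed.

```powershell
# Added example: checks a staging root before the MSI installer is run.
function Test-WebSecurityStaging {
    param(
        [Parameter(Mandatory)] [string] $InstallRoot,
        [string] $WebSecFolder = 'websecurity'   # assumed on-disk name of the "web security" folder
    )
    # Well-known SIDs for Everyone, Authenticated Users and BUILTIN\Users.
    # SIDs are used instead of names so the check also works on localized Windows.
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
    $findings  = @()

    $profileDir = Join-Path (Join-Path $InstallRoot 'profiles') $WebSecFolder
    if (-not (Test-Path -LiteralPath $profileDir -PathType Container)) {
        return @("Missing folder: $profileDir")
    }

    # Convention 1 and 2: websecurity_serviceprofile.wso must sit in this folder.
    # -ieq compares case-insensitively, matching the guide's statement about the name.
    $wso = Get-ChildItem -LiteralPath $profileDir -File |
        Where-Object { $_.Name -ieq 'websecurity_serviceprofile.wso' }
    if (-not $wso) {
        $findings += "No websecurity_serviceprofile.wso in $profileDir"
    }

    # The clear-text XML exposes the service password: report any copy left in
    # the profile folder that ordinary users are allowed to read.
    $xmlFiles = Get-ChildItem -LiteralPath $profileDir -File |
        Where-Object { $_.Extension -ieq '.xml' }
    foreach ($file in $xmlFiles) {
        $acl   = Get-Acl -LiteralPath $file.FullName
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $isBroad    = $broadSids -contains $rule.IdentityReference.Value
            $allowsRead = ($rule.AccessControlType -eq 'Allow') -and
                          (($rule.FileSystemRights -band $readData) -eq $readData)
            if ($isBroad -and $allowsRead) {
                $findings += "$($file.FullName) is readable by SID $($rule.IdentityReference.Value)"
            }
        }
    }
    return $findings
}

# Example invocation (constructed path); an empty result means no findings:
# Test-WebSecurityStaging -InstallRoot 'D:\AnyConnectStaging'
```

The check reads ACL entries only; it does not evaluate share permissions on a network push location, so those need a separate review.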
Reference video:
Be sure to have the following before you begin:
Ingress IPs of VPN gateways if using a VPN client in split tunnel mode
Authentication license key
NetBIOS domain name
Step 1:
Download the AnyConnect Profile Editor to the desktop of the server that will be hosting the
AnyConnect Secure Mobility deployment installation files. The Profile Editor can be installed on any
Windows-based machine. It does not need to be a server.
*Note: The AnyConnect Profile Editor is only available for Windows
Step 2:
Run the installer. Select Custom Install. You will only need the Cisco Web Security Profile
Editor. All others can be deselected.