Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
in some cases, AnyConnect prompts the user to enter credentials for every full authentication if the active
profile requires it.
profile requires it.
User Guideline for Cisco Cloud Web Security Behavior with IPv6 Web Traffic
Unless an exception for an IPv6 address, domain name, address range, or wild card is specified, IPv6 web
traffic is sent to the scanning proxy where it performs a DNS lookup to see if there is an IPv4 address for the
URL the user is trying to reach. If the scanning proxy finds an IPv4 address, it uses that for the connection.
If it does not find an IPv4 address, the connection is dropped.
traffic is sent to the scanning proxy where it performs a DNS lookup to see if there is an IPv4 address for the
URL the user is trying to reach. If the scanning proxy finds an IPv4 address, it uses that for the connection.
If it does not find an IPv4 address, the connection is dropped.
If you want all IPv6 traffic to bypass the scanning proxies, you can add this static exception for all IPv6 traffic:
/0. Doing this makes all IPv6 traffic bypass all scanning proxies. This means that IPv6 traffic is not protected
by Cisco Cloud Web Security.
/0. Doing this makes all IPv6 traffic bypass all scanning proxies. This means that IPv6 traffic is not protected
by Cisco Cloud Web Security.
Preventing Other Devices in a LAN from Displaying Hostnames
After one uses AnyConnect to establish a VPN session with Windows 7 or later on a remote LAN, the network
browsers on the other devices in the user’s LAN display the names of hosts on the protected remote network.
However, the other devices cannot access these hosts.
browsers on the other devices in the user’s LAN display the names of hosts on the protected remote network.
However, the other devices cannot access these hosts.
To ensure the AnyConnect host prevents the hostname leak between subnets, including the name of the
AnyConnect endpoint host, configure that endpoint to never become the master or backup browser.
AnyConnect endpoint host, configure that endpoint to never become the master or backup browser.
1
Enter regedit in the Search Programs and Files text box.
2
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters\
3
Double-click MaintainServerList.
The Edit String window opens.
1
Enter No.
2
Click OK.
3
Close the Registry Editor window.
Revocation Message
An AnyConnect certificate revocation warning popup window opens after authentication if AnyConnect
attempts to verify a server certificate that specifies the distribution point of an LDAP certificate revocation
list (CRL) if the distribution point is only internally accessible.
attempts to verify a server certificate that specifies the distribution point of an LDAP certificate revocation
list (CRL) if the distribution point is only internally accessible.
If you want to avoid the display of this popup window, do one of the following:
• Obtain a certificate without any private CRL requirements.
• Disable server certificate revocation checking in Internet Explorer.
Disabling server certificate revocation checking in Internet Explorer can have severe
security ramifications for other uses of the OS.
security ramifications for other uses of the OS.
Caution
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.3
24
Release Notes for AnyConnect Secure Mobility Client, Release 4.3
User Guideline for Cisco Cloud Web Security Behavior with IPv6 Web Traffic