Cisco ASA 5555-X Adaptive Security Appliance Release Notes
Release Notes for Cisco ASDM, Version 6.4(x)
New Features
Mobile Posture (formerly referred to as AnyConnect Identification Extensions for Mobile Device Detection)
You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or
disable mobile device access on a per-group basis, and gather information about connected mobile
devices based on the mobile device posture data. The following mobile platforms support this
capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version
2.4.x. You do not need to enable CSD to configure these attributes in ASDM.
Licensing Requirements
Enforcing remote access controls and gathering posture data from mobile devices requires an
AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license
to be installed on the ASA. You receive the following functionality based on the license you install:
• AnyConnect Premium License Functionality
Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies,
on supported mobile devices, based on these DAP attributes and any other existing endpoint
attributes. This includes allowing or denying remote access from a mobile device.
• AnyConnect Essentials License Functionality
Enterprises that install the AnyConnect Essentials license will be able to do the following:
– Enable or disable mobile device access on a per-group basis and to configure that feature using ASDM.
– Display information about connected mobile devices via CLI or ASDM without having the ability to enforce DAP policies or deny or allow remote access to those mobile devices.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add/Edit Endpoint Attributes > Endpoint Attribute Type: AnyConnect.
Also available in Version 8.4(2).
Split Tunnel DNS policy for AnyConnect
This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for
resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL
or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through
the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client
does not try to resolve the address through public DNS servers.
By default, this feature is disabled. The client sends DNS queries over the tunnel according to the
split tunnel policy—tunnel all networks, tunnel networks specified in a network list, or exclude
networks specified in a network list.
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > Group Policies > Add/Edit Group Policy > Advanced > Split Tunneling (see the Send All
DNS Lookups Through Tunnel check box).
Also available in Version 8.4(2).
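As an added example (not part of the Cisco release notes), the following Python check reads an ASA running-config excerpt and lists group policies that split-tunnel traffic while leaving the "Send All DNS Lookups Through Tunnel" setting off, so their DNS queries follow the split tunnel policy. It assumes the CLI equivalents `split-tunnel-policy` and `split-tunnel-all-dns`, treats an unset value as the default, and does not model inheritance from the default group policy; the sample config and group names are constructed.

```python
import re

# Constructed sample running-config excerpt; policy and ACL names are made up.
SAMPLE_CONFIG = """\
group-policy SALES internal
group-policy SALES attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
group-policy ENG attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-all-dns enable
group-policy FULL attributes
 split-tunnel-policy tunnelall
group-policy MOBILE attributes
 split-tunnel-policy excludespecified
 split-tunnel-all-dns disable
"""

def parse_group_policies(config):
    """Return {policy: {attribute: value}} from 'group-policy X attributes' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) >= 2 and parts[0] in ("split-tunnel-policy", "split-tunnel-all-dns"):
                current[parts[0]] = parts[1]
        else:
            current = None  # any other top-level line ends the attributes block
    return policies

def split_dns_findings(config):
    """List (policy, mode) pairs that split-tunnel without forcing all DNS into the tunnel."""
    findings = []
    for name, attrs in parse_group_policies(config).items():
        mode = attrs.get("split-tunnel-policy", "tunnelall")  # assumed default: tunnel all
        # Unset counts as disabled, the default stated in the release note.
        all_dns = attrs.get("split-tunnel-all-dns", "disable")
        if mode in ("tunnelspecified", "excludespecified") and all_dns != "enable":
            findings.append((name, mode))
    return sorted(findings)

if __name__ == "__main__":
    for name, mode in split_dns_findings(SAMPLE_CONFIG):
        print(f"{name}: {mode} without 'split-tunnel-all-dns enable'")
```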
Table 10. New Features for ASA Version 8.2(5)/ASDM Version 6.4(3) (continued)
Feature | Description