Cisco Cisco ASA 5555-X Adaptive Security Appliance
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
The Apple iOS Connect on Demand feature enables the establishment of VPN connections specified in the
domain list without user interactions. All applications on the device, including Cisco Jabber, can take advantage of
this feature. Connect on Demand supports only certificate-authenticated connections.
Three options are available with this feature:
Always Connect: For domains in the Always Connect list, Apple iOS will always attempt to initiate a VPN
connection.
Connect If Needed: For domains in the Connect If Needed list, Apple iOS will attempt to initiate a VPN
connection only if it cannot resolve the address using DNS.
Never Connect: Apple iOS will never attempt to initiate a VPN connection to addresses in the Never Connect list.
Figure 3. Domain List for On-Demand VPN
Step 1. In the AnyConnect client profile, define an on-demand domain list under the Connect If Needed list. The
domain list can include wild-card options, such as .cisco.com (Figure 3). As explained earlier, this profile
can be created using the ASDM profile editor or iPCU or MDM software.
Step 2. Configure the On-Demand VPN URL as part of the Jabber device settings under Cisco Unified
Communications Manager. For example, let’s say we entered ccm-sjc-1.cisco.com as the On-Demand
VPN URL (see Appendix A1).
When Jabber is launched, it will initiate a DNS query for ccm-sjc-1.cisco.com. Because this hostname matches the
On-Demand domain list entry (.cisco.com) defined in Step 1, the AnyConnect VPN connection will be initiated.
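The list behavior described above, modeled as an added Python example (not Cisco or Apple code, and not part of the original document) for checking which lookups a given domain list would trigger. Matching on label boundaries, the precedence of Never over Always over Connect If Needed, and all function and variable names are assumptions of this sketch.

```python
# Added illustration (not Cisco or Apple code). Suffix matching on label
# boundaries and the Never > Always > If Needed precedence are assumptions.

def domain_matches(hostname, entry):
    """True if hostname falls under a domain-list entry such as '.cisco.com'."""
    host = hostname.lower().rstrip(".")
    ent = entry.lower().rstrip(".")
    if ent.startswith("."):
        return host.endswith(ent)          # wildcard: any host below the domain
    return host == ent or host.endswith("." + ent)


def on_demand_decision(hostname, lists, dns_resolves):
    """Return 'connect' or 'no-vpn' for one lookup made by an app on the device."""
    def hit(name):
        return any(domain_matches(hostname, e) for e in lists.get(name, []))

    if hit("never"):
        return "no-vpn"
    if hit("always"):
        return "connect"
    if hit("if_needed"):
        # Connect If Needed fires only when DNS resolution fails.
        return "no-vpn" if dns_resolves else "connect"
    return "no-vpn"


def audit(lists, lookups):
    """Return (hostname, dns_resolves, decision) for each constructed lookup."""
    return [(h, ok, on_demand_decision(h, lists, ok)) for h, ok in lookups]


# Constructed sample: the domain list from Step 1 and the URL from Step 2.
PROFILE = {"always": [], "if_needed": [".cisco.com"], "never": []}
LOOKUPS = [
    ("ccm-sjc-1.cisco.com", False),  # outside the network: name does not resolve
    ("ccm-sjc-1.cisco.com", True),   # name resolves: no VPN is started
    ("notcisco.com", False),         # not under .cisco.com, so no match
]

if __name__ == "__main__":
    for host, resolves, decision in audit(PROFILE, LOOKUPS):
        print(f"{host:22} resolves={resolves!s:5} -> {decision}")
```

Under Connect If Needed, an On-Demand VPN URL that resolves in DNS reachable from outside the network does not start the tunnel, so the hostname chosen in Step 2 should be checked against external DNS.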
Note: There is a known defect (CDETS): The On-Demand VPN functionality does not work with Jabber on the
iPad. However, it does currently function with the Apple iPhone version.