Cisco Cisco ASA 5555-X Adaptive Security Appliance

Page 8 of 16

The Apple iOS Connect on Demand feature enables the establishment of VPN connections specified in the

domain list without user interactions. All applications on the device, including Cisco Jabber, can take advantage of

this feature. Connect on Demand supports only certificate-authenticated connections.

Three options are available with this feature.

Always Connect: For domains in the Always Connect list, Apple iOS will always attempt to initiate a VPN

connection.

Connect If Needed: For domains in the Connect If Needed list, Apple iOS will attempt to initiate a VPN

connection only if it could not resolve the address using DNS.

Never Connect: Apple iOS will never attempt to initiate a VPN connection to addresses in the Never Connect list.

Figure 3. Domain List for On-Demand VPN

Step 1. In the AnyConnect client profile, define an on-demand domain list under the Connect If Needed list. The

domain list can include wild-card options, such as .cisco.com (Figure 3). As explained earlier, this profile
can be created using the ASDM profile editor or iPCU or MDM software.

Step 2. Configure the On-Demand VPN URL as part of the Jabber device settings under Cisco Unified

Communications Manager. For example, let’s say we entered ccm-sjc-1.cisco.com as the On-Demand
VPN URL (See Appendix A1).

When Jabber is launched, it will initiate a DNS query to the URL ccm-sjc-1.cisco.com. Since this URL matches the

On-Demand domain list entry (.cisco.com) defined in step 1, the AnyConnect VPN connection will be initiated.

Note: There is a known defect (CDETS): The On-Demand VPN functionality does not work with Jabber on the

iPad. However, It does currently function with the Apple iPhone version.