Cisco Secure Client (AnyConnect)
Institutes and facilities of TU Dresden can use the Cisco Secure Client (AnyConnect) software to get protected access from their respective institute networks to the TU Dresden network.
Cisco Secure Client (AnyConnect) builds its VPN tunnel over the default SSL port (TCP 443) and the DTLS port (UDP 443). Both ports must be open in your firewall; otherwise performance may suffer (if UDP 443 is blocked, the client falls back to the slower TCP transport).
When the VPN connection is established, your PC receives an IP address from the respective network.
Cisco Secure Client (AnyConnect) offers the following advantages:
- noticeably fewer connection problems from external networks, because HTTPS is less restricted than IPsec VPN
- automatic reconnection after a network change, e.g. via WLAN
- significantly easier installation of the software
- automatic software updates via the VPN gateway
- a Linux version that is independent of the kernel version
Installation
Secure Client (AnyConnect) is supported by the following operating systems:
| Operating system | Automatic installation via browser | Configuration for manual installation | Supported versions |
|---|---|---|---|
| Windows 10 and 11, x86 (32-bit) and x64 (64-bit) | Yes | Windows | Windows 11 (64-bit) and currently Microsoft-supported versions of Windows 10 x86 (32-bit) and x64 (64-bit) |
| Linux 64-bit | No | Linux 64-bit | Officially supported: Red Hat Linux 9.x and 8.x, Ubuntu LTS 22.04 and 20.04 (may also work with other distributions) |
| Apple | Yes | Apple | iPhone: iOS 13.0 or newer. iPad: iPadOS 13.0 or newer. iPod touch: iOS 13.0 or newer. Mac: macOS 11.0 (or newer) and a Mac with Apple M1 chip (or newer). |
| Android | No | Android | Current version as listed in the store |
Cisco AnyConnect Software
The Cisco Secure Client (AnyConnect) software is required to use the SSL VPN. Due to trademark and licensing restrictions, the software can only be downloaded with a valid ZIH login. Administrator rights are required for the first installation.
As of 11.01.2024 the VPN gateway presents a new server certificate, which Secure Client (AnyConnect) validates against the new TU Dresden root certificate chain:
VPNSectigoChain.pem
If you get an error such as "Untrusted VPN server certificate", import this root certificate chain into the trusted root certificate store of your local system.
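The import described above, as an added example for Windows (not from the ZIH page): it reads VPNSectigoChain.pem, shows every certificate in it so you can inspect subject, issuer and thumbprint before trusting anything, and then places only the self-signed root in the Trusted Root store and intermediates in the Intermediate CA store. The file path is an assumption; the file is assumed to be a concatenation of PEM "CERTIFICATE" blocks. Run from an elevated PowerShell.

```powershell
# Added example (not from the ZIH page): inspect VPNSectigoChain.pem and put each
# certificate in the matching Windows store. Path is an assumption; adjust it.
$ChainFile = 'C:\Temp\VPNSectigoChain.pem'

function Get-PemCertificates {
    param([string]$Path)
    $pem = Get-Content -Path $Path -Raw
    # split the file into individual PEM blocks (one X.509 certificate each)
    $pattern = '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($pem, $pattern)) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($m.Value)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    }
}

$certs = Get-PemCertificates -Path $ChainFile
# Show what you are about to trust before importing anything.
$certs | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize

foreach ($cert in $certs) {
    # Only a self-signed CA belongs in "Trusted Root Certification Authorities";
    # intermediates go to "Intermediate Certification Authorities" (store name CA).
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)   # Add is idempotent: an already present certificate is skipped
    $store.Close()
    Write-Host "Imported $($cert.Thumbprint) into LocalMachine\$storeName"
}
```

Compare the printed thumbprints with the ones shown by the ZIH before running the import; a chain file from anywhere other than the address given below must not be trusted.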
Windows - ATTENTION: before upgrading Windows, uninstall the Cisco Secure Client (AnyConnect) software. Otherwise it may no longer work after the upgrade.
The installation files for Windows have to be saved as *.msi files and the transform file as *.mst. If this does not happen automatically, right-click on the link and choose "Save target as...". Then select "All files" and complete the file name with ".msi" or ".mst" respectively. The file is then saved correctly.
TAKE CARE: check that the correct address is displayed in the URL bar of the browser:
"https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/vpn/ssl_vpn"
You should also check the authenticity of the certificate by clicking the small lock symbol to the left of the URL. The connection must be secure and the certificate valid; otherwise the website is a fake that is trying to phish your credentials or offer you malware for download, in which case you should contact the Service Desk.
Version AnyConnect (Secure Client) 5.1.6.103
- AnyConnect for Linux 64bit (Version 5.1.6.103)
- AnyConnect for Windows (Version 5.1.6.103)
- When using the NAM module for 802.1X, download the AnyConnect MSI, the .mst file AND the NAM module file before starting the installation. Then install the AnyConnect VPN client first and the NAM module right after that.
- Transform file (.mst) for Windows - turns Customer Experience Feedback (CEF) off. To apply the transform file, run the following command in a cmd window (CEF is then turned OFF):
msiexec -i cisco-secure-client-win-5-1-6-103-core-vpn-predeploy-k9.msi TRANSFORMS=anyconnect-win-disable-customer-experience-feedback_5-1-6-103.mst
- NAM (Version 5.1.6.103) - Network Access Management tool for Windows, for network access management in Windows when using 802.1X for network authentication on dyport.
  - To manage both cable and WiFi data network connections via the NAM module, copy the file tud-nam-profile.nsp to C:\ProgramData\Cisco\Cisco Secure Client\Network Access Manager\system and rename it to "configuration.xml".
  - To manage only cable data network connections via the NAM module and WiFi connections via the on-board tools of the Windows operating system, copy the file tud-nam-profile_NoWifi.nsp to C:\ProgramData\Cisco\Cisco Secure Client\Network Access Manager\system and rename it to "configuration.xml".
- PE (Version 5.1.6.103) - Profile Editor tool for Windows
- DART (Version 5.1.6.103) - analysis tool for AnyConnect errors in Windows
- SBL (Version 5.1.6.103) - module for Start Before Logon (SBL)
- AnyConnect for macOS can no longer be made available via WebCMS. As soon as the software is activated on the VPN gateway it can be downloaded via https://vpn2.zih.tu-dresden.de (log in with your ZIH credentials <username>@tu-dresden.de and password).
Version AnyConnect 4.10.08025
- AnyConnect for Linux 64bit (Version 4.10.08025)
- AnyConnect for Mac OS X on ARM and Intel Platform (Version 4.10.08025)
- AnyConnect for Windows (Version 4.10.08025)
- Transform file (.mst) for Windows - turns Customer Experience Feedback (CEF) off. To apply the transform file, run the following command in a cmd window (CEF is then turned OFF):
msiexec -i anyconnect-win-4_10_08025-core-vpn-predeploy-k9.msi TRANSFORMS=anyconnect-win-disable-customer-experience-feedback-4_10_08025.mst
- NAM (Version 4.10.08025) - Network Access Management tool for Windows, for network access management in Windows when using 802.1X for network authentication on dyport.
  - To manage both cable and WiFi data network connections via the NAM module, copy the file tud-nam-profile.nsp to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system and rename it to "configuration.xml".
  - To manage only cable data network connections via the NAM module and WiFi connections via the on-board tools of the Windows operating system, copy the file tud-nam-profile_NoWifi.nsp to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system and rename it to "configuration.xml".
- PE (Version 4.10.08025) - Profile Editor Tool for Windows
- DART (Version 4.10.08025) - AnyConnect problem analyzer for Windows
- GINA (Version 4.10.08025) - module for Start Before Logon (SBL)
- AnyConnect for Windows ARM (Version 4.10.08025)
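The Windows deployment steps listed above for both the 5.1.6.103 and the 4.10.08025 packages (core client with the CEF-off transform, then the NAM module, then the .nsp profile renamed to configuration.xml), as an added scripted example that is not from the ZIH page. It refuses to run msiexec on a package whose Authenticode signature is missing, invalid, or not issued to Cisco, which is the check the phishing warning in the download section calls for. The source folder, the NAM package file name (placeholder) and the expected signer subject pattern are assumptions; the ProgramData folder name differs between the two product versions as noted in the code. Run from an elevated PowerShell.

```powershell
# Added example (not from the ZIH page): verified, unattended install of the Windows
# packages. $Src and the NAM package name are assumptions/placeholders; adjust them.
$Src     = 'C:\Temp\anyconnect'
$CoreMsi = Join-Path $Src 'cisco-secure-client-win-5-1-6-103-core-vpn-predeploy-k9.msi'
$Mst     = Join-Path $Src 'anyconnect-win-disable-customer-experience-feedback_5-1-6-103.mst'
$NamMsi  = Join-Path $Src 'NAM-PACKAGE-NAME-PLACEHOLDER.msi'   # the NAM file you downloaded
$NspFile = Join-Path $Src 'tud-nam-profile.nsp'                 # or tud-nam-profile_NoWifi.nsp
# Product folder: 'Cisco Secure Client' for 5.x,
# 'Cisco AnyConnect Secure Mobility Client' for 4.10.08025.
$NamDir  = 'C:\ProgramData\Cisco\Cisco Secure Client\Network Access Manager\system'

function Assert-CiscoSigned {
    param([string]$Path)
    # Do not install a package whose Authenticode signature is missing, broken,
    # or issued to anyone but Cisco. The subject pattern is an assumption.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*Cisco Systems*') {
        throw "Signature check failed for ${Path}: $($sig.Status) / $($sig.SignerCertificate.Subject)"
    }
}

function Install-Msi {
    param([string]$Msi, [string]$Transform)
    $msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart')
    if ($Transform) { $msiArgs += "TRANSFORMS=`"$Transform`"" }   # CEF-off transform
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but reboot required
    if ($p.ExitCode -notin @(0, 3010)) { throw "msiexec returned $($p.ExitCode) for $Msi" }
}

Assert-CiscoSigned $CoreMsi
Assert-CiscoSigned $NamMsi
Install-Msi -Msi $CoreMsi -Transform $Mst   # VPN core client first ...
Install-Msi -Msi $NamMsi                    # ... then the NAM module
# Deploy the 802.1X profile: copy the .nsp into the NAM system folder as configuration.xml
New-Item -ItemType Directory -Path $NamDir -Force | Out-Null
Copy-Item -Path $NspFile -Destination (Join-Path $NamDir 'configuration.xml') -Force
```

The .mst transform is not checked because transform files normally carry no Authenticode signature; obtain it only from the ZIH address given above.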
!! Older versions are no longer recommended due to vulnerabilities !!
Old AnyConnect versions for "Windows Mobile" (no longer supported).
Tunnel-Groups
When starting Cisco AnyConnect, different tunnel groups can be selected under "Group:". They are explained here:
- A-Tunnel-TU-Networks
Data network connections to all TU networks go through the VPN tunnel, i.e. to: 141.30.0.0/16, 141.76.0.0/16, 172.16.0.0/12, 192.168.0.0/16
- B-Tunnel-Public-TU-Networks
Data network connections to the public TU networks go through the VPN tunnel, i.e. to: 141.30.0.0/16, 141.76.0.0/16
- C-Tunnel-All-Networks
All data network connections go through the VPN tunnel
- TUD-vpn-lic
Used exclusively for access to the license server (MathCAD and others).
Authorisation is via the DOM domain (the user must be explicitly entered by their IT administrator into a specific Active Directory group of the DOM domain).
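A post-connection check for the tunnel groups described above, as an added example that is not from the ZIH page: it lists the prefixes each group is supposed to route through the tunnel and verifies that those routes are bound to the VPN adapter, so a user can confirm that a split-tunnel or full-tunnel choice actually took effect. Assumptions: the VPN adapter alias starts with "Cisco", and C-Tunnel-All-Networks shows up as a default route (0.0.0.0/0) on that adapter; TUD-vpn-lic is omitted because the page gives no prefix for it.

```powershell
# Added example (not from the ZIH page): confirm that the routes the chosen tunnel
# group should push are present on the VPN adapter. Adapter pattern is an assumption.
$VpnAdapterPattern = 'Cisco*'
$ExpectedPrefixes = @{
    'A-Tunnel-TU-Networks'        = @('141.30.0.0/16', '141.76.0.0/16', '172.16.0.0/12', '192.168.0.0/16')
    'B-Tunnel-Public-TU-Networks' = @('141.30.0.0/16', '141.76.0.0/16')
    'C-Tunnel-All-Networks'       = @('0.0.0.0/0')   # assumption: full tunnel = default route on VPN adapter
}

function Test-TunnelGroupRoutes {
    param([Parameter(Mandatory)][string]$Group)
    if (-not $ExpectedPrefixes.ContainsKey($Group)) { throw "Unknown tunnel group '$Group'" }
    # Only routes bound to the VPN adapter count: a default route on the physical NIC
    # exists anyway and says nothing about the tunnel.
    $onVpn = (Get-NetRoute -AddressFamily IPv4 |
              Where-Object { $_.InterfaceAlias -like $VpnAdapterPattern }).DestinationPrefix
    $missing = $ExpectedPrefixes[$Group] | Where-Object { $_ -notin $onVpn }
    if ($missing) {
        Write-Warning "Routes expected for $Group but not on the VPN adapter: $($missing -join ', ')"
        return $false
    }
    Write-Host "All routes for $Group are present on the VPN adapter."
    return $true
}

Test-TunnelGroupRoutes -Group 'A-Tunnel-TU-Networks'
```

If the VPN adapter is not found at all, every expected prefix is reported as missing, which is the intended outcome for a connection that did not come up.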