You can configure your enterprise network server to securely pass corporate information to the user’s device over Cisco's AnyConnect VPN.

To do this, you must perform some steps so that your Adaptive Security Appliance (ASA) firewall recognizes the user’s device and trusts that it belongs to an authorized user. This process is accomplished by authenticating the user and their device with an Identity Certificate issued by an external certificate authority (CA).

Regardless of the ASA firewall equipment or proprietary AnyConnect VPN being configured, the methodology is the same. Before proceeding, ensure you understand the methodology, have the technical expertise, and have a strong understanding of the hardware and software.

Integrate the Firewall with an External CA

First, your firewall must be integrated with an external CA. This step ensures it can trust that incoming Identity Certificates originated from a valid, trusted source and can be used for authentication. Specifically, while configuring Cisco AnyConnect for certificate authentication, this process entails:

  • Disabling the Local CA on the ASA firewall
  • Generating a Certificate Signing Request (CSR) on the ASA firewall
  • Installing the external CA’s certificate on the ASA firewall
  • Installing the Identity Certificate on the ASA firewall

Configure the Firewall for SSL VPN Using Certificate Authentication

The next step is to configure the remaining SSL VPN settings. For Cisco AnyConnect, this process entails:

  • Enabling AnyConnect access (SSL VPN feature)
  • Creating a Group Policy
  • Creating a Connection Profile and Tunnel Group for the AnyConnect client connections
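The firewall-side steps in the two lists above, written out as an added ASA CLI example (this is not configuration from this page, from Cisco, or from Workspace ONE). The trustpoint, pool, policy, tunnel-group and certificate-map names, vpn.example.com, the address range, the AnyConnect package filename and the issuer CN are assumed placeholders; a Connection Profile in ASDM is a tunnel-group in the CLI.

```cisco
! Disable the ASA local CA so only the external CA issues certificates
crypto ca server
 shutdown
!
! Key pair and trustpoint for the external CA; enrollment terminal makes
! "crypto ca enroll" print the CSR on the console instead of using SCEP
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint EXTERNAL-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY
 crl configure
crypto ca enroll EXTERNAL-CA
! Submit the printed CSR to the external CA, then install its certificate
! (paste the CA's own certificate when prompted)
crypto ca authenticate EXTERNAL-CA
! Install the signed Identity Certificate for the ASA (paste when prompted)
crypto ca import EXTERNAL-CA certificate
!
! Enable AnyConnect (SSL VPN) on the outside interface, presenting the
! Identity Certificate from that trustpoint to connecting clients
ssl trust-point EXTERNAL-CA outside
ip local pool VPN-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
!
! Group Policy limited to the AnyConnect SSL client protocol
group-policy GP-CERT-VPN internal
group-policy GP-CERT-VPN attributes
 vpn-tunnel-protocol ssl-client
!
! Connection Profile (tunnel-group) that authenticates by certificate only
tunnel-group TG-CERT-VPN type remote-access
tunnel-group TG-CERT-VPN general-attributes
 address-pool VPN-POOL
 default-group-policy GP-CERT-VPN
tunnel-group TG-CERT-VPN webvpn-attributes
 authentication certificate
 group-alias CERT-VPN enable
!
! Steer only device certificates issued by the trusted external CA into
! that profile (issuer CN is a placeholder; match your CA's subject)
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn eq External CA
webvpn
 certificate-group-map CERT-MAP 10 TG-CERT-VPN
```

After the import, `show crypto ca certificates EXTERNAL-CA` should list both the CA certificate and the ASA's Identity Certificate under the trustpoint before you test a client connection.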

Configure Workspace ONE UEM to Deploy an Identity Certificate and VPN Profile to Devices

At this point, SSL VPN has been properly configured to allow devices to connect with certificates from an external CA. However, it still requires a manual process of generating and deploying Identity Certificates to all devices, and configuring the appropriate VPN settings on each. Automating this process with Workspace ONE UEM entails:

  • Integrating Workspace ONE UEM with the external CA
  • Deploying a VPN and certificate profile to devices
  • Deploying the AnyConnect application to devices