AnyConnect Secure Mobility Client Features, Licenses, And OSs, Release 4

AnyConnect Secure Mobility ClientFeatures, Licenses, and OSs, Release 4.3This document identifies the AnyConnect release 4.3 features, license requirements, and endpoint operatingsystems that AnyConnect features support.Supported Operating SystemsCisco AnyConnect Secure Mobility Client 4.3 supports the following operating systems.Operating SystemVersionWindowsWindows 10 x86(32-bit) and x64(64-bit)Windows 8.1 x86(32-bit) and x64(64-bit)Windows 8 x86(32-bit) and x64(64-bit)Windows 7 SP1 x86(32-bit) and x64(64-bit)MacMac OS X 10.9, 10.10, 10.11, and 10.12*LinuxRed Hat 6 (64-bit)Ubuntu 12.04 (LTS) and 14.04 (LTS) (64-bit)AnyConnect releases 4.3.3086 and 4.2.6014 are the minimum required releases for Mac OS X 10.12support.Note: Cisco no longer supports AnyConnect releases for Windows XP.See the Release Notes for Cisco AnyConnect Secure Mobility Client for OS requirements and support notes. Seethe Supplemental End User Agreement (SEULA) for licensing terms and conditions. See the Cisco AnyConnectOrdering Guide for a breakdown of orderability and the specific terms and conditions of the various licenses.See the Feature Matrix below for license information and operating system limitations that apply to AnyConnectmodules and features.AnyConnect 4.3 has moved to the Visual Studio (VS) 2015 build environment and requires VS redistributable filesfor its Network Access Manager module functionality. These files are installed as part of the install package. Youcan use the .msi files to upgrade the Network Access Manager module to 4.3, but the AnyConnect SecurityMobility Client must be upgraded first and running release 4.3.Also, with the addition of the AnyConnect Umbrella Roaming Security Module, Microsoft .NET 4.0 is required.License OptionsUse of the AnyConnect Secure Mobility Client 4.3 requires that you purchase either an AnyConnect Plus orAnyConnect Apex license. The license(s) required depends on the AnyConnect VPN Client and Secure Mobilityfeatures that you plan to use, and the number of sessions that you want to support. These user-based licensesinclude access to support and software updates to align with general BYOD trends.Cisco Systems, Inc.www.cisco.com1

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixAnyConnect 4.3 licenses are used with Cisco ASA 5500 Series Adaptive Security Appliances (ASA), IntegratedServices Routers (ISR), Cloud Services Routers (CSR), and Aggregated Services Routers (ASR), as well as othernon-VPN headends such as Identity Services Engine (ISE), Cloud Web Security (CWS), and Web SecurityAppliance (WSA). A consistent model is used regardless of the headend, so there is no impact when headendmigrations occur.One or more of the following AnyConnect licenses may be required for your deployment:LicenseDescriptionAnyConnect PlusSupports basic AnyConnect features such as VPN functionalityfor PC and mobile platforms (AnyConnect and standards-basedIPsec IKEv2 software clients), FIPS, basic endpoint contextcollection, 802.1x Windows supplicant, and web security SSLVPN. Plus licenses are most applicable to environmentspreviously served by the AnyConnect Essentials license andusers of Network Access Manager or Web Security modules.AnyConnect ApexSupports all basic AnyConnect Plus features in addition toadvanced features such as clientless VPN, VPN posture agent,unified posture agent, Next Generation Encryption/Suite B, allplus services and flex licenses. Apex licenses are mostapplicable to environments previously served by the AnyConnectPremium, Shared, Flex, and Advanced Endpoint Assessmentlicenses.AnyConnect Plus and Apex LicensesFrom the Cisco Commerce Workspace website, choose the service tier (Apex or Plus) and the length of term (1,3, or 5 year). The number of licenses that are needed is based on the number of unique or authorized users thatwill make use of AnyConnect. AnyConnect 4.3 is not licensed based on simultaneous connections. You can mixApex and Plus licenses in the same environment, and only one license is required for each user.AnyConnect 4.3 licensed customers are also entitled to earlier AnyConnect releases.Features MatrixAnyConnect 4.3 modules and features, with their minimum release requirements, license requirements, andsupported operating systems are listed in the following sections: AnyConnect Deployment and Configuration AnyConnect Core VPN Client— Core Features— Connect and Disconnect Features— Authentication and Encryption Features— Interfaces AnyConnect Network Access Manager AnyConnect Secure Mobility Modules— Hostscan and Posture Assessment— ISE Posture2

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features Matrix Customer Experience Feedback— Customer Experience Feedback— Diagnostic and Report Tool (DART)AnyConnect Deployment and equiredWindowsMacLinuxDeferred UpgradesASA esyesPlusyesyesnoASDM 7.0Windows ServicesLockdownASA 8.0(4)Update Policy,Software and ProfileLockASA 8.0(4)Auto UpdateASA 8.0(4)ASDM 6.4(1)ASDM 6.4(1)ASDM 6.3(1)Web LaunchASA 8.0(4)(32 bit browsers only)ASDM 6.3(1)Pre-deploymentASA 8.0(4)ASDM 6.3(1)Auto Update ClientProfilesASA 8.0(4)AnyConnect ProfileEditorASA 8.4(1)User ControllableFeaturesASA 8.0(4)ASDM 6.4(1)ASDM 6.4(1)ASDM 6.3(1)3

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixAnyConnect Core VPN ClientCore edWindowsMacLinuxSSL (TLS & DTLS),including Per App VPNASA 8.0(4)PlusyesyesyesTLS CompressionASA esyesPlusyesyesyesPlusyesyesnoASDM 6.3(1)ASDM 6.3(1)DTLS fallback to TLSASA 8.4.2.8ASDM 6.3(1)IPsec/IKEv2ASA 8.4(1)ASDM 6.4(1)Split tunnelingASA 8.0(x)ASDM 6.3(1)Split DNSASA 8.0(4)ASDM 6.3(1)Ignore Browser ProxyASA 8.3(1)ASDM 6.3(1)Proxy Auto Config(PAC) file generationASA 8.0(4)Internet Explorer tablockdownASA 8.0(4)Optimal GatewaySelectionASA 8.0(4)Global Site Selector(GSS) compatibilityASA 8.0(4)Local LAN AccessASA 8.0(4)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.4(1)ASDM 6.3(1)Tethered deviceaccess via clientfirewall rules, forsynchronizationASA 8.3(1)Local printer access viaclient firewall rulesASA 8.3(1)IPv6ASA 9.0ASDM 6.3(1)ASDM 6.3(1)ASDM 7.04

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixConnect and Disconnect edWindowsMacLinuxSimultaneousClientless &AnyConnectconnectionsASA8.0(4)ApexyesyesyesStart Before Logon(SBL)ASA 8.0(4)PlusyesnonoRun script on connect& disconnectASA 8.0(4)PlusyesyesyesMinimize on connectASA SDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)Auto connect on startASA 8.0(4)ASDM 6.3(1)Auto reconnect(disconnect on systemsuspend, reconnect onsystem resume)ASA 8.0(4)Remote User VPNEstablishment(permitted or denied)ASA 8.0(4)Logon Enforcement(terminate VPN sessionif another user logs in)ASA 8.0(4)Retain VPN session(when user logs off,and then when this oranother user logs in)ASA 8.0(4)Trusted NetworkDetection (TND)ASA 8.0(4)Always on (VPN mustbe connected toaccess network)ASA 8.0(4)Always on exemptionvia DAPASA 8.3(1)Connect Failure Policy(Internet accessallowed or disallowed ifVPN connection fails)ASA 8.0(4)Captive PortalDetectionASA 8.0(4)Captive PortalRemediationASA 8.0(4)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)ASDM 6.3(1)5

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixAuthentication and Encryption edWindowsMacLinuxCertificate onlyauthenticationASA 8.0(4)PlusyesyesyesRSA SecurID /SoftIDintegrationPlusyesnonoSmartcard supportPlusyesyesnoSCEP (requires PostureModule if Machine ID isused)PlusyesyesnoList & select yesPlusyesyesyesApexyesyesyesSHA-2 for IPsec IKEv2(Digital Signatures,Integrity, & PRF)ASDM 6.3(1)ASA 8.0(4)ASDM 6.4(1)Strong Encryption(AES-256 & 3des-168)NSA Suite-B (IPseconly)ASA 9.0Enable CRL censeRequiredWindowsMacLinuxGUIASA 8.0(4)PlusyesyesyesCommand LineASDM 6.3(1)yesyesyesAPIyesyesyesMicrosoft ComponentObject Module (COM)yesnonoLocalization of UserMessagesyesyesnoCustom MSI transformsyesnonoUser defined resourcefilesyesyesnoyesyesyesASDM 7.0InterfacesClient HelpASA 9.0ASDM 7.06

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixAnyConnect Network Access dWindowsMacLinuxCoreASA 8.4(1)PlusyesnonoASDM 6.4(1)Wired support IEEE802.3yesWireless support IEEE802.11yesPre-logon & SingleSign onAuthenticationyesIEEE 802.1XyesIEEE 802.1AEMACsecyesEAP methodsyesFIPS 140-2 Level 1yesMobile BroadbandsupportASA 8.4(1)yesIPv6ASA 9.0yesNGE and NSA Suite-BASDM 7.0yesASDM 7.07

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixAnyConnect Secure Mobility ModulesHostscan and Posture iredWindowsMacLinuxEndpoint AssessmentASA 8.0(4)ApexyesyesyesEndpoint RemediationASDM esyesyesApexyesnonoQuarantineQuarantine status &terminate messageASA 8.3(1)Hostscan PackageUpdateASA 8.4(1)ASDM 6.3(1)ASDM 6.4(1)Host EmulationDetectionISE SDMReleaseMinimum ISEReleaseLicenseRequiredWindowsMacLinuxChange ofAuthorization (CoA)4.0ASA 9.2.11.4PlusyesyesyesISE Posture ProfileEditor4.0n/aApexyesyesyesAC Identity Extensions(ACIDex)4.0n/a1.4PlusyesyesyesISE Posture Module4.0n/a1.4ApexyesyesnoDetection of USBmass storage devices(OPSWAT v4 only)4.3n/a2.1ApexyesnonoOPSWAT v44.3n/a2.1ApexyesyesnoASDM 7.2.1ASA 9.2.1ASDM 7.2.18

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixWeb edWindowsMacLinuxCoreASA 8.4(1)PlusYesyesnoCloud-HostedConfigurationASDM 6.4(1)Secure TrustedNetwork DetectionASA 8.4(1)YesASDM 7.0DynamicConfigurationElementsFail Close / Fail OpenPolicy9

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixAMP EnablerFeatureMinimumASA/ASDMReleaseMinimum ISEReleaseLicenseRequiredWindowsMacLinuxAMP enablerASDM 7.4.2ISE 1.4PlusYesYesNoASA 9.4.1Network Visibility ModuleFeatureMinimumASA/ASDMReleaseMinimum ISEReleaseLicenseRequiredWindowsMacLinuxNetwork VisibilityModuleASDM 7.5.1no ISEdependencyApexYesYesNoAdjustment to theASDM 7.5.1rate at which data isASA 9.5.1sentno ISEdependencyApexYesYesNoCustomization ofNVM timerno ISEdependencyApexYesYesNoBroadcast andASDM 7.5.1multicast option forASA 9.5.1data collectionno ISEdependencyApexYesYesNoCreation ofanonymizationprofilesno ISEdependencyApexYesYesNoASA 9.5.1ASDM 7.5.1ASA 9.5.1ASDM 7.5.1ASA 9.5.110

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixUmbrella Roaming Security ModuleFeatureMinimumASA/ASDMReleaseMinimum ISEReleaseLicenseRequiredWindowsMacLinuxUmbrella RoamingSecurity ModuleASDM 7.6.2ISE 1.3Either Plus orApexYesYesNoASA 9.4.1Umbrellalicensing ismandatoryFor information on Umbrella licensing, eat-enforcement/packages/.Reporting and Troubleshooting ModulesCustomer Experience edWindowsMacLinuxCustomer ExperienceFeedbackASA 8.4(1)PlusyesyesnoASDM 7.0Diagnostic and Report Tool (DART)Log cLinuxVPNASA 8.0(4)PlusyesyesyesyesnonoyesyesyesyesyesnoASDM 6.3(1)Network AccessManagerPosture AssessmentWeb SecurityASA 8.4(1)ASDM 6.4(1)Apex11

AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.3Features MatrixCisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. Toview a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the propertyof their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any othercompany. (1110R)Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phonenumbers. Any examples, command display output, network topology diagrams, and other figures included in the document areshown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional andcoincidental. 2016 Cisco Systems, Inc. All rights reserved.12

Mobility Client must be upgraded first and running release 4.3. Also, with the addition of the AnyConnect Umbrella Roaming Security Module, Microsoft .NET 4.0 is required. License Options Use of the AnyConnect Secure Mobility Client 4.3 requires that you purchase either an AnyConnect Plus or AnyConnect Apex license. The license(s) required .