OneSource Professional Training Solutions
OneSource Professional Training Solutions, Inc. presents

ASVPN - Cisco Advanced SSL VPN On-Site Training

This on-site training class is also available as Public Schedule Seminar.

ASVPN - Cisco Advanced SSL VPN

Course Description/Agenda

In this exclusive course, you will explore advanced SSL VPN topics including:

  • Customer requirements (clientless vs. client-based)
  • Certificates, including self-signed certificates, Microsoft Certificate Services, and default certificates
  • Connection profiles, group policies, and how they interact
  • How to combat brute-force attempts by using mutual authentication with digital certificates and user credentials

You'll push the boundaries of advanced topics by examining POST parameters on our Exchange OWA server and enabling auto sign-on. You'll examine and configure available plug-ins and contrast the concept to using smart tunnels, and you'll learn to check for registry and OS watermarks and create antivirus and firewall requirements.

You'll examine the newest features of AnyConnect 3.0, including Trusted Network Detection (TND) and firewall features in the client login scripts, and you will learn to skin your AnyConnect client with custom logos and settings to offer a rich feature set to your users.

You will cover Cisco Secure Desktop (CSD) topics in detail, and then you'll tie the components together by feeding the results of the policy checks into Dynamic Access Policies (DAPs) and examining the relationship between DAPs and group policies. You will take the configuration a step further by enabling Lightweight Directory Access Protocol (LDAP) authentication within a DAP. You will add a few web-type Access Control Lists (ACLs) to the mix and discover how the various components all work together.

You will wrap up the week by testing your knowledge with various troubleshooting tickets to fix a broken VPN design.

What You'll Learn

  • Client-based vs. clientless VPN solutions
  • Using ASA 8.4 code for SSL VPN
  • Basic and advanced features within the CiscAnyConnect client version 3.0, including firewall policy push, TND, login scripts, and profile editor in ASDM
  • Relationship between tunnel groups, group and user policies, connection profiles, and dynamic access policies
  • Kerberos Constrained Delegation (KCD) for VPN authentication
  • Basic and advanced features of the Clientless WebVPN solution, including smart tunnels, Web ACLs, plug-ins, autsign-on, bookmarks, and portal customization
  • Features and benefits of CSD and the fundamental differences between the pre-login policies and HostScan
  • How tuse CSD tintegrate Endpoint Assessment (EA) and Advanced Endpoint Assessment (AEA)
  • Configure DAPs
  • Enrolling the ASA with a third-party Certificate Authority (CA) and retrieval based on user-based certificates tprovide mutual authentication
  • How the username credential can be automatically populated and how the connection profile can be chosen automatically using the pre-fill and certificate mapping features in the ASA
  • Troubleshooting SSL VPNs

Who Should Attend

Anyone, including system engineers and network designers, administrators, engineers, and managers, seeking to learn the latest features of AnyConnect 3.0

Course Prerequisites

  • Skills and knowledge equivalent to those learned in any firewall fundamentals course, including SNAF, SNAA, FIREWALL, VPN, ASAE, or ASA Lab Camp
  • Working knowledge of the Microsoft Windows operating system, including Microsoft Internet Explorer or Firefox
  • Fundamental understanding of SSL and certificates

Course Outline

1. Feature Mapping and Scenario

  • SSL Technology
  • Clientless SSL Feature
  • AnyConnect Feature
  • Group Deployment Type (Clientless vs. AnyConnect)
  • License Requirements for Suggested Solution

2. Initializing ASA and Preparing for PKI and AAA Support

  • Basic ASA Configuration
  • Validating Licenses
  • Generating Self-Signed Certificate to be used with ASDM
  • Enrolling Digital Certificate from CA Server to be used for SSL VPN Access
  • Configuring Integration with AAA Servers (RADIUS, LDAP)
  • Logging

3. Connection Profile and Group Policy Configuration

  • Creating Connection Profiles and Group Policies
  • Configuring Group Policy
  • Creating Bookmarks

4. Enhanced Clientless WebVPN Features

  • Plug-Ins
  • Uploading the RDP Plug-In
  • Configuring Smart Tunnels
  • Auto Sign-On for HTTP/S Resources
  • Auto Sign-On for Forms-Based Authentication
  • KCD
  • Microsoft Extensions to KCD for VPN Authentication
  • Portal Customization

5. Enhanced AnyConnect Client Features

  • AnyConnect 3.0 Features
  • AnyConnect Secure Mobility
  • Trusted Network Detection
  • Always-On VPN
  • Login Script
  • AnyConnect Client Profile Configuration
  • AnyConnect Diagnostics

6. CSD and Pre-Login Assessment

  • Install and Configure CSD
  • Configure and Manage
  • Test and Troubleshoot CSD Issues

7. HostScan and DAPs

  • DAP Attributes
  • Configuring DAP
  • Using EA Policies with DAP
  • Working with Policy Objects

8. Securing Resources with Web-Type and Networks ACLs

  • Feature Overview
  • Configuring and Applying Web-Type ACLs
  • Configuring and Applying Network-Based ACLs

9. CSD Endpoint Assessment

  • Configuring CSD for Advanced HostScan
  • Configuring DAP Policy to Utilize Advanced HostScan
  • Testing and Troubleshooting the Configuration

10. Certificate-Based Authentication

  • Obtain a User Certificate
  • Configure VPN Authentication with Client Certificates
  • Configure Connection Profile Selection
  • Configure Group Policy Selection
  • Configure LDAP Attribute Maps for Authorization Settings
  • Two-Factor Authentication
  • Test and Verify the Configuration

11. Advanced Troubleshooting

  • SSL VPN Troubleshooting
  • AnyConnect Troubleshooting
  • Clientless SSL VPN Troubleshooting

12. Scaling SSL VPN

  • Configuring Load Balancing
  • Monitoring
  • Verifying and Troubleshooting
  • Configuring a Shared License


Lab 1: Lab Environment

Lab 2: Initializing the ASA and Preparing for PKI and AAA Support

  • Obtain Remote Access to the System
  • Bootstrap the ASA to a Baseline Configuration
  • Create a Self-Signed Certificate
  • Create a Certificate Request
  • AAA Server Setup
  • Verify the ASA Configuration

Lab 3: Configuring Basic Clientless and Client-Based SSL VPNs

  • Create Connection Profiles, IP Pools, and Group Policies
  • Assign Certificate to the Outside Interface
  • Connection Method Configuration
  • Create Bookmarks
  • Prepare for ASDM
  • Verify the ASA Configuration

Lab 4: Enhanced Clientless WebVPN Features

  • Configure RDP and SSH Plug-Ins for Application Access
  • Investigate the Use of Smart Tunnels
  • Use Auto Sign-On to Allow the Passing of Credentials
  • Verify the ASA Configuration

Lab 5:


More Seminar Information

OneSource Professional Training Solutions, Inc.
OneSource Professional Training Solutions

Delivery Method

On-Site Training On-Site Training

Also Available As

Seminar Seminar


Add to favorites Add to favorites
Email Email this page

On-Site Training
Information Request Form

Please complete the form for more information and/or a quote for this on-site class.




City and State


Number of students:
(at least 10 for consideration)

When do you want to hold the

How long would you like for the

Additional comments to trainer:

We value your privacy!