CISCO AnyConnect 5.0 Secure Client User Guide
Document Introduction
Prepared by:
Cisco Systems, Inc.
170 West Tasman Dr.
San Jose, CA 95134
This documentation provides Guidance to IT personnel for the TOE, Cisco Secure Client - AnyConnect 5.0 for iOS 16. This Guidance document includes instructions to successfully install the TOE in the Operational Environment, instructions to manage the security of the TSF, and instructions to provide a protected administrative capability.
Revision History
Version | Date | Change |
0.1 | May 1, 2023 | Initial version |
0.2 | July 27, 2023 | Updates |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2023 Cisco Systems, Inc. All rights reserved.
Introduction
This Operational User Guidance with Preparative Procedures documents the administration of the Cisco Secure Client-AnyConnect v5.0 for Apple iOS 16 TOE, as it was certified under Common Criteria. The Cisco Secure Client-AnyConnect v5.0 for Apple iOS 16 may be referenced below by the related acronym, e.g. VPN Client, or simply the TOE.
Audience
This document is written for administrators installing and configuring the TOE. This document assumes you are familiar with the basic concepts and terminologies used in internetworking, that you understand your network topology and the protocols that the devices in your network can use, that you are a trusted individual, and that you are trained to use the operating systems on which you are running your network.
Purpose
This document is the Operational User Guidance with Preparative Procedures for the Common Criteria evaluation. It was written to highlight the specific TOE configuration and the administrator functions and interfaces that are necessary to configure and maintain the TOE in the evaluated configuration. This document is not meant to detail specific actions performed by the administrator but rather is a road map for identifying the appropriate locations within Cisco documentation to get the specific details for configuring and maintaining AnyConnect Secure Mobility Client operations. All security-relevant commands to manage the TSF data are provided within this documentation within each functional section.
Document References
This section lists the Cisco Systems documentation that is also a piece of the Common Criteria Configuration Item (CI) List. The documents used are shown below in Table 1. Throughout this document, the guides will be referred to by the "#", such as [1].
Table 1 Cisco Documentation
TOE Overview
The TOE is the Cisco AnyConnect Secure Mobility Client (hereinafter referred to as the VPN client, or the TOE). The Cisco AnyConnect Secure Mobility Client provides remote users with secure IPsec (IKEv2) VPN connections to the Cisco 5500 Series Adaptive Security Appliance (ASA) VPN Gateway, allowing installed applications to communicate as though connected directly to the enterprise network.
Operational Environment
The TOE requires the following IT Environment components when the TOE is configured in its evaluated configuration:
Table 2. Operational Environment Components
Component | Usage/Purpose Description |
Certificate Authority | A Certificate Authority is used to provide valid digital certificates. |
Mobile Platform | The TOE relies on any of the following CC validated mobile device platforms:
|
ASA 5500-X series VPN Gateway | The Cisco ASA 5500-X with software version 9.2.2 or later functions as the head-end VPN Gateway. |
ASDM Management Platform | The ASDM 7.7 operates from any of the following operating systems:
|
The Mobile Platform provides some of the security functionality required in [MOD_VPNC_V2.4] and is denoted using the phrase "TOE Platform" in this document.
The Cisco AnyConnect TOE uses network hardware resources on the mobile OS platform to send and receive encrypted packets. The TOE does not access sensitive information repositories.
References in this document to "ASA" refer to a VPN Gateway.
Excluded Functionality
The functionality listed below is not included in the evaluated configuration.
Table 3. Excluded Functionality and Rationale
Function Excluded | Rationale |
Non-FIPS 140-2 mode of operation | The TOE includes a FIPS mode of operation. The FIPS mode allows the TOE to use only approved cryptography. FIPS mode of operation must be enabled in order for the TOE to be operating in its evaluated configuration. |
SSL Tunnel with DTLS tunneling options | [MOD_VPNC_V2.4] only permits an IPsec VPN tunnel. |
These services will be disabled by configuration. The exclusion of this functionality does not affect compliance with the claimed Protection Profiles.
Procedures and Operational Guidance for IT Environment
To operate in its evaluated configuration, the TOE requires a minimum of one (1) Certificate Authority (CA), one (1) VPN Gateway, and one (1) Apple iPhone mobile device.
To resemble a customer PKI environment, a two-tier CA solution using an offline Root CA and an Enterprise Subordinate CA running Microsoft 2012 R2 Certificate Authority (CA) is referenced in this section. Other CA products may be used in place of Microsoft.
The Root CA is configured as a standalone (Workgroup) server while the Subordinate CA is configured as part of a Microsoft domain with Active Directory services enabled. The following figure provides a visual depiction of the TOE and IT Environment. The TOE is a software app running on iOS 13. The TOE boundary is denoted by the hashed red line. See figure 1 below.
Figure 1. TOE and Environment
The Subordinate CA issues X.509 digital certificates and provides a Certificate Revocation List (CRL) to the TOE Platform and the VPN Gateway.
Alternatively, one (1) single root Enterprise CA could be deployed.
- Install and Configure a Certificate Authority
If using a Microsoft two-tier CA solution, install and configure a Root (GRAYCA) and Enterprise Subordinate Certificate Authority (GRAYSUBCA1) in accordance with the guidance from the vendor. The following is a step-by-step guide for configuring Active Directory Certificate Services:
http://technet.microsoft.com/en-us/library/cc772393%28v=ws.10%29.aspx
It is assumed that both the Root CA (GRAYCA) certificate and the Enterprise Subordinate CA (GRAYSUBCA1) certificate depicted in figure 1 are installed and trusted, so that a trusted certificate chain is established. If using a CA from a vendor other than Microsoft, follow that vendor's CA installation guidance.
Regardless of the CA product used, the RSA certificate on the ASA MUST have the following Key Usage and Extended Key Usage properties:
- Key Usage: Digital Signature, Key Agreement
- EKU: IP security IKE intermediate, IP end security system
The Subject Alternative Name (SAN) fields within the ECDSA and RSA certificates on the ASA MUST match the connection information specified within the AnyConnect profile on the client.
- Install and Configure a VPN Gateway
Install Cisco ASA 9.1 (or later), optionally with ASDM, in accordance with the installation guides and release notes appropriate for the versions to be installed. ASDM allows the ASA to be managed from a graphical user interface. Alternatively, if the administrator prefers, equivalent command line (CLI) configuration steps could be used.
Configuration Note: As there are parameters managed by the ASA, the Gateway Administrator must follow the steps in this section to ensure the TOE is in its evaluated configuration.
- Enable AnyConnect and IKEv2 on the ASA. In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, select the Enable Cisco AnyConnect checkbox, and select Allow Access under IKEv2.
- On the AnyConnect Connection Profiles page mentioned above, select Device Certificate. Ensure Use the same device certificate… is NOT checked and select the EC ID certificate under the ECDSA device certificate. Then select Ok.
- Create an IKEv2 crypto policy using the algorithms permitted in the Common Criteria evaluated configuration. In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IKE Policies and add an IKEv2 policy.
Select Add and enter 1 for the highest priority. The range is 1 to 65535, with 1 the highest priority.
Encryption:
AES: Specifies AES-CBC with a 128-bit key encryption for ESP.
AES-256: Specifies AES-CBC with a 256-bit key encryption for ESP.
AES-GCM-128: Specifies AES Galois Counter Mode 128-bit encryption
AES-GCM-256: Specifies AES Galois Counter Mode 256-bit encryption
D-H Group: Choose the Diffie-Hellman group identifier. This is used by each IPsec peer to derive a shared secret, without transmitting it to each other. Valid selections are: 19 and 20.
PRF Hash - Specify the PRF used for the construction of keying material for all of the cryptographic algorithms used in the SA. Valid selections are: sha256 and sha384
In this example configuration select:
Priority: 1
AES Galois Counter Mode (AES-GCM) 256-bit encryption: When GCM is selected, it precludes the need to select an integrity algorithm. This is because the authenticity capabilities are built into GCM, unlike CBC (Cipher-Block Chaining).
Diffie-Hellman Group: 20
Integrity Hash: Null
PRF Hash: sha384
Lifetime: 86400
Select Ok.
Administrator Note: Use of any additional Encryption, DH-Group, Integrity or PRF Hash not listed above is not evaluated.
Administrator Note: The Advanced tab displays the IKE strength enforcement parameter. Ensure the Security Association (SA) Strength Enforcement parameter is checked. This ensures that the strength of the IKEv2 encryption cipher is higher than the strength of its child IPsec SA's encryption ciphers. Higher strength algorithms will be downgraded.
The CLI equivalent is: crypto ipsec ikev2 sa-strength-enforcement
- Create an IPsec proposal. In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IPsec Proposals (Transform Sets) and add an IKEv2 IPsec Proposal, then select Ok.
In the example below the name used is NGE-AES-GCM-256 with AES-GCM-256 for encryption and Null for the Integrity Hash:
- Create a dynamic crypto map, select the IPsec proposal and apply it to the outside interface. In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps. Select Add, then select the outside interface and the IKEv2 proposal.
Click the Advanced tab. Ensure the following:
Enable NAT-T - Enables NAT Traversal (NAT-T) for this policy
Security Association Lifetime Setting - is set to 8 hours (28800 seconds)
- Create an address pool VPNUSERS that will be assigned to VPN users. Address pools contain the following fields:
Name — Specifies the name assigned to the IP address pool.
Starting IP Address — Specifies the first IP address in the pool.
Ending IP Address — Specifies the last IP address in the pool.
Subnet Mask — Selects the subnet mask to apply to the addresses in the pool.
In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools and add an IP pool specifying the above fields, then select Ok.
- Add a group policy that will apply the desired settings to the VPN users. Group Policies lets you manage AnyConnect VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the ASA device. Configuring the VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts. In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies and Add an internal group policy. Ensure the VPN tunnel protocol is set to IKEv2 and that the IP pool created above is referenced in the policy by de-selecting the Inherit check box and selecting the appropriate setting. Relevant DNS, WINS and domain names can also be added to the policy in the Servers section.
Refer to the example group policy NGE-VPN-GP below:
- Create a tunnel group name. A tunnel group contains tunnel connection policies for the IPsec connection. A connection policy can specify authentication, authorization, and accounting servers, a default group policy, and IKE attributes.
In ASDM, go to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. At the bottom of the page under Connection Profiles, select Add.
In the example below the tunnel group name NGE-VPN-RAS is used.
The configuration references Certificate authentication, the associated group policy NGE-VPN-GP and Enable IPsec (IKEv2). A DNS name and domain name can also be added here. Also ensure only IPsec is used by not checking the SSL VPN Client Protocol.
- Create a certificate map, mapping the NGE VPN users to the VPN tunnel group that was previously created. The certificate map will be applied to the AC users. In this scenario, the Subordinate CA common name is matched to ensure that an incoming TOE platform request with an EC certificate issued from the Subordinate CA will be mapped to the appropriate tunnel group that was previously created. VPN users that are not issued a certificate from the EC CA will fall back to the default tunnel groups, fail authentication, and be denied access.
In ASDM, go to Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps. Under Certificate to Connection Profile Maps select Add. Choose the existing DefaultCertificateMap with a priority of 10 and reference the NGE-RAS-VPN tunnel group.
In ASDM, go to Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps. Under Mapping Criteria select Add. Select Issuer for the field, Common Name (CN) for the component, Contains for the Operator, and then select Ok.
Be sure to select APPLY on the main page and SAVE the configuration.
- Configure the ASA to accept VPN connections from the AnyConnect VPN client, using the AnyConnect VPN Wizard. This wizard configures IPsec (IKEv2) VPN protocols for remote network access. Refer to the instructions here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/asdm710/vpn/asdm-710-vpnconfig/vpn-wizard.html#ID-2217-0000005b
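The algorithm restrictions in the gateway steps above can be checked mechanically against a saved gateway configuration. The following Python audit is an added example, not code from Cisco or from this guide; the running-config syntax in the constructed sample and the function names are assumptions, while the permitted values are the ones this guide lists.

```python
import re

# Values this guide lists as valid in the evaluated configuration.
ALLOWED = {
    "encryption": {"aes", "aes-256", "aes-gcm", "aes-gcm-256"},
    "group": {"19", "20"},
    "prf": {"sha256", "sha384"},
}
SA_STRENGTH = "crypto ipsec ikev2 sa-strength-enforcement"

# Constructed sample in ASA running-config style (assumed syntax, not taken
# from the guide). Policy 10 and the group policy are deliberately wrong,
# and the SA strength enforcement line is deliberately missing.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 20
 prf sha384
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256
 group 14 20
 prf sha
 lifetime seconds 86400
group-policy NGE-VPN-GP attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""


def parse_blocks(config):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if line[0].isspace():
            if current is not None:
                current[1].append(line.split())
        else:
            current = (line.strip(), [])
            blocks.append(current)
    return blocks


def audit(config):
    """Return a list of deviations from the evaluated configuration."""
    findings = []
    blocks = parse_blocks(config)
    for header, subs in blocks:
        policy = re.fullmatch(r"crypto ikev2 policy (\d+)", header)
        if policy:
            for key, *values in subs:
                for value in values:
                    if key in ALLOWED and value not in ALLOWED[key]:
                        findings.append(
                            f"ikev2 policy {policy.group(1)}: "
                            f"{key} {value} is outside the evaluated set")
        elif re.fullmatch(r"group-policy \S+ attributes", header):
            name = header.split()[1]
            for key, *values in subs:
                if key == "vpn-tunnel-protocol":
                    for value in values:
                        if value != "ikev2":  # only IPsec (IKEv2) is evaluated
                            findings.append(
                                f"group-policy {name}: tunnel protocol "
                                f"{value} is not IKEv2")
    if not any(header == SA_STRENGTH for header, _ in blocks):
        findings.append(f"missing: {SA_STRENGTH}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Integrity and lifetime lines are ignored on purpose: with a GCM cipher the integrity hash is Null, so only the encryption, DH group, PRF and tunnel-protocol values are compared.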
Preparative Procedures and Operational Guidance for the TOE
To install the Cisco Secure Client-AnyConnect TOE, follow the steps below:
- Open the App Store.
- Select Search
- In the Search Box, enter Secure Client-AnyConnect
- Tap INSTALL APP
- Select Install
Start Cisco Secure Client-AnyConnect
Tap the Cisco Secure Client-AnyConnect icon to start the application. If this is the first time you are starting Cisco Secure Client-AnyConnect after installing or upgrading, choose OK to enable the TOE to extend the Virtual Private Network (VPN) capabilities of your device.
Integrity Verification
Integrity verification is performed each time the app is loaded, and the app waits for the integrity verification to complete. Cryptographic services provided by the iOS platform are invoked to verify the digital signature of the TOE's executable files. If the integrity verification fails to complete successfully, the GUI will not load, rendering the app unusable. If the integrity verification is successful, the app GUI will load and operate normally.
Configure Reference Identifier
This section specifies the configuration of the reference identifier for the VPN Gateway peer. During IKE phase 1 authentication, the TOE compares the reference identifier to the identifier presented by the VPN Gateway. If the TOE determines they do not match, authentication will not succeed.
Select Connections from the home screen to view the entries already configured on your device. Multiple connection entries may be listed, some under a Per-App VPN heading. Connection entries may have the following status:
- Enabled - This connection entry is enabled by the mobile device manager and can be used for connecting.
- Active - This marked or highlighted connection entry is currently active.
- Connected - This connection entry is the active one and is currently connected and operating.
- Disconnected - This connection entry is the active one but is currently disconnected and not operating.
For instructions refer to the "Add or Modify Connection Entries Manually" section of [3].
Configure Certificate Use
AnyConnect requires an X.509 certificate. Refer to the "Configure Certificates" section of [3].
Block Untrusted Servers
This application setting determines whether AnyConnect blocks connections when it cannot identify the secure gateway.
This protection is ON by default and must not be turned OFF.
AnyConnect uses the certificate received from the server to verify its identity. If there is a certificate error due to an expired or invalid date, wrong key usage, or a name mismatch, the connection is blocked.
Set VPN FIPS Mode
VPN FIPS Mode makes use of Federal Information Processing Standards (FIPS) cryptography algorithms for all VPN connections.
- In the Cisco Secure Client-AnyConnect app, tap Settings.
- Tap FIPS Mode to enable this setting.
To meet the cryptographic requirements in the ST, FIPS mode must be enabled. Upon confirmation of your FIPS mode change, the app exits and must be manually restarted. Upon restart, your FIPS mode setting is in effect.
Strict Certificate Trust Mode
This setting configures the Secure Client-AnyConnect TOE to disallow the certificate of the head-end VPN Gateway when it cannot verify that certificate automatically.
- From the home window, tap Menu > Settings.
- Enable Strict Certificate Trust Mode.
Upon the next connection attempt, Strict Certificate Trust will be enabled.
Check Certificate Revocation
This setting controls whether the Cisco Secure Client-AnyConnect TOE will determine the revocation status of the certificate received from the head-end VPN Gateway. This setting must be ON and must not be turned OFF.
- From the AnyConnect home window, tap Menu > Settings.
- Enable Check Certificate Revocation to enable this setting.
Operational Guidance for the TOE
Establish a VPN Connection
Refer to the "Establish a VPN Connection" section of [3].
The Administrator should note the following PROTECT, BYPASS, and DISCARD rules regarding use of IPsec in AnyConnect:
- PROTECT
Entries for PROTECT are configured through the remote access group policy on the ASA using ASDM. For PROTECT entries, the traffic flows through the IPsec VPN tunnel provided by the TOE. No configuration is required for the TOE to tunnel all traffic. The administrator optionally could explicitly set this behavior with the command in their Group Policy: split-tunnel-policy tunnelall
- BYPASS
The TOE supports BYPASS operations (when split tunneling has been explicitly permitted by the Remote Access policy). When split tunneling is enabled, the ASA VPN Gateway pushes a list of network segments to the TOE to PROTECT. All other traffic travels unprotected without involving the TOE, thus bypassing IPsec protection.
Split tunneling is configured in a Network (Client) Access group policy. The administrator has the following options:
Excludespecified: Exclude only networks specified by split-tunnel-network-list
Tunnelspecified: Tunnel only networks specified by split-tunnel-network-list
Refer to the "About Configuring Split Tunneling for AnyConnect Traffic" section in the VPN ASDM configuration guide and follow the steps provided in the "Configure Split-Tunneling for AnyConnect Traffic" section. After making changes to the group policy in ASDM, be sure the group policy is associated with a Connection Profile in Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Add/Edit > Group Policy. BYPASS SPD entries are provided by the host platform through implicit network traffic permit rules. No configuration is required on the TOE platform to allow it to pass this traffic.
- DISCARD
DISCARD rules are performed exclusively by the TOE platform. There is no administrative interface for specifying a DISCARD rule.
Monitor and Troubleshoot
Refer to the "Monitor and Troubleshoot" section of [3].
Exiting Cisco Secure Client-AnyConnect
Exiting the app terminates the current VPN connection and stops all TOE processes. Use this action sparingly. Other apps or processes on your device may be using the current VPN connection, and exiting the Cisco Secure Client-AnyConnect app may adversely affect their operation.
From the home window, tap Menu > Exit.
Cryptographic Support
The TOE provides cryptography in support of IPsec, with ESP symmetric cryptography for bulk AES encryption/decryption and the SHA-2 algorithm for hashing. In addition, the TOE provides the cryptography to support the Diffie-Hellman key exchange and the derivation function used in the IKEv2 and ESP protocols. Instructions to configure cryptographic functions are described in the "Procedures and Operational Guidance for IT Environment" section of this document.
Trusted Updates
This section provides instructions for securely accepting the TOE and any subsequent TOE updates. "Updates" are a new version of the TOE.
TOE versioning can be queried by the user. From the home screen tap "About". Versioning can also be queried through the mobile platform:
- iPhone: Open Settings and go to General > Usage. Under Storage, find Cisco Secure Client Any Connect and tap it. The version information will be displayed.
Updates to the Cisco Secure Client-AnyConnect TOE are managed through the Apple App Store using the procedure below.
Note: Before upgrading your device you must disconnect the VPN session if one is established, and close the application if it is open. If you fail to do this, a reboot of your device is required before using the new version of the Cisco Secure Client-AnyConnect TOE.
- Tap the App Store icon on the iOS home page.
- Tap the Cisco Secure Client-AnyConnect upgrade notice.
- Read about the new features.
- Click Update.
- Enter your Apple ID Password.
- Tap OK.
The update proceeds.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.
Contacting Cisco
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.