Table Of Contents
Supported VPN Platforms, Cisco ASA 5500 Series
ASA, ASDM, Cisco Secure Desktop, and AnyConnect Compatibility
Browser-based SSL VPN Support for Computer OSs
Browser-based SSL VPN Support for Mobile Devices
AnyConnect 2.4 Supported Computer OSs
AnyConnect 2.4 Supported Windows Mobile Devices
AnyConnect 2.3 Supported Computer OSs
AnyConnect 2.3 Supported Windows Mobile Devices
AnyConnect 2.0 - 2.2 Supported Computer OSs
Cisco Secure Desktop 3.5 Support for AnyConnect and Browser-based SSL
Cisco Secure Desktop 3.1 - 3.4 Support for AnyConnect and Browser-based SSL
Host Scan Support for Antivirus, Antispyware, and Firewall Applications
IPsec Support for Computer Software and Hardware Clients
IPsec Support for Mobile Clients
IPsec Support for Windows Mobile
L2TP/IPsec Client Support for Mobile Devices
IPsec Support Offered by Other Mobile Devices
Supported VPN Platforms, Cisco ASA 5500 Series
Revised: January 22, 2010, OL-19674-06This document, previously titled Adaptive Security Appliance VPN Compatibility Reference, includes the following compatibility and VPN platform information:
Compatibility of the ASA 5500 series adaptive security appliance software releases with the Adaptive Security Device Manager, Cisco Secure Desktop, and Cisco AnyConnect VPN client releases.
ASA, ASDM, Cisco Secure Desktop, and AnyConnect Compatibility
Web browsers supported by browser-based (clientless) SSL VPN access to ASAs running Releases 8.0(2)-8.2(2).
Endpoint OSs supported by Cisco AnyConnect VPN Client Releases 2.0-2.4.
Endpoint OSs and browsers supported by Cisco Secure Desktop Releases 3.1-3.5.
IPsec clients supported for VPN access to the ASA.
Note
We have tested the features on the operating systems (OSs) and web browsers named in this document; however, they might work on other OSs and browsers.
For more information, go to the release notes and configuration guides for the products named in this document.
ASA, ASDM, Cisco Secure Desktop, and AnyConnect Compatibility
The following table shows the compatibility of the adaptive security appliance with Adaptive Security Device Manager, Cisco Secure Desktop, and the AnyConnect VPN client:
8.0(4) and later1
6.1(3) and later
3.3.0.118 and later
Cisco AnyConnect Client 2.2.0133 and later
8.0(3)
6.1(3) and later
3.2.1.103 or 3.3.0.118 and later
Cisco AnyConnect Client 2.1.0128 to 2.1.0148
8.0(2)
6.1(3) and later
3.2.0.136 (subsequently referenced as "3.2")
Cisco AnyConnect Client 2.0.0343 (subsequently referenced as "2.0")
7.1(x) - 7.2(x)
5.1(x) - 5.2(x)
3.1.1.45 (subsequently referenced as "3.1.1")2
Cisco SSL VPN Client 1.x
1 ASA 8.x and later do not support Cisco SSL VPN Client 1.x.
2 Cisco Secure Desktop does not support Cisco SSL VPN Client 1.x.
Browser-based SSL VPN
The following sections list the VPN platforms supported by browser-based SSL VPN access:
•
•
Browser-based SSL VPN Support for Computer OSs
Adaptive security appliances running Releases 8.0(2) - 8.2(1) support SSL VPN connections over browser-based sessions from the following OSs and browsers.
Windows Vista SP2
Vista SP1 with KB952876 or later.
Microsoft Internet Explorer 7
Firefox 2.0 or later.
Windows Vista does not support Windows Shares (CIFS) Web Folders.
Additional requirements and limitations apply to smart tunnel and port forwarding.
Windows XP SP2 or later.
Microsoft Internet Explorer 7 and 6
Firefox 2.0 or later.
Windows XP SP2 or later requires Microsoft KB892211 hotfix to support Web Folders.
Additional requirements and limitations apply to smart tunnel and port forwarding.
Windows 2000 SP4.
Microsoft Internet Explorer 7 and 6
Firefox 2.0 or later.
Windows Vista does not support Windows Shares (CIFS) Web Folders.
Windows 2000 SP4 requires Microsoft KB892211 hotfix to support Web Folders.
Additional requirements and limitations apply to smart tunnel and port forwarding.
Apple: Mac OS X 10.4 and 10.5
Safari 2.0 or later, or Firefox 2.0 or later.
Certificate authentication, including the DoD Common Access Card and SmartCard, works with the Safari keychain only.
Web folders do not support Mac OS.
Additional requirements and limitations apply to smart tunnel and port forwarding.
Linux
Firefox 2.0 or later.
Web folders and smart tunnel do not support Linux.
Additional requirements apply to port forwarding.
1 For Microsoft Outlook Exchange communication using the MAPI protocol, remote users must use AnyConnect.
Browser-based SSL VPN Support for Mobile Devices
You can access Clientless SSL VPN from your Pocket PC or other certified personal digital assistant (PDA). Neither the ASA administrator nor the Clientless SSL VPN user need do anything special to use Clientless SSL VPN with a certified mobile device. Cisco has certified the following mobile devices for SSL VPN clientless connections:
Other mobile devices (e.g., the BlackBerry) might work but are not supported.
The iPhone does not have a Java Runtime Environment (JRE) and does not support SSL, so the following SSL VPN features are not supported: application access, auto applet download, client/server plug-ins, and e-mail proxy.
Note
AnyConnect
The following sections list the VPN platforms that AnyConnect supports:
•
•
•
•
•
AnyConnect 2.4 Supported Computer OSs
AnyConnect VPN Client 2.4 supports the following computer OSs.
Microsoft Windows
AnyConnect 2.4 supports the following Windows OSs:
•
AnyConnect requires a clean install if you upgrade from Windows XP to Windows 7.
If you upgrade from Windows Vista to Windows 7, manually uninstall AnyConnect first, then after the upgrade, reinstall it manually or by establishing a web-based connection to a security appliance configured to install it. Uninstalling AnyConnect before the upgrade and reinstalling it afterwards is necessary because the upgrade does not preserve the Cisco AnyConnect Virtual Adapter.
•
AnyConnect requires a clean install if you upgrade from Windows XP to Windows Vista.
•
Requirements
•
•
•
•
–
–
–
•
If you are using Internet Explorer, use version 5.0, SP2 or later. For WebLaunch, use 32-bit Internet Explorer 6.0 or later, or Firefox 2.0 or later, and enable ActiveX or enable Sun JRE 5 Update 1.5 or later (JRE 6 recommended)
Apple
AnyConnect 2.4 supports the following versions of Mac OS:
•
•
50 MB hard disk space required
Linux
AnyConnect supports the following distributions:
•
•
We do not validate other Linux distributions. We will consider requests to validate other Linux distributions for which you experience issues, and provide fixes at our discretion.
AnyConnect supports only standalone installations on Linux.
See the AnyConnect Linux Requirements for AnyConnect 2.4.
Cisco AnyConnect Client, when launched as a standalone client, supports any browser.
To install AnyConnect through a web browser (WebLaunch), the user platform must match one of those in the "Browser-based SSL VPN" section, with one exception: WebLaunch requires the 32-bit version of Internet Explorer. Please instruct users of x64 (64-bit) Windows versions supported by AnyConnect to use the 32-bit version of Internet Explorer or Firefox to install WebLaunch. (At this time, Firefox is available only in a 32-bit version.)
AnyConnect does not support virtualization software such as VMware and Parallels Desktop.
AnyConnect 2.4 Supported Windows Mobile Devices
We designed AnyConnect 2.4 for compatibility with Windows Mobile 6.1, 6.0 and 5.0 Professional and Classic for touch-screens only. Users have reported success with most touch-screens running these versions of Windows Mobile. However, to ensure interoperability, we guarantee compatibility only with the devices we test. The following table lists the supported devices with their corresponding service providers and supported operating system versions. AnyConnect 2.4 adds support for the HTC and Samsung devices.
AnyConnect 2.3 Supported Computer OSs
AnyConnect VPN Client 2.3 supports the following computer OSs.
Microsoft Windows:
•
AnyConnect requires a clean install if you upgrade from Windows XP to Windows Vista.
•
•
Requirements
•
•
•
•
–
–
–
•
If you are using Internet Explorer, use version 5.0, SP2 or later. For WebLaunch, use Internet Explorer 6.0 or later, or Firefox 2.0 or later, and enable ActiveX or install Sun JRE 5 Update 1.5 or later (JRE 6 recommended).
Apple: Mac OS X 10.4 and 10.5
50 MB hard disk space required
Linux
AnyConnect supports Linux Kernel releases 2.4 and 2.6 on 32-bit architectures, and 64-bit architectures that support biarch (that is, that run 32-bit code).
AnyConnect supports only standalone installations on Linux.
The following Linux distributions follow the AnyConnect Linux Requirements and work with the AnyConnect Client:
•
•
•
•
•
•
Cisco AnyConnect Client, when launched as a standalone client, supports any browser; however to install AnyConnect through a web browser (WebLaunch), the user platform must match one of those in the "Browser-based SSL VPN" section.
AnyConnect does not support virtualization software such as VMware and Parallels Desktop.
AnyConnect 2.3 Supported Windows Mobile Devices
We designed AnyConnect 2.3 for compatibility with Windows Mobile 6.1, 6.0 and 5.0 Professional and Classic for touch-screens only. Users have reported success with most touch-screens running these versions of Windows Mobile. However, to ensure interoperability, we guarantee compatibility only with the devices we test. The following table lists the supported devices with their corresponding service providers and supported operating system versions.
AnyConnect 2.0 - 2.2 Supported Computer OSs
AnyConnect VPN Client 2.0 - 2.2 supports the following computer OSs.
Microsoft Windows1 :
•
AnyConnect requires a clean install if you upgrade from Windows XP to Windows Vista.
•
•
•
•
Requirements
•
•
•
•
–
–
–
•
If you are using Internet Explorer, use version 5.0, SP2 or later. For WebLaunch, use Internet Explorer 6.0 or later, or Firefox 2.0 or later, and enable ActiveX or install Sun JRE 5 Update 1.5 or later (JRE 6 recommended).
50 MB hard disk space required
Linux2
AnyConnect supports Linux Kernel releases 2.4 and 2.6 on 32-bit architectures, and 64-bit architectures that support biarch (that is, that run 32-bit code). The following Linux distributions follow the AnyConnect Linux Requirements and work with the AnyConnect Client:
•
•
•
•
•
•
1 Start Before Logon supported beginning with AnyConnect 2.2 and Cisco Secure Desktop 3.2.1.
2 Start Before Logon not supported on x64 Windows XP SP2, Mac OS, and Linux.
3 Safari keychain required on Mac OS for certificate authentication, including DoD Common Access Card and SmartCard support.
4 WebLaunch support of Mac OS 10.5 beginning with AnyConnect 2.1
Cisco AnyConnect Client, when launched as a standalone client, supports any browser; however to install AnyConnect through a web browser (WebLaunch), the user platform must match one of those in the "Browser-based SSL VPN" section.
AnyConnect does not support virtualization software such as VMware and Parallels Desktop.
Cisco Secure Desktop
The following sections list the platforms and link to the lists of applications that Cisco Secure Desktop supports:
•
•
•
Cisco Secure Desktop 3.5 Support for AnyConnect and Browser-based SSL
Cisco Secure Desktop 3.5 supports only AnyConnect and browser-based SSL VPN connections. The following table shows the Cisco Secure Desktop modules and the OSs they support.
Host Scan
x86 (32-bit) and x64 (64-bit): Windows 7, Vista, Vista SP1, and Vista SP2
x64 (64-bit) Windows XP SP2, and x86 (32-bit) Windows XP SP2 and SP3
Windows Mobile versions 6.0, 6.1, 6.1.4, and 6.5 for touch screen devices only (Windows Mobile Professional).
32-bit and 64-bit Mac OS X 10.6, 10.6.1, 10.6.2
32-bit and 64-bit Mac OS X 10.5.x
32-bit and 64-bit biarch Redhat Enterprise Linux 3
32-bit and 64-bit biarch Redhat Enterprise Linux 4
32-bit and 64-bit biarch Fedora Core 4 and later
Ubuntu
32-bit and 64-bit biarch Linux operating systems (that is, 64-bit operating systems that can run 32-bit code) require the 32-bit versions of these libraries to run Host Scan: libxml2, libcurl (with openssl support), openssl, glibc 2.3.2 or later, and libz.
Secure Desktop (Vault), Keystroke Logger Detection, and Host Emulation Detection
x86 (32-bit) Windows Vista, SP1, and SP2 (KB935855 must be installed.)
x86 (32-bit) Windows XP SP2 and SP3
Not Supported:
•
•
Cache Cleaner
32-bit browsers only on the following OSs:
•
•
•
•
•
•
32-bit and 64-bit biarch Linux operating systems (that is, 64-bit operating systems that can run 32-bit code) require the 32-bit versions of these libraries to run Cache Cleaner: libxml2, libcurl (with openssl support), openssl, glibc 2.3.2 or later, and libz.
To enable Host Scan with WebStart, the remote user must do the following:
Step 1
Step 2
Step 3
Step 4
Do not associate jnlp files with javaws or Applications/Utilities/Java/Java Web Start.
Cisco Secure Desktop 3.1 - 3.4 Support for AnyConnect and Browser-based SSL
Cisco Secure Desktop supports only AnyConnect and browser-based SSL VPN connections. The following tables show the Cisco Secure Desktop modules and the OSs they support.
Host Scan
x64 (64-bit)1 Microsoft Windows Vista SP2, or Vista SP1 with KB952876 (Cisco Secure Desktop 3.4.1 or later)
x86 (32-bit) Microsoft Windows Vista SP2 (Cisco Secure Desktop 3.4.1 or later)
x86 (32-bit) Microsoft Windows Vista and Vista SP1 with KB952876 (Cisco Secure Desktop 3.2.1.118 or later)
x86 (32-bit) Windows XP SP2 or SP3
x64 (64-bit) Windows XP SP2
x86 (32-bit) Windows 2000 SP4
64-bit Mac OS X 10.4 and 10.5 (Cisco Secure Desktop 3.4.1 or later)
32- bit Mac OS X 10.4 and 10.5 (Cisco Secure Desktop 3.2.1 or later; 3.2.18 or later recommended)
32- and 64-bit biarch (that is, 64-bit that can run 32-bit code) Linux with the following requirements: libxml2, libcurl (with openssl support), openssl, glibc 2.3.2 or later, and libz (Cisco Secure Desktop 3.2.1 or later; 3.2.1.118 or later recommended)
Secure Desktop (Vault), Keystroke Logger Detection, and Host Emulation Detection
x86 (32-bit) Windows Vista with KB935855 (or later) must be installed. The AnyConnect standalone client does not support the Vault on Windows Vista; however you can use WebLaunch with Windows Vista. Also, Secure Desktop does not let Internet Explorer run outside the Vault on a host computer running Windows Vista.
x86 (32-bit) Windows XP SP2 and SP3.
x86 (32-bit) Windows 2000 SP4.
Note: AnyConnect does not support the Vault.
Cache Cleaner
x86 (32-bit) and x64 (64-bit) Windows Vista and later.
x86 (32-bit) Windows XP SP2 and SP3.
x86 (32-bit) and x64 (64-bit) Windows XP SP2.
x86 (32-bit) Windows 2000 SP4.
32- and 64-bit Mac OS X 10.4 - 10.5 with Safari 1.0 or later, or Firefox 2.0 or later.
32- or 64-bit biarch Linux with libxml2, libcurl (with openssl support), openssl, glibc 2.3.2 or later, and libz. WebLaunch requires Sun Java 1.5 or later and Firefox 2.0 or later.
1 Host Scan, Cache Cleaner, and AnyConnect via WebLaunch do not support 64-bit versions of Internet Explorer. Please instruct users of x64 (64-bit) Windows OSs to use the 32-bit version of Internet Explorer or Firefox to avoid VPN connection issues if you configure the adaptive security appliance to install Host Scan or Cache Cleaner on the VPN endpoint, or if users install AnyConnect via WebLaunch. (At this time, Firefox is available only in a 32-bit version.)
To enable Host Scan with WebStart, the remote user must do the following:
Step 1
Step 2
Step 3
Step 4
Do not associate jnlp files with javaws or Applications/Utilities/Java/Java Web Start.
Host Scan Support for Antivirus, Antispyware, and Firewall Applications
Host Scan examines the remote computer connecting to the VPN for antivirus and antispyware applications, and software firewalls for compliance with configured, corporate security policies. To access the list of packages that Host Scan supports, go to the webpage that applies:
•
•
•
IPsec
The following sections identify the IPsec clients that connect to the ASA.
•
•
IPsec Support for Computer Software and Hardware Clients
All releases of the ASA support the following IPsec clients:
•
Cisco VPN Client 5.0.0.6 supports Microsoft Windows 7 x86 (32-bit), Vista all released x86 versions, and Windows XP x86.This release does not support Microsoft Windows 2000 and Tablet PC 2004/2005, although it may work with these OSs. Windows x64 (64-bit) requires the Cisco AnyConnect VPN Client.
Cisco VPN Client Releases 5.0.00.0340 - 5.0.01.0600 supports Windows 7 x86 (32-bit), Vista x86 (32-bit), and XP x86; Mac OS X 10.4 & 10.5; Linux (Intel); and Solaris UltraSparc (32 and 64-bit)
•
•
•
•
•
IPsec Support for Mobile Clients
The following sections identify the mobile IPsec clients that connect to the ASA.
IPsec for Apple iPhone 3G
The Apple iPhone 3G ships with advanced VPN Client capabilities for Cisco IPsec connectivity already installed. Original iPhone users can upgrade to the iPhone 2.0 software to take advantage of this new capability. Features of the VPN Client include:
•
–
–
–
–
–
–
–
•
•
The Cisco ASA 5500 series and PIX Firewalls work with the Cisco VPN Client on the iPhone. We highly recommend the 8.0(x) software release or later, but you can also use the 7.2(x) software.
IPsec Support for Windows Mobile
For Windows Mobile, the following third-party vendors offer a VPN client that works with the ASA: Antha, Apani, Bluefire, Microsoft, and NCP.DE. Cisco supports the Microsoft client; the respective vendors support the other clients.
L2TP/IPsec Client Support for Mobile Devices
The following mobile OSs support a built-in L2TP/IPsec client that Cisco has tested successfully with the ASA:
•
•
•
The iPhone supports MS-CHAP v2 (preferred) for PPP. It has also been tested for MS-CHAP v1 and PAP support for PPP authentication. The VPN Client on the iPhone 3G supports pre-shared keys and certificates.
Windows Mobile based handheld devices support MS-CHAP v1 and v2, and pre-shared keys.
Some Windows Mobile 2003 (HP iPAQ h4150) and 5.0 (HP iPAQ hx 2495b) PDAs support enrollment with an available certificate authority server and can use certificate-based authentication.
IPsec Support Offered by Other Mobile Devices
Bluefire offers a version of the Palm Treo that has an IPsec client that works with the ASA.
Nokia provides support for Symbian on the Nokia 92xx Communicator series, Nokia 6600 and Nokia E61.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Guest
