Not entirely sure - but from what I've heard, it's either or... i.e. you buy 100 Essentials licenses now... then down the road you cannot "upgrade" to a premium... you have to purchase an entirely new set of 100 Premium licenses. Thus, your ASA becomes a "Premium only" SSL box. Your users will remain unaffected as it's the same AnyConnect client for both license structures. You'll just get the ability to do WebVPN proxy as well. That (IMHO) is why they made the Essentials package so much cheaper - +/-$200 now is justifiable for quick connectivity, but sooner or later you'll probably have to spend the real money on the Premium licenses.
Also, with version 8.2 of the ASA code, Cisco now gives you the ability to do Flex Licensing. Flex Licensing allows you to buy, say 100 Essentials and 100 Premium licenses, throw them onto a License Server (another ASA), then have all 200 of your License Server licenses be allocated dynamically to multiple ASAs around your environment (each "child" ASA will enroll with the License server to request SSL licenses as the needs arise). Aaron T. Rohyans Senior Network Engineer CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER DPSciences Corporation 7400 N. Shadeland Ave., Suite 245 Indianapolis, IN 46250 Office: (317) 348-0099 Fax: (317) 849-7134 arohy...@dpsciences.com http://www.dpsciences.com/ From: Jon Harris [mailto:jk.har...@gmail.com] Sent: Friday, August 07, 2009 8:41 AM To: NT System Admin Issues Subject: Re: Cisco VPN client on Vista 64 bit Aaron, How hard is it to switch from one license form to another? I will be looking at that soon. Jon On Fri, Aug 7, 2009 at 8:32 AM, Rohyans, Aaron <arohy...@dpsciences.com> wrote: The older IPSec client is going away in favor of the AnyConnect SSL VPN Client (which works on all 32/64 bit platforms). Eventually, Cisco will add IPSec support for the AnyConnect client (so that it connect using SSL, or traditional methods), but for now it is completely SSL based. You get 2 free Premium licenses with the Base License of an ASA - standard. You can purchase AnyConnect Essentials licenses (which give you everything you need to create a full VPN tunnel) for about $200 for 100 users - so the price is reasonable. The Premium version of the licenses add the capability to do WebVPN Proxy as well, but will run you significantly more. You cannot run Essentials/Premium licenses simultaneously... it is one or the other. For simple VPN tunneling capabilities (like what the older IPSec client did)... the Essentials is what you want and you can pick up 100 licenses for next to nothing. As someone else mentioned, you can also generate a self-signed cert on the ASA for free, but your users will need to click through a few warnings in order to connect (similar to how IE forces you to acknowledge that you are going to a secure site that it doesn't trust). I always recommend enrolling with a 3rd party CA (Entrust, Verisign, GoDaddy, etc.) to make installations and subsequent connections go smoothly. Hope this helps! Aaron T. Rohyans Senior Network Engineer CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER DPSciences Corporation 7400 N. Shadeland Ave., Suite 245 Indianapolis, IN 46250 Office: (317) 348-0099 Fax: (317) 849-7134 arohy...@dpsciences.com http://www.dpsciences.com/ From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov] Sent: Friday, August 07, 2009 8:24 AM To: NT System Admin Issues Subject: RE: Cisco VPN client on Vista 64 bit ahahhaah Well I guess theres that too. Wow it's early. ________________________________ From: David W. McSpadden [mailto:dav...@imcu.org] Sent: Friday, August 07, 2009 8:23 AM To: NT System Admin Issues Subject: Re: Cisco VPN client on Vista 64 bit Just more licenses... ----- Original Message ----- From: Owens, Michael <mailto:michael.ow...@dys.ohio.gov> To: NT System Admin Issues <mailto:ntsysadmin@lyris.sunbelt-software.com> Sent: Friday, August 07, 2009 8:19 AM Subject: RE: Cisco VPN client on Vista 64 bit So wait - when Windows 7 comes out, (and supposedly everyone goes to it) Everyone will need to buy new ASAs, or more SSL lisenses? I read that Ncp secure entry client, works... I dont suppose anyone has given it a shot? http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html ________________________________ From: Jon Harris [mailto:jk.har...@gmail.com] Sent: Friday, August 07, 2009 8:11 AM To: NT System Admin Issues Subject: Re: Cisco VPN client on Vista 64 bit ASA will generate a self-signed cert for you and on X64 you will use AnyConnect. Depending on how you set it up you can make it so that only preinstalled users can access it. I just finished getting ours up and running with 2 clients using the AnyConnect, and now have to look at getting an expanded license so that I can use the AnyConnect more. Jon On Fri, Aug 7, 2009 at 8:02 AM, N Parr <npar...@mortonind.com> wrote: Load a cert and away you go, it's all web based. ________________________________ From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov] Sent: Friday, August 07, 2009 6:59 AM To: NT System Admin Issues Subject: RE: Cisco VPN client on Vista 64 bit I was afraid you'd say that. It actually isn't MY ASA. I do side work for a company I used to work for... one of the big wigs there still refuses to use anyone but me, and he pays me well! Anyway I guess I walked into this one. :) With the SSL lisenses, how do you connect? Mike ________________________________ From: Eldridge, Dave [mailto:d...@parkviewmc.com] Sent: Friday, August 07, 2009 7:53 AM To: NT System Admin Issues Subject: RE: Cisco VPN client on Vista 64 bit Nadda. Did your asa come with 3 ssl licenses? Mine did and that is what I use. It will be interesting to see what they do with 64 bit 7. From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov] Sent: Friday, August 07, 2009 5:50 AM To: NT System Admin Issues Subject: Cisco VPN client on Vista 64 bit I think I remember seeing someone post about this a while back... Is there something that will connect to an ASA (preferebly free) since apparently Cisco has never made (and has no intention of making) a 64 bit version of their client? I will accept limited juryrigging. :) I refuse to believe that Cisco has yet to come out with something for 64bit operationg systems? Its been like 7 years? Thanks! Mike ________________________________ This message, and any response to it, may constitute a public record and thus may be publicly available to anyone who requests it in accordance with Chapter 149 of the Ohio Revised Code. This e-mail contains the thoughts and opinions of the sender and does not represent official Parkview Medical Center policy. This communication is intended only for the recipient(s) named above, may be confidential and/or legally privileged: and, must be treated as such in accordance with state and federal laws. If you are not the intended recipient, you are hereby notified that any use of this communication, or any of its contents, is prohibited. If you have received this communication in error, please return to sender and delete the message from your computer system. ________________________________ This message, and any response to it, may constitute a public record and thus may be publicly available to anyone who requests it in accordance with Chapter 149 of the Ohio Revised Code. ________________________________ This message, and any response to it, may constitute a public record and thus may be publicly available to anyone who requests it in accordance with Chapter 149 of the Ohio Revised Code. ________________________________ This message, and any response to it, may constitute a public record and thus may be publicly available to anyone who requests it in accordance with Chapter 149 of the Ohio Revised Code. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~