All you need is the Essentials then - gives you the same functionality of the older IPSec client (full tunnel back to corporate). If you don't care about the WebVPN stuff, then you don't ever need to worry about upgrading again to Premium - just stick with the Essentials from here on out.
Aaron T. Rohyans
Senior Network Engineer
CCIE #21945, CCSP, CCNA, CQS-Firewall, CQS-IPS, CQS-VPN, ISSP, CISP, JNCIA-ER
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 348-0099
Fax: (317) 849-7134
arohy...@dpsciences.com
http://www.dpsciences.com/

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, August 07, 2009 10:43 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

Yeah it makes sense but I wish they would have just stayed cut and dried and not followed the crowd and gone with this licensing structure. So do I need the Premium license or can I get away with an Essentials license? The AnyConnect will work on a Mac so I don't need or want the Web based VPN operational, which is how it is set up now. (No web based VPN) I have several staffers that on the next OS refresh will be going to X64 on their machines and they will need the VPN.

Jon

On Fri, Aug 7, 2009 at 10:26 AM, Rohyans, Aaron <arohy...@dpsciences.com> wrote:

Well - you're describing two different licenses - so yes, back to your point, Cisco is getting difficult on license options :)

The ASA "platform" itself has several different licenses (Base, Security Plus, VPN Edition, etc.). All come with the 2 free Premium SSL Licenses. What we're referring to here is an *additional* license to buy on top of your Base/Security Plus/VPN Edition license to give you the capability to run more concurrent SSL users. SSL is just a licensed "feature" of your normal ASA license if that makes sense. As is Phone Proxy, Advanced Endpoint Assessment, etc.

So, from what you're describing, your normal platform license will always remain the Security Plus license, but you will be upgrading the SSL features of the Security Plus license to include more concurrent SSL users.

Hope that makes sense :)

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, August 07, 2009 10:05 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

That last sounds expensive unless we can use a 5505 to be the license server. I think we have the Premium license now it is called Security Plus and gave me the 2 AnyConnects I have now but does give me an option to add additional licenses. Cisco is getting just as hard as Microsoft at dealing with on licenses.

Jon

On Fri, Aug 7, 2009 at 9:56 AM, Rohyans, Aaron <arohy...@dpsciences.com> wrote:

Not entirely sure - but from what I've heard, it's either or... i.e. you buy 100 Essentials licenses now... then down the road you cannot "upgrade" to a premium... you have to purchase an entirely new set of 100 Premium licenses. Thus, your ASA becomes a "Premium only" SSL box. Your users will remain unaffected as it's the same AnyConnect client for both license structures. You'll just get the ability to do WebVPN proxy as well. That (IMHO) is why they made the Essentials package so much cheaper - +/-$200 now is justifiable for quick connectivity, but sooner or later you'll probably have to spend the real money on the Premium licenses.

Also, with version 8.2 of the ASA code, Cisco now gives you the ability to do Flex Licensing. Flex Licensing allows you to buy, say 100 Essentials and 100 Premium licenses, throw them onto a License Server (another ASA), then have all 200 of your License Server licenses be allocated dynamically to multiple ASAs around your environment (each "child" ASA will enroll with the License server to request SSL licenses as the needs arise).

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, August 07, 2009 8:41 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

Aaron,

How hard is it to switch from one license form to another? I will be looking at that soon.

Jon

On Fri, Aug 7, 2009 at 8:32 AM, Rohyans, Aaron <arohy...@dpsciences.com> wrote:

The older IPSec client is going away in favor of the AnyConnect SSL VPN Client (which works on all 32/64 bit platforms). Eventually, Cisco will add IPSec support for the AnyConnect client (so that it can connect using SSL, or traditional methods), but for now it is completely SSL based.

You get 2 free Premium licenses with the Base License of an ASA - standard. You can purchase AnyConnect Essentials licenses (which give you everything you need to create a full VPN tunnel) for about $200 for 100 users - so the price is reasonable. The Premium version of the licenses adds the capability to do WebVPN Proxy as well, but will run you significantly more. You cannot run Essentials/Premium licenses simultaneously... it is one or the other. For simple VPN tunneling capabilities (like what the older IPSec client did)... the Essentials is what you want and you can pick up 100 licenses for next to nothing.

As someone else mentioned, you can also generate a self-signed cert on the ASA for free, but your users will need to click through a few warnings in order to connect (similar to how IE forces you to acknowledge that you are going to a secure site that it doesn't trust). I always recommend enrolling with a 3rd party CA (Entrust, Verisign, GoDaddy, etc.) to make installations and subsequent connections go smoothly.

Hope this helps!

From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov]
Sent: Friday, August 07, 2009 8:24 AM
To: NT System Admin Issues
Subject: RE: Cisco VPN client on Vista 64 bit

ahahhaah

Well I guess there's that too. Wow it's early.

________________________________

From: David W. McSpadden [mailto:dav...@imcu.org]
Sent: Friday, August 07, 2009 8:23 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

Just more licenses...

----- Original Message -----
From: Owens, Michael <mailto:michael.ow...@dys.ohio.gov>
To: NT System Admin Issues <mailto:ntsysadmin@lyris.sunbelt-software.com>
Sent: Friday, August 07, 2009 8:19 AM
Subject: RE: Cisco VPN client on Vista 64 bit

So wait - when Windows 7 comes out, (and supposedly everyone goes to it) Everyone will need to buy new ASAs, or more SSL licenses?

I read that Ncp secure entry client, works... I don't suppose anyone has given it a shot?

http://www.ncp-e.com/en/solutions/vpn-products/secure-entry-client.html

________________________________

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Friday, August 07, 2009 8:11 AM
To: NT System Admin Issues
Subject: Re: Cisco VPN client on Vista 64 bit

ASA will generate a self-signed cert for you and on X64 you will use AnyConnect. Depending on how you set it up you can make it so that only preinstalled users can access it. I just finished getting ours up and running with 2 clients using the AnyConnect, and now have to look at getting an expanded license so that I can use the AnyConnect more.

Jon

On Fri, Aug 7, 2009 at 8:02 AM, N Parr <npar...@mortonind.com> wrote:

Load a cert and away you go, it's all web based.

________________________________

From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov]
Sent: Friday, August 07, 2009 6:59 AM
To: NT System Admin Issues
Subject: RE: Cisco VPN client on Vista 64 bit

I was afraid you'd say that. It actually isn't MY ASA. I do side work for a company I used to work for... one of the big wigs there still refuses to use anyone but me, and he pays me well! Anyway I guess I walked into this one. :)

With the SSL licenses, how do you connect?

Mike

________________________________

From: Eldridge, Dave [mailto:d...@parkviewmc.com]
Sent: Friday, August 07, 2009 7:53 AM
To: NT System Admin Issues
Subject: RE: Cisco VPN client on Vista 64 bit

Nadda. Did your ASA come with 3 SSL licenses? Mine did and that is what I use. It will be interesting to see what they do with 64 bit 7.

From: Owens, Michael [mailto:michael.ow...@dys.ohio.gov]
Sent: Friday, August 07, 2009 5:50 AM
To: NT System Admin Issues
Subject: Cisco VPN client on Vista 64 bit

I think I remember seeing someone post about this a while back... Is there something that will connect to an ASA (preferably free) since apparently Cisco has never made (and has no intention of making) a 64 bit version of their client? I will accept limited jury-rigging. :)

I refuse to believe that Cisco has yet to come out with something for 64bit operating systems? It's been like 7 years?

Thanks!

Mike

________________________________

This message, and any response to it, may constitute a public record and thus may be publicly available to anyone who requests it in accordance with Chapter 149 of the Ohio Revised Code.

This e-mail contains the thoughts and opinions of the sender and does not represent official Parkview Medical Center policy. This communication is intended only for the recipient(s) named above, may be confidential and/or legally privileged: and, must be treated as such in accordance with state and federal laws. If you are not the intended recipient, you are hereby notified that any use of this communication, or any of its contents, is prohibited. If you have received this communication in error, please return to sender and delete the message from your computer system.