The Cisco AnyConnect product line is Cisco’s industry-leading SSL VPN solution. It is Cisco’s flagship VPN solution, and will eventually phase out the Cisco VPNClient, which is the IPSec version.
Back in 2009, Cisco updated its AnyConnect solution to offer different licensing options, depending on what features are needed within the AnyConnect product. Prior to this update, SSL VPN licensing was very expensive if you needed just a basic feature set. With the release of ASA code version 8.2(1), Cisco released AnyConnect Essentials and AnyConnect Premium. Since then, minor changes have been added to the product features as technology expands. AnyConnect version 2.5 is now available, and has added some performance and security enhancements to the 2.4 tree.
But, what are the major differences between these 2 options? Price, of course, as the premium tag denotes a premium price. But in terms of features, which one do you need? Let’s break this down, to help you purchase the license that best suits your needs, and also educate you on the available features within the AnyConnect product line:
AnyConnect Essentials
- Client-based model. The client is installed on remote computers to connect to the remote network via SSL.
- Single license per active device.
- Full tunneling access to Enterprise applications.
AnyConnect Premium
- Clientless SSL VPN (connect to the firewall via HTTPS to set up the tunnel).
- Single or shared license model.
- Cisco Secure Desktop capabilities (if you would like to bundle in that software).
- Support for AnyConnect Secure Mobility.
- Full tunneling access to Enterprise applications.
Based on those features, the distinction that comes up the most is this: if you need clientless access and need more than 2 simultaneous users (the ASA default license), then AnyConnect Premium is what you need. If you would like a client that mimics the IPSec VPN client, then AnyConnect Essentials is what you need. Typically, I see this as the more prevalent license.
There are some a la carte licenses, too:
- AnyConnect Mobile – enables AnyConnect for the mobile OS platform. A per-device license.
- Advanced Endpoint Assessment – enables this advanced feature to check for posture prior to connecting.
- Cisco Secure Mobility – requires ASA version 8.3. Enforces security policy in every transaction.
- FIPS 140-2 Level 1 Compliance – if FIPS compliance is something that is required, this will make the AnyConnect software compliant.
Luckily for everyone, Cisco bundles 2 simultaneous users for all SSL VPNs on all Cisco ASA 5500 series models. This way, you can test out your options to see which one works best for your company. Upgrading the AnyConnect license is now painless and does not require a reboot, so the upgrade can be done at any time without any downtime.
If you have redundant Cisco ASA 5500 series models, you will need a license for each model. So, if you have an AnyConnect Essentials license on node 1, then you will need that same license on node 2. The firewalls will not become redundant if these licenses do not match. If you have a pre-existing configured HA pair and install the license on only 1 node, Cisco will break the HA pair until the licenses are equal; at that point, you can re-enable failover.
Hopefully, this post will help you better understand the licensing models available for the AnyConnect product line, and allow you to purchase the license that works best for your enterprise.


