AnyConnect Client profile: group-url in server-list with OGS doesn't work properly

Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 7.0(2)
Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
#show webvpn anyconnect
1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
   CISCO STC win2k+
   3,1,00495
   Hostscan Version 3.1.00495
The profile is in the attached file. After this profile is uploaded to the client, Optimal Gateway Selection doesn't work properly:
When 'vpn1.mydomain.com/mygroup' (the best TTL server) is unreachable, OGS tries to connect to other servers, but without the group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')

Anton,
It MIGHT be cosmetic:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz92140
If not please open up a TAC case and provide DART for such a connection.
M.
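
Added example (not part of the original posts, and not the profile from the poster's attachment): a short Python audit that lists the group each ServerList entry of an AnyConnect profile carries, which is worth checking when OGS can pick any entry in the list. The profile below is constructed, reusing the hostnames from the post; HostEntry, HostAddress, UserGroup and EnableAutomaticServerSelection are the profile element names as assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (hostnames reused from the post, not the attachment).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableAutomaticServerSelection UserControllable="false">true
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
    </EnableAutomaticServerSelection>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>VPN1</HostName>
      <HostAddress>vpn1.mydomain.com</HostAddress>
      <UserGroup>mygroup</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>VPN2</HostName>
      <HostAddress>vpn2.mydomain.com/mygroup</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>VPN3</HostName>
      <HostAddress>vpn3.mydomain.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def _local(tag):
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(parent, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_profile(xml_text):
    """Return (ogs_enabled, entries, findings) for an AnyConnect profile."""
    root = ET.fromstring(xml_text)
    ogs = False
    entries = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "EnableAutomaticServerSelection":
            ogs = (el.text or "").strip().lower() == "true"
        elif tag == "HostEntry":
            # The group can sit in <UserGroup> or be appended to the address.
            host, _, inline = _child_text(el, "HostAddress").partition("/")
            group = _child_text(el, "UserGroup")
            entries.append({
                "name": _child_text(el, "HostName"),
                "host": host,
                "group": group or inline,
                "style": "UserGroup" if group else ("inline" if inline else "none"),
            })
    findings = []
    if any(e["group"] for e in entries):
        for e in entries:
            if not e["group"]:
                findings.append("%s: no group for %s" % (e["name"], e["host"]))
    styles = {e["style"] for e in entries if e["group"]}
    if len(styles) > 1:
        findings.append("mixed group styles: " + ", ".join(sorted(styles)))
    return ogs, entries, findings


if __name__ == "__main__":
    ogs, entries, findings = audit_profile(SAMPLE_PROFILE)
    print("OGS enabled:", ogs)
    for e in entries:
        print("%-5s https://%s/%s (%s)" % (e["name"], e["host"], e["group"], e["style"]))
    for f in findings:
        print("FINDING:", f)
```

Comparing this listing with the URLs recorded in a DART bundle shows whether the client dropped the group or the profile never carried it for that entry.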

Similar Messages

  • AnyConnect Client Profile Backup Server Configuration

    I'm trying to understand the use of Backup Server option in AnyConnect Client Profile
    Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
    (Screenshot attached)
    My questions:
    1. In what all scenarios do we add servers (ASA devices) in this tab
    2. If I have same information in two different locations (Site A and Site B) for AnyConnect user, can I add Site A-ASA and Site B-ASA into Backup Server tab as a failover mechanism for end user.
    3. Or is it only used to mention ASA devices configured in failover unit
    4. In case of failover unit, does it support stateful failover
    I could not find answers to above questions from Google search. So, asking here

    I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios
    1) ASAs at two different sites
    2) ASAs configured as a High Availability failover pair (Active/Standby).
    The profile does work to provide failover in 1) but does not work to provide failover in 2).
    I do not know the authoritative answer to the question about IP phones' use of the profile. I believe that the answer ought to be that yes, the phone would receive the profile after its first connection and would use the backup server identified in the profile if the primary server was not available. That is a basic functionality of the AnyConnect client and if the phone is using the AnyConnect client then it ought to support that failover.
    If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
    HTH
    Rick

  • Anyconnect Client profile files deleted after client upgrade

    L.S.
    I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
    The ASA I am connecting to is a 5510 running ASA OS 8.4.5
    The problem I have is the following:
    We are using machine certificate authentication combined with RADIUS user authentication.
    The machine certificates are stored in the Machine/Personal container in the local machine.
    By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
    We do not want to have the user run the client as administrator (in elevated mode) all the time.
    Therefore we have made an AnyConnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
    With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
    the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
    The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
    The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
    The user can connect using the 3.1.02040 client (certificate authentication works without elevation, since the XML AnyConnect Client Profile is present)
    The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
    The VPN is established.
    However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
    This means the user cannot connect without using elevated rights the next time he wants to connect.
    If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
    Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

    Hi poiu720408 ,
    1. You need to set up a web-url or group-alias under the group policy as we have enabled the "tunnel-group-list enable" under the webvpn configuration. So once the user connects to the proper URL/alias the profile will be applied.
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    2. Yes, AnyConnect stores "cache" information on the PC; if you want to clean up, you have to go to the AnyConnect folder on C: on the PC and delete the global_preferences.xml profile.
    3. This behavior is totally expected and they should disappear after some minutes; however, if you want to force this, you can use the command "vpn-sessiondb logoff webvpn noconfirm"
    Please rate helpful post !
    Hope this helps
    - Randy -

  • Assigning AnyConnect Client Profiles based on the machine?

    I have an ASA running 8.2.x code with AnyConnect 2.4.x. I have both Radius and LDAP (AD) AAA available.
    If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
    If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
    What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
    It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
    If at all possible, I do not want users to have to pick a connection profile or use different URLs.
    Is there any way to accomplish this?

    Hi
    Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
    Has anyone got any idea how I could do this?
    thanks
    Steve

  • "Anyconnect client profile" option missing in ASDM

    Hello,
    I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
    It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
    I don't have either of those options in ASDM. Here's what mine shows:
    I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
    Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

    Thanks for the response Marvin,
    It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
    Result of the command: "sh version"
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Result of the command: "sh act | i Ess"
    AnyConnect Essentials        : Enabled 
    I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.

  • Your Client Does not Support Opening this list with Windows Explorer on Windows Server 2012 R2

    I am trying to open a document library in Internet Explorer 11 on a Windows 2012 R2 server and I am receiving Your Client Does not Support Opening this list with Windows Explorer

    Hi,
    According to your post, my understanding is that you wanted to open a document library with the Internet Explorer 11 on a Windows 2012 R2 server. But you received the following error message: Your client does not support opening this list with Windows Explorer.
    There can be multiple reasons for it.
    So, I recommend you can check with the following steps:
    Go to the “Server Manager” of “Administrative Tools” > Enable the “Desktop Experience” feature in your environment.
    Go to the “Services” of “Administrative Tools” > Ensure the “WebClient” service is started.
    Ensure that your computer has supported Web browser.
    Ensure that Internet Explorer is configured correctly to add https://*.sharepoint.com to Local intranet site in the “Security Tab” of “Internet Options”.
    Ensure that you have applied the latest updates on the system.
    For more information, you can refer to the following articles:
    http://blogs.technet.com/b/asiasupp/archive/2011/06/13/error-message-quot-your-client-does-not-support-opening-this-list-with-windows-explorer-quot-when-you-try-to-quot-open-with-explorer-quot-on-a-sharepoint-document-library-in-office-365-site.aspx
    http://mcgeeky.blogspot.com/2010/02/your-client-does-not-support-opening.html
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • AnyConnect Client Profile in ASDM

    I am trying to configure a client profile under the AnyConnect Client Profile tab in the ASDM but keep getting an error message stating "Check that you have a proper AnyConnect package installed in the AnyConnect Client Software menu.  Also check that your ASDM username have enough privelege."
    My user has sufficient privilege but I am not sure which AnyConnect software I should have to enable this. Right now I have anyconnect-win-3.0.10055-k9.pkg installed.
    This is a lab setup using GNS3.
    Any ideas?

    Hi Marius,
    I would assume you are running ASA 8.0x, right?
    Please check this out:
    "If you wish to use the ASDM-integrated Profile Editor to configure any of AnyConnect's components, you must use ASDM version 6.4(1) or later."
    Security Appliance Software Requirements
    So at this point, I would suggest to try to upgrade your ASDM to 6.4 or try with AnyConnect 2.5.
    Let me know.
    Thanks.
    Portu
    Please rate any posts you find helpful.

  • ASDM Anyconnect client profile - unable to edit preferences

    Hi,
    I have a functioning vpn set up, my problem is that I'm trying to set up anyconnect start before login. I navigate to the anyconnect client profile section in the remote access vpn and create a profile xml file by clicking the add button. I can add a profile but as soon as I save the file I can no longer edit it. The edit button is greyed out and if I double click the file the asdm returns the error: "Input is not a well-formed, schema-compliant XML file."
    I'm running the following versions of software:
    asdm: 7.1(5)100
    anyconnect: 3.1.05152
    asa: 8.2(3) <----asa hardware doesn't support running a newer version.
    I have not been able to find any info on this particular problem but maybe someone here can help?

    Hello Ryan,
    Do you run into the same problem if you upload AnyConnect 2.5 and perform the same task?
    Also, have you tried this operation from a different machine with an old Java version like 1.6?
    HTH.

  • ASDM AnyConnect Client Profile Editor will not close...

    When I fire up ASDM and go into the AnyConnect Client Profile Editor, it will not let me close the Editor.
    If I go in and just hit Cancel, or OK, or the X, nothing happens. The only way to exit is to close down Java.
    I've run ASDM on a few machines, all with the same results.
    ASDM Version 6.3(4)
    Thanks

    I upgraded to ASDM 7.1(2)
    This resolved my issue.

  • SharePoint Foundation 2010 - Your client does not support opening this list with windows explorer when clicking Open with Explorer

    when I tried to open document library in Windows explorer view by click 'Open with Explorer', it popped up “Your client does not support opening list with windows explorer”
    OS: Windows Server 2008 Enterprise x64
    IE: 9.0 32bit
    WebClient service is running
    HKLM\System\CurrentControlSet\services\WebClient\Parameters and changed the BasicAuthLevel to 2 instead of 1.
    Anybody knows how?
    Thanks.

    Did you add your site to trusted site list?
    http://sharepoint.stackexchange.com/questions/15098/your-client-does-not-support-opening-this-list-with-windows-explorer
    --Cheers

  • Trying to open a sharepoint library in Windows Explorer via IE 8 results in the error "your client does not support opening this list with windows explorer"

    I am attempting to connect to a Microsoft Sharepoint library, via the "Actions -> Open in Windows Explorer" option from the Sharepoint page.  When I do so, I get the error message "your client does not support opening this list with windows explorer".  In short, I am trying to get the "drag and drop" functionality of a Sharepoint library.
    I am running Windows 7 64-bit and IE8.  The target Sharepoint environment is a MOSS 2007 EE.  My Windows "WebClient" service is running, and I have no problem connecting to this exact library via a Windows XP computer running IE8.

    Verify that the Webclient is started automatically from the Services.msc
    Verify that your Portal is in the Intranet local security zone (You can reach it from Your Internet Explorer Browser Security Tag) if not add it to the list
    restart the WebClient service if it's work good
    If not you have to create a network share to your portal URL directly not your documents library.
    Open Windows Explorer or My Computer from the Windows Start Menu.
    From the Tools menu, click Map Network Drive…. A new Map Network Drive window opens.
    In the Map Network Drive window, choose an available drive letter from the dropdown list located next to the "Drive:" option. Any drives already mapped will have a shared folder name displayed inside the dropdown list, next to the drive letter.
    Type the name of the folder to map, which is in this case your SharePoint Portal URL (Don't include the documents libraries)
    Click the "Reconnect at login" checkbox if this network drive should be mapped permanently. Otherwise, this drive will un-map when the user logs out of this computer.
    If the remote computer that contains the shared folder requires a different username and password to log in, click the "different user name" hyperlink to enter this information.
    Click Finish.
    I am looking for a suite method :)

  • Error: Your client does not support opening this list with Windows Explorer.

    I have enabled both authentication (Windows and FBA) on default zone, now when I want to open any document library on windows explorer it showing me an error.
    Your client does not support opening this list with Windows Explorer.
    Web client service is running on server.
    Desktop Experience feature is also enabled on server
    Windows explorer is working fine when FBA is disabled on default zone.
    Need both authentication on default zone.

    Hi,
    According to your post, my understanding is that you got “Your client does not support opening this list with Windows Explorer” error.
    You can use compatibility mode to check whether it works.
    Open IE->Tools->Compatibility View Settings
    You can also add the site into Trusted sites.
    Open the IE->Internet Options->Security->Sites->add the site into the Websites, then check whether it works.
    In addition, you can also try to enable Basic authentication on the client computer, by setting the BasicAuthLevel registry entry of the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
    For detailed steps, visit the following KB page.
    http://support.microsoft.com/kb/841215/en-us
    There are some similar threads for your reference.
    http://social.msdn.microsoft.com/Forums/en-US/e9a07773-db23-46e9-8d1d-7015cd5aa13b/your-client-does-not-support-opening-this-list-with-windows-explorer?forum=sharepointgeneralprevious
    http://blogs.technet.com/b/asiasupp/archive/2011/06/13/error-message-quot-your-client-does-not-support-opening-this-list-with-windows-explorer-quot-when-you-try-to-quot-open-with-explorer-quot-on-a-sharepoint-document-library-in-office-365-site.aspx
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • Explorer View - Your client does not support opening this list with Windows Explorer MOSS 2007 '

    We recently had a major deployment, after which Explorer View started giving error message.
    Before deployment, all was working fine.
    Error: Your client does not support opening this list with Windows Explorer
    Webclient service is already enabled.
    The site has been added to trusted site lists.
    All Active-x controls have been enabled.
    Browser: Internet Explorer 8 - 32 bit.
    Microsoft Office 32 bit is also installed.
    Thanx in advance.

    You could try updating the following registry key on a client PC as a test: HKLM\System\CurrentControlSet\Services\WebClient\Parameters\AuthForwardServerList to include the URL of your SharePoint site. Add the root site and it might enable this functionality.
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Blog: baron72.wordpress.com
    Twitter: Follow @backpackerd00d
    My Wiki Articles:
    CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

  • Your client does not support opening this list with windows explorer - related to multiple uploads?

    Hi folks -
    I've read through some threads regarding "Your client does not support opening this list with windows explorer" and it seems a lot of folks have a lot of solutions throughout the forum posts. Is there anything official or semi-official regarding this?
    I've tried a lot of the fixes including:
    checking to see if the WebClient service is on
    modifying so-and-so registry (I've since changed them back since they seem to have no effect)
    and changing various settings in Internet Options including making sure the site is in the Local intranet zone.
    I could live without this functionality but just recently my upload-multiple-files functionality in SharePoint 2010 has also gone away (red x instead of directory UI).  I wonder if it's related somehow and could give us a clue.
    If it helps I'm using various browsers but of the IE flavor 8 and 9 32-bit as the base for testing this.

    For SharePoint 2013 (so could apply to 2010 as well), my problem was that I was trying to "Open with Explorer" something that probably can't be opened with Explorer. In my case, I just wanted to open my team's Shared Documents with Explorer. I found that when I first log into SharePoint and view the page, I'm presented with those Shared Documents, but also other things as well.
    To get "Open with Explorer" to work, I must click "Shared Documents" under the Libraries heading on the left. Then, all the other stuff (Links, Getting Started, etc.) go away and I'm focused on my team's shared documents. From there, I can go up to the Library Tools section in the ribbon, choose the Library tab in the ribbon, and click Open with Explorer.
    Works like a champ on Windows 7 64-bit, running IE 9 32-bit.
    Unfortunately that's not what was going on in my case.  One obvious way to check is to see if other people or other computers can Open with Explorer.  In my case it was just this one machine on my desk that had the issue.

  • In SharePoint 2010 Document Library "Open with Explorer" Your client does not support opening this list with Windows Explorer

    Hi.
    I am getting below error "Your client does not support opening this list with Windows Explorer" while click "Open with Explorer" option in document library.
    My system is a client machine, which is a 32-bit system and Windows 7 PC, and the Web Client service is also running.
    In other SharePoint sites the "Open with Explorer" option in document library is working fine, but a specific site is giving the error.
    It was working fine before, but now it is giving this error.
    Please help me on it. Its making frustrations.
    Thanks & Regards
    Poomani Sankaran

    Hi,
    According to your post, my understanding is that you got “Your client does not support opening this list with Windows Explorer” error.
    Did you enable the both authentication (Windows and FBA) on default zone.
    As far as I remember when FBA is enabled on the same zone when Windows is used, it breaks whole client integration.
    So it will be better if you will recheck your architecture and will use different zones for Windows and FBA.
    There is also another thing to try: use claims based authentication with authentication provider which will work both with Windows and FBA.
    What’s more, you can also check with below steps.
    Use compatibility mode to check whether it works.
    Open IE->Tools->Compatibility View Settings
    Add the site into Trusted sites to check whether it works.
    Open the IE->Internet Options->Security->Sites->add the site into the Websites, then check whether it works.
    In addition, you can also try to enable Basic authentication on the client computer, by setting the BasicAuthLevel registry entry of the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
    For detailed steps, visit the following KB page.
    http://support.microsoft.com/kb/841215/en-us
    There are some similar threads for your reference.
    http://social.msdn.microsoft.com/Forums/en-US/e9a07773-db23-46e9-8d1d-7015cd5aa13b/your-client-does-not-support-opening-this-list-with-windows-explorer?forum=sharepointgeneralprevious
    http://blogs.technet.com/b/asiasupp/archive/2011/06/13/error-message-quot-your-client-does-not-support-opening-this-list-with-windows-explorer-quot-when-you-try-to-quot-open-with-explorer-quot-on-a-sharepoint-document-library-in-office-365-site.aspx
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support
