Configure Application-Based (Per App VPN) Remote Access VPN on Mobile Devices Using Cisco Secure Firewall Management Center (2024)

First Published: July 31, 2023

About Per App VPN

When a remote user establishes a VPN connection from a mobile device using Secure Client, all traffic, including traffic from personal applications, is routed through the VPN.

For mobile devices that run on Android or iOS, you can restrict the applications that traverse the VPN tunnel. This application-based remote access VPN is called Per App VPN.

To use Per App VPN, you must perform the following actions:

  1. Install and configure a third-party Mobile Device Manager (MDM) server.

  2. Define the list of approved applications that can go over the VPN tunnel in the MDM server.

  3. Deploy the Per App configurations from the MDM server to the mobile devices.

  4. Configure Per App VPN on the managed headend threat defense.

When an MDM-managed mobile device connects to the VPN using Secure Client, the client validates the applications before tunneling the traffic. The Per App policy configured on the threat defense performs this validation.

The following illustration shows an example of Per App VPN using the threat defense:

[Illustration: an example of Per App VPN using the threat defense]

Benefits

  • Limit VPN traffic over the corporate network and free up resources of the VPN headend. You can keep the following off the VPN:

    • Applications such as Netflix, Facebook, and YouTube.

    • Trusted cloud applications such as Outlook and Webex.

  • Optimize traffic.

  • Minimize latency.

  • Protect the corporate VPN tunnel from unapproved malicious applications on the mobile device.

Is this Guide for You?

This use case is for network administrators who use the management center to configure Per App VPN for remote workers connecting to their organization’s network using remote access VPN.

In versions 6.4 to 6.7, you can enable Per App VPN on an FTD using FlexConfig. For more information, see Configure Application-Based (Per App) Remote Access VPN on Mobile Devices. In version 7.0 and later, you can enable Per App VPN on the threat defense using the management center UI.

System Requirements

The table below shows the supported platforms for this feature.

Product | Version | Version used in this document
Cisco Secure Firewall Threat Defense (formerly Firepower Threat Defense/FTD) | 7.0 and later | 7.3
Cisco Secure Firewall Management Center (formerly Firepower Management Center/FMC) | 7.0 and later | 7.3
Cisco Secure Client (formerly AnyConnect) | 4.0 and later | 5.0
Android Devices | Android 5.0 and later | -
Apple iOS devices | Apple iOS 8.3 and later | -

Prerequisites for Configuring Per App VPN Tunnels

Ensure that you have:

  • Configured a remote access VPN policy in the management center.

  • Set up an MDM server and enrolled each mobile device to the MDM server.

    For more information, see the MDM documentation.

    We recommend that you configure the applications that can traverse the VPN tunnel in the MDM server. This configuration simplifies the headend configuration.

  • Downloaded and installed the Cisco AnyConnect Enterprise Application Selector from the Cisco Software Download Center to your local host.

    You need this tool to define the Per App VPN policy.

Licenses:

  • You need one of the following Secure Client licenses:

    Secure Client Premier or Secure Client Advantage.

  • Your management center Essentials license must allow export-controlled functionality.

    Choose System > Licenses > Smart Licenses to verify this functionality in the management center.

How to Configure Per App VPN Using Management Center

Step | Do This | More Info
1 | Ensure that you meet the prerequisites. | Prerequisites for Configuring Per App VPN Tunnels
2 | Determine which applications should be allowed in the tunnel. | -
3 | Determine the application IDs for the mobile applications. | Determine the Application IDs for Mobile Applications
4 | Define a Per App VPN policy for Android and Apple iOS devices. | Define a Per App VPN Policy for Android and Apple iOS Devices
5 | Assign the Per App VPN policy to a remote access VPN in the management center. | Assign the Per App VPN Policy to a Remote Access VPN in the Management Center
6 | Deploy the configuration on the threat defense. | On the management center menu bar, click Deploy and then select Deployment.

Determine the Application IDs for Mobile Applications

If you decide to configure the list of allowed applications on the headend, you must determine the application IDs for each application on each type of endpoint.


Note

We recommend that you configure the Per App policy in the MDM server. This configuration simplifies the headend configuration.

The application ID (the bundle ID on iOS) is a reverse DNS name. You can use an asterisk as a wildcard. For example, *.* indicates all applications and com.cisco.* indicates all Cisco applications.

To determine the application IDs:

Once you have your list of application IDs, you can define the policy for the mobile device as explained in the procedure below.

Define a Per App VPN Policy for Android and Apple iOS Devices

Use the Cisco AnyConnect Enterprise Application Selector to define the Per App VPN policy.

We recommend that you create a simple ‘Allow All’ policy, and define the allowed applications in the MDM. However, you can specify a list of applications to allow and control the list from the headend. If you want to include specific applications, create a separate rule for each application, using a unique name and the application’s app ID.
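The following script is an added example, not Cisco's code and not part of the Application Selector, that models a Per App policy as the list of rules described above (a Friendly Name plus an App ID pattern per rule) and shows which applications on a device each policy style would admit to the tunnel: the single "Allow All" rule with *.*, a rule for one application, and a prefix wildcard such as com.cisco.*. Wildcard matching is implemented with fnmatch-style globbing, which is an assumption of this example rather than the documented matching algorithm of Secure Client; every app ID other than com.microsoft.rdc.androidx is constructed.

```python
"""Added example: a small model of a Per App VPN policy as a list of rules
(Friendly Name + App ID pattern), evaluated against the application IDs
installed on a device. Not Cisco's code; wildcard matching uses fnmatch-style
globbing, which is an assumption of this example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PerAppRule:
    friendly_name: str   # the Friendly Name entered in the Application Selector
    app_id: str          # reverse-DNS app ID / bundle ID, '*' allowed as wildcard


def validate_app_id(app_id: str) -> bool:
    """Sanity-check an app ID or pattern before putting it in a rule:
    at least two dot-separated labels, each label either '*' or made of
    letters, digits, '_' or '-'. Rejects empty labels such as in 'com..cisco'."""
    labels = app_id.split(".")
    if len(labels) < 2:
        return False
    for label in labels:
        if label == "*":
            continue
        if not label or not all(ch.isalnum() or ch in "_-" for ch in label):
            return False
    return True


def rule_matches(rule: PerAppRule, app_id: str) -> bool:
    """True if the rule's pattern covers app_id. '*' matches any run of
    characters, including dots, so '*.*' covers every reverse-DNS ID and
    'com.cisco.*' covers everything under com.cisco (assumed semantics)."""
    return fnmatchcase(app_id, rule.app_id)


def tunneled_apps(rules, app_ids):
    """Map each app ID that some rule allows to the friendly name of the
    first matching rule; apps with no matching rule stay off the tunnel."""
    allowed = {}
    for app_id in app_ids:
        for rule in rules:
            if rule_matches(rule, app_id):
                allowed[app_id] = rule.friendly_name
                break
    return allowed


# Constructed device inventory; only com.microsoft.rdc.androidx comes from the page.
DEVICE_APPS = [
    "com.microsoft.rdc.androidx",
    "com.cisco.example.app",
    "com.example.crm",
    "com.example.videostream",
]

# The two policy styles described in the text.
ALLOW_ALL_POLICY = [PerAppRule("Allow_All", "*.*")]
RDP_ONLY_POLICY = [PerAppRule("Remote_Desktop", "com.microsoft.rdc.androidx")]

if __name__ == "__main__":
    for name, policy in (("Allow_All", ALLOW_ALL_POLICY), ("RDP only", RDP_ONLY_POLICY)):
        print(name, "->", sorted(tunneled_apps(policy, DEVICE_APPS)))
```

With the Allow All policy every application on the device qualifies, which is why the text pairs it with an application list maintained in the MDM; with a one-rule policy only com.microsoft.rdc.androidx is admitted and everything else stays outside the tunnel, so each additional application needs its own rule.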

To create an Allow All policy (wildcard policy) that supports both Android and iOS platforms using the AnyConnect Enterprise Application Selector:

  1. Choose Android or iOS from the drop-down list as the platform type.

  2. Configure the following options:

    • Friendly Name—Enter a name for the policy. For example, Allow_All.

    • App ID—Enter *.* to match all possible applications.

    • Leave the other options.


  3. Choose Policy > View Policy to get the base64 encoded string for the policy. This string contains an encrypted XML file that allows the threat defense to see the policies. Copy this value. You need this string when you configure Per App VPN on the threat defense in the next step.


To create a policy for the Microsoft Remote Desktop application using the AnyConnect Enterprise Application Selector:

  1. Choose Android from the drop-down list as the platform type.

  2. Configure the following options:

    • Friendly Name—Enter the policy name.

    • App ID—For Android, enter com.microsoft.rdc.androidx.

    • Leave the other options.


  3. Choose Policy > View Policy to get the base64 encoded string for the policy.

Assign the Per App VPN Policy to a Remote Access VPN in the Management Center

Procedure

Step 1

Choose Devices > Remote Access.

Step 2

Select a remote access VPN policy and click Edit.

Step 3

Select a connection profile and click Edit.

Step 4

Click Edit Group Policy.

Step 5

Click the Secure Client tab.

Step 6

Click Custom Attributes and click +.

Step 7

Choose Per App VPN from the Secure Client Attribute drop-down list.

Step 8

Choose an object from the Custom Attribute Object drop-down list or click + to add an object.

When you add a new custom attribute object for Per App VPN:

  1. Enter the name and description.

  2. In the Attribute Value field, specify the base64 encoded policy string from the Cisco AnyConnect Enterprise Application Selector.

Step 9

Click Save and click Add.

Step 10

Click Save.

What to do next

  1. Deploy the configuration on the threat defense.

  2. Establish a VPN connection to the threat defense using the Secure Client.

  3. Verify the Per App VPN configuration.

Verify Per App VPN Configuration

On the Threat Defense

Use the following commands on the threat defense to verify the Per App configuration:

Command | Description
show run webvpn | View details of the Secure Client configurations.
show run group-policy <group_policy_name> | View details of the remote access VPN group policy for Secure Client.
show vpn-sessiondb anyconnect | View details of the active Secure Client VPN sessions.
show run anyconnect-custom-data | View details of the Per App configuration.

Sample output for sh run webvpn is given below:

firepower# sh run webvpn
webvpn
 enable inside
 anyconnect-custom-attr perapp description Per-App Allow
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/csm/cisco-secure-client-win-5.0.03076-webdeploy-k9 1 regex "Windows"
 anyconnect enable
 tunnel-group-list enable
 cache
  no disable
 error-recovery disable

Sample output for sh run anyconnect-custom-data is given below:

firepower# sh run anyconnect-custom-data
anyconnect-custom-data perapp PerAppPolicy eJw9kFtvgkAQhf8K2ae2GC+rqPFNgYjgBcUL2PRhCyuuZVlkuRv/

Sample output for sh running-config group-policy is given below:

firepower# sh running-config group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 user-authentication-idle-timeout none
 anyconnect-custom perapp value PerAppPolicy
 webvpn
  anyconnect keep-installer none
  anyconnect modules value none
  anyconnect ask none default anyconnect
  http-comp none
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
  deny-message none
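The three outputs above fit together in a fixed way: the group policy line anyconnect-custom perapp value PerAppPolicy must refer to an attribute type declared under webvpn (anyconnect-custom-attr perapp) and to an anyconnect-custom-data object of that type and name whose value is the base64 policy string. The script below is an added example, not Cisco's code, that parses constructed copies of the sample outputs (trimmed to the relevant lines, with the truncated base64 value exactly as printed on the page) and reports any link in that chain that is missing, which is the check you would run after a deployment before testing from the endpoint.

```python
"""Added example: cross-check the three 'show' outputs used to verify a Per App
VPN deployment. Not Cisco's code; the sample outputs below are constructed from
the command output shown on the page and trimmed to the relevant lines."""
import base64
import binascii
import re

SHOW_RUN_WEBVPN = """\
firepower# sh run webvpn
webvpn
 enable inside
 anyconnect-custom-attr perapp description Per-App Allow
 anyconnect enable
 tunnel-group-list enable
"""

SHOW_RUN_CUSTOM_DATA = """\
firepower# sh run anyconnect-custom-data
anyconnect-custom-data perapp PerAppPolicy eJw9kFtvgkAQhf8K2ae2GC+rqPFNgYjgBcUL2PRhCyuuZVlkuRv/
"""

SHOW_RUN_GROUP_POLICY = """\
firepower# sh running-config group-policy
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
 anyconnect-custom perapp value PerAppPolicy
 webvpn
  anyconnect modules value none
"""

# Line shapes taken from the sample output on the page.
ATTR_RE = re.compile(r"^\s*anyconnect-custom-attr\s+(\S+)")
DATA_RE = re.compile(r"^\s*anyconnect-custom-data\s+(\S+)\s+(\S+)\s+(\S+)")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes")
REF_RE = re.compile(r"^\s*anyconnect-custom\s+(\S+)\s+value\s+(\S+)")


def parse_custom_attrs(webvpn_text):
    """Attribute types declared under webvpn, e.g. {'perapp'}."""
    return {m.group(1) for m in map(ATTR_RE.match, webvpn_text.splitlines()) if m}


def parse_custom_data(data_text):
    """(type, name) -> base64 value for each anyconnect-custom-data line."""
    return {(m.group(1), m.group(2)): m.group(3)
            for m in map(DATA_RE.match, data_text.splitlines()) if m}


def parse_group_policy_refs(gp_text):
    """(group policy name, type, data name) for every 'anyconnect-custom ... value' line."""
    refs, current = [], None
    for line in gp_text.splitlines():
        if m := GP_RE.match(line):
            current = m.group(1)
        elif (m := REF_RE.match(line)) and current:
            refs.append((current, m.group(1), m.group(2)))
    return refs


def is_valid_base64(value):
    """True if the value is strict base64 (the form the Application Selector emits)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_per_app(webvpn_text, data_text, gp_text):
    """Return a list of problems; an empty list means the pieces line up."""
    attrs = parse_custom_attrs(webvpn_text)
    data = parse_custom_data(data_text)
    refs = parse_group_policy_refs(gp_text)
    problems = []
    if not refs:
        problems.append("no group policy references an anyconnect-custom attribute")
    for gp, attr_type, name in refs:
        if attr_type not in attrs:
            problems.append(f"{gp}: attribute type '{attr_type}' is not declared under webvpn")
        if (attr_type, name) not in data:
            problems.append(f"{gp}: no anyconnect-custom-data {attr_type} {name} is defined")
        elif not is_valid_base64(data[(attr_type, name)]):
            problems.append(f"{gp}: value of {attr_type} {name} is not valid base64")
    return problems


if __name__ == "__main__":
    print(check_per_app(SHOW_RUN_WEBVPN, SHOW_RUN_CUSTOM_DATA, SHOW_RUN_GROUP_POLICY)
          or "Per App wiring OK")
```

Feed it the real output of the three commands and an empty result means the headend side is wired consistently; any remaining problem then lies in the policy content or on the endpoint, which the Secure Client statistics described next will show.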

On the Endpoint

After the endpoint establishes a VPN connection with the threat defense, click the Statistics icon of the Secure Client:

  • Tunnel Mode will be “Application Tunnel” instead of “Tunnel All Traffic.”

  • Tunneled Apps will list the applications you enabled for tunneling in the MDM.



Author: Eusebia Nader