Partner Webinar AnyConnect 4.0 Rene Straube Cisco Germany December 2014
Agenda
o Introduction to AnyConnect 4.0
o New Licensing Scheme for AnyConnect 4.0
o How to migrate to the new Licensing?
o Ordering & Migration Examples
Cisco Confidential

Cisco AnyConnect Secure Mobility Client
Extending Control of Context to the Endpoint
Simply and securely work anywhere on any device
o Delivers reliable and transparent secure remote access for the off-premises user based on VPN
o Helps ensure endpoint integrity
o Multiple authentication options
o Comprehensive posture checks
o Provides secure connectivity
o End-to-end encryption
o Integrated web security
o Per-app VPN for mobile

What's New in Cisco AnyConnect 4.0?
Connect Only Approved Applications over VPN
o Provide secure remote access for selected applications by user, role, device, etc. (per-app VPN)
o Reduce the potential for non-approved applications to compromise enterprise data
o Support a range of remote users and endpoints (employees, partners, contractors), streamlining IT operations
[Figure: Selectively Tunnels Traffic Through VPN (WWW)]

What's New in Cisco AnyConnect 4.0?
Posture Check and Secure VPN Access with Unified Agent and Cisco ISE 1.3
o Supports device posture and authorization across multiple access methods
o Simplifies management with only one agent to manage
o Prevents noncompliant devices from accessing the network

Centralized Endpoint Secure Access Policy
Common Context-Based Access Policy Services (Cisco ISE + Cisco AnyConnect)
[Figure labels: Cisco Prime; Cisco ISE; Third-Party MDM; Cisco Catalyst Switches; ASA Firewall; Wired Network Devices; Office Wired Access; Office Wireless Access; Remote Access]

Cisco AnyConnect: More Than just VPN/ASA
[Figure labels: Future; IPsec VPN; SSL/DTLS VPN; HostScan; Clientless; Cloud Web Security; L2 Supplicant (Win Only today); NAC Agent; Mobile MDM; FireAMP; Volume; Premium Interest & Value]
Head End Devices: Switches and Wireless controllers; ISE/ACS; ASA; WSA; Cloud Web Security; ASR/CSR; ISR

Why we Change the AnyConnect Licensing?
AnyConnect
o Simplify
o Feature / value alignment
o Remove lock to appliance (helps with ASA migrations & RMA Process)
o Consistent model regardless of headend
o Solve Share / Flex / Essentials + Premium mix challenges
ISE
o Adapt to new ISE feature content / AC integration in 1.3
  - Unified Agent (single agent for compliance)
o Consistency with AC selling motion
o Different 3rd Party MDM offer structure

AnyConnect Licensing Today
o SHARED License (per user + per ASA): Premium Licenses Shared by Multiple Cisco ASA Devices
o MOBILE License (per ASA model)
o ESSENTIALS License (per ASA model): Basic Remote Access Connectivity
Or
o MOBILE License (per ASA)
o ADVANCED ENDPOINT ASSESSMENT License (per ASA)
o PREMIUM License (per user for each ASA): Always-On, Clientless, Posture Assessment, Mobile Posture, Suite B
o Other Licenses: VPN Phone & FIPS (per ASA model)
o FLEX License (for 54 days daily use): Good for Short Periods of High Demand (Emergencies, Events, etc.; per box)
This is too complex, even if we've all got used to it...

New Licensing in Cisco AnyConnect 4.0
Simpler Licensing with Greater Flexibility
o New endpoint licensing portable across any hardware platforms, simplifying transfer
o New two-tiered licensing structure to allow customers to grow based on new enterprise mobility needs
Plus License (Any Headend)
o IPSec/SSL VPN
o Mobile per-app VPN (new)
o Web security
o Network access manager
Apex License (Any Headend)
o Plus features
o Unified Endpoint Compliance (new)
o Clientless
o Suite B
Per user (with their multiple devices)

How to Design a Deployment?
Users
o How many users will utilize AC services?
Services
o How many users need basic services?
o How many users need advanced services?
Headend Sizing
o How many active sessions at any given time?
o What headend platform/s?
o How many locations?
It's important to understand that Users/Services and Headend Sizing are decoupled completely
Much easier to scale the deployment, even afterwards
[Figure labels: PLUS; APEX; Cisco ASA; Cisco Web Security; Cisco ISE; Router]

New AC Features & Licensing
Current AnyConnect 3.X (Tied only to ASA)
o Premium (Perpetual)
o Shared (Perpetual)
o Flex (Perpetual)
o AEA (Perpetual)
o Mobile (Perpetual)
o Essentials (Perpetual)
o Non-Lic (NAM, CWS)
New AnyConnect 4.X (Loose with ASA, ISR, ASR, CSR, CWS)
APEX (New!): Advanced PC + Mobile Services
o Unified Endpoint Compliance / Remediation (Posture)
o Suite B
o Clientless
o Includes PLUS!!!
PLUS (New!): Basic PC + Mobile Services
o Device VPN / Per app VPN
o Always On
o ASA, ISE, ASR, CSR
o FIPS
o CWS / Web Security
o NAM
* VPN Phone goes away because of VCS gateway

Two Licensing Models to choose
PLUS (Perpetual)
o 25-250K per user* pricing ($$$)
o Right to Use based on user/seat count vs concurrency
o Support (SASU) ordered separately
o Compliance -> Trust (Phase 1)
o Built in Shared, Flex functionality
o Covers PC and Mobile
o Includes near zero day OS support for all supported platforms
or
APEX (Term) / PLUS (Term)
o 25-250K per user* pricing ($)
o Right to Use based on user/seat count vs concurrency
o 1, 3 and 5 Yr options (includes support)
o Compliance -> Trust (Phase 1)
o Built in Shared, Flex functionality
o Covers PC and Mobile
o Includes near zero day OS support for all supported platforms
* Please be aware of user based licensing, not device based!!

What's the difference?
PLUS (Perpetual)
o Support ordered separately
o $$$ per user is more
o No perpetual License for Apex
or
APEX (Term) / PLUS (Term)
o Support included in the Subscription
o $ per User is less

AnyConnect Premium & Essentials Licensing
o Essentials almost free
o Essentials perpetual License
o Premium perpetual License
o Essential & Premium cannot be mixed on one device
o Premium & Essentials are charged based on concurrent connections
o Licenses applied on a device
AnyConnect Apex & Plus Licensing
o Plus not free
o Plus perpetual or Subscription License
o Apex Subscription License only
o Plus & Apex can be mixed in a single customer deployment
o Apex & Plus are charged per User
o Licenses applied to all devices needed

ASA + AC Support Matrix
                                            AC Mobile              AC Desktop
                                            3.x         4.x        3.x         4.x
End of Sale Announcement                    Q4 CY 2014  N/A        Q4 CY 2014  N/A
End of New OS Support                       Q2 CY 2015  N/A        Q2 CY 2015  N/A
End-of-Sale Date (All AC and ASA+AC SKUs)
  5500                                      Q2 CY 2015  NA         Q2 CY 2015  NA
  5500-X                                    Standard End of Sale Policies Apply

Frequently Answered Questions
Does a customer need to upgrade to Plus/Apex from Essentials/Premium?
o AnyConnect Plus/Apex licenses required for AnyConnect 4.x software (Desktop & Mobile)
o New AnyConnect 4.0 capabilities like Per-app VPN functions will require Plus or Apex licenses along with ASA 5500-X with 9.3.1 or later
o Essentials and Premium licenses and version 3.x AnyConnect software will be phased out but can further be used with current software versions and features
Can AnyConnect 4.x be used without a Plus or Apex license?
o No, with one exception: basic mobile VPN use cases through April 2016 (see below)
o AnyConnect 4.x usage requires Plus or Apex license; this includes Network Access Manager, Cloud Web Security and all VPN use cases, regardless of the Cisco head-end
o AnyConnect 4.x Apex license also authorizes clientless SSL VPN
How is the 4.x conversion being handled for the mobile versions of AnyConnect?
o Customer cannot remain on old versions of AnyConnect for iOS & Android
o All 3.x customers will be permitted to utilize AnyConnect 4.x on mobile devices until April 30, 2016
o After this date, a customer will no longer be entitled to utilize AnyConnect on mobile devices without converting licensing models
o The Per App VPN capabilities in AnyConnect 4.0 are not available to customers using the original AnyConnect Essentials/Premium licenses

Customer Conversations
o Not tied to specific ASA release, though some features like per app will only work with 9.3.x+
o Don't have to move to AC 4.x right away but should start planning, particularly if interested in
  o New PC/Mobile OS support
  o New features
o Special migration offers for existing customers reduce financial impact with even more services (e.g. ISE context sharing)

Migration Strategy
Existing AC licenses
o Premium (Perpetual)
o Shared (Perpetual)
o Essentials (Perpetual)
o Non-Lic (NAM, CWS)
AC APEX Migration Licenses ($0 for 3 Yr, Any User Count)
o APEX (Term)
o PLUS (Term)
AC PLUS Migration Licenses (50% Discount on 5/3/1 Yr licenses, Any User Count)
o PLUS (Term)
[Figure labels: Old ASA; New ASA]
Yes, there is no migration offer for Plus perpetual!!

Scenario #1a Basic VPN Greenfield (Term)
New customer wants to cover 1000 users with 500 active endpoints connected at any one time. This is basic device-based VPN for PC as well as mobile devices, requires HA, and is centralized. Customer is interested in migrating to per app VPN on mobile platforms to help decrease bandwidth backhaul costs.
1 Order appropriate appliances and SMARTnet options
Product Number         List Price  Qty  Total
ASA5525-K9             $8,995      2    $18,990
(SMARTNET/SASU-SKUs)   -           -    -
2 Selects AC PLUS based on total number of users
Product Number         List Price  Qty  Total
L-AC-PLS-5Y-G          $-          1    $-
AC-PLS-5Y-1K           $2,500      1    $2,500

Scenario #1b Basic VPN Greenfield (Perpetual)
New customer wants to cover 1000 users with 500 active endpoints connected at any one time. This is basic device-based VPN for PC as well as mobile devices, requires HA, and is centralized. Customer is interested in migrating to per app VPN on mobile platforms to help decrease bandwidth backhaul costs. Has CAPEX vs OPEX preference.
1 Order appropriate appliances and SMARTnet options
Product Number         List Price  Qty  Total
ASA5525-K9             $8,995      2    $18,990
(SMARTNET/SASU-SKUs)   -           -    -
2 Selects AC PLUS based on total number of users
Product Number         List Price  Qty  Total
L-AC-PLS-P-G           $-          1    $-
AC-PLS-P-1K            $6,250      1    $6,250

Scenario #2a Advanced VPN Greenfield
New customer wants to cover 1000 users with 500 active endpoints connected at any one time. This is advanced device-based VPN for PC as well as mobile devices, requires HA, and is centralized. They want clientless for contractors and want to enforce PC compliance prior for employees.
1 Order appropriate appliances and SMARTnet options
Product Number         List Price  Qty  Total
ASA5525-K9             $8,995      2    $18,990
(SMARTNET/SASU-SKUs)   -           -    -
2 Selects AC APEX based on total number of users
Product Number         List Price  Qty  Total
L-AC-APX-5Y-G          $-          1    $-
AC-APX-5Y-1K           $12,000     1    $12,000

Scenario #2b Advanced + Basic VPN Greenfield
New customer wants to cover 750 users with 500 active endpoints connected at any one time. This is advanced device-based VPN for PC as well as mobile devices, requires HA, and is centralized. They want clientless for 250 contractors and want to enforce PC compliance for 250 employees, but they want basic VPN access for 250 partners regardless of PC or mobile for partner portal access.
1 Order appropriate appliances and SMARTnet options
Product Number         List Price  Qty  Total
ASA5525-K9             $8,995      2    $18,990
(SMARTNET/SASU-SKUs)   -           -    -
2 Selects AC PLUS and APEX based on total number of users
Product Number         List Price  Qty  Total
L-AC-PLS-5Y-G          $-          1    $-
AC-PLS-5Y-250          $625        1    $625
L-AC-APX-5Y-G          $-          1    $-
AC-APX-5Y-500          $9,000      1    $9,000

Scenario #3 Basic VPN Migration
Existing customer has a pair of 5540s with Essentials and Mobile. They have been providing basic VPN access to 5000 users (averaging 1000 concurrent sessions). This is all device-based VPN. Customer expects mobile device count to grow, so wants to add per app VPN services in addition to covering new future Windows OS and Apple OS X software versions. Feels that existing 5540s still have enough headroom (only expect 2000 concurrent worst case). Budget wise they want 3 year licenses.
1 Does not need any new appliances
2 Selects AC PLUS migration based on total number of users
Product Number         List Price  Qty  Total
L-AC-PLS-M-3Y-G        $-          1    $-
AC-PLS-M-3Y-5K         $4,600      1    $4,600

Scenario #4 Adv VPN Migration
Existing customer has a pair of 5540s with 1000 AC Premium licenses. They have been providing advanced VPN access to 3000 users (averaging 1000 concurrent sessions). They are using HostScan and Adv Endpoint Assessment and want to maintain that service but open service up to a larger number of employees (5000 in total). Feels that existing 5540s still have enough headroom (only expect 2000 concurrent worst case).
1 Does not need any new appliances
2 Selects AC Apex migration based on total number of users
Product Number         List Price  Qty  Total
L-AC-APX-M-SG          $0          1    $0
L-AC-APX-M-5K          $0          1    $0

Scenario #5 New CWS Customer
In the short term (next 6 mo), CWS customer will transact as they do today. If they need to enable AC Plus for VPN services in addition to CWS inspection service they need to reach out to Cloud Ops team. Once CWS team decides how they will evolve model in CCW, we will update this slide.
1 Does not need any new appliances
2 TBD
Product Number         List Price  Qty  Total

Scenario #6 Existing CWS Customer
Existing CWS customer with 2500 users. 2 years into their 3 year term they decide to add AnyConnect VPN services on ASAs. Don't expect more than 500 concurrent endpoints at any point.
1 Order appropriate appliances and SMARTnet options
Product Number         List Price  Qty  Total
ASA5525-K9             $8,995      2    $18,990
(SMARTNET/SASU-SKUs)   -           -    -
2 Does not need any new CWS licenses. Grandfathered to use AC Plus for remainder of existing term
Product Number         List Price  Qty  Total
L-AC-PLS-1Y-G          $-          1    $-
AC-PLS-1Y-2500         $0*         1    $0*
* Note - Please apply 100% discount to existing AC-PLS. CWS team will automatically approve this.

Scenario #7 NAM
New customer wants to add EAP chaining for 5000 users to establish user and machine auth within their existing ISE Base deployment.
1 Does not need any new appliances
2 Does not need any new ISE licenses. Selects AC PLUS based on total number of users
Product Number         List Price  Qty  Total
L-AC-PLS-5Y-G          $-          1    $-
AC-PLS-5Y-5K           $11,400     1    $11,400

Scenario #8 NAM Migration
Large existing customer wants to maintain EAP chaining for 100K users and is considering moving from Juniper to ASA for basic VPN services covering all 100K users.
1 Juniper to ASA migration program TBD
2 Selects AC PLUS Migration based on total number of users
Product Number         List Price  Qty  Total
L-AC-PLS-M-3Y-G        $-          1    $-
AC-PLS-M-3Y-100K       $38,600     1    $38,600

Summary & Resources
o The new Licensing is actually much simpler than the old one
o It solves many operational challenges of the old Licensing Model by decoupling the Licensing from Platforms
o It provides more Flexibility and Scalability of Deployments
AnyConnect Ordering Guide: http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf

Thank you.