I recently added the following line to our AnyConnect .xml profile:
We use a proxy server internally in our network, so when the client computers were set up for this, they couldn't connect to our ASA with AnyConnect when they were off-site. The setting above in their profile fixed this, so even though proxy was enabled in their IE, they could connect with AnyConnect when roaming. So far so good.
Yesterday I added the following to our configuration:
group-policy TEST attributes
msie-proxy method use-server
msie-proxy server value ip.ip.ip.ip:port
msie-proxy local-bypass enable
This config was to make sure that the user's proxy is enabled when connected to VPN. According to Cisco doc the proxy settings on the client should automatically revert to the original settings when disconnecting. All this also works as intended.
But then here comes the funny thing (which isn't funny at all really):
When booting the client computer and starting the AnyConnect client before Windows logon (SBL), I get the attached prompt when trying to connect! This only happens with SBL - not when the user is logged in and then starts the VPN client. I have tried with various proxy user auth that I know are working, but I can't get through, and therefore can't connect before Windows logon. According to Cisco doc, the proxy settings should apply AFTER VPN logon - but it seems it tries to use them BEFORE the connection attempt when using SBL.
Does anyone know why this happens? And can anyone come up with a solution (besides disabling the proxy settings just made)?
Thanks in advance - much appreciated!
Bad news ... I checked the "fixed-in" field in the bugs.
002.005(1002) and 002.005(2000)
meaning they will be fixed in a new release.
The "IgnoreProxy" setting in the AnyConnect XML profile is not functioning when Start Before Login (SBL) is also enabled.
Problem first observed on AnyConnect 2.4.1012 when "IgnoreProxy" is set in the xml profile. Using Start Before Login feature (SBL). Using GPOs to set the proxy before login. Most noticeable when the Proxy that is set is internal/private because AnyConnect will not be able to reach the headend device to make the AnyConnect connection due to the proxy being set. Confirmed the profile is active. The "IgnoreProxy" setting in the profile is working for a non-SBL connection.
1. This does work without SBL. For instance, if you cancel SBL, log on to Windows in the usual way and then start the AnyConnect client. If you then disconnect and reconnect the AnyConnect it does indeed ignore the configured proxy.
2. Disable GPO settings that push the proxy before login.
Note: If you are using GPO to launch scripts, be aware AnyConnect also now has an OnConnect scripting feature to launch scripts as well
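As an added example (not from the thread or from Cisco), here is a small audit script that scans an AnyConnect client profile for the combination the bug description above names: Start Before Logon enabled together with ProxySettings set to IgnoreProxy. The element names UseStartBeforeLogon and ProxySettings under ClientInitialization are assumed to match the AnyConnect profile schema, and the sample profile is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread). The element names are an
# assumption about the AnyConnect profile schema, as are the values
# "IgnoreProxy" and "Native" for ProxySettings.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <ProxySettings>IgnoreProxy</ProxySettings>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _first_text(root, local_name):
    """Return stripped text of the first element with this local (namespace-free) name."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return findings about how SBL and the proxy setting interact in this profile."""
    root = ET.fromstring(xml_text)
    sbl = (_first_text(root, "UseStartBeforeLogon") or "false").lower() == "true"
    proxy = _first_text(root, "ProxySettings") or "Native"
    findings = []
    if sbl and proxy == "IgnoreProxy":
        # The combination reported in the thread: IgnoreProxy is not honoured
        # before Windows logon, so a GPO-pushed proxy blocks the SBL connection.
        findings.append("SBL enabled with ProxySettings=IgnoreProxy: IgnoreProxy is "
                        "not applied before logon; a proxy pushed by GPO can block "
                        "the pre-logon connection and trigger a proxy auth prompt")
    elif sbl and proxy == "Native":
        # Native handling follows the IE/GPO proxy, which in the thread stopped
        # off-site clients from reaching the ASA at all.
        findings.append("SBL enabled with native proxy handling: the pre-logon "
                        "connection goes through whatever proxy IE/GPO has set")
    return findings
```

Run it over each deployed profile before enabling SBL so the affected combination is spotted in review rather than at the user's logon screen.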