Changing the AnyConnect host connection

Andy White
Level 3

Hello,

We have many users using the Cisco AnyConnect client and to get to our company they go to vpn.company.co.uk. We are changing our company name so we are creating a new FQDN called for example vpn.newcompany.co.uk which will point to our ASA.

1.) Thing is, will we need a new SSL cert on the ASA?

2.) If so can the new cert incorporate both FQDNs?

3.) How can I automatically change the host users connect to in the AnyConnect clients to reflect the new FQDN?

Thanks

2 Replies

1.) Thing is, will we need a new SSL cert on the ASA?

Yes, you will need a new SSL certificate which includes the new domain name.

2.) If so can the new cert incorporate both FQDNs?

Yes, if you purchase a wildcard certificate I believe you can have 5 domain names referenced in it.

3.) How can I automatically change the host users connect to in the AnyConnect clients to reflect the new FQDN?

If you purchase the certificate from a well-known provider, chances are that your clients will already have the public key installed on their PC. If not, the user should be prompted to accept and install the certificate upon first connection.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

2.) If so can the new cert incorporate both FQDNs?

Yes, if you purchase a wildcard certificate I believe you can have 5 domain names referenced in it.

You are mixing two kinds of certificates here:

Wildcard-certificates don't have the "host" part. If you have a wildcard-certificate *.example.com then you can use anything.example.com.

The other thing is UCC, there you can have multiple FQDNs listed. It's the CA-policy that tells you how many names can be included there. For one project I have had a certificate with about 30 names in it.

3.) How can I automatically change the host users connect to in the AnyConnect clients to reflect the new FQDN?

You could deploy AnyConnect-profiles with both the old and the new name listed. When all users have got the profile, the old name can be removed:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac03vpn.html#wp1448620

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
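
The wildcard versus multi-name distinction from the thread, as an added example that is not part of any post above and is not Cisco code: a small check of which VPN hostnames a certificate's SAN dNSName list covers. The SAN lists are constructed from the thread's placeholder FQDNs, and the function names are hypothetical.

```python
# Added example: which hostnames does a certificate's SAN dNSName list cover?
# All names below are constructed from the thread's placeholder FQDNs.

def _match(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and
    stands for exactly one label, so *.company.co.uk never covers
    vpn.newcompany.co.uk or a.b.company.co.uk.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def coverage(san_dns_names, hostnames):
    """Return {hostname: first matching SAN entry, or None if uncovered}."""
    return {
        host: next((s for s in san_dns_names if _match(s, host)), None)
        for host in hostnames
    }


def uncovered(san_dns_names, hostnames):
    """Hostnames that would fail certificate name validation."""
    return [h for h, s in coverage(san_dns_names, hostnames).items() if s is None]


# Constructed inputs: the old and new FQDNs from the question.
REQUIRED = ["vpn.company.co.uk", "vpn.newcompany.co.uk"]
WILDCARD_ONLY = ["*.company.co.uk"]  # wildcard for the old domain only
MULTI_NAME = ["vpn.company.co.uk", "vpn.newcompany.co.uk"]  # UCC / multi-SAN

if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_ONLY), ("multi-SAN", MULTI_NAME)):
        print(label, "->", uncovered(sans, REQUIRED) or "all names covered")
```

Running the same check against the SAN list of the certificate actually installed on the ASA, before the old name is removed from the profiles, shows whether both names validate during the transition.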
