Anyconnect Og
Anyconnect Og
Anyconnect Og
Cisco AnyConnect
Ordering Guide
March 2017
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 14
Contents
1. Introduction .......................................................................................................................................................... 3
1.1 Purpose, Audience, and Scope....................................................................................................................... 3
1.2 Orderability...................................................................................................................................................... 3
2. Cisco AnyConnect Secure Mobility Client ......................................................................................................... 3
2.1 Servers and Platforms..................................................................................................................................... 4
3. Licenses ............................................................................................................................................................... 4
4. Ordering Information ........................................................................................................................................... 5
4.1 Plus Licenses (12- to 60-Month Term or Perpetual) ....................................................................................... 7
4.2 Apex Licenses (12- to 60-Month Term) ........................................................................................................... 9
4.3 VPN Only Licenses (Perpetual) .................................................................................................................... 10
5. Service Offerings ............................................................................................................................................... 11
6. License Management......................................................................................................................................... 12
6.0.1 Plus and Apex Term Licenses (L-AC-PLS-LIC= or L-AC-APX-LIC=) .................................................... 12
6.0.2 Plus Perpetual (L-AC-PLS-P-G) and Older Plus or Apex Ordering
(L-AC-APX-xYR-G, L-AC-PLS-xYR-G) .......................................................................................................... 12
6.0.3 VPN Only (L-AC-VPNO-xxxx= and AC-VPNO=xxxx) ............................................................................ 13
6.0.4 Firepower Threat Defense (FTD) 6.2.1 and later................................................................................... 13
6.1 Contract Entitlement (Support and Software Center Access) ....................................................................... 13
6.2 Evaluation Licenses ...................................................................................................................................... 14
6.3 Export Classification ..................................................................................................................................... 14
6.4 Strong Encryption Licenses (ASA) ................................................................................................................ 14
6.5 Frequently Asked Questions (FAQ) .............................................................................................................. 14
7. Product Licensing Terms and Conditions ....................................................................................................... 14
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 14
1. Introduction
1.1 Purpose, Audience, and Scope
This document describes the packaging structure and ordering information for the Cisco AnyConnect Secure
Mobility Client.
Audience: This guide is for Cisco sales teams, partners, distributors, and customers.
1.2 Orderability
The following AnyConnect licenses are available:
Release 4.x goes well beyond traditional secure access. It offers a wide range of endpoint security services and
streamlined IT operations from a single unified agent. AnyConnect offers you the ability to achieve tighter security
controls while helping to enable direct, highly secure, per-application access to corporate resources through mobile
per-application VPN services. Cisco AnyConnect also provides robust unified compliance capabilities so that an
endpoints compromised state is less able to affect the integrity of the corporate network. AnyConnect provides
endpoint posture assessment and remediation capabilities for wired, wireless, and VPN environments in
conjunction with Cisco Identity Services Engine 1.3 (with Apex licenses for both solutions). Access can be granted
based on validating an endpoints state (antimalware, patch, disk encryption, and beyond) while out-of-compliance
endpoints can have automated remediation actions or remediation actions based on policy requirements.
Network Visibility Module (Windows and Mac OS X platforms) allows administrators to monitor endpoint application
usage on and off premises to uncover potential behavior anomalies and to make more informed network and
service design decisions. Rich contextual data from the AnyConnect Network Visibility Module can be shared with
a growing number of Internet Protocol Flow Information Export (IPFIX)capable network-analysis tools.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 14
AnyConnect can also assist with the deployment of Cisco Advanced Malware Protection (AMP) for Endpoints with
its AMP Enabler. The AMP Enabler significantly expands endpoint threat protection to VPN-enabled endpoints or
wherever AnyConnect services (802.1X network access, posture, etc.) are in use. This capability further reduces
the potential of an attack from enterprise-connected hosts. Cisco AMP for Endpoints is licensed separately from
Cisco AnyConnect.
The AnyConnect client has built-in web security and malware threat defense. You can use the premises-based
Cisco Web Security Appliance, cloud-based Cisco Cloud Web Security, or Cisco Umbrella Roaming offers. Along
with remote access, the comprehensive and highly secure enterprise mobility solution supports web security and
malware threat defense. It automatically blocks phishing and command-and-control attacks. Consistent, context-
aware security policies help ensure a protected and productive work environment.
In addition to industry-leading VPN capabilities, the AnyConnect client supports advanced IEEE 802.1X
capabilities. A single authentication framework manages user and device identity along with the network access
protocols required to move smoothly from wired to wireless networks. Consistent with its VPN functionality, the
client supports IEEE 802.1AE Media Access Control security (MACsec) for data confidentiality, data integrity, and
data origin authentication on wired networks. Communication between trusted components of the network is
protected.
3. Licenses
AnyConnect 4.x offers simplified licensing to meet the needs of the broad enterprise IT community as it adapts to
growing end-user mobility demands. AnyConnect 4.x collapses the formerly complex AnyConnect licensing model
into two simple tiers. The first is AnyConnect Plus, which includes basic VPN services such as device and
per-application VPN (including third-party IKEv2 remote access VPN headend support), trusted network detection,
basic device context collection, and Federal Information Processing Standards (FIPS) compliance. AnyConnect
Plus also includes other non-VPN services such as the AnyConnect Network Access Manager 802.1X supplicant,
the Cloud Web Security module, and the Cisco Umbrella Roaming module. Existing AnyConnect customers should
think of AnyConnect Plus as similar to the previous AnyConnect Essentials.
The second offer is AnyConnect Apex, which includes more advanced services such as endpoint posture checks
(Hostscan through ASA VPN, or ISE Posture through the Cisco Identity Services Engine), network visibility, next-
generation VPN encryption (including Suite B), and clientless remote access VPN as well as all the capabilities of
AnyConnect Plus. Existing AnyConnect customers should think of AnyConnect Apex as similar to previous
AnyConnect Premium and Premium Shared Licenses. AnyConnect Plus and Apex licenses offer a set of features
and deployment flexibility to meet a wide range of your enterprises requirements. See Table 1 for details. For
enterprises that want only AnyConnect for remote access use cases, there is also the AnyConnect VPN Only
license. Please refer to section 4.3 for additional details on VPN Only licenses.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 14
Table 1. AnyConnect Plus and Apex License Features
Cloud Web Security and Web Security Suite B or next-generation encryption (including third-party IPsec IKEv2 remote VPN clients)
Appliance
Cisco Umbrella Roaming Clientless (browser-based) VPN connectivity
(Umbrella Roaming services are licensed
separately)
Network Access Manager ASA multicontext-mode remote access
Cisco AMP for Endpoints Enabler SAML authentication (new in 4.4 and requires ASA 9.7.1 or later)
(AMP for Endpoints is licensed
separately)
Cisco AnyConnect Apex and Plus licensing eliminates the need to purchase per headend simultaneous-
connections licenses and dedicated license servers. AnyConnect Apex licenses include all AnyConnect Plus
license functionality, so only one type of license is required for each user. Thus, the number of Plus licenses can
be smaller or greater than the number of Apex licenses. This model allows you to mix license tiers across a single
environment, and it shifts licensing from simultaneous connections to total unique users.
AnyConnect Plus and Apex licenses are available as 12- to 60-month subscriptions, AnyConnect Plus licenses are
also available as perpetual licenses. Software Application Support and software upgrades are included in
AnyConnect Plus and Apex subscription licenses. For AnyConnect Plus perpetual licenses, as well as AnyConnect
VPN Only, a SWSS subscription must be purchased separately.
An active subscription or an active SWSS contract is required for all software access and technical support. Please
note that support contracts for the headend termination devices (ASA, ISE, etc.) must be purchased separately.
AnyConnect 4.x licensed customers are also entitled to earlier AnyConnect releases.
Note: The number of licenses needed for AnyConnect Plus or Apex is based on all the possible unique users
that may use any Cisco AnyConnect service. The exact number of Plus or Apex licenses should be based on the
total number of unique users that require the specific services associated with each license type.
4. Ordering Information
All AnyConnect licenses are orderable in Cisco Commerce and are listed on the Global Price List (GPL).
A contract number will be generated for all subscription licenses as well as any perpetual license ordered with a
support contract. If you have an existing contract number, you may request that the new licenses be added to that
contract. You dont have to generate a new contract number. If a new contract number is generated, you will need
to obtain this contract number from your Cisco authorized reseller or account team.
Please follow the instructions in Section 6.1 for ensuring that the contract is linked to your Cisco.com
ID(s). If the contract is not linked, then you will not be able to download AnyConnect software or receive
technical support.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 14
Note: Integrated Services Routers require a Security license (L-SL-xx-SEC-K9=) in addition to an AnyConnect
license.
Subscription Licenses
To order a Plus subscription license, start with L-AC-PLS-LIC=
The quantity of users should be equal to the total number of unique (authorized) users that will make use of
AnyConnect services for each license tier. Please note that the minimum user license size is 25.
The term length will default to 36 months (3 years). It can be adjusted by selecting Edit Service/Subscription -> Edit
Subscriptions. Subscriptions can be purchased for durations between 12 and 60 months. Please note that
additional discounts are offered for subscriptions between 3 and 5 years. When using the ordering method above,
you will be able to co-term licenses by selecting specific start or end dates.
When purchasing licenses from a Cisco authorized reseller, your order may need to be based on the banding SKU
for your particular duration and user count size. Please see Section 4.1 (Table 2) for Plus Licenses and Section 4.2
(Table 4) for Apex licenses for the specific SKUs.
Note: You are allowed to stack AnyConnect Plus and Apex licenses and terms. Doing so will result in the
generation of multiple product activation keys, which should be registered to your Adaptive Security Appliances
(ASAs). PAK registration does not apply to the Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower
Next-Generation Firewall appliances running ASA software, Cisco routers, Cisco ISE, or other Cisco headends.
AnyConnect Plus and Apex PAKs are applied only to physical ASAs. Additional user licenses can be purchased at
a later time. For customers with Firepower Threat Defense (FTD) 6.2.1 or later, please follow the instructions
in Section 6.0.4 in order to share your AnyConnect license with your Smart account.
Perpetual Licenses
Plus Perpetual
To order AnyConnect Plus perpetual licenses, start by choosing L-AC-PLS-P-G. Next choose Select Options and
select the count-based license option(s) based on the total number of possible unique (authorized) users that will
use AnyConnect Plus services. After selecting your user count(s), a high-quantity (99,999) expansion SKU in the
format of L-AC-yyy-S-xY-zzzz is added at no cost. This SKU delivers a multiuse product activation key (PAK),
which can be used to support Adaptive Security Appliance VPN services throughout the enterprise. Please see
Section 4.1 (Table 3) for the specific SKUs. Each ASA is registered to your PAK once per registration attempt
using a quantity of 1.
Note: Cisco Software Support Service (SWSS) must be purchased and maintained separately for all software
access and technical support.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 14
4.1 Plus Licenses (12- to 60-Month Term or Perpetual)
The Plus license tier provides the following services:
VPN functionality for PC and mobile platforms, including per-application VPN on mobile platforms,
Cisco phone VPN, and third-party (non-AnyConnect) IKEv2 VPN clients
Basic endpoint context collection
IEEE 802.1X Windows supplicant
Cisco Cloud Web Security agent for Windows and Mac OS X platforms
(Cloud Web Security services are licensed separately.)
Cisco Umbrella Roaming agent for Windows and Mac OS X platforms
(Umbrella Roaming services are licensed separately.)
Cisco Advanced Malware Protection for Endpoints Enabler
(AMP for Endpoints is licensed separately.)
FIPS compliance
Plus licenses are most applicable in environments previously served by the Cisco AnyConnect Essentials and
Mobile licenses, as well environments serviced by other AnyConnect use cases including Network Access
Manager, Web Security, and Cisco IOS and Adaptive Security Appliance VPN headends.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 14
Term License Banding SKU Description User Range
Note: Plus perpetual licenses require active Cisco Software Support Service (SWSS) for software access and
technical support.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 14
4.2 Apex Licenses (12- to 60-Month Term)
The AnyConnect Apex license tier provides the following services:
Clientless (browser-based) VPN termination on the Cisco Adaptive Security Appliance
VPN compliance and posture agent in conjunction with the Cisco Adaptive Security Appliance
Unified compliance and posture agent in conjunction with the Cisco Identity Services Engine 1.3 or later
Next-generation encryption (Suite B) with AnyConnect and third-party (non-AnyConnect) IKEv2 VPN clients
Network Visibility Module
ASA multicontext-mode remote access
SAML Authentication (new in 4.4 with ASA 9.7.1 or later)
All Plus services described above
Apex licenses are most applicable to environments previously served by the Cisco AnyConnect Premium, Shared,
Flex, and Advanced Endpoint Assessment licenses.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 14
Term License Banding SKU Description User Range
Note: AnyConnect VPN Only is licensed based on a single headend device and simultaneous connections (not
authorized users). VPN Only licenses are an alternative to the AnyConnect Plus and Apex model. No other
AnyConnect function or service (such as the Web Security Module, Cisco Umbrella Roaming, ISE Posture,
Network Visibility, or Network Access Manager) is available with the AnyConnect VPN Only licenses. The VPN
Only licenses cannot be transferred, rehosted, shared, combined, split, or directly upgraded to another VPN Only
license size. These licenses do not coexist with Plus or Apex licensing or any retired AnyConnect licenses.
Note: AnyConnect VPN Only licenses require an active Cisco Software Support Services (SWSS) contract for
software access and technical support. All ASA headends in a VPN Only license environment also must have
active AnyConnect SASU support contracts. During a covered Smart Net Total Care return material authorization
(RMA) replacement of an ASA hardware device, VPN Only licenses covered under an active SWSS contract will
be moved to the replacement hardware provided by Cisco.
Perpetual License (Spare): Perpetual License (ASA Option):
L-AC-VPNO-xxxx= AC-VPNO-xxxx
(xxxx = simultaneous user count from Table 4; may not (xxxx = simultaneous user count from Table 4; may not
exceed platform capabilities) exceed platform capabilities)
Refer to Table 4 for specific SASU (support contract) SKUs. Refer to Table 4 for specific SWSS (support contract) SKUs.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 14
Table 5. VPN Only SKUs (Simultaneous Connections/Single Headend)
L-AC-VPNO-25= Cisco AnyConnect VPN Only Perpetual License/25 simultaneous connections CON-EMCU-ACVO25
L-AC-VPNO-50= Cisco AnyConnect VPN Only Perpetual License/50 simultaneous connections CON-EMCU-ACVO50
L-AC-VPNO-100= Cisco AnyConnect VPN Only Perpetual License/100 simultaneous connections CON-EMCU-ACVO100
L-AC-VPNO-250= Cisco AnyConnect VPN Only Perpetual License/250 simultaneous connections CON-EMCU-AVOL250
L-AC-VPNO-500= Cisco AnyConnect VPN Only Perpetual License/500 simultaneous connections CON-EMCU-ACVO500
L-AC-VNPO-1K= Cisco AnyConnect VPN Only Perpetual License/1,000 simultaneous connections CON-EMCU-ACVO1K
L-AC-VPNO-2500= Cisco AnyConnect VPN Only Perpetual License/2,500 simultaneous connections CON-EMCU-ACVO2500
L-AC-VPNO-5K= Cisco AnyConnect VPN Only Perpetual License/5,000 simultaneous connections CON-EMCU-ACVO5K
L-AC-VPNO-10K= Cisco AnyConnect VPN Only Perpetual License/10,000 simultaneous connections CON-EMCU-ACVO10K
AC-VPNO-25 Cisco AnyConnect VPN Only Perpetual License/25 simultaneous connections CON-EMCU-ACVA25
AC-VPNO-50 Cisco AnyConnect VPN Only Perpetual License/50 simultaneous connections CON-EMCU-ACVA50
AC-VPNO-100 Cisco AnyConnect VPN Only Perpetual License/100 simultaneous connections CON-EMCU-ACVA100
AC-VPNO-250 Cisco AnyConnect VPN Only Perpetual License/250 simultaneous connections CON-EMCU-AVA250
AC-VPNO-500 Cisco AnyConnect VPN Only Perpetual License/500 simultaneous connections CON-EMCU-ACVA500
AC-VPNO-1K Cisco AnyConnect VPN Only Perpetual License/1,000 simultaneous connections CON-EMCU-ACVA1K
AC-VPNO-2500 Cisco AnyConnect VPN Only Perpetual License/2,500 simultaneous connections CON-EMCU-ACVA2500
AC-VPNO-5K Cisco AnyConnect VPN Only Perpetual License/5,000 simultaneous connections CON-EMCU-ACVA5K
AC-VPNO-10K Cisco AnyConnect VPN Only Perpetual License/10,000 simultaneous connections CON-EMCU-ACVA10K
Note: For headend devices supporting more than 10,000 simultaneous connections, more than one VPN Only
license can be purchased to support the maximum simultaneous capacity of the platform. For example, if the
device supports 20,000 connections, two L-AC-VPNO-10K= licenses can be purchased. For those devices, the
physical PAK registration process does not apply. Spare licenses (L-AC-VPNO-xxxx=) are sent by eDelivery. ASA
Options (AC-VPNO-xxx) will be printed physically and mailed together with the ASA ordered with this option.
5. Service Offerings
Support and software updates are included for the duration of all AnyConnect term based licenses. Plus perpetual
and VPN Only perpetual licenses require the additional purchase of Cisco Software Support Service (SWSS) to
obtain software access and technical support. Cisco Smart Net Total Care support contracts for the headend
termination devices must be purchased separately.
This support entitles customers to the services listed here for the full term of the purchased software subscription:
Software updates and major upgrades to keep AnyConnect performing optimally with the most current
feature set
Access to the Cisco Technical Assistance Center, which provides fast, specialized support
Registered access to Cisco.com
Please refer to the following link for more detailed information regarding Cisco Software Support Service:
http://www.cisco.com/c/en/us/services/technical/software-support-service-swss.html
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 14
6. License Management
Cisco offers a variety of license management tools at the License Management portal. A valid Cisco.com user
name and password are required to use the portal.
When a Cisco Adaptive Security Appliance (ASA) is used with AnyConnect, you must register each individual ASA
appliance to each AnyConnect Plus or Apex license that you purchase. The license registration process should not
be completed for the Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower, Cisco ISE, Cisco IOS, or
other headends. See Section 6.0.4 for instructions on sharing your AnyConnect license with your Smart
account, which is required for Firepower Threat Defense (FTD) 6.2.1 and later. Contract entitlement
(Section 6.1) should be completed regardless of the headend. Otherwise you will not be able to download
AnyConnect software or obtain tech support.
Note: When registering a license to your ASA, it is important that you confirm the serial number for your
appliance by using the Show Version command or the appliances device manager.
Note: For all AnyConnect Plus and Apex licenses, the Adaptive Security Appliance (ASA) license emailed to you
after activating your key will display only the simultaneous hardware user capacity of your appliance, not your
authorized user license count or AnyConnect license tier (Plus or Apex). To look up the user license purchased or
term remaining, please access your support contract through the Cisco Service Contract Center.
For subsequent registrations, you request an activation code on the Cisco.com license portal under Get Other
Licenses Share License Process ASA AnyConnect Term and Content. You will be prompted to enter a source
and target serial number. The source serial number can be any serial number currently sharing this license. The
target serial number is the ASA serial number you wish to share it with. If the source serial number has multiple
Plus or Apex licenses, you will be able to select multiple licenses to share at once. If you have multiple co-termed
licenses, each of them should be shared with all the ASA serial numbers. The ASA key itself will not change when
you share multiple licenses.
After completing this process, you will be emailed an activation code and instructions to complete the sharing
process. You must repeat this process for each additional ASA serial number you wish to share the license with.
Only the Cisco.com ID tied to the initial license registration process can share your license with additional devices.
6.0.2 Plus Perpetual (L-AC-PLS-P-G) and Older Plus or Apex Ordering (L-AC-APX-xYR-G, L-AC-PLS-xYR-G)
The product activation key (PAK) will be used for all subsequent ASA device registrations. For each PAK
registration submission you can associate only one Adaptive Security Appliance (ASA) on a single license
registration page.
The same product activation key (PAK) can be applied to multiple appliances by repeating this process.
If you have purchased multiple license tiers or user counts, register each activation key individually to all of your
appliance serial numbers. A quantity of 1 should be used with all registrations.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 12 of 14
6.0.3 VPN Only (L-AC-VPNO-xxxx= and AC-VPNO=xxxx)
The PAK will be used for your ASA device registration, it is not used for any other Cisco headend device. This PAK
can be used only once.
Note: This license cannot be transferred after it is registered, so please make sure you are registering the
license for the correct ASA serial number from show version.
In order to activate your AnyConnect Plus, Apex or VPN Only license(s) with Firepower Threat Defense (FTD)
6.2.1 or later, it must be shared with your Smart account. To complete the sharing process, please open up a case
with Cisco Global Licensing (GLO) using this link and fill in the requested information.
If the above link is not available, you may send an email to [email protected] with the following subject and
information filled in:
Message Body:
Please share the below AnyConnect license by provisioning Smart AnyConnect entitlement to the Smart Account
and Virtual Account as specified below.
To use your Cisco.com ID for support and Software Center access, you must first locate the contract number
generated with your order. The contract number is not the same as your product activation key or Cisco sales
order. You must obtain your contract number directly from your Cisco reseller. A contract number is usually
generated within a week after your product activation key eDelivery. When an order is placed with Cisco, your
authorized reseller or account team can specify an existing contract number already belonging to your
organization.
If your reseller is unable to link your contract number to your Cisco.com ID, you can request that the contract be
linked to your Cisco.com ID directly by mailing [email protected] with your contract number and Cisco.com
ID and a short note requesting the linking to be completed for full access (support and Software Center
downloads). Your Cisco.com ID profile details (company, address, etc.) must match the details on the order.
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 13 of 14
6.2 Evaluation Licenses
Cisco offers 4-week Apex evaluation licenses that incorporate all Plus license functionality. To obtain an evaluation
license, please visit: https://www.cisco.com/go/license.
Select the following: Get Other Licenses -> Demo and Evaluation -> Security Products -> AnyConnect Plus/Apex
(ASA) Demo license.
Get Other Licenses -> IPS, Crypto, Other -> Security Products -> Cisco ASA 3DES/AES License
2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 14