Cisco Anyconnect & VPN client

CHI-LTD asked
We are running Cisco Cloud Web Security (AnyConnect client) and the old Cisco VPN client (currently v5), which is EOL and a PITA with Win8+, but works.  The thick VPN client software is managed by us and the firewalls are managed by a 3rd party.

We are looking at migrating from IPSec VPN for our sites (3) to MPLS.  So far the firewalls proposed are Cisco or Fortinet.  I have no preference currently, but would like to keep CWS.

I'm unsure how the Fortinet VPN client (thick and thin (SSL)) works; can we point clients from the web into the firewalls in the MPLS core back to our on-prem AD for authentication?  Can we use SSL and thick VPN clients at the same time on the same firewall(s)?  Also, how good is the VPN client compared to the Cisco AnyConnect?

Regarding the Cisco, can we use SSL and thick client (AnyConnect, right?) and also integrate both VPN & CWS in AnyConnect (labelled Umbrella?)?  What are the licensing options?

Any info would be great.

There's not enough information here.

Is it MPLS between offices over a private link with an internet gateway somewhere, or is it 3 offices with separate internet connections, with MPLS tunnelled over the internet?

FortiGate supports IPSec and SSL VPN. You may use Cisco AnyConnect itself to connect to the FortiGate using IPSec. SSL VPN supports Web and Tunnel mode. For tunnel mode you have to install FortiClient. FortiClient comes with IPSec and SSL VPN client built-in. We are using FortiClient and it is working smoothly without any issues.
FortiGate VPN can be easily integrated with AD for authentication.
For detailed setup details, refer to the videos at https://video.fortinet.com/search?q=ipsec+vpn

Good Luck!


Believe it's this: 3 offices with separate internet connections, with MPLS tunnelled over the internet, with centralised breakout to the web from the core.

There are a few valid views on this.  

In my opinion, firewalls are not needed, although you know your network setup better than I do.  

MPLS is just a big VPN-like network.  You can have MPLS into your office and not need a firewall because everything is tunneled through the MPLS and there is no local internet connectivity to your network.  This is how I've seen it done in most places.  The MPLS is usually terminated by a Cisco 2900 and it is set such that all traffic is routed down the MPLS.  No firewall (between network and Internet) needed on site.  Just a correctly configured router.  Multiply this by 3.

You DO need a firewall at the MPLS core breakout to the Internet.  This is where you would have whatever VPN/firewall technology you prefer.  

As it is a single endpoint, licensing should be simpler than having a firewall at each site.  

This of course is based upon the idea that the three networks are trusted and you don't need to firewall between them.


I agree, which is why we are looking at centralising the firewalls with MPLS.