AnyConnect 4 – Plus and Apex Licensing Explained

KB ID 0001013 

Problem

(Updated 11/05/21)

Before version 4 we simply had AnyConnect Essentials and Premium licensing, now we have Plus and Apex licensing.

AnyConnect Plus and Apex

There are in fact three licensing options;

  • Cisco AnyConnect Plus Subscription Licenses
  • Cisco AnyConnect Plus Perpetual Licenses
  • Cisco AnyConnect Apex Subscription Licenses
  • NEW VPN Only perpetual Licences

Plus and Apex Contain;

AnyConnect PLUS (Cisco pitch “Equivalent to the old Essentials License”).

  • VPN functionality for PC and mobile platforms, including per-app VPN on mobile platforms.
  • Basic endpoint context collection (Note: NOT full ISE context support).
  • IEEE 802.1X Windows supplicant.
  • Cisco Cloud Web Security agent for Windows & Mac OS X platforms.
  • Cisco Web Security Appliance support.
  • FIPS compliance.

AnyConnect APEX (Cisco pitch “Equivalent to the old Premium License”).

  • Everything that’s included in AnyConnect Plus.
  • Clientless (browser-based) VPN termination on the Cisco ASA.
  • VPN Compliance/Posture agent in conjunction with the Cisco ASA.
  • Unified Compliance/Posture agent in conjunction with the Cisco ISE 1.3 or later.
  • Next Generation Encryption/Suite B.

Both licenses are available as 1, 2 and 5 (not 3 as listed on the Cisco website) year subscription, or you can buy Plus licenses with a perpetual license option.

Note: For PLUS Licences look at SKUs starting L-AC-PLS, for APEX Licences look at SKUs starting L-AC-APX.

(Note: if you have a Plus Perpetual license you still need to purchase a software applications support plus upgrades (SASU) contract.)

Regardless of which you buy, the SASU for AnyConnect is NOT included in the support contract for the parent device e.g. the SmartNet on your Cisco ASA Firewall.

To purchase support you order the parent license (SKU: L-AC-PLS-P-G) which has no cost, then you add in the relevant license for the amount of clients you have e.g. AC-PLS-P-500-S for 500 users, AC-PLS-P-2000-S for 2000 users etc.

BE AWARE: AnyConnect 4 Licenses will display as AnyConnect Premium licenses when you issue a ‘show version’ command. Adding an AnyConnect 4 License (regardless of the quantity of licenses added) will license the ASA to the maximum permitted AnyConnect Premium license count for the ASA hardware platform (listed per platform below).

New AnyConnect VPN Only Licences (Perpetual)

You can now purchase VPN Only perpetual licences, they are sold by ‘Concurrent VPN Connection‘. You order them like so;

L-AC-VPNO-25 (for 25 concurrent VPN connections), you can also buy in 50, 100, 250, 500, 1K, 2500, 5K, and 10K versions, depending on what your device will physically support (see below).

Cisco ASA Maximum VPN Peers / Sessions

Cisco Firepower Firewalls

FPR-1010 = 75
FPR-1120 = 150
FPR-1130 = 400
FPR-1140 = 800
FPR-2110 = 1500
FPR-2120 = 3500
FPR-2130 = 7500
FPR-2140 = 10,000
FPR-4110 = 10,000
FPR-4112 = 10,000
FPR-4115 = 15,000
FPR-4120 = 20,000
FPR-4125 = 20,000
FPR-4140 = 20,000
FPR-4145 = 20,000
FPR-4150 = 20,000
FPR-9300-SM24 = 20,000 
FPR-9300-SM36 = 20,000
FPR-9300-SM40 = 20,000
FPR-9300-SM44 = 20,000
FPR-9300-3xSM44 = 60,000
FPR-9300-SM48 = 20,000
FPR-9300-SM56 = 20,000
FPR-9300-SM3x56 = 60,000

Cisco ASA 5500-X Firewalls

5506-X = 50
5508-X = 100
5512-X = 250
5515-X = 250
5516-X = 300
5525-X = 750
5545-X = 2500
5555-X = 5000
5585-X = 10,000

Cisco ASA 5500 Firewalls

5505 = 25 
5510 = 250 
5520 = 750 
5540 = 5,000 
5550 = 5,000 
5580 = 10,000

Cisco ASAv Firewalls

ASAv5  = 50
ASAv10 = 100
ASAv30 = 750
ASAv50 = 10,000
 

Related Articles, References, Credits, or External Links

Cisco AnyConnect – Essentials / Premium Licenses Explained

Cisco ASA 5500 – Adding Licenses

Cisco AnyConnect Ordering Guide

Migration From Exchange 2010 to Exchange 2016 (& 2013)

Part 1

KB ID 0000788

Problem

To complete a migration from Exchange 2010 (or 2007) to Exchange 2016/2013, you need to introduce Exchange 2016 into your existing Exchange environment, then migrate your content onto the new server(s), and finally remove Exchange 2010.

Solution

Assumptions:

In this example I’ve got an existing Exchange 2010 environment running on Windows Server 2008 R2. I’m putting in Exchange 2016 onto a new server running Server 2012. Post install the NEW server will hold client access, and mailbox roles.

Exchange 2013/2016 Role Placement

Unlike with previous versions of Exchange, the 2016/2013 approach is NOT to split up roles to different servers, it’s considered good practice to deploy all roles on all Exchange servers.

Exchange 2013/2016 Licensing

Unless you have Microsoft “Software Assurance” you cannot simply upgrade to Exchange 2016 for free. You will need to buy the Exchange 2016 Base product. You may wish to look at an “Open Value Agreement”, which lets you pay the cost over a three year term.

The Exchange 2016 (on-premises) software itself comes in two flavours, Standard and Enterprise.

Standard: For small Exchange deployments (1-5 Mailbox Databases) and for non mailbox role servers in larger Exchange deployments.

Enterprise: For large Exchange deployments (1-50 Mailbox Databases).

Exchange 2013/2016 Client Access Licenses

As before there are two types of CAL for Exchange 2016 access. These are also ‘confusingly’ called Standard and Enterprise.

Note: An Enterprise CAL is NOT just for Exchange Enterprise 2016 and a Standard CAL is NOT just for Exchange Standard, this is a common mistake. Though you can mix and match, i.e. a standard CAL is required for all mailbox users or devices, adding an Enterprise CAL is only required for those existing users or devices requiring additional functionality.

Standard CAL: Required for all users (or devices) that require access to an Exchange mailbox. For most people these will be the CALS you need to purchase.

Enterprise CAL: Is an additional license that’s added to the Standard license, this enables the user to use archiving/journaling and unified messaging (Requires Outlook 2013). It also gives access to more advanced ActiveSync management policies and custom retention policies.

Exchange 2016/2013 Migration Step 1 “Planning / Pre Site Visit”

1. Media and Licenses: Before you start you will need to have the Exchange 2016 or 2013 CU2 (CU1 = Minimum) version of the install media (.iso or DVD). DO NOT attempt to perform the migration with a version of Exchange 2013 media that IS NOT at least CU1. Warning, this will be a DVD image (over 3.5 GB), you may wish to get this downloaded from a site with a decent Internet connection!

2. Make sure any third party Exchange software you are currently running is also supported on Exchange 2016, e.g. Anti Virus, Backup Solutions, Archiving, Mail Management, Mobile Device Software, etc, check with the software vendor.

3. DO NOT CONSIDER migrating anything until you know you have a good backup of your current Exchange environment. If you are lucky enough to have VMware ESX, Hyper-V or another virtualisation platform, consider doing a P2V conversion on your Exchange 2010 server then simply turning the 2010 Server off, then if it all goes to hell in a hand cart simply turn the original server back on again.

4. Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

Exchange 2016

  • Outlook 2016
  • Outlook 2013.
  • Outlook 2010 (With KB2965295)
  • Outlook for Mac 2011.
  • Outlook for Mac for Office 365

Exchange 2013

All of the above and 

  • Outlook 2007 (With SP3 and this update).
  • Entourage 2008 for Mac, Web Services Edition.

Exchange 2013/2016 Migration Step 2 “Pre-Install”

I would suggest you run through the Microsoft Exchange Server Deployment Assistant, as a “Belt and braces” approach to the migration.

1. Before you do anything, it’s time for a common sense check, make sure your existing Exchange 2010 Organisation is happy and running cleanly, and has good communication with both the domain and your DNS. Get in the event logs and make sure it’s a happy server.

Time spent on reconnaissance is seldom wasted!

2. Run a full Windows update on your existing Exchange server(s), this will install any Exchange roll-ups that are outstanding.

3. If you are planning to utilise DAG, then you should install the following hot-fix on your Exchange 2010 servers before deploying SP3.

4. For coexistence of Exchange 2010 and Exchange 2016/2013, Your Exchange 2010 Servers must have Service pack 3 installed. If you are upgrading from service pack 1 you may see the following error.

Exchange 2010 Service Pack 3 Error – ‘The IIS 6 WMI Compatibility component is required’

5. After SP3 apply the latest Update Rollup.

Exchange 2013/2016 Migration Step 3 “Server Prerequisites”

1. The server that will run Exchange 2016, will need to be a domain member*, and I would run all the current updates before you start.

Once that is complete there are a number of server roles that will need adding. (Note: in Exchange 2013 these roles are the SAME for both CAS and Mailbox Servers, in 2016 there is only mailbox and edge servers anyway).

*Note: As with previous versions of Exchange it is recommended that you DO NOT run Exchange 2016 on a domain controller.

To add the Exchange 2013/2016 Server roles via PowerShell

Note: Here on my ‘Test Network’ the server in question is also a domain controller. In your production environment this will probably NOT be the case. If so, you will need to install the Remote Server Administration Tools for Active Directory.

[box]

Install-WindowsFeature RSAT-ADDS

[/box]

Issue the following commands;

[box]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-Clustering-CmdInterface

Then Reboot;

Restart-Computer

[/box]

2. You will need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

3. Exchange 2013 Only: You will also need to install the Microsoft Office 2010 Filter Pack 64 bit and Microsoft Office 2010 Filter Pack SP1 64 bit.

Exchange 2013/2016 Migration Step 4 “Install Exchange 2013/2016”

Note: Ensure the Exchange 2013 Media version you are using is CU2. 

1. Insert the DVD or open the install files and run setup.exe. It will attempt to find any outstanding updates before it starts.

2. Next.

3. Setup will begin copying files.

4. Next.

5. Accept the EULA > Next.

6. I tend to disable feedback, but the choice is yours > Next.

7. Select the server roles that you wish to install.

8. Select the folder that you wish to install the Exchange program into.

Note: Remember if deploying multiple Exchange 2013/2016 servers, it’s considered good practice to keep the folder paths contiguous across all the servers.

9. If you plan to deploy third party malware protection (post Install), then you might wish to disable this, but in most cases you will want it enabled > Next.

Note: This is built on technology that was called ‘Forefront’ in previous versions of Exchange.

10. Pre deployment readiness checks will be carried out > when complete > Next.

11. Setup will take quite some time.

12. When complete, tick the box to launch the admin console > Finish.

13. After a few seconds the Exchange Admin Center will open.

Note: If you log in and get a blank screen, ensure your user has ‘inheritable permissions’ enabled (on the security tab of their user object in AD).

14. At this point I would move the new Exchange Database from its default location to its own volume/folder, (again keep this path contiguous across all the new servers). The following PowerShell command will do this for you;

[box]Move-DatabasePath -Identity "Database Name" -EdbFilePath "E:\Folder Name\Database name.edb" -LogFolderPath "E:\Folder Name"[/box]

Exchange 2013/2016 Migration Step 5 “Migrate Mailbox’s”

STOP! Before you proceed you need to think about OWA access. For internal access this will not be a problem BUT if you have users that access OWA externally (e.g. via https://mail.yourpublicdomain.com/owa) Then you will have to DO SOME PLANNING. Unless you have two free public IP addresses, your router/firewall can only point to one CAS server at a time.

STOP AGAIN! OK I’ve had more than one email about this, so here’s a warning. Moving mailboxes creates logs; the more you move, the more logs it creates. The only way to clear these logs properly is to do an Exchange Aware/VSS Level backup. If you just start moving mailboxes without keeping an eye on this you can fill up a volume with logs, and if you are daft enough to have this on your system volume you can take the server down, you have been warned! Or see the following article;

Exchange 2016 Enable Circular Logging

1. First make sure that the new server can see the existing Exchange infrastructure. From within the Exchange Admin Center > Servers. You should see both your Exchange 2010 Servers and the new Exchange 2016 Server.

Note: You can see the same with the following PowerShell command;

[box]Get-ExchangeServer | select Name, ServerRole, AdminDisplayVersion | ft -auto[/box]

2. Test move one mailbox from Exchange 2010 to 2016, Recipients > Mailboxes > Locate our Test User > Move Mailbox.

3. Give the test migration a name, and browse to the new datastore (Note: If the move fails you can increase both the BadItem limit and the LargeItem limit here as well) > Next.

4. New.

5. You will be asked if you want to go to the ‘Migration Dashboard’.

6. Here you can watch progress (remember to keep hitting ‘refresh’).

7. If you prefer to use PowerShell you can migrate all mailboxes from one database to another with the following command;

[box]

Get-Mailbox -Database Mailbox-Database | New-MoveRequest -TargetDatabase Mailbox-Database-2013/16

If you have more than 1000 mailboxes use the following instead,

Get-Mailbox -Database Mailbox-Database -ResultSize Unlimited | New-MoveRequest -TargetDatabase Mailbox-Database-2013

[/box]

Depending on the amount of mailboxes this can take a while!

8. Then test mail flow to/from this mailbox to internal recipients in the Exchange 2010 infrastructure, and then test mail flow to/from an external mailbox.

Note: At this point you might struggle to connect to the Exchange 2016 Admin Center as ‘Administrator’, because that user’s mailbox is still on the Exchange 2010 Server. If that happens to you and you are ‘Locked Out‘ of the Exchange Admin Center, simply add the user you migrated already, to the Exchange Organization Management group, and log in as that user to https://{Exchange-2016-Server-Name}/ecp

9. You can now migrate the remainder of your mailboxes.

Note: Depending on mailbox size this can take a VERY LONG time, I would suggest staging this migration gradually. To view progress;

[box]

Get-MoveRequestStatistics -MoveRequestQueue "Mailbox-Database-2013"

To check if anything is left in the OLD Database;

Get-MailboxDatabase -Identity "Mailbox-Database" | Get-Mailbox

[/box]
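
A staged version of the bulk move from steps 7 and 9, added here as an example (it is not the article's own script): it moves mailboxes in small batches and stops when the target database's log volume runs low, which is the failure the STOP AGAIN warning above describes. The database names, batch size and free-space threshold are placeholders, and it assumes the script runs in the Exchange Management Shell on the new server with the logs on a lettered drive.

```powershell
# Added example. Run in the Exchange Management Shell on the new server.
# Names and thresholds are placeholders (assumptions), not the article's values.
$SourceDatabase = 'Mailbox-Database'        # old Exchange 2010 database
$TargetDatabase = 'Mailbox-Database-2016'   # database on the new server
$BatchSize      = 20                        # mailboxes moved per stage
$MinFreePercent = 25                        # stop below this much free log space
$Finished = 'Completed', 'CompletedWithWarning', 'Failed', 'Suspended', 'AutoSuspended'

function Get-LogVolumeFreePercent {
    param([Parameter(Mandatory = $true)][string]$Database)
    # Logs for incoming moves are written to the target database's log folder.
    $logPath = [string](Get-MailboxDatabase -Identity $Database).LogFolderPath
    $drive   = Split-Path -Path $logPath -Qualifier      # e.g. "E:"
    $disk    = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { throw "Cannot read free space for $drive" }
    [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
}

# Everything still homed on the old database.
$mailboxes = @(Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited)

for ($i = 0; $i -lt $mailboxes.Count; $i += $BatchSize) {
    # Check the log volume before queuing each stage, not just once at the start.
    $free = Get-LogVolumeFreePercent -Database $TargetDatabase
    if ($free -lt $MinFreePercent) {
        Write-Warning "Log volume at ${free}% free. Run an Exchange-aware backup to truncate logs, then re-run."
        break
    }

    $last  = [math]::Min($i + $BatchSize, $mailboxes.Count) - 1
    $batch = 'Stage-{0:D3}' -f [int]($i / $BatchSize + 1)
    $mailboxes[$i..$last] |
        New-MoveRequest -TargetDatabase $TargetDatabase -BatchName $batch | Out-Null

    # Wait for every request in this stage to reach a terminal state before queuing more.
    do {
        Start-Sleep -Seconds 60
        $active = @(Get-MoveRequest -BatchName $batch |
                    Where-Object { $Finished -notcontains [string]$_.Status })
    } while ($active.Count -gt 0)

    # Per-mailbox result for the stage, including any bad items skipped.
    Get-MoveRequest -BatchName $batch | Get-MoveRequestStatistics |
        Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize
}
```

Mailboxes that finish moving no longer appear in the source database, so re-running the script after a backup picks up only what is left.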

Exchange 2013/2016 Migration Step 6 “Change Mail flow”

At this point you need to change the SMTP feed from the old Exchange 2010 box to the new Exchange 2016 Server, how you do this depends on your network setup, some examples of how you might do this are,

i. Change the SMTP (TCP Port 25) Port redirect on your router/firewall. 
ii. Swap IP addresses from the old to the new server.
iii. Change the translation from public to private IP address to point to the new IP.

Note: If you have any mail scanning servers, anti spam hardware devices etc, then they will also need changing to point to the new server.

1. You will need to add the new server to your Exchange ‘Send Connector’ and remove the Exchange 2010 Server. (Note: I’m assuming you only have one send connector, if you have more than one i.e. for particular domains, or for secure TLS mail you will need to do these as well). From Exchange Admin Center > Mail flow > Send connectors > Select the send connector > Edit > Scoping > Add the 2016 server > Remove the 2010 server > Save.

2. You will not need to create receive connectors on the Exchange 2016 Server, if you navigate to mail flow > receive connectors > Change the drop down to point to the Exchange 2013 Server. You will see there is a ‘Default Frontend’ Connector already configured for Exchange 2016.

3. At this point, it would be sensible to once again check mail flow, to and from an external mail account.

 

Related Articles, References, Credits, or External Links

Thanks to Simcha Kope for the feedback (Adding RSAT-ADDS)
Thanks to Austin Weber for spotting my PowerShell typo.
Thanks to Tony Blunt for the log file PowerShell syntax omission.

Migration From Exchange 2010 to Exchange 2016 Part 2

How To Install Exchange 2016 (Greenfield Site)

Original Article Written 03/06/13

Cisco ASA 5500 – Install and Configure a CSC Module

KB ID 0000731 

Problem

The Cisco CSC module provides ‘in line’ scanning of POP3, SMTP, HTTP and FTP traffic, to protect against viruses but also for anti spam and anti phish (with the correct licensing).

If you are familiar with Trend products, you will like it, (because that’s what it runs), and the interface is much the same as Trend IWSS.

It is a hardware device that plugs into the back of the ASA, and comes in two flavours.

1. CSC-SSM-10 (50 to 500 users, depending on licenses) for ASA 5510 and 5520.

2. CSC-SSM-20 (500 to 100 users, depending on licenses) for ASA 5510, 5520, and 5540.

In addition to licensing the amount of users, you can also buy a Plus License, this enables anti-spam, anti-phish, URL filtering, and blocking control. (Note: This license expires and must be renewed annually).

Solution

Some licenses on the CSC are time specific, I would consider setting the ASA’s internal clock before you start.

Set the ASA to get time from an External NTP Server

Step 1: License the Cisco CSC Module

1. Connect to the ASA via command line, go to enable mode and issue the following command;


From the output you should be able to get the serial number of the CSC module (write it down).

2. In the box with the CSC/ASA should be an envelope containing the PAK for the CSC module, write that number down as well.

3. Go to the Cisco license portal here, Note: If you do not have a Cisco CCO account you may need to create one. Enter your PAK code > Fulfill Single PAK.

Note: If you have multiple PAK codes, you can do them at once with the ‘Load more PAK’s’ button, this may be the case if you also have a ‘plus’ license to add.

4. Enter the serial number of your CSC module and the person/company from whom you bought it > Next.

5. It should display your valid email address (from your CCO account). Tick the box to accept the terms and conditions > Get License.

6. Scroll down and accept, then select DOWNLOAD, (that way you won’t have to wait for it to be emailed to you).

7. Open the license file (will have a .lic extension) with notepad and you should see two keys.

Step 2: Setup the CSC Module

Note: Here I’m going to simply set up inspection of everything on all interfaces, this might not be what you want, i.e. if there’s no mail server in the DMZ why would you want to inspect all DMZ traffic for SMTP?

1. Connect to the firewall’s ASDM console > Trend Micro Content Security > It should point you straight to the setup wizard.

9. Enter the base and plus license codes. Note: The plus license code that comes with the CSC is just an evaluation one, if you have purchased a plus license separately, then paste THAT code in instead.

10. Enter the network settings you require for the CSC (it requires its own network connection). It has a single RJ45 network socket on the CSC module’s back plane, connect that to your LAN > Next.

11. Supply a name for the CSC module and details of your email server (if you require email notification) > Next > enter the IP addresses that will be allowed access to the CSC web console > Next > Change the password Note: The original password will be cisco > Next.

12. Select what traffic you want to inspect, here I’ve selected all traffic all interfaces > I’ve set the CSC to fail open (if there’s a problem it simply passes traffic, if you have it on fail close and the CSC encounters a problem all http, smtp, ftp, and pop traffic will be blocked until the problem is resolved) > OK > Next.

13. Review the settings > Finish.

Note: You may get a warning if you set ‘fail open’ above that’s OK.

Connecting to and Managing the Cisco CSC Module

Although you can access the CSC settings via the ASDM, the easiest way is via its web interface, you set the IP address in step 2 number 10 above, navigate to
https://{ip-address}:8443

Note: You should now set the CSC module so that it DOES NOT scan its own update traffic, see the following article.

Cisco CSC Module – Stop it scanning its own update traffic

Adding a ‘PLUS’ License to a Cisco CSC

If you add the plus license later, you will obtain the code in the same manner as you did above (put the PAK and the CSC Serial number into the licensing portal and have it sent to you).

1. Once you have the code, open a web session to the CSC management interface https://{ip-address}:8443 > Administration > Licensing > Enter a new code.

2. Paste in the new code > Activate.

3. It may look like it has hung, wait a minute or so, and check the licensing tab again.

Related Articles, References, Credits, or External Links

Cisco CSC Module Error – Activation Warning

Apple Devices will not Update Though Cisco ASA and CSC Module

Outlook Error 0x800CCC0F – Using POP3 To Exchange – Behind a Cisco CSC (Trend InterScan) Module