diff --git a/src/config.c b/src/config.c
index 878127ca..c1614aa7 100644
--- a/src/config.c
+++ b/src/config.c
@@ -801,9 +801,7 @@ size_t urlfw_size = 0;
READ_STRING("ocsp-response", config->ocsp_response);
-#ifdef ANYCONNECT_CLIENT_COMPAT
READ_STRING("user-profile", config->xml_config_file);
-#endif
READ_STRING("default-domain", config->default_domain);
READ_STRING("crl", config->crl);
@@ -1162,7 +1160,6 @@ static void check_cfg(struct perm_cfg_st *perm_config)
}
}
-#ifdef ANYCONNECT_CLIENT_COMPAT
if (perm_config->cert && perm_config->cert_hash == NULL) {
perm_config->cert_hash = calc_sha1_hash(perm_config, perm_config->cert[0], 1);
}
@@ -1185,7 +1182,6 @@ static void check_cfg(struct perm_cfg_st *perm_config)
exit(1);
}
}
-#endif
if (perm_config->config->keepalive == 0)
perm_config->config->keepalive = 3600;
diff --git a/src/vpn.h b/src/vpn.h
index 81c0956c..b79c9c10 100644
--- a/src/vpn.h
+++ b/src/vpn.h
@@ -316,10 +316,8 @@ struct cfg_st {
char *cgroup;
char *proxy_url;
-#ifdef ANYCONNECT_CLIENT_COMPAT
char *xml_config_file;
char *xml_config_hash;
-#endif
/* additional configuration files */
char *per_group_dir;
diff --git a/src/worker-auth.c b/src/worker-auth.c
index 223f2380..6c8dcb3a 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -52,7 +52,20 @@ static const char oc_success_msg_head[] = "\n"
"
SSL VPN Service";
-static const char oc_success_msg_foot[] = "\n";
+#define OC_SUCCESS_MSG_FOOT "\n"
+#define OC_SUCCESS_MSG_FOOT_PROFILE \
+ "\n" \
+ "" \
+ "" \
+ "" \
+ "" \
+ "/profiles/%s" \
+ "%s" \
+ "" \
+ "" \
+ "\n" \
+ "" \
+ ""
static const char ocv3_success_msg_head[] = "\n"
"\n"
@@ -892,20 +905,30 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
size_t str_cookie_size = sizeof(str_cookie);
char msg[MAX_BANNER_SIZE + 32];
const char *success_msg_head;
- const char *success_msg_foot;
+ char *success_msg_foot;
unsigned success_msg_head_size;
unsigned success_msg_foot_size;
if (ws->req.user_agent_type == AGENT_OPENCONNECT_V3) {
success_msg_head = ocv3_success_msg_head;
- success_msg_foot = ocv3_success_msg_foot;
+ success_msg_foot = talloc_strdup(ws, ocv3_success_msg_foot);
success_msg_head_size = sizeof(ocv3_success_msg_head)-1;
- success_msg_foot_size = sizeof(ocv3_success_msg_foot)-1;
+ success_msg_foot_size = strlen(success_msg_foot);
} else {
success_msg_head = oc_success_msg_head;
- success_msg_foot = oc_success_msg_foot;
+ success_msg_foot = OC_SUCCESS_MSG_FOOT;
+ if (ws->config->xml_config_file) {
+ success_msg_foot = talloc_asprintf(ws, OC_SUCCESS_MSG_FOOT_PROFILE,
+ ws->config->xml_config_file, ws->config->xml_config_hash);
+ } else {
+ success_msg_foot = talloc_strdup(ws, OC_SUCCESS_MSG_FOOT);
+ }
+
+ if (success_msg_foot == NULL)
+ return -1;
+
success_msg_head_size = sizeof(oc_success_msg_head)-1;
- success_msg_foot_size = sizeof(oc_success_msg_foot)-1;
+ success_msg_foot_size = strlen(success_msg_foot);
}
oc_base64_encode((char *)ws->cookie, sizeof(ws->cookie),
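Review bot: In the `AGENT_OPENCONNECT_V3` branch the result of `talloc_strdup(ws, ocv3_success_msg_foot)` goes straight into `strlen()`, because the `if (success_msg_foot == NULL) return -1;` guard sits only inside the `else` branch; an allocation failure for a v3 client would dereference NULL. Moving that guard below the closing brace of the if/else, and computing `success_msg_foot_size = strlen(success_msg_foot);` once after it, covers both paths. The first assignment `success_msg_foot = OC_SUCCESS_MSG_FOOT;` is a dead store that puts a string literal into a pointer later handed to `talloc_free()`, so it is safer to delete it. The diff does not show whether `xml_config_hash` is always set when `xml_config_file` is; if it can be NULL, the second `%s` in `talloc_asprintf()` receives a null pointer, so the condition could be `if (ws->config->xml_config_file && ws->config->xml_config_hash)`. post_common_handler starts and ends outside this hunk.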
@@ -917,28 +940,28 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
cstp_cork(ws);
ret = cstp_printf(ws, "HTTP/1.%u 200 OK\r\n", http_ver);
if (ret < 0)
- return -1;
+ goto fail;
ret = cstp_puts(ws, "Connection: Keep-Alive\r\n");
if (ret < 0)
- return -1;
+ goto fail;
if (ws->selected_auth->type & AUTH_TYPE_GSSAPI && imsg != NULL && imsg[0] != 0) {
ret = cstp_printf(ws, "WWW-Authenticate: Negotiate %s\r\n", imsg);
if (ret < 0)
- return -1;
+ goto fail;
}
ret = cstp_puts(ws, "Content-Type: text/xml\r\n");
if (ret < 0)
- return -1;
+ goto fail;
if (ws->config->banner) {
size =
snprintf(msg, sizeof(msg), "%s",
ws->config->banner);
if (size <= 0)
- return -1;
+ goto fail;
/* snprintf() returns not a very useful value, so we need to recalculate */
size = strlen(msg);
} else {
@@ -950,11 +973,11 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
ret = cstp_printf(ws, "Content-Length: %u\r\n", (unsigned)size);
if (ret < 0)
- return -1;
+ goto fail;
ret = cstp_puts(ws, "X-Transcend-Version: 1\r\n");
if (ret < 0)
- return -1;
+ goto fail;
if (ws->sid_set != 0) {
char context[BASE64_ENCODE_RAW_LENGTH(SID_SIZE) + 1];
@@ -967,7 +990,7 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
"Set-Cookie: webvpncontext=%s; Secure\r\n",
context);
if (ret < 0)
- return -1;
+ goto fail;
oclog(ws, LOG_SENSITIVE, "sent sid: %s", context);
}
@@ -977,14 +1000,13 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
"Set-Cookie: webvpn=%s; Secure\r\n",
str_cookie);
if (ret < 0)
- return -1;
+ goto fail;
-#ifdef ANYCONNECT_CLIENT_COMPAT
ret =
cstp_puts(ws,
"Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure\r\n");
if (ret < 0)
- return -1;
+ goto fail;
if (ws->config->xml_config_file) {
ret =
@@ -1001,20 +1023,23 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
}
if (ret < 0)
- return -1;
-#endif
+ goto fail;
ret =
cstp_printf(ws,
"\r\n%s%s%s", success_msg_head, msg, success_msg_foot);
if (ret < 0)
- return -1;
+ goto fail;
ret = cstp_uncork(ws);
if (ret < 0)
- return -1;
+ goto fail;
return 0;
+
+ fail:
+ talloc_free(success_msg_foot);
+ return -1;
}
/* Returns the contents of the password field in a newly allocated
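Review bot: The success path still ends in a bare `return 0;`, so `success_msg_foot` is released only when control reaches `fail:`. The buffer is parented to `ws`, so it is reclaimed when that context goes away, but until then every successful call leaves one copy allocated; adding `talloc_free(success_msg_foot);` just before `return 0;` keeps both exits symmetric. The function body begins outside this hunk, so it is also worth checking that no `return -1;` remains between the allocation and the first `goto fail;`, since such a return would bypass the label.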
diff --git a/src/worker-http-handlers.c b/src/worker-http-handlers.c
index 9164cefa..ec4b23ce 100644
--- a/src/worker-http-handlers.c
+++ b/src/worker-http-handlers.c
@@ -220,7 +220,6 @@ int get_ca_der_handler(worker_st * ws, unsigned http_ver)
return ca_handler(ws, http_ver, 1);
}
-#ifdef ANYCONNECT_CLIENT_COMPAT
int get_config_handler(worker_st *ws, unsigned http_ver)
{
int ret;
@@ -257,6 +256,7 @@ int get_config_handler(worker_st *ws, unsigned http_ver)
return 0;
}
+#ifdef ANYCONNECT_CLIENT_COMPAT
#define VPN_VERSION "0,0,0000\n"
#define XML_START "\n\n\n"
diff --git a/src/worker-http.c b/src/worker-http.c
index 6fbb8c65..8220fdd6 100644
--- a/src/worker-http.c
+++ b/src/worker-http.c
@@ -59,6 +59,7 @@ const static struct known_urls_st known_urls[] = {
LL("/cert.cer", get_cert_der_handler, NULL),
LL("/ca.pem", get_ca_handler, NULL),
LL("/ca.cer", get_ca_der_handler, NULL),
+ LL_DIR("/profiles", get_config_handler, NULL),
#ifdef ANYCONNECT_CLIENT_COMPAT
LL("/1/index.html", get_empty_handler, NULL),
LL("/1/Linux", get_empty_handler, NULL),
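Review bot: Moving `LL_DIR("/profiles", get_config_handler, NULL)` above the `#ifdef` makes the profile download URL reachable in every build, yet the body of get_config_handler is not part of this diff (the worker-http-handlers.c hunks only move the `#ifdef`). It should be confirmed there that the handler returns a not-found response when `user-profile` is unset, performs the authentication check expected for this URL, and serves only the configured file whatever follows `/profiles/` in the request path, since LL_DIR presumably matches on the prefix. A comment on the table entry such as `/* served in all builds; handler must cope with user-profile being unset */` would record the new expectation.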
@@ -69,7 +70,6 @@ const static struct known_urls_st known_urls[] = {
LL("/1/VPNManifest.xml", get_string_handler, NULL),
LL("/1/binaries/update.txt", get_string_handler, NULL),
- LL_DIR("/profiles", get_config_handler, NULL),
LL("/+CSCOT+/", get_string_handler, NULL),
LL("/logout", get_empty_handler, NULL),
#endif