01-31-2019 04:46 PM
Hello everyone,
I'm in the process of deploying AnyConnect ISE Posture using our Software Management System (SMS). I do have a couple of questions about the pre-deployment packaging.
Appreciate the Help.
01-31-2019 06:08 PM
Hi,
Could you please explain what you consider under "Client Provisioning Configuration"?
Regards,
Pankaj
01-31-2019 08:06 PM
Hi Pankaj,
I'm talking about this section, "Policy Elements > Results > Client Provisioning > Resources", where you define the Posture Profile and then attach the Posture Profile to the AnyConnect Configuration.
Let me know if you have any questions.
HTH
Ain
01-31-2019 08:19 PM - edited 01-31-2019 08:20 PM
It all depends on how you have your network set up. If you have your network set up to do posture discovery, then you don't need to deploy anything but the AnyConnect software with the posture module. When the posture module first starts up it will do posture discovery (HTTP to gateway IP, enroll.cisco.com, etc.), and if you have posture discovery URL redirection configured on the network, the posture module will find the correct PSN to talk to and download everything it needs to function. You would also need to have a client provisioning rule to apply the correct posture config file.
Check out this link for posture discovery options and how to do it without redirection (would require you to push the posture config file with the SCCM package).
01-31-2019 08:33 PM
Thank you for the explanation, it makes a lot of sense.
One last thing I would like to confirm about what you said regarding the CCP. You said that I don't have to deploy the Posture Profile using the Software Management System in the AnyConnect bundle. Once the Posture Module on the client fires up, it'll detect the correct PSN with or without discovery and download the AnyConnect Config/Posture Profile from ISE?
01-31-2019 08:37 PM
Hi Ain,
Once you install the software with SMS, due to the redirection configured on the NAD, the client will get redirected to the PSN and it will download the file from ISE.
If you are not using redirection then you have to push the file to the client.
Regards,
Pankaj Kumar