Accepted Solutions
Adding some information:
IMO webdeploy from ASA on VPN connections is straightforward and a great way to force the upgrade. As for onsite clients, if you do provisioning onsite then ISE can upgrade all components without the need of elevated privileges. Also, as mentioned by @Peter Koltl ISE webdeploy will fail/not work for RAVPN clients, but compliance module upgrades from ISE will work. If you do not have the on-site ability you can use ASA to aide SCCM with the upgrades and still support both client versions. You just need to support both old & new AnyConnect SW on the ASA & in ISE CPP.
For example, the ASA config entries to support old clients and not force upgrade, but also support new clients would look like this:
anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 2
If you flip the order and make the new AC version client entry 1 then clients will get upgraded upon next VPN connection attempt. Another note that is important as you juggle the phased idea is in your CPP AnyConnect Result profiles you can configure it for the new AC clients, but support minimum version (old clients) and auto-defer ISE webdeploy upgrades. Would look something like this:
The above config does the following: Allows software deferral for AnyConnect, requires minimum version of 4.9.0 (in your case it would be 4.8.0 or the exact version), forces compliance module upgrade, states compliance minimum version required, and then the '0' combined with defer forces software update deferral without requiring user interaction. Once you confirm every client is upgraded you can reconfig the AC profs as needed. HTH!
@Srinivasan Nagarajan no problem glad to help
So you made this comment, We've Remote Access VPN configured on the ASA (9.8) which is authenticated and authorized by the ISE (2.6) with the posture enabled. Now we'd like to upgrade the Anyconnect (4.8) to 4.10 on the end-users PC.
-Quick note, unfortunately you cannot modify the ISE AnyConnect (AC) Config profiles on-the-fly that get assigned in your Client Provisioning Policies as a result when wishing to change AC software version. There is actually a feature request submitted for this, but as of today not sure when it will be implemented.
What I am suggesting for a phased rollout is this:
-Provide SCCM team individual MSIs for new AnyConnect software so they can prep packages & prep your enterprise image (at this point they are awaiting your go ahead for deployment)
-Upload the new AnyConnect webdeploy .pkg file into ISE, create new CPP AnyConnect Config profile specifying new AnyConnect version + currently deployed compliance module + software deferral method mentioned above (shown below too)
-Assign new CPP AC config profiles to your CPP policies (at this point you are now supporting provisioning/posturing for both versions old/new)
-Upload new AnyConnect webdeploy .pkg file on ASA & enable it as first entry while old version remains enabled, but as second entry (this will force VPN clients to get upgraded on next connection attempt)
--Once this is done you can now support both so you can begin phased rollout. Give SCCM team go ahead.
-Have SCCM hit clients that have not been upgraded via ASA
-Once all enterprise clients are upgraded you can update the new CPP policy results for new AC version support to change minimum version requirement.
A way to test this suggested method:
Identify one test group, create new ISE AC Config profile supporting new AC Sw version + current compliance module + software deferral. Assign AC config profile to test CPP policy for your test group. Upload new AC version to ASA but have it enabled as entry 2 (not forcing upgrade, but providing support). Then have one client running old AnyConnect SW and another client running latest/greatest AC Sw. Test connections for both to ensure they get network access & are properly postured as expected. Once tests are good to go you should have no problem implementing on additional CP policies.
Here is a screenshot of a full ISE AC Config Profile supporting new AC version + old version + forcing SW deferral:
Good luck & hope this clears things up.
