12-07-2021 09:15 AM
Hi Team,
Currently we have ISE running version 2.7 with AnyConnect posturing enabled, which is working fine. Now we want to upgrade the old AnyConnect software and posture compliance module via ISE.
1- My question is how can we upgrade it via ISE, or what would be the best procedure?
2- Do we have to manually install both pieces of software on the client laptops?
3- Or can we do it via ISE without doing anything on the laptops?
Appreciate your response.
12-13-2021 12:16 PM
You can rely on ISE to perform/require software install/upgrade via webdeploy and the client provisioning portals. To be more specific, client provisioning policy (CPP) is used to determine the version of AnyConnect to be used as well as the compliance module that will be installed on the endpoint during the provisioning process.
1- My question is how can we upgrade it via ISE, or what would be the best procedure?
-I personally like using ISE. You can, if you want, rely on ISE + SCCM. This is totally up to you.
2- Do we have to manually install both pieces of software on the client laptops?
3- Or can we do it via ISE without doing anything on the laptops?
-Answering 2 & 3 together. You have the option for both. With ISE the high-level overview would look like this: you would manually upload the respective AC software into ISE + respective profiles, configure your AnyConnect result profile, assign it to the CPP as a result, and finally ensure you steer clients to the respective CPP. When setting it up, focus on the two areas in red:
There are a few components in play here so I would take a peek at the following resources:
-ISE Posture Prescriptive Deployment Guide - Cisco Community
-Good tutorials here: Video: Security | Lab Minutes
HTH!
12-07-2021 02:14 PM
Not sure ISE can do the job for this; if you have centralised SCCM, it can do that work for you:
12-16-2021 02:22 AM - edited 12-16-2021 02:25 AM
Hi Mike,
Thanks for the reply. I've prepared some points in case I want to do it via SCCM (I believe AnyConnect cannot be upgraded with ISE for VPN users, only when the client laptop is part of the LAN network, but the compliance module can be upgraded directly with ISE in any case); please correct me if I am wrong.
Currently old users have AnyConnect 4.7 and the old compliance module, which I would like to upgrade to AC 4.10 and compliance module 4.3.
I want it to upgrade seamlessly for all users. Please have a look at the procedure below.
Phase 1 (single user test)
1- Select a test user laptop and manually install the new AnyConnect 4.10 pre-deploy image and compliance module 4.3 pre-deploy image.
2- Download the AnyConnect 4.10 webdeploy image on the laptop and upload it to ISE under posture resources. (We should only upload webdeploy images to ISE/headend devices.)
3- On ISE, add the compliance module 4.3 webdeploy under ISE posture resources (it can be downloaded directly to ISE under posture resources from the Cisco site once you click the add option).
4- Create a new AnyConnect configuration profile and select the AnyConnect 4.10 package and compliance module 4.3 package, and also add the configuration below under the deferred update section, such as the old AnyConnect/compliance module version (the remaining configuration, such as the AnyConnect posture profile/NAM and others, will remain the same as in the old AnyConnect configuration profile).
5- The above deferred configuration will support the old and new AnyConnect/compliance module during both testing and production deployment (this can be disabled once all users have migrated successfully to the new version).
6- Edit the main Client Provisioning Policy and select the newly created AnyConnect configuration profile in the result; the remaining configuration will remain the same. (If you don't want to edit the existing policy, then create a new policy, add the newly created AnyConnect configuration profile, and also add a test AD group in the condition option; you can put a single user in the test AD group and put this policy on top. If you choose this method, you don't need to configure the deferred update section under the new AnyConnect configuration profile.)
7- Also check whether all posture policies have compliance module 4.x or later selected. If not, we can create a new duplicate posture policy with compliance module 4.x or later.
8- Also check whether all requirement policies have compliance module 4.x or later selected. If not, we can create a new duplicate requirement policy with compliance module 4.x or later.
9- Now we can test the laptop after installing the AnyConnect client and compliance module and check whether posturing is working fine.
10- At this time the old and new AnyConnect client and compliance module should work simultaneously due to the deferred policy configured under the AnyConnect configuration profile.
Phase 2 (General deployment for all users)
11- After successful testing of the new version of AnyConnect and the compliance module, we can push the new AnyConnect client and compliance module via SCCM to all users; this time the new compliance module should discover ISE, download the updates and start checking posture.
12- If all users are working fine with the new version, then we can set the deferred update section back to default in the AnyConnect configuration profile (after that the old version will not work).
Thanks in advance.
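One check that the last step of the plan relies on, as an added example that is not part of the thread: before the deferred update section is set back to default (step 12), confirm from an endpoint inventory that nobody is still below AnyConnect 4.10 or compliance module 4.3, since those endpoints stop working once the deferral is removed. The inventory rows, column names and version strings are constructed here; a real run would read an SCCM or ISE endpoint export with whatever columns it provides.

```python
"""Find endpoints still below the migration targets (AC 4.10, CM 4.3).

Added example for this thread, not Cisco code. Inventory format and
values below are constructed; adapt the column names to your export.
"""
from __future__ import annotations

import csv
import io

TARGET_ANYCONNECT = "4.10"
TARGET_COMPLIANCE = "4.3"

# Constructed sample export: hostname, AnyConnect version, compliance module version.
SAMPLE_INVENTORY = """\
hostname,anyconnect_version,compliance_module_version
LAPTOP-01,4.10.0,4.3.0
LAPTOP-02,4.7.0,3.6.0
LAPTOP-03,4.9.0,4.3.0
LAPTOP-04,4.10.0,unknown
"""


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '4.10.0' into (4, 10, 0); None if the field is not a dotted number."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def at_least(installed: str, target: str) -> bool:
    """Numeric comparison, so 4.10 ranks above 4.7 (plain string order gets this wrong).
    An unparsable version is treated as not meeting the target."""
    inst, tgt = parse_version(installed), parse_version(target)
    if inst is None or tgt is None:
        return False
    width = max(len(inst), len(tgt))
    return inst + (0,) * (width - len(inst)) >= tgt + (0,) * (width - len(tgt))


def find_stragglers(inventory_csv: str) -> list[dict[str, str]]:
    """Return endpoints below either target, with a reason per endpoint."""
    stragglers = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        if not at_least(row["anyconnect_version"], TARGET_ANYCONNECT):
            reasons.append(f"AnyConnect {row['anyconnect_version']} < {TARGET_ANYCONNECT}")
        if not at_least(row["compliance_module_version"], TARGET_COMPLIANCE):
            reasons.append(f"compliance module {row['compliance_module_version']} < {TARGET_COMPLIANCE}")
        if reasons:
            stragglers.append({"hostname": row["hostname"], "reason": "; ".join(reasons)})
    return stragglers


def safe_to_reset_deferred_update(inventory_csv: str) -> bool:
    """True only when every endpoint meets both targets (the gate for step 12)."""
    return not find_stragglers(inventory_csv)


if __name__ == "__main__":
    for s in find_stragglers(SAMPLE_INVENTORY):
        print(f"{s['hostname']}: {s['reason']}")
    print("safe to reset deferred update:", safe_to_reset_deferred_update(SAMPLE_INVENTORY))
```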