How to upgrade Compliance module and Anyconnect package via ISE ?

hashimwajid1
Level 3

Hi Team,

Currently we have ISE running version 2.7 with AnyConnect posturing enabled, which is working fine. Now we want to upgrade the old AnyConnect software and posture compliance module via ISE.

1- My question is how can we upgrade it via ISE, or what should be the best procedure?

2- Do we have to manually install both software on the client laptop?

3- Or can we do it via ISE without doing anything on the laptops?

Appreciate your response.

Accepted Solutions

Mike.Cifelli
VIP Alumni

You can rely on ISE to perform/require software install/upgrade via webdeploy and the client provisioning portals. To be more specific, client provisioning policy (CPP) is used to determine the version of AnyConnect to be used as well as the compliance module that will be installed on the endpoint during the provisioning process.

1- My question is how can we upgrade it via ISE, or what should be the best procedure?

-I personally like using ISE. You can, if you want, rely on ISE + SCCM. This is totally up to you.

2- Do we have to manually install both software on the client laptop?

3- Or can we do it via ISE without doing anything on the laptops?

-Answering 2 & 3 together. You have the option for both. With ISE, the high-level overview would look like this: you would manually upload the respective AC software into ISE + respective profiles, configure your AnyConnect result profile, assign it to CPP as a result, and finally ensure you steer clients to the respective CPP. When setting it up, focus on the two areas in red:

[Image: cpp_result_LI.jpg]

There are a few components in play here, so I would take a peek at the following resources:

-ISE Posture Prescriptive Deployment Guide - Cisco Community

-Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0 - Deploy AnyConnect [Cisco AnyConnect Secure Mobility Client] - Cisco

-Good tutorials here: Video: Security | Lab Minutes

HTH!

 

3 Replies

balaji.bandi
Hall of Fame

Not sure ISE can do the job for this; if you have centralised SCCM, it can do that work for you:

 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-posture.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Mike,

Thanks for the reply. I've prepared some points in case I want to do it via SSM (I believe we cannot upgrade AnyConnect with ISE in the case of VPN users, but only when the client laptop is part of the LAN network, but the Compliance module can be upgraded directly with ISE in any case). Please correct me if I am wrong.

Currently old users have AnyConnect 4.7 and an old compliance module, which I would like to upgrade to AC 4.10 and Compliance module 4.3.

I want it to upgrade seamlessly on all users. Please have a look at the procedure below.


Phase 1 (single user test)

1- Select a test user laptop and manually install the new AnyConnect 4.10 pre-deploy image and Compliance module 4.3 pre-deploy image.
2- Download the AnyConnect 4.10 webdeploy image on the laptop and upload it to ISE under posture resources. (We should only upload webdeploy images to ISE/headend devices.)
3- On ISE, add Compliance module 4.3 webdeploy under ISE posture resources (it can be downloaded directly to ISE under posture resources from the Cisco site once you click on the add option).
4- Create a new AnyConnect configuration profile and select the AnyConnect 4.10 package and Compliance module 4.3 package; we also need to add the below configuration under the deferral update section like the old AnyConnect/compliance version (the remaining configuration, such as AnyConnect posture profile/NAM and others, will remain the same as in the old AnyConnect configuration profile).
5- The above deferred configuration will support the old and new AnyConnect/Compliance module during both testing and production deployment (this can be disabled once all users migrate successfully to the new version).
6- Edit the main Client Provisioning Policy and select the newly created AnyConnect configuration profile in the result; the remaining configuration will remain the same. (If you don't want to edit the existing policy, then create a new policy, add the newly created AnyConnect configuration profile, and also add a test AD group in the condition option. You can put a single user under the test AD group and put this policy on top. If you choose this method, you don't need to configure the deferred update section under the new AnyConnect configuration profile.)
7- Also check whether all Posture policies have Compliance module 4.x or later selected. If not, we can create a new duplicate Posture Policy with Compliance module 4.x or later.
8- Also check whether all Requirements policies have Compliance module 4.x or later selected. If not, we can create a new duplicate Requirement Policy with Compliance module 4.x or later.
9- Now we can test the laptop after installing the AnyConnect client and Compliance module and check whether posturing is working fine.
10- At this time the old and new AnyConnect client and Compliance module should work simultaneously due to the deferred policy configured under the AnyConnect configuration profile.

Phase 2 (General deployment for all users)

11- After successful testing of the new version of AnyConnect and Compliance module, we can push the new AnyConnect client and Compliance module via SCCM to all users; this time the new compliance module should discover ISE, download the updates, and start checking posture.
12- If all users are working fine with the new version, then we can disable the deferred update section back to default in the AnyConnect configuration profile (after that the old version will not work).

 

Thanks in advance
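
A readiness check for step 12 of the procedure above, added here as an example and not part of the original thread: it lists endpoints still below AnyConnect 4.10 or Compliance module 4.3 before the deferred update setting is reverted. The inventory columns, host names and build numbers are constructed assumptions, not an ISE or SCCM export format.

```python
import csv
import io

# Target versions taken from the thread: AnyConnect 4.10, compliance module 4.3.
TARGET_AC = "4.10"
TARGET_CM = "4.3"

# Constructed inventory; column names and build numbers are assumptions
# for illustration, not a real ISE or SCCM report layout.
SAMPLE_INVENTORY = """host,anyconnect,compliance_module
lt-001,4.10.200,4.3.500
lt-002,4.7.100,4.3.500
lt-003,4.10.200,4.2.900
lt-004,4.9.300,4.3.0500
"""

def parse_version(text):
    """Split a dotted version into integers, e.g. '4.10.200' -> (4, 10, 200).

    Comparing the raw strings (or floats) would rank 4.10 below 4.7,
    which is exactly the 4.7 -> 4.10 upgrade discussed in the thread.
    Leading zeros in a field ('0500') are tolerated by int().
    """
    return tuple(int(part) for part in text.strip().split("."))

def lagging_endpoints(inventory_csv):
    """Return {host: [components below target]} for endpoints not yet upgraded."""
    behind = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        if parse_version(row["anyconnect"]) < parse_version(TARGET_AC):
            issues.append("anyconnect")
        if parse_version(row["compliance_module"]) < parse_version(TARGET_CM):
            issues.append("compliance_module")
        if issues:
            behind[row["host"]] = issues
    return behind

def safe_to_disable_deferral(inventory_csv):
    """True only when no endpoint is below either target version."""
    return not lagging_endpoints(inventory_csv)

if __name__ == "__main__":
    for host, issues in lagging_endpoints(SAMPLE_INVENTORY).items():
        print(f"{host}: still below target for {', '.join(issues)}")
    print("disable deferred update:", safe_to_disable_deferral(SAMPLE_INVENTORY))
```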