ISE Posture - AnyConnect Compliance module v3.x vs v4.x

blazarov86
Level 1

Hello Community,

I have searched very hard to find info on that matter, but with almost no result, so I've decided to post a thread here. Our environment is based on ISE 2.2, ASA 9.4 and AnyConnect 4.4.

As you know there are two separate version "trains" for the ISE compliance module for AnyConnect:

  • v 3.x where the latest version is v 3.6.xxxx
  • v 4.x where the latest version is v 4.2.xxxx

Obviously they have some substantial functional differences that are reflected in the ISE posture condition policies, e.g.:

  • Anti-Malware is only for v4.x
  • Anti-Spyware is only for v3.x
  • Anti-Virus is only for v3.x
  • Application conditions are for both v3.x and v4.x
  • Patch management conditions have to be separately configured for v3.x and v4.x
  • .. and so on..

So my questions are:

  • What is the general rule of thumb for choosing to use v3 or v4 AC Compliance module? Obviously both would do the job one way or the other, and both support the current AnyConnect versions. So what is the catch?
  • Since AV and Anti-Spyware checks seem "deprecated" in compliance module v4, is it true to assume that they have been consolidated into Anti-Malware checks that cover all?


Marvin Rhoads
Hall of Fame

Yes - v4.x is calling all those related checks Anti-malware.

Use v4.x as a general rule as v3.x will totally be deprecated in the future.

Thanks Marvin,

Do you know if there is any reason to still use v3.x - like any common functionality that is still not doable with 4.x? Or maybe OS support.. Looked at available docs & release notes and couldn't find such..

As far as I know, the only reason to use 3.x compliance module is if you have clients with AnyConnect 3.x.

If you have no such clients, then you should only run the 4.x compliance module.