
Upgrade to Cisco Secure Client agent version 5 through ISE web portal

Da ICS16
Level 1

Dear Community,

We plan to upgrade the AnyConnect agent version 4.xx to the new Secure Client agent 5.xx through the ISE server web portal.

There are around 7K endpoint PCs using AnyConnect 4.XX.

Could you share good practice on how to push the upgrade to the new Secure Client agent from the ISE server?

1. Can ISE push the agent upgrade to 300 PCs at a time? If yes, how do we do it?

2. Can ISE push the new agent upgrade to all PCs at the same time? If yes, how do we do it?

3. In case #2 fails, how do we restore the existing PCs (using AC 4.XX) so they still work fine?

Remark: We use ISE 3.1 P6.

Your support is much appreciated.

Best Regards, 



Arne Bier

ISE does not push AnyConnect or Secure Endpoint software to endpoints. That is the job of the ASA/FTD when users make a connection to those firewall devices.

@Arne Bier This question comes from the following statements from Cisco's official book:



Yes, only if your endpoints are actually using CPP flows. Do all of your endpoints use Posture or BYOD flows?

Dear @ahollifield ,

We use Posture flow.


Dear @ahollifield ,

We use posture less. 

Let me know if you have a recommendation on this.



"Posture Less": what does this mean? Earlier you said you use Posture Flow?

As @ahollifield mentioned, the statement you highlighted only applies in a few ISE use cases. Generally, we depend on either an enterprise software management tool or, where VPN is widely used, the headend firewall to deploy new Secure Client versions.

If we are doing ISE posture, it CAN be used to deploy the modules, but you should take care to sync what is being pushed from your VPN headend to avoid the systems conflicting with each other.

Dear @Marvin Rhoads ,

Do all endpoints need to have a connection (dot1x or VPN) to upgrade to the new agents?


For VPN you would upgrade from the headend instead. The endpoints must be in a flow that uses a Client Provisioning Portal. 802.1X or VPN alone is not enough to push new Cisco Secure Client packages/versions.
