Anyconnect users different pkg file

manvik
Level 3

Is it possible to use two different versions of the AnyConnect client for different VPN users?

We are planning to upgrade the AnyConnect client version. Before rolling it out to all users, we need to check it with 2 or 3 users.

Can the new AnyConnect pkg file be uploaded to the ASA via ASDM, so that a few VPN users connect to the new pkg file when they log in? This way their AnyConnect version gets automatically upgraded.

The ASA in the backend is configured to use an AAA ISE server, then AD.

Any steps via ASDM would be very helpful.

7 Replies

@manvik Just use the pre-deployment package and manually install the software on the computers of the users you wish to use the different AnyConnect version.

There are 3000 users; manually installing is not possible.

@manvik I thought you said you wanted to check for 2-3 users before rolling out? I was suggesting you pre-deploy to those users for testing.

When you upload the headend package to the ASA/FTD all users will automatically upgrade (unless their local configuration file bypasses the downloader).

So perform the testing by manually upgrading the 2-3 users, then when ready to roll out you'd have to upload the headend package to the ASA or pre-deploy using your software management solution, such as SCCM.

manvik
Level 3

Thank you @Rob Ingram, we had tested manually with 2 users. It's working fine. Before rolling out to all users, we just needed to check automatic installation too, whether it works fine.

Should the headend package (.pkg file) be uploaded to Remote Access VPN > Network Client Access > Anyconnect client software?

@manvik ok. Yes, upload the headend package file, guide - https://community.cisco.com/t5/security-knowledge-base/how-to-update-the-anyconnect-and-hostscan-images/ta-p/3157306

All clients will automatically upgrade by default next time they attempt to login. You can bypass the downloader updates by modifying the local policy on the client devices, but that would be a lot of effort. If you needed to phase this, then you'd have to use a software management solution (SCCM) to roll it out to different sets of users.

Actually, the "AnyConnect Deferred Update" feature can help here. It's a headend feature -- no need to tweak client-side preferences. Users can be educated to postpone the update or launch it.

Another option is to distribute another AnyConnect profile to most users with <AutoUpdate UserControllable="false">false</AutoUpdate> to prevent them from upgrading all at once.
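An added example, not part of the thread or of Cisco's tooling: before a phased rollout, a check like this confirms which profile holds clients back and which lets the pilot group take the new headend package. Only the AutoUpdate element is quoted from the reply above; the surrounding profile layout, the namespace and both sample profiles are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles (assumed layout, not taken from the thread).
# The general profile carries the AutoUpdate setting quoted in the reply above.
PILOT_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
  </ClientInitialization>
</AnyConnectProfile>"""
GENERAL_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
  </ClientInitialization>
</AnyConnectProfile>"""


def auto_update_setting(profile_xml):
    """Return (enabled, user_controllable); (None, None) if the element is absent."""
    for elem in ET.fromstring(profile_xml).iter():
        # Drop any "{namespace}" prefix so the match works with or without xmlns.
        if elem.tag.rsplit("}", 1)[-1] == "AutoUpdate":
            enabled = (elem.text or "").strip().lower() == "true"
            controllable = elem.get("UserControllable", "").strip().lower() == "true"
            return enabled, controllable
    return None, None


def audit(profiles):
    """Map profile name -> finding, flagging profiles that hold clients back."""
    findings = {}
    for name, xml_text in profiles.items():
        enabled, controllable = auto_update_setting(xml_text)
        if enabled is None:
            findings[name] = "AutoUpdate not set in profile"
        elif enabled:
            findings[name] = "clients take the headend package at next login"
        else:
            lock = "user can change" if controllable else "locked"
            findings[name] = f"clients stay on installed version ({lock})"
    return findings


if __name__ == "__main__":
    report = audit({"pilot": PILOT_PROFILE, "general": GENERAL_PROFILE})
    for name, finding in report.items():
        print(f"{name}: {finding}")
```

Profiles left with AutoUpdate set to false after the rollout keep those clients on the old version, so rerun the check once the phase is complete.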

 

 

Make sure you remove the old package, or move it down in the package order and place the new one at the top.
