AnyConnect profile migration

Ralphy006
Level 1

I'm trying to figure out how to update an AnyConnect profile XML and make it seamless to my users. Tricky part is, the new XML profile enables certificate auth. So it's required to be there when a tunnel-group is selected.

Current:

Tunnel-group-A

Profile-xml-A

- Auth timer: 12
- Certificate store: All
- Certificate store override: false

Future:

Tunnel-group-B

Profile-xml-B

- Profile-xml-B HAS to be on the machine to use Tunnel-group-B since it allows for the certificate auth
- Auth timer: 62
- Certificate store: Machine
- Certificate store override: true

Sounds like TAC recommends:

  1. Create a group-url for tunnel-group-B that is different than tunnel-group-A
  2. Profile-xml-B to reference only the group-url for tunnel-group-B
  3. Deploy profile-xml-B to users. At this point, original URLs AND new group-url will be in the users' dropdown. Users can test tunnel-group-B.
  4. Once testing is done, remove profile-xml-A. When profile-xml-A is gone, the URLs from profile-xml-B will be the only ones left.

What I was GOING to do:

  1. Create a new Profile-xml-B (with cert and auth timer changes). Associate profile-xml-B to both tunnel-groups.
  2. Make sure Profile-xml-B is alphabetically first so the machine uses profile B if both B and A exist.
    1. This ensures if we push out profile-xml-B to users, it will NOT get overwritten when they log into tunnel-group-A
  3. Push out profile-xml-B to all users and delete profile-xml-A
  4. Make tunnel-group-B the default once everyone has the new profile.
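
The following is an added example, not part of the original post and not Cisco tooling: a small audit that reads the profile XML files collected from one machine and reports whether a profile carrying the certificate settings for the new tunnel-group is present, which profiles are still legacy, and which entries the user's dropdown would combine. Element names follow the AnyConnect profile schema; the file names, host name, group-url suffixes (`group-a`, `group-b`) and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.xmlsoap.org/encoding/}"  # AnyConnect profile namespace

def make_profile(store, override, timeout, name, address, group):
    """Build a constructed sample profile (hosts and groups are placeholders)."""
    return f"""<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>{store}</CertificateStore>
    <CertificateStoreOverride>{override}</CertificateStoreOverride>
    <AuthenticationTimeout>{timeout}</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList><HostEntry>
    <HostName>{name}</HostName><HostAddress>{address}</HostAddress>
    <UserGroup>{group}</UserGroup>
  </HostEntry></ServerList>
</AnyConnectProfile>"""

# Constructed samples mirroring the "Current" and "Future" settings in the post.
PROFILE_A = make_profile("All", "false", 12, "VPN (A)", "vpn.example.com", "group-a")
PROFILE_B = make_profile("Machine", "true", 62, "VPN (B)", "vpn.example.com", "group-b")

def summarize(xml_text):
    """Extract the settings the post changes, plus the server list entries."""
    root = ET.fromstring(xml_text)
    text = lambda tag: (root.findtext(f".//{NS}{tag}") or "").strip()
    hosts = [tuple((h.findtext(NS + t) or "").strip()
                   for t in ("HostName", "HostAddress", "UserGroup"))
             for h in root.iter(NS + "HostEntry")]
    return {"store": text("CertificateStore"),
            "override": text("CertificateStoreOverride") == "true",
            "timeout": int(text("AuthenticationTimeout") or 0),
            "hosts": hosts}

def rollout_state(profiles, new_group):
    """profiles: {filename: xml_text} collected from one machine's profile folder."""
    info = {name: summarize(x) for name, x in sorted(profiles.items())}
    # A profile is cert-ready if it selects the Machine store with override
    # enabled and lists a host entry for the new tunnel-group's group-url.
    cert_ok = [n for n, s in info.items()
               if s["store"] == "Machine" and s["override"]
               and any(g == new_group for _, _, g in s["hosts"])]
    return {"cert_profile": cert_ok[0] if cert_ok else None,
            "legacy": [n for n in info if n not in cert_ok],
            "dropdown": [h[0] for s in info.values() for h in s["hosts"]]}

if __name__ == "__main__":
    print(rollout_state({"profile-xml-A.xml": PROFILE_A,
                         "profile-xml-B.xml": PROFILE_B}, "group-b"))
```

Run against each machine's collected profiles before removing profile-xml-A or changing the default tunnel-group: a `cert_profile` of `None` marks a machine that has not yet received the new profile.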