Re: Anyconnect Deployment

avilt · ‎08-27-2013

a) Since anyconnect web deployment require admin privilages on the PC, what is the general trend with the company's on anyconnect deployment?

b) Also with web deployment anyone from the Internet can (with out username and the password) see the VPN group names. Is it a good way of deploying the client?

Marvin Rhoads · ‎08-27-2013

Companies I have seen that do not allow local admin privileges for users usually have a software deployment tool they can use to deploy centrally. They generally use that for deployment to remote corporate users.

The drop down list is indeed visible to unauthenticated clients - it usually has something innocuous in the naming. It can be disabled altogether if desired and clients given a direct URL in their local profiles.

avilt · ‎08-28-2013

Thank You.

When we manually deploy the anyconnect does it require to match the exact version on the ASA? Example can I have anyconnect version 3.0 on ASA and version 3.1 on the client?

Marvin Rhoads · ‎08-28-2013

Yes the client AnyConnect version can be newer than the package on the ASA. I run the latest AnyConnect on my laptop and, as a professional services engineer, often connect to clients with varying older versions of AnyConnect on their ASAs.

The ASA AnyConnect binary package (pkg file) is only used to download to clients who don't have AnyConnect at all orwhose version is out of date (the latter assuming they have sufficient privilege level to install software).