2724 Views | 10 Helpful | 2 Replies

AnyConnect Posture (HostScan) PreDeploy pros and cons

SergGu
Level 1

Dear Cisco ASA AnyConnect Experts,

Can you please clarify what are the advantages of pre-deploying HostScan (aka non-ISE traditional Posture) agent?

The only few official pieces of documentation I found are:

  • "If you are using AnyConnect Posture (HostScan) to perform root privilege activities on a macOS or Linux platform, we recommend that you predeploy AnyConnect Posture." in Deploy AnyConnect chapter.
    The "we recommend" does not mean this is mandatory, only recommended. Are there any blockers, like features you cannot use without pre-deployment? Or is it about speed (because one does not need to download it)?
  • "When there is a mismatch in the version number between the headend (ASA or ISE) and the endpoint (VPN posture or ISE posture), the OPSWAT compliance module gets upgraded or downgraded to match the version on the headend. These upgrades/downgrades are mandatory and happen automatically without end user intervention, as soon as a connection to the headend is established. "
  • ASA Web-Deployment Restrictions: The OPSWAT definitions are not included in the VPN posture (HostScan) module when web deploying. You must either manually deploy the HostScan module or load it on the ASA in order to deliver the OPSWAT definitions to the client. link

I can spend 2 days labbing each and every combination with Win10 and macOS but it would be better to read about this in one simple document.

All in all, I find HostScan is not documented well. There is a reason for this: it is a legacy product dating back to 200x ... the bits remaining from the full CSD. I welcome Cisco still supporting this while pushing customers to deploy the Cisco ISE Posture agent. Perhaps the ISE Posture agent is documented better, but I'm working with classic ASA (non-FTD), classic HostScan and the Advanced Posture license.

Regards,

Serg.

P.S. Here are a few documents I found most helpful in understanding HostScan and DAP:

* Old Cisco Live presentation - https://www.alcatron.net/Cisco%20Live%202015%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3033%20Advanced%20AnyConnect%20Deployment%20and%20Troubleshooting%20with%20ASA.pdf

* HostScan migration guide - https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html

Accepted Solution

Saurabh Dhakate
Cisco Employee

There is no such difference between pre-deployment and web-deployment of HostScan. But it is recommended to go with pre-deployment if any of the DAP checks needs elevation/privileges in its operation. This is because when it is installed with pre-deployment, the HostScan process ciscod.exe runs with SYSTEM privileges. However, in the case of web-deploy, it runs with user privileges and could show a UAC prompt if elevation is needed.

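As an added check that is not part of the thread: a PowerShell snippet a Windows admin can run on an endpoint to see which account ciscod.exe is running under, and so confirm whether the installed HostScan behaves like the SYSTEM-context predeploy case described in the accepted answer. The process name ciscod.exe comes from the answer; 'NT AUTHORITY\SYSTEM' is the standard name of the local system account, and the predeploy/web-deploy interpretation is only the inference the answer suggests.

```powershell
# Added example, not Cisco's code: report the account HostScan's ciscod.exe runs under.
# Per the accepted answer, predeployed HostScan runs ciscod.exe as SYSTEM, while a
# web-deployed copy runs in the logged-on user's context (and may trigger UAC prompts
# for DAP checks that need elevation).
function Get-HostScanProcessContext {
    [CmdletBinding()]
    param(
        # Process name quoted in the accepted answer.
        [string]$ProcessName = 'ciscod.exe'
    )

    $procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$ProcessName'"
    if (-not $procs) {
        Write-Warning "No '$ProcessName' process found; HostScan may not be installed or not running yet."
        return
    }

    foreach ($p in $procs) {
        # GetOwner returns Domain/User of the token the process runs under.
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        $isSystem = $account -eq 'NT AUTHORITY\SYSTEM'

        # Inference follows the accepted answer; it is a hint, not a definitive install-mode check.
        $likely = if ($isSystem) { 'predeploy (SYSTEM context)' } else { 'web-deploy (user context)' }

        [pscustomobject]@{
            ProcessId        = $p.ProcessId
            Account          = $account
            RunsAsSystem     = $isSystem
            LikelyDeployment = $likely
            CommandLine      = $p.CommandLine
        }
    }
}

Get-HostScanProcessContext | Format-Table -AutoSize
```

Run it while a VPN session is up, since HostScan is only active around connection time.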

2 Replies

Mike.Cifelli
VIP Alumni

Moving to VPN section in hopes you get more insight there.  Also, do you currently run ISE in your environment? If so, what licenses do you currently have?  Just trying to determine if migrating to ISE Posture is feasible with current situation.  Lastly, for reference: ISE Posture Prescriptive Deployment Guide - Cisco Community
