Anyconnect Profile PC Imaging

CarlRowe31854
Level 1

Hello, I'm looking for direction in adding an AnyConnect profile with SBL enabled to a Windows image. This would allow us to image a PC and ship it directly to the end user without having to log in as them and download the SBL update to AnyConnect before shipping. My company is now all working remotely, including our help desk, due to Covid.

We have SCCM at our disposal; can anyone help with a document covering the available methods for adding not just the AnyConnect client but the configured profile as well?

Thanks in advance and stay safe!

7 Replies

Francesco Molino
VIP Alumni
Hi

Here is the documentation showing how to enable it:
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html#ID-1428-000000d7

Basically, you just need to enable the Start Before Login option in your XML profile and deploy the SBL module.

Afterwards, you will get the Network Sign-In icon at the login screen. The user will have to click on it to sign in to your VPN and then open a Windows session.

Be careful: if you use a user certificate for the VPN, you'll have issues, because the user isn't logged in yet, so there is no access to the user certificate store.

To avoid users having to click the Network Sign-In option, you can create a task with the scheduler to automatically open and connect to your VPN using the vpncli command. Of course, if the VPN is based on user credentials, it won't be fully automated, because user input will still be needed. If you use a machine certificate, you can fully automate it and keep a smooth user experience, with just their Windows login to take care of.

To keep this smooth and avoid any error messages, you can also enable automatic VPN, which will start a VPN on an untrusted network but do nothing if the user sits on a trusted network.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
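The reply above describes the pieces (core client, SBL module, XML profile with Start Before Login enabled) but not how they land on the box in a single SCCM package. The script below is an added example, not code from the thread or from Cisco: it is the kind of install script an SCCM application or task-sequence step would run as SYSTEM on a freshly imaged machine. The installer filenames, the profile name corp-vpn.xml, the headend vpn.example.com and the SHA-256 values are assumptions and placeholders; the profile directory, the msiexec switches and the UseStartBeforeLogon element are the documented AnyConnect ones.

```powershell
# Added example (not from the thread): silent SCCM-style install of the AnyConnect
# core VPN, the SBL (Start Before Login) module and a pre-staged XML profile.
# Assumptions/placeholders: MSI filenames, the corp-vpn.xml profile name,
# vpn.example.com, and the SHA-256 values. Run as SYSTEM from the package folder.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Src        = $PSScriptRoot                      # SCCM package content folder
$ProfileDir = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$LogDir     = 'C:\Windows\Temp'

# Expected hashes of the MSIs shipped in the package. Checking them before
# msiexec runs means a tampered or mis-copied installer is never executed with
# SYSTEM rights. Order matters: the core VPN must be installed before the
# GINA/SBL module. (Placeholder hashes; replace with the ones you computed.)
$Installers = [ordered]@{
    'anyconnect-win-core-vpn-predeploy-k9.msi' = '0000000000000000000000000000000000000000000000000000000000000000'
    'anyconnect-win-gina-predeploy-k9.msi'     = '1111111111111111111111111111111111111111111111111111111111111111'
}

foreach ($msi in $Installers.Keys) {
    $path = Join-Path $Src $msi
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($hash -ne $Installers[$msi]) {
        throw "Hash mismatch for $msi (got $hash); refusing to install."
    }
    $msiArgs = @('/i', "`"$path`"", '/qn', '/norestart', '/lvx*', "`"$LogDir\$msi.log`"")
    if ($msi -like '*core-vpn*') { $msiArgs += 'PRE_DEPLOY_DISABLE_VPN=0' }
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    # 3010 = success, reboot required; anything else is a failure.
    if ($p.ExitCode -notin @(0, 3010)) { throw "$msi failed with exit code $($p.ExitCode)" }
}

# Pre-stage the profile so the user never has to type the VPN URL and the
# Network Sign-In icon appears at the first Windows logon screen. The file name
# should match the profile name configured on the ASA; otherwise the headend
# pushes its own copy next to this one on the first connection.
$ProfileXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
'@
New-Item -ItemType Directory -Path $ProfileDir -Force | Out-Null
Set-Content -Path (Join-Path $ProfileDir 'corp-vpn.xml') -Value $ProfileXml -Encoding UTF8

# Post-install check for the task-sequence log: the client binary and the
# profile must both be on disk, and the profile must actually enable SBL.
$vpncli  = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'
$profile = [xml](Get-Content (Join-Path $ProfileDir 'corp-vpn.xml'))
$sbl     = $profile.AnyConnectProfile.ClientInitialization.UseStartBeforeLogon.InnerText
if (-not (Test-Path $vpncli)) { throw 'vpncli.exe not found; core install did not complete.' }
if ($sbl -ne 'true')          { throw 'Profile written but UseStartBeforeLogon is not true.' }
Write-Output 'AnyConnect core, SBL module and SBL-enabled profile staged.'
```

Because the profile is machine-wide (ProgramData) and the MSIs run as SYSTEM, nothing here requires logging in as the end user, which is the "no touch" goal of the thread. Keep the caveat from the reply in mind when choosing the authentication method: at the SBL logon screen there is no user profile loaded, so a user-certificate store is not available and only credentials or a machine certificate will work before the first Windows logon.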

Let me rephrase: I already enabled and tested the SBL module and it works like a charm. But my question is regarding a "no touch" Windows laptop imaging solution. My colleague who takes care of our SCCM deployments is trying to figure out how to pull the URL into the package, as well as the SBL module, all at once. In theory, if a newly imaged laptop has the AnyConnect profile and the SBL module already installed, he could ship a laptop to a new user, and when they open it and power it on they would already see the SBL option in the lower right corner, instead of having to log in to Windows, then connect to the VPN and allow the SBL module to download.

Right now, after he images a PC, he logs into the laptop as the user, adds the AnyConnect profile manually, and would then have to download the SBL module. We are shooting for "no touch", essentially.

Thanks

Ok, gotcha.
Is authentication done using a certificate or user credentials?
At the first start, after staging, a user can authenticate on the VPN, and the SBL module + the XML profile will be installed and updated automatically. This will work if you're using an ASA. Is that the case?

Thanks
Francesco

We are using credentials and an ASA. It will work that way, as per my test. Regardless, management is tasking us to have everything included, as well as the user AnyConnect profile, in the PC image without any manual input.

They want the end-user experience to be as clean as possible, and the user not to have to know the VPN URL or see the update for the module, so it's there as soon as they open the laptop. Should I just advise that this isn't exactly possible? I feel like I've talked with others about all of that being preloaded via SCCM, as an example.

If users must not see anything, why not rebuild a new PC image with the module and the XML?

Thanks
Francesco

stsargen
Cisco Employee

Have you looked into the new VPN Management Tunnel feature in AnyConnect? This will eliminate the need for SBL and give you a VPN tunnel whenever the user tunnel is disconnected. This allows for managing the device at all times and allows non-cached logon to the domain. It might be a better option for you.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/b_AnyConnect_Administrator_Guide_4-7_chapter_01100.html?bookSearch=true

Thank you for the reply, I will take a look into this feature! We don't image PCs often, but we are looking for a better method, due to some setups needing to attach to the corporate network before being able to work, etc.