10-13-2021 05:34 AM
All,
I understand that AnyConnect will attempt to download the XML file from the ASA every time it connects to the VPN.
1. Does this mean the user needs write access to %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Profiles directory?
2. What does the AnyConnect client do if there are multiple XML files within that directory?
Many thanks
James.
10-13-2021 05:43 AM
I believe SYSTEM has R/W rights, not the user, to the Profile folder; the AnyConnect client service is using the local system to run. You don't explicitly need to set permissions for a user on the folder.
If there are multiple XML profiles then all connection profiles are displayed in the drop down list.
10-13-2021 06:41 AM
That file access makes some sense. If I look carefully in the task manager I can see:
* vpnagent = running with blank username (this is a service running as "local system" I think)
* vpndownloader = starts briefly after connecting, but it's running as my user account
So presumably vpnagent would be responsible for saving the XML to the folder?
In terms of multiple xml profiles though...some of the settings conflict with each other. For example, one profile might enable OnConnect scripting, the next might disable it. Is AnyConnect capable of matching the current VPN connection to the xml file associated with it?
10-13-2021 07:21 AM
-AFAIK the vpndownloader.exe is responsible for taking care of any changes and new deployments received from the ASA. Note that the vpndownloader appears every time a connection is established with the ASA VPN which determines if there are any changes in the profiles, group policy, etc. Once changes are done or there are no changes, the vpndownloader exits.
In terms of multiple xml profiles though...some of the settings conflict with each other. For example, one profile might enable OnConnect scripting, the next might disable it. Is AnyConnect capable of matching the current VPN connection to the xml file associated with it?
-Each unique profile would have a different HostName xml tag within the profile. This tag definition is what you would see via the AnyConnect GUI (vpnui.exe = simply the AnyConnect user interface) in the drop down that @Rob Ingram mentioned.
Examples:
profile1.xml:<HostName>Profile1</HostName>
profile2.xml:<HostName>Profile2</HostName>
Then in AC UI user would have Profile1 & Profile2 appear. Each with their own settings etc. HTH!
10-13-2021 10:03 AM
Thanks Mike, I'm going to check this and will post back later on.
10-13-2021 11:07 PM
Hi @j.a.m.e.s,
Next to what @Rob Ingram and @Mike.Cifelli already stated, pay close attention not to have multiple profiles for the same connection. More often than I would like, I'm seeing in customers' environments that they simply create a new profile, with a new name but with the old Hostname/User Group (without deleting the old profile on client devices), so profiles are conflicting, and you can never know which one AC will choose. In that case, users start reporting weird behavior, depending on the difference in the profiles (e.g. one profile is instructed to use a script, but the other isn't).
Also, I never faced an issue in which profile download required privilege elevations, so explicit access for this is not required.
BR,
Milos
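The duplicate-profile situation Mike and Milos describe (two XML files in the Profiles directory whose HostEntry records point at the same gateway and UserGroup, possibly with different settings such as EnableScripting) can be checked for on a client before users start reporting odd behaviour. The script below is an added example, not code from the thread or from Cisco. It assumes the standard AnyConnect client profile layout (<ServerList><HostEntry> with <HostName>, <HostAddress> and optional <UserGroup>, plus <ClientInitialization><EnableScripting>); the three sample profiles it writes to a temporary directory are constructed for the demonstration, and the default directory path is the %ALLUSERSPROFILE% location quoted in the question.

```python
"""Added example (not from the thread): scan an AnyConnect Profiles directory
and flag HostEntry records that target the same gateway and tunnel group from
more than one XML file, the ambiguous case Milos describes.

Assumptions not stated in the thread: profiles follow the AnyConnect client
profile layout of <ServerList><HostEntry> with <HostName>, <HostAddress> and
optional <UserGroup>, plus <ClientInitialization><EnableScripting>. The three
profiles written by build_sample_dir() are constructed for this example.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Per-machine profile directory named in the question, used for a real run on Windows.
DEFAULT_PROFILE_DIR = os.path.join(
    os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData"),
    "Cisco", "Cisco AnyConnect Secure Mobility Client", "Profiles")


def _text(elem, tag):
    """Text of the first child named `tag` in any XML namespace, or '' if absent."""
    child = elem.find(f"{{*}}{tag}") if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def load_host_entries(path):
    """Return one dict per <HostEntry> in a profile, carrying the profile-wide scripting flag."""
    root = ET.parse(path).getroot()
    scripting = _text(root.find("{*}ClientInitialization"), "EnableScripting")
    entries = []
    for host in root.iterfind("{*}ServerList/{*}HostEntry"):
        entries.append({
            "file": os.path.basename(path),
            "host_name": _text(host, "HostName"),
            "host_address": _text(host, "HostAddress"),
            "user_group": _text(host, "UserGroup"),
            "scripting": scripting,
        })
    return entries


def find_conflicts(profile_dir):
    """Map (HostAddress, UserGroup) -> entries for targets that appear in more than one file."""
    by_target = defaultdict(list)
    for name in sorted(os.listdir(profile_dir)):
        if name.lower().endswith(".xml"):
            for entry in load_host_entries(os.path.join(profile_dir, name)):
                by_target[(entry["host_address"], entry["user_group"])].append(entry)
    return {k: v for k, v in by_target.items() if len({e["file"] for e in v}) > 1}


def report(profile_dir):
    """Human-readable lines; also notes when conflicting profiles disagree on scripting."""
    lines = []
    for (address, group), entries in sorted(find_conflicts(profile_dir).items()):
        files = ", ".join(f'{e["file"]} ("{e["host_name"]}")' for e in entries)
        lines.append(f"CONFLICT {address} group={group or '-'}: {files}")
        if len({e["scripting"] for e in entries}) > 1:
            lines.append("  EnableScripting differs between these profiles")
    return lines


def _profile(host_name, address, group, scripting):
    # Constructed minimal profile body; the namespace is the one AnyConnect profiles use (assumption).
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">{scripting}</EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>{host_name}</HostName>
      <HostAddress>{address}</HostAddress>
      <UserGroup>{group}</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def build_sample_dir():
    """Constructed sample: an old and a new profile for the same gateway/group, plus one unrelated."""
    d = tempfile.mkdtemp(prefix="ac-profiles-")
    samples = {
        "corp_old.xml": _profile("Corp VPN", "vpn.example.test", "employees", "true"),
        "corp_new.xml": _profile("Corp VPN 2021", "vpn.example.test", "employees", "false"),
        "lab.xml": _profile("Lab VPN", "lab-vpn.example.test", "lab", "false"),
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    target = DEFAULT_PROFILE_DIR if os.path.isdir(DEFAULT_PROFILE_DIR) else build_sample_dir()
    for line in report(target) or ["no conflicting profiles found"]:
        print(line)
```

Run as-is it falls back to the constructed sample directory and reports the corp_old/corp_new collision; on a Windows client with AnyConnect installed it reads the real Profiles directory instead. The key chosen for a collision is (HostAddress, UserGroup) rather than HostName, because that is exactly the pairing Milos says gets reused when an administrator renames a profile without removing the old file.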
10-14-2021 05:39 AM
Thank you for this insight into the XML matching process. My testing also shows AnyConnect is behaving like this.
Thank you for the advice on making it an unambiguous match and the file permissions for the ProgramData dir. I wasn't able to verify this, but if you've never faced an issue, I'm happy with that.