10-01-2018 06:27 AM - edited 02-21-2020 09:28 PM
I have a scenario where I want to push software version updates for the AnyConnect client when the user connects to the ASA, but I do not want to allow initial client installation. My intent is to force the user to obtain the client from a different internal website where other security controls can be enforced, but when a software update is needed, I can accomplish this by installing the desired client version on the ASA. Is this possible? I only see an option to redirect the user to a portal.
10-01-2018 11:36 PM
I don't believe you can prevent the initial download. It does require Administrator privilege on the local PC to install it the first time if that helps.
You could use client certificates for authentication and make that a requirement for the remote device to log in and perform the initial download.
10-03-2018 07:19 PM
@Marvin Rhoads is correct. If your users are non-admins, you don't have to do anything extra. They won't be able to install new software, but updates should work just fine. If they have admin rights, you can shut down the portal page so that they cannot download the image from the ASA.
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# keepout "The Portal is not available"
ciscoasa(config-webvpn)#
You can then push the AnyConnect clients through your desktop software and have them connect directly to the URL from the client. They should still be able to update the client with the portal shut down.
10-03-2018 07:20 PM
Good point, @Rahul Govindan. I keep forgetting about the keepout option.
10-04-2018 07:39 AM
Oh, thank you both for your input. Just to make sure I understand correctly: if I configure the "keepout" command, that will shut down the portal and not allow the client to be downloaded, BUT the users will still receive the update when they connect to the ASA. Is that correct?
10-05-2018 12:40 AM
That's correct.
No initial downloads can be done when keepout is enabled.
Updates for customers already having the AnyConnect client will continue to work.