Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1312
Views
10
Helpful
5
Replies

Disable AnyConnect Download But Allow Updates

dtjacob
Level 1
Level 1

‎10-01-2018 06:27 AM - edited ‎02-21-2020 09:28 PM

I have a scenario where I want to push software version updates for the AnyConnect client when the user connects to the ASA, but I do not want to allow initial client installation.  My intent is to force the user to obtain the client from a different internal website where other security controls can be enforced, but when a software update is needed, I can accomplish this by installing the desired client version on the ASA.  Is this possible?  I only see an option to redirect the user to a portal.

Labels:
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-01-2018 11:36 PM

I don't believe you can prevent the initial download. It does require Administrator privilege on the local PC to install it the first time if that helps.

 

You could use client certificates for authentication and make that a requirement for the remote device to log in and perform the initial download.

Rahul Govindan
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎10-03-2018 07:19 PM

@Marvin Rhoads is correct. If your users are non-admins, you don't have to do anything extra. They wont be able to install new software but updates should work just fine. IF they have admin rights, you can shutdown the portal page so that they cannot download the image from the ASA. 

 

ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# keepout “The Portal is not available”
ciscoasa(config-webvpn)#

 

You can then push the Anyconnect clients through your desktop software and have them connect directly to the url from the client. They should still be able to update the client with the portal shutdown. 

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Rahul Govindan

‎10-03-2018 07:20 PM

Good point @Rahul Govindan I keep forgetting about the keepout option.

0 Helpful

dtjacob
Level 1
Level 1
In response to Marvin Rhoads

‎10-04-2018 07:39 AM

Oh, thank you both for your input.  Just to make sure I understand correctly.  If I configure the "keepout" command, that will shutdown the portal and not allow the client to be downloaded, BUT the users will still receive the update when they connect to the ASA.  Is that correct?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dtjacob

‎10-05-2018 12:40 AM

That's correct.

 

No initial downloads can be done when keepout is enabled.

 

Updates for customers already having the AnyConnect client will continue to work.

0 Helpful
Customers Also Viewed These Support Documents