Installing the Cisco Anyconnect on a Windows workstation Image---is it supported?

BenLora79498
Level 1

Hello everyone,

We are undertaking two related projects at the same time. One is the deployment of a new Cisco FTD firewall and the other is the deployment of over 500 new laptops. I need to know if installing/configuring the Cisco AnyConnect client on one laptop and creating a gold image to be used to configure the deployment of the rest of the laptops is a supported deployment method. Pros/Cons?

If I do this will we still be able to update the client software and profile settings in the future via the FTD?

Thank you all in advance for your assistance!

7 Replies

balaji.bandi
Hall of Fame

Look at the AnyConnect supported platforms:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html#topic_qr2_kdw_q2b

Yes, you can deploy the package method to build as per business policy, so users cannot upgrade or install unnecessary software onto the device for security reasons.

If you have SCCM, you can push the upgrades to clients.

BB


Mike.Cifelli
VIP Alumni
Pros/Cons?
Pros: saves on deployment time; ensures machines have the SW version you want them to have; cuts any user/local lab admin out of install piece; eliminates third party sw push potential errors;
Cons: Still need viable solution to upgrade existing workstations that were already imaged (SCCM is typically used if you have that luxury); still need to deploy unique profiles for specific groups;
My assumption based on this post is that you are only deploying AnyConnect Secure Mobility Client for VPN purposes and no other modules. FYSA if planning to utilize NAM I suggest you test because once this is installed it can mess with network connectivity which could hose your image process. HTH!

Thank you very much for the information. 

Yes, we are planning on using the additional modules listed below. My thinking is we will need to ensure we configure the modules listed below during the imaging process as FTD does not support configuration profiles for these modules. Would you agree with that approach?

  • Network Access Manager
  • Cisco Umbrella
  • Posture

I strongly suggest taking a peek at the NAM admin guide as I have seen/experienced issues with the overall workflow (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html)
Are you attempting to use NAM for eap-fast purposes? So you are tracking latest ver of Win 10 and ISE 2.7 has support for eap-teap. Essentially means you can do eap-chaining with the native supplicant. See (https://www.ise-support.com/2020/05/29/using-teap-for-eap-chaining/) for more info. Regardless of what you decide ensure that you test the order of operations. For testing sake I would recommend installing NAM last. Good luck & HTH :)

Yes, I have been reading that documentation for the last three days! 

You can push the modules and profiles using flexconfig in Firepower 6.6.

https://www.cisco.com/c/en/us/td/docs/security/firepower/config_examples/advanced-anyconnect-ftd-fmc/advanced-anyconnect-vpn-ftd-fmc.html#Cisco_Task_in_List_GUI.dita_12b746da-3ace-4ba0-91b0-a56e78e36ac3

Version 6.7 will include the ability to do that from the GUI.

Great, thank you for that information.