Deploying Cisco Secure Client refers to installing, configuring, and upgrading Cisco Secure Client and its related files.
The Cisco Secure Client can be deployed to remote users by the following methods:
- Predeploy—New installations and upgrades are done either by the end user, or by using an enterprise software management system (SMS). This deployment option offers no cloud management.
- Web Deploy—The Cisco Secure Client package is loaded on the headend, which is either a Secure Firewall ASA, Secure Firewall Threat Defense, or an ISE server. When the user connects to a firewall or to ISE, Cisco Secure Client is deployed to the client. This deployment option offers no cloud management.
  - For new installations, the user connects to a headend to download Cisco Secure Client. The client is either installed manually or automatically (web-launch).
  - Updates are done by Cisco Secure Client running on a system where Cisco Secure Client is already installed, or by directing the user to the Secure Firewall ASA clientless portal.
- Cisco Secure Client Cloud Management Deployment—Once you have chosen which Cisco Secure Client options you want to enable (such as Start Before Login, Diagnostics and Reporting Tool, Secure Firewall Posture, Network Visibility Module, Secure Umbrella, ISE Posture, and Network Access Manager), you can click the Network Installer button on the Deployment Management page of the Secure Client Cloud Management UI. This action downloads the csc-deployment.exe file, which then can be executed in a command prompt to install the Cloud Management service and your configured modules. You can then choose to have cloud registration with no package or profile management or utilize full cloud management. Cisco Secure Client can be used with or without cloud management.
- Within XDR, you can navigate to Client Management > Deployments to see a list of all Secure Client deployments in your Cisco XDR organization. This page also allows users to define a list of all packages and related profiles that must be installed on all computers in a specific deployment within an organization. Refer to XDR documentation for further details.
When you deploy AnyConnect VPN, you can include optional Cisco Secure Client modules that enable extra features, and client profiles that configure the AnyConnect VPN and optional Cisco Secure Client features.

Refer to the Cisco Secure Client release notes for system, management, and endpoint requirements for Secure Firewall ASA, IOS, Microsoft Windows, Linux, and macOS.
Note: Some third-party applications and operating systems may restrict the ISE posture agent and other processes from necessary file access and privilege elevation. Make sure the Cisco Secure Client installation directory is trusted and/or in the allowed/exclusion/trusted lists for endpoint antivirus, antimalware, antispyware, data loss prevention, privilege manager, or group policy objects. The following are the paths to be included:

- macOS and Linux
  - /opt/cisco/
  - ~/.cisco/
  - ~/.vpn/

Additionally, third-party security applications (AV/AS/AM/DLP) could result in failure with a Compliance Module upgrade, because the interaction leads to missing libraries on the endpoint. To avoid these issues, upgrade the Compliance Module version and set these to exclude (in your third-party security application), before upgrading the Compliance Module:

- cisco-secure-client-win-4.3.xxxx.xxxx-isecompliance-webdeploy-k0.pkg
- cisco-secure-client-win-4.3.xxxx.xxxx-isecompliance-webdeploy-k9.exe
- cisco-secure-client-win-4.3.xxxx.xxxx-isecompliance-webdeploy-k9.msi
- opswat.msi

Compliance Module is not part of Secure Client Cloud Management deployments.
Decide How to Install Cisco Secure Client

Cisco Secure Client can be web deployed by ISE 2.0 (or later) and Secure Firewall ASA headends or predeployed. To install Cisco Secure Client initially requires administrative privileges.

Web Deploy

To upgrade Cisco Secure Client or install additional modules using web deploy (from ASA/ISE/Secure Firewall Threat Defense with Downloader), you do not need administrative privileges.

Due to a new Apple API change, when using webdeploy to upgrade from macOS Cisco Secure Client 5.0.x (or earlier) to 5.1.x (or later), you must have administrator privileges or manage the macOS devices via MDM to pre-approve the application extension. This restriction does not apply to Windows or Linux.
- Web Deploying from a Secure Firewall ASA or Secure Firewall Threat Defense—User connects to the Cisco Secure Client clientless portal on the headend device, and selects to download Cisco Secure Client. The Secure Firewall ASA downloads the Cisco Secure Client Downloader. The Cisco Secure Client Downloader downloads the client, installs the client, and starts a VPN connection.
- Web Deploying from ISE—User connects to the Network Access Device (NAD), such as a Secure Firewall ASA, wireless controller, or switch. The NAD authorizes the user, and redirects the user to the ISE portal. The Cisco Secure Client Downloader is installed on the client to manage the package extraction and installation, but does not start a VPN connection.
Predeploy

To upgrade Cisco Secure Client or install additional modules using predeploy (out-of-band deployment, either manually or using SCCM and so on), you need administrative privileges whether:

- Using an Enterprise software management system (SMS).
- Manually distributing the Cisco Secure Client file archive, with instructions for the user about how to install. File archive formats are zip for Windows, DMG for macOS, and gzip for Linux.
When utilizing out-of-band deployment methods, whether manually or through SCCM, you should initiate pre-deploy installers for software upgrades. It is important to note that you should not remove any Cisco Secure Client (AnyConnect) registry entries within SCCM or other deployment scripts during the upgrade process. For upgrade-related issues, consult Cisco.

For system requirements and licensing dependencies, refer to the Cisco Secure Client Features, License, and OS Guide.
Note: If you are using Secure Firewall Posture to perform root privilege activities on a macOS or Linux platform, we recommend that you predeploy Secure Firewall Posture.
Determine The Resources You Need to Install Cisco Secure Client

Several types of files make up the Cisco Secure Client deployment:

- AnyConnect VPN, which is included in the Cisco Secure Client package.
- Modules that support extra features, which are included in the Cisco Secure Client package.
- Client profiles that configure Cisco Secure Client and the extra features, which you create.
- Language files, images, scripts, and help files, if you wish to customize or localize your deployment.
- ISE posture and the compliance module (OPSWAT).