Articles in this section

See more

AnyConnect Roaming Security Module: Pre-Deployment Tips (Windows)

Avatar
Tom Allen
  • Updated
Follow

 Overview

 

Deployment of the Umbrella Roaming Security Module involves these components:

  • Installation of the AnyConnect Core Module 
  • Installation of the Umbrella Roaming Security Module
  • Installation of the Diagnostic and Reporting Tool (DART) Module
  • Installation of the Umbrella Profile (OrgInfo.json)

Existing AnyConnect Users:

This article focuses on how to pre-deploy Umbrella using a CLI method.  It is also possible to deploy the Umbrella module & profile to existing AnyConnect users by adding configuration to the VPN head-end.  For more information on that method read the Umbrella documentation.

 

There are some scenarios where you may wish to "pre-deploy" the Umbrella module:

  • You are using AC VPN but want the Umbrella module to be available before the VPN is connected for the first time.
  • You want to deploy the Umbrella module as a standalone module, and will not be connecting to VPN.
  • You want to make use of advanced installation options (e.g. service lockdown).

 

 

Pre-deploying Umbrella module (VPN + Umbrella + DART)

 

The steps are as follows:

    1. Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
      • The downloaded filename of the module profile is Orginfo.json
    2. Download the Umbrella Roaming Security Module from one of the locations below.
    3. Extract the downloaded AnyConnect Client and find the version number.
      • AnyConnect_Download.png
    4. Update the MSI commands below with the version number from your download, then run in the CMD Prompt.
      • MSI commands
      • msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /passive /lvx* vpninstall.log 
        msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive /lvx* umbrellainstall.log
        msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-X.X.XXXXX-dart-predeploy-k9-install-datestamp.log
      • Example if your downloaded version 4.10.05095
      • msiexec /package anyconnect-win-4.10.05095-core-vpn-predeploy-k9.msi /passive /lvx* vpninstall.log 
        msiexec /package anyconnect-win-4.10.05095-umbrella-predeploy-k9.msi /passive /lvx* umbrellainstall.log
        msiexec /package anyconnect-win-4.10.05095-dart-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-4.10.05095-dart-predeploy-k9-install-datestamp.log
    5.  Then copy the Orginfo.json file to the directory below. 
      • %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\

 

Standalone Umbrella module (No VPN)

 

If you wish to deploy Umbrella as a standalone application and disable the VPN functionality, follow the same steps as the installation above but add the PRE_DEPLOY_DISABLE_VPN=1 parameter when installing the AnyConnect MSI.  This will install only the core components of AnyConnect required for Umbrella to function, and will completely hide the VPN functionality.

    1. Download the relevant 'Pre-Deployment' installer from software.cisco.com
      1. Add the Umbrella installation MSI files and module profile (OrgInfo.json) to your installation package as follows.  This file can be obtained from your Umbrella Dashboard in 'Deployments > Roaming Computers > Add'
        anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi
        anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi
        anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi
        \Profiles\umbrella\OrgInfo.json
      2. Alternatively, the OrgInfo.json can be pre-copied to this location:
        %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json
    2. Run the AnyConnect Core VPN MSI, the Umbrella MSI, and the DART MSI with the PRE_DEPLOY_DISABLE_VPN=1 property:
      msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log 
      msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* umbrellainstall.log
      msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* anyconnect-win-X.X.XXXXX-dart-predeploy-k9-install-datestamp.log

 

 

Setting MSI properties during installation

 

Cisco installation packages support a number of MSI properties which can be changed during installation.  The commonly used properties for Umbrella are:

  • LOCKDOWN = As described above, prevents service from manually being disabled
  • ARPSYSTEMCOMPONENT = Hides the program from Windows 'Programs and Features' list

To set these during installation follow the same installation steps above but pass the additional properties to the msiexec command:

Enable Lockdown

msiexec /package <MSI> /passive LOCKDOWN=1 /lvx*

Hide from Programs and Features

msiexec /package <MSI> /passive ARPSYSTEMCOMPONENT=1 /lvx*

 

Alternatively these MSI settings could be configured by supplying customized installer transform files (.mst files).  For more information see: Configure AnyConnect Lockdown.

 

 

Profile Troubleshooting

 

The common error "Profile is missing" indicates that the Umbrella module is installed but the profile (OrgInfo.json) is not.  This means the Umbrella module cannot register with Umbrella or enable protection.

mceclip0.png

To resolve this for an existing installation simply add the profile here:

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json

To correct the error for future installations, ensure this profile is properly embedded within the deployment package:

\Profiles\umbrella\OrgInfo.json

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.