Skip to main content

AnyConnect Roaming Security Module: Pre-Deployment Tips (Windows)

Tom Allen
  • Updated
  • min read

 Overview

 

Deployment of the Umbrella Roaming Security Module involves these components:

  • Installation of the AnyConnect Core Module 
  • Installation of the Umbrella Roaming Security Module
  • Installation of the Diagnostic and Reporting Tool (DART) Module
  • Installation of the Umbrella Profile (OrgInfo.json)

Existing AnyConnect Users:

This article focuses on how to pre-deploy Umbrella using a CLI method.  It is also possible to deploy the Umbrella module & profile to existing AnyConnect users by adding configuration to the VPN head-end.  For more information on that method read the Umbrella documentation.

 

There are some scenarios where you may wish to "pre-deploy" the Umbrella module:

  • You are using AC VPN but want the Umbrella module to be available before the VPN is connected for the first time.
  • You want to deploy the Umbrella module as a standalone module, and will not be connecting to VPN.
  • You want to make use of advanced installation options (e.g. service lockdown).

 

 

Pre-deploying Umbrella module (VPN + Umbrella + DART)

 

Builiding the deployment package

    1. Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
      • The downloaded filename of the module profile is Orginfo.json
    2. Download the Umbrella Roaming Security Module from one of the locations below.
    3. Extract the downloaded AnyConnect Client and find the version number.AnyConnect_Download.png
    4. Add your OrgInfo.json file within the 'Profiles' folder in the same directory as the installer.  This step is crucial for the Umbrella module to register automatically after installation.   The folder structure should look as follows. 
      anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi
anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi
anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi
\Profiles\umbrella\OrgInfo.json

 

Installing the package

  1. Update the MSI commands below with the version number from your download, then run in the CMD Prompt.
    • MSI commands 
      msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log 
      msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
      msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log
    • Example if your downloaded version 4.10.05095 
      msiexec /package anyconnect-win-4.10.05095-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log 
      msiexec /package anyconnect-win-4.10.05095-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
      msiexec /package anyconnect-win-4.10.05095-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log

 

 

Standalone Umbrella module (No VPN)

 

If you wish to deploy Umbrella as a standalone application and disable the VPN functionality, follow the same steps for Building the deployment package as above. 

 

Installing the package

When running the installation add the PRE_DEPLOY_DISABLE_VPN=1 parameter when installing the AnyConnect MSI.  This will install only the core components of AnyConnect required for Umbrella to function, and will completely hide the VPN functionality.

    • Run AnyConnect Core VPN MSI with the PRE_DEPLOY_DISABLE_VPN=1 property, as well as Umbrella MSI and DART MSI.
      msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log 
      msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
      msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log

 

 

Setting MSI properties during installation

 

Cisco installation packages support a number of MSI properties which can be changed during installation.  The commonly used properties for Umbrella are:

  • LOCKDOWN = As described above, prevents service from manually being disabled
  • ARPSYSTEMCOMPONENT = Hides the program from Windows 'Programs and Features' list

To set these during installation follow the same installation steps above but pass the additional properties to the msiexec command:

Enable Lockdown

msiexec /package <MSI> /passive LOCKDOWN=1 /lvx*

Hide from Programs and Features

msiexec /package <MSI> /passive ARPSYSTEMCOMPONENT=1 /lvx*

 

Alternatively these MSI settings could be configured by supplying customized installer transform files (.mst files).  For more information see: Configure AnyConnect Lockdown.

 

 

Profile Troubleshooting

 

The common error "Profile is missing" indicates that the Umbrella module is installed but the profile (OrgInfo.json) is not.  This means the Umbrella module cannot register with Umbrella or enable protection.

mceclip0.png

To resolve this for an existing installation simply add the profile here:

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json

To correct the error for future installations, ensure this profile is properly embedded within the deployment package:

\Profiles\umbrella\OrgInfo.json

 

 

 

Was this article helpful?

3 out of 4 found this helpful
Have more questions? Submit a request

Related articles