AnyConnect Roaming Security Module: Pre-Deployment Tips (Windows)

 Overview

Deployment of the Umbrella Roaming Security Module involves these components:

• Installation of the AnyConnect Core Module 
• Installation of the Umbrella Roaming Security Module
• Installation of the Diagnostic and Reporting Tool (DART) Module
• Installation of the Umbrella Profile (OrgInfo.json)

Existing AnyConnect Users:

This article focuses on how to pre-deploy Umbrella using a CLI method.  It is also possible to deploy the Umbrella module & profile to existing AnyConnect users by adding configuration to the VPN head-end.  For more information on that method read the Umbrella documentation.

 

There are some scenarios where you may wish to "pre-deploy" the Umbrella module:

• You are using AC VPN but want the Umbrella module to be available before the VPN is connected for the first time.
• You want to deploy the Umbrella module as a standalone module, and will not be connecting to VPN.
• You want to make use of advanced installation options (e.g. service lockdown).

 

Pre-deploying Umbrella module (VPN + Umbrella + DART)

Builiding the deployment package

1. 1. Download the Umbrella roaming security module profile from your Umbrella Dashboard. Deployments>Roaming Computers>Roaming Clients
      • The downloaded filename of the module profile is Orginfo.json
   2. Download the Umbrella Roaming Security Module from one of the locations below.
      • software.cisco.com
      • Umbrella Release Notes
   3. Extract the downloaded AnyConnect Client and find the version number.
   4. Add your OrgInfo.json file within the 'Profiles' folder in the same directory as the installer.  This step is crucial for the Umbrella module to register automatically after installation.   The folder structure should look as follows.

      anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi
      anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi
      anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi
      \Profiles\umbrella\OrgInfo.json         

Installing the package

1. Update the MSI commands below with the version number from your download, then run in the CMD Prompt.
   • MSI commands

     msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log 
     msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
     msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log

   • Example if your downloaded version 4.10.05095

     msiexec /package anyconnect-win-4.10.05095-core-vpn-predeploy-k9.msi /norestart /passive /lvx* vpninstall.log 
     msiexec /package anyconnect-win-4.10.05095-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
     msiexec /package anyconnect-win-4.10.05095-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log

Standalone Umbrella module (No VPN)

If you wish to deploy Umbrella as a standalone application and disable the VPN functionality, follow the same steps for Building the deployment package as above. 

Installing the package

When running the installation add the PRE_DEPLOY_DISABLE_VPN=1 parameter when installing the AnyConnect MSI.  This will install only the core components of AnyConnect required for Umbrella to function, and will completely hide the VPN functionality.

1. • Run AnyConnect Core VPN MSI with the PRE_DEPLOY_DISABLE_VPN=1 property, as well as Umbrella MSI and DART MSI.
     

     msiexec /package anyconnect-win-X.X.XXXXX-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* vpninstall.log 
     msiexec /package anyconnect-win-X.X.XXXXX-umbrella-predeploy-k9.msi /norestart /passive /lvx* umbrellainstall.log
     msiexec /package anyconnect-win-X.X.XXXXX-dart-predeploy-k9.msi /norestart /passive /lvx* dartinstall.log

Setting MSI properties during installation

Cisco installation packages support a number of MSI properties which can be changed during installation.  The commonly used properties for Umbrella are:

• LOCKDOWN = As described above, prevents service from manually being disabled
• ARPSYSTEMCOMPONENT = Hides the program from Windows 'Programs and Features' list
  

To set these during installation follow the same installation steps above but pass the additional properties to the msiexec command:

Enable Lockdown

msiexec /package <MSI> /passive LOCKDOWN=1 /lvx* 

Hide from Programs and Features

msiexec /package <MSI> /passive ARPSYSTEMCOMPONENT=1 /lvx* 

Alternatively these MSI settings could be configured by supplying customized installer transform files (.mst files).  For more information see: Configure AnyConnect Lockdown.

Profile Troubleshooting

The common error "Profile is missing" indicates that the Umbrella module is installed but the profile (OrgInfo.json) is not.  This means the Umbrella module cannot register with Umbrella or enable protection.

To resolve this for an existing installation simply add the profile here:

%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Umbrella\OrgInfo.json

To correct the error for future installations, ensure this profile is properly embedded within the deployment package:

\Profiles\umbrella\OrgInfo.json