Purpose
As Umbrella has grown, we have evolved our methods for protecting roaming computers. In 2022 we started encouraging all Umbrella Roaming Client customers to switch to the AnyConnect version because it offers better performance and compatibility with 3rd party software. Built upon AnyConnect, the Cisco Secure Client is the next-generation unified endpoint agent for Cisco. It integrates the latest version of the Umbrella module as well as many other modules.
Subsequently, Cisco announced the End-of-Life of Cisco AnyConnect and the Umbrella Roaming Client in 2023. Many Umbrella customers are already benefiting from migrating to Cisco Secure Client. This article will cover the migration process and any questions about the Cisco Secure Client.
If you are an MSP or need information on mass deployment, refer to the article below.
Umbrella Module for Cisco Secure Client - Command Line installation and RMM reference
Upgrading to Cisco Secure Client
This section will cover how to migrate to the Cisco Secure Client.
Migrating from AnyConnect
No special steps are needed when migrating from AnyConnect. The Cisco Secure Client installer will remove the AnyConnect client during install.
Migrating from standalone roaming client
Note: Customers with valid licenses and active Umbrella support contracts migrating from the standalone roaming client are eligible to migrate to Cisco Secure Client for entitlement to the Umbrella Roaming Security Module only.
Windows
No special steps are needed when migrating from the standalone roaming client. The Cisco Secure Client installer will remove the standalone roaming client during install.
NOTE: If you are running Windows version 3.0.343 or older, we recommend uninstalling the standalone roaming client prior to installing the Cisco Secure Client. Instructions can be found at this link.
macOS
No special steps are needed when migrating from the standalone roaming client. The Cisco Secure Client installer will remove the standalone roaming client during install.
Installing the Cisco Secure Client
1. Download Cisco Secure Client
Method 1: Umbrella Dashboard
Log in to your Umbrella Dashboard and navigate to Deployments > Roaming Computers. Click the Roaming Client download icon in the top right and download the appropriate pre-deployment package for your operating system.
Method 2: Software.cisco.com
Log in to software.cisco.com and navigate to the Secure Client 5 section. Download the appropriate pre-deployment package for your operating system.
2. Double-click the Setup file application
The following window appears:
3. Select only the Umbrella and Diagnostic and Reporting Tool options.
Selecting Lock down Computer Services is optional and will allow only administrators to start/stop Cisco Secure Client's services on a device.
NOTE: The "Core & AnyConnect VPN" module will be installed as a required core module. Unchecking the "Core & AnyConnect VPN" option will hide the VPN from the GUI. The VPN service (csc_vpnagent) will still be running in the background, but the VPN will not show in the GUI.
4. Click on Install Selected to install the modules.
You will see the following windows when you start Cisco Secure Client:
5. At this time, Cisco Secure Client will detect and uninstall the Umbrella Roaming Client. Please allow some time for this to complete.
6. Note: this last step is required only if you are installing on a device without Cisco AnyConnect or you are migrating from the Umbrella roaming client:
You will need your organization's orginfo.json (Windows) or orginfo.plist (macOS) file. You can download this from your dashboard by browsing to Deployments > Core Identities > Roaming Computers > Roaming Client then clicking on Download at the top right corner and selecting Download Module Profile.
Once downloaded, copy the orginfo.json (Windows) or orginfo.plist (macOS) file into the folder specified by the Umbrella Directory in the section below.
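Step 6 as a script for macOS, written as an added example and not part of Cisco's tooling: it checks the downloaded profile and copies it into the Umbrella directory listed in the section below, refusing to overwrite a different profile that is already there. The function name, the return codes and the `UMBRELLA_DIR` variable are this example's own; it assumes the directory is created by the Secure Client install.

```shell
#!/bin/sh
# Added example (not Cisco's installer): place an Umbrella module profile.
# Default target is the macOS Umbrella directory listed on this page.
UMBRELLA_DIR="${UMBRELLA_DIR:-/opt/cisco/secureclient/Umbrella}"

# install_orginfo SRC [DEST_DIR]
# Return codes (this script's own convention):
#   0 installed or already identical, 2 bad source, 3 Umbrella directory missing,
#   4 a different profile is already present, 5 copy could not be verified
install_orginfo() {
    src="$1"
    dest_dir="${2:-$UMBRELLA_DIR}"
    dest="$dest_dir/$(basename "$src")"

    # The source must be a non-empty regular file with the expected name.
    case "$(basename "$src")" in
        orginfo.plist|orginfo.json) ;;
        *) echo "unexpected profile name: $src" >&2; return 2 ;;
    esac
    [ -f "$src" ] && [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 2; }

    # On macOS, lint the plist before deploying it (plutil ships with macOS).
    if [ "${src##*.}" = "plist" ] && command -v plutil >/dev/null 2>&1; then
        plutil -lint "$src" >/dev/null || { echo "invalid plist: $src" >&2; return 2; }
    fi

    # Assumption: the directory is created by the Secure Client install,
    # so its absence means the Umbrella module is not installed yet.
    [ -d "$dest_dir" ] || { echo "no Umbrella directory: $dest_dir" >&2; return 3; }

    # Never silently replace a profile that differs from the one being deployed.
    if [ -f "$dest" ]; then
        cmp -s "$src" "$dest" && return 0
        echo "different profile already at $dest" >&2
        return 4
    fi

    # Copy, then confirm the bytes on disk match the download.
    cp "$src" "$dest" && cmp -s "$src" "$dest" || return 5
    return 0
}

# Run as a script: sudo sh install_orginfo.sh /path/to/orginfo.plist
if [ -n "${1:-}" ]; then install_orginfo "$@"; fi
```

Return code 4 is the one to alert on in a mass deployment, since it means the device already carries a profile that differs from the one being pushed.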
Directory Structure
The directory locations have changed with Cisco Secure Client.
Cisco Secure Client Directories
Windows
Executable
C:\Program Files (x86)\Cisco\Cisco Secure Client
Umbrella Directory
C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\
macOS
Executable
/Applications/Cisco/Cisco Secure Client.app
Umbrella Directory
/opt/cisco/secureclient/Umbrella/
Common questions and concerns
Q: Is Roaming Security Module the same thing as the Umbrella Module?
A: Yes, Umbrella Module is just the new simplified name for the Roaming Security Module.
Q: If I use the Cisco Secure Client, do I need to use the VPN module? I already have a VPN client and do not wish to switch.
A: While Cisco is known for its VPN software, the VPN module does not need to be in use in order to take advantage of the Umbrella module. You can use another VPN client while using the Cisco Secure Client Umbrella Module.
Q: Where can I get a copy of the Cisco Secure Client?
A:
Method 1: Umbrella Dashboard
Log in to your Umbrella Dashboard and navigate to Deployments > Roaming Computers. Click the Roaming Client download icon in the top right and download the appropriate pre-deployment package for your operating system.
Method 2: Software.cisco.com
Log in to software.cisco.com and navigate to the Secure Client 5 section. Download the appropriate pre-deployment package for your operating system.
Note: To complete the download, you will need to log in using a valid Cisco Account.
Q: I have an Umbrella subscription, but I don't have any Cisco Secure Client licenses. Am I still able to upgrade to Cisco Secure Client?
A: Cisco Secure Client is now included in all Umbrella licenses. If you have any further questions, please reach out to Umbrella Support.
Q: What are the architectural differences between the clients?
Standalone roaming client approach
The standalone roaming client uses a loopback adapter in order to inspect all requests sent to the DNS servers specified in a computer's network adapter's DNS settings. This requires that the roaming client resets the DNS server on all adapters to use 127.0.0.1, the localhost loopback address.
The disadvantage of this approach is that some VPN clients will conflict with this configuration--either by mandating that the configuration matches what has been set by the administrator or by preventing a DNS resolver from running on 127.0.0.1.
Alternatively, some VPN clients also overwrite an adapter's DNS settings with VPN values, overwriting the roaming client's DNS server address of 127.0.0.1 instead of the original values. This can cause the Umbrella Roaming Client and the conflicting software package to not function as designed, or cause a full DNS fail scenario where the configured DNS settings are lost at connect or disconnect.
Cisco Secure Client approach
With Cisco Secure Client, Umbrella is a module that can be installed. This module is able to control the adapter without changing the DNS settings on the interface, avoiding DNS change conflicts. Cisco Secure Client uses a kernel driver, which intercepts the DNS requests at a much lower level in the operating system. This more sophisticated mechanism has the advantage of not requiring that traffic for all adapters go through the loopback address, so the original DNS settings are maintained. This architectural difference means that the Umbrella module can retain much higher compatibility with other software when compared to the standalone roaming client.
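A post-migration check that follows from the difference described above, added here as an example and not taken from Cisco's documentation: because the Secure Client module leaves the adapters' original DNS settings in place, a resolver still pointing at 127.0.0.1 is worth investigating as a leftover of the standalone client or of another local DNS proxy. The function names are this example's own, the input is macOS `scutil --dns` output, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag resolvers that still point at the local host.
# Input format is macOS `scutil --dns` output, read on stdin.
# Prints "<resolver> <interface> <address>"; returns 1 if any were found.
loopback_resolvers() {
    awk '
        # Print the loopback nameservers collected for the current resolver.
        function emit(   n, i, a) {
            if (hits != "") {
                n = split(hits, a, " ")
                for (i = 1; i <= n; i++) print res, (ifc == "" ? "-" : ifc), a[i]
                found = 1
            }
            hits = ""; ifc = ""
        }
        /^resolver #/              { emit(); res = $2 }
        /nameserver\[[0-9]+\] *:/  { if ($NF ~ /^127\./ || $NF == "::1") hits = hits " " $NF }
        /if_index *:/              { ifc = $NF; gsub(/[()]/, "", ifc) }
        END                        { emit(); exit (found ? 1 : 0) }
    '
}

# Constructed sample: resolver #1 was left on 127.0.0.1, resolver #2 was not.
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  if_index : 6 (en0)
  flags    : Request A records

resolver #2
  nameserver[0] : 192.168.1.1
  if_index : 12 (en5)
  flags    : Request A records
EOF
}

# On a Mac: scutil --dns | loopback_resolvers
# Offline demo with the sample above: sh check_dns.sh --demo
if [ "${1:-}" = "--demo" ]; then sample_scutil_output | loopback_resolvers; fi
```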
Q: Are there still any compatibility issues with the Cisco Secure Client?
A: Some conflicts may exist if a vendor also binds to port 53 on 127.0.0.1, or has certain kernel level controls, or DNS relay proxies of their own. However, conflicts are minimal and rare in practice. For more information on known issues, see the following Knowledge Base article:
Software Compatibility - Umbrella Module for Cisco Secure Client (and legacy AnyConnect)