browse
Purpose
As Umbrella has evolved, we have enhanced our methods for protecting roaming computers. In our continual efforts to innovate, we have introduced the Cisco Secure Client which is built upon AnyConnect and is our next-generation unified endpoint agent. This new client encompasses all the benefits of the Umbrella Roaming Client while offering a more advanced security solution, including a suite of security service modules, superior performance and extended compatibility. It integrates the latest version of the Umbrella module as well as many other modules.
Please note that Cisco announced the End-of-Life of Cisco AnyConnect in 2023 and the Umbrella Roaming Client in 2024. Many Umbrella customers are already benefiting from migrating to Cisco Secure Client and you are encouraged to begin migration as soon as possible to get a better roaming experience.
All customers with valid licenses and active Umbrella support contracts are eligible to migrate to Cisco Secure Client for entitlement to the Umbrella Module, which includes the same functionality of the Umbrella Roaming Client capability, at no charge!
This article will cover the migration process and any questions about the Cisco Secure Client.
Upgrading to Cisco Secure Client
This section will cover how to migrate to the Cisco Secure Client.
Migrating from AnyConnect
The Cisco Secure Client has a mechanism to automatically detect an existing AnyConnect installation, gather configuration from it, migrate those settings to Cisco Secure Client and then uninstall the old AnyConnect client. However, there may be edge cases where this process fails, so some customers may prefer to uninstall the AnyConnect client themselves before installing Cisco Secure Client.
IMPORTANT: Disable any AnyConnect installation tasks in your endpoint management software to prevent older AnyConnect versions being re-installed.
Migrating from Umbrella Roaming Client
Note: Customers with valid licenses and active Umbrella support contracts migrating from the Umbrella roaming client are eligible to migrate to Cisco Secure Client for entitlement to the Umbrella Module only.
The Cisco Secure Client has a mechanism to automatically detect an existing Umbrella Roaming Client installation, gather configuration from it, migrate those settings to Cisco Secure Client and then uninstall the old Umbrella Roaming Client. However, there may be edge cases where this process fails, so some customers may prefer to uninstall the Umbrella Roaming client themselves before installing Cisco Secure Client.
IMPORTANT: Disable any Umbrella Roaming Client installation tasks in your endpoint management software to prevent the Roaming Client being re-installed.
Installing the Cisco Secure Client
1. Download Cisco Secure Client
Method 1: Umbrella Dashboard
Log in to your Umbrella Dashboard and navigate to Deployments > Roaming Computers. Click the Roaming Client download icon in the top right and download the appropriate pre-deployment package for your operating system.
Method 2: Software.cisco.com
Log in to software.cisco.com and navigate to Secure Client 5 section. Download the appropriate pre-deployment package for your operating system.
2. Double click on Setup file application
The following window appears:
3. Select only the Umbrella and Diagnostic and Reporting Tool options.
Selecting Lock down Computer Services is optional and will block users and admins from being able to change the state of the Cisco Secure Client's services on a device.
NOTE: The "Core & AnyConnect VPN" module will be installed as a required core module. Unchecking the "Core & AnyConnect VPN" option will hide the VPN from the GUI. The VPN service (csc_vpnagent) will still be running in the background, but the VPN will not show in the GUI.
4. Click on Install Selected to install the modules.
You will see the following windows when you start Cisco Secure Client:
5. At this time, Cisco Secure Client will detect and uninstall the Umbrella Roaming Client. Please allow some time for this to complete.
Umbrella Profile Installation
The Umbrella profile (OrgInfo.json) is automatically detected from your previous Roaming Client or AnyConnect installation and imported into Secure Client.
However, for new installations it is critical to deploy the Umbrella profile (OrgInfo.json) to the endpoint. This file uniquely identifies your Umbrella organization and allows the client to register with the Umbrella cloud. This step is required if you are installing on a device without Cisco AnyConnect or you are migrating from the Umbrella roaming client:
- Download the OrgInfo.json module profile from your dashboard in Deployments > Core Identities > Roaming Computers > Roaming Client then clicking on Download at the top right corner.
- Choose Download Module Profile.
- Once downloaded, copy the Orginfo.json file into the location specified below
C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json (Windows
/opt/cisco/secureclient/umbrella/OrgInfo.json (OSX)
Mass Deployment
Secure Client (including Umbrella module and profile) cab be mass deployed using endpoint management tools (such as UEM, MDM, RMM). See the following articles:
Customization
- Customize macOS installations of Secure Client (OSX)
- Customize Windows installations of Secure Client
Directory Structure
The directory locations have changed with Cisco Secure Client.
Cisco Secure Client Directories
Windows
Executable
C:\Program Files (x86)\Cisco\Cisco Secure Client
Umbrella data directory
C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\
macOS
Executable
/Applications/Cisco/Cisco Secure Client.app
Umbrella data directory
/opt/cisco/secureclient/umbrella/
Frequently Asked Questions
Q: Can we continue with the Umbrella Roaming client?
A: The Umbrella Roaming client end of life date is April 2, 2024. You can continue to use it past this date, and Cisco will continue to support and provide fixes for critical issues and vulnerabilities for a year until April 2, 2025. However, all new enhancements and innovations will be provided in Cisco Secure Client only. After April 2, 2025 any new device registrations for Umbrella Roaming client will be restricted. Customers still using Umbrella Roaming client at that time will no longer receive support or updates.
Q: Is the Umbrella Module the same thing as the Roaming Security Module?
A: Yes, Umbrella Module is just the new simplified name for the Roaming Security Module.
Q: We already have a 3rd party VPN agent. We do not want to install the VPN module. Is this an option?
A: The VPN module is installed as a core module. However, you are not required to configure or use the VPN module at all. You do have the option to hide the VPN module from the GUI though. Simply uncheck the "Core & AnyConnect VPN" option during installation to hide the VPN from the GUI. The VPN service (csc_vpnagent) will still be running in the background, but the VPN will not show in the GUI. Refer to the KB article for additional information on how to hide the VPN module: https://support.umbrella.com/hc/en-us/articles/18211951038740-How-to-hide-the-VPN-module-in-Cisco-Secure-Client-Windows
Q: I only need DNS-layer security. Do I still need to upgrade?
Yes, and you can still use your DNS-only subscription with the new Cisco Secure Client and Umbrella module. All customers have entitlement to the Umbrella module of Cisco Secure Client. The VPN module is a core module and will be installed, however you do not have to use it, and you have the option to hide it in the UI.
Q: Where can I get a copy of the Cisco Security Client?
A:
Method 1: Umbrella Dashboard
Log in to your Umbrella Dashboard and navigate to Deployments > Roaming Computers. Click the Roaming Client download icon in the top right and download the appropriate pre-deployment package for your operating system.
Method 2: Software.cisco.com
Log in to software.cisco.com and navigate to Secure Client 5 section. Download the appropriate pre-deployment package for your operating system.
Note: To complete download, you will need to log in using a valid Cisco Account.
Q: I have an Umbrella subscription, but I don't have any Cisco Secure Client licenses. Am I still able to upgrade to Cisco Secure Client?
A: All customers with valid licenses and active Umbrella support contracts are eligible to migrate to Cisco Secure Client for entitlement to the Umbrella Module, which includes all the Umbrella Roaming Client capability, at no charge!
Q: What are the architectural differences between the clients?
Umbrella Roaming Client approach
The Umbrella Roaming Client uses a loopback adapter in order to inspect all requests sent to the DNS servers specified in a computer's network adapters DNS settings. This requires that the roaming client resets the DNS server on all adapters to use 127.0.0.1, the localhost loopback address.
The disadvantage of this approach is that some VPN clients will conflict with this configuration--either by mandating that the configuration matches what has been set by the administrator or by preventing a DNS resolver from running on 127.0.0.1.
Alternatively, some VPN clients also overwrite an adapter's DNS settings with VPN values, overwriting the roaming client's DNS server address of 127.0.0.1 instead of the original values. This can cause the Umbrella Roaming Client and the conflicting software package to not function as designed, or cause a full DNS fail scenario where the configured DNS settings are lost at connect or disconnect.
Cisco Secure Client approach
With Cisco Secure Client, Umbrella is a module that can be installed. This module is able to control the adapter without changing the DNS settings on the interface, avoiding DNS change conflicts. Cisco Secure Client uses a kernel driver, which intercepts the DNS requests at a much lower level in the operating system. This more sophisticated mechanism has the advantage of not requiring that traffic for all adapters go through the loopback address, so the original DNS settings are maintained. This architectural difference means that the Umbrella module can retain much higher compatibility with other software when compared to the Umbrella Roaming Client.
Q: Does the Umbrella module for Cisco Secure Client have any known compatibility issues?
A.The Cisco Secure Client builds upon the AnyConnect architecture, which is much more widely compatible than the legacy Umbrella Roaming Client. In some rare instances, additional action is required to have the Umbrella module work with 3rd party software. You can read more information in the article below:
Software Compatibility - Umbrella Module for Cisco Secure Client (and legacy AnyConnect)
Q: We have existing AnyConnect and Umbrella Roaming client installations. Do we need to manually uninstall both and install the Cisco Secure Client with the AnyConnect and Umbrella modules?
A: No, the Secure Client installation process is designed with a seamless upgrade process. The installer will automatically move the Orginfo.json to Secure Client folders and also uninstall AnyConnect and the Umbrella Roaming client at the same time. If you were using VPN functionality from AnyConnect, it will be automatically carried over to the AnyConnect VPN module.
Q: I don't see the Cisco Secure Client UI after installation. How do I know it's working?
You can confirm Cisco Secure Client with Umbrella module is working by either going to https://policy-debug.checkumbrella.com in your browser or by running the following command:
nslookup -q=txt debug.opendns.com
The output should contain unique and relevant information to your Umbrella org such as your OrgID.
Q: How do I find support documentation for deployment using my specific MDM or RMM tool?
A: Third-party RMM and MDM's are not officially supported by Cisco Umbrella. As a courtesy, we do provide a few examples on our KB page at https://support.umbrella.com/hc/en-us/articles/18584514390932. However, these are not supported and are provided “as-is”. If you have any questions or concerns regarding their validity or suitability for your deployment, please follow up with your RMM or MDM vendor.
Q: Once I deploy the Cisco Secure Client with Umbrella Module, how do I keep it up to date? Will it auto-update?
A: For more information on how to keep Cisco Secure Client and Umbrella Module up to date, please see the below KB article:
Keeping the Cisco Secure Client up to Date