Purpose
The VPN module is a required component of the Cisco Secure Client, even if you are not using AnyConnect for VPN access. Umbrella uses shared underlying Secure Client drivers for intercepting and managing DNS traffic.
Even though the Secure Client VPN module must be installed, the VPN functionality itself can be entirely disabled.
Methodology
The VPN functionality can be disabled in two ways:
- During Installation - The module is disabled during installation by using install arguments (Windows) or by modifying the installation package (OSX).
- Post Installation - The module is disabled by deploying a special profile to the endpoint (which can be deployed programmatically).
How to disable the VPN module (During Installation)
Windows
During installation on Windows, use the PRE_DEPLOY_DISABLE_VPN=1 MSI argument to disable the VPN functionality. For more information see Customize Windows Installations of Cisco Secure Client.
OSX
The OSX installation package (.DMG) can be customized with an ACTransforms.xml file which controls the enablement of the VPN functionality. For more information see Customize MacOS installations of Cisco Secure Client.
How to disable the VPN module (Post Installation)
To hide the VPN module, navigate to the following directory*:
C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\ (Windows)
/opt/cisco/secureclient/vpn/profile/ (OSX)
*By default, the ProgramData folder is hidden on Windows. You may have to type this path directly into Windows Explorer.
Copy the following XML into a blank text document and save the file as “VPNDisable_ServiceProfile.xml” within the relevant 'profile' folder above.
<?xml version="1.0" encoding="utf-8"?>
<!--
    Cisco AnyConnect VPN Profile -
    This profile is a sample intended to allow for the disabling of VPN service
    for those installations that do not require VPN support.
-->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <ServiceDisable>true</ServiceDisable>
    </ClientInitialization>
</AnyConnectProfile>
Once the “VPNDisable_ServiceProfile.xml” file is saved within the “Profile” folder, restart the computer. On Windows it's also possible to restart the “Cisco Secure Client – AnyConnect VPN Agent” service from Windows services.
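The post-installation steps above can be scripted. The following is an added example, not Cisco's own tooling: it writes the profile into the folder named on this page and then re-parses the file on disk to confirm that ServiceDisable is set. The function names, the temp-file-and-rename approach and the file mode are assumptions of this example. It needs write access to the profile folder, and the restart described above is still required.

```python
import os
import platform
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Folder paths, file name and XML content are the ones given on this page.
PROFILE_DIRS = {
    "Windows": Path(r"C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile"),
    "Darwin": Path("/opt/cisco/secureclient/vpn/profile"),
}
PROFILE_NAME = "VPNDisable_ServiceProfile.xml"
NS = "http://schemas.xmlsoap.org/encoding/"
PROFILE_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<AnyConnectProfile xmlns="{NS}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="{NS} AnyConnectProfile.xsd">
  <ClientInitialization>
    <ServiceDisable>true</ServiceDisable>
  </ClientInitialization>
</AnyConnectProfile>
"""


def service_disabled(path):
    """True only if the file parses and sets ServiceDisable to 'true'."""
    try:
        root = ET.parse(path).getroot()
    except (OSError, ET.ParseError):
        return False
    node = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}ServiceDisable")
    return (root.tag == f"{{{NS}}}AnyConnectProfile"
            and node is not None and (node.text or "").strip() == "true")


def deploy_profile(profile_dir=None):
    """Write the profile via a temp file and rename, then verify it on disk."""
    profile_dir = Path(profile_dir or PROFILE_DIRS[platform.system()])
    if not profile_dir.is_dir():
        raise FileNotFoundError(f"profile folder not found: {profile_dir}")
    target = profile_dir / PROFILE_NAME
    fd, tmp = tempfile.mkstemp(dir=profile_dir, suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as fh:
            fh.write(PROFILE_XML)
        os.chmod(tmp, 0o644)  # assumption: profile should be world-readable
        os.replace(tmp, target)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return service_disabled(target)
```

Calling deploy_profile() with no argument selects the folder for the current platform; service_disabled() can also be run on its own across a fleet to audit that an existing profile is intact and has not been edited or truncated.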
After restarting you can see the results by launching the Cisco Secure Client GUI application: