browse
Overview
This article covers how to deploy the Secure Client Umbrella Module if you do not have an automation tool to push the software, example: SCCM, Intune, GPO, etc.
We simplify the deployment using a Windows Shared Folder and running just one script from the PCs that we want to have SC Umbrella installed.
Additionally, we will also install the DART module that is useful when we need to t-shooting a particular issue.
As part of this configuration, we are going to hide the VPN UI; therefore, only the Umbrella module is visible to the user and for simplicity of the deployment, we are also importing the OrgInfo.json file used by the Umbrella module, and importing the Umbrella Root CA Certificate onto the machine, all this by running a .bat script.
Notes:
- To have SC Umbrella Module installed, we need the SC VPN Core to also be installed since every module is Core/VPN-dependent.
- The configuration example here assumes you don't need the VPN UI for the VPN capabilities nor any other .xml profile like the VPN Client Profile.
Pre requisites:
-
- Access to the Umbrella Dashboard.
- Admin rights on the PC you will install this on.
- Access to the Windows Shared Folder from the PC you are installing the SC Umbrella on.
- If possible, restrict admin access to the user to the following path C:\ProgramData\Cisco\Cisco Secure Client, so they cannot remove/edit the profiles.
- Also you can think about restricting access to start/stop/restart services on the PC.
Configuration Steps
1. Start by downloading the Secure Client software from the dashboard.
This file is found once logged in to the dashboard under: "Deployments > Roaming Computers > Roaming Client > Download Cisco Secure Client".
Once downloaded, unzip the file and copy the files (used under step #4):
- cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi
- cisco-secure-client-win-5.0.05040-dart-predeploy-k9.msi
- cisco-secure-client-win-5.0.05040-umbrella-predeploy-k9.msi
2. Download the OrgInfo.json file from the dashboard.
This file is found once logged in to the dashboard under: "Deployments > Roaming Computers > Roaming Client > Download Module Profile".
3. (Optional) In order to install the Umbrella Root CA Certificate as part of the installation script, please download the Root CA from the Umbrella Dashboard under: "Deployments > Root Certificate > Cisco Root Certificate Authority > click on the download icon".
4. Place all the files on the Shared Folder where all the PCs have access to. The files needed in this case are:
- Cisco_Umbrella_Root_CA.cer
- OrgInfo.json
- cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi
- cisco-secure-client-win-5.0.05040-dart-predeploy-k9.msi
- cisco-secure-client-win-5.0.05040-umbrella-predeploy-k9.msi
5. Create your custom .bat script using any of the options described in our documentation. For the purpose of our lab, we are making use of the option "PRE_DEPLOY_DISABLE_VPN=1".
You could also use "ARPSYSTEMCOMPONENT=1 to hide the Secure Client software from the Add/Remove Programs List, and/or the LOCKDOWN=1 to lock down the service".
If you do not want to hide the VPN UI, please ignore the "PRE_DEPLOY_DISABLE_VPN=1" at the end of the first line of the below script.
msiexec /package "\\DC\Shared_Folder\cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.msi" /norestart /quiet PRE_DEPLOY_DISABLE_VPN=1
msiexec /package "\\DC\Shared_Folder\cisco-secure-client-win-5.0.05040-umbrella-predeploy-k9.msi" /norestart /quiet
msiexec /package "\\DC\Shared_Folder\cisco-secure-client-win-5.0.05040-dart-predeploy-k9.msi" /norestart /quiet
copy "\\DC\Shared_Folder\OrgInfo.json" "C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json"
certutil -enterprise -f -v -AddStore "Root" "\\DC\Shared_Folder/Cisco_Umbrella_Root_CA.cer"
Note: Please replace the "\\DC\Shared_Folder\" with your local shared folder path.
6. Deploy/copy the .bat script to the PCs that you want to install the Secure Client Umbrella module on.
7. Proceed on running the script from the client machines, preferably using PowerShell as Admin.
8. Repeat steps #6 and #7 on the PCs you want to Install Umbrella.
Verification
Verify the software has been installed on the PC.
Verify that only the Umbrella module is visible to the user. In case you want the VPN module to also be visible (to use for VPN purposes, please ignore the "PRE_DEPLOY_DISABLE_VPN=1" at the end of the first line of the script under step #5).
Confirm the PC was properly registered to your dashboard.