Problem
After installing AnyConnect 4.8.x with the Umbrella Roaming Security module, endpoints belonging to customers with Umbrella SIG Essentials, the SIG add-on, or an ELA that includes SIG start forwarding web traffic to Umbrella SWG, with no clear way to disable this behavior.
AnyConnect 4.8 MR1 was the first release to support Umbrella SWG from the endpoint, but rather than the SWG Agent having its own binary to install from, it was bundled with the same binary that installs Umbrella Roaming Security Agent.
Currently the SWG Agent can be controlled from the Umbrella dashboard, but this is a global setting that affects all endpoint installs. SWG selective sync can now be completed in the dashboard, 100 at a time.
Solution
There are two methods available for managing the SWG Agent on Windows: GPO or script. Note that you will need to have the SWG AnyConnect Agent globally enabled first in the dashboard. The instructions below are for creating a GPO to disable or re-enable SWG Agent for managed Windows computers. Additionally, the Cisco Umbrella team has developed two scripts, one to disable SWG Agent and one to re-enable SWG Agent, which make the state persistent and may be used if GPO is not preferred.
Controlling AnyConnect SWG Agent in Windows Managed Environments (GPO)
Disable SWG Agent via GPO
- From a Windows Domain Controller open Group Policy Management.
- Expand the domain container and right-click the Group Policy Objects folder > select New.
- Navigate down through Computer configuration > Preferences > Control Panel Settings > right-click on Services and select New > Service.
- Configure the New Service Properties as follows:
  - Startup = Disabled
  - Service name = acswgagent
  - Service action = Stop service
  - Log on as = Local System account
Re-enable SWG Agent via GPO
- Edit the above GPO or perform steps 1-3, then configure the Service Parameters as follows:
  - Startup = Manual
  - Service name = acswgagent
  - Service action = Start service
  - Log on as = Local System account
Controlling AnyConnect SWG Agent Using Script
The scripts (attached at the bottom of the article) will need to be executed as Administrator. Depending on how Windows security is configured, if these scripts are pushed from a GPO, even if the local user is a member of the local Administrators group, the scripts may need to be run as a STARTUP script to run in the context of the local SYSTEM account.
If you are using the scripts to manage the SWG agent, no reboot should be required. However, when executing the enable script from a previously disabled state, the username may not be reported by AnyConnect. Restarting the Umbrella Roaming Security Agent (ACUMBRELLAGENT) service or rebooting will remedy this. This issue should be resolved in AnyConnect 4.9. Note that upgrading or re-installing AnyConnect will re-enable the SWG Agent.
Checking the Status of the AnyConnect SWG Agent
To ensure that the status of your AnyConnect SWG Agent is correct:
- Open the Cisco AnyConnect Secure Mobility Client
- Click on "Settings"
- Scroll down to see "Web Protection Status"
EFT for SWG Device Settings API
The curl I used for a single machine:
curl --location 'https://api.umbrella.com/deployments/v2/deviceSettings/SWGEnabled/set' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <your-token-here>' \
--data '{
"value": "0",
"originIds": [ 123456789 ]
}'
Using a file with multiple machines:
curl --location 'https://api.umbrella.com/deployments/v2/deviceSettings/SWGEnabled/set' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <your-token-here>' \
--data '@your-path/swg-stat.json'
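The article does not show what the file passed to curl should contain. The following is an added example, not part of the Cisco article or its attached scripts: a small POSIX shell script that builds the JSON body in the same shape as the single-machine request above (a "value" string plus an "originIds" integer array) for any number of devices, validates the inputs, writes it to a file, and submits it with curl reading the body from that file. The origin IDs are constructed placeholders, the token is assumed to be in the UMBRELLA_TOKEN environment variable, and the value "1" for re-enabling SWG is an assumption (the article only shows "0" for disabling).

```shell
#!/bin/sh
# Added example (not from the Cisco article): prepare and submit the body for
# deployments/v2/deviceSettings/SWGEnabled/set for several devices at once.
# Assumptions: UMBRELLA_TOKEN holds a valid API token; the origin IDs used in
# the usage section are constructed placeholders, not real devices; value "1"
# is assumed to re-enable SWG (the article only shows "0" for disabling).

API_URL='https://api.umbrella.com/deployments/v2/deviceSettings/SWGEnabled/set'

# build_swg_body VALUE ID... -> prints {"value":"VALUE","originIds":[ID,...]}
# VALUE must be "0" (disable SWG Agent) or "1" (enable); each ID must be a
# positive integer. Returns non-zero on bad input so nothing malformed is sent.
build_swg_body() {
  value="$1"; shift
  case "$value" in
    0|1) ;;
    *) echo "value must be 0 or 1, got: $value" >&2; return 1 ;;
  esac
  [ "$#" -gt 0 ] || { echo "at least one originId is required" >&2; return 1; }
  ids=''
  for id in "$@"; do
    case "$id" in
      ''|*[!0-9]*) echo "invalid originId (digits only): $id" >&2; return 1 ;;
    esac
    # Append with a comma separator once the list is non-empty.
    ids="${ids:+$ids,}$id"
  done
  printf '{"value":"%s","originIds":[%s]}\n' "$value" "$ids"
}

# submit_swg_body FILE -> POST the prepared JSON file; prints the HTTP status.
# The "@" prefix tells curl to read the request body from the file rather than
# sending the file name as a literal string.
submit_swg_body() {
  curl --silent --output /dev/null --write-out '%{http_code}\n' \
    --location "$API_URL" \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header "Authorization: Bearer ${UMBRELLA_TOKEN:?set UMBRELLA_TOKEN first}" \
    --data "@$1"
}

# Usage (only when invoked with --run): disable SWG Agent on three constructed
# placeholder origin IDs, then submit the file.
if [ "${1:-}" = "--run" ]; then
  build_swg_body 0 123456789 123456790 123456791 > swg-stat.json
  submit_swg_body swg-stat.json
fi
```

Run it as `UMBRELLA_TOKEN=... sh swg-set.sh --run`; an HTTP 200 indicates the override was accepted. The resulting change is global for the listed devices, so keep the generated swg-stat.json with the change record for the affected endpoints.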
More information can be found on our official developer documentation: Set Secure Web Gateway Override Setting for Devices