Overview
This configuration guide covers the steps to provision the AnyConnect Umbrella Roaming Security Module via FMC for versions 6.7 or later.
Pre-requisites
- Access to Umbrella Dashboard
- Access to Cisco Firewall Management Console (FMC), version 6.7 or later, as this version adds support for additional AnyConnect modules. For versions prior to 6.7, FlexConfig can be used to deploy the module; you can refer to this document for details.
- AnyConnect Umbrella Module Profile (orginfo.json)
- AnyConnect VPN configuration is already complete and functional on the FMC/FTD.
AnyConnect Umbrella module installation/download from the FMC
Here are the steps to enable the AnyConnect Umbrella module installation/download from the FMC:
- Go to Objects > Object Management:
- Once there, click under VPN > AnyConnect File > Add AnyConnect File. Set a name for the profile (locally significant), browse for the JSON file (orginfo.json) downloaded from your Umbrella dashboard, under File Type select Umbrella Roaming Security Profile, and click on Save.
- Once there, click under Group Policy. Select the GP you’re using to deploy Umbrella (Umbrella_GP in my case):
- Lastly, click under AnyConnect > Client Modules > Add. Under Client Module, select the Umbrella Roaming Client, and under Profile to download, select the profile we defined in step #2. Make sure the “Enabled module download” option is selected, so users connecting via AnyConnect will automatically download the Umbrella JSON profile.
(OPTIONAL) VPN local authentication (FMC 7.0 or later required)
If you want to test a separate profile with Local Authentication on the FMC/FTD, you can follow these steps (FMC 7.0 or later is required):
- Create a local realm.
Local usernames and passwords are stored in local realms. When you create a realm (System > Integration > Realms) and select the new LOCAL realm type, the system prompts you to add one or more local users.
- Configure RA VPN to use local authentication.
Create or edit an RA VPN policy (Devices > VPN > Remote Access), create a connection profile within that policy, then specify LOCAL as the primary, secondary, or fallback authentication server in that connection profile.
- Associate the local realm you created with an RA VPN policy.
In the RA VPN policy editor, use the new Local Realm setting. Every connection profile in the RA VPN policy that uses local authentication will use the local realm you specify here.