Note: Cisco announced the End-of-Life of Cisco AnyConnect in 2023. Cisco announced the End-of-Life for Umbrella Roaming Client on April 2, 2024, and the last date of support will be April 2, 2025. Many Cisco Umbrella customers are already benefiting from migrating to Cisco Secure Client, and you are encouraged to begin migration as soon as possible to get a better roaming experience. Read more in this Knowledge Base article: How do I install Cisco Secure Client with the Umbrella Module?
This configuration guide covers the steps to provision the AnyConnect Umbrella Roaming Security Module via Cisco Firewall Management Console (FMC) for versions 6.7 or later.
Pre-requisites
- Access to the Cisco Umbrella Dashboard
- Access to Cisco Firewall Management Console (FMC), version 6.7 or later, as this version adds support for additional AnyConnect modules. For versions earlier than 6.7, FlexConfig can be used to deploy the module; refer to the Cisco documentation for details.
- AnyConnect Umbrella Module Profile (orginfo.json)
- AnyConnect VPN configuration is already complete and functional on the FMC/FTD.
AnyConnect Umbrella module installation/download from the FMC:
Here are the steps to enable the AnyConnect Umbrella module installation/download from the FMC:
- Go to Objects > Object Management:
- Navigate to VPN > AnyConnect File > Add AnyConnect File. Set a name for the profile (locally significant).
- Browse for the JSON downloaded from your Cisco Umbrella dashboard.
- Under File Type, select "Umbrella Roaming Security Profile," and then Save.
- Once there, select Group Policy, then select the group policy that you’re using to deploy Umbrella ("Umbrella_GP" in this case):
- Select AnyConnect > Client Modules > Add Client Module.
- Under Client Module, select the Umbrella Roaming Client, and then, under Profile to download, select the profile we defined under step #2.
- Ensure that the “Enabled module download” option is selected so that users connecting via AnyConnect will automatically download the Umbrella JSON profile.
(OPTIONAL) VPN local authentication (FMC 7.0 or later required)
If you want to test a separate profile with Local Authentication on the FMC/FTD, you can follow these steps (FMC 7.0 or later is required):
- Create a local realm.
- Local usernames and passwords are stored in local realms.
- When you create a realm (System > Integration > Realms) and select the new LOCAL realm type, the system prompts you to add one or more local users.
- Configure RA VPN to use local authentication.
- Create or edit an RA VPN policy (Devices > VPN > Remote Access), create a connection profile within that policy, and then specify LOCAL as the primary, secondary, or fallback authentication server in that connection profile.
- Associate the local realm you created with an RA VPN policy.
- In the RA VPN policy editor, use the new Local Realm setting. Every connection profile in the RA VPN policy that uses local authentication will use the local realm you specify here.
Additional information
Cisco Firepower Release Notes, Version 7.0.x