Update AnyConnect Software on Computers

SOLVED
mattalley

Hey everyone,

I was wondering how folks were handling updating the AnyConnect software on their endpoints?

I have trained our users to sign in to the VPN at the Windows 10 login screen. I tested updating AnyConnect using our software management tool, and it disconnects the VPN (which I wasn't surprised by).

Is this all I am stuck with to update AnyConnect? Is it to just push it out and maybe tell people ahead of time that their VPN sessions will disconnect and they will have to manually reconnect?

I can use our software management tool to push the update at a specific time of day. I was thinking maybe late in the evening to avoid interruptions?

Thanks for any guidance.

1 ACCEPTED SOLUTION
KarstenI

The easiest (and best 😉 ) way to update AnyConnect is to also have Cisco Umbrella enabled on the client. Not only is the security increased, but AnyConnect can be automatically updated from the cloud. OK, some more coins have to be inserted ...

12 REPLIES 12

CptnCrnch

…but it's well worth it! 👍

We have Cisco Umbrella already, but do not use the agent.

A while back I heard to avoid the agent due to DNS resolution issues frequently happening?

We currently don't use it since I have the endpoints get their DNS while on the VPN from our DNS servers, and our DNS servers are pointed to Umbrella.

I am aware that they only get our Umbrella filtering while on network or connected to the VPN, but we have an antivirus product that has really good web filtering built in as well.

So, my question is, is your experience with the Umbrella agent good?

CptnCrnch

Even better than!

Our own experience with Umbrella's AnyConnect module is really great, and our customers are loving it too. Tunneling everything into your HQ and having a central internet breakout / centralized DNS is clearly on the decline with cloud services, especially ones like Microsoft 365. It really helps you to keep up (or even lift up) your overall security posture.

Having an Auto Update in place is just an added bonus then. 😉

Yeah I think this is something that should be considered on my end then. We really only have a couple things left on prem that we already have plans to migrate to the cloud, so the only thing left on prem would be domain authentication on the computer and DNS.

In the meantime, I think I'll set up a script to update AnyConnect on computers that are running overnight 😕

Thank you!

KarstenI

Same here as @CptnCrnch.  The AC module behaves really well. What we are having is some trouble with the AD-Connector, but I would go for Umbrella with AnyConnect where possible.

PhilipDAth

I didn't realise Umbrella could trigger whole AnyConnect updates. I'll look into that.

Back to the original poster - if this is an AD network, have you considered deploying it via group policy?

I have not considered GPO deployment, as we have other means to deploy software.

My concern was getting AnyConnect updated without interfering with an existing VPN session. Does a GPO deployment offer that?

CptnCrnch

Each way of distributing automatic AnyConnect updates will interfere with existing VPN sessions. The only way to change that would be having the software downloaded and only started without a running VPN session, possibly via scripting.

Yeah, I thought so.

I built a script in our software deployment tool that checks to see if AnyConnect needs to be updated, and then checks to see if it is in the middle of the night.

I think I'll build it out to figure out if the AnyConnect adapter is enabled instead, that way it will update for folks who are in the office, or working from home but happen to not be connected to the VPN.
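
One way to implement the check discussed in the posts above, as an added example that is not part of the original thread or any poster's script. The MSI path, target version, adapter description pattern and expected signer name are assumptions to adjust for your environment; the signature check is an extra safeguard added here, not something the thread mentions.

```powershell
# Added example: install a staged AnyConnect update only when no VPN session is active.
# All values below are placeholders/assumptions, not taken from the thread.
$MsiPath        = 'C:\Deploy\anyconnect-core-vpn.msi'  # hypothetical staging path
$TargetVersion  = [version]'0.0.0'                     # placeholder: version of the staged MSI
$AdapterPattern = '*AnyConnect*'                       # assumed match on InterfaceDescription
$ExpectedSigner = '*Cisco Systems*'                    # assumed signer subject of the MSI

function Test-VpnSessionActive {
    # Assumption: the AnyConnect virtual adapter reports Status 'Up' only while a
    # tunnel is established and is disabled/hidden otherwise.
    $adapters = Get-NetAdapter -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like $AdapterPattern }
    return [bool]($adapters | Where-Object { $_.Status -eq 'Up' })
}

function Get-InstalledAnyConnectVersion {
    # Read the installed version from the standard uninstall registry keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*AnyConnect Secure Mobility Client*' } |
        Select-Object -First 1
    if ($entry) { [version]$entry.DisplayVersion } else { $null }
}

$installed = Get-InstalledAnyConnectVersion
if ($installed -and $installed -ge $TargetVersion) {
    Write-Output "AnyConnect $installed is already current."
    exit 0
}

if (Test-VpnSessionActive) {
    # Distinct exit code so the deployment tool can retry on its next cycle.
    Write-Output 'VPN session active; deferring update.'
    exit 2
}

# Refuse to run a package that is unsigned, tampered with, or signed by someone else.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
    Write-Error "Refusing to install: signature status '$($sig.Status)'."
    exit 1
}

$proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
    -ArgumentList "/i `"$MsiPath`" /qn /norestart"
exit $proc.ExitCode
```

A user can still connect between the adapter check and the install, so the check narrows the window for an interrupted session rather than closing it.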

KarstenI

That is also easy with the cloud-update. It only runs while the VPN is not connected.

PhilipDAth

I don't know.  I have not tested that scenario.
