Is there any way to update the Cisco AnyConnect Client and Cisco Umbrella for AnyConnect module on a computer that is working from home without disrupting their connection to the company?
I have a test laptop at home alongside my production laptop. I tried pushing it out with psexec for example (a silent install) and what happened is once the installer kicked off it disconnected from the vpn, thus losing psexec connection and also connection to the file share where the updated msi files resided. Luckily this was just my test.
How can one upgrade the software silently and discreetly without any interruption to the main user?
You should be able to load headend deployment packages on the VPN itself. At least on an ASA or Firepower running ASA code. The clients install it at connect time.
It is not practical or possible to upgrade or update or patch the AnyConnect client without the user restarting the AnyConnect software and thus having at least one disconnect/connect cycle.
If you are a Cisco Umbrella customer, the Umbrella module for AnyConnect handles this in the best way possible. It auto-updates the whole AnyConnect installation when the VPN is not in use. We use this in combination with updating the AnyConnect package on the head-ends.
This is the way. The next time the user logs in, the AnyConnect client checks if there's an update and then proceeds to upgrade the client.
Yes, let the AnyConnect client update itself off the ASA/FTD.
Does it upgrade silently or is it very Microsoft-ish and force the user to reboot and sign in yet again?
This doesn’t stop the connection dropping though. To install the new client the connection has to drop.
But can it put it on there and just not be effective until next boot? Like we can say “at the end of the work day today make sure you shut down or reboot.” On the day it’s deployed.
If the user keeps on top of it.
But this will still drop the active connection.
Reboot is needed at least with HostScan & SBL components, as they hook into low-level Windows APIs which are called at boot time. Other non-Windows platforms I’ve tested do not require a reboot.
It just does the install without user intervention, even if they’re non privileged users. Edit: For us with just AnyConnect + Umbrella, I haven’t seen a required reboot yet.
Do test it first, as I had clients with a specific version that were failing. I think it was related to how AnyConnect was pushed out with SCCM. This was the fix there: https://it.engr.ncsu.edu/help/kb/cisco-anyconnect-error-the-file-manifest-tool-exe-is-not-marked-for-installation/
As others have mentioned, it depends. But I can share my experience of updating the client from the headend in an environment with 700+ daily active users throughout the pandemic, who are from 70+ organizations that manage their own users' devices. We really have not run into issues, to be honest, at least not ones that have been reported to us. We manage a service for our clients that we host in our datacenter, and we also offer AnyConnect to our clients, which then allows their remote users to access their own internal networks. Patching the AnyConnect client has largely been issue-free by just updating the version that the ASAv headend pushes out.
There is no reboot but the connection must abort, I forget the code.
True. I think I have a 16 hour timeout set on ours anyways, to force a reconnect daily.
To proactively deploy the client to workstations you'd have to use your organization's SCCM or package management software. If you put the new version on the VPN endpoints it will download and install the next time the user connects.
We just did this – we put out an IT bulletin that the next time they connected after a given date/time, they would be automatically upgraded, and to make sure they had saved open documents etc. in case a reboot was needed… no one complained. You can upload the new webdeploy packages into flash, but it doesn't take effect until you configure the software to specify the new version.
Throw the headend package on your firewall and the user will be prompted to upgrade at next connection. It will not drop someone who is currently connected. It doesn't matter if they are connected for an hour or a week; on the next connection attempt they will be fed the new client.
Right, but he's saying his install job fails because of it. An AnyConnect install won't break it, because it only does it at connection time.
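The headend deployment several replies describe (upload the webdeploy package to flash, then point the ASA at the new version so clients upgrade on their next connection), written out as an added ASA 9.x CLI example that is not from the thread; the package filename, FTP server, and group-policy name are placeholders, and the 960-minute session timeout corresponds to the 16-hour daily reconnect mentioned above:

```cisco
! Added example, not from the original thread. ASA 9.x syntax.
! <VERSION>, <FTP-SERVER> and <GP-NAME> are placeholders.

! 1. Copy the webdeploy package into flash (does not affect current sessions).
copy ftp://<FTP-SERVER>/anyconnect-win-<VERSION>-webdeploy-k9.pkg disk0:/anyconnect-win-<VERSION>-webdeploy-k9.pkg

! 2. Activate the new image. Only after this line do connecting clients
!    receive the new version; users already connected keep their session
!    and are upgraded on their next connection attempt.
webvpn
 anyconnect image disk0:/anyconnect-win-<VERSION>-webdeploy-k9.pkg 1
 anyconnect enable

! 3. Optional: bound session length so every user reconnects (and therefore
!    upgrades) within a day. Value is in minutes; 960 = 16 hours.
group-policy <GP-NAME> attributes
 vpn-session-timeout 960

! 4. Verify which package the headend is now serving.
show webvpn anyconnect
```

Stage the package during a maintenance window and announce the date, as the bulletin reply above did, so users expect the one disconnect/reconnect cycle on their next login.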