VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 4.7
Client Update



Client Update


Updating VPN Client software in an environment with a large number of devices in different locations can be a formidable task. For this reason, the VPN 3000 Concentrator includes a client update feature that simplifies the software update process. This feature works differently for VPN software clients and VPN 3002 Hardware Clients.

VPN Software Clients

The client update feature lets administrators at a central location automatically notify VPN Client users when it is time to update the VPN Client software.

When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN Client users about acceptable versions of executable system software. The message includes a location that contains the new version of software for the VPN Client to download. The administrator for that VPN Client can then retrieve the new software version, and update the VPN Client software.

You configure parameters that specify the acceptable versions of software and their locations. Updates are supported per group. This means that all members of a group can obtain the same updates from the same server at approximately the same time.

VPN 3002 Hardware Clients

The client update feature lets administrators at a central location automatically update software/firmware for VPN 3002 Hardware Clients deployed in diverse locations.

When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN 3002 hardware clients about acceptable versions of executable system software and their locations. If the VPN 3002 is not running an acceptable version, its software is automatically updated via TFTP.

To use client update, you need to have a TFTP server that can handle the volume and frequency of updates that your network requires. We recommend that you locate this server inside your network. The client update facility sends notify messages to VPN 3002s in batches of 10 at 5-minute intervals.

You configure parameters that specify the acceptable versions of software and their locations. Updates are supported per group. This means that all members of a group can obtain the same updates from the same server at approximately the same time.

The VPN 3002 logs event messages at the start of the update. When the update completes, the Hardware Client reboots automatically.


Note: The VPN 3002 stores image files in two locations: the active location, which stores the image currently running on the system; and the backup location. Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot. The client update process includes a test to validate the updated image. In the unlikely event that a client update is unsuccessful, the client does not reboot, and the invalid image does not become active. The update facility retries up to twenty times at 3-minute intervals. If an update is unsuccessful, the log files contain information indicating TFTP failures.


Configuration | System | Client Update

This section of the VPN 3000 Concentrator Manager lets you configure the client update feature.

Enable: Enables or disables client update.

Entries: Configures updates by client type, acceptable firmware and software versions, and their locations.

Figure 11-1 Configuration | System | Client Update Screen

Enable

This screen lets you disable or enable client update.

Figure 11-2 Configuration | System | Client Update | Enable Screen

Uncheck or check the Enable check box to disable or enable client update (by default, client update is enabled).

Entries

This screen lets you add, modify, or delete client update entries.

Figure 11-3 Configuration | System | Client Update | Entries Screen

Screen Elements

Update Entry — This list shows the configured client update entries. Each entry shows the platform and acceptable software/firmware versions. If no updates have been configured, the list shows --Empty--.

Add — Click to configure and add a new client update entry. The Manager opens the System | Client Update | Entries | Add or Modify screen.

Modify — To modify parameters for a client update entry that has been configured, select the entry from the list and click Modify. The Manager opens the System | Client Update | Entries | Add or Modify screen.

Delete — To remove a client update entry that has been configured, select the entry from the list and click Delete.


Note: There is no confirmation or undo.


The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

After you apply changes, the Manager returns to the Configuration | System | Client Update screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Entries | Add or Modify

These screens let you configure and change client update parameters.

Figure 11-4 Configuration | System | Client Update | Entries | Add or Modify Screens

Screen Elements

Client Type — Enter the client type you want to update. For the VPN Client, enter the Windows operating systems to notify. The entry must be exact, including case and spacing:

Windows includes all Windows-based platforms.

Win9X includes Windows 95, Windows 98, and Windows ME platforms.

WinNT includes Windows NT 4.0, Windows 2000, and Windows XP platforms.

For the VPN 3002 Hardware Client, enter vpn3002 (matching case and spacing).


Note: The VPN Concentrator sends a separate notification message for each entry in a Client Update list. Therefore your client update entries must not overlap. For example, the value Windows includes all Windows platforms, and the value WinNT includes Windows NT 4.0, Windows 2000 and Windows XP platforms. So you would not include both the values Windows and WinNT.


URL — Enter the URL for the software/firmware image. This URL must point to a file appropriate for this client.

For the VPN Client: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for http or 443 for https.

For the VPN 3002 Hardware Client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin

The directory is optional.

Revisions — Enter a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

The revision list must include the software version for this update.

Your entries must match exactly those on the URL for the VPN Client, or the TFTP server for the VPN 3002.

The URL above must point to one of the images you enter.

If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.

A VPN Client user must download an appropriate software version from the listed URL.

The VPN 3002 Hardware Client software is automatically updated via TFTP.

Add or Apply / Cancel — To add this client update entry to the list of configured update entries, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the System | Client Update | Entries screen. Any new entry appears at the bottom of the Update Entries list. To discard your entries, click Cancel.

Reminder:

After you apply changes, the Manager returns to the System | Client Update | Entries screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.


Tip: For more information about VPN Client updates, specifically the VPN Client Launch button, refer to the VPN Client Administrator Guide.
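
The Client Type, URL and Revisions rules above can be checked before entries are typed into the Manager. The following Python sketch is an added example, not Cisco code or part of the VPN Concentrator. The function names and the sample revision strings are constructed for illustration, and the test that a URL "points to one of the images" is assumed to be a substring match of a revision against the filename.

```python
from urllib.parse import urlsplit

# Client types and the platforms each one covers, as listed on this page.
COVERS = {
    "Windows": {"Win9X", "WinNT"},   # "Windows" includes every Windows platform
    "Win9X": {"Win9X"},
    "WinNT": {"WinNT"},
    "vpn3002": {"vpn3002"},
}
SCHEMES = {"vpn3002": {"tftp"}}          # hardware client updates over TFTP
SOFTWARE_SCHEMES = {"http", "https"}     # needed for the Launch button


def check_entry(client_type, url, revisions):
    """Return a list of problems with one client update entry."""
    problems = []
    if client_type not in COVERS:        # exact match, including case and spacing
        return [f"unknown client type {client_type!r}"]
    parts = urlsplit(url)
    allowed = SCHEMES.get(client_type, SOFTWARE_SCHEMES)
    if parts.scheme not in allowed or not parts.hostname:
        problems.append(f"URL must be {'/'.join(sorted(allowed))}://server_address/...")
    revs = [r.strip() for r in revisions.split(",") if r.strip()]
    if not revs:
        problems.append("revision list is empty")
    filename = parts.path.rsplit("/", 1)[-1]
    # Assumption: "points to one of the images" is tested as a substring match.
    if revs and not any(r in filename for r in revs):
        problems.append("URL does not point to an image in the revision list")
    return problems


def overlapping(client_types):
    """Return pairs of entries that would notify the same platform twice."""
    known = [c for c in client_types if c in COVERS]
    return [(a, b) for i, a in enumerate(known) for b in known[i + 1:]
            if COVERS[a] & COVERS[b]]


def needs_update(running_version, revisions):
    """A client needs an update only if its version is not on the list."""
    return running_version not in [r.strip() for r in revisions.split(",")]


if __name__ == "__main__":
    # Constructed sample entry; the revision string is illustrative.
    print(check_entry("vpn3002", "tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin", "3.5.Rel"))
    print(overlapping(["Windows", "WinNT"]))
```
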