Configuring Client Update for Windows and VPN 3002 Clients
ASDM encompasses two kinds of client update: one that supports Windows clients and VPN 3002 hardware clients through a tunnel group, and the other that supports ASA devices acting as an auto-update server. This chapter describes how to configure the tunnel-group client-update function for Windows clients and VPN 3002 hardware clients.
The client update feature lets administrators at a central location automatically notify VPN client users that it is time to update the VPN client software and the VPN 3002 hardware client image. If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update. This procedure applies only to the IPSec remote-access tunnel-group type.
Remote users might be using outdated VPN software or hardware client versions. You can perform a client update at any time to do the following:
• Enable updating client revisions
• Specify the types and revision numbers of clients to which the update applies
• Provide a URL or IP address from which to get the update
• Optionally notify Windows client users that they should update their VPN client version
• For Windows clients, you can provide a mechanism for users to accomplish the update.
• For VPN 3002 hardware client users, the update occurs automatically, with no notification.
To configure a client-update, perform the following steps.
Step 1 Go to the client update window by choosing the path Configuration > VPN > General > Client Update. The Client Update window opens (Figure 4-1).
Figure 4-1 Client Update Window
Step 2 Enable client update by checking the Enable Client Update check box.
Step 3 Select the type of client for which you want to apply the client update. The available client types are All Windows-Based, Windows 95, 98 or ME, Windows NT 4.0, 2000 or XP, and VPN 3002 Hardware Client.
If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update. You can specify up to three of these client update entries. The All Windows-Based selection covers all of the allowable Windows platforms. If you select this, do not specify the individual Windows client types.
Step 4 To specify the acceptable client revisions and the source for the updated software or firmware image for the client update, click Edit. The Edit Client Update Entry window (Figure 4-2) appears, showing the client type selection.
Figure 4-2 Edit Client Update Entry Window
Step 5 Specify the client update that you want to apply to all clients of the selected type across the entire security appliance. That is, specify the type of client, the URL or IP address from which to get the updated image, and the acceptable revision number or numbers for that client. You can specify up to four revision numbers, separated by commas. Your entries appear in the appropriate columns of the table on the Client Upgrade window after you click OK.
If the user's client revision number matches one of the specified revision numbers, there is no need to update the client.
Note For all Windows clients, you must use the protocol http:// or https:// as the prefix for the URL. For the VPN 3002 hardware client, you must specify protocol tftp:// instead.
Figure 4-3 shows an example that initiates a client update for all Windows clients for a remote-access tunnel-group running revisions older than 4.6.1 and specifies the URL for retrieving the update as https://support/updates:
Figure 4-3 Edit Client Update Entry Example
Alternatively, you can configure client update just for individual client types, rather than for all Windows clients. (See Step 3.)
VPN 3002 clients update without user intervention and users receive no notification message.
You can have the browser automatically start an application by including the application name at the end of the URL; for example: https://support/updates/vpnclient.exe.
Step 6 Optionally, you can send a notice to active users with outdated Windows clients that their client needs updating. To send this notice, use the Live Client Update area of the Client Update window. Select the tunnel group (or All) and click Update Now. A dialog box appears (Figure 4-4), asking you to confirm that you want to notify connected clients about the upgrade.
Figure 4-4 Confirm Update Clients Dialog Box
The designated users see a pop-up window, offering them the opportunity to launch a browser and download the updated software from the site that you specified in the URL. The only part of this message that you can configure is the URL. (See Step 2 or 3.) Users who are not active get a notification message the next time they log on. You can send this notice to all active clients on all tunnel groups, or you can send it to clients on a particular tunnel group.
If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and no notification message is sent to the user. VPN 3002 clients update without user intervention and users receive no notification message.
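The constraints in Steps 3 through 5 can be checked before the entries are typed into ASDM. The following is an added example, not Cisco code: a small Python linter for a planned set of client update entries, plus the revision-list check the page describes. The function names, the sample plan, and the warning about http:// are assumptions of this example.

```python
from urllib.parse import urlparse

# Client type labels as they appear in Step 3 of the procedure.
WINDOWS_TYPES = {"All Windows-Based", "Windows 95, 98 or ME", "Windows NT 4.0, 2000 or XP"}
HARDWARE_TYPE = "VPN 3002 Hardware Client"
MAX_ENTRIES, MAX_REVISIONS = 3, 4  # limits stated in Steps 3 and 5


def parse_revisions(field):
    """Split the comma-separated revision field into trimmed strings."""
    return [r.strip() for r in field.split(",") if r.strip()]


def lint_entries(entries):
    """Return (errors, warnings) for a list of (client_type, url, revisions)."""
    errors, warnings = [], []
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries; at most {MAX_ENTRIES} allowed")
    types = {t for t, _, _ in entries}
    if "All Windows-Based" in types and len(WINDOWS_TYPES & types) > 1:
        errors.append("All Windows-Based combined with an individual Windows type")
    for ctype, url, revs in entries:
        scheme = urlparse(url).scheme.lower()
        if ctype in WINDOWS_TYPES:
            if scheme not in ("http", "https"):
                errors.append(f"{ctype}: URL must start with http:// or https://")
            elif scheme == "http":
                # Added hardening check: the page permits http://, but the
                # installer is then fetched over an unencrypted channel.
                warnings.append(f"{ctype}: http:// is unencrypted; prefer https://")
        elif ctype == HARDWARE_TYPE:
            if scheme != "tftp":
                errors.append(f"{ctype}: URL must start with tftp://")
        else:
            errors.append(f"unknown client type: {ctype}")
        count = len(parse_revisions(revs))
        if count > MAX_REVISIONS:
            errors.append(f"{ctype}: {count} revisions; at most {MAX_REVISIONS} allowed")
    return errors, warnings


def needs_update(client_revision, revisions):
    """A client updates only if its revision is not on the acceptable list."""
    return client_revision.strip() not in parse_revisions(revisions)


if __name__ == "__main__":
    # Constructed sample plan; URLs and revision numbers are illustrative.
    plan = [("All Windows-Based", "https://support/updates", "4.6.1"),
            ("VPN 3002 Hardware Client", "http://support/vpn3002.bin", "4.7, 4.7.1")]
    print(lint_entries(plan))
    print(needs_update("4.6.0", "4.6.1"))
```

Because the rule as the page states it is list membership, `needs_update` also returns True for a revision that is absent from the list but newer than every listed one, so the list should include every revision you consider acceptable.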