AnyConnect Deployment Overview
Deploying AnyConnect refers to installing, configuring, and upgrading the AnyConnect client and its related files.
The Cisco AnyConnect Secure Mobility Client can be deployed to remote users by the following methods:
- Predeploy—New installations and upgrades are done either by the end user, or by using an enterprise software management system (SMS).
- Web Deploy—The AnyConnect package is loaded on the headend, which is either an ASA or FTD firewall, or an ISE server. When the user connects to a firewall or to ISE, AnyConnect is deployed to the client.
  - For new installations, the user connects to a headend to download the AnyConnect client. The client is either installed manually or automatically (web-launch).
  - Updates are done by AnyConnect running on a system where AnyConnect is already installed, or by directing the user to the ASA clientless portal.
When you deploy AnyConnect, you can include optional modules that enable extra features, and client profiles that configure the VPN and optional features.
Refer to the AnyConnect release notes for system, management, and endpoint requirements for ASA, IOS, Microsoft Windows, Linux, and macOS.
Note: Some third-party applications and operating systems may restrict the ISE posture agent and other processes from necessary file access and privilege elevation. Make sure the AnyConnect installation directory (C:\Program Files (x86)\Cisco for Windows or /opt/cisco for macOS) is trusted and/or in the allowed/exclusion/trusted lists for endpoint antivirus, antimalware, antispyware, data loss prevention, privilege manager, or group policy objects.
Decide How to Install AnyConnect
AnyConnect can be web deployed by ISE 2.0 (or later) and ASA headends, or it can be predeployed. Installing AnyConnect for the first time requires administrative privileges.
To upgrade AnyConnect or install additional modules using web deploy (from ASA/ISE/Umbrella cloud with Downloader), you do not need administrative privileges.
- Web Deploying from an ASA or FTD device—User connects to the AnyConnect clientless portal on the headend device, and selects to download AnyConnect. The ASA downloads the AnyConnect Downloader. The AnyConnect Downloader downloads the client, installs the client, and starts a VPN connection.
- Web Deploying from ISE—User connects to the Network Access Device (NAD), such as an ASA, wireless controller, or switch. The NAD authorizes the user, and redirects the user to the ISE portal. The AnyConnect Downloader is installed on the client to manage the package extraction and installation, but does not start a VPN connection.
To upgrade AnyConnect or install additional modules using predeploy (out of band deployment, either manually or using SCCM and so on), you need administrative privileges.
- Using an Enterprise software management system (SMS).
- Manually distributing an AnyConnect file archive, with instructions for the user about how to install. File archive formats are ISO for Windows, DMG for macOS, and gzip for Linux.
For system requirements and licensing dependencies, refer to the AnyConnect Secure Mobility Client Features, License, and OS Guide.
Note: If you are using AnyConnect Posture (HostScan) to perform root privilege activities on a macOS or Linux platform, we recommend that you predeploy AnyConnect Posture.
Determine The Resources You Need to Install AnyConnect
Several types of files make up an AnyConnect deployment:
- AnyConnect core client, which is included in the AnyConnect package.
- Modules that support extra features, which are included in the AnyConnect package.
- Client profiles that configure AnyConnect and the extra features, which you create.
- Language files, images, scripts, and help files, if you wish to customize or localize your deployment.
- AnyConnect ISE Posture, and the compliance module (OPSWAT).