Last year AnyConnect went through an interesting transformation: its name changed to Secure Client, and it looks like Cisco realized that the amount of information that can be collected from it and other services makes it a good data mine for security context and information.
But what is the buzz about? What changed?
A few interesting things changed, and one of the most important was the way to deploy it or roll it out to an environment.
As in the image, the look also changed, but I really don’t care too much about it – it still looks cool.
What you see in the image is just a quick representation of the things that you deploy on top of your Secure Client application. I think this is especially good since it integrates with 2 big ones that I believe are also very important. I’m referring to the Umbrella Module and the Secure Endpoint Module.
- AnyConnect VPN (Core): VPN connectivity, nothing new here; this is the core of the application
- Network Access Manager (NAM): This is still here. I’m not a fan, but be aware of some of the caveats in the release notes
- ISE Posture: This is one of the ways ISE has to run checks on your computers
- HostScan (aka ASA posture) (No UI): The old HostScan you can use with ASA and Firepower, another way of doing posture
- Secure Endpoint (AMP): AntiMalware Protection, which comes with a few more things that can be configured, like Orbital
- Umbrella Module: Umbrella’s integration for Roaming Clients
- Cloud Management Module (No UI): Now Secure Client can be deployed and somehow managed via Cloud Services, leveraging the Insights section in SecureX
- Network Visibility Module (NVM) (No UI)
How to configure Secure Client in SecureX?
The first step is to create a SecureX account. Once you have created the SecureX account and you are in the dashboard, move to the Insights section.
When you log in for the first time there will not be much information unless Secure Client is already installed and Umbrella and Secure Endpoint (AMP) are already connected to your SecureX portal.
We are going to move now to Deployment Management and check what we can do there. In my case I will create a new installation or deployment:
Notice that you have a few things that may look familiar; we will break them down. So far, it looks like we can create profiles for everything we need running with our Secure Client installation.
This section will be your Cloud Management Profile selection, but what is in there? Let’s check:
Here is where we can configure information that will be used to keep our Secure Client installation updated, which could be a desired end goal for your organization, or in most cases not. For me, I’m ok with breaking things.
But you may want to configure one profile with updates and another one with no updates.
Going back to the Deployment Management section, we can now see that we have a couple of Cloud Management Profiles that we can configure with our deployment.
For the Secure Endpoint section to work, you must have Secure Endpoint (AMP) integrated with SecureX. We will not go over that integration in this post.
Select the version of Secure Endpoint you want to deploy.
Select your Endpoint Instance. This one goes with the Secure Endpoint integration to SecureX.
Last, you will select your deployment Group. This one is tied to your Secure Endpoint subscription and the Deployment Policy options you have.
Going back to Secure Endpoint, I’d like to point out that under my Protect Policy I have Orbital enabled as well, so if everything works as it’s supposed to, we should be able to see Orbital being installed as part of this package.
Now that we have pretty much Cloud Management and Secure Endpoint configured, let’s move to the next section.
For the VPN section, we will have to create a profile if one is needed. Creating a VPN profile has many different options, which, if you notice, match the same settings you can create in the ASA or Firepower. Here is a quick example:
The Umbrella section is going to be very similar to Secure Endpoint, and you must have Umbrella integrated with SecureX. If you are familiar with the Umbrella deployment, you will notice that it requires a JSON file that contains your OrgID as part of the installation. In this case, that file with the right OrgID information will be added as part of the installation. This Umbrella Profile is not configurable from SecureX, but there is really not much to configure on this one.
The ISE Posture section will require you to create a profile, and this profile is the same thing as creating your Agent Profile Configuration at the time of ISE Posture Provisioning.
Network Access Manager
It seems that we can’t create a NAM profile here just yet; rather, we will have to upload one and import its settings. I really don’t play that much with NAM, so I will not pay too much attention to this one for now.
Network Visibility Module
This is where we configure our Flow Collector to send network traffic for analysis.
Now my deployment looks like this:
At this point, we are ready to deploy, and you will be presented with 2 options: a Full installer and a Network installer. Both theoretically do the same thing, but it looks like the Network package is smaller, so my guess is that this package will download the rest itself when installing.
While deploying any of the installers you could receive this message; just click Yes.
At this point we should just wait a few minutes while things are getting installed.
The End Result
This one is from one of the computers I deployed Secure Client on.
What to look forward to?
The Insights section in SecureX provides a lot of good information and context. I will try to explore what we can see from there in upcoming posts.
About the Author:
Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.