Posted on 12-04-2018 11:40 AM
We are currently using Cisco AnyConnect v4.5 to connect to our Cisco VPN. Prior to the connection we have internet access; once connected to the VPN, the ASA pushes a blank configuration, wiping the proxy settings. We have already engaged Cisco and there is no fix from their end. Because AnyConnect is not listed as an adapter, we cannot set a proxy configuration for it. If anyone has come across something like this and has found a solution, I would love to hear what you did. This is causing massive issues with deploying JAMF to our clients.
Posted on 02-19-2020 06:48 AM
We are having the exact same issue. Did you ever find a solution?
Posted on 02-26-2020 12:48 PM
Never got a solution other than a back and forth between Cisco and Apple. Both say it is the other one's issue.
Posted on 02-26-2020 04:01 PM
AnyConnect 4.5 is a 32-bit app (or has mostly 32-bit components) and is not recommended anymore.
Even 4.6 and 4.7 use 32-bit hostscan binaries. 4.8 is all 64-bit.
Can you use the newer versions?
Posted on 03-02-2020 06:57 AM
So, I figured it out. It's one of those if-you-use-this-specific-setup-it-won't-work kind of deals. When the user connects to VPN, web traffic should go to the PAC file URL defined in System Preferences, but it does not. It appears that there is some kind of "PAC file cache" that gets refreshed when there is a change to a network adapter. Since AnyConnect does not use a network adapter, the refresh doesn't take place. So what I have done is place a simple "OnConnect" shell script in the /opt/cisco/anyconnect/script folder that runs after the user connects. It bounces the network interfaces, which refreshes the PAC file info, and everything works correctly.
Posted on 04-01-2020 01:49 PM
@beejybone Can you share that script?
Posted on 04-01-2020 02:52 PM
For this to work you have to follow AnyConnect's script rules. It has to be named OnConnect.sh (case-sensitive), has to be executable, and has to be in /opt/cisco/anyconnect/script. I believe you can also have the ASA distribute it, but I didn't have access to those boxes. There is also a 45 second delay to let the compliance module finish its process. If you don't use the compliance module you could probably remove that line.
#!/bin/sh
# /opt/cisco/anyconnect/script/OnConnect.sh (must be executable)
# Wait for the compliance module to finish; remove this line if you don't use it.
sleep 45
# Skip the header line that networksetup prints, then toggle automatic proxy
# configuration off and on for every service that has a PAC URL enabled.
# Disabled services are listed with a leading "*" and are skipped naturally.
networksetup -listallnetworkservices | awk 'NR>1' | while read SERVICE ; do
    if networksetup -getautoproxyurl "$SERVICE" | grep '^Enabled: Yes' >/dev/null; then
        networksetup -setautoproxystate "$SERVICE" off
        networksetup -setautoproxystate "$SERVICE" on
        echo "$SERVICE" bounced.
    fi
done
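An added deployment check, not part of this thread or of AnyConnect, that verifies the three rules the post names (exact case-sensitive name, executable bit, correct directory) before relying on the script. The directory is a parameter so it can be run against a test location; the grep for setautoproxystate and the Jamf Extension Attribute style output are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify an AnyConnect OnConnect.sh deployment.
# Path from the thread; AnyConnect only runs scripts from this directory.
ANYCONNECT_SCRIPT_DIR="/opt/cisco/anyconnect/script"

# check_onconnect_script DIR
# Prints "compliant" or a list of problems; returns 0 only when compliant.
check_onconnect_script() {
    dir="$1"
    script="$dir/OnConnect.sh"
    problems=""
    if [ ! -d "$dir" ]; then
        echo "script directory missing: $dir"
        return 1
    fi
    # Catch files that differ only in case (onconnect.sh, OnConnect.SH ...):
    # AnyConnect treats the name as case-sensitive, so these never run.
    found=$(find "$dir" -maxdepth 1 -iname 'onconnect.sh' ! -name 'OnConnect.sh' 2>/dev/null)
    [ -n "$found" ] && problems="$problems wrong-case name: $(basename "$found");"
    if [ ! -f "$script" ]; then
        problems="$problems OnConnect.sh not present;"
    else
        [ -x "$script" ] || problems="$problems OnConnect.sh not executable;"
        # Assumption: the script is the proxy-bounce from the thread, so it
        # should toggle the auto proxy state; flag anything that does not.
        grep -q 'setautoproxystate' "$script" || problems="$problems does not toggle auto-proxy state;"
    fi
    if [ -z "$problems" ]; then
        echo "compliant"
        return 0
    fi
    echo "${problems# }"
    return 1
}

# Report in Jamf Extension Attribute form when run directly on a Mac.
if [ -d "$ANYCONNECT_SCRIPT_DIR" ]; then
    echo "<result>$(check_onconnect_script "$ANYCONNECT_SCRIPT_DIR")</result>"
fi
```

Running it as an Extension Attribute lets you scope a remediation policy to machines where the result is anything other than "compliant".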