Anyconnect

ImAMacGuy
Valued Contributor II

Has anybody had the sheer pleasure of having to deploy Cisco's Anyconnect 2.5+?

dragging the package into casper doesn't seem to work, using composer to capture the install DOES work, however the post process is UGLY...
Currently what I have to do is:
have the app installed via policy (during image process doesn't work)
download the user's certificate from our CA, import to the Keychain
Open the cert and set to always trust
open the CA and set to always trust
close Keychain
try to connect - it will fail with certificate validation failure
Cmd Q out of Anyconnect
Reboot
Sign in again, try to connect - it will fail again with same error
Cmd Q again
Reboot
Sign in again and try to connect and 98% of the time it will work.

We've contacted Cisco - they basically told us that if their PC app works, then the mac app works and they won't help.


myronjoffe
Contributor III

Did you change the package name you got from Cisco at all?
Are you able to install your package manually if you connect to your repository, drag the pkg to your desktop?

MikeF
Contributor II

I am installing 3.0.5080 which is a little later version but I used the same process for 2.5. I have the mpkg and I have a policy set in the JSS to install it. It installs properly, and when the user uses it for the first time to connect to our concentrators, all they have to do is start the app and enter in the site. After they do that, if it is the first time they have to accept a cert, but then it connects and asks for user name and password. We have had some issues on the mac not displaying messages but we did some switching around on our RSA servers to do the authentication. But I have had no problem with the install.

dzmudzki
New Contributor

Same here. No problems using 3.0.5080.

Install the app through a policy. We are using the original package from Cisco (vpn.pkg)
Run AnyConnect. Type in the server address.
Accept Cert.
Provide login details.
Connection successful.

Sonic84
Contributor III

Hello, thought I'd throw in my 2 cents.

I haven't dealt with AnyConnect 2.5, but I have had to deal with AC 3.0.0629, 3.0.5080, and now 3.0.07059. It's important to note that the folder structure in /opt/cisco changed between 3.0.0629 and 3.0.5080. The way I'm deploying AnyConnect these days is to create a Composer package that installs the AnyConnect.mpkg into /tmp/. A postflight script runs: installer -pkg "/private/tmp/AnyConnect.mpkg" -target $3 This method takes advantage of the pre/post flight scripts included in the AnyConnect package. Especially since the metapackage from Cisco comes with vpn, posture, dart, and websecurity as individual pkgs.

You can pre-populate server addresses in /opt/anyconnect/profile/anyconnect.xml

You can also pre-populate a users preferred server by changing the order of servers listed in /opt/anyconnect/profile/anyconnect.xml or by deploying ~/.anyconnect

If you're deploying to 10.5 Macs, there is logic involving the TUN extension that may be blown away by doing a composer snapshot on 10.6+.

I've found out the hard way that there are many settings on the ASA/server/vpn concentrator that can cause problems on the client. Going over the ASA settings for correctness is an exercise worth doing.

Kumarasinghe
Valued Contributor

Make sure you don't rename the pkg or anything in the original package name. If you rename the Cisco installer, it will break.

These are the steps we use for AnyConnect 3.0.3054

1. Right-click AnyConnect.mpkg > Contents > Packages
2. Copy vpn.pkg to Casper Admin

To get the server address automatically we package the new.xml file which holds the server details (this file can be called new.xml or any name, which will be set by network engineers, so use the name specified in your environment).
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac0...

  1. Install Anyconnect on a reference machine and log in to your VPN server to get the new.xml file created in /opt/cisco/vpn/profile/ or /opt/cisco/anyconnect/profile/

  2. Open new.xml in TextWrangler and delete all entries except the <ServerList> field. You'll see that the <HostName> and <HostAddress> fields reflect your VPN server details.

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    
    
    <ServerList>
        <HostEntry>
            <HostName>vpn.mycompany.com</HostName>
            <HostAddress>vpn.mycompany.com</HostAddress>
        </HostEntry>
    </ServerList>
    </AnyConnectProfile>
  3. Package the new.xml file and upload it to Casper Admin to be used with a policy.

When we first launch and connect to the Cisco VPN Concentrator, it will download the latest VPN AnyConnect client software available on the Concentrator.

ImAMacGuy
Valued Contributor II

@Kumarasinghe - I've been following your instructions, but I never get the new.xml file created in either folder.

Is there more to the file than what you posted above?

Do you deploy the vpn.pkg file as part of the install, at boot time, or like others suggested as a policy w/ the XML file?

ImAMacGuy
Valued Contributor II

also, since we have 2 servers, is it possible to have 2 host entries? Do I just do:

<HostEntry>
    <HostName>vpn1.mycomp.com</HostName>
    <HostAddress>vpn1.mycomp.com</HostAddress>
    <HostName>vpn2.mycomp.com</HostName>
    <HostAddress>vpn2.mycomp.com</HostAddress>
</HostEntry>

or do I just put 1 per <HostEntry> and </HostEntry>?

Kumarasinghe
Valued Contributor

@jwojda

Most probably the v2.5 file location etc is different.
With v2.5, please check for the file called .anyconnect or something in the root level of your user account
e.g- /Users/jwojda/.anyconnect

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHost>**vpn.mycomp.com**</DefaultHost>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac0...

We deploy vpn.pkg + packaged XML file at imaging time and we have it in Self Service via a policy as well.

We have the same vpn1 and vpn2 addresses as well BUT those are load balanced server addresses. So once we connect to vpn.mycomp.com it will load balance into one of these servers. It is a part of the Cisco VPN configuration. We need only vpn.mycomp.com to be put in the XML file. Most probably your company has the same setup.

Check with your network engineers. Also check with them if you can upgrade to an AnyConnect 3.0+ version.

ImAMacGuy
Valued Contributor II

There's a new 3.1.01065 released on October 18th. That seems to work with far less frustration than our 2.5 version.

hansjoerg_watzl
Contributor II

Does anybody know how to deploy the 3.1.01065 version with only the VPN core module installed? (We don't need Web Security, DART and Posture)
There's an ACTransforms.xml in the Profiles folder, which will be used for customized installations, e.g. you can disable the "Customer Experience Feedback". But I don't know if this XML could be used to skip modules that are not required too. (I didn't find a property list for modules)
We just want to deploy the AnyConnect client (VPN core) with our vpn profile (stored in /opt/cisco/anyconnect/profile)
I didn't find a vpn.pkg. In the original DMG there's just an AnyConnect.pkg (no .mpkg) and I can't open it ("show content"). Where do I find just the VPN core installer pkg? (With version 3.1.x)

ImAMacGuy
Valued Contributor II

I was able to open it in pacifist (http://www.charlessoft.com/)

There's vpn_module.pkg, websecurity_module.pkg, dart_module.pkg, and posture_module.pkg. You can use Pacifist and select the resources tab and pull out the individual pkg files.

hansjoerg_watzl
Contributor II

Thanks. Will try it...

Markus
New Contributor

Have you found a solution? Following this from jwojda, "You can use Pacifist and select the resources tab and pull out the individual pkg files.", the vpn_module.pkg doesn't run. How can I edit or replace the xml inside the packages?

ImAMacGuy
Valued Contributor II

Sorry to reopen this thread again, but I am working on the new.xml portion in 3.1.x and I want to pre-populate the 2 primary servers, but every time I put it into my /opt/cisco/anyconnect/profile folder and relaunch cisco, it doesn't populate the servers.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

    <ServerList>
        <HostEntry>
            <HostName>VPN1</HostName>
            <HostAddress>vpngw4.server.com</HostAddress>
        </HostEntry>
        <HostEntry>
            <HostName>VPN2</HostName>
            <HostAddress>vpngw3.server.com</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
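As an added example (not code from any poster in this thread or from Cisco), a small Python checker for the ServerList section of an AnyConnect profile. It returns the (HostName, HostAddress) pairs the client would see, and instead reports a HostName left unclosed (a missing slash) or a single HostEntry holding two hosts, the layout asked about earlier in the thread. The sample profiles are constructed from the host values posted here; the namespace is the one declared on the profile's root element.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the AnyConnectProfile root element in the profiles above
NS = "http://schemas.xmlsoap.org/encoding/"

def q(name):
    return "{%s}%s" % (NS, name)  # qualify a tag for ElementTree lookups

def parse_profile(xml_text):
    """Return (entries, problems): entries are (HostName, HostAddress) pairs in
    ServerList order; entries is empty whenever problems is non-empty."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing slash such as <HostName>VPN1<HostName> lands here
        return [], ["not well-formed XML: %s" % exc]
    if root.tag != q("AnyConnectProfile"):
        return [], ["root element is %s, expected AnyConnectProfile" % root.tag]
    server_list = root.find(q("ServerList"))
    if server_list is None:
        return [], ["no ServerList element"]
    entries, problems = [], []
    for i, entry in enumerate(server_list.findall(q("HostEntry")), 1):
        names = entry.findall(q("HostName"))
        addrs = entry.findall(q("HostAddress"))
        if len(names) != 1 or len(addrs) != 1:
            # Two servers need two HostEntry elements, not two pairs in one entry
            problems.append("HostEntry %d: expected 1 HostName and 1 HostAddress, "
                            "found %d and %d" % (i, len(names), len(addrs)))
            continue
        name = (names[0].text or "").strip()
        addr = (addrs[0].text or "").strip()
        if not name or not addr:
            problems.append("HostEntry %d: empty HostName or HostAddress" % i)
            continue
        entries.append((name, addr))
    return ([], problems) if problems else (entries, [])

# Constructed samples: two servers, the same with a slash missing, and one HostEntry holding two hosts
HEADER = '<?xml version="1.0" encoding="UTF-8"?><AnyConnectProfile xmlns="%s">' % NS
TWO_SERVERS = HEADER + """<ServerList>
<HostEntry><HostName>VPN1</HostName><HostAddress>vpngw4.server.com</HostAddress></HostEntry>
<HostEntry><HostName>VPN2</HostName><HostAddress>vpngw3.server.com</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""
UNCLOSED_TAG = TWO_SERVERS.replace("VPN1</HostName>", "VPN1<HostName>", 1)
ONE_ENTRY_TWO_HOSTS = HEADER + """<ServerList><HostEntry>
<HostName>vpn1.mycomp.com</HostName><HostAddress>vpn1.mycomp.com</HostAddress>
<HostName>vpn2.mycomp.com</HostName><HostAddress>vpn2.mycomp.com</HostAddress>
</HostEntry></ServerList></AnyConnectProfile>"""
```

Run `parse_profile` on the real file from /opt/cisco/anyconnect/profile before packaging it; a non-empty problems list explains a profile that "doesn't populate the servers" without guessing.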

johnklimeck
Contributor II

thanks guys,

I was able to get AnyConnect 3.1.05152 to connect successfully.

Had to use the restart vpnagentd script that was posted here (or you get the App Quit error message), and hide the /opt folder.

But, a few issues:

- It seems the whatever.xml file in the profile directory is being "pushed" out by the Cisco hardware. If you change it, it changes back.

- The AutoConnectOnStart setting is totally irritating and has to be disabled, which can be done by setting <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>

But, this setting just gets overwritten by what is being pushed, guess I have to talk to our network guys. Can there be only one default profile, for all AnyConnect users?

I would guess they would not want this for any user, Windows included, so they will probably be open to turning this off.

jk