Customize Windows Installation of AnyConnect
You can customize the installation of Cisco AnyConnect with various modules and features on Windows. AnyConnect installation packages support a number of MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI).
This guide describes how to deploy AnyConnect with the virtual private network (VPN), Umbrella Roaming Security, and DART (for diagnostics) modules. By default, AnyConnect deploys with the VPN module.
Table of Contents
Requirements
- Windows 8.1 or newer
- The Roaming Security Module requires a .NET framework (4.6.2+ at the minimum)
- Windows 10/11 on ARM-64 is not supported by the Umbrella Roaming Security module
- Cisco AnyConnect 4.8 MR2 or newer
- Administrative permissions on the Windows device
Prerequisites
- Download OrgInfo.json from Umbrella.
- Download the AnyConnect Package (Windows) from https://software.cisco.com/download/home.
Procedure
You can deploy AnyConnect for Windows with several options including:
- Hide the VPN module in the AnyConnect client GUI.
- Hide the AnyConnect installation from the Add/Remove Windows Programs list.
- Enable the Lockdown option.
AnyConnect installation packages support a number of MSI properties that you can change during installation, including lockdown and disabling the display of the VPN module in the client's graphical user interface (GUI). Lockdown prevents the service from being disabled manually.
Deploy the AnyConnect VPN Module
- Run the Windows installer to deploy the AnyConnect VPN package and set the option that hides the VPN module in the AnyConnect client's GUI. This option does not disable the VPN module. Set the MSI property to
PRE_DEPLOY_DISABLE_VPN=1.
Note: If the VPN module is hidden in the client GUI, you can manage the VPN module through the AnyConnect command-line interface.
The following command disables the VPN functionality by copying the VPNDisable_ServiceProfile.xml file embedded in the MSI to the directory specified for profiles for VPN functionality.
For example:
msiexec /package anyconnect-win-\<\_version\_>-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 /lvx* output_1.log
Deploy the AnyConnect Umbrella Roaming Security Module
- Run the Windows installer to deploy the AnyConnect Umbrella Roaming Security package.
msiexec /package anyconnect-win-\<_version_>-umbrella-predeploy.msi /norestart /passive /lvx* output_2.log
To enable lockdown, add LOCKDOWN=1 in the command-line installer.
msiexec /package anyconnect-win-\<\_version\_>-umbrella-predeploy-k9.msi /passive LOCKDOWN=1 /lvx* output_3.log
(Optional) Deploy the AnyConnect DART Module
- Run the Windows installer to deploy the AnyConnect DART (diagnostics and troubleshooting) package.
msiexec /package anyconnect-win-\<_version_>-dart-predeploy-k9.msi /norestart /passive /lvx* output_4.log
Hide AnyConnect from Add/Remove Programs List
You can hide the installed AnyConnect modules from users that have permissions to view the Windows Add/Remove Programs list.
- Run the Windows installer for an AnyConnect package using
ARPSYSTEMCOMPONENT=1.
This provided module does not appear in the Windows Add/Remove Programs list. Apply this to all modules at the time of deployment.
For example:
msiexec /package anyconnect-win-\<\_version\_>-umbrella-predeploy-k9.msi /passive ARPSYSTEMCOMPONENT=1 /lvx* output_5.log
Optional OrgInfo.json Configurations
When deploying the AnyConnect Roaming Security module, you can add and configure various parameters to the Umbrella OrgInfo.json profile file. These parameters, unlike LOCKDOWN, are applied to the OrgInfo.json profile directly rather than at the time of installation with an msiexec parameter. The following does not apply if run at install time.
| Parameter | Values | Description |
|---|---|---|
| noAutoSuffix | 0 - Add the domains (default)1 - Do not add domains | Does not add domains contained in the DNS Suffixes settings in network adapters and networking properties to the Internal Domains list. This feature exists so that the Umbrella roaming module is more aware of local resources and domains on foreign networks. |
| customUSResolvers | ["208.67.221.76", "208.67.223.76"] - Sets primary and secondary US-based Anycast addresses | Enables special DNS resolver Anycast addresses that limits DNS queries to only US-based Umbrella servers. Does not affect block pages or proxy. |
| noNXDOMAIN | 0 - Do re-query (default)1 - Do not re-query | Automatically re-query public NXDOMAINS at the local resolvers. This feature allows roaming users to resolve internal domains on networks beyond their own without interruption or internal domains list management. Note: DNS search suffixes are automatically sent to local resolvers, unless this functionality is disabled. |
Customize macOS Installation of AnyConnect < Customize Windows Installation of AnyConnect > Virtual Appliance User Guide
Updated 2 days ago