
Deploy Umbrella for Cisco Secure Client

Deploying the Cisco Secure Client can be accomplished in three ways: SecureX Connected Deployment (Recommended), Standard Deployment and VPN head-end-based Deployment. This guide will walk you through all the methods. To start, select the steps for your chosen deployment method.


SecureX Connected Deploy (Recommended)

Deploying Cisco Secure Client connected with SecureX is our recommended deployment method and will configure your deployment from the SecureX cloud portal. Configure all of your profiles in the cloud and your client configuration will be automatic for every aspect of the client.

  1. To begin, sign on to SecureX at securex.cisco.com.
  2. Navigate to Insights.
  3. Click Deployment Management.

To configure Umbrella, create an Umbrella profile in SecureX and upload the OrgInfo.json profile file downloaded from the Umbrella dashboard. Then, select it as the chosen profile and enable the Umbrella setting. Umbrella will now be configured during installation.

Key features:

  • Profiles are configured and pushed with your deployments from the cloud (including Umbrella, which requires a one-time configuration)
  • Client updates are configured and managed on the SecureX portal

Standard Installation

Download the Cisco Secure Client from Umbrella

  1. Navigate to Deployments > Roaming Computers and click Roaming Client.
  2. Select and download the Cisco Secure Client deployment packages that meet the operating system requirements of the devices in your organization.

Manual Installation (Most Common for Evaluation)

  • Initial deployments for evaluation occur when an admin downloads a copy of the Cisco Secure Client (formerly AnyConnect) and manually installs it on the system.
  • At install, the client prompts for the required modules. For Umbrella-only, check Umbrella and DART, and install. For VPN as well, check Core/VPN, DART, and Umbrella.

Standard Installation (Most Common)

  • Standard deployment consists of installing the client, manually or by mass deployment, with the module MSI installer or with the wrapping setup EXE installer contained in the client download ZIP file. To begin, download the prerequisite software:

  • Download a copy of the Cisco Secure Client from software.cisco.com. Cisco Secure Client is licensed for Umbrella use for all current Umbrella packages but may require linking your contract ID to your Cisco account. For more information, see Standalone Roaming Client vs AnyConnect Roaming Module.

  1. Download a copy of the configuration profile from the Umbrella Dashboard. See Quick Start Guide.

  2. Depending on your system, drop or push the file into the following directory:

    • Windows: %ProgramData%\Cisco\Cisco Secure Client\Umbrella
      or
    • macOS: /opt/cisco/secureclient/umbrella/

Note:

  1. If deploying after installing Cisco Secure Client, the folder structure will already be in place.
  2. If deploying the OrgInfo.json before installing Cisco Secure Client, you will need to create the folder before placing the file.

The client activates the Umbrella module once the module is installed and OrgInfo.json is present in the Umbrella directory.

🚧

Important

When you deploy the OrgInfo.json file for the first time, it is copied to the data subdirectory (/umbrella/data), where several other registration files are also created. Therefore, if you need to deploy a replacement OrgInfo.json file, the data subdirectory must be deleted. Alternatively, you can uninstall the Umbrella Roaming Security module (which deletes the data subdirectory) and reinstall it with the new OrgInfo.json file.

The OrgInfo.json has specific information about your Umbrella dashboard instance that lets the Roaming Security module know where to report to and which policies to enforce. If you use another OrgInfo.json file from a different dashboard to install the Roaming Security module, the client computer appears in that dashboard instead.
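The placement and replacement rules above can be scripted. The following is an added example, not Cisco code: it refuses any OrgInfo.json whose SHA-256 does not match the hash you recorded when you downloaded the file from your own dashboard, creates the folder when the client is not yet installed, and deletes the data subdirectory only when the file actually changes. The function name, the DEPLOY_RESULT variable, the hash pinning and the file mode are assumptions of this example; the default path is the macOS directory given above.

```shell
#!/bin/sh
# Added example (not Cisco code): place or replace OrgInfo.json safely.
# The default directory is the macOS path from this guide.

sha256_of() {
    # sha256sum on Linux, shasum on macOS
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# deploy_orginfo SRC EXPECTED_SHA256 [UMBRELLA_DIR]   (hypothetical helper)
# Sets DEPLOY_RESULT to installed | replaced | unchanged | rejected.
deploy_orginfo() {
    src=$1; expected=$2; dir=${3:-/opt/cisco/secureclient/umbrella}
    dest="$dir/OrgInfo.json"; DEPLOY_RESULT=rejected

    # Refuse any file that is not the one exported from your own dashboard:
    # a different OrgInfo.json makes the computer appear in another dashboard.
    [ -f "$src" ] || return 1
    new=$(sha256_of "$src")
    [ "$new" = "$expected" ] || return 1

    # Compare against the registered copy under data/, else the dropped file.
    old=""
    if [ -f "$dir/data/OrgInfo.json" ]; then
        old=$(sha256_of "$dir/data/OrgInfo.json")
    elif [ -f "$dest" ]; then
        old=$(sha256_of "$dest")
    fi

    if [ "$old" = "$new" ]; then
        DEPLOY_RESULT=unchanged; return 0
    fi
    if [ -n "$old" ]; then
        # Replacement: the data subdirectory must be deleted first.
        rm -rf "$dir/data"; DEPLOY_RESULT=replaced
    else
        DEPLOY_RESULT=installed
    fi

    mkdir -p "$dir"   # needed when deploying before the client is installed
    # Mode 644 is this example's assumption: not writable by other users.
    cp "$src" "$dest.tmp" && chmod 644 "$dest.tmp" && mv "$dest.tmp" "$dest"
}
```

Run it with sufficient privileges to write to the Umbrella directory, and check DEPLOY_RESULT in your deployment tool to log which machines were re-registered.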

VPN Head-end Pushed Installation

Cisco Secure Client may also be deployed from a Cisco Secure VPN head end such as an ASA. Head end deployment is not available on Meraki MX devices for Umbrella profiles.

Deploy the Module
To add the Umbrella module to your VPN profile, add “Umbrella” from ASDM or with the following CLI command:

webvpn
    anyconnect modules value umbrella

Deploy the Umbrella Profile
After configuring the module installation, the profile must be deployed as well. Please refer to your deployment vector of choice:

ASA CLI

  1. Upload the OrgInfo.json that you obtained from the Umbrella dashboard to the ASA file system.
  2. Run the following commands, adjusting the group-policy name as appropriate for your configuration.

📘

Note

The file name on the ASA is case sensitive. If you upload a file named OrgInfo.json, you must maintain the case of the filename.

In the following example, you can configure the default group policy by setting <Group_Policy_Name> to DfltGrpPolicy.

webvpn
    anyconnect profiles orginfo disk0:/OrgInfo.json

group-policy <Group_Policy_Name> attributes
    webvpn
        anyconnect profiles value orginfo type umbrella

group-policy <Group_Policy_Name> attributes
    webvpn
        anyconnect modules value umbrella

ASDM GUI

📘

Note

ASDM 7.6.2 is required to configure the Roaming Security module through the GUI.

  1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
  2. Choose Add.
  3. Give the profile a name.
  4. Choose the Umbrella Security Roaming Client type from the Profile Usage drop-down list. The OrgInfo.json file populates in the Profile Location field.
  5. Click Upload and browse to the location of the OrgInfo.json file downloaded from the dashboard.
  6. Associate it with the DfltGrpPolicy at the Group Policy drop-down list or the policy of your choice. For more information about how to specify the new module name in the group-policy, see Enable Additional AnyConnect Modules.

ISE

  1. Upload the OrgInfo.json from the Umbrella dashboard.
  2. Rename the file OrgInfo.xml.
  3. Follow the steps in Configure ISE to Deploy AnyConnect.
