VPN Head End Pushed Installation

Cisco VPN Head End Deployment

Cisco Secure Client may also be deployed from a Cisco Secure VPN head end such as an ASA. Head end deployment is not available on Meraki MX devices for Umbrella profiles.

Deploy the module

To add the Umbrella module to your VPN profile, add “Umbrella” from ASDM or with the following CLI command:


       anyconnect modules value umbrella 

Deploy the Umbrella profile

After configuring the module installation, the profile must be deployed as well. Please refer to your deployment vector of choice:


  1. Upload the OrgInfo.json obtained from the Umbrella​ dashboard to the ASA file system.
  2. Run the following commands, adjusting the group-policy name as appropriate for your configuration.

Note: The file name on the ASA is case-sensitive. If you upload a file named OrgInfo.json, you must maintain the case of the filename.

In the following example, you can configure the default group policy by setting <Group_Policy_Name> to


    anyconnect profiles orginfo disk0:/OrgInfo.json 

group-policy <Group_Policy_Name> attribute 


        anyconnect profiles value orginfo type umbrella 

group-policy <Group_Policy_Name> attributes 


        anyconnect modules value umbrella 


Note that ASDM 7.6.2 is required to configure the Roaming Security module through the GUI.

  1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.
  2. Choose Add.
  3. Give the profile a name.
  4. Choose the Umbrella Security Roaming Client type from the Profile Usage drop-down list. The OrgInfo.json file populates in the Profile Location field.
  5. Click Upload and browse to the location of the OrgInfo.json file that you downloaded from the dashboard.
  6. Associate it with the DfltGrpPolicy at the Group Policy drop-down list or the policy of your choice. For information about how to specify the new module name in the group-policy,
    see Enable Additional AnyConnect Modules.


  1. Upload the OrgInfo.json from the Umbrella dashboard.
  2. Rename the file OrgInfo.xml.
  3. Follow the steps in Configure ISE to Deploy AnyConnect.

Meraki Systems Manager (SM) Deployment < VPN Head End Pushed Installation > Enable the Umbrella SWG Agent