Hi there folks. I have a need to deploy the 4.10 upgrade of Cisco AnyConnect VPN client and StartBeforeLogin modules to our remote users. This is something many of you must have done in the past, but I can’t quite figure it out. The main challenges:
I need to upgrade both the core VPN client and then the Start Before Login module. So I need to run 2 MSI’s, in that order.
Users need to be connected to VPN in order to get Software Distribution from SCCM
The installer seems to fail when trying to upgrade AnyConnect while it is actively in use for the VPN connection.
Before the Cisco admins jump in here and tell me to just “Use ASA auto update feature to push the upgrade to clients when they connect”…I am using FTD which doesn’t support auto-update for the extra module I need (StartBeforeLogin).
Things I’ve tried:
Typical Package with the client platform and language set so that the content is supposed to get pre-downloaded, plus chaining the 2 MSI’s together via “Always run this program before…”.
Problem: Installer sometimes fails if VPN connection is active. Pre-download doesn’t always work either.
Task sequence with “pre-caching” enabled. TS first step is to restart computer, thus disconnecting VPN. My hope is that all the required content would be pre-cached, and the TS would be able to continue after reboot with no network connection to MP
TS just never starts up again after reboot
If anybody had some general suggestions or examples of how they did something similar, I would appreciate your advice. Thanks in advance!
Users need to be connected to VPN in order to get Software Distribution from SCCM
They need to be online to *Get* content, but not necessarily run it.
We’re doing a roll out of AnyConnect too, and use a Package. In the logic:
$vpnCheck = Get-WmiObject -Query “Select * from Win32_NetworkAdapter where (Name like ‘%AnyConnect%’) and NetEnabled=‘True’”
$vpnCheck = [bool]$vpnCheck
If “True”, exit out; that checks for VPN connection. If false, continue on.
Make it a package. Deploy it. Make it run every 4 hours, or 2, or whatever, and re-run on failures. That will let the package attempt run/re-run. Unless you’re enforcing VPN always on, chances are most people are *not* on VPN 24/7.
I’m not saying a TS isn’t going to work, I’m just saying it’s probably overkill. I’d at least ‘try’ a Package first.
Task sequence is the way to go. What you want is on the Distribution Points tab on the Deployment Properties Download all content locally before starting task sequence
Then the client will have all the resources it needs before starting the TS. You can have a restart step at the beginning to ensure AnyConnect is not in use prior to upgrading.
Note, you will lose status messages after that reboot, so all your systems will show In Progress on the deployment status.
That’s odd, I’m also installing 4.10 at the moment and in all my test cases it happily installs over the top of 3.1 even if it’s connected at the time. (Obviously disconnects the user though)
Here’s a PSADT snippet I use for a user that’s currently logged in. We have to be very transparent with our users where I work. I will eventually remove the deferrals once we get more folks back in the office and it’s not so invasive to disconnect them from the network to upgrade the client.
I would recommend not deploying through a task sequence unless it’s for OSD. With this you will not have to reboot the computer as the vpncli utility can perform the disconnect.
Write-Log -Message “Warning: User is connected to VPN and will be automatically disconnected.” -Severity 3
Show-InstallationPrompt -Title “Installing $appVendor $appName $appVersion” -Message “You will be disconnected from VPN for a few minutes while new client is installed. Once the install has completed you will be prompted to log back into VPN.” -ButtonMiddleText ‘Continue’ -Icon Exclamation -MinimizeWindows $true -ExitOnTimeout $true
We do a package where its a required deployment 30 days out and communicate to end users to go into software center and run the package. This way it’s not unexpected when it stops VPN once package runs and user gets a choice to run when they are ready. At 30 day mark it runs with a 60 minute heads up that its going to upgrade vpn and you will be disconnected.
Your check whether user is connected or not is worth testing in our environment so thank you for that.
Ya, when I did 4.5 to 4.6 it worked the same way, although a small percentage of users had issues where it failed to install and left them with no vpn client at all. This time, my first test of 4.10 had the problem, and I have many more vpn users now, so I can’t accept even a small amount of failed installs.
The catch for me here is that I need StartBeforeLogin to be installed before the next time the user logs in. We have trained them to use SBL so that they get network drives, login scripts, etc to run correctly.
For now, I am working on a Task Sequence with a “KillVPN” step, plus 2 app install steps (Core, SBL), then a reboot.