Cisco Defense Orchestrator

Upload AnyConnect Software Packages to an FTD Device Running FTD Version 6.5 or Later

If you use a Firepower Threat Defense (FTD) device running FTD version 6.5 or later to configure Remote Access Virtual Private Network (RA VPN), you can use the RA VPN wizard in CDO to upload AnyConnect software packages to the FTD. In the RA VPN wizard, you must provide the URL of the remote HTTP or HTTPS server where the AnyConnect packages are preloaded.

Note: You can upload the AnyConnect package using the FDM API procedure as well.

Before you Begin

  1. Download the AnyConnect packages from https://software.cisco.com/download/home/283000185
    • Make sure you accept the EULA and have K9 (encrypted image) privileges.
    • Select the "AnyConnect Headend Deployment Package" package for your operating system. The package name will be similar to "anyconnect-win-4.7.04056-webdeploy-k9.pkg." There are separate headend packages for Windows, macOS, and Linux.
  2. Upload the AnyConnect packages to a remote HTTP or HTTPS server. Ensure that there is a network route from the FTD device to the HTTP or HTTPS server.  

    Important: If you are uploading the AnyConnect package to an HTTPS server, ensure that the following requirements are met:
    1. The remote server's URL must be a direct link that does not prompt for authentication. If the URL is pre-authenticated, the file can be downloaded by specifying the URL in the RA VPN wizard.
    2. If the remote server IP address is NATed, you must provide the NATed public IP address of the remote server location.

Upload an AnyConnect Package

Use the following procedure to upload an AnyConnect package to an FTD Version 6.5.0 device:

  1. Follow steps 1-4 of Create an RA VPN Configuration.
  2. In AnyConnect Packages Detected, you can upload separate packages for Windows, Mac, and Linux endpoints.
    Note: If the AnyConnect packages are already present on the devices, you can see them in the RA VPN wizard. You can replace the existing package with a new one. See Replace an Existing AnyConnect Package for instructions.
  3. In the corresponding platform field, specify the path on the server where the AnyConnect package for that platform (Windows, Mac, or Linux) is pre-uploaded.
    Examples of server paths: 'http://<ip_address>:port_number/<folder_name>/anyconnect-win-4.8.01090-webdeploy-k9.pkg',
    'https://<ip_address>:port_number/<folder_name>/anyconnect-linux64-4.7.03052-webdeploy-k9.pkg'.
  4. Click the upload icon to upload the package. CDO validates that the path is reachable and that the specified filename is a valid package.
    When the validation is successful, the names of the AnyConnect packages appear.
    As you add more FTD devices to the RA VPN configuration, you can upload the AnyConnect packages to them. 
  5. Click OK. The AnyConnect packages are added to the RA VPN configuration.
  6. Continue to Create an RA VPN Configuration from step 6 onwards.
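
A local pre-check for the server paths entered in step 3, run before CDO performs its own validation in step 4. This is an added example, not Cisco code and not CDO's validation logic; the platform tokens in the filename pattern, the one-package-per-platform rule, and the sample addresses are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Filename shape copied from the package names shown on this page. The
# platform tokens (win, macos, linux64) are an assumption of this example.
PKG_RE = re.compile(r"^anyconnect-(win|macos|linux64)-(\d+(?:\.\d+)+)-webdeploy-k9\.pkg$")

def check_package_url(url):
    """Return (platform, errors, warnings) for one package URL."""
    errors, warnings, platform = [], [], None
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        errors.append("scheme must be http or https")
    if not parts.hostname:
        errors.append("missing server address")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        errors.append("port is not a valid number")
    match = PKG_RE.match(parts.path.rsplit("/", 1)[-1])
    if match:
        platform = match.group(1)
    else:
        errors.append("file name is not a webdeploy headend package")
    if parts.username or parts.password:
        warnings.append("URL carries credentials; the link must not need authentication")
    if parts.scheme == "http":
        warnings.append("plain HTTP gives no integrity protection in transit")
    return platform, errors, warnings

def check_package_set(urls):
    """Check every URL and flag a second package for the same platform."""
    report, seen = {}, {}
    for url in urls:
        platform, errors, warnings = check_package_url(url)
        if platform and platform in seen:
            errors.append(f"second {platform} package; already have {seen[platform]}")
        elif platform:
            seen[platform] = url
        report[url] = {"platform": platform, "errors": errors, "warnings": warnings}
    return report

if __name__ == "__main__":
    sample = [  # constructed input; 192.0.2.10 is a documentation address
        "https://192.0.2.10:8443/pkgs/anyconnect-linux64-4.7.03052-webdeploy-k9.pkg",
        "http://192.0.2.10:port_number/pkgs/anyconnect-win-4.8.01090-predeploy-k9.msi",
    ]
    for url, result in check_package_set(sample).items():
        print(url, result)
```

An empty error list only means the URL is well formed; reachability from the FTD device still has to be confirmed on the network.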

To complete a VPN connection, your users must install the AnyConnect client software on their workstations. For more information, see How Users Can Install the AnyConnect Client Software.

Update an Existing AnyConnect Package

Ensure that the new AnyConnect package is already uploaded to a server on the network that the FTD can reach.

  1. In the CDO navigation bar at the left, click VPN > Remote Access VPN.
  2. Select the RA VPN configuration to be modified, and under Actions, click Edit.
  3. In AnyConnect Packages Detected, click the edit icon beside the existing AnyConnect package.
    The existing package disappears from the corresponding field.
    Note: If you want to retain the existing package, click OK without making any changes.
  4. Specify the path of the server where the new AnyConnect package is preloaded and click the upload icon to upload the package.
  5. Click OK. The new AnyConnect package is added to the RA VPN configuration.
  6. Continue to Create an RA VPN Configuration from step 6 onwards.

Delete the AnyConnect Package

You can delete the existing AnyConnect package from the FTD device that you want. 

  1. In the CDO navigation bar at the left, click VPN > Remote Access VPN.
  2. Select the RA VPN configuration to be modified, and under Actions, click Edit.
  3. In AnyConnect Packages Detected, click the delete icon beside the AnyConnect package that you want to delete.
    The existing package disappears from the corresponding field.
    Note: Click Cancel to stop the delete operation and retain the existing package.
  4. Click OK. The device's Configuration Status is in 'Not Synced' state.
    Note: If you want to undo the delete action at this stage, go to the Device & Services page and click Discard Changes to retain the existing AnyConnect package.
  5. Review and deploy configuration changes to the devices.