Introduction
Cisco Secure Client the rebranded AnyConnect Client is best known as a VPN client but has been much more than that for a long time. CSC is an enabler of Security services with its many modules; NVM, NAM, Umbrella, ISE Posture, Secure Firewall Posture and Secure Endpoint in the CSC 5.0 Unified Client..
Thousand Eyes aims to Instantly identify what is impacting user experiences across any domain—even those that you do not own or control. Data shows that work has changed forever and one of the biggest issues facing organizations is operationalvisibility, which impacts business.
ThousandEyes for Cisco Secure Client is only one the valuable integrations since the Thousand Eyes joined Cisco and has streamlined the deployment of ThousandEyes Endpoint with Cisco Secure Client to extend visibility to more of your connected workforce.
Slide source: Cisco Live BRKAPP-2012 Enabling Hybrid Work with ThousandEyes
Other integrations include ThousandEyes on Meraki MX and ThousandEyes on Webex RoomOS Devices
This article will cover Cisco Secure Clients initial integration with Thousand Eyes and the deployment method available at the time this article is published. Web deployment and Cloud deployment is planned.
Cisco Secure Client Deployment Methods - Overview
Cisco Secure Client (AnyConnect) can be deployed several ways;
Pre-Deployment where the Admin downloads the pre-deployment package CCO (Cisco Connection Online) which includes all the MSI's required to install CSC and the various modules mentioned earlier. An Admin would either use a software distribution application such as SCCM or build the installers into a "golden image" that is applied to their corporate assets before distributing the devices to their employees. This is the most widely used deployment method as it scales best in a large enterprise
Web-Deployment this is the method where an admin would download the Web-Deployment package and upload to a VPN headend such as the ASA or Firepower device. The Web-deployment package can also be uploaded to the Cisco Identity Service Engine for customers that utilize ISE and Client Provisioning in ISE. Many customers will first deploy using the pre-deployment method and then upload the deployment packages and let the subsequent upgrades be pushed by the VPN headend when required.
XDR (SecureX) Cloud Management is the newest method of deploying and managing Cisco Secure Client. This method allows the Administrator to create deployments that contain the modules and profiles and create either a Full or Network installer. These installers would then be distributed using a software management system such as SCCM for example.
To learn more about this deployment method please see an earlier article Cisco Secure Client 5.x (AnyConnect) with SecureX Cloud Management - Cisco Community
Cisco Secure Client support for deployment of Thousand Eyes
As of the date this article was written the Thousand Eyes agent can be deployed using the Pre-Deployment method only. Again, In the near future this will also be possible on the headends but even more importantly in XDR Client Management for cloud deployment .
Required Cisco Secure Client Version for Windows and macOS
Cisco Secure Client 5.0.04032 - Initial Windows support.
This maintenance release includes the Introduction of Cisco Secure Client ThousandEyes Endpoint Agent Module—We now offer a ThousandEyes Windows installer (.msi) in the predeploy package. Upon installation, Secure Client can detect the installation of the ThousandEyes Module and displays the version in the About box, although no UI tile is present. This integration enhances a customers' ability to get a complete picture of their application health, allowing them to make better-informed decisions and to resolve issues quicker. Refer to the Thousand Eyes Integration in the Cisco Secure Client Administrator Guide for additional details. Refer to the Cisco Secure Client - ThousandEyes Endpoint Agent Module Integration Guide for detailed information on how to collect network- and application-layer performance data when users access specific websites from within monitored networks.
Cisco Secure Client 5.0.05040 - Initial macOS support
This maintenance release includes the addition of Cisco Secure Client ThousandEyes Endpoint Agent Module for macOS—A ThousandEyes macOS installer is now available in the predeploy package: Cisco Secure Client - ThousandEyes Endpoint Agent-x64-<vers>.pkg. Additions have also been made to the DART logs for the ThousandEyes Endpoint Agent Module. Refer to the Thousand Eyes Integration in the Cisco Secure Client Administrator Guide for additional details. Refer to the Cisco Secure Client - ThousandEyes Endpoint Agent Module Integration Guide for detailed information on how to collect network- and application-layer performance data when users access specific websites from within monitored networks.
Source: Cisco Secure Client Release Notes
Deployment Example: Windows MSI to install only the TE Agent
Use case: Customer does not currently utilize AnyConnect/Cisco Secure Client but want to install using the CSC deployment option for Thousand Eyes
Step 1. Download the pre-deployment package from CCO
Cisco Secure Client Installer file names:
Step 2. Run the install on the Windows endpoint.
Note: We are only showing the direct install of using the MSI directly on the Endpoint but more than likely in a large deployment a customer may deploy using SCCM.
Windows Pre-deployment MSI Example
msiexec /package cisco-secure-client-win-version-thousandeyes-predeploy-k9.msi / norestart/passive /lvx*
cisco-secure-client-version-thousandeyes-predeploy-k9-install-datetimestamp.log
Step 3. Verify Installation
Simple Windows verification of the Installed Programs and Task Manager.
Deployment Example: Adding Cisco Secure Client and Modules
In this example we are going deploy Cisco Secure Client to the endpoint that previously only had the Thousand Eyes Agent installed. Using Client Deployment in Cisco XDR we will create a deployment that includes a couple of modules and profiles The expected outcome is that CSC is installed and now reporting Thousand Eyes as an installed module.
Summary of steps
- Using XDR Client Management
- Creating a CSC deployment that has the following:
- Cloud Management - the endpoint will be managed and in the inventory.
- Secure Endpoint (AMP) will be installed in the Unified Agent
- AnyConnect VPN
- Umbrella
- DART
Note:
The ability to install and update Thousand Eyes from the Cloud will come at a later date - unknown at this time.
When CSC is installed the currently installed TE Agent will be reported as installed in the UI with the current version.
Step 1. XDR > Client Management > Deployments
Step 2. Create a deployment
To learn more details about this deployment method please see an earlier article Cisco Secure Client 5.x (AnyConnect) with SecureX Cloud Management - Cisco Community
Step 3. Download the Deployment package
Step 4. Install the Deployment
Note: Both the Full and Network installers are .exe files (not MSI) An .exe can be deployed via SCCM and just requires a bit more work by the SCCM administrator. This is a one time task as all subsequent updates will be done in the cloud and a client check-in can be configured to check-in as frequently as every 2 hours. Unlike using a VPN headend to keep the clients updated the endpoint only needs to have internet access for the Cloud Management to function. No VPN required.
Manual installation shown
Install is complete and CSC UI is now visible on the desktop.
The previous install of Thousand Eyes now being reported by the Cisco Secure Client.
End.
References:
Cisco Secure Client ThousandEyes Endpoint Agent Module - ThousandEyes Documentation