Question

Worklet - Install Cisco Umbrella Anyconnect Agent

  • 7 September 2023
  • 7 replies
  • 415 views
jack.smith
Userlevel 5
Badge +1

This worklet will install Cisco Umbrella with certificate and config files. This also checks for the OpenDNS agent and removes as well. 

 

Evaluation

  • Paramaters
    • Thumbprint ID of the root certificate used by your own SWG deployment
  • If any of the services don’t exist, run remediation
    • csc_vpnagent
    • csc_swgagent
    • csc_umbrellagent
  • If running an older version of the service Umbrella_RC, run remediation
  • If the Root Certificate is missing, run remediation
  • If OrgInfo.json is not in place, run remediation
#params
$thumbprint = "<your-org-thumbprint>"

# Cisco AnyConnect VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service)
{
    exit 1
}

# Cisco AnyConnect Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service)
{
    exit 1
}

# Cisco AnyConnect Umbrella Roaming Security Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service)
{
    exit 1
}

# Root Certificate used to inpsect HTTPS traffic
$cert  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumbprint
IF(!$cert)
{
    exit 1
}

# Cisco Umbrella Roaming Client
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
    exit 1
}

# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
  exit 1
}

 

Remediation

Please use the reference links in the code to read about each installer, the switches so you can update to your needs

 

  • Paramaters
    • Thumbprint ID of the root certificate used by your own SWG deployment
    • OrgId of your own organization
  • Payloads
    • Download your own ZIP file from Cisco and upload that, the worklet will unpackage that and look for the relevant titles to install
    • Root Certificate
      example payloads as uploaded

       

  • If any of the services don’t exist, run remediation
    • csc_vpnagent
    • csc_swgagent
    • csc_umbrellagent
  • If running an older version of the service Umbrella_RC, uninstall
  • If the Root Certificate is missing, install from payload
  • If OrgInfo.json is not in place, create it using params
# Reference Links
## Secure Client Download: https://software.cisco.com/download/home/283000185
## Admin Guide: https://docs.umbrella.com/deployment-umbrella/docs/anyconnect-umbrella-roaming-security-client-administrator-guide
## downloaded "Module Profile" found at \Profiles\umbrella\OrgInfo.json from https://dashboard.umbrella.com/o/'<your-orgid>'/#/deployments/core/roamingdevices
## downloaded "Root Certificate" found at \ from https://dashboard.umbrella.com/o/'<your-orgid>'/#/deployments/configuration/customercertificate

$thumbprint = "<your-thumbprint>"
$orgid = '<your-orgid>'
$userId = '<your-userid>'
$zip = 'cisco-secure-client-win-5.0.03072-predeploy-k9' #just the name, don't add .zip

Get-Process MSIExec | Stop-Process -force -confirm:$false

# Prepare installation folder
Copy-Item .\$zip.zip C:\windows\temp\
Expand-Archive C:\windows\temp\$zip.zip -DestinationPath C:\windows\temp\$zip
$path = "C:\Windows\Temp\$zip"

# Setup Root Certificate used to inpsect HTTPS traffic
$cert  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumbprint
IF(!$cert)
{
    # Missing Root Certificate. Installing
    Write-Output "Installing Cisco_Umbrella_Root_CA certificate"
    $cert = Get-ChildItem .\Cisco_Umbrella_Root_CA.cer
    $cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
}
elseif($cert)
{
    Write-Output "Cisco_Umbrella_Root_CA.cer already installed in root certificate store."
}

# Remove Cisco Umbrella
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
    # Removing Umbrella Roaming Client
    Write-Output "Removing Umbrella Roaming Client"
    Start-Process msiexec -ArgumentList "/x $path\Setup.msi /qn" -wait

    # Validate Removal
    Start-Sleep -Seconds 15
    $service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
    IF($service)
    {
        Write-Output "Failed to remove Umbrella Roaming Client"
    }
}
elseif(!$service)
{
    Write-Output "Umbrella Roaming Client already removed."
}

# Install Cisco Secure Client VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service)
{
    Write-Output "Installing Cisco Secure Client VPN Module."
    $msi = (Get-ChildItem $path\*core-vpn-predeploy-k9.msi).fullname
    Start-Process msiexec -ArgumentList "/package $msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1 /lvx* C:\windows\temp\vpninstall.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client VPN Module. Review C:\windows\temp\vpninstall.log"
    }
}
elseif($service)
{
    Write-Output "Cisco Secure Client VPN Module already installed."
}

# Install Cisco Secure Client Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service)
{
    Write-Output "Installing Cisco Diagnostics and Reporting Tool"
    $msi = (Get-ChildItem $path\*dart-predeploy-k9.msi).fullname
    Start-Process msiexec -ArgumentList "/package $msi /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\dartinstall.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client Diagnostics and Reporting Tool. Review C:\windows\temp\dartinstall.log"
    }
}
elseif($service)
{
    Write-Output "Cisco Diagnostics and Reporting Tool already installed."
}

# Install Cisco Secure Client Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service)
{
    Write-Output "Installing Cisco Secure Client Umbrella Roaming Security Agent"
    $msi = (Get-ChildItem $path\*umbrella-predeploy-k9.msi).fullname
    Start-Process msiexec -ArgumentList "/package $msi /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\umbrellainstall.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client Umbrella Roaming Security Agent. Review C:\windows\temp\umbrellainstall.log"
        $log = Get-Content C:\windows\temp\umbrellainstall.log
    }
}
elseif($service)
{
    Write-Output "Cisco Secure Client Umbrella Roaming Security Agent already installed."
}

# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
  "OrgInfo.json was missing. Creating file. "
  $json = [pscustomobject]@{organizationId=$orgid;fingerprint=$thumbprint;userId=$userId}
  $json | ConvertTo-Json | out-file $orginfo -force
}
Remove-Item C:\windows\temp\$zip -Recurse -Force
$log

 @jhollis tagging you as I noticed you asking a similar question in another thread. This worklet may help.

7 replies

S
Userlevel 5
Badge

Great Worklet, Jack! We can’t keep up with you 😉

A
Badge

@jack.smith this is very helpful as we are testing umbrella! Would I take away the umbrella portion if we were only wanting to deploy the secure VPN?

jack.smith
Userlevel 5
Badge +1

@jack.smith this is very helpful as we are testing umbrella! Would I take away the umbrella portion if we were only wanting to deploy the secure VPN?

@ajamaya I’d confirm with documentation or support, but that would be my initial reaction as well.

A

I cant get your script to work on automox :(

jack.smith
Userlevel 5
Badge +1

I cant get your script to work on automox :(

Oh no. I’ve updated since this was first published. Perhaps this newer version could work. 

 

Payloads

  • OrgInfo.json
  • cisco-secure-client-win-current-version-predeploy-k9.zip
  • Cisco_Umbrella_Root_CA.cer

Then update the $ver variable with whatever current version you have uploaded for the payload above. 

 

#region Prepare installation folder
$ver = '5.1.2.42'
$path = "C:\Windows\Temp\cisco-secure-client-win-$ver-predeploy-k9"
Copy-Item .\cisco-secure-client-win-$ver-predeploy-k9.zip C:\windows\temp\ -Verbose
Expand-Archive "$path.zip" -DestinationPath $path

IF((Test-Path $path) -eq $false){
  Write-output "Failed to expand $path.zip to $($path)"
  Exit 0
}
#endregion

#region Setup Root Certificate used to inpsect HTTPS traffic
$cert  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match "CN=Cisco Umbrella Root CA"
IF(!$cert)
{
    # Missing Root Certificate. Installing
    Write-Output "Installing Cisco_Umbrella_Root_CA certificate"
    $cert = Get-ChildItem .\Cisco_Umbrella_Root_CA.cer
    $cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
}
elseif($cert)
{
    Write-Output "Cisco_Umbrella_Root_CA.cer already installed in root certificate store."
}
#endregion

#region Remove Cisco Umbrella (Legacy Client)
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
    # Removing Umbrella Roaming Client
    Write-Output "Removing Umbrella Roaming Client"
    Start-Process msiexec -ArgumentList "/x $path\Setup.msi /qn" -wait

    # Validate Removal
    Start-Sleep -Seconds 15
    $service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
    IF($service)
    {
        Write-Output "Failed to remove Umbrella Roaming Client"
    }
}
elseif(!$service)
{
    Write-Output "Umbrella Roaming Client already removed."
}
#endregion

#region Install Cisco Secure Client VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
    Write-Output "Installing Cisco Secure Client VPN Module."
    $dVPN = (Get-ChildItem "$path\cisco*core-vpn-predeploy-k9.msi").FullName
    Write-Output "MSI Path: $dVPN"
    IF(!$dVPN -or (Test-Path $dVPN) -eq $false){
        Write-Output "Failed to detect core-vpn-predeploy-k9.msi"
        exit 0
    }
    Start-Process MsiExec -ArgumentList "/I $dVPN /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1 /lvx* C:\windows\temp\cisco-core-vpn-predeploy-k9.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client VPN Module. Review C:\windows\temp\cisco-core-vpn-predeploy-k9.log"
        $log = Get-Content 'C:\windows\temp\cisco-core-vpn-predeploy-k9.log' -Tail 20
        Write-Output $log
    }
}
elseif($service)
{
    Write-Output "Cisco Secure Client VPN Module already installed."
}
#endregion

# Install Cisco Secure Client Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Stopped")
{
    Write-Output "Installing Cisco Diagnostics and Reporting Tool"
    $dSWG = (Get-ChildItem "$path\cisco*dart-predeploy-k9.msi").fullname
    Write-Output "MSI Path: $dSWG"
    IF(!$dSWG -or (Test-Path $dSWG) -eq $false){
        Write-Output "Failed to detect dart-predeploy-k9.msi"
        exit 0
    }
    Start-Process msiexec -ArgumentList "/I $dSWG /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-dart-predeploy-k9.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client Diagnostics and Reporting Tool. Review C:\windows\temp\cisco-dart-predeploy-k9.log"
        $log = Get-Content 'C:\windows\temp\cisco-dart-predeploy-k9.log' -tail 20
        Write-Output $log
    }
}
elseif($service)
{
    Write-Output "Cisco Diagnostics and Reporting Tool already installed."
}

# Install Cisco Secure Client Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
    Write-Output "Installing Cisco Secure Client Umbrella Roaming Security Agent"
    $dUMB = (Get-ChildItem "$path\cisco*umbrella-predeploy-k9.msi").fullname
    Write-Output "MSI Path: $dUMB"
    IF(!$dUMB -or (Test-Path $dUMB) -eq $false){
        Write-Output "Failed to detect umbrella-predeploy-k9.msi"
        exit 0
    }
    Start-Process msiexec -ArgumentList "/I $dUMB /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-umbrella-predeploy-k9.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client Umbrella Roaming Security Agent. Review C:\windows\temp\cisco-umbrella-predeploy-k9.log"
        $log = Get-Content 'C:\windows\temp\cisco-umbrella-predeploy-k9.log' -tail 20
        Write-Output $log
    }
}
elseif($service)
{
    Write-Output "Cisco Secure Client Umbrella Roaming Security Agent already installed."
}

# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
  Copy-Item OrgInfo.json 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\' -Verbose
}
Remove-Item C:\windows\temp\$zip -Recurse -Force
Remove-Item C:\windows\temp\$zip.zip -Force

 

A

oh thank you, let me give this a try

A

Still no luck, I can run a modified version of your script locally by cd to the location of the zip first and it would complete all the way. but the moment i run it on automox i get the event type “Error” with no log summary. Only once did i see a flash of hope; after correcting the failure.. went back to errors and no logs..:(
 

VERBOSE: Performing the operation "Copy File" on target "Item: C:\Program Files 
(x86)\Automox\execDir404182935\cisco-secure-client-win-5.0.05040-predeploy-k9.zip Destination: 
C:\windows\temp\cisco-secure-client-win-5.0.05040-predeploy-k9.zip".
Installing Cisco_Umbrella_Root_CA certificate


   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject                                                                      
----------                                -------                                                                      
**************               CN=Cisco Umbrella Root CA, O=Cisco                                           
Umbrella Roaming Client already removed.
Installing Cisco Secure Client VPN Module.
MSI Path: 
Failed to detect core-vpn-predeploy-k9.msi


This is my script,
Evaluation:
 

# Predefinied Variables
$AppName = "Cisco Secure Client - Umbrella"

# Check 64bit hive on x64 devices
if([System.Environment]::Is64BitOperatingSystem)
{
    $hklm64 = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine,[Microsoft.Win32.RegistryView]::Registry64)
    $skey64 = $hklm64.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Uninstall")
    $unkeys64 = $skey64.GetSubKeyNames()
    foreach($key in $unkeys64)
    {
        if($skey64.OpenSubKey($key).getvalue('DisplayName') -like "*$AppName*")
        {
            $installed += 1
        }
    }
}

# Check 32bit hive on 32/64 bit devices
$skey32 = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach($key in Get-ChildItem $skey32 -ErrorAction SilentlyContinue | Get-ItemProperty | Where-Object {($_.DisplayName -like "*$AppName*")})
{
    $installed += 1
}

# Check Presence
if(!($installed))
{
    Write-Output "Software not installed - Flagging for installation"
    Exit 1
}

Write-Output "Software is already installed"
Exit 0


Remediation

 

#region Prepare installation folder
$ver = '5.0.05040'
$path = "C:\Windows\Temp\cisco-secure-client-win-$ver-predeploy-k9"
Copy-Item .\cisco-secure-client-win-$ver-predeploy-k9.zip C:\windows\temp\ -Verbose
Expand-Archive "$path.zip" -DestinationPath $path -Force

IF((Test-Path $path) -eq $false){
  Write-output "Failed to expand $path.zip to $($path)"
  Exit 0
}
#endregion

#region Setup Root Certificate used to inpsect HTTPS traffic
$cert  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -match "CN=Cisco Umbrella Root CA"
IF(!$cert)
{
    # Missing Root Certificate. Installing
    Write-Output "Installing Cisco_Umbrella_Root_CA certificate"
    $cert = Get-ChildItem .\Cisco_Umbrella_Root_CA.cer
    $cert | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
}
elseif($cert)
{
    Write-Output "Cisco_Umbrella_Root_CA.cer already installed in root certificate store."
}
#endregion

#region Remove Cisco Umbrella (Legacy Client)
$service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
IF($service)
{
    # Removing Umbrella Roaming Client
    Write-Output "Removing Umbrella Roaming Client"
    Start-Process msiexec -ArgumentList "/x $path\Setup.msi /qn" -wait

    # Validate Removal
    Start-Sleep -Seconds 15
    $service = Get-Service Umbrella_RC -ErrorAction SilentlyContinue
    IF($service)
    {
        Write-Output "Failed to remove Umbrella Roaming Client"
    }
}
elseif(!$service)
{
    Write-Output "Umbrella Roaming Client already removed."
}
#endregion

#region Install Cisco Secure Client VPN Module
$service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
    Write-Output "Installing Cisco Secure Client VPN Module."
    $dVPN = (Get-ChildItem "$path\core-vpn-predeploy-k9.msi").FullName
    Write-Output "MSI Path: $dVPN"
    IF(!$dVPN -or (Test-Path $dVPN) -eq $false){
        Write-Output "Failed to detect core-vpn-predeploy-k9.msi"
        exit 0
    }
    Start-Process MsiExec -ArgumentList "/I $dVPN /norestart /passive PRE_DEPLOY_DISABLE_VPN=1 LOCKDOWN=1 /lvx* C:\windows\temp\cisco-core-vpn-predeploy-k9.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_vpnagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client VPN Module. Review C:\windows\temp\cisco-core-vpn-predeploy-k9.log"
        $log = Get-Content 'C:\windows\temp\core-vpn-predeploy-k9.log' -Tail 20
        Write-Output $log
    }
}
elseif($service)
{
    Write-Output "Cisco Secure Client VPN Module already installed."
}
#endregion

# Install Cisco Secure Client Diagnostics and Reporting Tool
$service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Stopped")
{
    Write-Output "Installing Cisco Diagnostics and Reporting Tool"
    $dSWG = (Get-ChildItem "$path\cisco*dart-predeploy-k9.msi").fullname
    Write-Output "MSI Path: $dSWG"
    IF(!$dSWG -or (Test-Path $dSWG) -eq $false){
        Write-Output "Failed to detect dart-predeploy-k9.msi"
        exit 0
    }
    Start-Process msiexec -ArgumentList "/I $dSWG /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-dart-predeploy-k9.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_swgagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client Diagnostics and Reporting Tool. Review C:\windows\temp\cisco-dart-predeploy-k9.log"
        $log = Get-Content 'C:\windows\temp\cisco-dart-predeploy-k9.log' -tail 20
        Write-Output $log
    }
}
elseif($service)
{
    Write-Output "Cisco Diagnostics and Reporting Tool already installed."
}

# Install Cisco Secure Client Agent
$service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
IF(!$service -or $service.status -ne "Running")
{
    Write-Output "Installing Cisco Secure Client Umbrella Roaming Security Agent"
    $dUMB = (Get-ChildItem "$path\umbrella-predeploy-k9.msi").fullname
    Write-Output "MSI Path: $dUMB"
    IF(!$dUMB -or (Test-Path $dUMB) -eq $false){
        Write-Output "Failed to detect umbrella-predeploy-k9.msi"
        exit 0
    }
    Start-Process msiexec -ArgumentList "/I $dUMB /norestart /passive LOCKDOWN=1 /lvx* C:\windows\temp\cisco-umbrella-predeploy-k9.log" -Wait
    Start-Sleep -Seconds 30
    $service = Get-Service csc_umbrellaagent -ErrorAction SilentlyContinue
    IF(!$service)
    {
        Write-Output "Failed to install Cisco Secure Client Umbrella Roaming Security Agent. Review C:\windows\temp\cisco-umbrella-predeploy-k9.log"
        $log = Get-Content 'C:\windows\temp\umbrella-predeploy-k9.log' -tail 20
        Write-Output $log
    }
}
elseif($service)
{
    Write-Output "Cisco Secure Client Umbrella Roaming Security Agent already installed."
}

# Cisco Umbrella Roaming Client OrgInfo.json
$orginfo = 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\OrgInfo.json'
IF((Test-Path $orginfo) -eq $false)
{
  Copy-Item OrgInfo.json 'C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\' -Verbose
}

#Clean Up
$zip = "cisco-secure-client-win-$ver-predeploy-k9"
Remove-Item C:\windows\temp\$zip -Recurse -Force
Remove-Item C:\windows\temp\$zip.zip -Force

 

Reply


Terms & ConditionsCookie settings