Hiding the Secure Client aka: AnyConnect VPN Module

Advanced Malware Protection, CCIE, Endpoint Security, Identity Services Engine, Integrations, Mobile, Umbrella 3 Minutes

“How do I use NVM or the Umbrella module without installing [showing] the AnyConnect VPN module?”

That’s a question I get a lot.

Before diving directly into the answer, you might be asking yourself: what the heck are they talking about? So let’s go through it together.

Cisco Secure Client (CSC), which was formerly known as Cisco AnyConnect [Secure Mobility Client] has been deployed to ~200 million endpoints world-wide. So, naturally, Cisco’s branding team decided to rename it to Cisco Secure Client & confuse everyone, everywhere.. 😦 But not to worry, the VPN module is still named “AnyConnect VPN”.

However, CSC is not _only_ the best VPN client that’s ever existed… It’s so much more, and that’s why it is Cisco’s Unified Agent. It is a super powerful agent, because (in part) it has a stream-level interceptor for network traffic.. Did you know that? I speak about it at pretty much every Cisco Live since dinosaurs roamed the earth, but most people don’t have any clue.

The interceptor is incredibly important & powerful. It allows CSC [aka: AnyConnect] to intercept any traffic as it’s coming down the stack from the application to the network. With that power comes the ability to inspect the traffic and manipulate it.

For example when DNS traffic is sent down the stack from the DNS resolver client, CSC is able to recognize that it’s a DNS request and intercept it. It will compare that DNS request to the list of internal domains, and if the destination is internal (say: email.woland.com); then it leaves the traffic untouched which will use the DHCP assigned DNS servers. However, it is NOT an internal domain (say: http://www.internetbadguys.com) then CSC will wrap that DNS request in an eDNS packet, insert identifying data & forward it to Cisco Umbrella’s DNS resolvers for a policy-based response.

In other words, this stream-level interceptor is how the Umbrella module works for DNS-based control as well as the HTTP/S controls with the Secure Web Gateway (SWG) and more!

Stop Rambling… Get Back to the Point

Ok. So the point of all this is: Cisco Secure Client (CSC) is a very bad-*** product on the endpoint, and has a lot of power that gets delivered through it’s modules. So what if I just want those modules and I never want my end-users to see the “AnyConnect VPN” module?

Can I install just the NVM module or just the Umbrella module & not install the VPN module?

Short answer: No. Long Answer: the “AnyConnect VPN” module is known as the core module internally at Cisco. This core module has core functionality that is shared by the other modules in CSC. One such function is Trusted Network Detection (TND) – so all the modules can benefit from knowing if the endpoint is on a Trusted or Untrusted network.

However, you CAN hide the core module from the UI!

Why would anyone want to hide the module?

Answer: because they don’t use AnyConnect for VPN at their company. They may use some other vendor (poor souls). So, having the AnyConnect VPN module displayed in the UI can cause pain & confusion for their end-user population, and that is not something any of us want.

Can we hide the VPN module without hiding the entire UI? Yes we can.

You must create an XML file with very specific settings in it (see below); and name that file “VPNDisable_ServiceProfile.xml” specifically.  Then put that file into the %programdata%\Cisco\Cisco Secure Client\VPN\Profile directory. 

<?xml version=”1.0″ encoding=”utf-8″?>
<AnyConnectProfile xmlns=”http://schemas.xmlsoap.org/encoding/&#8221; xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance&#8221; xsi:schemaLocation=”http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd”>
  <ClientInitialization>
    <ServiceDisable>true</ServiceDisable>
  </ClientInitialization>
</AnyConnectProfile>

The XML must match this exactly. The file name must match “VPNDisable_ServiceProfile.xml” exactly. You can use your own file distribution mechanisms (SCCM, etc) to get this profile deployed, and (as of August 2023) you cannot use Secure Client’s Cloud Management in SecureX or the Cisco XDR (yet).

That’s all folks… You might need to restart the machine to ensure the UI loads fresh & clean, but now you can use the power of the Umbrella module, the ISE Posture module, the Network Access supplicant and the Secure Endpoint EDR modules – all without forcing your users to see the VPN module too!

<EOM>

Published by Loxx

Aaron Woland, CCIE No. 20113, is a Principal Engineer in Cisco’s Advanced Threat Security group and works with Cisco’s Largest Customers all over the world. His primary job responsibilities include security design, solution enhancements, standards development, advanced threat solution design, endpoint security and futures. Aaron joined Cisco in 2005 and is currently a member of numerous security advisory boards, and standards body working groups. Prior to joining Cisco, Aaron spent 12 years as a Consultant and Technical Trainer. Aaron is the author of: both editions of the Cisco ISE for BYOD and Secure Unified Access book; the All-in-one Cisco ASA Firepower Services, NGIPS and AMP book; the CCNP Security SISAS 300-208 Official Cert Guide; the CCNA Security 210-260 Complete Video Course; and many published white papers and design guides. Aaron is one of only five inaugural members of the Hall of Fame Elite for Distinguished Speakers at Cisco Live, and is a security columnist for Network World where he blogs on all things related to Security. His other certifications include: GHIC, GCFE, GSEC, Certified Ethical Hacker, MCSE, VCP, CCSP, CCNP, CCDP and many other industry certifications. You can follow Aaron on Twitter: @aaronwoland

Published

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.