Just last month, Cisco announced that the Cisco Umbrella Roaming Client would become End of Life (EoL) effective April 2nd 2024. As a result, the last day of support would be April 2nd 2025, one year after the client is EoL.
This announcement means that customers that have deployed the Cisco Umbrella Roaming Client now need to look at ways to migrate to the alternative Cisco solution; Cisco Secure Client (Formally Cisco AnyConnect). With that said, this article has been created to help Cisco customers identify and plan for their migration from the Umbrella Roaming Client to the Cisco Secure Client. While some potential migration methods may not be covered here, the idea is to identify the most appropriate and effective way for the majority of customers using the Umbrella Roaming Client.
Customers should plan their migration steps deciding whether to migrate all endpoints to the Secure Client immediately or choosing to opt for a staged migration approach. Larger organisations may benefit from a staged migration allowing them to test the Secure Client with selected departments before continuing with the rollout whereas it might be more appropriate for smaller organisations to consider the release notes and migrate all devices to the Secure Client at a time appropriate to them. Regardless of the approach taken, customers should keep in mind the EoL date and take suitable steps to migrate to the Secure Client.
Please also note that the information covered in this article is not affiliated with Cisco and while the author may have affiliation with Cisco, it is recommended that you also seek additional Cisco support that may be required for your particular deployment.
Cisco AnyConnect to Cisco Secure Client
For some time now, Cisco has encouraged customers to use Cisco AnyConnect over the Umbrella Roaming Client and so for some customers, migrating to the Cisco Secure Client will be relatively straightforward. Customers already using Cisco AnyConnect will simply only be required to install version 5.0+ to start leveraging the new Secure Client. The older version of (AnyConnect) will be removed and replaced with the Secure Client.
Customers can continue to leverage their existing software deployment methods to deploy Cisco Secure Client to their respective endpoints or follow one of the suggested approaches below. Regardless of the method chosen, always check the release notes before migrating away from your existing version as this will help you avoid any potential bugs or apply compensating controls if possible in the interim.
Customers can check the release notes here: Cisco Secure Client (including AnyConnect) – Release Notes – Cisco
- Option One: Download the Cisco Secure Client from the Umbrella dashboard (Deployments > Roaming Computers > Roaming Client). You can select the relevant version/s of the software and decide whether you want to download the pre-deployment package or the headend package. The package you select will be dependent on the way you choose to install the Secure Client. Assuming that you’re already using the Umbrella Roaming Security Module, you shouldn’t need to push the Umbrella profile again.
- Option Two: The Secure Client can be downloaded from software.cisco.com. You can then select the most relevant package for your organisation. Again, the Umbrella profile won’t be required for existing installations.
Umbrella Roaming Client to Cisco Secure Client
Cisco has already indicated that customers with Umbrella support contracts for standalone roaming clients will be eligible to migrate and use the Secure Client with the Umbrella Roaming Security module. If you require additional information concerning entitlement, please reach out to your Cisco account team.
The good news here is that Cisco has taken steps to remove the standalone roaming client from Windows and macOS machines when the Secure Client is installed. However, they do have one caveat and that is, if customers have Windows version 3.0.343 or older then they should uninstall the standalone roaming client before migrating to the new client. When migrating from the Umbrella Roaming Client, customers will need to download and deploy their respective Umbrella profile again.
The recommended migration paths for customers with the Umbrella Roaming Client are listed below.
- Option One: Download the Cisco Secure Client from the Umbrella dashboard (Deployments > Roaming Computers > Roaming Client). You can select the relevant version/s of the software and decide whether you want to download the pre-deployment package or the headend package. The package you select will be dependent on the way you choose to install the Secure Client. Once downloaded, from the same location, download the Umbrella profile. Once you have deployed the Secure Client to your respective endpoints, deploy the Umbrella profile to the correct file location.
The correct location for Windows machines is:
C:\ProgramData\Cisco\Cisco Secure Client\Umbrella\
The correct location for macOS machines is:
/opt/cisco/secureclient/Umbrella/
- Option Two: The Secure Client can be downloaded from software.cisco.com. You can then select the most relevant package for your organisation. You will still need to access the Umbrella dashboard as stated in Option One to download the Umbrella profile specific to your organisation.
When preparing to install the Cisco Secure Client, only select the modules that are relevant to your organisation. If your organisation is only licensed for Umbrella then only select the following modules: ‘Core & AnyConnect VPN’, ‘Umbrella’ and ‘Diagnostic And Reporting Tool’. The Core & AnyConnect VPN module is required, you can choose to deselect it however this will result in the module still being installed but not shown from the Graphical User Interface (GUI).
