VPN Client update

Hi,

Since many people have started working from home, I'm wondering how you update VPN clients on users' machines. This requires interrupting the connection for a while, and something can always go wrong.

For GlobalProtect, we've done it on about 35k devices four or five times.

Stop PanGPS.

Install. It’ll reconnect.

Palo doesn't have the ability to do waves of deployments, so we basically do it ourselves.

Yeah, it interrupts the connection. We got no complaints. Or none got to me. Either way.

Make sure you comm it out and give users advance notice. Ask them to self-install. Provide toast notifications. Stuff like that.

PowerShell script checks if the VPN connection is up. If not, do the upgrade. If it is, checks if it's outside normal work hours. If it is, checks if the workstation is locked. If it is, disconnect and do the upgrade. The only people this has trouble with are the ones that disconnect and shutdown/sleep as soon as they are done for the day.
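An added example of the gating logic described in this post, written as a PowerShell pre-flight wrapper for a Software Center deployment; it is not the poster's script. Assumptions: the client is GlobalProtect (service PanGPS, virtual adapter description starting with "PANGP"), the installer path is a placeholder, work hours are 07:00 to 19:00, and "workstation locked" is approximated by LogonUI.exe running.

```powershell
# Added example, not from the thread. Exits non-zero when a blocking condition
# exists so the deployment records a failed install (the detection rule still
# does not match) and retries on the next evaluation cycle instead of hanging.
param(
    [string]$InstallerPath = (Join-Path $PSScriptRoot 'GlobalProtect64.msi'),  # placeholder name
    [int]$WorkStart = 7,    # assumed start of normal work hours (local time)
    [int]$WorkEnd   = 19    # assumed end of normal work hours (local time)
)

function Test-VpnUp {
    # Assumption: the GlobalProtect adapter's description begins with "PANGP".
    $adapter = Get-NetAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceDescription -like 'PANGP*' -and $_.Status -eq 'Up' }
    return [bool]$adapter
}

function Test-OutsideWorkHours {
    $hour = (Get-Date).Hour
    return ($hour -lt $WorkStart -or $hour -ge $WorkEnd)
}

function Test-WorkstationLocked {
    # Heuristic: LogonUI.exe is running while the lock screen is displayed.
    # The script runs as SYSTEM under the deployment agent, so it can see it.
    return [bool](Get-Process -Name 'LogonUI' -ErrorAction SilentlyContinue)
}

function Invoke-VpnClientUpgrade {
    # Stopping PanGPS drops the tunnel; the new client reconnects after install.
    Stop-Service -Name 'PanGPS' -Force -ErrorAction SilentlyContinue
    $proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/i `"$InstallerPath`" /qn /norestart" -Wait -PassThru
    return $proc.ExitCode
}

if (Test-VpnUp) {
    if (-not (Test-OutsideWorkHours)) {
        Write-Output 'Blocked: tunnel is up during work hours'; exit 1
    }
    if (-not (Test-WorkstationLocked)) {
        Write-Output 'Blocked: tunnel is up and the workstation is in use'; exit 1
    }
}
exit (Invoke-VpnClientUpgrade)
```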

Task sequence if the client can’t update itself from the ASA/Firewall.

What VPN client? If you do it for Cisco AnyConnect, it's slick. Enable the new version on the concentrator and it auto-updates each client as they connect, and even reconnects them when complete.

We have a CMG. Haven't had to update mine, but I assume I'd push a script that way if I had to.

CMG

But like where have you been for 2 yrs? Did this other place have COVID? Was it nice?

We even use the GP auto update directly from the Palo. Don’t even have to push it out. Been doing it for a few years now and it works great.

We also have a CMG so if it craters, we can always get to the box to remediate.

This.

While I prefer to empower users by allowing them to update the software from the Software Center at a convenient time, there are always those users that never proceed with the installation. For those we need to force-install even during the day, thus causing a service interruption and a reconnection of the VPN tunnel; a small notification generated by a PS wrapper a la PSADT works like a charm to limit calls to the helpdesk.

Hey,

Sounds good, but how can I tell the Software Center to stop temporarily if the parameters are not matched, and not hang forever in this installation or continuously generate error messages?

Thx mcdy!

We do it from the firewall, and I have also created a batch file which copies Cisco AnyConnect to the C drive, installs it, and then deletes the evidence / reboots. But pushing from the FTD is preferable as it has a lot less legwork.

Yeah, problem is you can’t ‘wave’ it out. We don’t want to enable it for 35k devices; we’d rather hit 300 testers, then 3000, then 8000… etc etc, in case something goes south.

But yeah, once you hit saturation point, or you just don’t care, it works fine.

It shouldn't hang, as the PowerShell script will exit if any of the blocking conditions exist. Software Center will detect it as a failed install since the detection rule won't match.

Makes sense. Our env is only 7000, and I'd expect these days to have only a fraction of those full-time remote.