Deploy Cisco Secure Client using SecureX Deployment Management

Cisco AnyConnect is - or, was - Cisco’s VPN client offering. I say ‘was’ because AnyConnect is now referred to as ...

Cisco AnyConnect is - or, was - Cisco’s VPN client offering. I say ‘was’ because AnyConnect is now referred to as Secure Client. It would be a mistake, however, to think that this is a simple rebranding exercise, and that Secure Client is functionally identical to AnyConnect. To be sure, AnyConnect VPN remains the core application of Secure Client. But it is a mistake to conflate the two because Cisco Secure Client - while including AnyConnect - can offer you much more than a VPN client. Secure Client has the potential to house a suite of security tools, including Secure Endpoint (formerly known as AMP), Umbrella, and ISE Posture. This means that you can deploy robust security to endpoints in a clean and minimally intrusive way. With a single installation of Secure Client, a device can be protected against malware with Secure Endpoint, it can be protected on the Internet with Umbrella, it can keep your network protected with ISE Posture, and has a VPN client to boot! In this blog post, we will look at how to set this up using SecureX.


SecureX is Cisco’s cloud-native incident and threat response platform. It integrates the Cisco Security portfolio as well as third-party security platforms. This means that SecureX provides a single pane of glass for visibility, detection, and response. Because of SecureX’s integrative nature, it is the ideal launching point for deploying an integrated security solution to endpoints. Our main objective will be to integrate Cisco security solutions with SecureX. Once we have accomplished this, we can use Secure Client Deployment Management on SecureX to create a custom instance of Secure Client that can be installed on endpoints. Let’s get started by creating a SecureX account. If you have a Cisco security product, then you have access to SecureX. Navigate to and create a new account. Or, if you already have an account, log in to your existing account.

In Figure 1, we see the SecureX homepage. The utility of SecureX is obvious. It brings together data from all of your security products into one place. Let’s navigate to Integration Modules to see all of the security tools - by Cisco and by third parties - that can share their data with SecureX. As you can see in Figure 2, there are a lot of options!

securex1Figure 1: SecureX homepage

Figure 2: Integration Modules


Umbrella’s core security feature is DNS protection. But it offers much more than that! For example, Umbrella’s cloud-delivered firewall provides firewall service without the need to deploy, maintain, and upgrade physical or virtual appliances on-site. Regardless of what use cases you might have in mind with Umbrella, how it integrates with SecureX will be the same. Find the Umbrella widget on the Integration Modules page, and click add. As you can see in Figure 3, there are a number of variables that should be inputted into SecureX to enable the integration. Note the helpful Quick Start guide on the page, which explains how to find the required information.

securex3Figure 3: Enable SecureX with Umbrella

Organization ID

Let’s get started with Organization ID. The simplest way to find your Organization ID is to login to Umbrella. Once you login, take note of your URL. It should look something like this:… The number between the ‘o’ and ‘#’ is your organization ID.


Figure 4: Umbrella Organization ID

Investigate API

To find the Investigate API, from the Umbrella dashboard, navigate to Investigate > API Keys.

You’ll want to create a new API access token for the SecureX integration.


Figure 6: Create a New Token
Figure 7: Your Newly Created Token

Copy and paste the newly created Access Token into the SecureX Umbrella enablement page.

Enforcement URL

To find the Integration URL, from the Umbrella dashboard, navigate to Policies > Policy Components > Integration Settings.

Give your integration a name and enable it. Copy the Integration URL and paste it into SecureX. Finally, don’t forget to save your newly created integration!


Figure 9: Your Newly Created URL

Reporting, Management, and Network Devices & Policies APIs

The Reporting, Management, and Network Devices & Policies APIs are all found in the same place. From the Umbrella dashboard, navigate to Admin > API Keys.

From here, you’ll want to select Legacy Keys. This is where you will find APIs for Umbrella Network Devices, Legacy Network Devices, Umbrella Reporting, and Umbrella Management. Note that we will not be using the Legacy Network Devices for our enablement.


Figure 11: API Keys

Figure 12: API Keys

Copy and paste the information into SecureX.


After you have entered all of the required information into SecureX to enable the Umbrella integration, you can verify the integration by navigating to the submenu of My Integration Modules.

Figure 13: Verify Umbrella Integration

Secure Endpoint

We’ll basically repeat the workflow above to enable the Secure Endpoint integration with SecureX.

To begin, in SecureX navigate to Integration Modules, find the Secure Endpoint widget, and click to add it.

Figure 14: Add New Secure Endpoint Integration Module

As you can see in Figure 14, compared to the Umbrella integration, there is less information that we need to input in SecureX to enable the Secure Endpoint integration; there is only one API. Before detailing how to find this information, note that the URL you will want to use will depend on your region.

3rd Party API Client ID & API Key

To find this information, login to Secure Endpoint. From the Secure Endpoint dashboard, navigate to Admin > API Credentials.

On the API Credentials page, click on New API Credential.

Figure 16: API Credentials

Give your new API Credential a name. You have some options about how to configure the API. Choose what is best for your circumstance.

Figure 17

Upon creating a new API Credential, the credentials will be generated. Copy and paste this information into SecureX.

Figure 18: API Key Details


As before, to verify your integration, you can navigate to the My Integration Modules submenu to note the status of your integration.

Figure 19: Verify Secure Endpoint Integration

Deploy Secure Client using SecureX

To access Deployment Management, from the SecureX homepage, click on Insights. If you have never done this before, you will be asked to activate this service.

Figure 20: SecureX homepage

Figure 21: Activate SecureX Device Insights

From here, under the Secure Client heading, choose Deployment Management, and then Create New Deployment.

Figure 22: Deployment Management

Once you choose to create a new deployment, you will be presented with a page where you can configure your deployment, as seen in Figure 23.

At a high level, what you notice first is that you have an option of what security tools you would like to include in this deployment instance. For example, you could choose to include Network Access Manager, or not. Since this blog post is not concerned with NAM, we will choose not to do this in this deployment instance.

You’ll also notice Cloud Management in the top left. This is something we have not spoken about it, but as the name suggests, it is the mechanism that controls or manages the Secure Client endpoint software.

Figure 23: Configure your Deployment

The next item to discuss is profiling. A profile allows you to customize the configuration of each element of Secure Client in a modular way. You can either create a new profile or upload a profile that you have already built elsewhere. Note that Secure Endpoint does not give you the option to create a profile; rather it asks you to choose a group. This is analogous to profile in the sense that it has to do with how you want to configure Secure Endpoint.

If we consider the Cloud Management profile, for example, as in Figure 24, we see that this gives us the option to specify how we would like to control logging and updating Secure Client. If you do not create a custom profile for Cloud Management, it will run with the default settings, which are seen below.

Figure 24: Cloud Management Profile

Since we want to include ISE Posture with this deployment, let’s take a look at its profile options in Figure 25. ISE’s posture service scans endpoints for compliance with the security requirements of an organization. This allows you to provide differentiated network access to endpoints based on the degree to which they satisfy your organization’s security requirements.

Figure 25: ISE Posture Profile

If you choose to create a new ISE posture profile under Deployment Management, you will need to upload it to ISE. Otherwise, you can configure the posture profile you’ll be using in the ISE GUI. Most likely, you’ll want to use the latter setup.

Once you have configured Secure Client to your specifications, as in Figure 26 for example, and saved it, the Deployment Management service will generate executables for installation. The basic difference between the two options is that the Network Installer is the lightweight option. When you deploy with this option, once on the endpoint, the installer will download the rest of the installers configured in the deployment in the background.

When it comes to sharing the installer, you can simply share the URL where the file will be downloaded from, or you could upload it to a software management tool, and have it pushed to endpoints.

Figure 26: Installing Secure Client


Deploying Secure Client using SecureX is a great way to install robust security on endpoints with minimum fuss. Of course, what we have discussed in this blog post is only half the story. You will need to enable and configure each of the services mentioned - e.g., the Umbrella roaming client, ISE Posture - so that once Secure Client is installed on the endpoint, it will actually provide the security function to the endpoint! Please feel free to get in touch if you have questions or comments about using SecureX to manage deploying security within your organization.

Similar posts