Cisco ASA 5505 User Manual

66-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 66 Setting General VPN Parameters

Using Client Update to Ensure Acceptable IPsec Client Revision Levels

Note

For all Windows clients, you must use the protocol http:// or https:// as the prefix for the URL. For the
VPN 3002 hardware client, you must specify protocol tftp:// instead.

The following example configures client update parameters for the remote access tunnel group. It
designates the revision number 4.6.1 and the URL for retrieving the update, which is
https://support/updates.

hostname(config)# client-update type windows url https://support/updates/ rev-nums 4.6.1

hostname(config)#

Alternatively, you can configure client update just for individual tunnel groups, rather than for all clients
of a particular type. (See Step 3.)

VPN 3002 clients update without user intervention and users receive no notification message. The
following example applies only to VPN 3002 hardware clients. Entered in tunnel-group ipsec-attributes
configuration mode the command it configures client update parameters for the IPsec remote access
tunnel group salesgrp. This example designates the revision number, 4.7 and uses the TFTP protocol for
retrieving the updated software from the site with the IP address 192.168.1.1:

hostname(config)# tunnel-group salesgrp type ipsec-ra

hostname(config)# tunnel-group salesgrp ipsec-attributes

hostname(config-tunnel-ipsec)# client-update type vpn3002 url tftp:192.168.1.1 rev-nums

4.7

hostname(config-tunnel-ipsec)#

Note

You can have the browser automatically start an application by including the application name at the end
of the URL; for example:

https://support/updates/vpnclient.exe.

Step 3

Define a set of client-update parameters for a particular ipsec-ra tunnel group.

In tunnel-group ipsec-attributes mode, specify the tunnel group name and its type, the URL or IP address
from which to get the updated image, and a revision number. If the user’s client’s revision number
matches one of the specified revision numbers, there is no need to update the client, for example, for a
Windows client enter this command:

hostname(config)# tunnel-group remotegrp type ipsec-ra

hostname(config)# tunnel-group remotegrp ipsec-attributes

hostname(config-tunnel-ipsec)# client-update type windows url https://support/updates/

rev-nums 4.6.1

hostname(config-tunnel-ipsec)#

Step 4

(Optional) Send a notice to active users with outdated Windows clients that their client needs updating.
For these users, a pop-up window appears, offering them the opportunity to launch a browser and
download the updated software from the site that you specified in the URL. The only part of this message
that you can configure is the URL. (See Step 2 or 3.) Users who are not active get a notification message
the next time they log on. You can send this notice to all active clients on all tunnel groups, or you can
send it to clients on a particular tunnel group. For example, to notify all active clients on all tunnel
groups, enter the following command in privileged EXEC mode:

hostname# client-update all

hostname#