https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137656#M199950 <HTML><HEAD></HEAD><BODY><P>Try this for size.</P><P>In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.</P><P>You might be able to cut this list down, and you might have to add to it for any specific requirements.</P><P></P><P><STRONG>From PSN to AD (potentially all AD nodes):</STRONG></P><P>TCP 389, 3268, 445, 88, 464</P><P>UDP 389, 3268</P><P></P><P><STRONG>From PSN to Monitoring nodes:</STRONG></P><P>TCP 443</P><P>UDP 20514</P><P></P><P><STRONG>PSN to Admin Nodes (2Way):</STRONG></P><P>TCP 443, 1521</P><P>ICMP echo and reply (heartbeat)</P><P></P><P><STRONG>WLC to PSN:</STRONG></P><P>TCP 443, 8443, 80, 8080</P><P>UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67</P><P></P><P><STRONG>PSN to other PSN’s (2 way)</STRONG></P><P>UDP 30514, 45588, 45990</P><P></P><P><STRONG>Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)</STRONG></P><P>TCP 8443, 8905</P><P>UDP 8905</P><P></P><P><STRONG>Admin/Sponsor to all ISE nodes:</STRONG></P><P>TCP 22, 80, 443, 8080, 8443</P><P>UDP 161</P><P></P><P><STRONG>PSN access to DNS servers:</STRONG></P><P>TCP/UDP 53</P><P></P><P><STRONG>PSN access to NTP servers:</STRONG></P><P>UDP 123</P></BODY></HTML> Thu, 06 Dec 2012 01:41:08 GMT bikespace 2012-12-06T01:41:08Z https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137654#M199928 <P>My question is in reference to the following link:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html" rel="nofollow" target="_blank">http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html</A></P><P></P><P>Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell</P><P></P><P>My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?</P><P></P><P>I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.</P> Mon, 11 Mar 2019 02:51:06 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137654#M199928 Stephen McBride 2019-03-11T02:51:06Z https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137655#M199941 <HTML><HEAD></HEAD><BODY><P>I am having the same questions. So far I have opend SNMP from ISE to NAD and then all the probe trafic (DNS, DHCP...) from NAD to ISE. And I seem to be able to profile devices correctly.</P></BODY></HTML> Tue, 04 Dec 2012 09:18:09 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137655#M199941 Philip Vilhelmsson 2012-12-04T09:18:09Z https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137656#M199950 <HTML><HEAD></HEAD><BODY><P>Try this for size.</P><P>In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.</P><P>You might be able to cut this list down, and you might have to add to it for any specific requirements.</P><P></P><P><STRONG>From PSN to AD (potentially all AD nodes):</STRONG></P><P>TCP 389, 3268, 445, 88, 464</P><P>UDP 389, 3268</P><P></P><P><STRONG>From PSN to Monitoring nodes:</STRONG></P><P>TCP 443</P><P>UDP 20514</P><P></P><P><STRONG>PSN to Admin Nodes (2Way):</STRONG></P><P>TCP 443, 1521</P><P>ICMP echo and reply (heartbeat)</P><P></P><P><STRONG>WLC to PSN:</STRONG></P><P>TCP 443, 8443, 80, 8080</P><P>UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67</P><P></P><P><STRONG>PSN to other PSN’s (2 way)</STRONG></P><P>UDP 30514, 45588, 45990</P><P></P><P><STRONG>Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)</STRONG></P><P>TCP 8443, 8905</P><P>UDP 8905</P><P></P><P><STRONG>Admin/Sponsor to all ISE nodes:</STRONG></P><P>TCP 22, 80, 443, 8080, 8443</P><P>UDP 161</P><P></P><P><STRONG>PSN access to DNS servers:</STRONG></P><P>TCP/UDP 53</P><P></P><P><STRONG>PSN access to NTP servers:</STRONG></P><P>UDP 123</P></BODY></HTML> Thu, 06 Dec 2012 01:41:08 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137656#M199950 bikespace 2012-12-06T01:41:08Z https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137657#M199963 <HTML><HEAD></HEAD><BODY><P>You could also issue a show ports | inc ip <PEER node=""> from cli to see the ports that are successfully connected between each node. Also if you are deploying an inline node you will have to add 8443 to bikespace reference</PEER></P><P></P><P><STRONG>PSN to Admin Nodes (2Way):</STRONG></P><P>TCP 443, 1521, 8443</P><P>ICMP echo and reply (heartbeat)</P><P></P><P>Thanks,</P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Thu, 06 Dec 2012 06:18:24 GMT https://community.cisco.com/t5/network-access-control/ise-1-1-1-firewall-rules-distributed-deployment/m-p/2137657#M199963 Tarik Admani 2012-12-06T06:18:24Z