https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578643#M519430 <HTML><HEAD></HEAD><BODY><P>Arne,</P><P></P><P>Not sure what version of ISE is this. Couple of things, I think the URL is hardcorded and since it is https, you cannot see via Wireshark captures. I have reached out to Engineering on the defect. Will update you more once I find.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Fri, 01 Dec 2017 03:36:40 GMT kthiruve 2017-12-01T03:36:40Z https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578642#M519429 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Smart Licensing is cool and we're busy converting all of our traditional licenses to Smart.&nbsp; We're also using Smart on Cisco Prime. </P><P>The challenge I am having is that in my environment, all internet traffic needs to go via an internal Proxy.&nbsp; The preferred scenario is that the proxy is authenticated (username/password). ISE supports this because I can configure a proxy with user credentials. I have tested this and I was able to use it for my SMS gateway feature which lives on the internet.</P><P>But the proxy doesn't work with Smart Licensing.&nbsp; I have taken countless tcpdumps and eventually logged a TAC case.&nbsp; There is a bug CSCvd93008 related to this.</P><P></P><P>As a workaround my customer said that they would whitelist the ISE PAN(s) to allow unauthenticated access through the proxy.&nbsp; But when we tried to allow tools.cisco.com the Smart Licensing didn't work. </P><P><STRONG>Question:&nbsp; What is the FULL URL that ISE tries to access when talking to Cisco for Smart Licensing?</STRONG></P><P></P><P></P><P>I don't know http and https that well, but I think a client will build a TLS connection to tools.cisco.com first, and only once the TLS tunnel is established it will try to POST/GET/whatever to the final URL. And if that's the case, we cannot see that in a tcpdump because the session is encrypted.&nbsp; Maybe that's why the URL filter won't work.</P><P></P><P>So what then should the proxy whitelisting URL contain?&nbsp; Is it even possible, or can one only whitelist the FQDN?</P><P></P><P>#life_is_easy_without_proxies_getting_in_the_way</P></BODY></HTML> Thu, 30 Nov 2017 01:50:53 GMT https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578642#M519429 Arne Bier 2017-11-30T01:50:53Z https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578643#M519430 <HTML><HEAD></HEAD><BODY><P>Arne,</P><P></P><P>Not sure what version of ISE is this. Couple of things, I think the URL is hardcorded and since it is https, you cannot see via Wireshark captures. I have reached out to Engineering on the defect. Will update you more once I find.</P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Fri, 01 Dec 2017 03:36:40 GMT https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578643#M519430 kthiruve 2017-12-01T03:36:40Z https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578644#M519431 <HTML><HEAD></HEAD><BODY><P>Hi this is ISE 2.3 patch 1.</P></BODY></HTML> Sun, 03 Dec 2017 22:56:09 GMT https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578644#M519431 Arne Bier 2017-12-03T22:56:09Z https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578645#M519432 <HTML><HEAD></HEAD><BODY><P>I see your TAC case is making progress and you already have the correct URL for the Smart Licensing site. Please continue working with TAC. I will write to TAC with my comments.</P></BODY></HTML> Tue, 05 Dec 2017 03:04:24 GMT https://community.cisco.com/t5/network-access-control/ise-smart-licensing-via-http-proxy-deeper-dive/m-p/3578645#M519432 hslai 2017-12-05T03:04:24Z