ISE 2 node deployment at multiple sites

raksec
Cisco Employee

Hello Experts,

We have a requirement; the details are below:

1. There are a total of 2500 endpoints.

2. The total number of sites is 16 across the globe (7 sites in US, 3 in UK, 1 in Japan, 1 in Singapore, 2 in India, rest in other APJC locations). Each site has an on-prem Active Directory (active/standby).

3. ISE will be licensed for Base, Plus, Apex and device administration.

Considering just 2500 endpoints and the customer's budget, we are suggesting a 2-node deployment, one node in the US and the other node in India. So US_ISE_node has to be integrated with the ADs in US and UK, and India_ISE_node with the ADs in APJC. Please suggest if there are any challenges for ISE redundant node deployment and ISE-AD integrations.

Thanks,

Rakesh Kumar

If I were you, I would deploy 2x PSN in each country (2x UK, 2x JP, 2x Singapore) and so on. Two, because if one PSN goes down the other will pick it up.

On the PAN side, you can keep it in the one main location and add your ADs to the PAN.

Please do not forget to rate.

Unfortunately, this design is not affordable for the customer. We have to cut the number of PSNs to the minimum possible.

As long as the ADs are integrated in ISE, this should not be a problem. However, NTP needs to be kept in sync all the time. If you are using hardware NTP, that would be ideal. Apart from that, it would be ideal if the customer could spend more money on ISE. However, if that is the case with a limited budget.

Please do not forget to rate.

So I have a few questions on this:

1. If one ISE box (running all personas) is placed in the US and the other in India, would it be recommended to configure them in HA?
2. What's the recommended latency for ISE-AD integration and ISE-NAD?
3. For instance, would integrating US_ISE_node with UK_AD, though they are in different time zones, be a challenge for NTP sync?

Mike.Cifelli
VIP Alumni

Here are my thoughts/questions without knowing all the details:
IMO when customer requirements come out I always bump the number of endpoints up for future growth. So 2500 endpoints could potentially be 3000. What are the desired needs to have Base, Plus, & Apex licenses? Could you save money here to deploy additional PSN/s?
My recommendation would be 2 PANs, 2 PSNs if you cannot do what @Sheraz.Salim suggested.