Cisco Employee

ISE Posture Failing for Windows Update Patch

Good afternoon everyone,

We are in the midst of deploying a new ISE instance for a SP customer. The scope of the project was to allow the customer's Contractors and Vendors to have a separate Remote Access solution in order to enforce Security requirements via device posturing.

It appears that for the last week we have hit a roadblock. We have a Posture policy defined to ensure that all Windows Critical patches are installed via the Windows Update module and, if not compliant, to display a message and not remediate. There are no internal WSUS servers available to the endpoints; we are depending on the client to download updates directly from the Windows Public Catalog.

During all our testing, the client fails the posture check for Patch Management intermittently, even though the Windows machines are totally up to date with no patches pending.

Question:  Is this type of use case supported? Are there any specific requirements that need to be met for this use case to work?

Accepted Solution
Cisco Employee

Re: ISE Posture Failing for Windows Update Patch

Yes but it is a bit twisted, I've experienced the same issue!

The key point is that the device being postured needs to have access to the public Microsoft update server during the posture!!

We managed to get it working by using dynamic split-tunneling to exclude the traffic to Microsoft from the VPN (since there is no public list of IP addresses for the MS server, you need to rely on the FQDN).
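As an added illustration of the FQDN-based dynamic split-exclude approach described in the accepted answer (this is not configuration from the original thread; the group-policy name, the custom-data name and the domain list are assumptions, and the Microsoft FQDNs are the ones Microsoft documents for Windows Update), the ASA side looks like this:

```cisco
! Added example, not from the thread. Requires ASA 9.0+ and
! AnyConnect 4.5+ (Windows/macOS) for dynamic split exclude.
!
! 1. Declare the custom attribute type once under webvpn.
webvpn
 anyconnect-custom-attr dynamic-split-exclude-domains description Exclude Windows Update from the tunnel
!
! 2. Name a list of domains to exclude. Matching is by FQDN, so it
!    keeps working when Microsoft's CDN resolves to different IPs
!    depending on client location (the reason a static IP ACL or an
!    FQDN ACL on the redirect path behaves intermittently).
!    "WU-EXCLUDE" is an assumed name; trim the list to what your
!    posture module actually needs to reach.
anyconnect-custom-data dynamic-split-exclude-domains WU-EXCLUDE windowsupdate.com,update.microsoft.com,download.windowsupdate.com,delivery.mp.microsoft.com
!
! 3. Attach it to the group policy used by the posture VPN profile.
!    "GP_CONTRACTOR_POSTURE" is an assumed group-policy name.
group-policy GP_CONTRACTOR_POSTURE attributes
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value WU-EXCLUDE
```

Traffic to the excluded domains leaves the client outside the tunnel, so it also bypasses the ISE posture redirect that otherwise captures all HTTP/HTTPS while the endpoint is in the unknown state; confirm with your security policy whether that exception is acceptable before deploying it.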
3 Replies
Cisco Employee

Re: ISE Posture Failing for Windows Update Patch

The AnyConnect posture module relies on a 3rd party agent (such as the SUS agent) to confirm that it is up-to-date. To do so, the 3rd party agent needs to have access to the remediation server to check its status. The remediation server may be internal or on the Internet and should be allowed during the posture redirect phase. I suggest reviewing the redirect ACL to make sure it is allowing access to possible remediation resources.

Cisco Employee

Re: ISE Posture Failing for Windows Update Patch

Thanks for the response. In the end this was the same conclusion we came to, but the security policies at the organization do not permit split tunnels. With the ISE redirect in a posture unknown state, all HTTP and HTTPS traffic is redirected. We tried using the ASA FQDN ACL to exclude some of the Microsoft servers, but depending on the client location the Microsoft server name resolution changed and hence this worked intermittently. We ultimately abandoned the requirement, but I do appreciate your time to respond, as this is exactly the resolution to this problem.