ISE Posture Failing for Windows Update Patch

moe786
Cisco Employee

Good afternoon everyone,

We are in the midst of deploying a new ISE instance for an SP customer. The scope of the project was to give the customer's contractors and vendors a separate remote access solution in order to enforce security requirements via device posturing.

It appears that for the last week we have hit a roadblock. We have a posture policy defined to ensure that all Windows critical patches are installed, checked via the Windows Update module; if the endpoint is not compliant, the policy displays a message and does not remediate. There are no internal WSUS servers available to the endpoints; we are depending on the client to download updates directly from the Windows public catalog.

During all our testing, the client fails the posture check for Patch Management intermittently even though the Windows machine is totally up to date with no patches pending.

 

Question:  Is this type of use case supported? Are there any specific requirements that need to be met for this use case to work?

5 Replies

howon
Cisco Employee

The AnyConnect posture module relies on a third-party agent (such as the SUS agent) to confirm that the endpoint is up to date. To do so, the third-party agent needs to have access to the remediation server to check its status. The remediation server may be internal or on the Internet and should be allowed during the posture redirect phase. I suggest reviewing the redirect ACL to make sure it is allowing access to the possible remediation resources.

jdal
Cisco Employee
Accepted Solution

Yes, but it is a bit twisted; I've experienced the same issue!

The key point is that the device being postured needs to have access to the public Microsoft update server during the posture!

We managed to get it working by using dynamic split tunneling to exclude the traffic to Microsoft from the VPN (since there is no public list of IP addresses for the MS servers, you need to rely on the FQDN).

moe786
Cisco Employee

Thanks for the response. In the end this was the same conclusion we came to, but the security policies at the organization do not permit split tunnels. With the ISE redirect in a posture-unknown state, all HTTP and HTTPS traffic is redirected. We tried using the ASA FQDN ACL to exclude some of the Microsoft servers, but depending on the client location the Microsoft server name resolution changed, and hence this worked intermittently. We ultimately abandoned the requirement, but I do appreciate your time to respond, as this is exactly the resolution to this problem.
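As an added example that is not part of the original thread: the replies above say the patch-management check only passes when the Windows Update agent can reach its update source while the ISE redirect is in force, and that an FQDN-based exclusion was unreliable because the Microsoft names resolved to different addresses depending on client location. The PowerShell below, run in an elevated session on the VPN-connected Windows client, checks both points directly: it resolves a set of Microsoft Update FQDNs (an assumed list based on Microsoft's published Windows Update endpoints; substitute whatever names your exclusion actually uses), tests TCP/443 to each by name and reports which interface carried the connection, then asks the Windows Update Agent COM API for pending updates, the same agent the posture module's third-party check relies on. The FQDN list and the WUA search criteria are assumptions, not anything posted in the thread.

```powershell
# Added example, not from the thread. Endpoint-side check of the two things the
# posture flow depends on: (1) can this client reach Microsoft Update directly
# while the ISE posture redirect is in force, and (2) what the Windows Update
# Agent (WUA) itself reports as pending. Run elevated on the VPN-connected client.

# ASSUMPTION: names taken from Microsoft's published Windows Update endpoints.
# Replace with the FQDNs used in your ASA/AnyConnect exclusion.
$updateHosts = @(
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'sls.update.microsoft.com',
    'fe2.update.microsoft.com'
)

function Test-UpdateReachability {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        # Resolve first and record every A record: the intermittent failures in
        # the thread came from these names resolving differently per location,
        # which is why an address-based exclusion cannot be relied on.
        $ips = @()
        try {
            $ips = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                    Where-Object { $_.IPAddress }).IPAddress
        } catch { $ips = @() }

        # Connect by name, as the WUA does, not to a fixed IP.
        $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host        = $h
            ResolvedIPs = ($ips -join ',')
            Tcp443      = $tcp.TcpTestSucceeded
            # Which adapter the connection left on: the AnyConnect virtual adapter
            # means the traffic went into the tunnel (exclusion not in effect);
            # the physical adapter means the split-tunnel exclusion applied.
            Interface   = $tcp.InterfaceAlias
            RemoteAddr  = $tcp.RemoteAddress
        }
    }
}

function Get-PendingUpdates {
    # Query the WUA COM API directly. Online = $true forces a real search against
    # the configured source (Microsoft Update here, since there is no WSUS).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = $true
    # ASSUMPTION: criteria chosen to list missing, non-hidden software updates.
    $criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"
    try {
        $result = $searcher.Search($criteria)
    } catch {
        # Typical HRESULTs when the agent cannot reach its source: 0x80072EE2
        # (timeout) and 0x80072EFD (cannot connect). A redirect ACL that swallows
        # TCP/443 during posture-unknown produces exactly these.
        return [pscustomobject]@{ SearchOk = $false; Error = $_.Exception.Message; Pending = @() }
    }
    $pending = foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title    = $u.Title
            Severity = $u.MsrcSeverity          # 'Critical' is what the posture rule keys on
            KBs      = ($u.KBArticleIDs -join ',')
        }
    }
    [pscustomobject]@{ SearchOk = $true; Error = $null; Pending = @($pending) }
}

Test-UpdateReachability -Hosts $updateHosts | Format-Table -AutoSize

$r = Get-PendingUpdates
if (-not $r.SearchOk)          { "WUA search failed: $($r.Error)" }
elseif ($r.Pending.Count -eq 0) { 'WUA reports no pending updates' }
else                            { $r.Pending | Format-Table -AutoSize }
```

Read the two outputs together. If the reachability table shows TCP/443 failing, or succeeding only over the AnyConnect adapter, the redirect or the tunnel is still in the path and no exclusion is taking effect. If the WUA search fails with 0x80072EE2 or 0x80072EFD on a machine that is fully patched, the agent could not reach its source, which is the intermittent "not compliant" result described above rather than a genuinely missing patch.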

Hi,

This post has helped us with a problem. The customer tried to use the posture module to check critical updates on Windows computers without Internet access.

After enabling Internet access, the posture check works.

Is there any official document that explains the Internet or remediation server requirement?

 

Hi, I have been asked to do the same implementation. Could you tell me whether you used patch management posture rules? What version of ISE did you use?

Thanks
