Move from centralized to distributed ISE deployment

gdelp · ‎10-07-2019

Hello. I have a customer that has a centralized HA ISE deployment. They also have another seperate ISE deployment in another part of the network. They would like to change this to one distributed deployment. Is there a guide that details how this can be accomplished?

The second deployment is barely used and could be re-installed if that would make the change easier.

Thanks

Colby LeMaire · ‎10-07-2019

Expanding the deployment is as simple as joining new ISE nodes to the deployment and setting their roles. For the deployment that isn't used much, I would recommend a re-install of those nodes and then just join them to the existing deployment. As soon as you add your first additional node, set its role as PSN and remove the PSN role from the current Admin/MnT nodes. Keep in mind that you will have to point your network devices to the new PSN IP addresses.

Damien Miller · ‎10-07-2019

There is no guide for this and you will have to merge the deployments manually. What that looks like will depend greatly on what is configured on both deployments.

Some of the steps might include determining what is using the deployment you intend on removing. Reasons the two deployments were set up in the first place, ex. one is in the DMZ/used for guest while the other is for prod. Planning any expansion of the deployment that will remain if there will be a load increase. Ensuring licensing is migrated. Building any authentication and authorization policies that might now exist on the remaining deployment. Finally, reconfiguring any device that is using the deployment getting removed.

There is no one size fits all to this. It has to start with manually auditing the deployments to see what needs to move/be built.