
Adding a new PSN to our already existing configuration

ggenti122
Level 1

Dear All,

We currently have an existing Cisco ISE deployment and are planning to add an additional Policy Service Node (PSN) to our environment (PAN, MnT, PSN). I’m looking for guidance on the recommended process for bringing a new PSN online.

At the moment, I have a prepared virtual machine that does not yet have ISE installed. What is the correct procedure for loading the ISE image onto the VM, and how should I register the new PSN so that it integrates properly with our existing deployment?

Any best practices, steps, or considerations would be greatly appreciated.

Thank you.

2 Replies

@ggenti122 I would deploy the new ISE node from OVA, run the initial setup (assigning IP, gateway, etc.), then install the latest patch (to match the same patch level as the cluster). Register a DNS entry for the new node. Replace the admin certificate with a signed certificate from a CA that is trusted by the ISE cluster. From the P-PAN, register the new ISE node, then, if integrated with AD, join it to AD.
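A pre-registration check for the DNS and admin-certificate steps in the reply above, as an added example that is not part of the reply and not Cisco tooling. It assumes the admin portal answers on TCP 443, that forward and reverse DNS records should both match the node's FQDN, and that you have the issuing CA chain as a PEM file; the file name `preflight.py` is hypothetical.

```python
import socket
import ssl
import sys


def check_dns(fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return a list of DNS problems for fqdn; an empty list means it passed."""
    try:
        ip = forward(fqdn)
    except OSError as exc:  # gaierror/herror are OSError subclasses
        return [f"forward lookup of {fqdn} failed: {exc}"]
    try:
        ptr_name, aliases, _ = reverse(ip)
    except OSError as exc:
        return [f"reverse lookup of {ip} failed: {exc}"]
    names = {n.lower().rstrip(".") for n in (ptr_name, *aliases)}
    if fqdn.lower().rstrip(".") not in names:
        return [f"PTR for {ip} is {ptr_name}, expected {fqdn}"]
    return []


def check_admin_cert(fqdn, ca_bundle, port=443, timeout=5):
    """Return problems with the certificate served on fqdn:port.

    Only the CAs in ca_bundle are trusted, so a self-signed default
    certificate or one from an unrelated CA is reported.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # chain + hostname checks on
    ctx.load_verify_locations(cafile=ca_bundle)
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn):
                return []
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate rejected: {exc.verify_message}"]
    except OSError as exc:
        return [f"could not connect to {fqdn}:{port}: {exc}"]


if __name__ == "__main__":
    # Usage: preflight.py <new-node-fqdn> <ca-bundle.pem>  (both supplied by you)
    node, bundle = sys.argv[1], sys.argv[2]
    findings = check_dns(node) or check_admin_cert(node, bundle)
    for line in findings:
        print("FAIL:", line)
    sys.exit(1 if findings else 0)
```

Run it from a management host that uses the same DNS servers as the existing nodes; a non-zero exit means the node is not ready to be registered.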

@ggenti122,

It's important to remember that:

1st ... what is your ISE Deployment version (3.3 P7, 3.4 P3, 3.5, ...)?

The ISE version impacts the Hardware model ... please take a look at: ISE - What we need to know about SNS / VM, search for Cisco ISE Compatibility.

2nd ... what is your ISE Deployment type (Standalone, Small, Medium or Large)?

Your "Deployment Type" could change if you add one more Node ... please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine, search for Table 2. Types of Cisco ISE deployments.

Hope this helps!