Anyconnect Profile Editor for Posture Clarification

Kenlim (Level 1)

Dear Community,


I am trying to figure out what exactly needs to be filled in in the profile editor to generate the XML for day 0 pre-deployment preparation. There are 2 fields marked mandatory when I use the profile editor for posture: DH and Server Name Rules.


Discovery Host - Is this the nearest PSN IP address for the endpoint to connect to for the first run of the deployed agent?

Server Name Rules - Does "server" refer to my PSNs? If my PSNs' FQDNs all use the form xxx.company.com, can I just put *.company.com in this rule?


Below is what I found in the AnyConnect deployment guide, but I can't find any further explanation of what exactly needs to be configured for the DH and the Server Name Rules.


  • Posture Protocol

    • Discovery host—The server to which the agent can connect. For standalone profile editors, enter a single host only.

    • Server name rules—A list of wild-carded, comma-separated names that defines the servers to which the agent can connect (such as .cisco.com).

    • Call Home List—Enter FQDNs that you want to use for load balancing, monitoring and troubleshooting lookup, or for DNS mapped to the default Policy Service Node (PSN) in that node (if in a multiple scenario). When this is configured, the first probe for monitoring and troubleshooting lookup is sent to call home. You must configure this while migrating from a redirection to a non-redirection network.

Regards,


Ken

Accepted Solution

howon (Cisco Employee)

- Discovery Host: You want this to be a destination that will always be redirected. Think of it as a trigger to force redirection. This can be any host (www.google.com, www.yahoo.com, www.cisco.com, enroll.cisco.com, 8.8.8.8) but should not be a PSN or any resource needed for remediation, as web traffic to the PSN is not redirected.

- Server Name Rules: This is where the NAC Agent or AnyConnect Posture module compares the server's digital certificate with the name rule here. If the certificate CN/SAN is written as PSN1.company.com, PSN2.company.com, etc., then you should put in either both entries or *.company.com. This is in place so your NAC Agent or AnyConnect Posture module doesn't inadvertently respond to other ISE deployments when the user connects to another company's network.

- Call Home List: In the past the AnyConnect Posture module required URL redirect to work, but now you can prepopulate the posture XML with a list of PSN nodes to connect to. This allows the posture service in an environment where no URL redirect is available. You would put PSN hosts or IPs here.



Hi Howon,

Just to clarify, I am preparing the XML for first-time pre-deployment, using device management to push AnyConnect and the XML to endpoints in bulk.

So I will configure the following:

Discovery host: enroll.cisco.com (which shall trigger redirection to the PSN)
Server Name Rules: *.company.com (all my PSN FQDNs are *.company.com)
Call home list: PSN IPs (is there a particular order or priority significance to the order of IPs/FQDNs I put here?)

It also happens that I have multiple sites: Site A will be using PSN A (Primary) and PSN B (Secondary), Site B will be using PSN B (Primary) and PSN A (Secondary), and so on. The NAD pointing to the primary PSN is in the same site as the PSN, while the secondary PSN is at a remote site.

Regards,

Ken
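The following is an added illustration, not Cisco's code or anything from the thread: it checks Ken's planned profile values against the three points in howon's answer (the discovery host must not be a PSN, and every PSN in the call home list must present a certificate whose CN/SAN the Server Name Rules accept). The wildcard semantics of `*.company.com`, the PSN IPs and the certificate names are all constructed assumptions.

```python
"""Sanity checks for Discovery Host, Server Name Rules and Call Home List.

Constructed example. ASSUMPTION: a rule starting with "*." matches any name
that ends in that domain suffix; any other rule must match exactly. The real
agent's comparison may differ; check the AnyConnect/ISE documentation.
"""


def name_matches_rule(name: str, rule: str) -> bool:
    """Case-insensitive match of one certificate CN/SAN against one rule."""
    name, rule = name.strip().lower(), rule.strip().lower()
    if rule.startswith("*."):
        suffix = rule[1:]  # "*.company.com" -> ".company.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == rule


def cert_allowed(cert_names, server_name_rules: str) -> bool:
    """True if any CN/SAN matches any of the comma-separated rules."""
    rules = [r for r in server_name_rules.split(",") if r.strip()]
    return any(name_matches_rule(n, r) for n in cert_names for r in rules)


def lint_profile(discovery_host: str, server_name_rules: str, call_home: dict) -> list:
    """Return problems with the planned values (empty list means none found).

    call_home maps each Call Home entry (PSN IP or FQDN as typed into the
    profile) to the CN/SAN names on that PSN's certificate.
    """
    problems = []
    # The discovery host only exists to trigger redirection; web traffic to a
    # PSN is not redirected, so a PSN (or anything the rules accept) is wrong.
    if discovery_host in call_home or cert_allowed([discovery_host], server_name_rules):
        problems.append(f"discovery host {discovery_host} looks like a PSN")
    # Each PSN the agent calls home to must pass the Server Name Rules check,
    # otherwise the agent will not talk to it.
    for entry, names in call_home.items():
        if not cert_allowed(names, server_name_rules):
            problems.append(f"call home entry {entry}: {names} match none of {server_name_rules!r}")
    return problems


# Ken's planned values; PSN IPs and certificate names are constructed.
PLAN = dict(
    discovery_host="enroll.cisco.com",
    server_name_rules="*.company.com",
    call_home={"10.0.1.10": ["psn-a.company.com"], "10.0.2.10": ["psn-b.company.com"]},
)

if __name__ == "__main__":
    print(lint_profile(**PLAN) or "no problems found")
    # A foreign ISE deployment's certificate is rejected by the same rule.
    print(cert_allowed(["psn1.othercorp.com"], PLAN["server_name_rules"]))
```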