09-18-2019 07:10 AM
Dear Community,
I am trying to figure out what exactly needs to be filled in in the profile editor to generate the XML for day 0 pre-deployment preparation. There are 2 fields marked mandatory when I use the profile editor for posture: Discovery Host (DH) and Server Name Rules.
Discovery Host - Is this the nearest PSN IP address for the endpoint to connect to on the first run of the deployed agent?
Server Name Rules - Does "server" refer to my PSNs? If my PSNs' FQDNs all use the form xxx.company.com, can I just put *.company.com in this rule?
Below is what I found in the AnyConnect deployment guide, but I can't find any further explanation of what exactly needs to be configured for the DH and the Server Name Rules.
Posture Protocol
Discovery host—The server to which the agent can connect. For standalone profile editors, enter a single host only.
Server name rules—A list of wild-carded, comma-separated names that defines the servers to which the agent can connect (such as .cisco.com).
Call Home List—Enter FQDNs that you want to use for load balancing, monitoring and troubleshooting lookup, or for DNS mapped to the default Policy Service Node (PSN) in that node (if in a multiple scenario). When this is configured, the first probe for monitoring and troubleshooting lookup is sent to call home. You must configure this while migrating from a redirection to a non-redirection network.
Regards,
Ken
09-23-2019 04:45 AM
- Discovery Host: You want this to be a destination that will always be redirected. Think of it as a trigger to force redirection. This can be any host (www.google.com, www.yahoo.com, www.cisco.com, enroll.cisco.com, 8.8.8.8) but should not be a PSN or any resource needed for remediation, as web traffic to a PSN is not redirected.
- Server Name Rules: This is where the NAC Agent or AnyConnect Posture module compares the server's digital certificate with the name rule here. If the certificate CN/SAN is written as PSN1.company.com, PSN2.company.com, etc., then you should put in either both entries or *.company.com. This is in place so your NAC Agent or AnyConnect Posture module doesn't inadvertently respond to other ISE deployments when a user connects to another company's network.
- Call Home List: In the past the AnyConnect Posture module required URL redirect to work, but now you can prepopulate the posture XML with a list of PSN nodes to connect to. This allows the posture service in an environment where there is no URL redirect available. You would put the PSN hosts or IPs here.
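The following is an added example, not code from this thread or from Cisco, that models the relationships the accepted answer describes between the three fields: the posture module only trusts a PSN whose certificate CN/SAN matches one of the comma-separated Server Name Rules, the Discovery Host must be something that will actually be redirected (so not a PSN, here modelled as "not a host covered by the rules"), and every Call Home entry should itself be covered by the rules or its certificate would be rejected. The wildcard semantics (a leading `*` matches exactly one DNS label) and all function and class names are assumptions for illustration, not documented AnyConnect behaviour; the sample hostnames are constructed.

```python
"""Illustrative lint of the Discovery Host / Server Name Rules / Call Home
fields of an ISE posture profile. Added example, not Cisco's code."""
import ipaddress
from dataclasses import dataclass
from typing import List


def split_csv(value: str) -> List[str]:
    """Split a comma-separated field, trimming whitespace and lower-casing."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def parse_server_name_rules(rules: str) -> List[str]:
    """Server Name Rules is a comma-separated list of (wild-carded) names."""
    return split_csv(rules)


def name_matches_rule(name: str, rule: str) -> bool:
    """True if one DNS name satisfies one rule.

    Assumption: a leading '*' stands for exactly one DNS label, so
    '*.company.com' matches 'psn1.company.com' but not
    'psn1.lab.company.com' and not the bare 'company.com'.
    """
    name = name.lower().rstrip(".")
    rule = rule.lower().rstrip(".")
    if not rule.startswith("*."):
        return name == rule
    suffix = rule[1:]  # '.company.com'
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return bool(label) and "." not in label and "*" not in label


def covered_by_rules(name: str, rules: List[str]) -> bool:
    return any(name_matches_rule(name, r) for r in rules)


def cert_trusted(cert_names: List[str], rules: List[str]) -> bool:
    """The agent should only talk to a PSN whose CN/SAN matches a rule."""
    return any(covered_by_rules(n, rules) for n in cert_names)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip())
        return True
    except ValueError:
        return False


@dataclass
class PostureProfile:
    discovery_host: str
    server_name_rules: str
    call_home_list: str = ""


def lint_profile(p: PostureProfile) -> List[str]:
    """Return a list of problems; an empty list means the three fields agree."""
    problems = []
    rules = parse_server_name_rules(p.server_name_rules)
    if not rules:
        problems.append("Server Name Rules is empty: the agent would trust no PSN")
    dh = p.discovery_host.strip()
    if not dh:
        problems.append("Discovery Host is empty")
    elif not is_ip(dh) and covered_by_rules(dh, rules):
        # Traffic to a PSN is not redirected, so discovery would never trigger.
        problems.append(
            f"Discovery Host {dh} matches Server Name Rules; use a host that "
            "will be redirected, not a PSN")
    for entry in split_csv(p.call_home_list):
        if is_ip(entry):
            continue  # IP entries cannot be checked against name rules here
        if not covered_by_rules(entry, rules):
            problems.append(
                f"Call Home entry {entry} is not covered by Server Name Rules; "
                "its certificate would be rejected")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    rules = parse_server_name_rules("*.company.com")
    print(cert_trusted(["psn1.company.com"], rules))   # own deployment
    print(cert_trusted(["psn.othercorp.com"], rules))  # someone else's ISE
    good = PostureProfile("www.cisco.com", "*.company.com",
                          "psn1.company.com,psn2.company.com")
    bad = PostureProfile("psn1.company.com", "*.company.com",
                         "psn1.lab.company.com,10.1.1.5")
    print(lint_profile(good))
    for problem in lint_profile(bad):
        print("-", problem)
```

The point of the rule check is the one the answer makes: the wildcard is not a convenience, it is the boundary that stops the posture module from answering an ISE deployment it does not belong to, so it should be as narrow as your PSN certificate names allow.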