03-15-2021 09:33 AM - edited 03-15-2021 10:01 AM
Hi Experts,
We've placed the custom AD groups on the Client Provisioning Policy (CPP) for the users to get upgraded to 4.3, which was successful. Now, we'd like to proceed for everyone via CPP (approx. 1000 users).
I'd like to know if this is resource intensive on ISE? We're using a VM ISE node with a small license for the PSN and a medium license for the PAN/MNT.
Note: As this PSN resides in the DMZ, we have guest user traffic as well.
03-15-2021 03:36 PM - edited 03-15-2021 03:36 PM
I imagine it would be fairly resource intensive if all of your users hit the CPP at the same time, but there are various other factors so I don't believe there is any way to estimate how much.
Depending on which small VM platform specs you're using (3515 vs. 3615), you could have a performance impact. It may not be visible to users, but again there are many variables. I would suggest looking at your CPU/memory utilisation over time (especially during peak hours) to determine what percentage is free. If you have relatively low utilisation (no more than 30-40%) you may not have any issues.
A better option for deploying the update, however, would be using your standard software management platform (like SCCM) as those platforms typically have built-in mechanisms for staggering software updates to mitigate such performance impacts.
03-16-2021 01:50 AM - edited 03-16-2021 01:51 AM
Hi @Greg Gibbs
Thanks for the reply.
I believe when users are authenticated, the compliance module (CM) is being automatically upgraded by AnyConnect on the endpoint. Though users will be hitting the Unknown AuthZ policy for the redirection to the Client Provisioning portal (CPP), I guess it's being automatically upgraded by the endpoint client (AnyConnect), and I'm not sure if it's being pushed down automatically by ISE. Can you please confirm?
Also, do we just need to uninstall 3.6 and install the new module (4.3) via SCCM? Would that work, or does it require any extra config to be performed?
Please excuse my skillset on Windows as I'm not an SCCM guy. I did pilot testing via ISE CPP and it was successful.
Now I'm looking for options to ensure it's not causing any resource-intensive issues on ISE.
03-16-2021 05:41 PM
With a head-end install/upgrade (as you're doing from ISE), the package is downloaded to the end client directly from the ISE node then executed on the client. The package download is where you might have a performance impact as this will happen on-demand for every individual client.
The 4.3 pre-deployment package is an MSI file, so I would expect it would just be a matter of pushing that via SCCM. I'm also not an SCCM expert and I don't have the old 3.6 installer to test. I would suggest testing with a small pilot group via SCCM similar to what you have done with ISE.
03-17-2021 03:22 AM - edited 03-17-2021 07:26 AM
Hi @Greg Gibbs
Thanks mate for the reply. Final one: we have two Client Provisioning policies:
Pilot AD group + ASA firewall = Compliance Module 4.3
Fallback CPP rule with the other condition 'ASA firewall' = Compliance Module 3.6
We're planning to add the users into the Pilot AD group in a phased approach (100 users every day) to provision 4.3 via ISE. So, if a user isn't part of the AD group, they'll continue authenticating via 3.6.
My question is how I can fetch a daily report of the number of users who are provisioned with 4.3, as currently I'm not able to do so. I've navigated to Reports -> Endpoints and Users -> Client Provisioning, but this doesn't give the list of users who are provisioned with the new CPP name.
Is there any way we can check or fetch a report of how many users are being deployed with the new CM 4.3?
03-17-2021 06:20 PM
Per the Admin Guide, "The Client Provisioning report indicates the client provisioning agents applied to particular endpoints. You can use this report to verify the policies applied to each endpoint to verify whether the endpoints have been correctly provisioned."
Do you see any info in this report?
What info are you looking for that you don't see?
Have you confirmed the Logging Categories are enabled for this report as per the Admin Guide?
The ISE canned reports are not very flexible. Sometimes you might have to correlate info between multiple reports (using the IP address from one report to match it to the username in another report).
You may also be able to get the info you need via another system like using SCCM to gather a report on the software packages installed on the endpoints.
03-17-2021 06:33 PM
Hi Mate
Yeah, I don't see the client provisioning policy name (for Compliance Module 4.3) in that report for that user/endpoint, though they're upgraded via the head-end (ISE). I just want to fetch a report every day of who is being provisioned with the latest CPP policy.
03-19-2021 08:27 PM
Srinivasan Nagarajan, your observation is correct. CM versions are not in the posture details reports, and Client Provisioning reports have entries when the end users launch web browsers to the ISE client provisioning portal and get evaluated.
You may consider submitting Identity Services Engine (ISE) Feedback.
03-20-2021 06:45 AM - edited 03-20-2021 06:49 AM
Hi @hslai
I've submitted the feedback and, in parallel, if you could take it up with the Engineering teams or the AnyConnect TME, it'd be great. Thanks for the support and reply.