Re: Deploy new Compliance Module to all endpoint PCs

Da ICS16 · ‎01-22-2024

Dear Community,

Current we are using AnyConnect agent version 4.x with Compliance Module 4.3.17XX

We plan to upgrade to new Compliance Module 4.3.33XX though SCCM server.

Please kindly provide good practice to achieve this goal with no impact.

Appreciated for your advise and commend.

Thanks,

ahollifield · ‎01-22-2024

Deploy from ISE via Client Provisioning Portal/Policy, not SCCM.

Da ICS16 · ‎01-22-2024

Are the any impact or ISE high load performance or not if we perform via ISE Client Provisioning Policy?

We have around 6K endpoints.

thanks,

ahollifield · ‎01-23-2024

None that I can think of. What size deployment?

Da ICS16 · ‎01-23-2024

Dear @ahollifield ,

There are three deployment nodes ( PAN, Secondary, and pxGRID ).

ahollifield · ‎01-24-2024

So a small deployment? https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Da ICS16 · ‎01-28-2024

Dear @ahollifield

It is medium deployment.

Aref Alsouqi · ‎01-29-2024

In medium-sized deployment the recommendation as of ISE 3.0+ would be having 2x nodes for the Admin, MnT, and pxGrid and separate the PSNs. You can have up to 6x PSNs in the medium deployment. More details in the link shared by @ahollifield.

Aref Alsouqi · ‎01-23-2024

I think you can upgrade the endpoints via SCCM, however, upgrading through ISE wouldn't cause any issue. If you upgrade via SCCM you would still need to upload the interested posture agent version to ISE because the endpoints would always do a check on the agent version installed locally on the endpoints and the one on ISE.

Da ICS16 · ‎01-23-2024

Dear @Aref Alsouqi ,

Could you share the document support and how to achieve it? thanks,

Aref Alsouqi · ‎01-24-2024

I found this link that might help:

Cisco Identity Services Engine:Provisioning AnyConnect for ISE Posture (lookingpoint.com)