Distributed ISE deployment, localised Identity source

pehi030670
Level 1

Hi,

I'm trying to design a DMZ and security architecture that will incorporate a distributed deployment of ISE.

Assuming that each network segment will have a PSN deployed locally within it, is there any way to configure an individual PSN to consult the local network segment domain controller and name resolution service rather than having to open the firewalls to let every deployed PSN look "up" to a DC elsewhere on the network?

I've attached a concept sketch of what I want to achieve.

Thanks,

Accepted Solution

Hi,

ISE is Active Directory Sites and Services aware, so if you configure the ISE subnet in the same site as the local DC it should query this local DC. Whether at some point the ISE would need to query another DC is a good question and may need further investigation.

HTH

Rob
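To make the accepted answer concrete, here is an added PowerShell example (not from the thread or from Cisco) that places the subnet hosting a DMZ PSN into the same AD site as the local DC and then checks what the DC locator returns for that site. The site name, subnet, DC hostname and domain are assumed placeholders; run it with the ActiveDirectory module on a machine with rights to modify Sites and Services.

```powershell
# Added example: put the PSN's subnet in the same AD site as the local DC.
# All names below are assumed placeholders, not values from the thread.
Import-Module ActiveDirectory

$SiteName  = 'DMZ-Site'        # assumed AD site for the DMZ segment
$PsnSubnet = '10.20.30.0/24'   # assumed subnet the local PSN lives in
$LocalDc   = 'DMZ-DC01'        # assumed hostname of the DC in that segment
$Domain    = 'example.internal'# assumed AD domain name

# Create the site if it does not already exist
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}

# Bind the PSN's subnet to that site; this is what makes the site-aware
# DC locator prefer the local DC for anything sourced from this subnet
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$PsnSubnet'")) {
    New-ADReplicationSubnet -Name $PsnSubnet -Site $SiteName
}

# Make sure the local DC is actually a member of the site
Move-ADDirectoryServer -Identity $LocalDc -Site $SiteName

# Verification: the subnet should map to the site, and the locator
# should hand back the local DC when asked for that site
Get-ADReplicationSubnet -Identity $PsnSubnet | Select-Object Name, Site
Get-ADDomainController -Filter "Site -eq '$SiteName'" | Select-Object HostName, Site
nltest /dsgetdc:$Domain /site:$SiteName
```

The value for the firewall design is the last two commands: the DC(s) returned for the site are the only AD peers the PSN in that subnet should normally reach, so the ACL between the PSN subnet and the rest of the network can be written around that set rather than opening a path to every DC. Rob's caveat still applies: if the site has no reachable DC, the locator falls back to another site, so the ACL should be tested against that failure mode rather than assumed.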


6 Replies


ajc
Level 7

I would say the answer is yes, but you still need to open the firewall for traffic between PSNs and Admin Nodes, for instance for authentication logs. In addition to that, NTP running on a Windows DC, for example, does not work well with ISE devices. Take this into consideration.

Thanks - As per the correct answer, location awareness via AD should give a predictable pattern to build an ACL on. For info's sake - the Microsoft registry hacks to turn a Windows server into an NTP server have worked pretty well for me.

Just to add to the discussion - you can also specify preferred DCs for each PSN using the AD connector Advanced Tuning tool. It is usually recommended to rely on AD sites though.

That's good to know - thanks

We have had issues with the ISE synchronizing NTP with the Win Domain Controller. Do you have any link so I can check the tweak you mentioned?
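Two replies above mention making a Windows DC serve NTP to the local ISE nodes. As an added example (not from the thread, not Cisco or Microsoft documentation), the PowerShell below shows the Windows Time service settings usually involved and the checks to run before pointing a PSN at the DC. The upstream time source is an assumed placeholder; the registry path and w32tm switches are standard Windows Time service ones.

```powershell
# Added example: make a Windows DC a usable NTP server for ISE nodes in its segment.
# The upstream source is an assumed placeholder; everything else is standard W32Time.
$Upstream = 'ntp.example.internal,0x8'   # assumed upstream NTP source; 0x8 = client mode

# Sync the DC's own clock from the upstream source and mark it as a reliable
# time source, so it does not advertise itself as unsynchronised
w32tm /config /manualpeerlist:"$Upstream" /syncfromflags:manual /reliable:yes /update

# Ensure the NtpServer provider is enabled so the DC answers NTP requests
# (on by default on DCs, off by default on member servers)
$NtpServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
Set-ItemProperty -Path $NtpServerKey -Name Enabled -Value 1 -Type DWord

Restart-Service w32time
w32tm /resync

# Verification before pointing the PSN at this DC:
# Source must not be "Local CMOS Clock" and stratum must be sane; a server
# that is only synced from its own CMOS clock is a common reason a
# Unix-style NTP client such as the one on ISE refuses to sync from it.
w32tm /query /status
w32tm /query /configuration
w32tm /stripchart /computer:localhost /samples:3
```

From the ISE side, check the node's NTP status after the change rather than assuming the DC is accepted; a DC that reports a valid upstream source and a low stratum in `w32tm /query /status` is the state to aim for before opening the NTP rule on the segment firewall.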
