Enable Port 8905 on non-Policy Service nodes for Posture services

rezaalikhani
Level 4

Hi all;

One of the less obvious options in the ISE Posture Assessment general settings is "Enable Port 8905 on non-Policy Service nodes for Posture services". I know that from ISE 3.1 onwards, port 8905 is disabled by default on non-PSNs and the PAN should not be listening on 8905 in a fully distributed deployment...

My question is, in which scenarios must I enable this option?

Thanks

6 Replies

Hi @rezaalikhani ,

prior to ISE 2.2, communication over port 8905 is a requirement for Posture ... ISE 2.2+ communication is over port 8443 !!!

Take a look at: Compare ISE Posture Redirection Flow to ISE Posture Redirectionless Flow.

Hope this helps !!!

Thanks for your reply. I know this, but my question is why enable this port on newer ISE versions?

Hi @rezaalikhani ,

in ISE 2.2+, the Posture process is divided into two stages.

The 1st stage contains a set of traditional Posture Discovery Probes to support backward compatibility with deployments that rely on the URL redirect.

The 2nd stage contains two Discovery Probes that allow the AC ISE Posture Module to establish a connection to the PSN where the session is authenticated, in environments where redirection is not supported. During stage two, all Probes are sequential.

Note 1: prior to ISE 2.2, communication over Port 8905 is a requirement for Posture.

Note 2: if you are not using the 1st stage, then you are going to use only the 2nd stage.


Hope this helps !!!

Thanks for your reply;

So, based on your statement, if we prefer to use URL redirection for Posture operation and are using ISE 2.1 for example, the use of TCP port 8905 is mandatory and this port must be in listening state on the ISE PSNs. Right?

Now the point I do not understand is this:

Why open this port on non-PSNs (in fully distributed deployments, actually)?

Thanks

Hi @rezaalikhani ,

yes, your understanding is correct about "... using ISE 2.1 for example, the use of TCP Port 8905 is mandatory ..." (more detail at: Compare ISE Posture Redirection Flow to ISE Posture Redirectionless Flow).

About your other question ... "Why open this Port on non-PSNs ?" ...

If you take a look at Cisco ISE Port References - ISE 3.3:

"... From Cisco ISE 3.1 onwards, port 8905 is disabled by default on non-Policy Service Nodes ..."


Hope this helps !!!
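A small audit that follows from the above, added here as an example (not Cisco code and not from any poster in this thread): given your own deployment's node personas and the ports observed listening on each node, it flags the two states the thread cares about, a PSN that is not listening on 8905 (the stage-1, pre-2.2 style discovery probes cannot reach it) and a non-PSN that is listening on 8905 while the "Enable Port 8905 on non-Policy Service nodes" setting is off (which contradicts the ISE 3.1+ default quoted above). The node names, persona labels and observed port sets are constructed sample data, and the `enable_8905_on_non_psn` flag simply mirrors the GUI setting as an assumption about how you would record it.

```python
"""Audit which ISE nodes expose TCP 8905 (posture discovery port).

Added example, not Cisco's code. It assumes you already hold an inventory of
node personas and a per-node list of listening ports gathered from your own
deployment (for example from an authorised scan or from the nodes themselves).
"""
import socket
from typing import Dict, List, Set

POSTURE_PORT = 8905

# Constructed sample: a fully distributed deployment (two PAN/MnT, two PSN).
SAMPLE_NODES: Dict[str, Set[str]] = {
    "ise-pan-1": {"PAN", "MNT"},
    "ise-pan-2": {"PAN", "MNT"},
    "ise-psn-1": {"PSN"},
    "ise-psn-2": {"PSN"},
}

# Constructed observation of listening TCP ports per node.
SAMPLE_OBSERVED: Dict[str, Set[int]] = {
    "ise-pan-1": {443, 8905},        # PAN unexpectedly listening on 8905
    "ise-pan-2": {443},
    "ise-psn-1": {443, 8443, 8905},
    "ise-psn-2": {443, 8443},        # PSN not listening on 8905
}


def audit_posture_port(
    nodes: Dict[str, Set[str]],
    observed: Dict[str, Set[int]],
    enable_8905_on_non_psn: bool = False,   # assumed mirror of the ISE GUI setting
) -> List[str]:
    """Return one finding per node whose 8905 state contradicts its persona
    and the 'Enable Port 8905 on non-Policy Service nodes' setting."""
    findings: List[str] = []
    for host, personas in sorted(nodes.items()):
        listening = POSTURE_PORT in observed.get(host, set())
        is_psn = "PSN" in personas
        if is_psn and not listening:
            findings.append(
                f"{host}: PSN not listening on {POSTURE_PORT}; "
                "stage-1 (legacy redirect) posture discovery cannot reach it"
            )
        elif not is_psn and listening and not enable_8905_on_non_psn:
            findings.append(
                f"{host}: non-PSN listening on {POSTURE_PORT} although the "
                "non-PSN 8905 setting is off (ISE 3.1+ default is disabled)"
            )
        elif not is_psn and not listening and enable_8905_on_non_psn:
            findings.append(
                f"{host}: non-PSN 8905 setting is on but {POSTURE_PORT} is "
                "not listening here"
            )
    return findings


def probe_port(host: str, port: int = POSTURE_PORT, timeout: float = 2.0) -> bool:
    """Live check (not used by the offline sample): True if a TCP connect to
    host:port succeeds within the timeout. Run it only against nodes you own."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for line in audit_posture_port(SAMPLE_NODES, SAMPLE_OBSERVED):
        print(line)
```

With the sample data and the setting off, the audit reports `ise-pan-1` (a PAN listening on 8905) and `ise-psn-2` (a PSN that is not); flip `enable_8905_on_non_psn` to `True` and `ise-pan-1` becomes expected while `ise-pan-2` is reported instead. To feed real data, replace `SAMPLE_OBSERVED` with the result of `probe_port` over your inventory.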

Hi @rezaalikhani ,

just adding one more thing about your 2nd question, and get ready to laugh : )

Please take a look at: PAN should be listening on port 8905?

Note: take a look at ISE - Slow Replication and search for 8905.

Best regards