enroll.cisco.com: how to use it?

dgaikwad
Level 5

Lately I have been going through posture configuration on my end and see the requirement to resolve enroll.cisco.com.
As per my understanding it means that it should be resolved by my DNS server, right?
But when I plainly ping enroll.cisco.com, I get this...

ping enroll.cisco.com (72.163.1.80): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4

My question is: what actually happens when AnyConnect sends a probe to enroll.cisco.com for posture?
Could anyone please explain this to me in detail?

Accepted Solution

Cristian Matei
VIP Alumni

Hi,

Making use of "enroll.cisco.com" is just one of the methods used by the Network Setup Assistant or by the AnyConnect Posture module to trigger the URL redirection from the NAD, so that the AnyConnect Agent, as well as the posture module/policy, can be downloaded. If you choose to make use of this method ("enroll.cisco.com"), then for the above to work the FQDN just needs to be resolvable; the IP it resolves to may not even exist.

Read this guide to better understand your options and where "enroll.cisco.com" kicks in.

Regards,

Cristian Matei.


5 Replies

Anurag Sharma
Cisco Employee

Hi @dgaikwad,

This URL is used just as a mechanism to trigger redirection.

The only thing you need to be concerned with is whether a PC which needs redirection can resolve this FQDN or not.

It's not pingable and does not respond in any other way.

Basically, this URL is hardcoded in AnyConnect such that AC would first resolve this FQDN and send a GET request. This, in turn, would trigger redirection. This would allow the client to get the portal page.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

I have been through that documentation before I started working on deploying the posture. But the question always bothered me: why would there be a probe sent to enroll.cisco.com?
The question just came up whether resolution of only that one site could be used for posture and redirection to work.

I added the IP address that enroll.cisco.com resolves to, which is 72.163.1.80, and then was able to download AnyConnect and run the posture just fine.

Hi,

"I have been through that documentation before I started working on deploying the posture. But the question always bothered me: why would there be a probe sent to enroll.cisco.com?" It goes through multiple steps to ensure it's gonna detect the policy server. If you look at the 4 probes, if there is no default gateway, no discovery host configured and no previously detected PSN (like in the case of a new device which connects over VPN), how would it succeed? So Cisco invented an HTTP probe in order to generate some HTTP traffic to make the redirection happen. Now think about it: if you were Cisco, what better FQDN would you like the probe to access than enroll.cisco.com? The domain had to be cisco.com to ensure it does not match the customer's actual domain name, and the host name was chosen to be "enroll", as in the end it's for enrolling a new device, but it could have been anything.

"The question just came up whether resolution of only that one site could be used for posture and redirection to work." Yes, as you've seen.

Regards,

Cristian Matei.
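An added example, not written by any poster in this thread, that mirrors the mechanism the replies above describe: the client only needs enroll.cisco.com to resolve, it then sends a plain HTTP GET, and a NAD with a redirect ACL answers that GET with a 302 to the ISE portal; an ICMP timeout is expected because the host need not exist. The checker below separates those three conditions (name resolution, a redirected answer, a non-redirected or absent answer) so an engineer can verify the redirect ACL from a client without reading packet captures. The sample HTTP responses are constructed, and the portal hostname ise-psn.example.com, the port 8443 and the URL path are assumptions, not values from this thread.

```python
"""Added example: classify an AnyConnect-style discovery probe to enroll.cisco.com.

Constructed sample responses stand in for a real NAD; the portal host, port
and path in SAMPLE_REDIRECT are assumptions, not values from the thread.
"""
import http.client
import re
import socket
from typing import Optional, Tuple

PROBE_FQDN = "enroll.cisco.com"  # hardcoded in AnyConnect, per the thread

# Constructed sample of the answer a redirecting NAD returns to the GET.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://ise-psn.example.com:8443/portal/gateway?sessionId=abc123\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample of a normal answer (no redirect ACL applied to the session).
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def fqdn_resolves(fqdn: str) -> bool:
    """The one hard requirement from the thread: the name must resolve.
    Whether the resulting IP answers anything is irrelevant."""
    try:
        socket.getaddrinfo(fqdn, 80, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:
        return False


def parse_http_status_and_location(raw: bytes) -> Tuple[int, Optional[str]]:
    """Return (status_code, Location header or None) from a raw HTTP/1.x response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP response")
    status = int(match.group(1))
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def classify_probe(raw: Optional[bytes]) -> str:
    """'redirect'    -> the NAD intercepted the GET and pointed us at a portal
    'no-redirect' -> a normal answer came back, so no redirect ACL matched
    'unreachable' -> nothing came back (the expected result when the IP is dead
                     and no NAD intercepts; the same thing the ping shows)"""
    if raw is None:
        return "unreachable"
    status, location = parse_http_status_and_location(raw)
    if status in (301, 302, 303, 307) and location:
        return "redirect"
    return "no-redirect"


def live_probe(fqdn: str = PROBE_FQDN, timeout: float = 3.0) -> Optional[bytes]:
    """Send the same kind of plain HTTP GET the posture module sends and return
    the status line plus headers as bytes, or None on timeout/connection failure.
    This is a network call; it is only used from the __main__ block below."""
    try:
        conn = http.client.HTTPConnection(fqdn, 80, timeout=timeout)
        conn.request("GET", "/", headers={"Host": fqdn})
        resp = conn.getresponse()
        head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        head += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return (head + "\r\n").encode("latin-1", errors="replace")
    except (OSError, http.client.HTTPException):
        return None


if __name__ == "__main__":
    print("resolves:        ", fqdn_resolves(PROBE_FQDN))
    print("sample redirect ->", classify_probe(SAMPLE_REDIRECT))
    print("sample plain    ->", classify_probe(SAMPLE_PLAIN))
    print("live probe      ->", classify_probe(live_probe()))
```

Run from a client on the network segment being onboarded: "redirect" means the NAD's redirect ACL caught the GET and the Location header tells you which PSN portal the client will be sent to; "unreachable" on a client that should be redirected points at the redirect ACL or the authorization profile rather than at DNS, provided fqdn_resolves reported True.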

 

 

Yes, now it is perfectly clear why that could be used.
Thanks for the explanation.