Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2926
Views
3
Helpful
3
Replies

ISE 1.1.1 firewall rules distributed deployment

Stephen McBride
Level 1
Level 1

‎12-02-2012 08:25 PM - edited ‎03-10-2019 07:51 PM

My question is in reference to the following link:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html

Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell

My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?

I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Philip Vilhelmsson
Level 1
Level 1

‎12-04-2012 01:18 AM

I am having the same questions. So far I have opend SNMP from ISE to NAD and then all the probe trafic (DNS, DHCP...) from NAD to ISE. And I seem to be able to profile devices correctly.

0 Helpful

bikespace
Level 1
Level 1

‎12-05-2012 05:41 PM

Try this for size.

In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.

You might be able to cut this list down, and you might have to add to it for any specific requirements.

From PSN to AD (potentially all AD nodes):

TCP 389, 3268, 445, 88, 464

UDP 389, 3268

From PSN to Monitoring nodes:

TCP 443

UDP 20514

PSN to Admin Nodes (2Way):

TCP 443, 1521

ICMP echo and reply (heartbeat)

WLC to PSN:

TCP 443, 8443, 80, 8080

UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67

PSN to other PSN’s (2 way)

UDP 30514, 45588, 45990

Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)

TCP 8443, 8905

UDP 8905

Admin/Sponsor to all ISE nodes:

TCP 22, 80, 443, 8080, 8443

UDP 161

PSN access to DNS servers:

TCP/UDP 53

PSN access to NTP servers:

UDP 123

Tarik Admani
VIP Alumni
VIP Alumni
In response to bikespace

‎12-05-2012 10:18 PM

You could also issue a show ports | inc ip from cli to see the ports that are successfully connected between each node. Also if you are deploying an inline node you will have to add 8443 to bikespace reference

PSN to Admin Nodes (2Way):

TCP 443, 1521, 8443

ICMP echo and reply (heartbeat)

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents