ISE 2.3 Anyconnect VPN ISE Posture issue

Gagandeep Singh · ‎04-03-2019

Hi Team,

I have a question regarding opening up the clients to Microsoft updates. Before the clients are compliant they are only allowed access to the ISE server and dns/dhcp servers. Does that mean I have to modify the redirect ACL in the ASA to allow the Microsoft update servers or DACL from ISE? Also, Microsoft only provides FQDNs for the update servers. They do not provide any IP addresses and they also use wildcards. How can this be implemented in the ACLor DACL? Please advice.

Any help would be appreciated.

Regards

Gagan

Timothy Abbott · ‎04-03-2019

Depending on the version of ASA code you are using, you could probably use the below guide and then have ISE reference the ACL while the endpoint is in remediation.

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

Regards,
-Tim

Rob Ingram · ‎04-03-2019

Hi, I believe you can only check for Microsoft Updates from an internally hosted WSUS or SCCM server.

https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/119214-configure-ise-00.html

HTH