08-22-2022 03:21 PM
Hello,
I recently enabled web proxy on my ISE 3.0 patch 5 deployment to allow ISE to access the internet Profiler Feed.
I already had configured ISE to download the CRL from my Issuing CAs - and I noticed that the CRL downloads (which use http) started failing after I enabled the proxy feature. I thought that by putting a *.company.com in the Bypass List, ISE would not attempt to use the Proxy for the internal http stuff. But I was wrong. Wildcards are apparently supported, but they don't work as advertised. I had to fix the CRL download issue by adding the FQDN of the CA web server (e.g. myca.company.com) - voilà! Fixed.
Anyone know how to make wildcard support work as documented?
08-24-2022 07:21 PM
This is a known limitation -- CSCuu66261: Proxy-bypass for CRL Retrieval Not Working with Wildcard domain list
08-25-2022 02:28 AM
Thanks @hslai - it seems it's been a "known limitation" forever. Why doesn't Cisco just fix it? These kinds of bugs are almost inexcusable in my opinion. Such basic stuff. Proxy is not a new feature, and it's not exactly rocket science either. The impact of enabling Proxy in ISE breaks things that used to work - causes issues in customer networks. I get the feeling not many customers use proxy (probably because it's always been buggy). So excuse me if I am venting instead of turning a blind eye and looking for my own workarounds.