
ISE 3.0 Bypass Proxy Wildcard support does not work

Arne Bier
VIP

Hello,

I recently enabled web proxy on my ISE 3.0 patch 5 deployment to allow ISE to access the internet Profiler Feed.

I already had configured ISE to download the CRL from my Issuing CAs - and I noticed that the CRL downloads (which use http) started failing after I enabled the proxy feature. I thought that by putting a *.company.com in the Bypass List, ISE would not attempt to use the Proxy for the internal http stuff. But I was wrong. Wildcards are apparently supported, but they don't work as advertised. I had to fix the CRL download issue by adding the FQDN of the CA web server (e.g. myca.company.com) - voilà! Fixed.

Anyone know how to make wildcard support work as documented?

 

2 Replies

hslai
Cisco Employee

This is a known limitation -- CSCuu66261: Proxy-bypass for CRL Retrieval Not Working with Wildcard domain list

Thanks @hslai - it seems it's been a "known limitation" forever. Why doesn't Cisco just fix it? These kinds of bugs are almost inexcusable in my opinion. Such basic stuff. Proxy is not a new feature, and it's not exactly rocket science either. The impact of enabling Proxy in ISE breaks things that used to work - causes issues in customer networks. I get the feeling not many customers use proxy (probably because it's always been buggy). So excuse me if I am venting instead of turning a blind eye and looking for my own workarounds.