ISE 3.0 Bypass Proxy Wildcard support does not work

Arne Bier · ‎08-22-2022

Hello,

I recently enabled web proxy on my ISE 3.0 patch 5 deployment to allow ISE to access the internet Profiler Feed.

I already had configured ISE to download the CRL from my Issuing CAs - and I noticed that the CRL downloads (which use http) started failing after I enabled the proxy feature. I thought that by putting a *.company.com in the Bypass List, ISE would not attempt to use the Proxy for the internal http stuff. But I was wrong. Wildcards are apparently supported, but they don't work as advertised. I had to fix the CRL download issue by adding the FQDN of the CA web server (e.g. myca.company.com) - viola! Fixed.

Anyone know how to make wildcard support work as documented?

hslai · ‎08-24-2022

This is a known limitation -- CSCuu66261: Proxy-bypass for CRL Retrieval Not Working with Wildcard domain list

Arne Bier · ‎08-25-2022

thanks @hslai - it seems it's been a "known limitation" forever. Why doesn't Cisco just fix it? These kind of bugs are almost inexcusable in my opinion. Such basic stuff. Proxy is not a new feature, and it's not exactly rocket science either. The impact of enabling Proxy in ISE breaks things that used to work - causes issues in customer networks. I get the feeling not many customers use proxy (probably because it's always been buggy). So excuse me if I am venting instead of turning a blind eye and looking for my own workarounds.