Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1454
Views
0
Helpful
6
Replies

ISE Deployment Change..

Go to solution
Mohammed Makki Ali
Level 1
Level 1

‎05-12-2014 01:50 AM - edited ‎03-10-2019 09:42 PM

Hello..

 

We have 2x3355 ISE appliances and we already deployed them in standalone mode (redundant deployment which support up to 2000 endpoints), After a while the customer ask us to add another PSN using external server with VM version of ISE,  he said that 2000 endpoints is not enough for him and he wants to increase the number of endpoints by adding extra PSN.

 

What I understand is with the current setup (standalone) I cannot add extra PSN unless I re-dpoly the whole thing in distributed mode (which will cause reconfiguring the two appliances and disconnect all ISE services), is this correct? If so Is there any way or guide line  to safely migrate from stand alone to distribution without down time..

 

Thx

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎05-20-2014 12:17 PM

Once you convert from Standalone to Distributed Mode, the ISE services MUST restart.  There is no getting around this.  This generally does not take more than 15 minutes, depending on your environment.  Once that is done, you can add PSNs to the deployment without an interruption in service.  Just do not remove the Policy Service role from the Admin Node until your PSN is up.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Mohammed Makki Ali
Level 1
Level 1

‎05-14-2014 01:04 AM

Any suggestion guys..

0 Helpful

Go to solution
Mohammed Makki Ali
Level 1
Level 1
In response to Mohammed Makki Ali

‎05-20-2014 05:06 AM

Any help on this....

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎05-20-2014 12:17 PM

Once you convert from Standalone to Distributed Mode, the ISE services MUST restart.  There is no getting around this.  This generally does not take more than 15 minutes, depending on your environment.  Once that is done, you can add PSNs to the deployment without an interruption in service.  Just do not remove the Policy Service role from the Admin Node until your PSN is up.

0 Helpful

Go to solution
Mohammed Makki Ali
Level 1
Level 1
In response to Charlie Moreton

‎05-20-2014 12:29 PM

Thank you so much Charles..

One more question, After converting to Distribution mode, then add the new external PSN, can I remove the old PSN on the 3355 appliance???

Thx

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to Mohammed Makki Ali

‎05-20-2014 12:44 PM

You can take it off, but it will restart the ISE services on that node.  If this is your Admin Node, then you ISE will have the chance of being down.  The PSN should authenticate users and re-sync with the Admin Node once it comes back up.

0 Helpful

Go to solution
Mohammed Makki Ali
Level 1
Level 1
In response to Charlie Moreton

‎05-20-2014 01:08 PM

Thank you for your answers Charles.. they are very helpful.. yes

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents