02-27-2019 01:38 PM - edited 02-27-2019 01:55 PM
Good afternoon everyone,
We are in the midst of deploying a new ISE instance for a SP customer. The scope of the project was to allow the customer's Contractors and Vendors to have a separate Remote Access solution in order to enforce Security requirements via device posturing.
It appears that for the last week we have hit a roadblock where we have a Posture policy defined to ensure that all Windows Critical patches are installed via the Windows Update module and, if not compliant, to display a message and not to remediate. There are no internal WSUS servers available to the endpoints; we are depending on the client to download updates directly from the Windows Public Catalog.
During all our testing, the client fails the posture check for Patch Management intermittently even though the Windows machines are totally up to date and with no patches pending.
Question: Is this type of use case supported? Are there any specific requirements that need to be met for this use case to work?
03-05-2019 02:22 PM
Yes, but it is a bit twisted; I've experienced the same issue!
The key point is that the device being postured needs to have access to the public Microsoft update server during the posture!!
We managed to get it working by using dynamic split-tunneling to exclude the traffic to Microsoft from the VPN (since there is no public list of IP addresses for the MS server, you need to rely on the FQDN).
03-05-2019 10:35 AM
The AnyConnect posture module relies on a 3rd party agent (such as the SUS agent) to confirm that it is up-to-date. To do so, the 3rd party agent needs to have access to the remediation server to check its status. The remediation server may be internal or on the Internet and should be allowed during the posture redirect phase. I suggest reviewing the redirect ACL to make sure it is allowing access to possible remediation resources.
03-13-2019 06:32 PM
Thanks for the response. In the end this was the same conclusion we came to, but the security policies at the organization do not permit split tunnels. With the ISE redirect in a posture unknown state, all http and https traffic is redirected. We tried using the ASA FQDN ACL to exclude some of the Microsoft servers, but depending on the client location the Microsoft server name resolution changed and hence this worked intermittently. We ultimately abandoned the requirement, but I do appreciate your time to respond as this is exactly the resolution to this problem.
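The redirect-ACL behaviour discussed in the two replies above, as an added Python example that is not from this thread or from Cisco: it models a redirect ACL that exempts the addresses the ASA resolved for an update host (hypothetical placeholder FQDNs and constructed addresses) and lists which of the client's own resolutions would still be caught by the catch-all web redirect, which is the intermittent failure described here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Dict, Tuple

@dataclass
class AclEntry:
    # Usual Cisco redirect-ACL convention (assumed here): "permit" = traffic is
    # redirected to the posture portal, "deny" = traffic passes through untouched.
    action: str
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None matches any destination port

def first_match(acl: List[AclEntry], dst_ip: str, dport: int) -> str:
    """First-match evaluation; the implicit deny at the end means 'not redirected'."""
    ip = ipaddress.ip_address(dst_ip)
    for e in acl:
        if ip in e.dst and (e.port is None or e.port == dport):
            return e.action
    return "deny"

def build_redirect_acl(exempt_ips: List[str]) -> List[AclEntry]:
    """Hypothetical ACL: exempt the resolved update-server addresses, then redirect all web traffic."""
    acl = [AclEntry("deny", ipaddress.ip_network(f"{ip}/32"), None) for ip in exempt_ips]
    acl.append(AclEntry("permit", ipaddress.ip_network("0.0.0.0/0"), 80))
    acl.append(AclEntry("permit", ipaddress.ip_network("0.0.0.0/0"), 443))
    return acl

def redirected_flows(acl: List[AclEntry], client_resolution: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(fqdn, ip) pairs the client resolves to that the ACL would still redirect on HTTPS."""
    return sorted((fqdn, ip) for fqdn, ips in client_resolution.items()
                  for ip in ips if first_match(acl, ip, 443) == "permit")

# Constructed data: what the ASA's DNS lookup cached versus what the client resolved
# from its own location (documentation-range addresses, placeholder names).
ASA_RESOLVED = {"update.example": ["198.51.100.10"]}
CLIENT_RESOLVED = {"update.example": ["198.51.100.10", "203.0.113.25"],
                   "dl.example": ["203.0.113.40"]}

def check_exemptions() -> List[Tuple[str, str]]:
    exempt = [ip for ips in ASA_RESOLVED.values() for ip in ips]
    return redirected_flows(build_redirect_acl(exempt), CLIENT_RESOLVED)

if __name__ == "__main__":
    for fqdn, ip in check_exemptions():
        print(f"still redirected: {fqdn} -> {ip}")
```

Every pair the function returns is a Windows Update fetch that would land on the posture portal instead, so an empty result is what the exemption list must achieve for every client location.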
11-26-2019 07:43 AM
Hi
This post has helped us with a problem. The customer tried to use the Posture module to check critical updates on Windows computers without internet access.
After enabling internet access, the posture check works.
Is there any official document that explains the internet or remediation server requirement?
07-29-2020 01:07 PM
Hi, I asked to do the same implementation; could you tell me if you use patch management posture rules? What version of ISE did you use?
Thanks