ISE Posture Portal

Steven Williams (Level 4)

If I need to get a third-party cert for my posture portal, how can I change the URL of the portal? Currently it redirects to the servername followed by my internal domain name. Is it possible to tie this to an external domain name?


hslai (Cisco Employee)

Assuming you meant ISE client provisioning portals, recent ISE releases (e.g. ISE 2.2) allow us to set an FQDN at Portal Settings and Customization > Portal Behavior and Flow Settings > Portal Settings > Fully qualified domain name (FQDN).

Another way is to enable and set a value for "Static IP/Host name/FQDN" in the authorization profile.

[Screenshot attached: Screen Shot 2019-05-14 at 9.28.34 AM.png]

I am on 2.2.

Ok I see on Portal Settings, so if my ISE server is "ProdISE01.domain.local" I create an alias called "Portal.domain.local" and cut the cert to domain.local? Actually I should probably use my external DNS name domain.com, correct?

You got it right!
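The alias-plus-certificate step above is where portal redirects most often break: the FQDN that ISE redirects clients to must be covered by the certificate bound to the portal, and a literal IP target is only covered by an iPAddress SAN. The following check is an added example written for this thread; it is not Cisco code and does not talk to ISE. The SAN lists and host names are constructed to mirror the scenario in the question (node prodise01.domain.local, portal published as portal.domain.com), and the wildcard rules follow RFC 6125.

```python
"""Check whether a server certificate's SubjectAltName entries cover the
portal target (FQDN or literal IP) that ISE will redirect clients to.
Added example with constructed SAN lists; it does not query ISE or a CA."""
import ipaddress


def _normalise(name):
    # Hostnames compare case-insensitively and a trailing dot is not significant.
    return name.rstrip(".").lower()


def dns_name_matches(hostname, san_dns_name):
    """True if a single dNSName SAN entry matches hostname (RFC 6125 rules)."""
    host_labels = _normalise(hostname).split(".")
    pat_labels = _normalise(san_dns_name).split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if "*" in san_dns_name:
        # A wildcard is only honoured as the entire leftmost label, and the
        # pattern must have at least two labels after it (no '*.com').
        if pat_labels[0] != "*" or len(pat_labels) < 3:
            return False
        if any("*" in label for label in pat_labels[1:]):
            return False
        return pat_labels[1:] == host_labels[1:]
    return pat_labels == host_labels


def portal_target_covered(target, san_dns_names, san_ip_addresses=()):
    """Decide whether one redirect target is covered by the certificate's SANs.

    ISE can redirect to an FQDN or a static IP; a literal IP is only covered
    by an iPAddress SAN entry, never by a dNSName entry.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in san_ip_addresses)
    return any(dns_name_matches(target, n) for n in san_dns_names)


def portal_cert_report(portal_targets, san_dns_names, san_ip_addresses=()):
    """Map every redirect target you intend to use to a covered / not-covered verdict."""
    return {t: portal_target_covered(t, san_dns_names, san_ip_addresses)
            for t in portal_targets}


# Constructed scenario from the thread: the node certificate only names the
# internal host, the replacement external certificate adds the portal alias.
INTERNAL_ONLY_SANS = ["prodise01.domain.local"]
EXTERNAL_CERT_SANS = ["prodise01.domain.local", "portal.domain.com"]
WILDCARD_CERT_SANS = ["*.domain.com"]
PORTAL_TARGETS = ["prodise01.domain.local", "portal.domain.com"]

if __name__ == "__main__":
    for label, sans in [("internal-only cert", INTERNAL_ONLY_SANS),
                        ("external cert", EXTERNAL_CERT_SANS)]:
        print(label, portal_cert_report(PORTAL_TARGETS, sans))
```

Run it before cutting the CSR: if the FQDN you set in Portal Settings (or the static host name in the authorization profile) is not covered, clients will get a certificate warning or a hard failure at the redirect rather than a clean posture flow.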

Why do we even need the client provisioning portal? When I launch my anyconnect on a fresh PC it automatically downloads the posture profile and starts scanning. So is there even a need to portal?

The ISE Posture service needs such a portal. For instance, it uses the ISE server certificate defined in this portal during posture assessment if the Call Home list is defined with either {FQDN|IP}:{CP-Portal-Port-Number}. It is also used with NAD URL redirects.

Just a point of clarification here because this is one of the frequently misunderstood parts of posturing.  You need the client provisioning portal to control settings on the posture module, but if you aren't using the client provisioning portal to install AnyConnect or the posture module (and you shouldn't in my opinion) there is no reason your client should EVER see the client provisioning portal.  If they are seeing the client provisioning portal it means your redirect ACL is wrong.  The only traffic you need to redirect is the discovery traffic which is port 80 to the default gateway IP and port 80 to enroll.cisco.com (72.163.1.80).

A few questions:

1. If not using the client provisioning portal to deploy I assume there is the use of the ASA to deploy the agent or Group policy?

My unknown posture status dACL looks like this:

permit udp any eq bootpc any eq bootps
permit udp any any eq 53
permit tcp any host 10.20.0.85 eq 8443
permit tcp any host 10.81.3.25 eq 8443
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any any

Is this not correct?

You usually use SCCM or other software delivery tools.

permit tcp any 10.0.0.1 0.255.255.0 eq 80
permit tcp any host (enroll.cisco.com IP) eq 80
deny ip any any

That is our standard redirect. This assumes your network is 10.x.x.x and your DGs are .1.
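The two ACLs in this thread do different jobs: the dACL pasted earlier filters what an unknown-posture endpoint may reach, while the redirect ACL in the last reply selects which flows the switch or WLC sends to the portal, where a permit entry means "redirect this". The following matcher is an added example written for this thread, not Cisco code or anything the posters ran. It parses IOS-style ACEs with wildcard masks and evaluates them against a handful of constructed flows, showing that the discovery-only redirect ACL catches just the gateway and enroll.cisco.com HTTP flows, whereas a broad permit on 80/443 used as a redirect ACL would send every web flow to the portal, which is the symptom described above. The client, gateway and web-server addresses are constructed; 72.163.1.80 is the enroll.cisco.com address quoted in the thread.

```python
"""Evaluate IOS-style ACL entries against sample flows to see which ones a
redirect ACL would send to the ISE portal. Added example with constructed
flows; it does not push anything to a NAD."""
from dataclasses import dataclass
import ipaddress

# Port keywords that appear in the ACLs posted in the thread.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return ((network, wildcard), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, None) if name in PORT_NAMES else int(name), i + 2
    return None, i


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p>' into a dict."""
    tokens = line.split()
    action, proto = tokens[0].lower(), tokens[1].lower()
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _addr_matches(spec, ip):
    # Wildcard semantics: bits set in the wildcard are "don't care".
    net, wildcard = spec
    return (int(ipaddress.IPv4Address(ip)) | wildcard) == (net | wildcard)


def ace_matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow.proto:
        return False
    if not _addr_matches(ace["src"], flow.src) or not _addr_matches(ace["dst"], flow.dst):
        return False
    if ace["sport"] is not None and ace["sport"] != flow.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != flow.dport:
        return False
    return True


def acl_decision(acl_lines, flow):
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"]
    return "deny"


def redirected_flows(acl_lines, flows):
    """For a redirect ACL, a 'permit' match means the flow is sent to the portal."""
    return [f for f in flows if acl_decision(acl_lines, f) == "permit"]


# The dACL from the thread (intended as a filter, not a redirect ACL).
UNKNOWN_POSTURE_DACL = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq 53",
    "permit tcp any host 10.20.0.85 eq 8443",
    "permit tcp any host 10.81.3.25 eq 8443",
    "permit tcp any any eq 80",
    "permit tcp any any eq 443",
    "deny ip any any",
]

# The discovery-only redirect ACL from the last reply, with the enroll.cisco.com
# address the thread quotes filled in.
DISCOVERY_REDIRECT_ACL = [
    "permit tcp any 10.0.0.1 0.255.255.0 eq 80",
    "permit tcp any host 72.163.1.80 eq 80",
    "deny ip any any",
]

# Constructed flows from a client at 10.20.30.45 behind a .1 gateway.
DG_HTTP = Flow("tcp", "10.20.30.45", 51000, "10.20.30.1", 80)
ENROLL_HTTP = Flow("tcp", "10.20.30.45", 51001, "72.163.1.80", 80)
WEB_HTTPS = Flow("tcp", "10.20.30.45", 51002, "203.0.113.10", 443)
DNS_QUERY = Flow("udp", "10.20.30.45", 51003, "10.20.0.10", 53)
SAMPLE_FLOWS = [DG_HTTP, ENROLL_HTTP, WEB_HTTPS, DNS_QUERY]

if __name__ == "__main__":
    print("discovery-only ACL redirects:", redirected_flows(DISCOVERY_REDIRECT_ACL, SAMPLE_FLOWS))
    print("broad dACL as redirect ACL:", redirected_flows(UNKNOWN_POSTURE_DACL, SAMPLE_FLOWS))
```

Swap in your own gateway wildcard and the resolved enroll.cisco.com address, and feed it the flows a user reported being redirected on; if anything other than the two discovery flows comes back as "permit", the redirect ACL is wider than it should be.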