ISE Posture.xml

khalid_mahmood
Level 4

We have 2 datacenter sites, a primary and a backup. The profile.xml file needs a DiscoveryHost defined, which we've set to Policy Node 1 in DC1. The server rules in the profile are set to "*" as a wildcard. The question is: if DC1 fails, how will posture work with DC2, and how will it find the Policy Nodes in DC2?

Using AnyConnect v4.4.243 on Windows 10

ISE v2.1 patch 3

ISE Compliance module 4.2.508

Thanks Khalid

Accepted Solution

Craig Hyps
Level 10

Discovery Host should NOT point to PSN. It should point to an IP reachable network that is behind a URL redirection point and which is not permitted by NAD policy. The PSN should return the redirect URL to point to itself. Typically the dACL will allow access to each PSN. Therefore, you will NEVER be redirected to PSN and discovery will fail. In releases prior to ISE 2.2 (with AC 4.4), ISE requires that Posture traffic reaches PSN via redirection, not direct connection. The exception is ConnectionData.xml, but this file is reserved for tracking prior connected headends.

Craig

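A small check that encodes the two conditions from the accepted answer: the DiscoveryHost must NOT be permitted by the pre-compliance dACL (so the NAD's redirect ACL intercepts the probe and whichever PSN handled the session returns its own URL), while every PSN in every data center MUST be permitted (so the redirected client can reach it). This is an added example, not code from Craig, Cisco or the ISE product; the PSN addresses, the discovery address and the dACL contents are constructed, and the evaluator only models `permit|deny ip any <dest>` and `remark` lines, not protocol- or port-specific entries.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                   # "permit" or "deny"
    dest: ipaddress.IPv4Network   # destination match; a dACL source is always "any"


def parse_dacl(text: str) -> list[AclEntry]:
    """Parse the supported dACL subset ('permit|deny ip any <dest>') in order."""
    entries: list[AclEntry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "remark":
            continue
        if (len(parts) < 4 or parts[0] not in ("permit", "deny")
                or parts[1] != "ip" or parts[2] != "any"):
            raise ValueError(f"unsupported dACL line: {raw.strip()}")
        dest = parts[3:]
        if dest[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif dest[0] == "host":
            net = ipaddress.IPv4Network(f"{dest[1]}/32")
        else:
            # "<network> <wildcard>": a Cisco wildcard is the inverse of the netmask,
            # so invert it explicitly rather than relying on hostmask guessing.
            wildcard = int(ipaddress.IPv4Address(dest[1]))
            netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
            net = ipaddress.IPv4Network((dest[0], str(netmask)), strict=False)
        entries.append(AclEntry(parts[0], net))
    return entries


def dacl_permits(entries: list[AclEntry], address: str) -> bool:
    """First matching entry wins; the ACL ends with an implicit deny."""
    ip = ipaddress.IPv4Address(address)
    for entry in entries:
        if ip in entry.dest:
            return entry.action == "permit"
    return False


def check_posture_design(dacl_text: str, discovery_host: str,
                         psns_by_site: dict[str, list[str]]) -> list[str]:
    """Return findings; an empty list means the design matches the guidance above."""
    entries = parse_dacl(dacl_text)
    findings = []
    if dacl_permits(entries, discovery_host):
        findings.append(f"DiscoveryHost {discovery_host} is permitted by the dACL: "
                        "the probe is never redirected, so discovery fails")
    for site, psns in psns_by_site.items():
        for psn in psns:
            if not dacl_permits(entries, psn):
                findings.append(f"PSN {psn} ({site}) is not permitted: clients "
                                "redirected to it cannot reach it")
    return findings


# Constructed sample: one PSN per data center (addresses are made up), and a
# pre-compliance dACL that permits only the PSNs.
DC_PSNS = {"DC1": ["10.1.1.10"], "DC2": ["10.2.1.10"]}
POSTURE_DACL = """
remark posture pre-compliance dACL (constructed example)
permit ip any host 10.1.1.10
permit ip any host 10.2.1.10
deny ip any any
"""

if __name__ == "__main__":
    # Pointing DiscoveryHost at the DC1 PSN, as in the question, is flagged ...
    for finding in check_posture_design(POSTURE_DACL, "10.1.1.10", DC_PSNS):
        print("FINDING:", finding)
    # ... while a non-permitted address behind the redirect ACL passes cleanly.
    print(check_posture_design(POSTURE_DACL, "10.1.1.250", DC_PSNS))
```

Run it against your own dACL text and PSN list per site; the DC2 check is the part that answers the failover question, since a DiscoveryHost that is merely a redirect trigger works the same whichever data center's PSN picks up the session.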
2 Replies

Craig, thanks for prompt response, good to know it's not down to a PSN. The documentation that explains this is not quite as clear as your response.