Smart Licensing is cool and we're busy converting all of our traditional licenses to Smart. We're also using Smart on Cisco Prime.
The challenge I am having is that in my environment, all internet traffic needs to go via an internal Proxy. The preferred scenario is that the proxy is authenticated (username/password). ISE supports this because I can configure a proxy with user credentials. I have tested this and I was able to use it for my SMS gateway feature which lives on the internet.
But the proxy doesn't work with Smart Licensing. I have taken countless tcpdumps and eventually logged a TAC case. There is a bug CSCvd93008 related to this.
As a workaround my customer said that they would whitelist the ISE PAN(s) to allow unauthenticated access through the proxy. But when we tried to allow tools.cisco.com the Smart Licensing didn't work.
Question: What is the FULL URL that ISE tries to access when talking to Cisco for Smart Licensing?
I don't know http and https that well, but I think a client will build a TLS connection to tools.cisco.com first, and only once the TLS tunnel is established it will try to POST/GET/whatever to the final URL. And if that's the case, we cannot see that in a tcpdump because the session is encrypted. Maybe that's why the URL filter won't work.
So what then should the proxy whitelisting URL contain? Is it even possible, or can one only whitelist the FQDN?