ISE Smart Licensing via http proxy - deeper dive

Arne Bier
VIP

Hi

Smart Licensing is cool and we're busy converting all of our traditional licenses to Smart.  We're also using Smart on Cisco Prime.

The challenge I am having is that in my environment, all internet traffic needs to go via an internal Proxy.  The preferred scenario is that the proxy is authenticated (username/password). ISE supports this because I can configure a proxy with user credentials. I have tested this and I was able to use it for my SMS gateway feature which lives on the internet.

But the proxy doesn't work with Smart Licensing.  I have taken countless tcpdumps and eventually logged a TAC case.  There is a bug CSCvd93008 related to this.

As a workaround my customer said that they would whitelist the ISE PAN(s) to allow unauthenticated access through the proxy.  But when we tried to allow tools.cisco.com the Smart Licensing didn't work.

Question:  What is the FULL URL that ISE tries to access when talking to Cisco for Smart Licensing?

I don't know http and https that well, but I think a client will build a TLS connection to tools.cisco.com first, and only once the TLS tunnel is established it will try to POST/GET/whatever to the final URL. And if that's the case, we cannot see that in a tcpdump because the session is encrypted.  Maybe that's why the URL filter won't work.

So what then should the proxy whitelisting URL contain?  Is it even possible, or can one only whitelist the FQDN?

#life_is_easy_without_proxies_getting_in_the_way
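What an explicit forward proxy can actually match on, as an added example that is not part of the original post or of any Cisco code: for HTTPS the client opens the tunnel with `CONNECT host:port`, so a proxy that does not intercept TLS sees only the FQDN and port, never the path. The host `tools.cisco.com` comes from the post; the `/placeholder/` path and the function names are constructed for illustration, and no TLS inspection at the proxy is assumed.

```python
from urllib.parse import urlsplit

# FQDN taken from the post; everything else below is a constructed sample.
ALLOWED_HOSTS = {"tools.cisco.com"}


def visible_to_proxy(request_line: str) -> dict:
    """Parse the first request line a client sends to an explicit HTTP proxy
    and return the fields the proxy can base an allowlist decision on."""
    method, target, _version = request_line.strip().split(" ", 2)
    method = method.upper()
    if method == "CONNECT":
        # HTTPS through a proxy: the target is authority-form "host:port".
        # The real URL travels later, inside the encrypted tunnel.
        host, _, port = target.rpartition(":")
        return {"method": method, "host": host.lower(),
                "port": int(port), "path": None}
    # Plain HTTP through a proxy: the target is an absolute URL, path included.
    parts = urlsplit(target)
    return {"method": method, "host": (parts.hostname or "").lower(),
            "port": parts.port or 80, "path": parts.path or "/"}


def allow(request_line: str, allowed_hosts=ALLOWED_HOSTS, path_prefix=None) -> bool:
    """Allowlist decision. A path rule can only match when a path is visible,
    so it never matches a CONNECT request."""
    seen = visible_to_proxy(request_line)
    if seen["host"] not in allowed_hosts:
        return False
    if path_prefix is None:
        return True  # FQDN-only rule
    return seen["path"] is not None and seen["path"].startswith(path_prefix)


if __name__ == "__main__":
    samples = [  # constructed request lines
        "CONNECT tools.cisco.com:443 HTTP/1.1",
        "GET http://tools.cisco.com/placeholder/status HTTP/1.1",
        "CONNECT example.invalid:443 HTTP/1.1",
    ]
    for line in samples:
        print(line)
        print("  proxy sees:     ", visible_to_proxy(line))
        print("  FQDN-only rule: ", allow(line))
        print("  with path rule: ", allow(line, path_prefix="/placeholder/"))
```
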

Accepted Solution

hslai
Cisco Employee

I see your TAC case is making progress and you already have the correct URL for the Smart Licensing site. Please continue working with TAC. I will write to TAC with my comments.

3 Replies

kthiruve
Cisco Employee

Arne,

Not sure what version of ISE this is. Couple of things, I think the URL is hardcoded and since it is https, you cannot see it via Wireshark captures. I have reached out to Engineering on the defect. Will update you more once I find out.

Thanks

Krishnan

Arne Bier
VIP

Hi, this is ISE 2.3 patch 1.
