Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2595
Views
10
Helpful
5
Replies

ISE Sponsor portal with load-balancer URL

Go to solution
MP_Linc
Level 1
Level 1

‎01-15-2019 06:44 AM

I have two ISE nodes running in Primary and Secondary mode, I have a sponsor portal established with a defined dns string internally for employees to reach, however we have a load-balancer(LB) managing the sponsor portals respectively.  When clients attempt to reach our sponsor portal they get caught by the LB which then presents a certificate error and won't redirect the client to the ISE nodes seamlessly.  On the ISE servers for the same portal we have valid external certs to prevent a cert error page from appearing.  Has anyone run a setup like this before?  I'll condense all the information I have below for ease of reading.  Also does the secondary even take any requests for sponsor logins?  Or is the primary the work horse?  I don't expect the portal to be heavily used but I could be wrong.

 

I have the FQDN field filled out with my dns entry in ISE for the sponsor portal URL.

 

The LB has the same FQDN defined for where to redirect.

 

Our internal DNS is pointing to our internal IP with the correct DNS entry.  Known because this works without the LB being active.

 

The actual URL for ISE has a long string after the DNS name .com:8888/sponsorportal/...

Should the full ISE URL be used on the LB or just the shortened FQDN?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎01-15-2019 07:22 AM

Hi,

 

If you haven't already done so, please take a look at BRKSEC-3699 which has a large section on PSN load balancing that also covers load balancing web services.

 

Regards,

-Tim

View solution in original post

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Timothy Abbott

‎01-15-2019 08:42 AM

For two nodes I wouldn't even bother load balancing the sponsor portal.  Create two A records in your DNS for the sponsor portal FQDN and put in the IPs of each of your ISE nodes.  Both ISE nodes can serve up the sponsor portal.  There is no concept of primary/secondary.

View solution in original post

5 Replies 5

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎01-15-2019 07:22 AM

Hi,

 

If you haven't already done so, please take a look at BRKSEC-3699 which has a large section on PSN load balancing that also covers load balancing web services.

 

Regards,

-Tim

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Timothy Abbott

‎01-15-2019 08:42 AM

For two nodes I wouldn't even bother load balancing the sponsor portal.  Create two A records in your DNS for the sponsor portal FQDN and put in the IPs of each of your ISE nodes.  Both ISE nodes can serve up the sponsor portal.  There is no concept of primary/secondary.

Go to solution
MP_Linc
Level 1
Level 1
In response to paul

‎01-15-2019 11:03 AM

I wish I could have done it that way but the powers above me wanted it behind the LB adding the cert to the LB alleviated my original issue. I do appreciate you answering the question about how the ISE nodes respond to requests for the portal.
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to MP_Linc

‎01-15-2019 01:34 PM

What brand load balancer are you using? It sounds like you're doing ssl decryption when you should be able to just sticky/persist the session traffic and let ise handle it. 

 

 

 

 

0 Helpful

Go to solution
MP_Linc
Level 1
Level 1
In response to Damien Miller

‎01-16-2019 04:06 AM

Its a Citrix Netscaler, but the issue for the page not appearing appropriately was resolved by placing the cert on the LB. I sadly only manage ISE and the network equipment so I usually work with another team for server related tasks.
0 Helpful
Customers Also Viewed These Support Documents