Cisco Employee

ISE URLs for external service updates

My customer is using a proxy and has requested the specific URLs for the following functions in ISE so they can whitelist them in their proxy. Also, if the ports are not TCP/443, which ports should we enable?

  • Partner Mobile Management
  • Endpoint Profiler Feed Service Update
  • Endpoint Posture Update
  • Endpoint Posture Agent Resources Download
  • CRL (Certificate Revocation List) Download
Accepted Solution

Cisco Employee

Thanks to hslai for helping with this

  • Partner Mobile Management (MDM)

    • Depends on the provider

  • Endpoint Profiler Feed Service Update

    • Work Centers > Profiler > Feeds

GENERAL ISE 2.4 - The Posture and CP URLs are actually redirected to AWS S3, e.g. https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml

  • Endpoint Posture Update

    • Work Centers > Posture > Settings > Posture Update

  • Endpoint Posture Agent Resources Download

    • Work Centers > Posture > Settings > Client Provisioning

  • CRL (Certificate Revocation List) Download and/or OCSP

    • This all depends on the certificate configuration

    • Administration > System > Certificates > Certificate Management > Trusted Certificates > Edit relevant certificate

      • Currently does not support a wildcard domain list

  • SMS Message Transmission

    • Administration > System > Settings > SMS Gateway

    • Depends on the provider

  • Social Login

    • Facebook.com

  • Smart Licensing

7 Replies

Cisco Employee

For now please see this:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

I will work on getting a list of URLs but this may take a while

Cisco Employee

CRL is per deployment and configured under a certificate object under Trusted Certificates. Please note the known issue CSCuu66261: proxy-based download does not work with a wildcard domain list.

Partner MDM is also per deployment configuration.



Small addendum on the Smart Licensing section: this currently doesn't work because that part of ISE doesn't handle the communication to Cisco via an authenticated proxy. The TCP connection between the PAN and the proxy is created, but ISE doesn't handle the HTTP/407 response from the proxy. So Smart Licensing doesn't work.

The workaround we used was to bypass the authentication requirement on the proxy by means of a whitelist (if your proxy supports that). That gets rid of the HTTP/407 query and hence Smart Licensing then works through the proxy.

Cisco Bug ID: CSCvh77224

This is still current in ISE 2.3 patch 3
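To confirm this failure mode from the proxy side, an added example (not code from the post or from Cisco) that scans proxy access-log lines for clients, such as the ISE PAN, that only ever receive HTTP 407 for a destination and never follow up with an authenticated request; those destinations are the candidates for the authentication-bypass whitelist described above. The log format, IP addresses and hostnames are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed proxy access-log lines (not from any real deployment). Format:
# <time> <client-ip> <method> <host:port> <status>
# 10.1.1.10 stands in for the ISE PAN; the licensing hostname is a placeholder.
CONSTRUCTED_LOG = """\
2018-06-01T10:00:01Z 10.1.1.10 CONNECT licensing.example.com:443 407
2018-06-01T10:00:02Z 10.1.1.10 CONNECT licensing.example.com:443 407
2018-06-01T10:00:05Z 10.1.1.10 CONNECT s3.amazonaws.com:443 200
2018-06-01T10:00:09Z 10.1.1.50 CONNECT www.example.org:443 407
2018-06-01T10:00:10Z 10.1.1.50 CONNECT www.example.org:443 200
this line is deliberately malformed and must be skipped
2018-06-01T10:00:12Z 10.1.1.10 CONNECT licensing.example.com:443 407
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<dest>\S+) (?P<status>\d{3})$"
)

def parse_log(text):
    """Yield (client, dest, status) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("client"), m.group("dest"), int(m.group("status"))

def stuck_on_proxy_auth(text, clients):
    """Return {dest: number of 407s} for destinations that one of `clients`
    only ever reached with a 407 reply, i.e. the client never completed
    proxy authentication. A client that got a 407 and then a non-407 reply
    for the same destination did authenticate and is not reported."""
    got_407 = defaultdict(int)
    got_other = set()
    for client, dest, status in parse_log(text):
        if client not in clients:
            continue
        if status == 407:
            got_407[(client, dest)] += 1
        else:
            got_other.add((client, dest))
    return {dest: n for (client, dest), n in got_407.items()
            if (client, dest) not in got_other}

if __name__ == "__main__":
    # Destinations the PAN could not get past proxy authentication for.
    print(stuck_on_proxy_auth(CONSTRUCTED_LOG, {"10.1.1.10"}))
```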


Jason,

Thank you for the detailed response. I have one follow-up question: some of the responses have multiple URLs; for example, the Endpoint Posture Update Pre-2.4 has two links:

In this case, which one should we use?

Thanks again!


Both are needed. The former is the default configured in the ISE setting and the web request will redirect to the latter.
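Because the configured URL and the S3 URL it redirects to must both be allowed, an added example (not code from the thread or from Cisco) that walks a redirect chain from the configured ISE URL and collects every host and port the proxy has to permit, handling relative Location headers, default ports and redirect loops. The starting URL and the responses are constructed stand-ins for the live servers; only the S3 URL is the one quoted in the accepted answer.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def endpoint(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme, parts.hostname, port

def allowlist_from_redirects(start_url, fetch, max_hops=10):
    """Follow redirects from the configured ISE URL and return the ordered list of
    (host, port) pairs touched on the way. `fetch(url)` returns (status, location)."""
    url, seen, allow = start_url, set(), []
    for _ in range(max_hops):
        if url in seen:
            raise ValueError("redirect loop at %s" % url)
        seen.add(url)
        _, host, port = endpoint(url)
        allow.append((host, port))
        status, location = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative to the current URL
            continue
        return allow
    raise ValueError("too many redirects starting from %s" % start_url)

def proxy_allow_rules(allow):
    """Render the collected hosts as deduplicated, sorted host:port rules."""
    return sorted({"%s:%d" % (host, port) for host, port in allow})

# Constructed responses standing in for the live servers (offline demo).
# The first URL is a placeholder for the one configured in ISE; the final hop is
# the S3 location quoted in the accepted answer.
CONSTRUCTED_RESPONSES = {
    "https://updates.example.com/ise/posture-update.xml":
        (302, "https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml"),
    "https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml":
        (200, None),
}

def constructed_fetch(url):
    return CONSTRUCTED_RESPONSES.get(url, (404, None))

if __name__ == "__main__":
    hops = allowlist_from_redirects("https://updates.example.com/ise/posture-update.xml",
                                    constructed_fetch)
    print(proxy_allow_rules(hops))
```

Swapping `constructed_fetch` for a real HEAD/GET that returns the status and Location header (with redirects disabled) gives the same walk against the live URLs.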

Hi Hslai,

From a firewall perspective, what are the hostnames or IP addresses that have to be allowed over the internet for ISE to access the following services?

- profile feed service

- posture update service

- client provisioning update service

Is it enough if I allow *.cisco.com, *.perfigo.com and s3.amazonaws.com on 443 and 8443?

Any help would be appreciated.

Thanks,

Aravind.