cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5979
Views
5
Helpful
7
Replies

ISE URLs for external service updates

matthen
Cisco Employee
Cisco Employee

My customer is using a proxy and has requested the specific URLs for the following functions in ISE so they can whitelist them in their proxy.  Also, if the ports are not T/443, which ports should we enable?

  • Partner Mobile Management
  • Endpoint Profiler Feed Service Update
  • Endpoint Posture Update
  • Endpoint Posture Agent Resources Download
  • CRL (Certificate Revocation List) Download
1 Accepted Solution

Accepted Solutions

Jason Kunst
Cisco Employee
Cisco Employee

Thanks to hslai helping with this

  • Partner Mobile Management (MDM)

    • Depends on the provider

  • Endpoint Profiler Feed Service Update

    • Work Centers > profiler > Feeds

GENERAL ISE 2.4 - The Posture and CP URLs are actually redirected to AWS S3; e.g. example: https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml  

  • Endpoint Posture Update

    • Work Centers > Posture > Settings > Posture Update

  • Endpoint Posture Agent Resources Download

    • Work Centers > Posture > Settings > Client Provisioning

  • CRL (Certificate Revocation List) Download and/or OCSP

    • This all depends on the certificate configuration

    • Administration > System > Certificates > Certificate Management > Trusted Certificates > Edit relevant certificate

      • Currently not supporting wildcard domain list

  • SMS Message Transmission

    • Administration > System > settings > SMS Gateway

    • Depends on the provider

  • Social Login

    • Facebook.com

  • Smart Licensing

View solution in original post

7 Replies 7

Jason Kunst
Cisco Employee
Cisco Employee

For now please see this:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

I will work on getting a list of URLs but this may take a while

hslai
Cisco Employee
Cisco Employee

CRL is per deployment and configured under a certificate object under Trusted Certificates. Please note this known issue -- CSCuu66261 -- that proxy based not working for a wildcard domain list.

Partner MDM is also per deployment configuration.

Jason Kunst
Cisco Employee
Cisco Employee

Thanks to hslai helping with this

  • Partner Mobile Management (MDM)

    • Depends on the provider

  • Endpoint Profiler Feed Service Update

    • Work Centers > profiler > Feeds

GENERAL ISE 2.4 - The Posture and CP URLs are actually redirected to AWS S3; e.g. example: https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml  

  • Endpoint Posture Update

    • Work Centers > Posture > Settings > Posture Update

  • Endpoint Posture Agent Resources Download

    • Work Centers > Posture > Settings > Client Provisioning

  • CRL (Certificate Revocation List) Download and/or OCSP

    • This all depends on the certificate configuration

    • Administration > System > Certificates > Certificate Management > Trusted Certificates > Edit relevant certificate

      • Currently not supporting wildcard domain list

  • SMS Message Transmission

    • Administration > System > settings > SMS Gateway

    • Depends on the provider

  • Social Login

    • Facebook.com

  • Smart Licensing

Small addendum on the Smart Licensing section: this currently doesn't work because that part of ISE doesn't handle the communications to the Cisco via an authenticated proxy.  The TCP connection between PAN and Proxy is created, but ISE doesn't handle the HTTP/407 response from the proxy.  So Smart Licensing doesn't work.

The workaround we used was to bypass authentication requirement on the proxy by means of a whitelist (if your proxy supports that).  That gets rid of the HTTP/407 query and hence, Smart Licensing then works through the proxy.

Cisco Bug ID: CSCvh77224

This is still current in ISE 2.3 patch 3

Jason,

Thank you for the detailed response.  I have one follow-up question, some of the responses have multiple URLs, for example the Endpoint Posture Update Pre2.4 has two links:

In this case, which one should we use?

Thanks again!

hslai
Cisco Employee
Cisco Employee

Both are needed. The former is the default configured in the ISE setting and the web request will redirect to the latter.

Hi Hslai,

 

From firewall perspective what are the hostnames or IP addresses that has to be allowed over internet for ISE to access the following services. 

 

-profile feed service

-posture update service

-client provisioning update service.

 

Is it enough if I allow *.cisco.com, *.perfigo.com on s3.amazonaws.com 443 and 8443.

 

Any help would be appreciated.

 

Thanks,

 

Aravind.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: