Solved: ISE URLs for external service updates

matthen · ‎05-30-2018

My customer is using a proxy and has requested the specific URLs for the following functions in ISE so they can whitelist them in their proxy. Also, if the ports are not T/443, which ports should we enable?

Partner Mobile Management
Endpoint Profiler Feed Service Update
Endpoint Posture Update
Endpoint Posture Agent Resources Download
CRL (Certificate Revocation List) Download

Jason Kunst · ‎05-30-2018

Thanks to hslai helping with this

Partner Mobile Management (MDM)

Depends on the provider

Endpoint Profiler Feed Service Update

Work Centers > profiler > Feeds

https://ise.cisco.com:8443/feedserver/

GENERAL ISE 2.4 - The Posture and CP URLs are actually redirected to AWS S3; e.g. example: https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml

Endpoint Posture Update

Work Centers > Posture > Settings > Posture Update

pre2.4 https://www.cisco.com/web/secure/pmbu/posture-update.xml --> https://www.perfigo.com/ise/posture-update.xml

2.4 - https://www.cisco.com/web/secure/spa/posture-update.xml --> https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml

Endpoint Posture Agent Resources Download

Work Centers > Posture > Settings > Client Provisioning

pre2.4 - https://www.cisco.com/web/secure/pmbu/provisioning-update.xml --> https://www.perfigo.com/ise/provisioning-update.xml

2.4 - https://www.cisco.com/web/secure/spa/provisioning-update.xml --> https://s3.amazonaws.com/ise-posture-artifacts/ise/provisioning-update.xml

CRL (Certificate Revocation List) Download and/or OCSP

This all depends on the certificate configuration

Administration > System > Certificates > Certificate Management > Trusted Certificates > Edit relevant certificate

Currently not supporting wildcard domain list

SMS Message Transmission

Administration > System > settings > SMS Gateway

Depends on the provider

Social Login

Facebook.com

Smart Licensing

https://tools.cisco.com/its/service/oddce/services/DDCEService

View solution in original post

Jason Kunst · ‎05-30-2018

For now please see this:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

I will work on getting a list of URLs but this may take a while

hslai · ‎05-30-2018

CRL is per deployment and configured under a certificate object under Trusted Certificates. Please note this known issue -- CSCuu66261 -- that proxy based not working for a wildcard domain list.

Partner MDM is also per deployment configuration.

Jason Kunst · ‎05-30-2018

Thanks to hslai helping with this

Partner Mobile Management (MDM)

Depends on the provider

Endpoint Profiler Feed Service Update

Work Centers > profiler > Feeds

https://ise.cisco.com:8443/feedserver/

GENERAL ISE 2.4 - The Posture and CP URLs are actually redirected to AWS S3; e.g. example: https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml

Endpoint Posture Update

Work Centers > Posture > Settings > Posture Update

pre2.4 https://www.cisco.com/web/secure/pmbu/posture-update.xml --> https://www.perfigo.com/ise/posture-update.xml

2.4 - https://www.cisco.com/web/secure/spa/posture-update.xml --> https://s3.amazonaws.com/ise-posture-artifacts/ise/posture-update.xml

Endpoint Posture Agent Resources Download

Work Centers > Posture > Settings > Client Provisioning

pre2.4 - https://www.cisco.com/web/secure/pmbu/provisioning-update.xml --> https://www.perfigo.com/ise/provisioning-update.xml

2.4 - https://www.cisco.com/web/secure/spa/provisioning-update.xml --> https://s3.amazonaws.com/ise-posture-artifacts/ise/provisioning-update.xml

CRL (Certificate Revocation List) Download and/or OCSP

This all depends on the certificate configuration

Administration > System > Certificates > Certificate Management > Trusted Certificates > Edit relevant certificate

Currently not supporting wildcard domain list

SMS Message Transmission

Administration > System > settings > SMS Gateway

Depends on the provider

Social Login

Facebook.com

Smart Licensing

https://tools.cisco.com/its/service/oddce/services/DDCEService

Arne Bier · ‎05-30-2018

Small addendum on the Smart Licensing section: this currently doesn't work because that part of ISE doesn't handle the communications to the Cisco via an authenticated proxy. The TCP connection between PAN and Proxy is created, but ISE doesn't handle the HTTP/407 response from the proxy. So Smart Licensing doesn't work.

The workaround we used was to bypass authentication requirement on the proxy by means of a whitelist (if your proxy supports that). That gets rid of the HTTP/407 query and hence, Smart Licensing then works through the proxy.

Cisco Bug ID: CSCvh77224

This is still current in ISE 2.3 patch 3

matthen · ‎05-30-2018

Jason,

Thank you for the detailed response. I have one follow-up question, some of the responses have multiple URLs, for example the Endpoint Posture Update Pre2.4 has two links:

pre2.4 https://www.cisco.com/web/secure/pmbu/posture-update.xml --> https://www.perfigo.com/ise/posture-update.xml

In this case, which one should we use?

Thanks again!

hslai · ‎05-30-2018

Both are needed. The former is the default configured in the ISE setting and the web request will redirect to the latter.

aravikumar · ‎04-28-2020

Hi Hslai,

From firewall perspective what are the hostnames or IP addresses that has to be allowed over internet for ISE to access the following services.

-profile feed service

-posture update service

-client provisioning update service.

Is it enough if I allow *.cisco.com, *.perfigo.com on s3.amazonaws.com 443 and 8443.

Any help would be appreciated.

Thanks,

Aravind.