
MyDevice Portal Redirect

I have an environment where we are hosting the MyDevice portal on our external domain but the ISE nodes have names issued by the internal domain which is not resolvable for users outside the domain. When connecting to MyDevice Portal by the FQDN that was inputted there is a brief redirect to the DNS entry of the PSN's actual FQDN. Is there a way to prevent that from happening?


Timothy Abbott
Cisco Employee
Nicholas,

Are you hosting the MyDevices portal externally so it may be reached by offsite employees? My other question is: are offsite employees able to reach the MyDevices portal successfully? My gut says no because of the redirect to the internal domain.

Regards,
-Tim

That's correct, we are hosting for offsite employees and they are unable to access due to the redirect. That is the issue we are trying to correct.

Are they trying to go to http://mydevices.mycompany.com (not https://)? That is what they would need to do to get the redirect to work properly. Even if they are going to http:// it may still not work quite right because of HSTS support on most browsers and ISE. This will cause the call to automatically go to https:// and hit the Admin cert on the PSN.

Honestly I think you probably have two solutions:

  1. Publish the full URL to the offsite employees. All the FQDN does is give a shortcut, but ultimately you get a 302 redirect to the full URL with the correct port. Just publish the use of the full URL.
  2. Configure a redirect on one of your existing externally facing web servers. Configure a shortcut to point to an existing web server you have and configure it to do the 302 redirect to the full URL using the alternate FQDN you configured on the portal.

As I mentioned in my other response, HSTS could be getting in your way. If you are using FQDN shortcuts, your Admin Cert needs to contain a SAN field for the FQDN shortcut you are using. I just tested on one of my ISE deployments where the Admin Cert and the Portal Cert both have the FQDN shortcut in the cert, and I didn't see any reference to the FQDN of the ISE PSN in the sequence. I used Firefox Live Headers to track everything.
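
The header-trace check described in the replies above can be scripted. The following is an added example, not code from the thread or from Cisco: it audits a captured redirect chain for two conditions the replies name, a certificate without a SAN for the shortcut FQDN and a redirect that exposes a name outside the external domain. Apart from `mydevices.mycompany.com`, the hostnames, port 8443 and the `/portal/` path are constructed placeholders.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def san_covers(host, sans):
    """Exact match, or a wildcard SAN covering exactly one left-most label."""
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and host.partition(".")[2] == san[2:]:
            return True
    return False

def audit_chain(hops, external_domain, cert_sans):
    """hops: (requested URL, status, Location header) tuples from a header trace.
    cert_sans: "host:port" -> SAN list of the certificate served there."""
    findings = []
    for url, status, location in hops:
        req = urlsplit(url)
        host = req.hostname or ""
        if req.scheme == "https":
            endpoint = f"{host}:{req.port or 443}"
            if not san_covers(host, cert_sans.get(endpoint, [])):
                findings.append(("cert-san-missing", endpoint))
        if status in REDIRECTS and location:
            # A relative Location stays on the requesting host.
            target = urlsplit(location).hostname or host
            if not under_domain(target, external_domain):
                findings.append(("internal-name-in-redirect", target))
    return findings

# Constructed traces. psn01.corp.example, port 8443 and /portal/ are placeholders.
LEAKY_HOPS = [("https://mydevices.mycompany.com/", 302,
               "https://psn01.corp.example:8443/portal/")]
LEAKY_SANS = {"mydevices.mycompany.com:443": ["psn01.corp.example"]}

CLEAN_HOPS = [
    ("https://mydevices.mycompany.com/", 302,
     "https://mydevices.mycompany.com:8443/portal/"),
    ("https://mydevices.mycompany.com:8443/portal/", 200, None),
]
CLEAN_SANS = {
    "mydevices.mycompany.com:443": ["psn01.corp.example", "mydevices.mycompany.com"],
    "mydevices.mycompany.com:8443": ["mydevices.mycompany.com"],
}

if __name__ == "__main__":
    for name, hops, sans in (("leaky", LEAKY_HOPS, LEAKY_SANS), ("clean", CLEAN_HOPS, CLEAN_SANS)):
        print(name, audit_chain(hops, "mycompany.com", sans))
```

The SAN lists have to be collected separately for each host and port, since the thread notes that the listener on 443 presents the Admin cert while the portal presents its own.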