Outlook is getting delayed after Cisco ISE posture assessment

Jithishkk1514
Level 1

ISE posture assessment flow:

To do a posture check on the Windows endpoint (wired and wireless), we initially assign the machine to the production data VLAN with limited network access, redirecting browser traffic to the Cisco ISE NAC posture portal URL, where the user has the option to download and run the posture agent. After posture assessment, when the machine is identified as compliant, ISE assigns the full access role in the production data VLAN. If the machine is identified as non-compliant, it is moved to the quarantine VLAN.

Current Issue:

Once the machine is identified as compliant, ISE assigns the full access role to the user machine and all other applications work normally. But the Outlook application status shows ‘Disconnected’. It takes more time to reach connected status (approximately 5 to 15 minutes).

Our observation:

Generally, in the client environment, the Windows machine connects to Outlook [outlook.office365.com] via the proxy IP only [xxx.xxx.xx.xx over port 3128]. But after posture assessment, the Windows machine tries to connect to the Outlook IPs directly instead of via the proxy IP for a few minutes (5 to 15 minutes) and gets no response (as 80/443 traffic is allowed via the proxy only). When the Windows machine tries to connect to Outlook via the proxy, the connection is allowed and the Outlook application starts working.

We are not sure why the Windows machine takes more time to send the traffic via the proxy even though the machine is assigned full access to the network by Cisco ISE NAC.

We are looking for your help to identify and resolve the issue.
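An added example, not part of the original post: one way to measure the symptom described above from a firewall or flow log, counting a client's direct 80/443 attempts after posture compliance and the delay until its first connection to the proxy on port 3128. The log format, all IP addresses, the timestamps and the function names are constructed assumptions.

```python
from datetime import datetime

PROXY_PORT = 3128          # proxy port stated in the post
DIRECT_PORTS = {80, 443}   # ports the post says are allowed via the proxy only

# Constructed sample flow log (format and every address are assumptions).
SAMPLE_LOG = """\
2024-05-06T09:00:10 src=10.1.1.50 dst=203.0.113.20 dport=443 action=deny
2024-05-06T09:01:40 src=10.1.1.50 dst=203.0.113.21 dport=443 action=deny
2024-05-06T09:02:00 src=10.1.1.77 dst=192.0.2.10 dport=3128 action=allow
2024-05-06T09:04:30 src=10.1.1.50 dst=203.0.113.20 dport=443 action=deny
2024-05-06T09:07:15 src=10.1.1.50 dst=192.0.2.10 dport=3128 action=allow
2024-05-06T09:07:20 src=10.1.1.50 dst=192.0.2.10 dport=3128 action=allow
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, dict); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["dport"] = int(fields["dport"])
    except (ValueError, KeyError):
        return None
    return ts, fields

def proxy_fallback_window(log_text, client, compliant_at, proxy_ip):
    """Measure how long a client kept going direct after posture compliance."""
    direct, first_proxy = 0, None
    for line in log_text.splitlines():   # log is assumed to be in time order
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("src") != client or ts < compliant_at:
            continue
        if f.get("dst") == proxy_ip and f["dport"] == PROXY_PORT:
            first_proxy = ts             # first post-compliance proxy connection
            break
        if f["dport"] in DIRECT_PORTS:
            direct += 1                  # direct attempt that bypassed the proxy
    delay = (first_proxy - compliant_at).total_seconds() if first_proxy else None
    return {"direct_attempts": direct, "first_proxy": first_proxy, "delay_seconds": delay}

if __name__ == "__main__":
    print(proxy_fallback_window(SAMPLE_LOG, "10.1.1.50", datetime(2024, 5, 6, 9, 0, 0), "192.0.2.10"))
```

Running it per client against the time ISE reports the endpoint as compliant shows whether the delay tracks the direct-connection attempts or something else.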


This is probably because Outlook is not aware of the dACL/network change pre and post posture.  IMHO this is a user training issue to not open any applications until the posture scan has completed.  

After the machine is compliant, Outlook is taking time to connect.

Is Outlook open BEFORE the posture assessment takes place?

Hi,

Contact your server team and ask them to disable RPC fallback from GPO.
This will force connections through the proxy only. Test with that disabled.

https://support.microsoft.com/en-us/topic/outlook-anywhere-rpc-http-settings-are-unavailable-in-the-outlook-2010-group-policy-template-41ed448f-9da4-e0a0-2443-fc4b481224c2

***** please remember to rate useful posts

Thanks for the update.

Is there any impact in production if we disable the RPC fallback from the GPO?