
Smart Licensing on ISE: What is the exact URL ISE is talking to when using smart licensing?

rmueller@cisco.com
Cisco Employee

Hi,

My customer would like to migrate from traditional licensing to smart licensing. They want to use a proxy to have the ISE talking to the smart portal and want to configure this very restrictively.

So the question here is: What exactly is the specific URL the ISE is talking to when using smart licensing?

Thanks in advance.

Roland


thanks for the link to the document.  I had some issues getting ISE 2.3 patch 1 talking to Smart Licensing because my customer forces all internet traffic to go through an authenticated proxy.  The tcpdump revealed that it was trying to talk to tools.cisco.com:443 - but it doesn't handle the proxy part at all (doesn't present the credentials).  We are able to use the same proxy for the SMS gateway.  I have a TAC case open for this.

Roland, I would be interested to know if you get it working through a proxy.

I found your TAC case. TAC is associating it with CSCvd93008 and checking with our engineering team.

sogracek
Cisco Employee

Hi, just wondering if you finally got the proxy working for smart licensing?  If so, did it require a patch or did you have a workaround for it?  Thank you.

Hello

We have it working now using the https proxy transport mode, but we had to make an exception on the proxy to not request authentication (because that's the issue with ISE - it will gladly use a proxy, but it doesn't remember to send the authentication credentials).

So either you go https direct, or go https proxy, but with proxy whitelisting (just the IPs of the PAN nodes will do - we told them to whitelist those PAN IPs to go to tools.cisco.com).

There is a third option for Smart Licensing - use a Satellite Server on premise.  We have that working in some cases too and it works.  It means the ISE PANs talk to Satellite on prem and not to the internet.  The Satellite server talks to internet.

But there is an issue with ISE 2.4 and those new VM licenses.  If you happen to have purchased the more expensive license (like Medium_VM) but a node needs the Small_VM, then the Satellite server will tell you that your VM license is out of compliance.  This is a bug because Cisco allows for License Substitution - and that DOES work if you go direct to tools.cisco.com.

Go figure.

Thank you very much for your reply. I see most people just go back to traditional licensing until the proxy issue has been fixed so really appreciate your perseverance with this.

Whether you go for direct https connection, or via the https proxy option, do you only need to open access to tools.cisco.com on port 443?

I saw another post where tools1.cisco.com and tools2.cisco.com were mentioned.

I also saw mention of www.cisco.com but based on port 80?

ISE 3.0 p7, 3.1 p5 and 3.2 or higher contact: smartreceiver.cisco.com

Lower ISE versions contact: tools.cisco.com, tools1.cisco.com, tools2.cisco.com


HTH
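
The proxy exception described in the replies above (no authentication challenge for the PAN nodes, only toward the smart licensing hosts on port 443), written as an added example that is not from any poster in this thread. It assumes a Squid proxy, which the thread does not name, and uses constructed placeholder addresses for the PAN nodes; the hostnames and port are the ones quoted in the thread.

```conf
# Assumption: Squid proxy. The PAN addresses below are constructed
# placeholders (documentation range); replace them with the real PAN IPs.
acl ise_pan src 192.0.2.10 192.0.2.11

# Smart licensing destinations named in the thread.
# ISE 3.0 p7, 3.1 p5, 3.2 or higher:
acl ise_smart_lic dstdomain smartreceiver.cisco.com
# Lower ISE versions:
acl ise_smart_lic dstdomain tools.cisco.com tools1.cisco.com tools2.cisco.com

acl https_port port 443
acl CONNECT method CONNECT

# This rule must sit above any http_access line that references a
# proxy_auth ACL. Squid evaluates http_access top-down and stops at the
# first match, so the PANs are allowed here before a 407 challenge can
# be issued. All four conditions must match: source is a PAN, request is
# a CONNECT tunnel, destination is a licensing host, port is 443.
http_access allow CONNECT ise_pan ise_smart_lic https_port

# Everything else, including other traffic from the PANs, still falls
# through to the authenticated rule. Assumes auth_param is already
# configured elsewhere in squid.conf.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Keeping the exception scoped by source, destination and port means the unauthenticated path cannot be used by other hosts or toward other sites; proxy access logs for the `ise_pan` addresses should then show only CONNECT requests to the listed hostnames without a user name.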
