Cisco ISE 2.2 moving personas Administration and Monitoring to a new node

maissiat
Level 1

Hi All, 

The company I work for is growing very fast and our ISE infrastructure is not adapted any more, so I'd like to totally review its design and I'd like to know the best approach for implementing it.

My current ISE distributed deployment of nodes is as follows:

Note: No PAN active

2 Cisco ISE 2.2.0.407 servers running on VMs

ISE01: Primary Admin/Monitoring and PSN role

ISE02: Secondary Admin/Monitoring and PSN role

Today, I'd like to move the Admin and Monitoring personas to 2 new servers (VMs) and keep the PSN on the current servers; the idea behind this is to unload the current servers of Monitoring and Admin tasks.

My ISE deployment will look as follows:

ISE New 1: Primary Admin, Secondary Monitoring

ISE New 2: Secondary Admin, Primary Monitoring

ISE01: PSN

ISE02: PSN

I already have my two new servers running in standalone with the same ISE version (hostname and IP are not the same).

Now I'm not sure what the best approach is to migrate the Admin and Monitoring services to the new servers:

My first idea is:

1. First restore a backup of the old server 1/2 to the new servers

(make sure I have the Admin certificates of each node on all servers)

2. On the current ISE02 (Secondary) server, remove the Admin/Monitoring services

3. Register ISE New 1 as secondary server of ISE01 for Admin/Monitoring in the ISE deployment and do a sync between Primary and Secondary

4. Promote ISE New 1 as Primary node for Admin/Monitoring services, sync

5. Remove Admin/Monitoring on ISE01 (keep only PSN)

6. Register ISE New 2 as secondary server for Admin/Monitoring services, sync

Other things:

What will happen when I remove the Admin/Monitoring services from the current ISE02 server? Will both ISEs restart?

If someone has a better way to do it or any suggestions, it would be much appreciated.

Thank you

Best regards

Marc

3 Replies

Marvin Rhoads
Hall of Fame

I don't think you should have to do any restore operations. Of course starting the whole process with a current backup is a recommended step no matter what path you follow.

 

I would add the 2 new servers to the deployment as PSNs first. I'd remove the non-PSN roles for the current ISE02 first. Then add a new VM to the deployment and make it secondary PAN and MnT. Once it is all synced, promote it to primary. Then remove the non-PSN roles from ISE01. Finally add the second new VM in the role of Secondary PAN and MnT.

 

You may need to re-issue your certs with additional SANs to accommodate the new servers.

 

You might consider putting the whole deployment on ISE 2.3. It's being seen as less buggy than ISE 2.2.

maissiat
Level 1

Dear Marvin,

Sounds like a very good approach; I will follow it.

I will update my post with the result of my migration.

Thank you very much

Marc

Peter Koltl
Level 7

Marc, did it go smoothly?