Re: ISE 2.2 MS AD Communication Ports

victguti · ‎08-08-2018

Hello,

I am looking at the communications requirements to integrate the PSNs (ISE v2.2) with MS AD. Checking the guides I found some differences. Could you specify what are the "strictly" communications required?

- From Installation guide: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/install_guide/b_ise_InstallationGuide22/b_ise_InstallationGuide22_chapter_0110.html

Admin User Interface and Endpoint Authentications:
- LDAP: TCP/389, 3268
- SMB: TCP/445
- KDC: TCP/88
- KPASS: TCP/464
WMI : TCP/135
NTP: UDP/123
DNS: UDP/53, TCP/53

From admin guide and active directory integration guide: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01101.html?bookSearch=true#reference_8DC463597A644A5C9CF5D582B77BB24F

Protocol	Port (remote-local)	Target	Authenticated	Notes
DNS (TCP/UDP)	Random number greater than or equal to 49152	DNS Servers/AD Domain Controllers	No	—
MSRPC	445	Domain Controllers	Yes	—
Kerberos (TCP/UDP)	88	Domain Controllers	Yes (Kerberos)	MS AD/KDC
LDAP (TCP/UDP)	389	Domain Controllers	Yes	—
LDAP (GC)	3268	Global Catalog Servers	Yes	—
NTP	123	NTP Servers/Domain Controllers	No	—
IPC	80	Other ISE Nodes in the Deployment	Yes (Using RBAC credentials)	—

In case the communications on the table below are required ones:

1. In the first row, does it mean we could need to open all the ports >= 49152 to make it work?

2. In the last row, is the IPC traffic through port 80 encrypted?

Best regards,

Víctor.

Mohammed al Baqari · ‎08-09-2018

I think this will help

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.pdf

victguti · ‎08-09-2018

Hi Mohammed,

Thanks for your answer. I copied the table on my message from that guide so I assume they are the communications requirements I should follow. However, I have still the following questions:

1. In the first row, does it mean we could need to open all the ports >= 49152 to make it work? Or it is working without allowing this communication?

2. In the last row, is the IPC traffic through port 80 encrypted?

Protocol	Port (remote-local)	Target	Authenticated	Notes
DNS (TCP/UDP)	Random number greater than or equal to 49152	DNS Servers/AD Domain Controllers	No	—
MSRPC	445	Domain Controllers	Yes	—
Kerberos (TCP/UDP)	88	Domain Controllers	Yes (Kerberos)	MS AD/KDC
LDAP (TCP/UDP)	389	Domain Controllers	Yes	—
LDAP (GC)	3268	Global Catalog Servers	Yes	—
NTP	123	NTP Servers/Domain Controllers	No	—
IPC	80	Other ISE Nodes in the Deployment	Yes (Using RBAC credentials)	—

Best regards,

Víctor.

Mohammed al Baqari · ‎08-09-2018

That's something you need to test. You either follow the guide or try what
you want to block. If the guide says something not sure whats the point of
roaming around it then later start troubleshooting issues.

victguti · ‎08-09-2018

Ok thanks, I got the point. What about the second question:

2. In the last row, is the IPC traffic through port 80 encrypted?

Best regards,

Víctor.

Mohammed al Baqari · ‎08-09-2018

Not sure, Run a pcap and see

victguti · ‎08-09-2018

Many thanks Mohammed

victguti · ‎08-09-2018

Hi Mohammed,

Thanks for your answer. I copied the table on my message from that guide so I assume they are the communications requirements I should follow. However, I have still the following questions:

1. In the first row, does it mean we could need to open all the ports >= 49152 to make it work? Or it is working without allowing this communication?

2. In the last row, is the IPC traffic through port 80 encrypted?

Protocol	Port (remote-local)	Target	Authenticated	Notes
DNS (TCP/UDP)	Random number greater than or equal to 49152	DNS Servers/AD Domain Controllers	No	—
MSRPC	445	Domain Controllers	Yes	—
Kerberos (TCP/UDP)	88	Domain Controllers	Yes (Kerberos)	MS AD/KDC
LDAP (TCP/UDP)	389	Domain Controllers	Yes	—
LDAP (GC)	3268	Global Catalog Servers	Yes	—
NTP	123	NTP Servers/Domain Controllers	No	—
IPC	80	Other ISE Nodes in the Deployment	Yes (Using RBAC credentials)	—

Best regards,

Víctor.