Beginner

Prime Infrastructure Download URL Firewall Requirements

What are the Cisco URLs that must be allowed through firewalls to allow Prime Infrastructure to connect to Cisco to download updates using a CCO account?

1 ACCEPTED SOLUTION


NOW RESOLVED - Allow Port 443 (HTTPS) to the following URLs in question:
wsgx.cisco.com
tools.cisco.com
sso.cisco.com
Also read: the "Important URLs" section here
https://www.cisco.com/c/en/us/td/docs/net_mgmt/ciscoworks_lan_management_solution/4-2/user/guide/admin/admin/TroubleshootingandFAQ.pdf


7 REPLIES 7
Hall of Fame Master

I don’t know if there is a URL that is published or if TAC can provide it. However, port 443 is what is needed for the login/download/check. Maybe you can span that port and capture the IP/URL info.
Guide just shows what ports are used by Prime.
https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-2/quickstart/guide/cpi_qsg.html#19704
-Scott
*** Please rate helpful posts ***
Beginner

Ok. Perhaps I have not explained the issue very well. On Prime Infrastructure (3.1 in this case) I can browse to 'Administration / Licenses and Software Updates / Software Update' where "You can download the latest updates from cisco.com or upload an update file to your server." If I select 'downloads', this pops up a window asking for Cisco CCO login and then connects to Cisco, compares your current deployment with available updates/patches and allows you to download those updates/patches directly to Prime for deployment.

To allow this feature to work you need to allow the appropriate Cisco URLs through your firewalls. The URLs involved are NOT the standard software mall.

I know these URLs are published by Cisco but (as usual with Cisco) they are not easily found. I am looking for the Cisco guide that lists the URLs that must be allowed through the firewall to allow this direct-download feature to work.

Many thanks in advance.


Hey Scott,

We have allowed the following in the firewall:

FTP from Prime to Any

SSL from Prime to Any

Web Browsing from Prime to Any

This will by default allow all the response traffic between Prime and the destination.

BTW, regarding the URLs that you have allowed for port 443, please update us if that works for all the requirements of Prime from the internet, like software download, point patch download, IOS image download from the Cisco site to Prime, EOL/EOS notifications, PSIRT notifications etc. If these URLs work for you, we will also give it a try. The more restricted the communication from Prime to the Internet is, the more secure it will be.

Cheers,

Manish

OK, I understand your issue now.

You can do one thing for the time being: you can bypass your HTTP traffic from your firewall till the updates complete, or allow all HTTP traffic instead of passing specific URLs in your firewall. Once the updates complete, you can apply the filter again.

Or contact TAC to ask about the exact URL, because the URL could be the same but Cisco keeps changing their IP for security reasons, so TAC can assist you better if nothing works.


Zain Khan
https://www.linkedin.com/in/forzain/

Hey Scott,

I remember facing this challenge in our organization. Actually, Cisco, on the backend, is using Akamai storage servers to host the images and software. The Prime requests get redirected to Akamai servers during the update downloads. We witnessed this by capturing the traffic on the firewall.

We raised a TAC case to get this info, but as usual TAC was least helpful. We later solved it ourselves. Give me some time and I will get back to you with the exact list.

Cheers,

Manish
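
The thread's approach (allow 443 to the three named hosts, then look at firewall captures for what Prime is still being refused) can be scripted. The following is an added example, not part of any post in this thread and not Cisco code: the log format, the Prime address and the `example.net` CDN name are constructed assumptions to be replaced with the firewall's real export.

```python
import re
from collections import Counter

# Hosts named in the accepted solution of this thread (all on TCP 443).
ALLOWED_HOSTS = {"wsgx.cisco.com", "tools.cisco.com", "sso.cisco.com"}
PRIME_IP = "192.0.2.50"  # assumption: constructed address for the Prime server

# Constructed sample in a hypothetical key=value log format; the
# example.net name stands in for whatever CDN host a real capture shows.
SAMPLE_LOG = """\
action=allow src=192.0.2.50 dst=198.51.100.10 dport=443 sni=sso.cisco.com
action=allow src=192.0.2.50 dst=198.51.100.11 dport=443 sni=tools.cisco.com
action=deny src=192.0.2.50 dst=198.51.100.12 dport=443 sni=wsgx.cisco.com
action=deny src=192.0.2.50 dst=203.0.113.20 dport=443 sni=cdn-edge.example.net
action=deny src=192.0.2.50 dst=203.0.113.20 dport=443 sni=CDN-edge.example.net.
action=deny src=192.0.2.77 dst=203.0.113.99 dport=443 sni=other.example.org
action=deny src=192.0.2.50 dst=203.0.113.30 dport=21
"""

def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def audit(log_text, prime_ip=PRIME_IP, allowed=ALLOWED_HOSTS):
    """Bucket Prime's denied outbound connections.

    missing_rule: allowlisted host on 443 that the firewall still denied.
    unlisted:     destination the allowlist does not cover (CDN redirect,
                  other port); each needs a decision, not a blanket allow.
    """
    result = {"missing_rule": Counter(), "unlisted": Counter()}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("src") != prime_ip or f.get("action") != "deny":
            continue
        # Prefer the TLS SNI name; fall back to the destination IP.
        host = f.get("sni", f.get("dst", "?")).lower().rstrip(".")
        port = f.get("dport", "?")
        bucket = "missing_rule" if host in allowed and port == "443" else "unlisted"
        result[bucket][(host, port)] += 1
    return result

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE_LOG).items():
        for (host, port), n in hits.most_common():
            print(f"{bucket:12} {host}:{port} denied {n}x")
```

Run against a log taken while a software update download is attempted, the `unlisted` bucket is the list of destinations to review and add to the rule set individually, which keeps Prime's outbound policy narrower than an "any" rule.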