Blocking port 80 on Cisco ISE

Hello All,

We have a 6-node deployment of Cisco ISE. Port 80 was found to be open on the MnT node during a pen test by the relevant team.

They are asking to shut port 80 down due to security concerns.

As far as I know, we cannot configure/modify/shut down port 80 or 443, and port 80 is redirected to port 443 according to the Cisco ISE Ports Reference document.

Cisco Identity Services Engine Hardware Installation Guide, Release 2.0 - Cisco ISE Ports Reference [Cisco Identity Services Engine] - Cisco

My question is what would happen if we block the port on the firewall, and what the recommended path is here. I believe we should not tamper with the port requirements given in the document, but would like to hear expert opinions.

TIA

Accepted Solution

Greg Gibbs
Cisco Employee

As you mentioned in your post, tcp/80 is simply redirected to tcp/443 when received by the ISE web server. There is no legitimate use for tcp/80 in any ISE communications. I have had customers block tcp/80 to the ISE nodes on transit firewalls in the past with no adverse effects.

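The accepted answer rests on one claim: the tcp/80 listener on an ISE node does nothing but redirect to tcp/443. Below is an added example (my own code, not from the original post, the thread participants, or Cisco) of how to verify that claim against a node before the firewall rule goes in, and to confirm the rule afterwards. It sends a minimal plain-text GET to the port and classifies the outcome; "redirect-https" is the behaviour the answer describes, "filtered" or "refused" is what you expect once a transit firewall drops the traffic, and "content" means the port serves something real and deserves a closer look before blocking. The hostname ise-mnt.example.com and the sample reply SAMPLE_REDIRECT are constructed for the example, not captured from a real ISE node.

```python
"""Probe a host's tcp/80 listener and classify what it does.

Added example for the thread above (not from the post or from Cisco).
The SAMPLE_REDIRECT reply and the ise-mnt.example.com hostname are
constructed assumptions, not output captured from an ISE node.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the kind of reply an HTTP-to-HTTPS redirect produces.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://ise-mnt.example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


@dataclass
class PortCheck:
    # redirect-https : 3xx with an https:// Location, the behaviour the answer describes
    # redirect-other : 3xx to a non-https target, worth a closer look
    # content        : a non-redirect HTTP response, i.e. the port serves real content
    # no-http        : TCP connect succeeded but no parseable HTTP reply came back
    # filtered       : connect timed out, a firewall is silently dropping the SYN
    # refused        : TCP RST, nothing is listening
    state: str
    status: Optional[int] = None
    location: Optional[str] = None
    detail: str = ""


def parse_http_response(raw: bytes) -> PortCheck:
    """Classify a raw HTTP response by its status line and Location header."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return PortCheck("no-http", detail=lines[0][:60].decode("latin-1", "replace"))
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")  # splits on the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip().decode("latin-1")
    location = headers.get(b"location")
    if 300 <= status < 400 and location:
        if location.lower().startswith("https://"):
            return PortCheck("redirect-https", status, location)
        return PortCheck("redirect-other", status, location)
    return PortCheck("content", status, location)


def probe_port(host: str, port: int = 80, timeout: float = 3.0) -> PortCheck:
    """Connect to host:port, send a minimal GET and classify the outcome."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return PortCheck("filtered")
    except ConnectionRefusedError:
        return PortCheck("refused")
    except OSError as exc:  # e.g. no route to host
        return PortCheck("no-http", detail=str(exc))
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with sock:
        try:
            sock.sendall(request)
            while len(b"".join(chunks)) < 65536:  # cap what we read
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except (socket.timeout, OSError):
            pass  # whatever arrived so far is classified below
    return parse_http_response(b"".join(chunks))


def port80_is_safe_to_block(check: PortCheck) -> bool:
    """True when clients lose nothing by losing tcp/80 to this listener."""
    return check.state in ("redirect-https", "filtered", "refused")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ise-mnt.example.com"  # assumed name
    result = probe_port(target)
    print(f"{target}:80 -> {result}")
    print("safe to block on the firewall" if port80_is_safe_to_block(result)
          else "port 80 serves more than a redirect; investigate before blocking")
```

Run it from the same side of the firewall as your clients, once against each node before the change (expect "redirect-https") and once after (expect "filtered" or "refused"). Probing 443 with the same plain-text request will only tell you the TCP connection was accepted ("no-http", since the listener expects TLS), which is still a useful sign that the HTTPS side is untouched by the new rule.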