Cisco ISE Ports Reference


Cisco ISE Infrastructure

This appendix covers:
- Cisco ISE Infrastructure
- Cisco ISE Administration Node Ports
- Cisco ISE Monitoring Node Ports
- Cisco ISE Policy Service Node Ports
- Inline Posture Node Ports
- Cisco ISE pxGrid Service Ports
- OCSP and CRL Service Ports

This appendix lists the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices. The Cisco ISE ports listed in this appendix must be open on the corresponding firewall. Open them per node persona and per direction as the tables show: a node that does not run a persona does not need that persona's listening ports reachable, and the rows marked Outbound describe connections the node initiates, so they need an outbound permit (with stateful return traffic) rather than an inbound one.

Keep in mind the following information when configuring services on a Cisco ISE network:
- Cisco ISE management is restricted to Gigabit Ethernet 0.
- RADIUS listens on all network interface cards (NICs).
- Cisco ISE server interfaces do not support VLAN tagging. If you are installing on a hardware appliance, ensure that you disable VLAN trunking on the switch ports that connect to Cisco ISE nodes and configure them as access layer ports.
- All NICs can be configured with IP addresses.

Cisco ISE Administration Node Ports

The following table lists the ports used by the Administration nodes. The ports apply to Gigabit Ethernet 0 or Bond 0; the column for the other Ethernet interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2) carries only the static-route note under External Identity Sources and Resources.

Table 1: Ports Used by the Administration Nodes

Administration (Gigabit Ethernet 0 or Bond 0):
  HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 is redirected to TCP/443; not configurable)
  SSH Server: TCP/22
  External RESTful Services (ERS) REST API: TCP/9060
  To display the Sponsor portal from the Admin GUI: TCP/9002
  Ports 80 and 443 support the Admin web applications and are enabled by default. HTTPS and SSH access to Cisco ISE is restricted to Gigabit Ethernet 0. As Inline Posture nodes do not support the Administration persona, they do not have access to ports 80 and 443.

Replication and Synchronization (Gigabit Ethernet 0 or Bond 0):
  HTTPS (SOAP): TCP/443
  Data synchronization/replication (JGroups): TCP/12001 (global)

Monitoring (Gigabit Ethernet 0 or Bond 0):
  SNMP Query: UDP/161 (this port is route table dependent)

Logging (Outbound) (Gigabit Ethernet 0 or Bond 0):
  Syslog: UDP/20514, TCP/1468
  Secure Syslog: TCP/6514
  SNMP Traps: UDP/162
  The default ports are configurable for external logging.

External Identity Sources and Resources (Outbound), for the Admin user interface and endpoint authentications:
  LDAP: TCP/389, 3268, UDP/389
  SMB: TCP/445
  KDC: TCP/88
  KPASS: TCP/464
  NTP: UDP/123
  DNS: UDP/53, TCP/53
  For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Guest (Gigabit Ethernet 0 or Bond 0):
  Guest account expiry email notification: SMTP: TCP/25

Cisco ISE Monitoring Node Ports

The following table lists the ports used by the Monitoring nodes. The ports apply to Gigabit Ethernet 0 or Bond 0 unless a row lists an entry for the other Ethernet interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2).

Table 2: Ports Used by the Monitoring Nodes

Administration:
  HTTP: TCP/80, HTTPS: TCP/443
  SSH Server: TCP/22

Replication and Synchronization:
  HTTPS (SOAP): TCP/443
  Data synchronization/replication (JGroups): TCP/12001 (global)
  Oracle DB Listener: TCP/1521
  Other Ethernet interfaces: Oracle DB Listener: TCP/1521

Monitoring:
  Simple Network Management Protocol (SNMP): UDP/161 (this port is route table dependent)

Logging (Outbound):
  Syslog: UDP/20514, TCP/1468
  Secure Syslog: TCP/6514
  SMTP: TCP/25
  SNMP Traps: UDP/162
  The default ports are configurable for external logging.

External Identity Sources and Resources (Outbound), for the Admin user interface and endpoint authentications:
  LDAP: TCP/389, 3268, UDP/389
  SMB: TCP/445
  KDC: TCP/88, UDP/88
  KPASS: TCP/464
  NTP: UDP/123
  DNS: UDP/53, TCP/53
  For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Bulk Download for pxGrid:
  SSL: TCP/8910

Cisco ISE Policy Service Node Ports

The following table lists the ports used by the Policy Service nodes. The Administration, Replication, Clustering, CA PKI and Device Administration rows apply to Gigabit Ethernet 0 or Bond 0. The rows from Session onward apply to whichever interfaces the service is enabled on (RADIUS listens on all NICs; a portal interface must be enabled for the service in Cisco ISE).

Table 3: Ports Used by the Policy Service Nodes

Administration (Gigabit Ethernet 0 or Bond 0):
  HTTP: TCP/80, HTTPS: TCP/443
  SSH Server: TCP/22
  OCSP: TCP/2560
  Other Ethernet interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2): none; Cisco ISE management is restricted to Gigabit Ethernet 0.

Replication and Synchronization (Gigabit Ethernet 0 or Bond 0):
  HTTPS (SOAP): TCP/443
  Data synchronization/replication (JGroups): TCP/12001 (global)

Clustering (Node Group) (Gigabit Ethernet 0 or Bond 0):
  Node Groups/JGroups: TCP/7800

CA PKI (Gigabit Ethernet 0 or Bond 0):
  TCP/9090

Device Administration (Gigabit Ethernet 0 or Bond 0):
  TACACS+: TCP/49

Monitoring:
  Simple Network Management Protocol (SNMP): UDP/161 (this port is route table dependent)

Logging (Outbound):
  Syslog: UDP/20514, TCP/1468
  Secure Syslog: TCP/6514
  SNMP Traps: UDP/162
  The default ports are configurable for external logging.

Session:
  RADIUS Authentication: UDP/1645, 1812
  RADIUS Accounting: UDP/1646, 1813
  RADIUS Change of Authorization (CoA) Send: UDP/1700
  RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799 (UDP port 3799 is not configurable)

External Identity Sources and Resources (Outbound), for the Admin user interface and endpoint authentications:
  LDAP: TCP/389, 3268
  SMB: TCP/445
  KDC: TCP/88
  KPASS: TCP/464
  NTP: UDP/123
  DNS: UDP/53, TCP/53
  For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Web Portal Services (Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, Certificate Provisioning, Blacklist Portal), HTTPS; the interface must be enabled for the service in Cisco ISE:
  Blacklist Portal: TCP/8000-8999 (default port TCP/8444)
  Guest Portal and Client Provisioning: TCP/8000-8999 (default port TCP/8443)
  Certificate Provisioning Portal: TCP/8000-8999 (default port TCP/8443)
  My Devices Portal: TCP/8000-8999 (default port TCP/8443)
  Sponsor Portal: TCP/8000-8999 (default port TCP/8443)
  SMTP Notification: TCP/25

Posture (Discovery, Provisioning, Assessment/Heartbeat):
  Discovery (client side): TCP/80 (HTTP), TCP/8905 (HTTPS). By default, TCP/80 is redirected to TCP/8443; see Web Portal Services: Guest Portal and Client Provisioning. Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905 and the Portal certificate on TCP port 8443 (or the port that you have configured for portal use), so a client must trust both certificates, not only the portal one.
  Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
  Provisioning, URL redirection: see Web Portal Services: Guest Portal and Client Provisioning
  Provisioning, ActiveX and Java applet install (including IP refresh, Web Agent install, and launch of the NAC Agent install): see Web Portal Services: Guest Portal and Client Provisioning
  Provisioning, NAC Agent install: TCP/8443
  Provisioning, NAC Agent update notification: UDP/8905
  Provisioning, NAC Agent and other package/module updates: TCP/8905 (HTTPS)
  Assessment, posture negotiation and agent reports: TCP/8905 (HTTPS)
  Assessment, PRA/keep-alive: UDP/8905

Bring Your Own Device (BYOD) / Native Supplicant Provisioning (NSP) (Redirection, Provisioning, SCEP):
  Provisioning, URL redirection: see Web Portal Services: Guest Portal and Client Provisioning
  Provisioning, ActiveX and Java applet install (includes the launch of the Wizard install): see Web Portal Services: Guest Portal and Client Provisioning
  Provisioning, Wizard install from Cisco ISE (Windows and Mac OS): TCP/8443
  Provisioning, Wizard install from Google Play (Android): TCP/443
  Provisioning, supplicant provisioning process: TCP/8905
  SCEP proxy to CA: TCP/80 or TCP/443 (based on the SCEP RA URL configuration)

Mobile Device Management (MDM) API Integration:
  URL redirection: see Web Portal Services: Guest Portal and Client Provisioning
  API: vendor specific
  Agent install and device registration: vendor specific

Profiling:
  NetFlow: UDP/9996 (this port is configurable)
  DHCP: UDP/67 (this port is configurable)
  DHCP SPAN probe: UDP/68
  HTTP: TCP/80, 8080
  DNS: UDP/53 (lookup; this port is route table dependent)
  SNMP Query: UDP/161 (this port is route table dependent)
  SNMP Trap: UDP/162 (this port is configurable)

Inline Posture Node Ports

The following table lists the ports used by the Inline Posture nodes. As Inline Posture nodes do not support the Administration persona, they do not have access to ports TCP 80 and 443. Inline Posture node high availability does not apply to any other Cisco ISE node type.

Table 4: Ports Used by Inline Posture Nodes

Administration:
  Gigabit Ethernet 0: HTTPS: TCP/8443 (TCP 8443 is used by the Administration node); SSH Server: TCP/22

Inline Posture:
  Gigabit Ethernet 0: RADIUS Proxy for Authentication: UDP/1645, 1812; RADIUS Proxy for Accounting: UDP/1646, 1813; RADIUS CoA: UDP/1700, 3799; Redirect: TCP/9090
  Gigabit Ethernet 1: RADIUS Proxy for Authentication: UDP/1645, 1812; RADIUS Proxy for Accounting: UDP/1646, 1813; RADIUS CoA: not applicable; Redirect: TCP/9090
  UDP port 3799 is not configurable.

Logging (Outbound):
  Gigabit Ethernet 0: Syslog: UDP/20154 (this port is configurable)
  Gigabit Ethernet 1: Syslog: UDP/20154 (this port is configurable)
  The other node tables list syslog on UDP/20514; check the port actually configured on the node before writing the firewall rule.

High Availability:
  Gigabit Ethernet 2: Heartbeat: UDP/694
  Gigabit Ethernet 3: Heartbeat: UDP/694

Cisco ISE pxGrid Service Ports

The following table lists the ports used by the pxGrid Service nodes.

Table 5: Ports Used by the pxGrid Service Node

Administration (Gigabit Ethernet 0 or Bond 0):
  SSL: TCP/5222 (inter-node communication)
  SSL: TCP/7400 (node group communication)

Replication and Synchronization (Gigabit Ethernet 0 or Bond 0):
  Data synchronization and replication (JGroups): TCP/12001 (global)

OCSP and CRL Service Ports

For the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services, the ports depend on the CA server or on the service hosting OCSP/CRL; the node tables above list only the basic ports that the Administration, Policy Service, Monitoring and Inline Posture nodes use. For OCSP, the default ports are TCP/80 and TCP/443. The Cisco ISE Admin portal expects an HTTP-based URL for OCSP services, so TCP/80 is the default; you can also use non-default ports. For CRL, the default protocols are HTTP, HTTPS and LDAP, with default ports 80, 443 and 389 respectively; the actual port depends on the CRL server. Plain HTTP is acceptable for both because OCSP responses and CRLs are signed and the node validates that signature; what the outbound firewall rule should still scope is the destination, so that the node can reach only the intended responder or CRL distribution point.
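The Session row of Table 3 and the Inline Posture row of Table 4 list the RADIUS Change of Authorization ports: UDP/1700 to send, and UDP/1700 plus the non-configurable UDP/3799 to listen. The following is an added example, not Cisco code and not part of the original tables, showing what actually crosses those ports and what the shared secret protects: a Disconnect-Request built the way RFC 5176 specifies (Message-Authenticator first, then the Request Authenticator), the check a network access device performs on it, and the Disconnect-ACK check on the sending side. The shared secret, identifier, user name and Acct-Session-Id are constructed values for the demo; the example assumes Python 3 with only the standard library.

```python
"""RADIUS Disconnect-Request / Disconnect-ACK construction and verification (RFC 5176).

Added example, not Cisco code: it models the CoA exchange between a Policy
Service Node (sending from UDP/1700) and a network access device (listening on
UDP/3799) and shows what the RADIUS shared secret protects. The secret,
identifier, user name and session ID used in the demo are constructed values.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME, ATTR_ACCT_SESSION_ID, ATTR_MESSAGE_AUTHENTICATOR = 1, 44, 80
ZERO16 = bytes(16)


def _encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type (1 byte), length (1 byte), value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_disconnect_request(secret, ident, username, acct_session_id):
    """PSN side. RFC 5176 s.2.3: Message-Authenticator is HMAC-MD5 over the packet with
    the Request Authenticator and the attribute itself zeroed; the Request Authenticator
    is then MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    base = [(ATTR_USER_NAME, username.encode()), (ATTR_ACCT_SESSION_ID, acct_session_id.encode())]
    attrs = _encode_attrs(base + [(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    msg_auth = hmac.new(secret, header + ZERO16 + attrs, hashlib.md5).digest()
    attrs = _encode_attrs(base + [(ATTR_MESSAGE_AUTHENTICATOR, msg_auth)])
    req_auth = hashlib.md5(header + ZERO16 + attrs + secret).digest()
    return header + req_auth + attrs


def verify_request(secret, packet):
    """NAD side: accept only if both the Request Authenticator and the Message-Authenticator
    were computed with the shared secret over exactly these bytes."""
    code, _, req_auth, attrs = parse(packet)
    if code != DISCONNECT_REQUEST:
        return False
    expected_req = hashlib.md5(packet[:4] + ZERO16 + packet[20:] + secret).digest()
    received = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(received) != 1 or not hmac.compare_digest(expected_req, req_auth):
        return False
    zeroed = _encode_attrs([(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected_ma = hmac.new(secret, packet[:4] + ZERO16 + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected_ma, received[0])


def build_response(secret, request, ack=True):
    """NAD side: Disconnect-ACK/NAK with no attributes. Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    _, ident, req_auth, _ = parse(request)
    header = struct.pack("!BBH", DISCONNECT_ACK if ack else DISCONNECT_NAK, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(secret, request, response):
    """PSN side: the reply must carry our identifier and an authenticator bound to our
    Request Authenticator, so a forged or replayed ACK from a host without the secret fails."""
    _, req_ident, req_auth, _ = parse(request)
    code, ident, resp_auth, _ = parse(response)
    if ident != req_ident or code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed for the demo
    req = build_disconnect_request(secret, 7, "alice", "0000ABCD")
    ack = build_response(secret, req)
    print("request valid:", verify_request(secret, req), "ack valid:", verify_response(secret, req, ack))
    print("wrong secret accepted:", verify_request(b"other", req))
```

Both authenticators are MD5 constructions keyed only by the shared secret: anything that can reach UDP/3799 (or UDP/1700) on a network device and knows its secret can disconnect or re-authorize sessions. That is the reason to scope the CoA permit to the Policy Service Node addresses rather than the whole ISE subnet, and to use a strong, per-device secret; the port table tells you where the hole is, the secret and the source restriction are what keep it narrow.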
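The tables above say which ports must be open but not how to confirm that a firewall policy matches them. The following is an added example, not Cisco tooling, that encodes a subset of Tables 1 through 3 as required flows between roles and audits an allow-list against them: it reports required flows that no single permit covers in full, and permits that reach an ISE node on a port that no table asks for from that source. The five-field rule format, the role-to-network mapping and the sample rules are constructed for the demo, and the role names (pan, mnt, psn, nad, endpoint) are this example's own labels. It assumes Python 3.7 or later for ipaddress.ip_network.subnet_of.

```python
"""Audit a firewall allow-list against the Cisco ISE port tables.

Added example, not Cisco tooling. REQUIRED encodes a subset of Tables 1-3 as
(proto, port) sets keyed by (source role, destination role). The rule format
(action proto src dst port), the role-to-network mapping and the sample rules
are constructed for the demo.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst port")

REQUIRED = {
    ("nad", "psn"): {("udp", 1812), ("udp", 1813), ("tcp", 49)},          # Table 3: RADIUS auth/acct, TACACS+
    ("psn", "nad"): {("udp", 1700), ("udp", 3799)},                       # Table 3: CoA send and listen/relay
    ("endpoint", "psn"): {("tcp", 8443), ("tcp", 8905), ("udp", 8905)},   # Table 3: portals and posture
    ("pan", "psn"): {("tcp", 443), ("tcp", 12001)},                       # Tables 1 and 3: replication (SOAP, JGroups)
    ("psn", "mnt"): {("udp", 20514), ("tcp", 6514)},                      # Table 3: syslog and secure syslog to MnT
}
ISE_ROLES = ("pan", "mnt", "psn")


def parse_rules(text):
    """Parse constructed rule lines of the form: permit|deny tcp|udp SRC DST PORT."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, port = line.split()
        if action not in ("permit", "deny") or proto not in ("tcp", "udp"):
            raise ValueError("unsupported rule: " + line)
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), int(port)))
    return rules


def _covers(rule, src_net, dst_net, proto, port):
    return (rule.action == "permit" and rule.proto == proto and rule.port == port
            and src_net.subnet_of(rule.src) and dst_net.subnet_of(rule.dst))


def missing_flows(rules, roles):
    """Required flows no single permit covers in full, as (src role, dst role, proto, port)."""
    missing = set()
    for (s_role, d_role), ports in REQUIRED.items():
        for proto, port in ports:
            for s_net in roles[s_role]:
                for d_net in roles[d_role]:
                    if not any(_covers(r, s_net, d_net, proto, port) for r in rules):
                        missing.add((s_role, d_role, proto, port))
    return sorted(missing)


def excess_permits(rules, roles):
    """Permits reaching an ISE node on a (proto, port) no required flow from the rule's
    source roles uses; a source that maps to no known role counts as excess too."""
    findings = []
    for rule in rules:
        if rule.action != "permit":
            continue
        src_roles = [s for s, nets in roles.items() if any(n.subnet_of(rule.src) for n in nets)]
        for d_role in ISE_ROLES:
            if not any(n.subnet_of(rule.dst) for n in roles[d_role]):
                continue
            needed = set()
            for s in src_roles:
                needed |= REQUIRED.get((s, d_role), set())
            if (rule.proto, rule.port) not in needed:
                findings.append((rule, d_role))
    return findings


# Constructed deployment: one PAN, one MnT, PSNs in 10.10.0.32/27, switches, clients.
SAMPLE_ROLES = {
    "pan": [ipaddress.ip_network("10.10.0.10/32")],
    "mnt": [ipaddress.ip_network("10.10.0.11/32")],
    "psn": [ipaddress.ip_network("10.10.0.32/27")],
    "nad": [ipaddress.ip_network("10.20.0.0/24")],
    "endpoint": [ipaddress.ip_network("10.30.0.0/16")],
}

SAMPLE_RULES = """
permit udp 10.20.0.0/24 10.10.0.32/27 1812   # RADIUS authentication; accounting (1813) was forgotten
permit tcp 10.20.0.0/24 10.10.0.32/27 49     # TACACS+
permit udp 10.10.0.32/27 10.20.0.0/24 1700   # CoA send
permit udp 10.10.0.32/27 10.20.0.0/24 3799   # CoA, port is not configurable
permit tcp 10.30.0.0/16 10.10.0.32/27 8443   # portals (default port)
permit tcp 10.30.0.0/16 10.10.0.32/27 8905   # posture
permit udp 10.30.0.0/16 10.10.0.32/27 8905
permit tcp 10.10.0.10/32 10.10.0.32/27 443   # PAN to PSN replication
permit tcp 10.10.0.10/32 10.10.0.32/27 12001
permit udp 10.10.0.32/27 10.10.0.11/32 20514 # syslog to MnT
permit tcp 10.10.0.32/27 10.10.0.11/32 6514
permit tcp 10.20.0.0/24 10.10.0.32/27 22     # SSH from the switch subnet: no table needs this
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("missing:", missing_flows(rules, SAMPLE_ROLES))
    print("excess:", [(str(r.src), str(r.dst), r.proto, r.port, d) for r, d in excess_permits(rules, SAMPLE_ROLES)])
```

On the sample, the audit reports the forgotten RADIUS accounting flow (UDP/1813 from the switch subnet to the PSN range) as missing and the SSH permit from the switch subnet as excess, since Table 1 restricts SSH to the management interface of the Administration node and nothing in Table 3 needs TCP/22 from network devices. Extend REQUIRED from the remaining rows (ERS on TCP/9060, TACACS+ and the portal range TCP/8000-8999 if non-default portal ports are in use) before relying on it for a real deployment.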