Cisco ISE Ports Reference

Contents
• Cisco ISE All Persona Nodes Ports, on page 1
• Cisco ISE Infrastructure, on page 1
• Cisco ISE Administration Node Ports, on page 2
• Cisco ISE Monitoring Node Ports, on page 4
• Cisco ISE Policy Service Node Ports, on page 6
• Cisco ISE pxGrid Service Ports, on page 10
• OCSP and CRL Service Ports, on page 11

Cisco ISE All Persona Nodes Ports

Table 1: Ports Used by All Nodes
(Columns of the original table: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2))

Replication and Synchronization
  Gigabit Ethernet 0 or Bond 0:
  • HTTPS (SOAP): TCP/443
  • Data synchronization/replication (JGroups): TCP/12001 (Global)
  • ISE Messaging Service: SSL: TCP/8671
  Other Ethernet interfaces: none

Cisco ISE Infrastructure

This appendix lists the TCP and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices. The Cisco ISE ports listed in this appendix must be open on the corresponding firewall.

Keep in mind the following information when configuring services on a Cisco ISE network:
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• Cisco ISE server interfaces do not support VLAN tagging. If you are installing on a hardware appliance, ensure that you disable VLAN trunking on switch ports that are used to connect to Cisco ISE nodes and configure them as access layer ports.
• All NICs can be configured with IP addresses.

Cisco ISE Administration Node Ports

The following table lists the ports used by the Administration nodes.

Table 2: Ports Used by the Administration Nodes
(Columns of the original table: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2))

Administration
  Gigabit Ethernet 0 or Bond 0:
  • HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 is redirected to TCP/443; not configurable)
  • SSH Server: TCP/22
  • External RESTful Services (ERS) REST API: TCP/9060
  • Guest account management from the Admin GUI: TCP/9002
  • ElasticSearch (Context Visibility; replicates data from the primary to the secondary Admin node): TCP/9300
  Note: Ports 80 and 443 support the Admin web applications and are enabled by default. HTTPS and SSH access to Cisco ISE is restricted to Gigabit Ethernet 0. TCP/9300 must be open on both the Primary and Secondary Administration Nodes for incoming traffic.
  Other Ethernet interfaces: none

Monitoring
  • SNMP Query: UDP/161
  Note: This port is route table dependent.

Logging (Outbound)
  • Syslog: UDP/20514, TCP/1468
  • Secure Syslog: TCP/6514
  • SNMP Traps: UDP/162
  Note: Default ports are configurable for external logging.

External Identity Sources and Resources (Outbound)
  Admin User Interface and Endpoint Authentications:
  • LDAP: TCP/389, 3268, UDP/389
  • SMB: TCP/445
  • KDC: TCP/88
  • KPASS: TCP/464
  • WMI: TCP/135
  • ODBC (the ODBC ports are configurable on the third-party database server):
    • Microsoft SQL: TCP/1433
    • Sybase: TCP/2638
    • PostgreSQL: TCP/5432
    • Oracle: TCP/1521
  • NTP: UDP/123
  • DNS: UDP/53, TCP/53
  Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Email
  • Guest account and user password expiration email notification: SMTP: TCP/25

Smart Licensing
  • Connection to the Cisco cloud over TCP/443

Cisco ISE Monitoring Node Ports

The following table lists the ports used by the Monitoring nodes.

Table 3: Ports Used by the Monitoring Nodes
(Columns of the original table: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2))

Administration
  Gigabit Ethernet 0 or Bond 0:
  • HTTP: TCP/80, HTTPS: TCP/443
  • SSH Server: TCP/22
  Other Ethernet interfaces: none

Monitoring
  • Simple Network Management Protocol (SNMP): UDP/161
  Note: This port is route table dependent.

Logging
  • Syslog: UDP/20514, TCP/1468
  • Secure Syslog: TCP/6514
  • SMTP: TCP/25 for email of alarms
  • SNMP Traps: UDP/162
  Note: Default ports are configurable for external logging.

External Identity Sources and Resources (Outbound)
  Admin User Interface and Endpoint Authentications:
  • LDAP: TCP/389, 3268, UDP/389
  • SMB: TCP/445
  • KDC: TCP/88, UDP/88
  • KPASS: TCP/464
  • WMI: TCP/135
  • ODBC (the ODBC ports are configurable on the third-party database server):
    • Microsoft SQL: TCP/1433
    • Sybase: TCP/2638
    • PostgreSQL: TCP/5432
    • Oracle: TCP/1521
  • NTP: UDP/123
  • DNS: UDP/53, TCP/53
  Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Bulk Download for pxGrid
  • SSL: TCP/8910

Cisco ISE Policy Service Node Ports

The following table lists the ports used by the Policy Service nodes.

Table 4: Ports Used by the Policy Service Nodes
(Columns of the original table: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2)

Administration
  Gigabit Ethernet 0 or Bond 0:
  • HTTP: TCP/80, HTTPS: TCP/443
  • SSH Server: TCP/22
  • OCSP: TCP/2560
  Other Ethernet interfaces: Cisco ISE management is restricted to Gigabit Ethernet 0.

Clustering (Node Group)
  Gigabit Ethernet 0 or Bond 0:
  • Node Groups/JGroups: TCP/7800
  Other Ethernet interfaces: none

SCEP
  Gigabit Ethernet 0 or Bond 0:
  • TCP/9090
  Other Ethernet interfaces: none

IPSec/ISAKMP
  Gigabit Ethernet 0 or Bond 0:
  • UDP/500
  Other Ethernet interfaces: none

Device Administration
  • TACACS+: TCP/49
  Note: This port is configurable in Release 2.1 and later releases.

SXP
  • PSN (SXP node) to NADs: TCP/64999
  • PSN to SXP (inter-node communication): TCP/443

TC-NAC
  • TCP/443

Monitoring
  • Simple Network Management Protocol (SNMP): UDP/161
  Note: This port is route table dependent.

Logging (Outbound)
  • Syslog: UDP/20514, TCP/1468
  • Secure Syslog: TCP/6514
  • SNMP Traps: UDP/162
  Note: Default ports are configurable for external logging.

Session
  • RADIUS Authentication: UDP/1645, 1812
  • RADIUS Accounting: UDP/1646, 1813
  • RADIUS DTLS Authentication/Accounting: UDP/2083
  • RADIUS Change of Authorization (CoA) Send: UDP/1700
  • RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
  Note: UDP port 3799 is not configurable.

External Identity Sources and Resources (Outbound)
  Admin User Interface and Endpoint Authentications:
  • LDAP: TCP/389, 3268
  • SMB: TCP/445
  • KDC: TCP/88
  • KPASS: TCP/464
  • WMI: TCP/135
  • ODBC (the ODBC ports are configurable on the third-party database server):
    • Microsoft SQL: TCP/1433
    • Sybase: TCP/2638
    • PostgreSQL: TCP/5432
    • Oracle: TCP/1521
  • NTP: UDP/123
  • DNS: UDP/53, TCP/53
  Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Passive ID (Inbound)
  • TS Agent: TCP/9094
  • AD Agent: TCP/9095
  • Syslog: UDP/40514, TCP/11468

Web Portal Services (Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, Certificate Provisioning, Blacklisting Portal)
  HTTPS (the interface must be enabled for the service in Cisco ISE):
  • Blacklist Portal: TCP/8000-8999 (default port is TCP/8444)
  • Guest Portal and Client Provisioning: TCP/8000-8999 (default port is TCP/8443)
  • Certificate Provisioning Portal: TCP/8000-8999 (default port is TCP/8443)
  • My Devices Portal: TCP/8000-8999 (default port is TCP/8443)
  • Sponsor Portal: TCP/8000-8999 (default port is TCP/8443)
  • SMTP guest notifications from the guest and sponsor portals: TCP/25

Posture
  • Discovery (client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
  Note: By default, TCP/80 is redirected to TCP/8443; see Web Portal Services: Guest Portal and Client Provisioning. Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905. Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
  • Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS). From Cisco ISE Release 2.2 or later with AnyConnect Release 4.4 or later, this port is configurable.
  • Provisioning - URL Redirection: see Web Portal Services: Guest Portal and Client Provisioning
  • Provisioning - ActiveX and Java Applet Install, including IP refresh, Web Agent Install, and launch of NAC Agent Install: see Web Portal Services: Guest Portal and Client Provisioning
  • Provisioning - NAC Agent Install: TCP/8443
  • Provisioning - NAC Agent Update Notification: UDP/8905
  • Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)
  • Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
  • Assessment - PRA/Keep-alive: UDP/8905
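Table 4 is also a baseline for detecting drift on a Policy Service Node: any socket listening on a port the table does not list deserves a look. The following is an added example, not Cisco tooling; it transcribes the fixed-port PSN services from Table 4 (treating them as inbound listeners, which is an assumption for rows such as SCEP and SNMP), matches the web portal range TCP/8000-8999 separately, and runs over a constructed `ss -Hlntu` sample.

```python
"""Audit a Policy Service Node's listening sockets against Table 4 (PSN ports).
Added example, not Cisco tooling; the 'ss -Hlntu' sample below is constructed."""
import re

PSN_EXPECTED = {  # (proto, port) from Table 4 that this example assumes are inbound listeners
    ("tcp", 22): "SSH", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS/SXP/TC-NAC",
    ("tcp", 2560): "OCSP", ("tcp", 7800): "JGroups node group", ("tcp", 9090): "SCEP",
    ("udp", 500): "IPsec/ISAKMP", ("tcp", 49): "TACACS+", ("tcp", 64999): "SXP to NADs",
    ("udp", 161): "SNMP query", ("udp", 2083): "RADIUS DTLS",
    ("udp", 1645): "RADIUS auth", ("udp", 1812): "RADIUS auth",
    ("udp", 1646): "RADIUS acct", ("udp", 1813): "RADIUS acct",
    ("udp", 1700): "RADIUS CoA", ("udp", 3799): "RADIUS CoA (not configurable)",
    ("tcp", 9094): "Passive ID TS Agent", ("tcp", 9095): "Passive ID AD Agent",
    ("udp", 40514): "Passive ID syslog", ("tcp", 11468): "Passive ID syslog",
    ("tcp", 8905): "Posture/provisioning", ("udp", 8905): "Posture PRA/keep-alive",
}
PORTAL_RANGE = range(8000, 9000)  # web portal services, TCP/8000-8999 (defaults 8443/8444)

# One 'ss -Hlntu' row: netid state recv-q send-q local_addr:port peer_addr:port
SS_ROW = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

def classify(proto, port):
    # Documented service name for a listener, or None if Table 4 does not list it
    if (proto, port) in PSN_EXPECTED:
        return PSN_EXPECTED[(proto, port)]
    if proto == "tcp" and port in PORTAL_RANGE:
        return "Web portal services (TCP/8000-8999)"
    return None

def audit(ss_output):
    """Return ({(proto, port): service} seen, [(proto, addr, port)] undocumented)."""
    documented, undocumented = {}, []
    for row in ss_output.splitlines():
        m = SS_ROW.match(row.strip())
        if not m:  # skip headers and anything that is not a socket row
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        service = classify(proto, port)
        if service is None:
            undocumented.append((proto, addr, port))  # drift from Table 4: investigate
        else:
            documented[(proto, port)] = service
    return documented, undocumented

# Constructed sample: four documented listeners and one port Table 4 does not list.
SAMPLE_SS = """\
tcp   LISTEN 0      128    0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8443     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1812     0.0.0.0:*
udp   UNCONN 0      0      [::]:3799        [::]:*
tcp   LISTEN 0      128    10.1.1.10:31337  0.0.0.0:*
"""
```

On a real node, feed the output of `ss -Hlntu` to `audit()`; a documented port that is absent is not necessarily a fault (for example, TACACS+ is only present when Device Administration is enabled), so only the undocumented list is reported as a finding.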