Cisco Identity Services Engine Installation Guide, Release 2.7 - Cisco ISE Ports Reference [Cisco Identity Services Engine] - Cisco
Cisco ISE Ports Reference

Contents
· Cisco ISE All Persona Nodes Ports
· Cisco ISE Infrastructure
· Operating System Ports
· Cisco ISE Administration Node Ports
· Cisco ISE Monitoring Node Ports
· Cisco ISE Policy Service Node Ports
· Cisco ISE pxGrid Service Ports
· OCSP and CRL Service Ports
· Cisco ISE Processes
· Required Internet URLs

Cisco ISE All Persona Nodes Ports

Table 1: Ports Used by All Nodes

Cisco ISE Service: Replication and Synchronization
Ports on Gigabit Ethernet 0 or Bond 0:
· HTTPS (SOAP): TCP/443
· Data Synchronization/Replication (JGroups): TCP/12001 (Global)
· ISE Messaging Service: SSL: TCP/8671
· ISE internal communication: TCP/15672
· Profiler Endpoint Ownership Synchronization/Replication: TCP/6379
Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2): --

Cisco ISE Infrastructure

This appendix lists the TCP and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices. The Cisco ISE ports listed in this appendix must be open on the corresponding firewall.

Keep in mind the following information when configuring services on a Cisco ISE network:
· The ports are enabled based on the services that are enabled in your deployment. Apart from the ports that are opened by the services running in ISE, Cisco ISE denies access to all other ports.
· Cisco ISE management is restricted to Gigabit Ethernet 0.
· RADIUS listens on all network interface cards (NICs).
· Cisco ISE server interfaces do not support VLAN tagging. If you are installing on a hardware appliance, ensure that you disable VLAN trunking on switch ports that are used to connect to Cisco ISE nodes and configure them as access layer ports.
· The ephemeral port range is from 10000 to 65500.
This remains the same for Cisco ISE, Release 2.1 and later.
· VMware on Cloud is supported in Site-to-Site VPN network configuration. Hence, the IP address or port reachability from the network access devices and clients to Cisco ISE must be established without NAT or port filtering.
· All NICs can be configured with IP addresses.
· The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.

Related Concepts: Node Types and Personas in Distributed Deployments

Note: TCP keepalive time on ISE is 60 minutes. Adjust the TCP timeout values accordingly on the firewall if one exists between ISE nodes.

Operating System Ports

The following list gives the TCP ports that NMAP uses for OS scanning. In addition, NMAP uses ICMP and UDP port 51824.

1 3 4 6 7 9 13 17 19 20 21 22 23 24 25 26 30 32 33 37 42 43 49 53 70 79 80 81 82 83 84 85 88 89 90 99 100 106 109 110 111 113 119 125 135 139 143 144 146 161 163 179 199 211 212 222 254 255 256 259 264 280 301 306 311 340 366 389 406 407 416 417 425 427 443 444 445 458 464 465 481 497 500
512 513 514 515 524 541 543 544 545 548 554 555 563 587 593 616 617 625 631 636 646 648 666 667 668 683 687 691 700 705 711 714 720 722 726 749 765 777 783 787 800 801 808 843 873 880 888 898 900 901 902 903 911 912 981 987 990 992 993 995 999
1000 1001 1002 1007 1009 1010 1011 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040-1100 1102 1104 1105 1106 1107 1108 1110 1111 1112 1113 1114 1117 1119 1121 1122 1123 1124 1126 1130 1131 1132 1137 1138 1141 1145 1147 1148 1149 1151 1152 1154 1163 1164 1165 1166 1169 1174 1175 1183 1185 1186 1187 1192 1198 1199
1201 1213 1216 1217 1218 1233 1234 1236 1244 1247 1248 1259 1271 1272 1277 1287 1296 1300 1301 1309 1310 1311 1322 1328 1334 1352 1417 1433 1434 1443 1455 1461 1494 1500 1501 1503 1521 1524 1533 1556 1580 1583 1594 1600 1641 1658 1666 1687 1688 1700 1717 1718 1719 1720 1721 1723 1755 1761 1782 1783 1801 1805 1812 1839 1840 1862 1863 1864 1875 1900 1914 1935 1947 1971 1972 1974 1984 1998-2010
2013 2020 2021 2022 2030 2033 2034 2035 2038 2040-2043 2045-2049 2065 2068 2099 2100 2103 2105-2107 2111 2119 2121 2126 2135 2144 2160 2161 2170 2179 2190 2191 2196 2200 2222 2251 2260 2288 2301 2323 2366 2381-2383 2393 2394 2399 2401 2492 2500 2522 2525 2557 2601 2602 2604 2605 2607 2608 2638 2701 2702 2710 2717 2718 2725 2800 2809 2811 2869 2875 2909 2910 2920 2967 2968 2998
3000 3001 3003 3005 3006 3007 3011 3013 3017 3030 3031 3052 3071 3077 3128 3168 3211 3221 3260 3261 3268 3269 3283 3300 3301 3306 3322 3323 3324 3325 3333 3351 3367 3369 3370 3371 3372 3389 3390 3404 3476 3493 3517 3527 3546 3551 3580 3659 3689 3690 3703 3737 3766 3784 3800 3801 3809 3814 3826 3827 3828 3851 3869 3871 3878 3880 3889 3905 3914 3918 3920 3945 3971 3986 3995 3998
4000-4006 4045 4111 4125 4126 4129 4224 4242 4279 4321 4343 4443 4444 4445 4446 4449 4550 4567 4662 4848 4899 4900 4998
5000-5004 5009 5030 5033 5050 5051 5054 5060 5061 5080 5087 5100 5101 5102 5120 5190 5200 5214 5221 5222 5225 5226 5269 5280 5298 5357 5405 5414 5431 5432 5440 5500 5510 5544 5550 5555 5560 5566 5631 5633 5666 5678 5679 5718 5730 5800 5801 5802 5810 5811 5815 5822 5825 5850 5859 5862 5877 5900-5907 5910 5911 5915 5922 5925 5950 5952 5959 5960-5963 5987-5989 5998-6007
6009 6025 6059 6100 6101 6106 6112 6123 6129 6156 6346 6389 6502 6510 6543 6547 6565-6567 6580 6646 6666 6667 6668 6669 6689 6692 6699 6779 6788 6789 6792 6839 6881 6901 6969
7000 7001 7002 7004 7007 7019 7025 7070 7100 7103 7106 7200 7201 7402 7435 7443 7496 7512 7625 7627 7676 7741 7777 7778 7800 7911 7920 7921 7937 7938 7999
8000 8001 8002 8007 8008 8009 8010 8011 8021 8022 8031 8042 8045 8080-8090 8093 8099 8100 8180 8181 8192 8193 8194 8200 8222 8254 8290 8291 8292 8300 8333 8383 8400 8402 8443 8500 8600 8649 8651 8652 8654 8701 8800 8873 8888 8899 8994
9000 9001 9002 9003 9009 9010 9011 9040 9050 9071 9080 9081 9090 9091 9099 9100 9101 9102 9103 9110 9111 9200 9207 9220 9290 9415 9418 9485 9500 9502 9503 9535 9575 9593 9594 9595 9618 9666 9876 9877 9878 9898 9900 9917 9929 9943 9944 9968 9998 9999
10000 10001 10002 10003 10004 10009 10010 10012 10024 10025 10082 10180 10215 10243 10566 10616 10617 10621 10626 10628 10629 10778 11110 11111 11967 12000 12174 12265 12345 13456 13722 13782 13783 14000 14238 14441 14442 15000 15002 15003 15004 15660 15742 16000 16001 16012 16016 16018 16080 16113 16992 16993 17877 17988 18040 18101 18988 19101 19283 19315 19350 19780 19801 19842
20000 20005 20031 20221 20222 20828 21571 22939 23502 24444 24800 25734 25735 26214 27000 27352 27353 27355 27356 27715 28201 30000 30718 30951 31038 31337 32768 32769 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 32780 32781 32782 32783 32784 32785 33354 33899 34571 34572 34573 34601 35500 36869 38292 40193 40911 41511 42510 44176 44442 44443 44501 45100 48080 49152 49153 49154 49155 49156 49157 49158 49159 49160 49161 49163 49165 49167 49175 49176 49400 49999
50000 50001 50002 50003 50006 50300 50389 50500 50636 50800 51103 51493 52673 52822 52848 52869 54045 54328 55055 55056 55555 55600 56737 56738 57294 57797 58080 60020 60443 61532 61900 62078 63331 64623 64680 65000 65129 65389

Cisco ISE Administration Node Ports

The following table lists the ports used by the Administration nodes:

Table 2: Ports Used by the Administration Nodes

Cisco ISE Service: Administration
Ports on Gigabit Ethernet 0 or Bond 0:
· HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 redirected to TCP/443; not configurable)
· SSH Server: TCP/22
· CoA
· External RESTful Services (ERS) REST API: TCP/9060
· To manage guest accounts from Admin GUI: TCP/9002
· ElasticSearch (Context Visibility; to replicate data from primary to secondary Admin node): TCP/9300
Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2): --
Note: Ports 80 and 443 support Admin web applications and are enabled by default. HTTPS and SSH access to Cisco ISE is restricted to Gigabit Ethernet 0. TCP/9300 must be open on both Primary and Secondary Administration Nodes for incoming traffic.

Cisco ISE Service: Monitoring
· SNMP Query: UDP/161
  Note: This port is route table dependent.
· ICMP

Cisco ISE Service: Logging (Outbound)
· Syslog: UDP/20514, TCP/1468
· Secure Syslog: TCP/6514
  Note: Default ports are configurable for external logging.
· SNMP Traps: UDP/162

Cisco ISE Service: External Identity Sources and Resources (Outbound)
· Admin User Interface and Endpoint Authentications:
  · LDAP: TCP/389, 3268, UDP/389
  · SMB: TCP/445
  · KDC: TCP/88
  · KPASS: TCP/464
  · WMI: TCP/135
  · ODBC (the ODBC ports are configurable on the third-party database server):
    · Microsoft SQL: TCP/1433
    · Sybase: TCP/2638
    · PostgreSQL: TCP/5432
    · Oracle: TCP/1521
· NTP: UDP/323 (localhost interfaces only)
· DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Cisco ISE Service: Email
· Guest account and user password expiration email notification: SMTP: TCP/25

Cisco ISE Service: Smart Licensing
· Connection to Cisco cloud over TCP/443

Cisco ISE Monitoring Node Ports

The following table lists the ports used by the Monitoring nodes:

Table 3: Ports Used by the Monitoring Nodes

Cisco ISE Service: Administration
Ports on Gigabit Ethernet 0 or Bond 0:
· HTTP: TCP/80, HTTPS: TCP/443
· SSH Server: TCP/22
Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2): --

Cisco ISE Service: Monitoring
· Simple Network Management Protocol (SNMP): UDP/161
  Note: This port is route table dependent.
· ICMP

Cisco ISE Service: Logging
· Syslog: UDP/20514, TCP/1468
· Secure Syslog: TCP/6514
  Note: Default ports are configurable for external logging.
· SMTP: TCP/25 for email of alarms
· SNMP Traps: UDP/162

Cisco ISE Service: External Identity Sources and Resources (Outbound)
· Admin User Interface and Endpoint Authentications:
  · LDAP: TCP/389, 3268, UDP/389
  · SMB: TCP/445
  · KDC: TCP/88, UDP/88
  · KPASS: TCP/464
  · WMI: TCP/135
  · ODBC (the ODBC ports are configurable on the third-party database server):
    · Microsoft SQL: TCP/1433
    · Sybase: TCP/2638
    · PostgreSQL: TCP/5432
    · Oracle: TCP/1521, 15723, 16820
· NTP: UDP/323 (localhost interfaces only)
· DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Cisco ISE Service: Bulk Download for pxGrid
· SSL: TCP/8910

Cisco ISE Policy Service Node Ports

Cisco ISE supports HTTP Strict Transport Security (HSTS) for increased security. Cisco ISE sends HTTPS responses indicating to browsers that ISE can only be accessed using HTTPS. If users then try to access ISE using HTTP instead of HTTPS, the browser changes the connection to HTTPS before generating any network traffic. This functionality prevents browsers from sending requests to Cisco ISE using unencrypted HTTP before the server can redirect them.

The following table lists the ports used by the Policy Service nodes:

Table 4: Ports Used by the Policy Service Nodes

Cisco ISE Service: Administration
Ports on Gigabit Ethernet 0 or Bond 0:
· HTTP: TCP/80, HTTPS: TCP/443
· SSH Server: TCP/22
· OCSP: TCP/2560
Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2: Cisco ISE management is restricted to Gigabit Ethernet 0.

Cisco ISE Service: Clustering (Node Group)
· Node Groups/JGroups: TCP/7800
Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2: --

Cisco ISE Service: SCEP
· TCP/9090
Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2: --

Cisco ISE Service: IPSec/ISAKMP
· UDP/500
Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2: --

Cisco ISE Service: Device Administration
· TACACS+: TCP/49
  Note: This port is configurable in Release 2.1 and later releases.

Cisco ISE Service: TrustSec
· Use HTTP and the Cisco ISE REST API to transfer TrustSec data to network devices over port 9063.

Cisco ISE Service: SXP
· PSN (SXP node) to NADs: TCP/64999
· PSN to SXP (internal communication on the same Cisco ISE): TCP/9644

Cisco ISE Service: TC-NAC
· TCP/443

Cisco ISE Service: Monitoring
· Simple Network Management Protocol (SNMP): UDP/161
  Note: This port is route table dependent.

Cisco ISE Service: Logging (Outbound)
· Syslog: UDP/20514, TCP/1468
· Secure Syslog: TCP/6514
  Note: Default ports are configurable for external logging.
· SNMP Traps: UDP/162

Cisco ISE Service: Session
· RADIUS Authentication: UDP/1645, 1812
· RADIUS Accounting: UDP/1646, 1813
· RADIUS DTLS Authentication/Accounting: UDP/2083
· RADIUS Change of Authorization (CoA) Send: UDP/1700
· RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
  Note: UDP port 3799 is not configurable.

Cisco ISE Service: External Identity Sources and Resources (Outbound)
· Admin User Interface and Endpoint Authentications:
  · LDAP: TCP/389, 3268
  · SMB: TCP/445
  · KDC: TCP/88
  · KPASS: TCP/464
  · WMI: TCP/135
  · ODBC (the ODBC ports are configurable on the third-party database server):
    · Microsoft SQL: TCP/1433
    · Sybase: TCP/2638
    · PostgreSQL: TCP/5432
    · Oracle: TCP/1521
· NTP: UDP/323 (localhost interfaces only)
· DNS: UDP/53, TCP/53
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Cisco ISE Service: Passive ID (Inbound)
· TS Agent: TCP/9094
· AD Agent: TCP/9095
· Syslog: UDP/40514, TCP/11468

Cisco ISE Service: Web Portal Services
- Guest/Web Authentication
- Guest Sponsor Portal
- My Devices Portal
- Client Provisioning
- Certificate Provisioning
- BlackList Portal
HTTPS (the interface must be enabled for the service in Cisco ISE):
· Blacklist Portal: TCP/8000-8999 (default port is TCP/8444)
· Guest Portal and Client Provisioning: TCP/8000-8999 (default port is TCP/8443)
· Certificate Provisioning Portal: TCP/8000-8999 (default port is TCP/8443)
· My Devices Portal: TCP/8000-8999 (default port is TCP/8443)
· Sponsor Portal: TCP/8000-8999 (default port is TCP/8445)
· SMTP guest notifications from guest and sponsor portals: TCP/25

Cisco ISE Service: Posture
- Discovery
- Provisioning
- Assessment/Heartbeat
· Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
  Note: By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
  Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905. Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
· Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
  From Cisco ISE, Release 2.2 or later with AnyConnect, Release 4.4 or later, this port is configurable.

Cisco ISE Service: Bring Your Own Device (BYOD) / Network Service Protocol (NSP)
- Redirection
- Provisioning
- SCEP
· Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
· For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices.
· Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning.
· Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
· Provisioning - Wizard Install from Google Play (Android): TCP/443
· Provisioning - Supplicant Provisioning Process: TCP/8905
· SCEP Proxy to CA: TCP/80 or TCP/443 (based on the SCEP RA URL configuration)

Cisco ISE Service: Mobile Device Management (MDM) API Integration
· URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
· API: Vendor specific
· Agent Install and Device Registration: Vendor specific

Cisco ISE Service: Profiling
· NetFlow: UDP/9996
  Note: This port is configurable.
· DHCP: UDP/67
  Note: This port is configurable.
· DHCP SPAN Probe: UDP/68
· HTTP: TCP/80, 8080
· DNS: UDP/53 (lookup)
  Note: This port is route table dependent.
· SNMP Query: UDP/161
  Note: This port is route table dependent.
· SNMP TRAP: UDP/162
  Note: This port is configurable.
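The HSTS behaviour described at the start of the Policy Service Node section above (the server sends a Strict-Transport-Security header over HTTPS; from then on the browser rewrites http:// URLs for that host to https:// before any packet leaves) can be checked with a small model of a browser's HSTS store. The following Python is an added example, not code from the Cisco guide: it parses the header as RFC 6797 specifies, stores the policy, and shows that the first plain-HTTP visit still depends on the server-side TCP/80 to TCP/443 redirect while every later visit is upgraded locally. The host name ise.example.test and the response headers in SAMPLE_HEADERS are constructed for the example; nothing here contacts a real node.

```python
"""Added example (not from the Cisco guide): model the HSTS policy an HTTPS
server such as the ISE admin portal sends, and the browser-side URL rewrite
that follows (RFC 6797)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int            # seconds the browser should remember the host
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None for an invalid
    header: no max-age, a non-numeric max-age, or a directive given twice."""
    max_age: Optional[int] = None
    include_sub = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:                        # duplicate directives invalidate the header
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unrecognised directives are ignored
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


class BrowserHstsStore:
    """Minimal model of a browser's HSTS host cache."""

    def __init__(self) -> None:
        self._hosts: Dict[str, HstsPolicy] = {}

    def learn(self, host: str, headers: Dict[str, str], over_tls: bool = True) -> bool:
        """Record the policy from a response. Returns True if a policy was stored or cleared."""
        if not over_tls:                        # an STS header over plain HTTP must be ignored
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:                 # max-age=0 tells the browser to forget the host
            self._hosts.pop(host, None)
        else:
            self._hosts[host] = policy
        return True

    def is_known(self, host: str) -> bool:
        host = host.lower()
        if host in self._hosts:
            return True
        labels = host.split(".")
        for i in range(1, len(labels) - 1):     # parent domains with includeSubDomains cover this host
            parent = self._hosts.get(".".join(labels[i:]))
            if parent is not None and parent.include_subdomains:
                return True
        return False

    def navigate(self, url: str) -> Tuple[str, bool]:
        """Return (URL the browser actually fetches, whether plaintext HTTP is used)."""
        p = urlsplit(url)
        if p.scheme.lower() == "http" and p.hostname and self.is_known(p.hostname):
            # port 80 becomes 443; any other explicit port is kept (RFC 6797 section 8.3)
            netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment)), False
        return url, p.scheme.lower() == "http"


# Constructed sample response headers, as an ISE node could send them over HTTPS.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def first_and_second_visit(host: str = "ise.example.test") -> Tuple[bool, bool]:
    """Plaintext-used flag for a visit before and after the browser learns the policy."""
    store = BrowserHstsStore()
    _, before = store.navigate(f"http://{host}/admin")  # only the TCP/80 -> TCP/443 redirect protects this one
    store.learn(host, SAMPLE_HEADERS)                    # headers arrive in the HTTPS response
    _, after = store.navigate(f"http://{host}/admin")   # rewritten to https before any traffic
    return before, after


if __name__ == "__main__":
    print(first_and_second_visit())   # (True, False)
```

To check a real deployment, feed `learn()` the headers from an actual admin-portal response (for example captured with `curl -sI` against the node's HTTPS URL) and confirm `parse_hsts` returns a policy with a non-zero max-age; a missing or malformed header means the browser will keep relying on the server-side redirect for every first visit.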
Cisco ISE pxGrid Service Ports

The following table lists the ports used by the pxGrid Service nodes:

Table 5: Ports Used by the pxGrid Service Node

Cisco ISE Service: Administration
Ports on Gigabit Ethernet 0 or Bond 0:
· SSL: TCP/5222 (Inter-Node Communication)
· SSL: TCP/7400 (Node Group Communication)
Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2): --

Cisco ISE Service: pxGrid Subscribers
· Inter-node communication: TCP/8910 on Gigabit Ethernet 0 or Bond 0; TCP/8910 on other Ethernet interfaces

OCSP and CRL Service Ports

For the Online Certificate Status Protocol (OCSP) services and the Certificate Revocation List (CRL), the ports depend on the CA server or on the service hosting OCSP/CRL; the Cisco ISE service and port tables above list only the basic ports used by the Administration Node, Policy Service Node, and Monitoring Node.

For OCSP, the default ports that can be used are TCP 80 and TCP 443. The Cisco ISE Admin portal expects an HTTP-based URL for OCSP services, so TCP 80 is the default. You can also use non-default ports.

For the CRL, the default protocols include HTTP, HTTPS, and LDAP, and the default ports are 80, 443, and 389 respectively. The actual port is contingent on the CRL server.

Cisco ISE Processes

The following table lists the Cisco ISE processes and their service impact:

Process Name | Service Description | Service Impact
Database Listener | Oracle Enterprise Database Listener | Must be in Running state for all services to work properly
Database Server | Oracle Enterprise Database Server. Stores both configuration and operational data. | Must be in Running state for all services to work properly
Application Server | Main Tomcat Server for ISE | Must be in Running state for all services to work properly
Profiler Database | Redis database for ISE Profiling service | Must be in Running state for ISE profiling service to work properly
AD Connector | Active Directory Runtime | Must be in Running state for ISE to perform Active Directory authentications
MnT Session Database | Oracle TimesTen Database for MnT service | Must be in Running state for all services to work properly
MnT Log Collector | Log collector for MnT service | Must be in Running state for MnT Operational Data
MnT Log Processor | Log processor for MnT service | Must be in Running state for MnT Operational Data
Certificate Authority Service | ISE Internal CA service | Must be in Running state if ISE internal CA is enabled

Required Internet URLs

The following table lists the features that use certain URLs. Configure either your network firewall or a proxy server so that IP traffic can travel between Cisco ISE and these resources. If access to any URL listed in the following table cannot be provided, the related feature may be impaired or inoperable.

Table 6: Required URLs Access

Feature | URLs
Posture updates | https://www.cisco.com/
Profiling Feed Service | https://iseservice.cisco.com, https://ise.cisco.com
Smart Licensing | https://tools.cisco.com
Telemetry | https://connectdna.cisco.com/
Social Login for Self-Registered Guests | facebook.co, akamaihd.net, akamai.co, fbcdn.net

The Interactive Help feature needs Cisco ISE to connect to the following URLs using the administration portal browser:
· *.walkme.com
· *.walkmeusercontent.com