Cisco Identity Services Engine ISE Ports Reference User Guide

Cisco Identity Services Engine ISE Ports Reference

Cisco ISE All Persona Nodes Ports

Table 1: Ports Used by All Nodes

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces (Gigbit Ethernet 1 through 5, or Bond 1 and 2)
---|---|---
Replication and Synchronization|

• HTTPS (SOAP): TCP/443
• Data Synchronization/ Replication (JGroups): TCP/12001 (Global)
• ISE Messaging Service: SSL: TCP/8671
• ISE internal communication: TCP/15672
•  Profiler Endpoint Ownership Synchronization/ Replication: TCP/6379

| —

Cisco ISE Infrastructure

This appendix lists the TCP and User Datagram Protocol UDP ports that Cisco ISE uses for intranetwork communications with external applications and devices. The Cisco ISE ports listed in this appendix must be open on the corresponding firewall.

Keep in mind the following information when configuring services on a Cisco ISE network:

• The ports are enabled based on the services that are enabled in your deployment. Apart from the ports that are opened by the services running in ISE, Cisco ISE denies access to all other ports.
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• Cisco ISE server interfaces do not support VLAN tagging. If you are installing on a hardware appliance, ensure that you disable VLAN trunking on switch ports that are used to connect to Cisco ISE nodes and configure them as access layer ports.
• The ephemeral port range is from 10000 to 65500. This remains the same for Cisco ISE, Release 2.1 and later.
• VMware on Cloud is supported inSite-to-Site VPN network configuration. Hence, the IPaddress or port reachability from the network access devices and clients to Cisco ISE must be established without NAT or port filtering.
• All NICs can be configured with IP addresses.
• The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.

Related Concepts

Node Types and Personas in Distributed Deployments

Note
TCP keep alive time on ISE is 60 minutes. Adjust the TCP timeout values accordingly on the firewall if one exists between ISE nodes.

Operating System Ports

The following table lists the TCP ports that NMAP uses for OS scanning. In addition, NMAP uses ICMP and UDP port 51824.

Cisco ISE Administration Node Ports

The following table lists the ports used by the Administration nodes:

Table 2: Ports Used by the Administration Nodes

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces (Gigbit Ethernet 1 through 5, or Bond 1 and 2)
---|---|---
Administration|

• HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 redirected to TCP/443; not configurable)
• SSH Server: TCP/22
• CoA
• External RESTful Services (ERS) REST API: TCP/9060
• To manage guest accounts from Admin GUI: TCP/9002
• Elastic Search (Context Visibility; to replicate data from primary to secondary Admin node): TCP/9300

Note
Ports 80 and 443 support Admin web applications and are enabled by default.
HTTPS and SSH access to Cisco ISE is restricted to Gigabit Ethernet 0.
TCP/9300 must be open on both Primary and Secondary Administration Nodes for incoming traffic.

| —
Monitoring|

• SNMP Query: UDP/161
  Note
  This port is route table dependent. __

• ICMP

Logging (Outbound)|

• Syslog: UDP/20514, TCP/1468

• Secure Syslog: TCP/6514
  Note
  Default ports are configurable for external logging.

• __ SNMP Traps: UDP/162

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces (Gigbit Ethernet 1 through 5, or Bond 1 and 2)
---|---|---
External Identity Sources and Resources (Outbound)|

• Admin User Interface and Endpoint Authentications:

  • LDAP: TCP/389, 3268, UDP/389
  • SMB: TCP/445
  • KDC: TCP/88
  • KPASS: TCP/464 __

• WMI : TCP/135

• ODBC:
  Note
  The ODBC ports are configurable on the third-party database server.

  • Microsoft SQL: TCP/1433
  • Sybase: TCP/2638
  • PortgreSQL: TCP/5432
  • Oracle: TCP/1521 __

• NTP: UDP/323 (localhost interfaces only)

• DNS: UDP/53, TCP/53

Note
For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Email| Guest account and user password expirations email notification: SMTP: TCP/25
Smart Licensing| Connection to Cisco cloud over TCP/443

Cisco ISE Monitoring Node Ports

The following table lists the ports used by the Monitoring nodes:

Table 3: Ports Used by the Monitoring Nodes

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2)
---|---|---
Administration|

• HTTP: TCP/80, HTTPS: TCP/443
• SSH Server: TCP/22

| —
Monitoring| Simple Network Management Protocol [SNMP]: UDP/161
Note
This port is route table dependent.

• ICMP

Logging|

• Syslog: UDP/20514, TCP/1468

• Secure Syslog: TCP/6514
  Note
  Default ports are configurable for external logging.

• SMTP: TCP/25 for email of alarms

• SNMP Traps: UDP/162

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2)
---|---|---
External Identity Sources and Resources (Outbound)|

• Admin User Interface and Endpoint Authentications:

  • LDAP: TCP/389, 3268, UDP/389
  • SMB: TCP/445
  • KDC: TCP/88, UDP/88
  • KPASS: TCP/464

• WMI : TCP/135

• ODBC:
  Note
  The ODBC ports are configurable on the third-party database server. __

  • Microsoft SQL: TCP/1433
  • Sybase: TCP/2638
  • PortgreSQL: TCP/5432
  • Oracle: TCP/1521, 15723, 16820 __

• NTP: UDP/323 (localhost interfaces only)

• DNS: UDP/53, TCP/53

Note
For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Bulk Download for pxGrid| SSL: TCP/8910

Cisco ISE Policy Service Node Ports

Cisco ISE supports HTTP Strict Transport Security (HSTS) for increased security. Cisco ISE sends HTTPS responses indicating to browsers that ISE can only be accessed using HTTPS. If users then try to access ISE using HTTP instead of HTTPS, the browser changes the connection to HTTPS before generating any network traffic. This functionality prevents browsers from sending requests to Cisco ISE using unencrypted HTTP before the server can redirect them.

The following table lists the ports used by the Policy Service nodes:

Table 4: Ports Used by the Policy Service Nodes

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2
---|---|---
Administration|

• HTTP: TCP/80, HTTPS: TCP/443
• SSH Server: TCP/22
• OCSP: TCP/2560

| Cisco ISE management is restricted to Gigabit Ethernet 0.
Clustering (Node Group)| Node Groups/JGroups: TCP/7800| —
SCEP| TCP/9090| —
IPSec/ISAKMP| UDP/500| —
Device Administration| TACACS+: TCP/49

Note
This port is configurable in Release 2.1 and later releases.

TrustSec| Use HTTP and Cisco ISE REST API to transfer TrustSec data to network devices over port 9063.
SXP|

• PSN (SXP node) to NADs: TCP/64999
• PSN to SXP (internal communication on the same Cisco ISE): TCP/9644

TC-NAC| TCP/443
Monitoring| Simple Network Management Protocol [SNMP]: UDP/161

Note
This port is route table dependent.

Logging (Outbound)|

• Syslog: UDP/20514, TCP/1468

• Secure Syslog: TCP/6514
  Note
  Default ports are configurable for external logging.

• SNMP Traps: UDP/162

Session|

• RADIUS Authentication: UDP/1645, 1812
• RADIUS Accounting: UDP/1646, 1813
• RADIUS DTLS Authentication/Accounting: UDP/2083.
• RADIUS Change of Authorization (CoA) Send: UDP/1700
• RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799

Note
UDP port 3799 is not configurable.

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2
---|---|---
External Identity Sources and Resources (Outbound)|

• Admin User Interface and Endpoint Authentications:

  • LDAP: TCP/389, 3268
  • SMB: TCP/445
  • KDC: TCP/88
  • KPASS: TCP/464

• WMI : TCP/135

• ODBC:
  Note
  The ODBC ports are configurable on the third-party database server.

  • Microsoft SQL: TCP/1433
  • Sybase: TCP/2638
  • PortgreSQL: TCP/5432
  • Oracle: TCP/1521

• NTP: UDP/323 (localhost interfaces only)

• DNS: UDP/53, TCP/53

Note
For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

Passive ID (Inbound)|

• TS Agent: tcp/9094
• AD Agent: tcp/9095
• Syslog: UDP/40514, TCP/11468

Web Portal Services:

–  Guest/Web Authentication
–  Guest Sponsor Portal
–  My Devices Portal
–  Client Provisioning
–  Certificate Provisioning
–  BlackList Portal

| HTTPS (Interface must be enabled for service in Cisco ISE):

• Blacklist Portal: TCP/8000-8999 (default port is TCP/8444)
• Guest Portal and Client Provisioning: TCP/8000 8999 (default port is TCP/8443)
• Certificate Provisioning Portal: TCP/8000-8999 (default port is TCP/8443)
• My Devices Portal: TCP/8000-8999 (default port is TCP/8443)
• Sponsor Portal: TCP/8000-8999 (default port is TCP/8445)
• SMTP guest notifications from guest and sponsor portals: TCP/25

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2
---|---|---
Posture

–  Discovery
–  Provisioning
–  Assessment/ Heartbeat

|

• Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
  Note
  By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
  Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
  Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).

• Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
  From Cisco ISE, Release 2.2 or later with AnyConnect, Release 4.4 or later, this port is configurable.

Bring Your Own Device (BYOD) / Network Service Protocol (NSP)

–  Redirection
–  Provisioning
–  SCEP

|

• Provisioning – URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
• For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices.
• Provisioning – Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning
• Provisioning – Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
• Provisioning – Wizard Install from Google Play (Android): TCP/443
• Provisioning – Supplicant Provisioning Process: TCP/8905
• SCEP Proxy to CA: TCP/80 or TCP/443 (Based on SCEP RA URL configuration)

Mobile Device Management (MDM) API Integration|

• URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
• API: Vendor specific
• Agent Install and Device Registration: Vendor specific

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2
---|---|---
Profiling|

• NetFlow: UDP/9996
  Note
  This port is configurable.

• DHCP: UDP/67
  Note
  This port is configurable.

• DHCP SPAN Probe: UDP/68

• HTTP: TCP/80, 8080

• DNS: UDP/53 (lookup)
  Note
  This port is route table dependent.

• SNMP Query: UDP/161
  Note
  This port is route table dependent.

• __ SNMP TRAP: UDP/162

• Note
  This port is configurable.

Cisco ISE pxGrid Service Ports

The following table lists the ports used by the pxGrid Service nodes:

Table 5: Ports Used by the pxGrid Service Node

Cisco ISE Service| Ports on Gigabit Ethernet 0 or Bond 0| Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2)
---|---|---
Administration|

• SSL: TCP/5222 (Inter-Node Communication)
• SSL: TCP/7400 (Node Group Communication)

| —
pxGrid Subscribers| TCP/8910
Inter-node communication| TCP/8910

OCSP and CRL Service Ports

For the Online Certificate Status Protocol services (OCSP) and the Certificate Revocation List (CRL), the ports are dependent on the CA Server or on service hosting OCSP/CRL although references to the Cisco ISE services and ports list basic ports that are used in Cisco ISE Administration Node, Policy Service Node, Monitoring Node separately.

For the OCSP, the default ports that can be used are TCP 80/ TCP 443. Cisco ISE Admin portal expects http-based URL for OCSP services, and so, TCP 80 is the default. You can also use non-default ports.

For the CRL, the default protocols include HTTP, HTTPS, and LDAP and the default ports are 80, 443, and 389 respectively. The actual port is contingent on the CRL server.

Cisco ISE Processes

The following table lists the Cisco ISE processes and their service impact:

state for all services to work properly
Database Server| Oracle Enterprise Database Server. Stores both configuration and operational data.| Must be in Running state for all services to work properly
Application Server| Main Tomcat Server for ISE| Must be in Running state for all services to work properly
Profiler Database| Redis database for ISE Profiling service| Must be in Running state for ISE profiling service to work properly
AD Connector| Active Directory Runtime| Must be in Running state for ISE to perform Active Directory authentications
MnT Session Database| Oracle TimesTen Database for MnT service| Must be in Running state for all services to work properly
MnT Log Collector| Log collector for MnT service| Must be in Running state for MnT Operational Data
MnT Log Processor| Log processor for MnT service| Must be in Running state for MnT Operational Data
Certificate Authority Service| ISE Internal CA service| Must be in Running state if ISE internal CA is enabled

Required Internet URLs

The following table lists the features that use certain URLs. Configure either your network firewall or a proxy server so that IP traffic can travel between Cisco ISE and these resources. If access to any URL listed in the following table cannot be provided, the related feature may be impaired or inoperable.

Table 6: Required URLs Access

https://iseservice.cisco.com
Profiling Feed Service| https://ise.cisco.com
Smart Licensing| https://tools.cisco.com
Telemetry| https://connectdna.cisco.com/
Social Login for Self-Registered Guests| facebook.co
akamaihd.net
akamai.co
fbcdn.net

The Interactive Help feature needs Cisco ISE to connect to the following URLs using the administration portal browser:

• *.walkme.com
• *.walkmeusercontent.com

Read User Manual Online (PDF format)

Read User Manual Online (PDF format)  >>

Download This Manual (PDF format)

Download this manual  >>