We've been deploying an ISE solution (1.1.0-665 version) in one customer and we have one doubt regarding Posture Assessment/Remediation. We're trying to check AV installation and definitions and this check is working fine but things get a little bit complicated when we try to remediate the machines.
In our Posture redirect ACL we don't redirect DNS, DHCP and ICMP to some hosts/servers as well as the necessary "posture traffic" (TCP/UDP 8905, 8906 and 8443 to the ISE IP) and redirect all HTTP and HTTPS traffic to the ISE in order to force Posture for users who need the Web Agent.
And this means that when Posture Assessment fails and we need to remediate client's machine we are going to have problems performing automatic remediation since our AV (McAfee), as well as many others, tries to access update servers using port 80 and that traffic will be redirected per Redirect ACL.
Is there a way to overcome this problem? Including update servers in our Redirect ACL deny lines is not an option, since there are too many and they are dynamic.
Thanks for your answer. We've opened a case in TAC and we are working to find the best solution. Denying traffic redirection for McAfee subnet is not a solution for us, since we want to control every machine (from inside and outside the company) and we want to allow all AV vendors.
No, there is no way of doing automatic remediation in external servers unless you exempt them from redirection in the Posture ACL. They have a NAC-style solution in roadmap, however. I'm sending below the answer provided by TAC:
"If in a future release we can integrate a redirect ACL based on DNS, we can have a series of short ACLs match vendor domain names, thus allowing us broad coverage of AV updates. Unfortunately this feature is not yet available."
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...