Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.x
Appendix H, Cisco ISE Appliance Ports Reference

Cisco ISE Appliance Ports Reference

This appendix lists the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork communications with external applications and devices.

Table A-1 lists the ports by TCP and UDP port number, identifies the associated feature, service, or protocol, and describes any port-specific information that applies to the four Gigabit Ethernet interfaces: GbEth0, GbEth1, GbEth2, and GbEth3. The Cisco ISE ports listed in this table must be open on the corresponding firewall. The list is useful when configuring a firewall, creating access control lists (ACLs), and configuring services on a Cisco ISE network.

 

Table A-1 Cisco ISE Services and Ports

Columns of the source table: Cisco ISE Node; ISE Service; Ports on Gigabit Ethernet 0; Ports on Gigabit Ethernet 1; Ports on Gigabit Ethernet 2; Ports on Gigabit Ethernet 3. The entries below are grouped by node and service, and labelled by interface where the table distinguishes them. Bracketed numbers refer to the footnotes at the end of the table.

Administration ISE node

Administration

  Gigabit Ethernet 0:
  • TCP: 22 (Secure Shell [SSH] server)
  • TCP: 80 [1] (HTTP)
  • TCP: 443 [1] (HTTPS)
  Note Port 80 is redirected to port 443 (not configurable).
  Note Ports 80 and 443 support Admin web applications and are enabled by default.

  Gigabit Ethernet 1, 2, and 3: Cisco ISE management is restricted to Gigabit Ethernet 0.

Replication and Synchronization

  • TCP: 443 (HTTPS SOAP)
  • TCP: 1521 [2] (Database Listener and AQ)
  • Internet Control Message Protocol (ICMP) (Heartbeat)

Monitoring

  • UDP: 161 (Simple Network Management Protocol [SNMP] QUERY)
  Note This port is route table dependent.

Monitoring ISE node

Administration

  • TCP: 22 (SSH server)
  • TCP: 80 [1] (HTTP)
  • TCP: 443 [1] (HTTPS)

Replication and Synchronization

  Gigabit Ethernet 0:
  • TCP: 443 (HTTPS SOAP)
  • TCP: 1521 [2] (Database Listener and AQ)
  • ICMP (Heartbeat)

  Gigabit Ethernet 1, 2, and 3 (each):
  • TCP: 1521 [2] (Database Listener and AQ)

Logging

  • UDP: 20514 (Syslog)
  Note Default ports are configurable for external logs.
  • Alarms/activemq: TCP: 62627 (ISE 1.1)

Policy Service ISE node

Administration

  • TCP: 22 (SSH server)
  • TCP: 80 [1] (HTTP)
  • TCP: 443 [1] (HTTPS)

Replication and Synchronization

  Gigabit Ethernet 0:
  • TCP: 443 (HTTPS SOAP)
  • TCP: 1521 [2] (Database Listener and AQ)

  Gigabit Ethernet 1, 2, and 3 (each):
  • TCP: 1521 [2] (Database Listener and AQ)

Session

  • UDP: 1645, 1812 (RADIUS Authentication)
  • UDP: 1646, 1813 (RADIUS Accounting)
  • UDP: 1700, 3799 (RADIUS change of authorization [CoA])
  Note UDP port 1700 is not configurable.
  • TCP: 88, 389, 464 (Outbound AD and Lightweight Directory Access Protocol [LDAP])
  • UDP: 30514 (Syslog)
  Note This is internal via session services.

Guest and Sponsor Portal

  • TCP: 8443 (HTTPS)
  Note TCP port 8443 is enabled by default and configurable.

Client Provisioning

  Gigabit Ethernet 0:
  • TCP: 80, 8443 (web or Cisco NAC agent installation)
  Note TCP port 8443 is enabled by default, configurable, and corresponds to the Guest configuration.
  • TCP: 8905 (Cisco NAC agent update)
  • TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)

  Gigabit Ethernet 1, 2, and 3 (each):
  • TCP: 8905 (Cisco NAC agent update)
  • TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)

Posture and Heartbeat

  • TCP: 8905 Discovery (HTTPS)
  • UDP: 8905 (Layer 2) Discovery (SWISS)
  • UDP: 8905 PRA/Keep-alive (SWISS)

Profiler

  • UDP: 9996 (NetFlow)
  Note This port is configurable.
  • UDP: 67 (DHCP)
  Note This port is configurable.
  • TCP: 80, 8080 (DHCPSPAN probe and HTTP)
  • UDP: 30514 (RADIUS logging)
  Note This is internal via session services.
  • NMAP uses ports 0-65535 [3] (outbound).
  • UDP: 53 (DNS lookup)
  Note This port is route table dependent.
  • UDP: 161 (SNMP QUERY)
  Note This port is route table dependent.
  • UDP: 162 (SNMP trap)
  Note This port is configurable.

Clustering

  • UDP: 45588, 45590

Inline Posture ISE node

Administration

  • TCP: 22 (SSH server)
  • TCP: 8443 (HTTPS)
  Note This port is used by the Administration ISE node.

Inline Posture

  Gigabit Ethernet 0:
  • UDP: 1645, 1812 (RADIUS proxy for authentication)
  • UDP: 1646, 1813 (RADIUS proxy for accounting)
  • UDP: 1700, 3799 (RADIUS CoA)
  • TCP: 9090 (Redirect)

  Gigabit Ethernet 1:
  • UDP: 1645, 1812 (RADIUS proxy for authentication)
  • UDP: 1646, 1813 (RADIUS proxy for accounting)
  • RADIUS CoA: Not applicable
  • TCP: 9090 (Redirect)

Note High Availability and Management services are Inline Posture-specific and do not apply to any other Cisco ISE node types.

High Availability

  Gigabit Ethernet 0 and 1 (each):
  • UDP: 694 (Heartbeat)

Management

  Gigabit Ethernet 0 and 1 (each):
  • TCP: 9090 (Redirect)

Footnotes:

[1] Because Inline Posture nodes do not support the Administration persona, they do not have access to this port.

[2] Because Inline Posture nodes do not support the database listener function, they do not have access to this port.

[3] NMAP OS Scan uses ports 0-65535 to detect the endpoint operating system.
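As an added example (not part of the Cisco guide), the following Python script encodes the Administration ISE node's Gigabit Ethernet 0 entries from Table A-1 and compares them with a socket listing in the shape of `ss -lntu` output, reporting listeners the table does not document and documented ports with nothing listening. The `ss` lines and their port numbers are constructed sample data, not output captured from a real node.

```python
# Added example (not from the Cisco guide): audit a node's listening sockets
# against the ports Table A-1 documents for its persona and interface.
from collections import namedtuple

Rule = namedtuple("Rule", "proto port service")

# Subset of Table A-1: Administration ISE node, Gigabit Ethernet 0.
ADMIN_NODE_GBETH0 = {
    Rule("tcp", 22, "SSH server"),
    Rule("tcp", 80, "HTTP, redirected to 443"),
    Rule("tcp", 443, "HTTPS admin / HTTPS SOAP replication"),
    Rule("tcp", 1521, "Database Listener and AQ"),
    Rule("udp", 161, "SNMP QUERY"),
}

# Constructed sample in the shape of `ss -lntu` output; not captured from a real node.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:1521      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8443      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
"""

def parse_ss(output):
    """Return {(proto, port)} for sockets bound to a non-loopback address."""
    listeners = set()
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue                              # not reachable from the network
        listeners.add((fields[0], int(port)))
    return listeners

def audit(listeners, expected):
    """Return (unexpected, missing): listeners the table does not document,
    and documented ports with nothing listening."""
    documented = {(r.proto, r.port) for r in expected}
    return sorted(listeners - documented), sorted(documented - listeners)

if __name__ == "__main__":
    unexpected, missing = audit(parse_ss(SAMPLE_SS_OUTPUT), ADMIN_NODE_GBETH0)
    print("undocumented listeners:", unexpected)     # [('tcp', 8443)]
    print("documented but not listening:", missing)  # [('tcp', 80)]
```

Run the same check with the entries for the persona and interface of the node being audited; a listener outside the documented set is worth a firewall rule review, and a documented port with nothing listening usually means a service is not enabled.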