Cisco Identity Services Engine Installation Guide, Release 3.5

Administration node ports

Overview

This section lists the TCP ports required to access and manage the Cisco ISE Policy Administration node for administrative tasks and web-based configuration.

The Policy Administration node is the primary interface for managing your Cisco ISE deployment. To ensure secure and uninterrupted access to the administrative console and configuration services, specific TCP ports must be configured.

This table lists the ports required for administrative connectivity, helping you maintain secure control over your security policies and system settings.

Table 1. Ports used by the Administration nodes

Columns: Cisco ISE service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on other Ethernet interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2)

Administration

Ports on Gigabit Ethernet 0 or Bond 0:

  • HTTPS: TCP/443

  • SSH Server: TCP/22

  • CoA

  • External RESTful Services (ERS) REST API: TCP/443, TCP/9060

    The ERS and OpenAPI services are HTTPS-only REST APIs and operate over port 443. Currently, ERS APIs also operate over port 9060. This port might not be supported for ERS APIs in later Cisco ISE releases. We recommend that you use only port 443 for ERS APIs. The default conn-limit value for port 9060 is 30. If consecutive ERS API calls return an HTTP 502 error, we recommend that you increase the conn-limit value of port 9060 to 60 using the command conn-limit cl1 60 port 9060.

  • External RESTful Services (ERS) REST API certificate-based authentication for DNAC integration mode: TCP/9062

  • To manage guest accounts from Admin GUI: TCP/9002

  • Port 443 supports Admin web applications and is enabled by default.

    Access to Cisco ISE via HTTPS and SSH is restricted to Gigabit Ethernet 0.

  • For SAML admin login, port 8443 on the PSN must be reachable from the device from which the administrator initiates the SAML login.

Ports on other Ethernet interfaces: Not applicable

Monitoring

  • SNMP Query: UDP/161

    This port is route table dependent.

  • ICMP

Logging (Outbound)

  • Syslog: UDP/20514, TCP/1468

  • Secure Syslog: TCP/6514

    Default ports are configurable for external logging.

  • SNMP Traps: UDP/162

External identity sources and resources (Outbound)

  • Admin user interface and endpoint authentications:

    • LDAP: TCP/389, 3268, UDP/389

    • SMB: TCP/445

    • KDC: TCP/88

    • KPASS: TCP/464

  • WMI: TCP/135

  • ODBC:

    The ODBC ports are configurable on the third-party database server.

    • Microsoft SQL: TCP/1433

    • Sybase: TCP/2638

    • PostgreSQL: TCP/5432

    • Oracle: TCP/1521, TCPS/2484

  • NTP: UDP/123 (localhost interfaces only)

  • DNS: UDP/53, TCP/53

  • For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.

  • Cisco ISE sends an ICMP ping to the configured DNS server when diagnosing connectivity for an Active Directory connection.

Email

Guest account and user password expiration email notification: SMTP: TCP/25

Smart licensing

  • Connection to Cisco cloud over TCP/443

  • Connection to SSM on-premises server over TCP/443 and ICMP
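The table above is easiest to apply when a planned firewall allowlist for the Administration node is checked against it mechanically: every inbound admin port is confined to Gigabit Ethernet 0 or Bond 0, the outbound rows carry no such restriction, and port 9060 carries a deprecation caveat. The following Python script is an added example and is not Cisco's code: the DOCUMENTED list is transcribed from Table 1, while the interface names, the (direction, proto, port, interface) tuple format and the allow/warn/deny verdicts are assumptions made for this illustration.

```python
"""Audit a proposed firewall allowlist for a Cisco ISE Administration node
against the port table above.

Added example, not Cisco's code. DOCUMENTED is transcribed from Table 1;
the interface names and verdict scheme are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interfaces on which the table permits administrative access (HTTPS, SSH, ERS, guest admin).
ADMIN_INTERFACES = {"GigabitEthernet0", "Bond0"}


@dataclass(frozen=True)
class DocPort:
    service: str
    proto: str                 # "tcp", "udp" or "icmp"
    port: Optional[int]        # None for ICMP
    direction: str             # "in": toward the node; "out": initiated by the node
    admin_only: bool = False   # Administration row: "Not applicable" on other interfaces
    note: str = ""             # caveat taken from the table, if any


DOCUMENTED = [
    # Administration row: restricted to Gigabit Ethernet 0 / Bond 0
    DocPort("Admin HTTPS / ERS / OpenAPI", "tcp", 443, "in", True),
    DocPort("SSH server", "tcp", 22, "in", True),
    DocPort("ERS REST API (legacy port)", "tcp", 9060, "in", True,
            "port 9060 may not be supported in later releases; use 443 for ERS"),
    DocPort("ERS certificate-based auth (DNAC mode)", "tcp", 9062, "in", True),
    DocPort("Guest account management from Admin GUI", "tcp", 9002, "in", True),
    # Monitoring
    DocPort("SNMP query", "udp", 161, "in", note="route table dependent"),
    DocPort("ICMP", "icmp", None, "in"),
    # Logging (outbound)
    DocPort("Syslog", "udp", 20514, "out"),
    DocPort("Syslog", "tcp", 1468, "out"),
    DocPort("Secure syslog", "tcp", 6514, "out"),
    DocPort("SNMP traps", "udp", 162, "out"),
    # External identity sources and resources (outbound)
    DocPort("LDAP", "tcp", 389, "out"),
    DocPort("LDAP global catalog", "tcp", 3268, "out"),
    DocPort("LDAP", "udp", 389, "out"),
    DocPort("SMB", "tcp", 445, "out"),
    DocPort("KDC", "tcp", 88, "out"),
    DocPort("KPASS", "tcp", 464, "out"),
    DocPort("WMI", "tcp", 135, "out"),
    DocPort("ODBC Microsoft SQL", "tcp", 1433, "out"),
    DocPort("ODBC Sybase", "tcp", 2638, "out"),
    DocPort("ODBC PostgreSQL", "tcp", 5432, "out"),
    DocPort("ODBC Oracle", "tcp", 1521, "out"),
    DocPort("ODBC Oracle TCPS", "tcp", 2484, "out"),
    DocPort("DNS", "udp", 53, "out"),
    DocPort("DNS", "tcp", 53, "out"),
    # Email and smart licensing (outbound)
    DocPort("SMTP notifications", "tcp", 25, "out"),
    DocPort("Smart licensing (Cisco cloud / SSM on-prem)", "tcp", 443, "out"),
]


def _label(proto: str, port: Optional[int]) -> str:
    """Human-readable protocol/port label; ICMP has no port."""
    return proto if port is None else f"{proto}/{port}"


def lookup(proto: str, port: Optional[int], direction: str) -> List[DocPort]:
    """All documented entries matching a protocol, port and direction."""
    return [d for d in DOCUMENTED
            if d.proto == proto and d.port == port and d.direction == direction]


def audit(proposed) -> List[Tuple[str, str]]:
    """proposed: iterable of (direction, proto, port, interface) tuples.

    Returns one (verdict, message) per tuple: 'deny' when the port is not in the
    table or an admin-only port is opened on a non-admin interface, 'warn' when
    the table attaches a caveat, otherwise 'allow'."""
    findings = []
    for direction, proto, port, iface in proposed:
        label = _label(proto, port)
        matches = lookup(proto, port, direction)
        if not matches:
            findings.append(("deny", f"{direction} {label} on {iface}: not in the admin-node port table"))
            continue
        d = matches[0]
        if d.admin_only and iface not in ADMIN_INTERFACES:
            findings.append(("deny", f"{d.service} ({label}) on {iface}: restricted to Gigabit Ethernet 0 or Bond 0"))
        elif d.note:
            findings.append(("warn", f"{d.service} ({label}) on {iface}: {d.note}"))
        else:
            findings.append(("allow", f"{d.service} ({label}) on {iface}"))
    return findings


if __name__ == "__main__":
    # Constructed sample allowlist: (direction, proto, port, interface)
    proposed = [
        ("in", "tcp", 443, "GigabitEthernet0"),
        ("in", "tcp", 22, "GigabitEthernet1"),    # admin access on a data interface
        ("in", "tcp", 9060, "Bond0"),              # legacy ERS port
        ("in", "tcp", 3389, "GigabitEthernet0"),   # not an ISE admin-node port
        ("out", "tcp", 6514, "GigabitEthernet1"),
    ]
    for verdict, msg in audit(proposed):
        print(f"{verdict.upper():5} {msg}")
```

Run as-is to audit the constructed sample, or replace `proposed` with the rules exported from your perimeter firewall. Inbound entries are matched on the documented direction, so an outbound-only port such as Secure Syslog (TCP/6514) proposed as inbound is reported as "not in the admin-node port table", which is the intended result.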