Cisco Cisco Identity Services Engine 2.1
Network Ports That Must Be Open for Communication
Notes
Authenticated
Target
Port (remote-local)
Protocol
—
No
DNS Servers/AD
Domain Controllers
Domain Controllers
Random number greater
than or equal to 49152
than or equal to 49152
DNS (TCP/UDP)
—
Yes
Domain Controllers
445
MSRPC
MS AD/KDC
Yes (Kerberos)
Domain Controllers
88
Kerberos (TCP/UDP)
—
Yes
Domain Controllers
389
LDAP (TCP/UDP)
—
Yes
Global Catalog Servers
3268
LDAP (GC)
—
No
NTP Servers/Domain
Controllers
Controllers
123
NTP
—
Yes (Using RBAC
credentials)
credentials)
Other ISE Nodes in the
Deployment
Deployment
80
IPC
DNS Server
While configuring your DNS server, make sure that you take care of the following:
• All DNS servers configured in Cisco ISE must be able to resolve all forward and reverse DNS queries for all domains you wish
to use.
• All DNS server must be able to answer SRV queries for DCs, GCs, and KDCs with or without additional Site information.
• We recommend that you add the server IP addresses to SRV responses to improve performance.
• Avoid using DNS serversthat query the public Internet. They can cause delays and leak information about your network when
an unknown name has to be resolved
Add an Active Directory Join Point and Join Cisco ISE Node to the Join Point
Before You Begin
Make sure that the Cisco ISE node can communicate with the networks where the NTP servers, DNS servers, domain controllers,
and global catalog servers are located. You can check these parameters by running the Domain Diagnostic tool.
and global catalog servers are located. You can check these parameters by running the Domain Diagnostic tool.
Procedure
Step 1
Choose Administration > Identity Management > External Identity Sources > Active Directory.
Step 2
Click Add and enter the domain name and identity store name.
Step 3
Click Submit.
5