Lab Minutes Forum

Technical Discussion => Security => Topic started by: peterb on October 27, 2014, 08:01:47 AM

Title: ISE 1.2 distributed deployment with 2 PSN - change https port for portals
Post by: peterb on October 27, 2014, 08:01:47 AM
Hi,

We need to change the port numbers for the sponsor portal and the MyDevices portal in an ISE 1.2 distributed deployment.
The documentation states that all ISE nodes will restart when doing so.

My question is if all the nodes will restart simultaneously or if they will restart one at a time, as they do when applying patches to ISE.

Thank you,
Peter
Title: Re: ISE 1.2 distributed deployment with 2 PSN - change https port for portals
Post by: MC on October 28, 2014, 05:35:41 PM
Interesting question. Since both the sponsor and MyDevices portals tie to PSN, I would think only PSN will reload, although I cannot say whether they will all reload at the same time. I would definitely do this after hours and prepare for the worst (i.e. all nodes service reset). Sorry, I currently do not have a 2+ node setup that I can test this with, but I definitely would like to know the result.
Title: Re: ISE 1.2 distributed deployment with 2 PSN - change https port for portals
Post by: peterb on October 30, 2014, 06:30:32 AM

We have made the changes now and here is the result.

Our setup is like this:
ISE-1: primary admin node, secondary monitor node
ISE-2: secondary admin node, primary monitor node
ISE-3 and ISE-4: policy services nodes

All 4 nodes restarted the ISE application, but not simultaneously.
This is how it worked out:
1. ISE-1 restarted ISE application
2. ISE-2 + one of the PSNs restarted ISE application
3. The other PSN restarted ISE application

So all roles (admin, monitor and policy) worked all the time; there was minimal or no impact for the users. All the same, after-hours for this kind of change is a good recommendation!

/Peter


Title: Re: ISE 1.2 distributed deployment with 2 PSN - change https port for portals
Post by: MC on October 30, 2014, 10:58:10 PM
Thank you for sharing your result, Peter. I am sure we all can benefit from this. +1