Cisco ISE Node Ports

The document provides a comprehensive reference for the ports used by various Cisco Identity Services Engine (ISE) nodes, including Administration, Monitoring, Policy Service, and pxGrid Service nodes. It details the specific TCP and UDP ports required for different services and emphasizes the need for proper firewall configurations to ensure communication. Additionally, it includes notes on port configurations and restrictions relevant to Cisco ISE deployments.


Cisco ISE Ports Reference

• Cisco ISE All Persona Nodes Ports, on page 1
• Cisco ISE Infrastructure, on page 1
• Cisco ISE Administration Node Ports, on page 2
• Cisco ISE Monitoring Node Ports, on page 4
• Cisco ISE Policy Service Node Ports, on page 6
• Cisco ISE pxGrid Service Ports, on page 10
• OCSP and CRL Service Ports, on page 10
• Cisco ISE Processes, on page 11
• Required Internet URLs, on page 11

Cisco ISE All Persona Nodes Ports


Table 1: Ports Used by All Nodes

Columns: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2)

Replication and Synchronization
  Ports on Gigabit Ethernet 0 or Bond 0:
    • HTTPS (SOAP): TCP/443
    • Data synchronization/Replication (JGroups): TCP/12001 (Global)
    • ISE Messaging Service: SSL: TCP/8671
  Ports on Other Ethernet Interfaces: —

Cisco ISE Infrastructure


This appendix lists the TCP and User Datagram Protocol (UDP) ports that Cisco ISE uses for intranetwork
communications with external applications and devices. The Cisco ISE ports listed in this appendix must be
open on the corresponding firewall.
Keep in mind the following information when configuring services on a Cisco ISE network:


• The ports are enabled based on the services that are enabled in your deployment. Apart from the ports
that are opened by the services running in ISE, Cisco ISE denies access to all other ports.
• Cisco ISE management is restricted to Gigabit Ethernet 0.
• RADIUS listens on all network interface cards (NICs).
• Cisco ISE server interfaces do not support VLAN tagging. If you are installing on a hardware appliance,
ensure that you disable VLAN trunking on switch ports that are used to connect to Cisco ISE nodes and
configure them as access layer ports.
• The ephemeral port range is from 10000 to 65500. This remains the same for Cisco ISE, Release 2.1 and
later.
• VMware on Cloud is supported in a Site-to-Site VPN network configuration. Hence, IP address and port
reachability from the network access devices and clients to Cisco ISE must be established without NAT
or port filtering.
• All NICs can be configured with IP addresses.

Note TCP keep alive time on ISE is 60 minutes. Adjust the TCP timeout values accordingly on the firewall if one
exists between ISE nodes.

Cisco ISE Administration Node Ports


The following table lists the ports used by the Administration nodes:


Table 2: Ports Used by the Administration Nodes

Columns: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and 2)

Administration
  Ports on Gigabit Ethernet 0 or Bond 0:
    • HTTP: TCP/80, HTTPS: TCP/443 (TCP/80 redirected to TCP/443; not configurable)
    • SSH Server: TCP/22
    • External RESTful Services (ERS) REST API: TCP/9060
    • To manage guest accounts from Admin GUI: TCP/9002
    • ElasticSearch (Context Visibility; to replicate data from primary to secondary Admin node): TCP/9300
    Note Ports 80 and 443 support Admin web applications and are enabled by default. HTTPS and SSH access
    to Cisco ISE is restricted to Gigabit Ethernet 0. TCP/9300 must be open on both Primary and Secondary
    Administration Nodes for incoming traffic.
  Ports on Other Ethernet Interfaces: —

Monitoring
  Ports on Gigabit Ethernet 0 or Bond 0:
    • SNMP Query: UDP/161
      Note This port is route table dependent.
    • ICMP

Logging (Outbound)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Syslog: UDP/20514, TCP/1468
    • Secure Syslog: TCP/6514
      Note Default ports are configurable for external logging.
    • SNMP Traps: UDP/162

External Identity Sources and Resources (Outbound)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Admin User Interface and Endpoint Authentications:
      • LDAP: TCP/389, 3268, UDP/389
      • SMB: TCP/445
      • KDC: TCP/88
      • KPASS: TCP/464
      • WMI: TCP/135
      • ODBC:
        Note The ODBC ports are configurable on the third-party database server.
        • Microsoft SQL: TCP/1433
        • Sybase: TCP/2638
        • PostgreSQL: TCP/5432
        • Oracle: TCP/1521
      • NTP: UDP/123
      • DNS: UDP/53, TCP/53
    Note For external identity sources and services reachable only through an interface other than
    Gigabit Ethernet 0, configure static routes accordingly.

Email
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Guest account and user password expirations email notification: SMTP: TCP/25

Smart Licensing
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Connection to Cisco cloud over TCP/443
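The infrastructure notes state that ISE denies access to every port not opened by an enabled service, and Table 2 says HTTPS and SSH management access is restricted to Gigabit Ethernet 0. A firewall or host audit can check both claims against a listener inventory. The following Python script is an added example, not Cisco ISE code or output: the expected port sets are transcribed from Table 1 and Table 2, while the scan line format, the interface labels and the function names are constructed for this example.

```python
"""Audit an observed listener inventory for a Cisco ISE Administration node against the
ports documented in Table 1 (all persona nodes) and Table 2 (Administration nodes).

Added example: the expected-port sets below are transcribed from the tables above; the
scan format, the interface names and the function names are constructed for this
example and are not ISE commands or output.
"""

# Expected inbound listeners on Gigabit Ethernet 0 / Bond 0 as (protocol, port).
ALL_PERSONA_PORTS = {
    ("tcp", 443),    # HTTPS (SOAP) replication
    ("tcp", 12001),  # JGroups data synchronization / replication
    ("tcp", 8671),   # ISE Messaging Service
}
ADMIN_NODE_PORTS = {
    ("tcp", 80),     # HTTP, redirected to 443 (not configurable)
    ("tcp", 443),    # HTTPS Admin web applications
    ("tcp", 22),     # SSH server
    ("tcp", 9060),   # ERS REST API
    ("tcp", 9002),   # Guest account management from the Admin GUI
    ("tcp", 9300),   # ElasticSearch replication, primary -> secondary Admin node
    ("udp", 161),    # SNMP query
}
# The document restricts HTTPS and SSH management access to Gigabit Ethernet 0.
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
MANAGEMENT_IFACE = "GigabitEthernet0"  # constructed interface label

# Constructed sample inventory: "<proto> <port> <interface>" per line.
SAMPLE_SCAN = """\
tcp 22 GigabitEthernet0
tcp 80 GigabitEthernet0
tcp 443 GigabitEthernet0
tcp 9060 GigabitEthernet0
tcp 12001 GigabitEthernet0
tcp 8671 GigabitEthernet0
udp 161 GigabitEthernet0
tcp 443 GigabitEthernet1
tcp 5432 GigabitEthernet0
"""


def parse_scan(text):
    """Parse the constructed 'proto port iface' lines into (proto, port, iface) tuples."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # ignore blank or malformed lines
        proto, port, iface = fields
        rows.append((proto.lower(), int(port), iface))
    return rows


def audit_admin_node(observed):
    """Compare observed listeners with the documented Admin node port set.

    Returns a dict with:
      unexpected: (proto, port) pairs not listed in Tables 1 or 2; ISE denies access to
                  all other ports, so these warrant investigation
      missing:    documented ports not observed, usually a disabled optional service
      management_on_other_iface: management ports seen on an interface other than
                  Gigabit Ethernet 0, contrary to the documented restriction
    """
    expected = ALL_PERSONA_PORTS | ADMIN_NODE_PORTS
    seen = {(proto, port) for proto, port, _ in observed}
    return {
        "unexpected": sorted(seen - expected),
        "missing": sorted(expected - seen),
        "management_on_other_iface": sorted(
            (proto, port, iface)
            for proto, port, iface in observed
            if (proto, port) in MANAGEMENT_PORTS and iface != MANAGEMENT_IFACE
        ),
    }


if __name__ == "__main__":
    for key, value in audit_admin_node(parse_scan(SAMPLE_SCAN)).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports TCP/5432 as unexpected (a database port that an Admin node only connects to outbound, never listens on), TCP/9002 and TCP/9300 as missing, and TCP/443 on GigabitEthernet1 as a management listener outside Gigabit Ethernet 0. A missing port is informational when the corresponding service is disabled; an unexpected or misplaced one is the finding to chase.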

Cisco ISE Monitoring Node Ports


The following table lists the ports used by the Monitoring nodes:


Table 3: Ports Used by the Monitoring Nodes

Columns: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2)

Administration
  Ports on Gigabit Ethernet 0 or Bond 0:
    • HTTP: TCP/80, HTTPS: TCP/443
    • SSH Server: TCP/22
  Ports on Other Ethernet Interfaces: —

Monitoring
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Simple Network Management Protocol (SNMP): UDP/161
      Note This port is route table dependent.
    • ICMP

Logging
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Syslog: UDP/20514, TCP/1468
    • Secure Syslog: TCP/6514
      Note Default ports are configurable for external logging.
    • SMTP: TCP/25 for email of alarms
    • SNMP Traps: UDP/162

External Identity Sources and Resources (Outbound)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Admin User Interface and Endpoint Authentications:
      • LDAP: TCP/389, 3268, UDP/389
      • SMB: TCP/445
      • KDC: TCP/88, UDP/88
      • KPASS: TCP/464
      • WMI: TCP/135
      • ODBC:
        Note The ODBC ports are configurable on the third-party database server.
        • Microsoft SQL: TCP/1433
        • Sybase: TCP/2638
        • PostgreSQL: TCP/5432
        • Oracle: TCP/1521, 15723, 16820
      • NTP: UDP/123
      • DNS: UDP/53, TCP/53
    Note For external identity sources and services reachable only through an interface other than
    Gigabit Ethernet 0, configure static routes accordingly.

Bulk Download for pxGrid
  Ports on Gigabit Ethernet 0 or Bond 0:
    • SSL: TCP/8910

Cisco ISE Policy Service Node Ports


Cisco ISE supports HTTP Strict Transport Security (HSTS) for increased security. ISE sends HTTPS responses
indicating to browsers that ISE can only be accessed using HTTPS. If users then try to access ISE using HTTP
instead of HTTPS, the browser changes the connection to HTTPS before generating any network traffic. This
functionality prevents browsers from sending requests to ISE using unencrypted HTTP before the server can
redirect them.
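The paragraph describes the browser side of HSTS; when verifying a node, the question is whether the HTTPS response actually carries a policy the browser will keep. The following Python helper is an added example, not Cisco ISE code: it parses a Strict-Transport-Security header value and reports whether it results in an enforced policy, including the edge cases (no header, malformed or zero max-age, and a header received over plain HTTP, which browsers ignore). The header values are constructed, and the function names are this example's own.

```python
"""Check whether an HTTPS response carries an HSTS policy that a browser will honour,
so that later http:// requests are upgraded to https:// before any traffic is sent.

Added example, not Cisco ISE code: the header values below are constructed, and the
function names are this example's own.
"""


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into a {directive: value} dict.

    Directive names are case-insensitive (RFC 6797); valueless directives such as
    includeSubDomains map to True.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_enforced(headers, over_tls=True):
    """Return (enforced, reason) for a response's headers (a dict, any name casing).

    over_tls=False models a response received over plain HTTP: browsers ignore the
    header there, so a policy is only ever learned from an HTTPS response.
    """
    if not over_tls:
        return False, "HSTS header ignored on a plain-HTTP response"
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None or not str(max_age).isdigit():
        return False, "max-age directive missing or malformed; policy not applied"
    if int(max_age) == 0:
        return False, "max-age=0 clears any cached HSTS policy for this host"
    scope = "host and subdomains" if "includesubdomains" in directives else "host only"
    return True, f"HTTPS pinned for {int(max_age)} seconds ({scope})"


# Constructed sample responses (header dicts only).
SAMPLE_RESPONSES = {
    "admin-node": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "no-hsts": {"Content-Type": "text/html"},
    "cleared": {"strict-transport-security": "max-age=0"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, hsts_enforced(headers))
```

The `over_tls` flag matters for the point the paragraph makes: the redirect from TCP/80 to TCP/443 is what gets a client to the HTTPS response in the first place, and only that response can install the policy that removes the plain-HTTP round trip on later visits.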
The following table lists the ports used by the Policy Service nodes:


Table 4: Ports Used by the Policy Service Nodes

Columns: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces, or Bond 1 and Bond 2

Administration
  Ports on Gigabit Ethernet 0 or Bond 0:
    • HTTP: TCP/80, HTTPS: TCP/443
    • SSH Server: TCP/22
    • OCSP: TCP/2560
  Ports on Other Ethernet Interfaces: Cisco ISE management is restricted to Gigabit Ethernet 0.

Clustering (Node Group)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Node Groups/JGroups: TCP/7800
  Ports on Other Ethernet Interfaces: —

SCEP
  Ports on Gigabit Ethernet 0 or Bond 0:
    • TCP/9090
  Ports on Other Ethernet Interfaces: —

IPSec/ISAKMP
  Ports on Gigabit Ethernet 0 or Bond 0:
    • UDP/500
  Ports on Other Ethernet Interfaces: —

Device Administration
  Ports on Gigabit Ethernet 0 or Bond 0:
    • TACACS+: TCP/49
      Note This port is configurable in Release 2.1 and later releases.

SXP
  Ports on Gigabit Ethernet 0 or Bond 0:
    • PSN (SXP node) to NADs: TCP/64999
    • PSN to SXP (inter-node communication): TCP/443

TC-NAC
  Ports on Gigabit Ethernet 0 or Bond 0:
    • TCP/443

Monitoring
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Simple Network Management Protocol (SNMP): UDP/161
      Note This port is route table dependent.

Logging (Outbound)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Syslog: UDP/20514, TCP/1468
    • Secure Syslog: TCP/6514
      Note Default ports are configurable for external logging.
    • SNMP Traps: UDP/162

Session
  Ports on Gigabit Ethernet 0 or Bond 0:
    • RADIUS Authentication: UDP/1645, 1812
    • RADIUS Accounting: UDP/1646, 1813
    • RADIUS DTLS Authentication/Accounting: UDP/2083
    • RADIUS Change of Authorization (CoA) Send: UDP/1700
    • RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
      Note UDP port 3799 is not configurable.

External Identity Sources and Resources (Outbound)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Admin User Interface and Endpoint Authentications:
      • LDAP: TCP/389, 3268
      • SMB: TCP/445
      • KDC: TCP/88
      • KPASS: TCP/464
      • WMI: TCP/135
      • ODBC:
        Note The ODBC ports are configurable on the third-party database server.
        • Microsoft SQL: TCP/1433
        • Sybase: TCP/2638
        • PostgreSQL: TCP/5432
        • Oracle: TCP/1521
      • NTP: UDP/123
      • DNS: UDP/53, TCP/53
    Note For external identity sources and services reachable only through an interface other than
    Gigabit Ethernet 0, configure static routes accordingly.

Passive ID (Inbound)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • TS Agent: TCP/9094
    • AD Agent: TCP/9095
    • Syslog: UDP/40514, TCP/11468

Web Portal Services (Guest/Web Authentication, Guest Sponsor Portal, My Devices Portal, Client Provisioning, Certificate Provisioning, BlackListing Portal)
  Ports on Gigabit Ethernet 0 or Bond 0 (HTTPS; interface must be enabled for service in Cisco ISE):
    • Blacklist Portal: TCP/8000-8999 (Default port is TCP/8444.)
    • Guest Portal and Client Provisioning: TCP/8000-8999 (Default port is TCP/8443.)
    • Certificate Provisioning Portal: TCP/8000-8999 (Default port is TCP/8443.)
    • My Devices Portal: TCP/8000-8999 (Default port is TCP/8443.)
    • Sponsor Portal: TCP/8000-8999 (Default port is TCP/8443.)
    • SMTP guest notifications from guest and sponsor portals: TCP/25

Posture (Discovery, Provisioning, Assessment/Heartbeat)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
      Note By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and
      Client Provisioning.
      Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
      Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured
      for portal use).
    • Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
      From Cisco ISE, Release 2.2 or later with AnyConnect, Release 4.4 or later, this port is configurable.
    • Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)

Bring Your Own Device (BYOD) / Network Service Protocol (NSP) (Redirection, Provisioning, SCEP)
  Ports on Gigabit Ethernet 0 or Bond 0:
    • Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
    • For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL
      for Android devices.
    • Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web
      Portal Services: Guest Portal and Client Provisioning.
    • Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
    • Provisioning - Wizard Install from Google Play (Android): TCP/443
    • Provisioning - Supplicant Provisioning Process: TCP/8905
    • SCEP Proxy to CA: TCP/80 or TCP/443 (Based on SCEP RA URL configuration)

Mobile Device Management (MDM) API Integration
  Ports on Gigabit Ethernet 0 or Bond 0:
    • URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
    • API: Vendor specific
    • Agent Install and Device Registration: Vendor specific

Profiling
  Ports on Gigabit Ethernet 0 or Bond 0:
    • NetFlow: UDP/9996
      Note This port is configurable.
    • DHCP: UDP/67
      Note This port is configurable.
    • DHCP SPAN Probe: UDP/68
    • HTTP: TCP/80, 8080
    • DNS: UDP/53 (lookup)
      Note This port is route table dependent.
    • SNMP Query: UDP/161
      Note This port is route table dependent.
    • SNMP TRAP: UDP/162
      Note This port is configurable.

Cisco ISE pxGrid Service Ports


The following table lists the ports used by the pxGrid Service nodes:

Table 5: Ports Used by the pxGrid Service Node

Columns: Cisco ISE Service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on Other Ethernet Interfaces (Gigabit Ethernet 1 through 5, or Bond 1 and Bond 2)

Administration
  Ports on Gigabit Ethernet 0 or Bond 0:
    • SSL: TCP/5222 (Inter-Node Communication)
    • SSL: TCP/7400 (Node Group Communication)
  Ports on Other Ethernet Interfaces: —

pxGrid Subscribers
  Ports on Gigabit Ethernet 0 or Bond 0:
    • TCP/8910

OCSP and CRL Service Ports


For the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) services, the ports
depend on the CA server or on the service hosting OCSP/CRL, although the Cisco ISE services and ports
references list the basic ports used by the Cisco ISE Administration Node, Policy Service Node, and
Monitoring Node separately.
For OCSP, the default ports that can be used are TCP 80 and TCP 443. The Cisco ISE Admin portal expects an
HTTP-based URL for OCSP services, so TCP 80 is the default. You can also use non-default ports.
For CRL, the default protocols include HTTP, HTTPS, and LDAP, and the default ports are 80, 443, and
389 respectively. The actual port is contingent on the CRL server.
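Because the OCSP and CRL ports are set by the responder URLs rather than by ISE, the outbound allow-list has to be derived from those URLs, and a non-default port in a URL is easy to miss. The following Python helper is an added example, not Cisco ISE code: it takes the configured OCSP responder and CRL distribution point URLs, applies the defaults stated above (HTTP 80, HTTPS 443, LDAP 389) unless the URL carries an explicit port, and returns the (service, host, port) targets a firewall must permit. The URLs are constructed placeholders and the function names are this example's own.

```python
"""Derive the outbound firewall targets (host, TCP port) a Cisco ISE node needs in order
to reach OCSP responders and CRL distribution points, from their configured URLs.

Added example, not Cisco ISE code: the URLs are constructed placeholders and the
function names are this example's own. Default ports follow the text above (OCSP:
HTTP 80 or HTTPS 443; CRL: HTTP 80, HTTPS 443, LDAP 389); an explicit port in the URL wins.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389}
OCSP_SCHEMES = {"http", "https"}          # OCSP is fetched over HTTP(S) only
CRL_SCHEMES = {"http", "https", "ldap"}   # CRLs may also be published in LDAP


def reachability_target(url, allowed_schemes):
    """Return (hostname, tcp_port) for url, or raise ValueError for an unsupported scheme."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes or not parts.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return parts.hostname, port


def plan_revocation_access(ocsp_urls, crl_urls):
    """Build a de-duplicated, sorted allow-list of (service, host, port) plus review notes.

    A note is raised for any OCSP responder on a non-default port, since that is the
    case most often forgotten when firewall rules are written from the defaults.
    """
    targets, notes = set(), []
    for url in ocsp_urls:
        host, port = reachability_target(url, OCSP_SCHEMES)
        if port != DEFAULT_PORTS[urlsplit(url).scheme.lower()]:
            notes.append(f"{url}: non-default OCSP port {port}; confirm the responder listens there")
        targets.add(("ocsp", host, port))
    for url in crl_urls:
        host, port = reachability_target(url, CRL_SCHEMES)
        targets.add(("crl", host, port))
    return sorted(targets), notes


# Constructed sample configuration (placeholder hostnames, not real responders).
SAMPLE_OCSP_URLS = [
    "http://ocsp.pki.example.test/",
    "https://ocsp.pki.example.test:8443/ocsp",
]
SAMPLE_CRL_URLS = [
    "http://pki.example.test/crl/issuing-ca.crl",
    "ldap://dc1.example.test/CN=Issuing%20CA,CN=CDP,DC=example,DC=test?certificateRevocationList",
]

if __name__ == "__main__":
    allow_list, review_notes = plan_revocation_access(SAMPLE_OCSP_URLS, SAMPLE_CRL_URLS)
    for entry in allow_list:
        print("allow", *entry)
    for note in review_notes:
        print("note ", note)
```

The same derivation applies to the SCEP RA URL in Table 4 (TCP/80 or TCP/443 "based on SCEP RA URL configuration"): the scheme and any explicit port in the URL decide the rule, not the service name.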

Cisco ISE Processes


The following table lists the Cisco ISE processes and their service impact:

Columns: Process Name | Description | Service Impact

Database Listener
  Description: Oracle Enterprise Database Listener
  Service Impact: Must be in Running state for all services to work properly

Database Server
  Description: Oracle Enterprise Database Server. Stores both configuration and operational data.
  Service Impact: Must be in Running state for all services to work properly

Application Server
  Description: Main Tomcat Server for ISE
  Service Impact: Must be in Running state for all services to work properly

Profiler Database
  Description: Redis database for ISE Profiling service
  Service Impact: Must be in Running state for ISE profiling service to work properly

AD Connector
  Description: Active Directory Runtime
  Service Impact: Must be in Running state for ISE to perform Active Directory authentications

MnT Session Database
  Description: Oracle TimesTen Database for MnT service
  Service Impact: Must be in Running state for all services to work properly

MnT Log Collector
  Description: Log collector for MnT service
  Service Impact: Must be in Running state for MnT Operational Data

MnT Log Processor
  Description: Log processor for MnT service
  Service Impact: Must be in Running state for MnT Operational Data

Certificate Authority Service
  Description: ISE Internal CA service
  Service Impact: Must be in Running state if ISE internal CA is enabled

Required Internet URLs


The following table lists the features that make use of certain URLs. You must configure either your network
firewall or a proxy server so that IP traffic can travel between Cisco ISE and these resources. If you cannot
provide this access for any listed URL, the associated feature will be impaired or inoperable.


Table 6: Required URLs Access

Columns: Feature | URLs

Posture updates
  https://www.cisco.com/
  https://iseservice.cisco.com

Profiling Feed Service
  https://ise.cisco.com

Smart Licensing
  https://tools.cisco.com

Interactive Help
  https://cdn.walkme.com
  https://playerserver.walkme.com
  https://ec.walkme.com
  https://rapi.walkme.com
  https://papi.walkme.com
  https://s3.amazonaws.com
  https://s3.walkmeusercontent.com
