Identity Sharing and Cisco ISE
I'm successfully using Identity Collector and Cisco ISE to send tags to a pilot gateway.
I cannot find, however, whether I can use this setup along with Identity Sharing with other gateways of the SMS to share tags like it happens with accounts, and the documentation isn't explicit on this.
Should it work?
Firewalls are R80.40 Take 173 with plans to go to R81.10 when the next hotfix is GA.
You could use Identity Broker, see:
sk88520: Best Practices - Identity Awareness Large Scale Deployment
sk170765: Identity Awareness Scalable Design - Identity Agent
sk86441: ATRG: Identity Awareness
sk146835: Identity Session Conciliation
For now the solution is to connect the Identity Collector to each gateway, effectively turning them into PDPs, so the broker would be a more complex way to do the same.
The idea is to have a low-end cluster serving as PDP for the ISE tags and sending them to all other gateways but it seems that nothing happens with tags when this is configured.
hey,
As we have also deployed IC in our environment to grab identities from AD and ISE (TAGS), my recommendation is to have at least 2 ICs per GW/cluster for redundancy. In our case, as we have 3 clusters, we have set up 6 ICs, 2 per region, so we have redundancy and independence.
As for identity sharing, as far as I know you can configure a GW to share identities with all other GWs, so what is not working in your case?
thank you,
I'm using 2 Identity Collectors for redundancy. I had to get a custom JAR file to ensure stability between them and the ISE but since then it works.
Whenever I enable Identity Sharing, tags don't seem to get exchanged. I'm just wondering if they should be or if this feature does not support ISE tags.
"I had to get a custom JAR file to ensure stability between them and the ISE but since then it works." - can you elaborate on this a bit more, as I have a problem with IC versions over R80.0119.000 (the new ones use pxGrid v2) and our ISE environment - it loses communication after random periods.
In regards to the shared identity, I doubt it will share the ISE TAG, but I think it will share the identity group that the TAG was matched to.
Can you check that part, and have a rule with an identity ISE TAG based on a GW that gets identities from another gateway?
thank you,
That was quite a long case with TAC about the ISE going to Disconnected mode in the Collector and not coming back up short of a reboot of the server, not just the service.
In the end, I got a custom JAR file to replace one in place which completely solved the issue.
So I see the same: with newer IC versions, the ISE connections go to Established and data is exchanged, but after 1 hour or 3 hours they go Disconnected.
In some cases, if I restart the service, it comes back, but the same will happen in a couple of hours, or it stays Disconnected.
Is it possible to share the Check Point case so I can ask my support engineer to look and see if there is any resemblance between them?
thank you,
PS: were the versions I shared behaving the same, or don't you remember the details?
I will send you the SR in a private message. What happened is that a message from the ISE wouldn't be accepted by the IC because of some unsupported content, after which the IC would disconnect the ISE and keep on sending keepalives without ever reconnecting. This could happen after an hour or a week, there was no definitive pattern.
thank you,
Now, on the Identity Sharing, check this and let us know how it goes...
"In regards to the shared identity, I doubt it will share the ISE TAG, but I think it will share the identity group that the TAG was matched to.
Can you check that part, and have a rule with an identity ISE TAG based on a GW that gets identities from another gateway?"
ty,
Once identities are acquired, they can be shared with other gateways.
That said, you might need to (manually) create the relevant identity tags on the Check Point side, but that's just a guess.
