
ISE Posturing and WSUS

Daniel Lucas
Level 1

Is there a way to check against a local WSUS server for determining if an endpoint is up-to-date? I have a situation where corporate endpoints typically don't have the absolute latest Windows patch, and it is intentionally left out of WSUS for a period before pushing them out. Is there a way to check if the endpoint has the latest update per the corporate WSUS policy, and not the latest published by Microsoft/OPSWAT?

 

-Thanks

Accepted Solutions

howon
Cisco Employee

Yes, ISE posture policy can use local WSUS policy. However, there are no settings to configure on ISE aside from making a WSUS condition. The AnyConnect posture module simply interfaces with the WSUS agent to get a status update. If the WSUS agent is configured for local WSUS, then the WSUS agent will verify with the local WSUS server to see if it is compliant and report the status back to the AnyConnect posture module.
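
One way to see on an endpoint what the Windows Update Agent reports against the local WSUS server, as an added example that is not part of the original thread and is not Cisco or AnyConnect code. It assumes the agent is configured through the standard Windows Update policy registry keys and is run from an elevated PowerShell session; it does not show how the posture module queries the agent.

```powershell
# Added example: inspect the Windows Update Agent (WUA) on an endpoint.
# Assumption: WSUS is configured through the standard policy registry keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# 1. Is the agent pointed at a local WSUS server by policy?
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
$usesWsus = ($null -ne $au) -and ($au.UseWUServer -eq 1) -and
            -not [string]::IsNullOrWhiteSpace($wu.WUServer)

if (-not $usesWsus) {
    Write-Warning 'No WSUS policy found: the agent is not pointed at a local WSUS server.'
    return
}
Write-Output "Agent is managed by WSUS server: $($wu.WUServer)"

# 2. Ask the agent what is missing according to the managed (WSUS) server only.
#    A WSUS client is only offered updates that are approved on the server,
#    so patches the administrators are still holding back are not listed.
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1   # ssManagedServer
    $searcher.Online = $true        # contact the server instead of using cached results
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
}
catch {
    # A failure here means the agent could not complete a scan against WSUS,
    # for example because the server is unreachable from this network.
    Write-Warning "Scan against WSUS failed: $($_.Exception.Message)"
    return
}

# 3. Summarise: zero missing updates means up to date per the WSUS approvals.
$missing = @($result.Updates | ForEach-Object {
    [pscustomobject]@{
        Title    = $_.Title
        Severity = $_.MsrcSeverity
        KB       = ($_.KBArticleIDs -join ',')
    }
})

if ($missing.Count -eq 0) {
    Write-Output 'Up to date according to the local WSUS server.'
} else {
    Write-Output "$($missing.Count) approved update(s) not installed:"
    $missing | Format-Table -AutoSize
}
```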

 


Ok thanks!

Hello,

Can you provide some more details about this type of integration?

Does this mean that we need to allow the WSUS agent on the PC to communicate with the WSUS server? (authorization profile/result when posture status is unknown or non-compliant?)

Thanks for your help