Configuring the Ivanti Cloud Services Appliance

The Ivanti Cloud Services Appliance (CSA) is an Internet appliance that provides secure communication and functionality over the Internet. It acts as a meeting place where the console and managed devices are connected through their Internet connections—even if they are behind firewalls or use a proxy to access the Internet.

Visit the Ivanti Community's CSA articles for additional CSA information.

Using multiple Cloud Services Appliances

You can install multiple CSAs. For example, you can do this to help balance CSA workloads. When you configure the core server to use multiple CSAs, managed devices can use any of the configured CSAs to connect to the core. The CSA a managed device uses depends on the CSA specified in that device's agent configuration. There is no automatic load balancing or failover. If you want to balance CSA loads, create a custom agent configuration for each CSA and selectively deploy those agent configurations.

Configuring the core server to use a Cloud Services Appliance

The Cloud Services Appliance (CSA) is available for purchase separately as a VMware virtual machine image. Once you install a CSA, you need to configure the core to use it.

The Configure > Manage Cloud Services Appliances option is only available from the core server's management console. Additional consoles don't have this option. Only users with the Ivanti Administrator right can modify a CSA configuration.

To connect a Cloud Services Appliance to the core server
  1. In the core server's management console, click Configure > Manage Cloud Services Appliances.
  2. On the Cloud Services Appliances tab, specify the CSA information.
  3. If the CSA uses an internal address that is different from its public address (for example, if it's located in a DMZ-type environment), specify the CSA internal name and CSA internal IP address.
  4. If the core will connect to the CSA through a proxy, select Use proxy and specify the proxy settings.
  5. Click Apply. If the CSA settings are correct, the new CSA appears in the list.

You can also select any CSA in the list and change its settings on the right side. Click Apply when you're done making changes. The core server then connects to the CSA and registers with it by installing the core's security certificate on the CSA.

Managing client certificates

Each managed device is required to have a valid digital certificate in order to connect through the CSA. If your core has client certificate-based security enabled, Ivanti agents on managed devices also need a valid certificate to decrypt secure core data. These certificates are generated automatically during agent installation, but they default to an unapproved state that prevents communication through the CSA and secure core data decryption.

You can manage the list of devices that have been granted certificates by blocking or deleting those device certificates. Use the search box to easily filter the list.

Approve device certificates to allow CSA access and secure core data decryption. The core server defaults to notifying you when the number of unapproved certificates is 10 or more. You can customize or disable this notification at the bottom of the dialog box.

Block a device certificate to temporarily stop it from using the CSA to communicate with the core server or decrypt secure core data. You can unblock it later if you want to restore access.

If you delete a device certificate, it will be removed from the list. The certificate remains on the device. If that device attempts to reconnect later or when it runs a security scan (which triggers a reconnection attempt), it will reappear in the list.

Blocked or deleted devices can still communicate with the core server if they are on the same network as the core server and the Dynamically determine connection route option is selected in the Agent settings tool under Client connectivity settings.

There is also an option to Automatically approve new certificates. This option isn't recommended because it gives all new devices access to the core. However, in some instances administrators may want to enable this for a short time, such as when enrolling a lot of devices.

To approve, block, or delete device certificates
  1. In the core server's management console, click Configure > Manage Cloud Services Appliances.
  2. On the Manage client certificates tab, select the devices you want to approve, block, or delete. You can use Shift+click or Ctrl+click to select multiple devices.
  3. Click Approve selected to approve selected device certificates.
  4. Click Block selected to block selected device certificates.
  5. Click Delete selected to delete the selected device certificates from the core server.
  6. When finished, click Apply.

Creating an on-demand remote control agent package

You can create an on-demand remote control agent executable package that can be downloaded by devices that have not been configured to connect through the CSA. This allows them to be remote controlled through the CSA.

There are two parts to the remote control downloadable agent:

  • The CSA you want to use.
  • The remote control settings file specifying the remote control features to allow.

When creating a remote control package, make sure in Security settings that you select either Local template or Windows NT security. The CSA doesn't support Integrated security.

To create an on-demand remote control agent
  1. Click Configure > Manage Cloud Services Appliances.
  2. On the Remote control agent tab, select the CSA and remote control settings profile you want to use.
  3. Click Create.
  4. Specify the location to which you want the remote control agent to be saved.
  5. Click Save.

After creating the remote control agent, you can distribute it on a USB drive or post it to an accessible location for download by managed devices.