Introduction
Ivanti Connect Secure (ICS) is a next-generation secure access product that offers fast and secure connections between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as a new end-user experience, increased overall throughput, and simplified appliance management.
These are cumulative release notes. If a page does not list a release, then there is no new associated information for that release.
Security Advisory and Patch Update
Ivanti has released security advisories and mitigations for critical vulnerabilities in the Ivanti Connect Secure gateways. These vulnerabilities impact all supported versions of ICS (22.x).
The following CVEs have been fixed:
CVEs | Ivanti Forum links |
---|---|
CVE-2023-46805, CVE-2024-21887 | For more details, see Ivanti forum. |
CVE-2024-21888, CVE-2024-21893 | For more details, see Ivanti forum. |
CVE-2024-22024 | For more details, see Ivanti forum. |
CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, CVE-2024-22023, CVE-2024-29205 | For more details, see Ivanti forum. |
CVE-2023-39340, CVE-2023-41719, CVE-2023-41720 | For more details, see Ivanti forum. |
CVE-2023-38551 | For more details, see Ivanti forum. |
For more details, see Ivanti forum KB.
The build details of the ICS Gateways that include the CVE fixes are listed below:
•ICS 22.6R2.3 Build 2719
•ISAC 22.6R1 Build 26825
•Default ESAP version 4.0.5
•ICS 22.6R2.2 Build 2677
•ISAC 22.6R1 Build 26825
•Default ESAP version 4.0.5
•ICS 22.6R2.1 Build 2487
•ISAC 22.6R1 Build 26825
•Default ESAP version 4.0.5
•ICS 22.6R2 Build 2365
•ISAC 22.6R1 Build 26825
•Default ESAP version 4.0.5
•ICS 22.5R2.4 Build 2229
•ISAC 22.3R3 Build 19959
•Default ESAP version 4.0.5
•ICS 22.5R2.3 Build 2215
•ISAC 22.3R3 Build 19959
•Default ESAP version 4.0.5
•ICS 22.5R2.1 Build 2035
•ISAC 22.3R3 Build 19959
•Default ESAP version 4.0.5
•ICS 22.5R1.3 Build 2227
•ISAC 22.3R3 Build 19959
•Default ESAP version 4.0.5
•ICS 22.5R1.2 Build 2213
•ISAC 22.3R3 Build 19959
•Default ESAP version 4.0.5
•ICS 22.5R1 Build 2037
•ISAC 22.3R3 Build 19959
•Default ESAP version 4.0.5
•ICS 22.4R2.4 Build 2169
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.4R2.3 Build 2159
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.4R2.1 Build 1725
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.4R2 Build 1531
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.4R1.2 Build 2173
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.4R1.1 Build 2165
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.4R1 Build 1439
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
•ICS 22.3R1.2 Build 2075
•ISAC 22.3R1 Build 1295
•Default ESAP version 4.0.5
•ICS 22.3R1.1 Build 2071
•ISAC 22.3R1 Build 1295
•Default ESAP version 4.0.5
•ICS 22.3R1 Build 1647
•ISAC 22.3R1 Build 1295
•Default ESAP version 4.0.5
•ICS 22.2R4.2 Build 1481
•ISAC 22.2R1 Build 1295
•ICS 22.2R4.1 Build 1475
•ISAC 22.2R1 Build 1295
•ICS 22.2R3 Build 1477
•ISAC 22.2R1 Build 1295
•ICS 22.2R1 Build 657
•nSA GW 9.1R15 Build 18393
•PDC 9.1R15 Build 15819
•ISAC 22.2R1 Build 1295
•Default ESAP version 3.7.5
•ICS 22.1R6.2 Build 897
•ICS 22.1R6.1 Build 893
•ICS 22.1R6 Build 575
•ICS 22.1R1 Build 421
•nSA GW 9.1R14 Build 18099
•PDC 9.1R14 Build 13525
•Default ESAP version 3.7.5
Caveats
Dynamic Disk Size Allocation:
•Admin can modify or increase existing disk size only once.
•In case of an upgrade, the increased disk size (40 GB to 80 GB) is applicable only on upgraded ICS images, not on rollback and factory reset images.
•If the users are upgrading to 22.6R2 or later, then the disk size change has to be done prior to the upgrade on the respective platforms.
The following features are not supported in this gateway release:
•Analytics Dashboard and Gateway logs are not synchronized with nSA when using an ICS gateway on the cloud running version 22.5R2 or above.
•Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and the workaround before upgrading.
•Multicast with IGMP
•Enterprise onboarding is not supported in Release 22.4R2.
•Upgrade from 22.5R2.1/22.4R2 version to R1 version is not supported. Refer to the supported upgrade path forum link for more details.
•Browser-based certificate authentication is impacted when enforcing TLS 1.3 on 22.4R2. Refer to the forum link for more details.
•Kernel rate limiting cannot be configured from nSA in Release 22.4R2.
The features listed in KB44747 are not supported with the 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in the 22.x Gateway.
Hardware Platforms
You can install and use the software version on the following hardware platforms.
•ISA6000
•ISA8000
Virtual Appliance Editions
The following table lists the virtual appliance systems qualified with this release:
Limitations:
•Admin can modify or increase the existing disk size only once. Admin can create two extra physical disk partitions, which can be added to the existing logical volume groups of rollback and currently only for the first time.
•As part of the dynamic disk size allocation feature, the increased disk size is applicable only on the upgraded ICS image and not on rollback and factory reset images.
Variant | Platform | vCPU | RAM | Disk Space |
---|---|---|---|---|
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA4000-V | 4 | 8 GB | 80 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA6000-V | 8 | 16 GB | 80 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA8000-V | 12 | 32 GB | 80 GB |
Azure-V | ISA4000-V (Standard DS3 V2 - 3 NICs) | 4 | 14 GB | 80 GB |
Azure-V | ISA4000-V (Standard_D4s_v3 - 2 NICs) | 4 | 14 GB | 80 GB |
Azure-V | ISA6000-V (Standard DS4 V2 - 3 NICs) | 8 | 28 GB | 80 GB |
Azure-V | ISA6000-V (Standard D8s V3) | 8 | 32 GB | 80 GB |
Azure-V | ISA8000-V (Standard D16s V3) | 16 | 64 GB | 80 GB |
Azure-V | ISA4000-V (F4s_v2) | 4 | 8 GB | 80 GB |
Azure-V | ISA6000-V (F8s_v2) | 8 | 16 GB | 80 GB |
Azure-V | ISA8000-V (F16s_v2) | 16 | 32 GB | 80 GB |
AWS-V | ISA4000-V (M5.xlarge - 3 NICs) | 4 | 16 GB | 80 GB |
AWS-V | ISA6000-V (M5.2xlarge - 3 NICs) | 8 | 32 GB | 80 GB |
AWS-V | ISA8000-V (M5.4xlarge - 3 NICs) | 16 | 64 GB | 80 GB |
AWS-V | ISA4000-V (t3.xlarge - 3 NICs) | 4 | 16 GB | 80 GB |
AWS-V | ISA6000-V (t3.2xlarge - 3 NICs) | 8 | 32 GB | 80 GB |
GCP | ISA4000-V (n2-standard-4 - 3 NICs) | 4 | 16 GB | 80 GB |
GCP | ISA4000-V (n1-standard-4 - 3 NICs) | 4 | 16 GB | 80 GB |
GCP | ISA6000-V (n2-standard-8 - 3 NICs) | 8 | 32 GB | 80 GB |
GCP | ISA6000-V (c2-standard-8 - 3 NICs) | 8 | 32 GB | 80 GB |
GCP | ISA8000-V (n2-standard-16 - 3 NICs) | 16 | 64 GB | 80 GB |
OpenStack KVM | ISA4000-V | 4 | 8 GB | 80 GB |
OpenStack KVM | ISA6000-V | 8 | 16 GB | 80 GB |
OpenStack KVM | ISA8000-V | 12 | 32 GB | 80 GB |
Hyper-V | ISA4000-V | 4 | 8 GB | 80 GB |
Hyper-V | ISA6000-V | 8 | 16 GB | 80 GB |
Hyper-V | ISA8000-V | 12 | 32 GB | 80 GB |
Nutanix AHV 2021 | ISA4000-V | 4 | 8 GB | 80 GB |
Nutanix AHV 2021 | ISA6000-V | 8 | 16 GB | 80 GB |
Nutanix AHV 2021 | ISA8000-V | 12 | 32 GB | 80 GB |

Variant | Platform | vCPU | RAM | Disk Space |
---|---|---|---|---|
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA4000-V | 4 | 8 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA6000-V | 8 | 16 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA8000-V | 12 | 32 GB | 40 GB |
Azure-V | ISA4000-V (Standard DS3 V2 - 3 NICs) | 4 | 14 GB | 40 GB |
Azure-V | ISA4000-V (Standard_D4s_v3 - 2 NICs) | 4 | 14 GB | 40 GB |
Azure-V | ISA6000-V (Standard DS4 V2 - 3 NICs) | 8 | 28 GB | 40 GB |
Azure-V | ISA6000-V (Standard D8s V3) | 8 | 32 GB | 40 GB |
Azure-V | ISA8000-V (Standard D16s V3) | 16 | 64 GB | 40 GB |
Azure-V | ISA4000-V (F4s_v2) | 4 | 8 GB | 40 GB |
Azure-V | ISA6000-V (F8s_v2) | 8 | 16 GB | 40 GB |
Azure-V | ISA8000-V (F16s_v2) | 16 | 32 GB | 40 GB |
AWS-V | ISA4000-V (M5.xlarge - 3 NICs) | 4 | 16 GB | 40 GB |
AWS-V | ISA6000-V (M5.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB |
AWS-V | ISA8000-V (M5.4xlarge - 3 NICs) | 16 | 64 GB | 40 GB |
AWS-V | ISA4000-V (t3.xlarge - 3 NICs) | 4 | 16 GB | 40 GB |
AWS-V | ISA6000-V (t3.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA4000-V (n2-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB |
GCP | ISA4000-V (n1-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB |
GCP | ISA6000-V (n2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA6000-V (c2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA8000-V (n2-standard-16 - 3 NICs) | 16 | 64 GB | 40 GB |
OpenStack KVM | ISA4000-V | 4 | 8 GB | 40 GB |
OpenStack KVM | ISA6000-V | 8 | 16 GB | 40 GB |
OpenStack KVM | ISA8000-V | 12 | 32 GB | 40 GB |
Hyper-V | ISA4000-V | 4 | 8 GB | 40 GB |
Hyper-V | ISA6000-V | 8 | 16 GB | 40 GB |
Hyper-V | ISA8000-V | 12 | 32 GB | 40 GB |
Nutanix AHV 2021 | ISA4000-V | 4 | 8 GB | 40 GB |
Nutanix AHV 2021 | ISA6000-V | 8 | 16 GB | 40 GB |
Nutanix AHV 2021 | ISA8000-V | 12 | 32 GB | 40 GB |

Variant | Platform | vCPU | RAM | Disk Space |
---|---|---|---|---|
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA4000-V | 4 | 8 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA6000-V | 8 | 16 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA8000-V | 12 | 32 GB | 40 GB |

Variant | Platform | vCPU | RAM | Disk Space |
---|---|---|---|---|
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA4000-V | 4 | 8 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA6000-V | 8 | 16 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA8000-V | 12 | 32 GB | 40 GB |
Azure-V | ISA4000-V (Standard DS3 V2 - 3 NICs) | 4 | 14 GB | 40 GB |
Azure-V | ISA4000-V (Standard_D4s_v3 - 2 NICs) | 4 | 14 GB | 40 GB |
Azure-V | ISA6000-V (Standard DS4 V2 - 3 NICs) | 8 | 28 GB | 40 GB |
Azure-V | ISA6000-V (Standard D8s V3) | 8 | 32 GB | 40 GB |
Azure-V | ISA8000-V (Standard D16s V3) | 16 | 64 GB | 40 GB |
AWS-V | ISA4000-V (M5.xlarge - 3 NICs) | 4 | 16 GB | 40 GB |
AWS-V | ISA6000-V (M5.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB |
AWS-V | ISA8000-V (M5.4xlarge - 3 NICs) | 16 | 64 GB | 40 GB |
AWS-V | ISA4000-V (t3.xlarge - 3 NICs) | 4 | 16 GB | 40 GB |
AWS-V | ISA6000-V (t3.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA4000-V (n2-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB |
GCP | ISA4000-V (n1-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB |
GCP | ISA6000-V (n2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA6000-V (c2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA8000-V (n2-standard-16 - 3 NICs) | 16 | 64 GB | 40 GB |
OpenStack KVM | ISA4000-V | 4 | 8 GB | 40 GB |
OpenStack KVM | ISA6000-V | 8 | 16 GB | 40 GB |
OpenStack KVM | ISA8000-V | 12 | 32 GB | 40 GB |
Hyper-V | ISA4000-V | 4 | 8 GB | 40 GB |
Hyper-V | ISA6000-V | 8 | 16 GB | 40 GB |
Hyper-V | ISA8000-V | 12 | 32 GB | 40 GB |

Variant | Platform | vCPU | RAM | Disk Space |
---|---|---|---|---|
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA4000-V | 4 | 8 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA6000-V | 8 | 16 GB | 40 GB |
VMware ESXi 7.0.2 (17867351) ESXi 6.7.0 | ISA8000-V | 12 | 32 GB | 40 GB |
Azure-V | ISA4000-V (Standard DS3 V2 - 3 NICs) | 4 | 14 GB | 40 GB |
Azure-V | ISA4000-V (Standard_D4s_v3 - 2 NICs) | 4 | 14 GB | 40 GB |
Azure-V | ISA6000-V (Standard DS4 V2 - 3 NICs) | 8 | 28 GB | 40 GB |
Azure-V | ISA6000-V (Standard D8s V3) | 8 | 32 GB | 40 GB |
Azure-V | ISA8000-V (Standard D16s V3) | 16 | 64 GB | 40 GB |
AWS-V | ISA4000-V (M5.xlarge - 3 NICs) | 4 | 16 GB | 40 GB |
AWS-V | ISA6000-V (M5.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB |
AWS-V | ISA8000-V (M5.4xlarge - 3 NICs) | 16 | 64 GB | 40 GB |
AWS-V | ISA4000-V (t3.xlarge - 3 NICs) | 4 | 16 GB | 40 GB |
AWS-V | ISA6000-V (t3.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA4000-V (n2-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB |
GCP | ISA4000-V (n1-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB |
GCP | ISA6000-V (n2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA6000-V (c2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB |
GCP | ISA8000-V (n2-standard-16 - 3 NICs) | 16 | 64 GB | 40 GB |
To download the virtual appliance software, go to: https://forums.ivanti.com/s/contactsupport
Licensing Types
License Type | Gateway Licensing Mode | nSA named user Licensing Mode |
---|---|---|
Platform/Core license | Install license locally or lease license for license server | Register the ICS Gateway with nSA. If the ICS Gateway is using nSA named user licensing mode, the Platform/Core license is not required. |
User licensing | Install license locally or lease license for license server | Register ICS Gateway with nSA |
Feature licenses (Adv HTML5 etc) | Install license locally or lease license for license server | Install license locally on ISA-V |
For more information, see the Licensing Management Guide.
Upgrade Path
The following table describes the tested upgrade paths, in addition to fresh installation of 22.x for ICS Product.
Follow the mandatory steps listed in the KB44877 before staging or upgrading to prevent upgrade related issues.
Upgrade from 22.6R2/22.5R2.1/22.4R2 version to R1 version is not supported. Refer to the supported upgrade path forum link for more details.
Upgrade path is not supported for FIPS mode (enabled) from release 22.1R1 or prior releases. Upgrade can only be done with FIPS mode disabled.
Upgrade to | Upgrade From (Supported Versions) | Qualified |
---|---|---|
22.6R2.1 | 22.6R2, 22.5R2.1, 22.5R1, 22.4R1 | Q |
22.6R2 | 22.5R2.1, 22.5R1, 22.4R2.1, 22.4R1 | Q |
22.5R2.1 | 22.5R1, 22.4R2.1, 22.4R1 | Q |
22.5R1 | 22.4R1, 22.3R1 | Q |
22.4R2.1 | 22.4R2, 22.4R1, 22.3Rx, 22.2Rx | Q |
22.4R2 | 22.4R1, 22.3Rx and 22.2Rx | Q |
22.4R1 (FIPS) | 22.3Rx and 22.2Rx | Q |
22.3R1 | 22.2Rx and 22.1Rx | Q |
22.2R1 | 22.1R1 and 21.12R1 | Q |
22.1R6 | 22.1R1 and prior releases | Q |
22.1R1 | 21.12R1 and 21.9R1 | Q |

Upgrade to | Upgrade From (Supported Version) | Qualified |
---|---|---|
22.2R3 | 22.2R1 and 22.1R1 | Q |
FIPS mode supports fresh installation and upgrade for VMware images and only upgrade for Cloud (AWS, Azure, GCP) images.
Configuration Migration Path
The following table describes the tested migration paths. See the PSA-ISA-Migration-Guide; following its instructions is mandatory.
Before upgrading or importing a configuration from a 9.x release where deprecated Auth servers are present, it is recommended to delete the deprecated Auth servers first. For the Siteminder/Netegrity Auth Server, the XML config import and deletion of the auth server fail post migration.
Migrate to | Migrate From (Supported Versions) | Qualified |
---|---|---|
22.6R2.1 | 9.1R18.2, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
22.6R2 | 9.1R18.2, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
22.5R2.1 | 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
22.5R1 | 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
22.4R2.1 | 9.1R17 and nSA supported 9.1R18 | Q |
22.4R2 | 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q |
22.4R1 | 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q |
22.3R1 | 9.1R17, 9.1R16, 9.1R15, 9.1R14, and nSA supported 9.1R15 | Q |
22.2R1 | 9.1R15, 9.1R14.1, 9.1R13.2, and nSA supported 9.1R14 | Q |
22.1R6 | 9.1R14.1 or prior releases | Q |
22.1R1 | 9.1R13.2 or prior releases | Q |
21.12R1 | 9.1R13.2 or prior releases | Q |
21.9R1 | 9.1R12 or prior releases | Q |
Upgrade the servers to the nearest matching version per the table to proceed with Migration if the exact versions are not listed.
Noteworthy Information
•ISAC Packages: As a best practice, ensure that there is only one client package uploaded along with the default. Delete the non-active client package before doing any of the following operations: upgrade, binary export/import, and push config. For more details, refer to Limitations with more than two ISAC packages.
•Support added for assigning IPv6 address to IKEv2 based VPN connection and access is enabled to IPv6 based protected resources.
•IPv6 is now supported for log archiving on AWS.
•Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and the workaround before upgrading.
•If the login URL is different from the Host FQDN, the Sign-in policy should be configured with the login URL to avoid the SAML transfer failed issue.
For Release 22.5R2.1, when configuring SAML/IdP Settings for Cloud Secure, set the Signature Algorithm to SHA-256.
SHA-1 is less secure and not supported by Microsoft 365 from 2016 version onwards.
•Resources may not be accessible through Ivanti Secure Access Client on Android when Enable TOS Bits Copy is configured for the role under VPN Tunneling Options on the ICS. Disable the option under User > User Roles > Role > VPN Tunneling on ICS UI to access all resources.
•Console access using SSH is not available from release 22.4R2 onwards for cloud deployments. The user has to leverage the serial console access instead.
•Enterprise onboarding is not supported in Release 22.4R2.
•Upgrade from 22.5R2/22.4R2 version to R1 version is not supported. Refer to the supported upgrade path forum link for more details.
•Browser-based certificate authentication is impacted when enforcing TLS 1.3 on 22.4R2. Refer to the forum link for more details.
•The file system type is changed from ext2 to ext3 to avoid power cycle issues for RAID disks.
•Application Visibility logs are not displayed by default. You can delete the default `id` filters to view the logs. Application visibility logs are per connection based on the application access.
•The "New password must differ from previous 8 password positions (Default)" option is newly added under Password options on the Local Authentication Settings page.
•Reset Password and Change Password options are newly introduced for Local Authentication Account (User/Admin).
•Platform (Core) License SKUs for ISA platforms are introduced. The number of concurrent users is reset to two if the core license is not installed or leased.
•Hyper-V and KVM support