Introduction

Ivanti Connect Secure (ICS) is a next-generation secure access product that offers fast and secure connections between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as a new end-user experience, increased overall throughput, and simplified appliance management.

These are cumulative release notes. If a page does not list a release, then there is no new associated information for that release.

Security Advisory and Patch Update

Ivanti has released security advisories and mitigations for critical vulnerabilities in the Ivanti Connect Secure gateways. These vulnerabilities impact all supported versions of ICS (22.x).

The following CVEs have been fixed:

| CVEs | Ivanti Forum links |
| --- | --- |
| CVE-2023-46805, CVE-2024-21887 | For more details, see Ivanti forum. |
| CVE-2024-21888, CVE-2024-21893 | For more details, see Ivanti forum. |
| CVE-2024-22024 | For more details, see Ivanti forum. |
| CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, CVE-2024-22023, CVE-2024-29205 | For more details, see Ivanti forum. |
| CVE-2023-39340, CVE-2023-41719, CVE-2023-41720 | For more details, see Ivanti forum. |
| CVE-2023-38551 | For more details, see Ivanti forum. |

For more details, see Ivanti forum KB.

The build details of ICS Gateways that include the CVE fixes are listed below:

Caveats

Dynamic Disk Size Allocation:

An admin can modify or increase the existing disk size only once.

In case of an upgrade, the increased disk size (40 GB to 80 GB) applies only to upgraded ICS images, not to rollback and factory reset images.

If users are upgrading to 22.6R2 or later, the disk size change has to be done prior to the upgrade on the respective platforms.

The following feature is not supported in this gateway release:

Analytics Dashboard and Gateway logs are not synchronized with nSA when using an ICS gateway on the cloud running version 22.5R2 or above.

Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after the upgrade. Refer to the KB link for details and the workaround before upgrading.

Multicast with IGMP

Enterprise onboarding is not supported in Release 22.4R2.

Upgrade from 22.5R2.1/22.4R2 version to R1 version is not supported. Refer to the supported upgrade path forum link for more details.

Browser-based certificate authentication is impacted when enforcing TLS 1.3 on 22.4R2. Refer to the forum link for more details.

Kernel rate limiting cannot be configured from nSA in Release 22.4R2.

The features listed in KB44747 are not supported with 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in 22.x Gateway.

Hardware Platforms

You can install and use the software version on the following hardware platforms.

ISA6000

ISA8000

Virtual Appliance Editions

The following table lists the virtual appliance systems qualified with this release:

To download the virtual appliance software, go to: https://forums.ivanti.com/s/contactsupport

Licensing Types

| License Type | Gateway Licensing Mode | nSA named user Licensing Mode |
| --- | --- | --- |
| Platform/Core license | Install license locally or lease license for license server | Register the ICS Gateway with nSA and if the ICS Gateway is using nSA named user licensing mode then the Platform/Core license is not required. |
| User licensing | Install license locally or lease license for license server | Register ICS Gateway with nSA |
| Feature licenses (Adv HTML5 etc) | Install license locally or lease license for license server | Install license locally on ISA-V |

For more information, see the Licensing Management Guide.

Upgrade Path

The following table describes the tested upgrade paths, in addition to fresh installation of 22.x for the ICS product.

Follow the mandatory steps listed in KB44877 before staging or upgrading to prevent upgrade-related issues.

Upgrade from 22.6R2/22.5R2.1/22.4R2 version to R1 version is not supported. Refer to the supported upgrade path forum link for more details.

Upgrade path is not supported for FIPS mode (enabled) from release 22.1R1 or prior releases. Upgrade can only be done with FIPS mode disabled.

| Upgrade to | Upgrade From (Supported Versions) | Qualified |
| --- | --- | --- |
| 22.6R2.1 | 22.6R2, 22.5R2.1, 22.5R1, 22.4R1 | Q |
| 22.6R2 | 22.5R2.1, 22.5R1, 22.4R2.1, 22.4R1 | Q |
| 22.5R2.1 | 22.5R1, 22.4R2.1, 22.4R1 | Q |
| 22.5R1 | 22.4R1, 22.3R1 | Q |
| 22.4R2.1 | 22.4R2, 22.4R1, 22.3Rx, 22.2Rx | Q |
| 22.4R2 | 22.4R1, 22.3Rx and 22.2Rx | Q |
| 22.4R1(FIPS) | 22.3Rx and 22.2Rx | Q |
| 22.3R1 | 22.2Rx and 22.1Rx | Q |
| 22.2R1 | 22.1R1 and 21.12R1 | Q |
| 22.1R6 | 22.1R1 and prior releases | Q |
| 22.1R1 | 21.12R1 and 21.9R1 | Q |

Configuration Migration Path

The following table describes the tested migration paths. See the PSA-ISA-Migration-Guide; following its instructions is mandatory.

Before upgrading or importing a configuration from a 9.x release where deprecated Auth servers are present, it is recommended to delete the deprecated Auth servers first. For Siteminder/Netegrity Auth Server, the XML config import and deletion of the auth server fail post migration.

| Migrate to | Migrate From (Supported Versions) | Qualified |
| --- | --- | --- |
| 22.6R2.1 | 9.1R18.2, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
| 22.6R2 | 9.1R18.2, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
| 22.5R2.1 | 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
| 22.5R1 | 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q |
| 22.4R2.1 | 9.1R17 and nSA supported 9.1R18 | Q |
| 22.4R2 | 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q |
| 22.4R1 | 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q |
| 22.3R1 | 9.1R17, 9.1R16, 9.1R15, 9.1R14, and nSA supported 9.1R15 | Q |
| 22.2R1 | 9.1R15, 9.1R14.1, 9.1R13.2, and nSA supported 9.1R14 | Q |
| 22.1R6 | 9.1R14.1 or prior releases | Q |
| 22.1R1 | 9.1R13.2 or prior releases | Q |
| 21.12R1 | 9.1R13.2 or prior releases | Q |
| 21.9R1 | 9.1R12 or prior releases | Q |

If the exact versions are not listed, upgrade the servers to the nearest matching version per the table to proceed with the migration.

Noteworthy Information