Introduction
Ivanti Connect Secure (ICS) is a next-generation secure access product that offers fast and secure connections between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as a new end user experience, increased overall throughput and simplified appliance management.
Noteworthy Information


•In previous ICS releases, the HTTP Only Device Cookie was enabled for all new user roles. However, some older user roles on the system may not have this option enabled. The fix in this version secures this behavior by default.
•The default behavior of the "HTTP Only Device Cookie" option is as follows for all user roles on the system:
•There is no change during fresh installation of the ICS. A fresh installation of the ICS will enable "HTTP Only Device Cookie" by default.
•During an upgrade, ICS will enable the "HTTP Only Device Cookie" checkbox, overriding its previous state if unchecked.
•During a Config import, ICS will enable the "HTTP Only Device Cookie" checkbox, overriding any previous unchecked state.
•API and XML import workflows will remain unchanged.

•Push config fails if MFA is enabled on the admin account of the target ICS server.
•There is a change in the default behavior of Push Configuration. The change is as follows:
•A fresh installation of the ICS will enable "validate target server certificate" by default.
•During an upgrade, ICS will enable the "validate target server certificate" checkbox, overriding its previous state if unchecked. A log message will note this change.
•During a Config import, ICS will enable the "validate target server certificate" checkbox, overriding any previous unchecked state. A log message will indicate if this override occurs.
•API and XML import workflows will remain unchanged.
If you need more time to install valid digital certificates, you can override the option by disabling the "validate target server certificate" checkbox after an upgrade, fresh installation, or configuration import. However, this is a temporary fix, as this option will be deprecated in a future release.

•The Smart card agent must be updated on the client machine to support HTML5 login using smart card authentication. To update, you must uninstall the older version of the Smart card agent on your system and reinstall it by downloading the latest version from the ICS End user portal.

•PSAM has been updated to improve security. As a result, the server will validate that the IP address and FQDN being used by the client match the results that the ICS server gets for the same FQDN. If the IP and FQDN do not match, access will be denied. This is most likely to occur with large cloud resources, which are traditionally not handled via PSAM. If access is denied, an entry will appear in the access log. Log message: "Deny connect request to www.xyz.com port 7000. FQDN matched but IP 23.1.3.7 didn't match any resolved IP(s)".
•With the latest changes, RADIUS by default sends the Access-Request packet with the Message-Authenticator (80) attribute and performs a strict check for the same attribute in the response packet. If ICS does not receive the attribute in the response packet, the connection terminates. Refer to the forum article for more information.
•The IF-MAP feature is not supported starting from Release 22.7R2.6.
•Beginning with ICS 22.7R2.6, the thumbprint must be used as the identifier instead of the serial number in the certificate APIs; see API Sample.
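
For the PSAM FQDN/IP validation described above, the following added example (not Ivanti code) groups the denial log entries by destination to show which resources are affected and whether a destination is being denied with many different IPs, as is typical of large cloud resources. The message text is taken from the release note; the log line prefix, the function names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Message text as quoted in the release note; anything before it on the line is ignored.
DENY_RE = re.compile(
    r"Deny connect request to (?P<fqdn>\S+) port (?P<port>\d+)\. "
    r"FQDN matched but IP (?P<ip>\S+) didn't match any resolved IP\(s\)"
)


def summarize_psam_denials(lines):
    """Return {(fqdn, port): {"count": n, "ips": sorted distinct denied IPs}}."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not a PSAM FQDN/IP mismatch entry
        key = (m["fqdn"].lower().rstrip("."), int(m["port"]))
        buckets[key]["count"] += 1
        buckets[key]["ips"].add(m["ip"])
    return {k: {"count": v["count"], "ips": sorted(v["ips"])}
            for k, v in buckets.items()}


def likely_rotating(summary, min_distinct_ips=3):
    """Destinations denied with many distinct IPs (threshold is an assumption)."""
    return sorted(k for k, v in summary.items() if len(v["ips"]) >= min_distinct_ips)


# Constructed sample access-log lines; the timestamp prefix is hypothetical.
MSG = ("Deny connect request to {} port {}. "
       "FQDN matched but IP {} didn't match any resolved IP(s)")
SAMPLE = [
    "2025-01-01 10:00:01 " + MSG.format("www.xyz.com", 7000, "23.1.3.7"),
    "2025-01-01 10:00:05 " + MSG.format("cdn.example.com", 443, "203.0.113.10"),
    "2025-01-01 10:00:09 " + MSG.format("cdn.example.com", 443, "203.0.113.11"),
    "2025-01-01 10:00:12 " + MSG.format("CDN.example.com", 443, "203.0.113.12"),
    "2025-01-01 10:00:20 " + MSG.format("cdn.example.com", 443, "203.0.113.10"),
    "2025-01-01 10:00:31 Login succeeded for user alice",
]

if __name__ == "__main__":
    summary = summarize_psam_denials(SAMPLE)
    for dest, info in summary.items():
        print(dest, info)
    print("many distinct IPs:", likely_rotating(summary))
```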

•Functionality provided by the IF-MAP feature has reached a final state. Refer to the forum article for more information.
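
For the RADIUS Message-Authenticator (80) strict check noted above, the following added example (not Ivanti code) shows what such a check on a response packet involves, using the HMAC-MD5 computation defined in RFC 3579. It can be used to test whether a RADIUS server's responses would pass before upgrading. The function names, shared secret and sample packets are constructed assumptions, and the Response Authenticator itself is not verified here.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type named in the release note


def attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]


def response_passes_strict_check(response, request_auth, secret):
    """True only if attribute 80 appears exactly once and its HMAC-MD5 verifies."""
    try:
        found = [(off, val) for t, off, val in attributes(response)
                 if t == MESSAGE_AUTHENTICATOR]
    except (ValueError, struct.error):
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # attribute missing or malformed: response is rejected
    offset, received = found[0]
    # RFC 3579: the HMAC covers the packet with the Request Authenticator in the
    # authenticator field and the Message-Authenticator value set to zero.
    data = bytearray(response[:struct.unpack("!H", response[2:4])[0]])
    data[4:20] = request_auth
    data[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(data), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(code, ident, request_auth, secret, attrs, with_ma=True):
    """Constructed sample data: a minimal server-side response builder."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if with_ma:
        body = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + body
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_ma:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body
```

A response built with `with_ma=False` models a RADIUS server that omits the attribute; it fails the check even though its Response Authenticator is valid.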

•A dashboard warning message is implemented in 22.7R2.1 that indicates whether Security Certificate validation is enabled for the following features:
•License Server
•Push Config clients
•Trusted server enforcement for Ivanti Secure mobile app
•LDAP Server
•Trusted Client CAs with CRLs

•After upgrade, the default ESAP version will be set to 4.3.8.
•Ivanti recommends using api/v1/realm_auth instead of api/v1/auth, as api/v1/auth will not be supported in a future release. Update your REST-based scripts to use /api/v1/realm_auth.
•For advanced HTML5 RDP access via smart card, the smart card driver version on the client side and on the RDP host should be the same.
Unsupported Features
•Enterprise onboarding is not supported starting from release 22.4R2.
•The IF-MAP feature is not supported starting from release 22.7R2.6.
Caveats
Dynamic Disk Size Allocation:
•Admin can modify or increase existing disk size only once.
•In case of an upgrade, the increased disk size (40 GB to 80 GB) is applicable only on upgraded ICS images, not on rollback and factory reset images.
•If users are upgrading to 22.6R2 or later, the disk size change has to be done prior to the upgrade on the respective platforms.
The following feature is not supported in this gateway release:
•Analytics Dashboard and Gateway logs are not synchronized with nSA when using an ICS gateway on the cloud running version 22.5R2 or above.
•Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and the workaround before upgrading.
•Multicast with IGMP
•Upgrade from any R2 version to an R1 version is not supported. Refer to the supported upgrade path forum link for more details.
•Browser-based certificate authentication is impacted when enforcing TLS 1.3 on 22.4R2. Refer to the forum link for more details.
•Kernel rate limiting cannot be configured from nSA in Release 22.4R2.
The features listed in KB44747 are not supported with the 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in the 22.x Gateway.