Introduction

Ivanti Connect Secure (ICS) is a next generation Secure access product, which offers fast and secure connection between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as new end user experience, increased overall throughput and simplified appliance management.

Noteworthy Information

With Q1 2026 Release of ICS, the default ESAP version will be 4.6.4. ESAP 4.6.4 has been released in Q2 2025.

This release includes important security enhancements as part of our ongoing commitment to secure-by-design. Ivanti encourages customers to upgrade to this latest version.

In previous ICS releases, the HTTP Only Device Cookie was enabled for all new user roles. However, there can be some of the older user roles on the system which are not enabled with this option. The fix in this version will secure this behavior by default.

Default behavior of "HTTP Only Device Cookie" option will be as follows for all user roles on the system:

There is no change during fresh installation of the ICS. A fresh installation of the ICS will enable "HTTP Only Device Cookie" by default.

During an upgrade, ICS will enable the "HTTP Only Device Cookie" checkbox, overriding its previous state if unchecked.

During a Config import, ICS will enable the "HTTP Only Device Cookie" checkbox, overriding any previous unchecked state.

API and XML import workflows will remain unchanged.

In case of, any changes to the application behavior, the change can be reverted back at User Roles > Default Options for User Roles > General > Session Options.

Push config fails if MFA is enabled on the admin account of the target ICS server.

There is change in default behavior of Push Configuration. The change is as follows:

A fresh installation of the ICS will enable "validate target server certificate" by default.

During an upgrade, ICS will enable the "validate target server certificate" checkbox, overriding its previous state if unchecked. A log message will note this change.

During a Config import, ICS will enable the "validate target server certificate" checkbox, overriding any previous unchecked state. A log message will indicate if this override occurs.

API and XML import workflows will remain unchanged.

The Push Configuration feature will not work if the target server certificate validation fails. Ivanti recommends all customers use trusted certificates on their ICS servers.
If you need more time to install valid digital certificates, you can override the option by disable the "validate target server certificate" checkbox after an upgrade, fresh installation, or configuration import. However, this is a temporary fix as this option will be deprecated in a future release.

Smart card agent requires to be updated on the client machine to support HTML5 login using smart card authentication. For updating, you must uninstall the older version of Smart card agent on your system and reinstall it by downloading the latest version form ICS End user portal.

PSAM has been updated to improve security. As a result, the server will validate that the IP address and FQDN being used by the client match the results that the ICS server gets for the same FQDN. If the IP and FQDN do not match, access will be denied. This is most likely to occur with large cloud resources, which are traditionally not handled via PSAM. If access is denied an entry will appear in the access log. Log message: "Deny connect request to www.xyz.com port 7000. FQDN matched but IP 23.1.3.7 didn't match any resolved IP(s)".

With latest changes by default RADIUS sends the Access Request packet with the Message-Authenticator (80) attribute and does a strict check for the same attribute on the Response packet. If the ICS does not receive the same in response packet, then the connection terminates. Refer the forum article for more Information.

Verify your RADIUS Server's capability to handle the above scenario before upgrading.

The IF MAP feature is not supported starting from Release 22.7R2.6.

Beginning with ICS 22.7R2.6 onwards, thumbprint must be used as identifier instead of the serial number in the certificate APIs, see API Sample.

Functionality provided by the IF-MAP feature has reached a final state. Refer the forum article for more information.

Ivanti Connect Secure 22.7R2.1 will disable the DMI (System > Configuration > DMI) feature during upgrade. New installations of this version will also have this disabled by default. This is in line with proactive measures outlined in KB. Enabling this feature in ICS 22.7R2.1 will reintroduce risk associated with the related vulnerability.

Dashboard warning message is implemented in 22.7R2.1 referencing the "Security Certificate validation being enabled or not for the below features"

License Server

Push Config clients

Trusted server enforcement for Ivanti Secure mobile app

LDAP Server

Trusted Client CA's with CRLs

After upgrade , the default ESAP version will be set to 4.3.8.

Ivanti recommends using api/v1/realm_auth instead of api/v1/auth as it will not be supported in future release. Update/Modify your REST based scripts to make use of /api/v1/realm_auth.

For advance HTML5 RDP access via smart card, the smart card driver version at client side and RDP Host should be same

Unsupported Features

Admin Access via External Interface is no longer supported in Ivanti Connect Secure (ICS) from Version 22.7R2.9, refer to article.

Ivanti Connect Secure: Features and Options Becoming Unsupported or Deprecated in 22.7Rx, 22.8Rx, and 25.x, refer to article.

Deprecation of TDI Fail-Over Option for Pulse SAM Connection, refer to article.

Caveats

Dynamic Disk Size Allocation:

Admin can modify or increase existing disk size only once.

In case of an upgrade, increased disk size (40 GB to 80 GB) is applicable only on upgraded ICS images not on rollback and factory reset images.

If the users are upgrading to 22.6R2 or later, then the disk size change have to be done prior to upgrade on the respective platforms.

The features listed in KB44747 are not supported with 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in 22.x Gateway.