Introduction
Ivanti Connect Secure (ICS) is a next generation Secure access product, which offers fast and secure connection between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as new end user experience, increased overall throughput and simplified appliance management.
Security Advisory and Patch Update
Ivanti has released security advisories and mitigations for critical vulnerabilities in the Ivanti Connect Secure gateways. These vulnerabilities impacts all supported versions of ICS (22.x).
The following CVE's have been fixed:
•CVE-2023-38551- For more details, see Ivanti forum.
Build details for ICS Gateway is listed below:
Build Details for 22.7R2
•ICS 22.7R2 Build 2615
•ISAC 22.7R2 Build 29103
•Default ESAP version 4.3.8
Caveats
Dynamic Disk Size Allocation:
•Admin can modify or increase existing disk size only once.
•In case of an upgrade, increased disk size (40 GB to 80 GB) is applicable only on upgraded ICS images not on rollback and factory reset images.
•If the users are upgrading to 22.6R2 or later, then the disk size change have to be done prior to upgrade on the respective platforms.
The following feature is not supported in this gateway release:
•Analytics Dashboard and Gateway logs are not synchronized with nSA when using an ICS gateway on the cloud running version 22.5R2 or above.
•Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and work around before upgrading.
•Multicast with IGMP
•Enterprise onboarding is not supported in Release 22.4R2.
•Upgrade from any R2 versions to R1 versions is not supported. Refer the supported upgrade path forum link for more details.
•Browser based Certificate authentication gets impacted when enforcing TLS 1.3 on 22.4R2. Refer the forum link for more details.
•Kernel rate limiting cannot be configured from nSA in Release 22.4R2.
The features listed in KB44747 are not supported with 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in 22.x Gateway.
Hardware Platforms
You can install and use the software version on the following hardware platforms.
•ISA6000
• ISA8000
Virtual Appliance Editions
The following table lists the virtual appliance systems qualified with this release:
Virtual appliance qualified in 22.7R2
Limitations:
•Admin can modify or increase existing disk size only once, Admin can create an extra 2 physical disk partitions, which can be added to existing logical volume groups of rollback and currently only for the first time.
•As part of dynamic disk size allocation feature, Increase disk size is applicable only on upgraded ICS image and not on rollback and factory reset image.
|
Variant |
Platform |
vCPU |
RAM |
Disk Space |
|---|---|---|---|---|
|
VMware ESXi 7.0.3 (23307199) ESXi 6.7.0
|
ISA4000-V |
4 |
8 GB |
80 GB |
|
ISA6000-V |
8 |
16 GB |
80 GB |
|
|
ISA8000-V |
12 |
32 GB |
80 GB |
|
|
Azure-V
|
ISA4000-V (Standard DS3 V2 - 3NICs) |
4 |
14 GB |
80 GB |
|
ISA4000-V (Standard_D4s_v3 - 2NICs) |
4 |
14 GB |
80 GB |
|
|
ISA6000-V (Standard DS4 V2 -3 NICs ) |
8 |
28 GB |
80 GB |
|
|
ISA6000-V (Standard D8s V3) |
8 |
32 GB |
80 GB |
|
|
ISA8000-V (Standard D16s V3) |
16 |
64 GB |
80 GB |
|
|
ISA4000-V (F4s_v2) |
4 |
8 GB |
80 GB |
|
|
ISA6000-V (F8s_v2) |
8 |
16 GB |
80 GB |
|
|
ISA8000-V (F16s_v2) |
16 |
32 GB |
80 GB |
|
|
AWS-V
|
ISA4000-V (M5.xlarge - 3 NICs) |
4 |
16 GB |
80 GB |
|
ISA6000-V ( M5.2xlarge - 3 NICs) |
8 |
32 GB |
80 GB |
|
|
ISA8000-V (M5.4xlarge - 3 NICs) |
16 |
64 GB |
80 GB |
|
|
ISA4000-V (t3.xlarge - 3 NICs) |
4 |
16 GB |
80 GB |
|
|
ISA6000-V (t3.2xlarge - 3 NICs) |
8 |
32 GB |
80 GB |
|
|
GCP
|
ISA4000-V (n2-standard-4 - 3 NICs) |
4 |
16 GB |
80 GB |
|
ISA4000-V (n1-standard-4 - 3 NICs) |
4 |
16 GB |
80 GB |
|
|
ISA6000-V (n2-standard-8 - 3 NICs) |
8 |
32 GB |
80 GB |
|
|
ISA6000-V (c2-standard-8 - 3 NICs) |
8 |
32 GB |
80 GB |
|
|
ISA 8000-V(n2-standard-16 - 3 NICs) |
16 |
64 GB |
80 GB |
|
|
OpenStack KVM
|
ISA4000-V |
4 |
8 GB |
80 GB |
|
ISA6000-V |
8 |
16 GB |
80 GB |
|
|
ISA8000-V |
12 |
32 GB |
80 GB |
|
|
Hyper-V
|
ISA4000-V |
4 |
8 GB |
80 GB |
|
ISA6000-V |
8 |
16 GB |
80 GB |
|
|
ISA8000-V |
12 |
32 GB |
80 GB |
|
|
Nutanix AHV 2021
|
ISA4000-V |
4 |
8 GB |
80 GB |
|
ISA6000-V |
8 |
16 GB |
80 GB |
|
|
ISA8000-V |
12 |
32 GB |
80 GB |
To download the virtual appliance software, go to: https://forums.ivanti.com/s/contactsupport
Licensing Types
|
License Type |
Gateway Licensing Mode |
nSA named user Licensing Mode |
|---|---|---|
|
Platform/Core license |
Install license locally or lease license for license server |
Register the ICS Gateway with nSA and if the ICS Gateway is using nSA named user licensing mode then the Platform/Core license is not required. |
|
User licensing |
Install license locally or lease license for license server |
Register ICS Gateway with nSA |
|
Feature licenses (Adv HTML5 etc) |
Install license locally or lease license for license server |
Install license locally on ISA-V |
For more information see the Licensing Management Guide
Upgrade Path
The following table describes the tested upgrade paths, in addition to fresh installation of 22.x for ICS Product.
Follow the mandatory steps listed in the KB44877 before staging or upgrading to prevent upgrade related issues.
|
Upgrade to |
Upgrade From (Supported Versions) |
Qualified |
|---|---|---|
|
22.7R2 |
22.6R2.3, 22.6R1.2, 22.5R2.4, 22.2R4.2 |
Q |
Configuration Migration Path
The following table describes the tested migration paths. See PSA-ISA-Migration-Guide and it is mandatory to follow the instructions.
Before upgrading or config import from 9.x release where deprecated Auth servers is present, it is recommended to delete the deprecated Auth server before upgrade or config-imports. For Siteminder/Netegrity Auth Server, the XML config import and deletion of auth server fails post migration.
|
Migrate to |
Migrate From (Supported Versions) |
Qualified |
|---|---|---|
|
22.7R2 |
9.1R18.6, 9.1R18.4, 9.1R14.6 and nSA supported 9.1R17.4 |
Q |
Upgrade the servers to the nearest matching version per the table to proceed with Migration if the exact versions are not listed.
Noteworthy Information
Version 22.7R2
•After upgrade , the default ESAP version will be set to 4.3.8.
•Ivanti recommends using api/v1/realm_auth instead of api/v1/auth as it will not be supported in future release. Update/Modify your REST based scripts to make use of /api/v1/realm_auth.
•For advance HTML5 RDP access via smart card, the smart card driver version at client side and RDP Host should be same
Version 22.6R2
•ISAC Packages: Ensure that there is only one client package uploaded along with the default as a best practice. Delete the non-active client package before doing any of the following operations-upgrade, binary export/import and push config. For more details, refer to Limitations with more than two ISAC packages.
•Support added for assigning IPv6 address to IKEv2 based VPN connection and access is enabled to IPv6 based protected resources.
•IPv6 support for Log archiving on AWS is now supported.
•Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and work around before upgrading.
Version 22.5R2.1
•The Sign-in policy should be configured with the login URL, if the login URL is different from the Host FQDN to avoid SAML transfer failed issue.
For Release 22.5R2.1, While Configuring SAML/IdP Settings for Cloud Secure set the Signature Algorithm to Sha-256.
SHA-1 is less secure and not supported by Microsoft 365 from 2016 version onwards.
Version 22.4R2
•Resources may not be accessible through Ivanti Secure Access Client on Android when Enable TOS Bits Copy is configured for the role under VPN Tunneling Options on the ICS. Disable the option under User > User Roles > Role > VPN Tunneling on ICS UI to access all resources.
•Console access using SSH is not available from release 22.4R2 onwards for cloud deployments. The user has to leverage the serial console access instead.
•Enterprise onboarding is not supported in Release 22.4R2.
•Upgrade from 22.5R2/22.4R2 version to R1 version is not supported. Refer the supported upgrade path forum link for more details.
•Browser based Certificate authentication gets impacted when enforcing TLS 1.3 on 22.4R2. Refer the forum link for more details.
Version 22.4R1
•Change in File system type from ext2 to ext3 to avoid power cycle issues for RAID disks.
Version 22.3R1
•Application Visibility logs are not displayed by default. You can delete the default `id` filters to view the logs. Application visibility logs are per connection based on the application access.
Version 22.2R3
•New password must differ from previous 8 password positions (Default) option is newly added under Password options in Local Authentication Settings page.
•Reset Password and Change Password options are newly introduced for Local Authentication Account (User/Admin).
Version 22.2R1
• Platform (Core) License SKUs for ISA platforms are introduced. Concurrent users is reset to two if core license is not installed or leased.
•Hyper-V and KVM support