Introduction

Ivanti Connect Secure (ICS) is a next generation Secure access product, which offers fast and secure connection between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as new end user experience, increased overall throughput and simplified appliance management.

Noteworthy  Information

Ivanti Connect Secure 22.7R2.1 will disable the DMI (System > Configuration > DMI) feature during upgrade. New installations of this version will also have this disabled by default. This is in line with proactive measures outlined in KB. Enabling this feature in ICS 22.7R2.1 will reintroduce risk associated with the related vulnerability.

Dashboard warning message is implemented in 22.7R2.1 referencing the "Security Certificate validation being enabled or not for the below features"

License Server

Push Config clients

Trusted server enforcement for Ivanti Secure mobile app

LDAP Server

Trusted Client CA's with CRLs

After upgrade , the default ESAP version will be set to 4.3.8.

Ivanti recommends using api/v1/realm_auth instead of api/v1/auth as it will not be supported in future release. Update/Modify your REST based scripts to make use of /api/v1/realm_auth.

For advance HTML5 RDP access via smart card, the smart card driver version at client side and RDP Host should be same

ISAC Packages: Ensure that there is only one client package uploaded along with the default as a best practice. Delete the non-active client package before doing any of the following operations-upgrade, binary export/import and push config. For more details, refer to Limitations with more than two ISAC packages.

Support added for assigning IPv6 address to IKEv2 based VPN connection and access is enabled to IPv6 based protected resources.

IPv6 support for Log archiving on AWS is now supported.

Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and work around before upgrading.

The Sign-in policy should be configured with the login URL, if the login URL is different from the Host FQDN to avoid SAML transfer failed issue.

For Release 22.5R2.1, While Configuring SAML/IdP Settings for Cloud Secure set the Signature Algorithm to Sha-256.

SHA-1 is less secure and not supported by Microsoft 365 from 2016 version onwards.

Resources may not be accessible through Ivanti Secure Access Client on Android when Enable TOS Bits Copy is configured for the role under VPN Tunneling Options on the ICS. Disable the option under User > User Roles > Role > VPN Tunneling on ICS UI to access all resources.

Console access using SSH is not available from release 22.4R2 onwards for cloud deployments. The user has to leverage the serial console access instead.

Enterprise onboarding is not supported in Release 22.4R2.

Upgrade from 22.5R2/22.4R2 version to R1 version is not supported. Refer the supported upgrade path forum link for more details.

Browser based Certificate authentication gets impacted when enforcing TLS 1.3 on 22.4R2. Refer the forum link for more details.

Change in File system type from ext2 to ext3 to avoid power cycle issues for RAID disks.

Application Visibility logs are not displayed by default. You can delete the default `id` filters to view the logs. Application visibility logs are per connection based on the application access.

New password must differ from previous 8 password positions (Default) option is newly added under Password options in Local Authentication Settings page.

Reset Password and Change Password options are newly introduced for Local Authentication Account (User/Admin).

Platform (Core) License SKUs for ISA platforms are introduced. Concurrent users is reset to two if core license is not installed or leased.

Hyper-V and KVM support

Caveats

Dynamic Disk Size Allocation:

Admin can modify or increase existing disk size only once.

In case of an upgrade, increased disk size (40 GB to 80 GB) is applicable only on upgraded ICS images not on rollback and factory reset images.

If the users are upgrading to 22.6R2 or later, then the disk size change have to be done prior to upgrade on the respective platforms.

The following feature is not supported in this gateway release:

Analytics Dashboard and Gateway logs are not synchronized with nSA when using an ICS gateway on the cloud running version 22.5R2 or above.

Users upgrading to 22.6R2 with AD servers 2016 or older could see AD domain join failures after upgrade. Refer to the KB link for details and work around before upgrading.

Multicast with IGMP

Enterprise onboarding is not supported in Release 22.4R2.

Upgrade from any R2 versions to R1 versions is not supported. Refer the supported upgrade path forum link for more details.

Browser based Certificate authentication gets impacted when enforcing TLS 1.3 on 22.4R2. Refer the forum link for more details.

Kernel rate limiting cannot be configured from nSA in Release 22.4R2.

The features listed in KB44747 are not supported with 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in 22.x Gateway.