What's New
Product Version | Build
---|---
ICS 22.7R2.3 | 3431
ISAC 22.7R4 | 30859
Default ESAP | 4.3.8
New Features
•TOTP Server: Strengthens the TOTP server by adding password authentication checks for importing and exporting a configuration file, with corresponding changes to the REST APIs; see Exporting/Importing TOTP Users and APIs.
•Hard Disk Monitoring: Implements new REST APIs to retrieve disk usage information and perform disk cleaning; see Disk Usage Monitoring and Disk Cleanup.
•XML Import/Export: Strengthens the XML configuration file import/export process with password authentication checks and updates the REST APIs accordingly; see Exporting an XML Configuration File and Importing an XML Configuration File.
•SNMP Polling: Improved SNMP functionality to monitor the status of the power supply and fan in ISA 8000 and ISA 6000 devices; see Displaying Hardware Status.
•SNMP: Improvements have been made to SNMP to retrieve results showing the current VPN ACL count; see Configuring SNMP.
•End User Portal: Enhancements to the appearance and interface of the end-user portal include:
  •Collapsible welcome note on the end-user UI.
  •List view for bookmarks; see Customizing the Welcome Page.
  •Option to enable/disable a background image on the Sign-In Page; see Configuring Sign-In Pages.
Product Version | Build
---|---
ICS 22.7R2.2 | 3221
ISAC 22.7R3 | 30227
Default ESAP | 4.3.8
New Features
This release includes only bug fixes and there are no new features.
Product Version | Build
---|---
ICS 22.7R2.1 | 3191
ISAC 22.7R3 | 30227
Default ESAP | 4.3.8
New Features
•Play Integrity API Checks: Helps verify that interactions and server requests are coming from the genuine app binary running on a genuine Android device; see Using the Mobile Options.
•Health Check: Ensures that the NTP and AD servers configured in ICS are reachable, and reduces the involvement of support and engineering in addressing customer environment issues; see Health Check.
•Log Size: The maximum log size is increased to 200MB for VMs and 1GB for ISA hardware devices; see Configuring Events to Log.
•Read-Only Admin: In Traffic Segregation, Administrative Network support is removed for the Read-Only Admin; see Traffic Segregation Feature Overview.
•REST API Auth: Support for the /api/v1/auth API, which does not help in enforcing RBAC on REST endpoints, is removed. Use the /api/v1/realm_auth API for authentication instead; see Realm-based Authentication.
•FQDN Support: A Lockdown Mode Exception Rule is added with Remote FQDN Resources to support FQDN; see Custom-based Resource Access.
•End User Portal: The bookmark panel on the end-user portal is enhanced with an expand/collapse accordion.
•Rewriter: The Rewriter parser is enhanced to support the Super keyword and triple-dot syntax.
Product Version | Build
---|---
ICS 22.7R2 | 2615
ISAC 22.7R2 | 29103
Default ESAP | 4.3.8
New Features
•Remote Debugging: The support center can now access the system over a secure connection using the Remote Debugging server via the internal, external, or management port; see Using Remote Debugging.
•Licensing Server: From release 22.7R2 onwards, the ICS gateway can connect to the license server using an IPv6 address; see License Server.
•Delegated Admin: From this release onwards, a delegated admin user can log in via the REST API.
•Content Security Policy: CSP is implemented to harden security by detecting and mitigating certain types of attacks; see Security Hardening.
•Configuring Administrator Roles: You can customize the number of records displayed per page in a table; see Creating and Configuring Administrator Roles.
•Integrity Check: A Booting Options on Integrity Check Failure setting is newly introduced to handle integrity check failures during boot-up (disabled by default). Options are added to reboot, roll back, or continue booting if the integrity check fails; see Configuring Miscellaneous Security Options.
•Additional Client Package(s): Now only the active client package is exported/carried forward; see Software Upgrade Page.
•MDM Auth Server: A new interface-selection option is added for MDM connections to choose the outgoing interface; see Configuring an MDM Server.
•SAML/Web Server: A new setting is added to monitor the SAML/Web server; see Configuring System Maintenance Options.
•TLSv1.3: Support for browser-based TLSv1.3 certificate authentication using Port Redirection; see Enabling Inbound SSL Options.
•Mobile Options: A new IF-T/TLS NCP option is added for Mobile; see Using the Mobile Options.
•Host Checker Policy: Enhancement of the predefined OS Host Check rule for Windows with service packs/version numbers.
•IPv6 support: New IPv6 provisioning parameters are added that are required during the deployment of a virtual appliance; see the KVM, Hyper-V, VM, and Nutanix deployment guides.
•OpenSSL 3.0: The OpenSSL stack is upgraded to OpenSSL 3.0, which includes a cryptographic module that can be FIPS validated; see Enabling Inbound SSL Options.
This release is FIPS compliant and includes the following features:
•Dynamic Disk Size Allocation: A fresh ICS deployment includes an 80GB disk (default). On upgrade from a prior version, the admin can increase the disk from 40GB to 80GB; see the Azure, AWS, GCP, KVM, Hyper-V, and VM deployment guides.
•VLAN: Enhanced to support Hyper-V; see Configuring VLAN Ports.
•Inbound Option: CNSA1.0 is added as a new option in the Inbound selection list to provide stronger ciphers; see CNSA1.0.
•DHCPv6 Server: Supports the DHCPv6 Subnet option and is enhanced to support IPv6 addresses; see IPv6 address assignment in table.
•Support for SAML as a secondary auth server.
•LDAP Recovery and Health Monitoring: Periodic health check for the server, with details in the event logs; see Health Checker.
•Proxy Server: The PCLS host name supports IPv6 addresses; see Proxy Server Configuration.
•Support added for assigning an IPv6 address to IKEv2-based VPN connections; access is enabled to IPv6-based protected resources.
•DHCPv6 Server: Enhanced to support IPv6 addresses. For more details, see IPv6 address assignment in table.
•Port Probe support for IPv6: You can verify whether TCP and UDP ports on an IPv6 destination server are open, using an IPv6 internal or management source IP. For more details, see Troubleshooting Tools.
•Advanced HTML5 improvements: Automatic launch of admin-created bookmarks on user login is newly added. For more information, see Advanced HTML5.
•Filter Duplicate Split Tunnel Routes: The admin gets an information message when a duplicate configuration entry is detected, and the duplicate is automatically removed on save. For more details, see Split tunnel.
•REST API enhancements: A new set of REST APIs is added for upload, delete, and staging upgrade, and also to fetch and save logs. For more details, see Staging Upgrade, Fetching Logs.
•OAuth: Enhancements to support encrypted ID tokens and self-signed provider certificates. For more details, see OAuth.
•SELinux (Security-Enhanced Linux) support: This feature restricts access to the ICS Linux system so that ICS Linux applications can only access the minimum set of resources they require. SELinux is set to Enforcing mode by default. See Security Enhanced (SELinux) Support.
•TLS 1.3 Support: TLS 1.3 option is newly introduced in this release. See TLS 1.3 Support.
ICS now supports TLS version 1.3 with the following additional cipher suites:
  •TLS_AES_128_GCM_SHA256
  •TLS_AES_256_GCM_SHA384
  •TLS_CHACHA20_POLY1305_SHA256
Limitation:
  •The end-user certificate authentication feature (Smart Card) is not available when Accept only TLS 1.3 is enabled as the protocol version in System > Configuration > Inbound Settings.
  •If you choose Accept only TLS 1.2 and later with custom ciphers, you need to ensure that one or more TLS 1.2 ciphers are included.
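The second limitation is easy to trip over when a custom cipher list is built from TLS 1.3 suite names only. The following is an added example, not code from Ivanti or the ICS product, that checks a planned custom cipher list against both limitations before it is applied. It assumes OpenSSL-style naming, where TLS 1.3 suites carry the IANA `TLS_...` names listed above and TLS 1.2 ciphers use hyphenated names such as `ECDHE-RSA-AES256-GCM-SHA384`; the protocol mode strings and the function names are this example's own.

```python
# Added example (not Ivanti's code): pre-flight check for an ICS-style
# inbound cipher configuration against the TLS 1.3 limitations above.

# The three TLS 1.3 suites the release notes list.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Assumed labels for the two inbound protocol-version choices.
MODE_TLS13_ONLY = "accept_only_tls13"
MODE_TLS12_AND_LATER = "accept_only_tls12_and_later"


def split_cipher_list(spec):
    """Split an OpenSSL-style ':'-separated cipher string into names."""
    return [c.strip() for c in spec.split(":") if c.strip()]


def classify(cipher):
    """Return 'TLSv1.3' for a TLS 1.3 suite, otherwise 'TLSv1.2'.

    OpenSSL names TLS 1.3 suites with the IANA TLS_ prefix; every other
    entry in a cipher string is a TLS 1.2 (or older) cipher.
    """
    return "TLSv1.3" if cipher in TLS13_SUITES or cipher.startswith("TLS_") else "TLSv1.2"


def validate_inbound_ciphers(protocol_mode, custom_ciphers, smart_card_auth=False):
    """Check a custom cipher list against the release-note limitations.

    Returns (ok, warnings): ok is False when the configuration would be
    rejected or non-functional; warnings lists every finding.
    """
    ciphers = split_cipher_list(custom_ciphers)
    tls12 = [c for c in ciphers if classify(c) == "TLSv1.2"]
    warnings = []
    ok = True

    if protocol_mode == MODE_TLS12_AND_LATER and not tls12:
        # Limitation 2: at least one TLS 1.2 cipher must be present.
        ok = False
        warnings.append("Accept only TLS 1.2 and later requires at least one "
                        "TLS 1.2 cipher; only TLS 1.3 suites were supplied.")

    if protocol_mode == MODE_TLS13_ONLY:
        # Limitation 1: smart card (client certificate) auth is unavailable.
        if smart_card_auth:
            ok = False
            warnings.append("End-user certificate (Smart Card) authentication is "
                            "not available with Accept only TLS 1.3.")
        if tls12:
            # Not an error, but these entries can never be negotiated.
            warnings.append(f"{len(tls12)} TLS 1.2 cipher(s) listed but unused "
                            "under Accept only TLS 1.3.")

    return ok, warnings


def main():
    # Constructed sample configurations.
    bad = validate_inbound_ciphers(
        MODE_TLS12_AND_LATER,
        "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
    good = validate_inbound_ciphers(
        MODE_TLS12_AND_LATER,
        "TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384")
    for label, result in (("tls13-only list", bad), ("mixed list", good)):
        print(label, "OK" if result[0] else "REJECT", result[1])


if __name__ == "__main__":
    main()
```

The check is deliberately conservative: a list made only of TLS 1.3 suites is reported as a hard failure in the "TLS 1.2 and later" mode, while TLS 1.2 entries under the "TLS 1.3 only" mode are reported as dead configuration rather than an error.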
•Use Low-Privilege Account instead of Root (NRP): Web server related processes are executed as a non-root user. This prevents malicious code from gaining elevated permissions on the ICS host. This feature is enabled by default.
•Running Third-Party Tools in Jail: ICS applications run third-party tools in a controlled environment where the contained process is not allowed to use resources outside of the container, such as files, memory space, devices, etc. This feature is enabled by default.
•Kernel rate limiting is implemented on the external interface to prevent unauthenticated DoS and DDoS attacks. See Miscellaneous Security Options.
22.4R1 features are supported in 22.4R2.
•IPv6 support for File Resource Profile: This feature supports the IPv6 format for the server IP address and server name. See Creating a File Resource Profile.
•IPv6 support for Log Archiving.
•IPv6 support for Host Checker, Download ESAP, and signature files.
•Pulse One Support: Beginning with Release 22.3R1, Pulse One support is added. By default, nSA (which is feature rich compared with Pulse One) is supported as a controller for the ISA appliances. If you are not able to use nSA due to certification/federal compliance, you can reach out to Ivanti enterprise support for Pulse One enablement on ICS 22.3R1 or above.
•IPv6 static routing: This feature provides static routing for IPv6 addresses. Static routes are useful for smaller networks with only one path to an outside network, and for providing security in a larger network for certain types of traffic or links to other networks that need more control. Static routes are manually configured and define an explicit path between two networking devices.
•IPv6 in LDAP server: This feature allows an IPv6 address to be configured for the LDAP server.
•Support for ICS Deployment on Nutanix: New qualification for Nutanix deployment.
•ICS is qualified on Microsoft Azure F series: The following Microsoft F series variants are now qualified:
  •F4s_v2
  •F8s_v2
  •F16s_v2
•AES 256 e-type encryption support: This feature allows administrators to enable the AES 256 encryption type. It is applicable only to Active Directory authentication servers using the Kerberos authentication protocol.
•Allow Host Checker policy on certificate expiry: This feature allows administrators to pass Host Checker policies on endpoints after the user certificate has expired. The administrator can assign such endpoints remediation roles so that users can renew their certificate.
•FQDN IP entries in ACL: This feature retains FQDN IP entries in an ACL for the lifetime of the FQDN IP.
•Log Enhancements: This feature allows the admin to enter a custom message to display on the client, highlighting Host Checker compliance errors.
•This release qualifies certification of FIPS, JITC (DoDIN APL), and NDcPP.
•JITC Certification
  •Log support for detection and prevention of SMURF/SYN Flood/SSL Replay attacks.
  •Disable ICMPv6 echo response for multicast echo requests.
  •Disable ICMPv6 destination unreachable response.
  •DSCP support.
  •Password strengthening.
  •Notification for unsuccessful admin login attempts.
  •Re-authentication of admin users.
  •Notification on admin status change.
•NDcPP Certification
  •When the NDcPP option is enabled, only NDcPP-allowed crypto algorithms are permitted.
  •Device/Client Auth certificate 3072-bit key length support.
  •Import of a Device/Client Auth certificate is not allowed if the respective CAs are not in the trusted stores.
  •Import of a Device certificate without the Server Authentication EKU (Extended Key Usage) is not allowed.
  •Device/Client Auth/CA certificate revocation check during certificate import.
  •Syslog certificate revocation check during TLS connection establishment.
  •A 1024-bit public key length server certificate from Syslog is not allowed during TLS connection.
•Supports feature parity with 9.1R15. For more information, see Release Notes.
•Platform (Core) License SKUs for ISA platforms are introduced.
•Hyper-V and KVM support for the following ISA-V devices:
  •ISA4000-V
  •ISA6000-V
  •ISA8000-V
•The license server can lease core licenses to ISA-V license clients.
•Connect Secure runs on the next-generation Ivanti Secure Appliance (ISA) series appliances, which have better performance and throughput due to hardware, software, and kernel optimization.
•It is available as fixed-configuration rack-mounted hardware:
  •ISA6000
  •ISA8000
•It can also be deployed to the data center or cloud as virtual appliances:
  •ISA4000-V
  •ISA6000-V
  •ISA8000-V
•Supports feature parity with 9.1R14. For more information, see Release Notes.
•This release addresses OpenSSL vulnerability CVE-2022-0778. It is recommended to upgrade all the Gateways to the latest version of Connect Secure.