Introduction
Ivanti Connect Secure (ICS) is a next-generation secure access product that offers fast and secure connections between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as a new end-user experience, increased overall throughput and simplified appliance management.
Noteworthy Information
•Feature parity with ICS release 22.7R2.10 and 22.7R2.9.
•After a node joins the cluster, it may take up to 60 seconds for the correct VIP owner to be reflected. This delay ensures accuracy in cluster state reporting.
•The External ICT package introduced with the ICS 22.8R2.1 release is not compatible with previous versions of ICS, due to changes made for SELinux inclusion. New releases after 22.8R2.1 will remain compatible with 22.8R2.1, but cannot be used with older ICS versions. For more information, see the KB.
•The option to disable the Web Application Firewall (WAF) and the Next Generation Web Server (Nginx) has been removed. WAF will now run continuously on ICS, ensuring protection. For more information, see the KB.
•Upgrading from 22.8R2 to 22.8R2.1 on hardware appliances ensures that the factory reset partition is updated along with the active partition. For more information, see KB.
•This release introduces a secure-by-default configuration change that enables host header validation on fresh deployments and upgrades. To ensure that hostname-based requests succeed, administrators must provision certificates with appropriate Subject Alternative Name (SAN) entries matching all intended host header values.
•This release includes important security enhancements as part of our ongoing commitment to secure-by-design. Ivanti encourages customers to upgrade to this latest version.
•Added validation checks to verify the file-type in /api/v1/system/maintenance/upgrade, when passing the file to the API. Modify your scripts to include the file-type as ‘application/octet-stream’.
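Code snippet for Python, as generated by the Postman app:

import requests

url = "https://<ICS-IP>/api/v1/system/maintenance/upgrade"
headers = {
    "Authorization": "••••••",  # replace with your Authorization header value
}

# Upload the package as multipart/form-data and state the file-type
# explicitly as application/octet-stream, which the API now validates.
with open("C:/Users/qa1/Downloads/<package.pkg>", "rb") as package:
    files = [
        ("file", ("package.pkg", package, "application/octet-stream")),
    ]
    response = requests.request("POST", url, headers=headers, data={}, files=files)

print(response.text)
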
•Security hardening features are not supported on IPS.
•The checkbox under the option Booting Options on Integrity Check Failure at System > Configuration > Security > Miscellaneous becomes irrelevant. Boot-time integrity checks performed by SecureBoot will stop the system from booting if a failure is detected.
•Enable Prevent System Overload to proactively protect your Connect Secure infrastructure from heavy load or resource spikes. This is a best practice for mission-critical or high-utilization VPN environments.
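
The host header validation note above requires SAN entries that match every intended host header value. The following is an added example (not Ivanti code) that checks a certificate's SAN list against the names clients will use, for running before the upgrade; the hostnames and SAN data are constructed, and the wildcard rule (one left-most label, standard TLS practice) is an assumption, since the page does not state how ICS matches names.

```python
import ipaddress
import socket
import ssl


def fetch_san_entries(host, port=443, timeout=5.0):
    """Return the (type, value) SAN tuples of the certificate served at host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are checked below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


def _dns_match(pattern, host):
    """Exact match, or a '*' that stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # refuse overly broad patterns such as *.com
        return p[1:] == h[1:]
    return p == h


def _covered(host, dns, ips):
    """IP literals must match an IP SAN; names must match a DNS SAN."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return any(_dns_match(p, host) for p in dns)


def uncovered_hosts(san_entries, intended_hosts):
    """Return the intended Host header values that no SAN entry covers."""
    dns = [v for t, v in san_entries if t == "DNS"]
    ips = {ipaddress.ip_address(v.strip()) for t, v in san_entries if t == "IP Address"}
    return [h for h in intended_hosts if not _covered(h, dns, ips)]


# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_SAN = [("DNS", "vpn.example.com"), ("DNS", "*.corp.example.com"),
              ("IP Address", "192.0.2.10")]
SAMPLE_HOSTS = ["VPN.example.com", "sso.corp.example.com", "a.b.corp.example.com",
                "corp.example.com", "192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    print(uncovered_hosts(SAMPLE_SAN, SAMPLE_HOSTS))
```

Against a live appliance, pass the result of fetch_san_entries() for the appliance's hostname in place of SAMPLE_SAN; any name the function returns needs a SAN entry added to the certificate.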
Unsupported Features
•Admin Access via External Interface is no longer supported in Ivanti Connect Secure (ICS) from Version 22.7R2.9; refer to the article.
•Ivanti Connect Secure: Features and Options Becoming Unsupported or Deprecated in 22.7Rx, 22.8Rx, and 25.x; refer to the article.
•Deprecation of TDI Fail-Over Option for Pulse SAM Connection; refer to the article.
•ICS running version 22.8R2 cannot be configured as a License Server; see Known Issues. However, a License Server running version 22.7Rx can still provide licenses to an ICS 22.8R2 instance acting as a license client.
Caveats
•Active Directory (AD) 2025 and above will not be supported on 22.8R2 releases due to incompatibility issues with Samba versions. For AD 2025 support, upgrading to release 25.x is required.