Virtual Appliances Overview
Running Ivanti Connect Secure software in a VMware virtual machine as a virtual appliance provides service providers with robust scalability and isolation. The server software from VMware supports several virtual machines on a high-end multiprocessor platform. Deploying a dedicated virtual appliance for each customer guarantees complete isolation among systems.
Virtual Appliance Editions and Requirements
Virtual appliance available:
•ISA-V Edition
ISA-V is targeted at service providers who are interested in provisioning a remote access solution for a large number of customers.
Hardware and Software Requirements
The following VMware Qualified System tables list the virtual appliance systems qualified with this release.
The following table contains data regarding the VMware Qualified System:
VMware Tools Version | vCenter/ESXi Version | Hardware Requirements |
---|---|---|
2147483647 | ESXi 8.0.2 | ESXi 8.0 requires a host machine with: •At least two CPU cores •Requires the NX/XD bit to be enabled for the CPU in the BIOS. •Requires a minimum of 8 GB of physical RAM. It is recommended to provide at least 12 GB of RAM to run virtual machines in typical production environments. •Support for hardware virtualization (Intel VT-x or AMD RVI) must be enabled on x64 CPUs. Refer here for more details on VMware qualified system. |
10.3.10 | ESXi 7.0.2 | ESXi 7.0 requires a host machine with: •At least two CPU cores •Requires the NX/XD bit to be enabled for the CPU in the BIOS. •Requires a minimum of 4 GB of physical RAM. It is recommended to provide at least 8 GB of RAM to run virtual machines in typical production environments. •Support for hardware virtualization (Intel VT-x or AMD RVI) must be enabled on x64 CPUs. Refer here for more details on VMware qualified system. |
10.3.10 | ESXi 6.7 Update 2c | ESXi 6.7 Update 2c requires a host machine with: •At least two CPU cores •Requires the NX/XD bit to be enabled for the CPU in the BIOS. •Requires a minimum of 4 GB of physical RAM. It is recommended to provide at least 8 GB of RAM to run virtual machines in typical production environments. •Support for hardware virtualization (Intel VT-x or AMD RVI) must be enabled on x64 CPUs. Refer here for more details on VMware qualified system. |
10.2.0 | ESXi 6.7 | |
VMware's HA feature is qualified; VMware’s DRS & Fault Tolerance features are not qualified.
Supported Features on Virtual Appliances
All features of Ivanti Connect Secure are available on virtual appliances with the exception of the following:
•Instant Virtual System (IVS)
An option is available for switching between a virtual terminal and a serial console. Switching between these options requires a restart of the virtual appliance.
Virtual appliances do not allow licenses to be installed directly on them. As such, virtual appliances can be only license clients. All virtual appliance licenses are subscription-based.
We recommend you use the same NTP server for the virtual appliance and the license server to keep the times synchronized. When synchronizing with an NTP server, the Synchronize guest time with host option in the VMware vSphere Client user interface must be enabled. On the virtual appliance, select Edit Settings > Options > VMware Tools to set this option.
Virtual appliances support the following SCSI controller types:
•BusLogic
•LSI Logic Parallel (default)
•LSI Logic SAS
vSphere users can select the SCSI controller type by opening their Virtual Machine Properties window, clicking the Hardware tab and then double-clicking the SCSI Controller entry.
Virtual Appliance Package Information
The ISA-V downloadable zip contains the following files:
•README-scripts.txt— Up-to-date information on the contents of the zip file and how to run the scripts.
•ISA-V-VMWARE-PCS-64003.5-VT-disk1.vmdk—A virtual disk file that contains the Ivanti Connect Secure software. The VT version assumes using a virtual terminal to set up the initial network configuration.
•ISA-V-VMWARE-PCS-64003.5-VT.ovf—An OVF specification that defines the virtual appliance and contains a reference to the disk image.
•create-va.pl—A script for deploying a virtual appliance connected to the VMware vCenter Server.
•va.conf—A sample configuration file for use with the create-va.pl script.
•perlclient/plugin/ive.pm—A side file for configuring virtual appliances through NETCONF.
•perlclient/plugin/ive_methods.pl—A side file for configuring virtual appliances through NETCONF.
•perlclient/examples/get_active_users.pl—A script used to get the current active users on the ISA-V virtual appliance. Cannot be used for configuring the ISA-V virtual appliance.
•perlclient/examples/get_active_users.xsl—A file used for formatting and displaying the output returned by get_active_users.pl.
•perlclient/examples/get_active_users.xml—A file used for formatting and displaying the output returned by get_active_users.pl.
•edit_config_ive.pl—A Perl script for editing the ISA-V virtual appliance configuration.
For Ivanti Connect Secure, the virtual appliance is delivered in OVF and is pre-configured as follows:
•80-GB virtual disk
•4 virtual CPU
•8-GB memory
Recommended vCPU memory configuration
Platform | Cores Per VM | RAM | Disk Space in 22.6R2 and Later | Disk Space prior to 22.6R2 |
---|---|---|---|---|
ISA4000-V | 4 | 8 GB | 80 GB | 40 GB |
ISA6000-V | 8 | 16 GB | 80 GB | 40 GB |
ISA8000-V | 12 | 32 GB | 80 GB | 40 GB |
You can change this configuration by editing the OVF prior to importing it or by editing the virtual machine properties once it is created.
When customizing the configuration, do not reduce the disk size.
The OVF specification defines three logical networks:
•Internal Network
•External Network
•Management Network
When importing the OVF file, these three networks must be mapped to the appropriate virtual networks on the ESXi server.
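The sizing and network rules above can be checked on an edited OVF before it is imported. The following is an added example, not part of the Ivanti package: it parses an OVF descriptor using the standard DMTF elements and reports deviations from the sizing table, the 80 GB disk default, and the three logical networks. The sample descriptor is constructed and trimmed, and the exact network names used in the shipped OVF are an assumption.

```python
import xml.etree.ElementTree as ET

OVF = "http://schemas.dmtf.org/ovf/envelope/1"
RASD = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
NS = {"ovf": OVF, "rasd": RASD}
# From the page: cores and RAM (GB) per platform, default disk, logical networks.
PROFILES = {"ISA4000-V": (4, 8), "ISA6000-V": (8, 16), "ISA8000-V": (12, 32)}
MIN_DISK_GB = 80
NETWORKS = {"Internal Network", "External Network", "Management Network"}

# Constructed, trimmed descriptor (assumption: not the shipped OVF).
SAMPLE_OVF = f"""<Envelope xmlns="{OVF}" xmlns:ovf="{OVF}" xmlns:rasd="{RASD}">
 <DiskSection><Disk ovf:capacity="40" ovf:capacityAllocationUnits="byte * 2^30"/></DiskSection>
 <NetworkSection><Network ovf:name="Internal Network"/>
  <Network ovf:name="External Network"/></NetworkSection>
 <VirtualSystem ovf:id="isa-v"><VirtualHardwareSection>
  <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>4</rasd:VirtualQuantity></Item>
  <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
   <rasd:VirtualQuantity>8192</rasd:VirtualQuantity></Item>
 </VirtualHardwareSection></VirtualSystem></Envelope>"""

def to_gb(quantity, units):
    """Convert an OVF quantity in 'byte * 2^N' units (or plain bytes) to GB."""
    exp = int(units.rsplit("^", 1)[1]) if "^" in units else 0
    return int(quantity) * 2 ** exp / 2 ** 30

def check_ovf(xml_text, platform):
    """Return a list of findings; an empty list means the descriptor passes."""
    root, attr, findings = ET.fromstring(xml_text), "{%s}" % OVF, []
    cores, ram = PROFILES[platform]
    cpu = mem = None
    for item in root.iterfind(".//ovf:VirtualHardwareSection/ovf:Item", NS):
        rtype = item.findtext("rasd:ResourceType", namespaces=NS)
        qty = item.findtext("rasd:VirtualQuantity", namespaces=NS)
        if rtype == "3":    # CIM resource type 3: processor
            cpu = int(qty)
        elif rtype == "4":  # CIM resource type 4: memory
            mem = to_gb(qty, item.findtext("rasd:AllocationUnits", "", NS))
    if cpu != cores:
        findings.append(f"vCPU: {cpu}, expected {cores} for {platform}")
    if mem != ram:
        findings.append(f"RAM: {mem} GB, expected {ram} GB for {platform}")
    for disk in root.iterfind(".//ovf:DiskSection/ovf:Disk", NS):
        gb = to_gb(disk.get(attr + "capacity"), disk.get(attr + "capacityAllocationUnits", ""))
        if gb < MIN_DISK_GB:
            findings.append(f"disk: {gb:g} GB < {MIN_DISK_GB} GB")
    defined = {n.get(attr + "name") for n in root.iterfind(".//ovf:Network", NS)}
    findings += [f"network not defined: {n}" for n in sorted(NETWORKS - defined)]
    return findings
```

Calling `check_ovf(SAMPLE_OVF, "ISA4000-V")` on the constructed descriptor reports the undersized disk and the missing Management Network.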
When the virtual appliance is powered on for the first time, it expands the software package and performs the installation. After creating a fully installed and configured ISA-V virtual appliance, clone it to a template and export that template. From the template, you can then instantiate additional ISA-V virtual appliances.
Source Network names are not retained in the exported OVF template.
Once configured, you can use any of the following methods to manage the Ivanti Connect Secure portion of the virtual appliance:
•Ivanti Secure’s Device Management Interface (DMI)
The inbound DMI listens to port 830 on both the internal and management interfaces.
•Ivanti Connect Secure admin console
•Ivanti Connect Secure serial and virtual terminal console menus
The DMI is an XML-RPC-based protocol used to manage Ivanti Secure appliances. This protocol allows administrators and third-party applications to configure and manage Ivanti Secure appliances, bypassing their native interfaces. Virtual appliances are compliant with DMI. By default, the inbound DMI is enabled in virtual appliances.
ISA-V Virtual Appliance Utility Scripts
Several utility scripts are included with the ISA-V virtual appliance package. These scripts assist with:
•Deployment
•Initial setup of the ISA-V virtual appliance
•Configuring the ISA-V virtual appliance
You can configure your network with your own set of tools. However, be aware that tools such as vApp list options in a different order than what you would see during a typical Ivanti Connect Secure initial configuration session. As such, even though the scripts included in the ISA-V package are optional, we recommend you use them.
The scripts are divided into the following sets:
•Deploy the virtual appliance in the VMware vSphere environment using a serial port.
If you are using VMware ESXi to run the virtual appliance, you can use these scripts for deployment. These scripts use the service console of ESXi and can be used only with the serial edition of virtual appliances.
•Use NETCONF Perl client to configure the virtual appliance.
Plug-in and sample scripts for NETCONF Perl client can be used to configure the virtual appliance after it is deployed and powered on. The scripts use DMI for connecting to Ivanti Connect Secure on port 830.
Clustering Support for Virtual Appliances
The clustering feature has been enabled on ISA-V in both the active-passive and active-active modes. Admins can now configure clustering settings similar to what is available on the hardware. ISA-V supports only two-node clusters for both AP and A/A modes. The cluster works with both CONSEC and named user licenses. ISA-Vs will continue to dynamically lease licenses from a license server. The supported scale numbers on AP and A/A clusters will be available during GA time.
The supported platforms are:
•VMWare ESXi
•Hyper-V
•Azure
•AWS
Cluster
On hypervisors, the VA ICS cluster is supported. The table below provides the combination of cluster and license support:
Ivanti recommends using standalone nodes or clusters of a maximum of two nodes behind a load balancer.
Ivanti Security Appliance (ISA)/ISA-V does not support clusters containing more than two nodes for ICS.
Sl. No | Hypervisors | Cluster AA | Cluster AP |
---|---|---|---|
1 | VMware – ESXi | Yes | Yes |
2 | Hyper-V | Yes | Yes |
3 | Azure | Yes | NA* |
4 | AWS | Yes | NA* |
* This is due to limitations in Azure and AWS.
A cluster needs to be formed from nodes with a similar number of cores. Clusters formed from nodes with dissimilar numbers of cores/CPUs are not supported.
Increasing the Disk Size in VMware
From the 22.6R2 release, a fresh installation provides 80 GB of disk space by default. You can modify or increase the disk size only once, on a fresh installation or an upgrade of the ICS images, but not on rollback or factory reset images.
If you are upgrading to 22.6R2 or later, the disk size change from 40 GB to 80 GB has to be done on the VM prior to the upgrade.
Disk Size Allocation is supported from 22.6R2 and later releases.
To increase the disk space:
1.Select the virtual machine and select VM > Settings.
2.On the Hardware tab, select the virtual hard disk to expand.
3.Select Utilities > Expand.
4.Set the new maximum size for the virtual disk and click OK.