Prerequisites for Migration
•Appliance: The ISA hardware or virtual appliance should be available and online before starting the migration.
•Deployment: This is a server-to-server migration; it cannot be performed in place on the same hardware, because the 22.x ISA software does not run on PSA hardware.
•Licenses: ISA appliances require new licenses. Procure them before starting and keep them handy. ISA hardware does not require any additional core/CPU licenses.
•Settings: Identify the network settings for each of the configured ports for the target ISA gateway.
•Upgrade: Upgrade your existing 9.x PSA appliance to 9.1R14.6 or later (see Configuration Migration Path for the qualified versions), export the configuration, and then import it into the ISA appliance.
•Configuration backup: Back up the system.cfg and user.cfg binary files, together with an XML export of the entire configuration, immediately before the migration. For more information, see Exporting Configurations.
•Configuration documentation: Document the local settings, which are mostly kept in system.cfg, as some of them must be re-entered manually on the ISA device.
Note down the following settings before migration:
•IP Pool filters
•Cluster configuration
•Virtual port configuration and certificates mapping
•SNMP configuration
•Log settings and Syslog configuration (either can be set in cluster mode or on individual nodes; record where each was set)
•Features deprecated in PSA 9.x are not supported in ISA 22.x. Refer to Deprecated Features for the list.
Connect Secure only: In an Active/Active cluster, pay particular attention to Network > VPN Tunneling > IP address filter and to the IP pool settings of the VPN Tunneling profiles. This guide assumes that the existing and the target deployment are both active at the same time. If their IP pools overlap, testing the target deployment during production hours can affect production users: the same address may be leased to two independent users, one on each deployment, which causes addressing clashes.
Some settings, such as SNMP, log settings and the Syslog configuration, can be set either at cluster level or on individual nodes; note at which level each one was set so that it can be re-entered at the same level on the ISA appliance.
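As an added illustration of the overlap check described above (this is example code, not code from the Ivanti documentation or product), the following Python script compares the VPN Tunneling IP pools of the existing deployment with those of the target deployment and reports every shared address range, and it also checks one deployment's per-node pools against each other, since the nodes of an Active/Active cluster must lease from disjoint pools. It assumes a pool entry is written either as a CIDR block or as a range of two full addresses; the pool lists at the bottom are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# (ip version, first address, last address), addresses as integers
Pool = Tuple[int, int, int]


def parse_pool(spec: str) -> Pool:
    """Parse one IP pool entry.

    Assumed entry forms (an assumption of this example, not a statement
    about the product's own syntax): a CIDR block such as '10.20.0.0/24',
    a range of two full addresses such as '10.10.0.1-10.10.0.254', or a
    single address. IPv6 is accepted in the same forms.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if first.version != last.version or int(last) < int(first):
            raise ValueError(f"invalid range: {spec!r}")
        return first.version, int(first), int(last)
    addr = ipaddress.ip_address(spec)
    return addr.version, int(addr), int(addr)


def _fmt(version: int, n: int) -> str:
    # Build the address from its version explicitly: ip_address(int) would
    # turn a small IPv6 integer such as ::1 into an IPv4 address.
    return str(ipaddress.IPv4Address(n) if version == 4 else ipaddress.IPv6Address(n))


def _shared(a: Pool, b: Pool):
    """Return (first, last) of the addresses common to a and b, or None."""
    if a[0] != b[0]:
        return None  # different address families never overlap
    lo, hi = max(a[1], b[1]), min(a[2], b[2])
    return (lo, hi) if lo <= hi else None


def find_overlaps(existing: List[str], target: List[str]):
    """One record per overlapping pair:
    (existing entry, target entry, first shared, last shared, address count)."""
    clashes = []
    for e in existing:
        ep = parse_pool(e)
        for t in target:
            tp = parse_pool(t)
            shared = _shared(ep, tp)
            if shared:
                lo, hi = shared
                clashes.append((e, t, _fmt(ep[0], lo), _fmt(ep[0], hi), hi - lo + 1))
    return clashes


def internal_overlaps(pools: List[str]):
    """Overlaps inside one list, e.g. the per-node pools of an Active/Active
    cluster, which must be disjoint so two nodes never lease the same address."""
    parsed = [(p, parse_pool(p)) for p in pools]
    clashes = []
    for i, (a, ap) in enumerate(parsed):
        for b, bp in parsed[i + 1:]:
            shared = _shared(ap, bp)
            if shared:
                lo, hi = shared
                clashes.append((a, b, _fmt(ap[0], lo), _fmt(ap[0], hi), hi - lo + 1))
    return clashes


# Constructed sample pools for the example, not taken from any real deployment.
EXISTING_POOLS = ["10.10.0.1-10.10.0.254", "10.20.0.0/24"]
TARGET_POOLS = ["10.10.0.200-10.10.0.250", "10.30.0.0/24"]

if __name__ == "__main__":
    for e, t, lo, hi, n in find_overlaps(EXISTING_POOLS, TARGET_POOLS):
        print(f"CLASH: existing {e} and target {t} share {lo}-{hi} ({n} addresses)")
    for a, b, lo, hi, n in internal_overlaps(EXISTING_POOLS):
        print(f"CLASH within one deployment: {a} and {b} share {lo}-{hi} ({n} addresses)")
```

Run it with the pool entries copied from both admin consoles; any CLASH line means the target deployment must be given a different pool before it is tested alongside production.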
Configuration Migration Path
The following table describes the tested migration paths (Q = qualified).

Migrate to | Migrate From (Supported Versions) | Qualified
---|---|---
Connect Secure | |
22.7R2.3 | Connect Secure 9.1R18.9, 9.1R18.8, and 9.1R14.6 | Q
22.7R2.2 | Connect Secure 9.1R18.8, 9.1R18.7, and 9.1R14.6 | Q
22.7R2.1 | Connect Secure 9.1R18.8, 9.1R18.7, and 9.1R14.6 | Q
22.7R2 | Connect Secure 9.1R18.6, 9.1R18.4, 9.1R14.6 and nSA supported 9.1R17.4 | Q
22.6R2 | Connect Secure 9.1R18.2, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q
22.5R2.1 | Connect Secure 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q
22.5R1 | Connect Secure 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q
22.4R2.1 | Connect Secure 9.1R17 and nSA supported 9.1R18 | Q
22.4R2 | Connect Secure 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q
22.4R1 | Connect Secure 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q
Policy Secure | |
22.7R1.2 | Policy Secure 9.1R18.5, 9.1R18.2, 9.1R18.1 | Q
22.7R1/22.7R1.1 | Policy Secure 9.1R18.5, 9.1R18.2, 9.1R18.1 | Q
22.6R1 | Policy Secure 9.1R18.4, 9.1R18.2, 9.1R18.1, 9.1R18, 9.1R17 | Q
22.5R1 | Policy Secure 9.1R18, 9.1R17, 9.1R16.2 | Q
22.3R1 | Policy Secure 9.1R15 and 9.1R14.3 | Q

The versions in the table above are the configuration migration paths that have been tested and qualified by the Ivanti Quality Assurance Engineering team; they indicate which versions are suitable to migrate from and to. Customers are nevertheless strongly advised to consult the 9.x Release Notes and the 22.x Release Notes, as significant vulnerabilities have been addressed in the most recent releases. The table is not an endorsement of running vulnerable versions in a production environment.
If your exact versions are not listed, upgrade the servers to the nearest matching versions in the table before proceeding with the migration.
Deprecated Features: ISA Appliances
To improve stability and the overall security posture of the new Ivanti Security Appliances, Ivanti has deprecated a set of older features: older versions of applications, some authentication servers and a few other features, listed below. This streamlines support towards newer versions of applications, for better security and performance.
Refer to Prerequisites for Migration and Configuration Migration Path before starting the migration.
The configuration elements related to unsupported features are removed from the imported configuration as part of the migration, and policies that refer to unsupported features are deleted after the migration.
For example, if a Host Checker policy contains a Statement of Health rule or a Host Checker for Solaris rule, those rules are removed during import and the rest of the policy remains intact.
Deprecated Features in Connect Secure
The following features are not supported in the ISA Appliance:
•Citrix web interface/JICA
•Citrix StoreFront
•Microsoft OWA 2000, 2003, 2007
•IBM Lotus iNotes 5, 6, 6.5
•Sensors
•Cloud App Visibility (CAV)
•Telnet and SSH Resource profile
•SDP
•Connect Secure Wizards (User Access Policy)
•Support for SRX Pulse client
•Host Checker (HC) for Solaris
•HC - Custom Rule on Windows - Statement of Health
•HC - Cache Cleaner
•Pulse Collaboration
•Pulse One Integration
•Hob Java RDP
•Unix file sharing
•Basic HTML5
The deprecated features and their dependent configurations are deleted after the migration; the admin can see what was removed in the event logs of the ISA Appliance.
The following auth servers supported on the PSA Appliance are unsupported on the ISA Appliance after migration:
•SiteMinder
•NIS
•Anonymous
•LDAP - Novell eDirectory
•LDAP - iPlanet
•MDM Server with type as PWS
The migration fails if Legacy AD is configured on the PSA Appliance; modify the configuration to use regular AD before migrating to the ISA Appliance.
IMPORTANT: Realms and sign-in policies configured with these auth servers will not work on ISA Appliances.
Deprecated Features in Policy Secure
The following features are not supported in the ISA Appliance:
•Sensors feature in IPS
•Cache Cleaner
•Basic authentication Policy Wizard
•Host Checker (HC) for Solaris
•HC - Custom Rule on Windows - Statement of Health
The deprecated features and their dependent configurations are deleted after the migration; the admin can see what was removed in the event logs of the ISA Appliance.
The following auth servers supported on the PSA Appliance are unsupported on the ISA Appliance after migration:
•SiteMinder
•NIS
•Anonymous
•LDAP - Novell eDirectory
•LDAP - iPlanet
•MDM Server with type as PWS
IMPORTANT: Realms and sign-in policies configured with these auth servers will not work on the ISA Appliance.
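Because realms and sign-in policies tied to the auth servers listed above stop working after the import, it is worth knowing which objects are affected before migrating rather than discovering them in the ISA event logs. The following Python script is an added example (not code from the Ivanti documentation or product): it scans an XML configuration export for auth server definitions of the listed types, then reports every object that references those servers (the realms) and every object that references those objects in turn (the sign-in policies). The element names, the type strings and the embedded sample export are all assumptions constructed for the example; the real export schema is not reproduced here, so the tag names passed to audit() must be adjusted to match an actual export.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Auth server types the page lists as unsupported on ISA appliances. The type
# strings a real Ivanti export uses are not known here; these labels are an
# assumption of the example and must be adjusted to the actual export.
UNSUPPORTED_AUTH_TYPES = {
    "SiteMinder",
    "NIS",
    "Anonymous",
    "LDAP - Novell eDirectory",
    "LDAP - iPlanet",
    "MDM Server (PWS)",
}

# (name of the owning object, tag of the referencing element, referenced name)
Hit = Tuple[str, str, str]


def unsupported_servers(root: ET.Element, server_tag: str, name_tag: str, type_tag: str) -> Dict[str, str]:
    """Map name -> type for every auth server definition of an unsupported type."""
    found = {}
    for el in root.iter(server_tag):
        name = el.findtext(name_tag, "").strip()
        typ = el.findtext(type_tag, "").strip()
        if name and typ in UNSUPPORTED_AUTH_TYPES:
            found[name] = typ
    return found


def _references(root: ET.Element, parent: Dict, names: Set[str], name_tag: str) -> List[Hit]:
    """Every element whose text is one of `names`, except the <name> element of
    a definition itself. The owner is the nearest ancestor that has a <name>
    child, e.g. the realm or sign-in policy that contains the reference."""
    hits = []
    for el in root.iter():
        text = (el.text or "").strip()
        if text not in names or el.tag == name_tag:
            continue
        owner, node = "", parent.get(el)
        while node is not None and not owner:
            owner = node.findtext(name_tag, "").strip()
            node = parent.get(node)
        hits.append((owner, el.tag, text))
    return hits


def audit(xml_text: str, server_tag: str = "authServer", name_tag: str = "name", type_tag: str = "type"):
    """Return (unsupported servers, objects referencing them, objects referencing
    those objects). Tag names are parameters because the layout of the real
    export is assumed here, not known."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ElementTree has no parent links
    bad = unsupported_servers(root, server_tag, name_tag, type_tag)
    direct = _references(root, parent, set(bad), name_tag)
    affected = {owner for owner, _, _ in direct if owner}
    indirect = _references(root, parent, affected, name_tag)
    return bad, direct, indirect


# Constructed sample export for the example; it does NOT follow the real schema.
SAMPLE_EXPORT = """<configuration>
  <authServers>
    <authServer><name>corp-ad</name><type>Active Directory</type></authServer>
    <authServer><name>corp-siteminder</name><type>SiteMinder</type></authServer>
    <authServer><name>legacy-nis</name><type>NIS</type></authServer>
  </authServers>
  <realms>
    <realm><name>Employees</name><authServerRef>corp-ad</authServerRef></realm>
    <realm><name>Contractors</name><authServerRef>corp-siteminder</authServerRef></realm>
    <realm><name>Unix Admins</name><authServerRef>legacy-nis</authServerRef>
      <directoryServerRef>corp-ad</directoryServerRef></realm>
  </realms>
  <signInPolicies>
    <policy><name>*/contractor/</name><realmRef>Contractors</realmRef></policy>
  </signInPolicies>
</configuration>"""

if __name__ == "__main__":
    bad, direct, indirect = audit(SAMPLE_EXPORT)
    for name, typ in bad.items():
        print(f"unsupported auth server: {name} ({typ})")
    for owner, tag, ref in direct:
        print(f"will break: {owner!r} references {ref} via <{tag}>")
    for owner, tag, ref in indirect:
        print(f"will break: {owner!r} references affected object {ref!r} via <{tag}>")
```

Each object reported must be re-pointed at a supported auth server (or removed) on the 9.x side before the export is taken, so that the imported configuration contains no dangling realm or sign-in policy.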
Post Migration Activities
After performing the migration steps, check and validate the following settings manually:
1. System > Network > Overview settings (set in cluster or on individual nodes).
2. System > Network > Routes (for internal, external and other ports).
3. System > Network > Hosts (set in cluster or on individual nodes).
4. System > Network > Internal Port / External Port > Virtual Ports (if clustered, set this up under "Entire Cluster").
5. System > Network > VLANs (if clustered, set this up under "Entire Cluster").
6. Connect Secure (ICS) only: System > Network > VPN Tunneling (set in cluster or on individual nodes).
7. System > Log/Monitoring > SNMP (set in cluster or on individual nodes).
8. System > Configuration > Certificates > Device Certificates (and their port bindings).
9. Connect Secure (ICS) only: Users > Resource Policies > VPN Tunneling > Connection Profiles (if configured).
10. System > Configuration > Licensing: the license client-server settings (if the appliance is a license client in an Enterprise Licensing Server environment) and that the proper licenses are installed.