Prerequisites for Migration

Software: An ISA hardware or virtual appliance must be installed, reachable and online before the migration starts.

Deployment: This is a server-to-server migration; it cannot be performed in place on the existing hardware, because ISA 22.x software is not compatible with PSA hardware.

Licenses: ISA appliances require new licenses. Procure them before starting and keep them handy.

ISA hardware does not require any additional core/CPU licenses.

Settings: Identify the network settings for each port that will be configured on the target ISA gateway.

Upgrade: It is recommended to upgrade the existing 9.x PSA appliance to 9.1R14.6 or later, export its configuration, and then import that configuration into the ISA appliance.

Configuration backup: Immediately before the migration, back up the system.cfg and user.cfg binary files and take an XML export of the entire configuration. For more information, see Exporting Configurations.

Configuration documentation: Document the local settings, which are mostly kept in system.cfg, as some of them must be re-entered manually on the ISA device.

Note down the following settings before migration:

IP pool filters

Cluster configuration

Virtual port configuration and certificate mapping

SNMP configuration

Log settings, including the Syslog configuration (Syslog can be configured in either cluster mode or on individual nodes)

Features deprecated in PSA 9.x are not supported in ISA 22.x. See Deprecated Features for the list.

Connect Secure only: In an Active/Active cluster, pay attention to the Network > VPN Tunneling > IP address filter and the VPN Tunneling Profile IP pool settings. This matters because this guide assumes that the existing and the target deployments are active at the same time. If the IP pools overlap, testing on the target deployment during production hours can affect production users: the same IP address may be leased to two independent users, causing address clashes.
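As an added example (not part of the original guide and not Ivanti tooling), the following Python script checks the IP pools of the existing PSA deployment against those of the target ISA deployment and reports every address range that both gateways could lease. The profile names and pool values are constructed for illustration; the script accepts full ranges and CIDR blocks, and additionally assumes the short "a.b.c.d-e" last-octet form.

```python
import ipaddress

# Constructed sample: IP pools as read from each deployment's VPN Tunneling
# connection profiles (hypothetical values, not taken from the guide).
EXISTING_PSA_POOLS = {
    "Employees": ["10.20.0.1-10.20.0.254", "10.20.1.0/24"],
    "Contractors": ["10.30.5.10-10.30.5.100"],
}
TARGET_ISA_POOLS = {
    "Employees": ["10.20.1.128-10.20.1.200"],   # overlaps the PSA 10.20.1.0/24 pool
    "Contractors": ["10.31.5.10-10.31.5.100"],  # disjoint from every PSA pool
}


def parse_pool(spec):
    """Return (first, last) IPv4Address for one pool entry.

    Accepts 'a.b.c.d-e.f.g.h', CIDR 'a.b.c.d/n', a single address, and the
    short range 'a.b.c.d-e' (upper bound given by its last octet only).
    Support for the short form is an assumption about the UI syntax.
    """
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in spec:
        lo, hi = (s.strip() for s in spec.split("-", 1))
        if "." not in hi:  # short form: complete the upper bound from the lower one
            hi = lo.rsplit(".", 1)[0] + "." + hi
        first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if last < first:
            raise ValueError(f"range is reversed: {spec}")
        return first, last
    addr = ipaddress.ip_address(spec)
    return addr, addr


def overlap(a, b):
    """Intersection of two (first, last) ranges, or None if they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def find_overlaps(existing, target):
    """List every (existing profile, pool, target profile, pool, first, last)
    tuple where both deployments could lease the same address."""
    hits = []
    for e_name, e_specs in existing.items():
        for t_name, t_specs in target.items():
            for e_spec in e_specs:
                for t_spec in t_specs:
                    ov = overlap(parse_pool(e_spec), parse_pool(t_spec))
                    if ov:
                        hits.append((e_name, e_spec, t_name, t_spec, str(ov[0]), str(ov[1])))
    return hits


if __name__ == "__main__":
    hits = find_overlaps(EXISTING_PSA_POOLS, TARGET_ISA_POOLS)
    for hit in hits:
        print("OVERLAP: existing %s [%s] vs target %s [%s] share %s-%s" % hit)
    if not hits:
        print("No overlapping pools; both deployments can run in parallel.")
```

Run it against the pools copied from both Admin UIs before the first test login on the target; any reported overlap should be resolved by re-addressing the target pools or by excluding that range with the IP address filter.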

Some settings, such as SNMP, log settings and the Syslog configuration, can be set in either cluster mode or on individual nodes.

Configuration Migration Path

The following table describes the tested migration paths (Q = qualified).

Migrate to | Migrate From (Supported Versions)                                                     | Qualified

Connect Secure
22.6R2     | Connect Secure 9.1R18.2, 9.1R18, 9.1R14.3 and nSA supported 9.1R17                    | Q
22.5R2.1   | Connect Secure 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17                    | Q
22.5R1     | Connect Secure 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17                    | Q
22.4R2.1   | Connect Secure 9.1R17 and nSA supported 9.1R18                                        | Q
22.4R2     | Connect Secure 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17  | Q
22.4R1     | Connect Secure 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17  | Q

Policy Secure
22.5R1     | Policy Secure 9.1R18, 9.1R17, 9.1R16.2                                                | Q
22.3R1     | Policy Secure 9.1R15 and 9.1R14.3                                                     | Q

The versions in the table above are the configuration migration paths that have been tested and qualified by the Ivanti Quality Assurance Engineering team; they indicate which versions are suitable to migrate from and to. However, customers are strongly advised to consult the 9.x Release Notes and 22.x Release Notes, as significant vulnerabilities have been addressed in the most recent releases. This table is not an endorsement of running vulnerable versions in production.

If the exact versions are not listed, upgrade the servers to the nearest matching version in the table before proceeding with the migration.

Deprecated Features: ISA Appliances

To improve stability and the overall security posture of the new Ivanti Security Appliances, Ivanti has deprecated an older set of features. The deprecation list includes older versions of applications, authentication servers and a few other features, listed below. This streamlines support toward newer application versions for better security and performance.

Refer to Prerequisites for Migration and Supported Configuration Migration Path before starting the migration.

Configuration elements related to unsupported features are removed from the imported configuration as part of the migration, and policies that refer only to unsupported features are deleted after the migration.

For example, if a Host Checker policy contains a Statement of Health rule or a Host Checker for Solaris rule, those rules are removed during import and the rest of the policy remains intact.

Deprecated Features in Connect Secure

The following features are not supported in ISA Appliance:

Citrix web interface/JICA

Citrix StoreFront

Microsoft OWA 2000, 2003,2007

IBM Lotus iNotes 5, 6, 6.5

Sensors

Cloud App Visibility (CAV)

Telnet and SSH Resource profile

SDP

Connect Secure Wizards (User Access Policy)

Support for SRX Pulse client

Host checker (HC) for Solaris

HC - Custom Rule on Windows - Statement of Health

HC - Cache Cleaner

Pulse Collaboration

Pulse One Integration

Hob Java RDP

Unix file sharing

Basic HTML5

The deprecated features and their dependent configurations are deleted after migration; the admin can review what was removed in the event logs on the ISA appliance.

The following auth servers, supported on the PSA appliance, are not supported on the ISA appliance after migration:

SiteMinder

NIS

Anonymous

LDAP - Novell eDirectory

LDAP – iPlanet

MDM Server with type as PWS

The migration fails if Legacy AD is configured on the PSA appliance; the configuration must be changed to use regular AD before migrating to the ISA appliance.

IMPORTANT: Realms and sign-in policies configured with these auth servers will not work on ISA appliances.

  • The configurations of deprecated auth servers are retained and remain visible in the 22.x ICS Admin UI after import; the admin must delete them manually. Edit and Add operations are not allowed for deprecated authentication servers, and a warning prompts the admin to delete the authentication server.
  • Realms and sign-in policies that use any of the deprecated auth servers must be reconfigured to use a supported auth server before users can sign in through them on the ISA appliance.

Deprecated Features in Policy Secure

The following features are not supported in ISA Appliance:

1. Sensors feature in IPS

2. Cache Cleaner

3. Basic authentication Policy Wizard

4. Host checker (HC) for Solaris

5. HC - Custom Rule on Windows - Statement of Health

The deprecated features and their dependent configurations are deleted after migration; the admin can review what was removed in the event logs on the ISA appliance.

The following auth servers, supported on the PSA appliance, are not supported on the ISA appliance after migration:

SiteMinder

NIS

Anonymous

LDAP - Novell eDirectory

LDAP – iPlanet

MDM Server with type as PWS

IMPORTANT: Realms and sign-in policies configured with these auth servers will not work on the ISA appliance.

  • The configurations of deprecated auth servers are retained and remain visible in the 22.x IPS Admin UI after import; the admin must delete them manually. Edit and Add operations are not allowed for deprecated authentication servers, and a warning prompts the admin to delete the authentication server.
  • Realms and sign-in policies that use any of the deprecated auth servers must be reconfigured to use a supported auth server before users can sign in through them on the ISA appliance.
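The deprecated auth-server list is the same for Connect Secure and Policy Secure, so one pre-flight check serves both sections. The following Python script is an added example, not Ivanti's code: it walks an XML configuration export, flags a Legacy AD server (which makes the import fail), lists servers of the deprecated types (which survive the import but leave their realms and sign-in policies unusable), and finds every element elsewhere in the export that references one of them, so the admin knows what to reconfigure before importing rather than after. The sample export and its element names (auth-server, type, name, realm) are constructed assumptions; the guide does not reproduce the real export schema, so adjust the tag names to match the actual file.

```python
import re
import xml.etree.ElementTree as ET

# Auth-server types listed above as unsupported on ISA. Their definitions
# survive the import, but realms and sign-in policies using them stop working.
DEPRECATED_AUTH_TYPES = ("SiteMinder", "NIS", "Anonymous", "Novell eDirectory", "iPlanet")
# Legacy AD makes the import fail outright, so it must be converted before export.
BLOCKING_AUTH_TYPES = ("Legacy AD",)

# Constructed sample export. The element names are an assumption for
# illustration only; the real export schema is not reproduced in the guide.
SAMPLE_EXPORT = """<configuration>
  <auth-servers>
    <auth-server><name>corp-ad</name><type>Active Directory</type></auth-server>
    <auth-server><name>old-dc</name><type>Legacy AD</type></auth-server>
    <auth-server><name>sm-sso</name><type>SiteMinder</type></auth-server>
    <auth-server><name>guest</name><type>Anonymous</type></auth-server>
  </auth-servers>
  <realms>
    <realm><name>Employees</name><auth-server>corp-ad</auth-server></realm>
    <realm><name>Partners</name><auth-server>sm-sso</auth-server></realm>
    <realm><name>Guests</name><auth-server>guest</auth-server></realm>
  </realms>
</configuration>"""


def _matches(kind, types):
    """Whole-word, case-insensitive match, so 'NIS' does not hit 'Administrator'."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", kind, re.I) for t in types)


def scan_export(xml_text):
    """Return what the import would reject ('blocking': server names), what it
    would leave unusable ('deprecated': name -> type), and every element outside
    those server definitions whose text references one of them
    ('references': name -> [(element path, name of the referencing object)])."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}

    def path(e):
        parts = []
        while e is not None:
            parts.append(e.tag)
            e = parent.get(e)
        return "/" + "/".join(reversed(parts))

    blocking, deprecated, owners = [], {}, {}
    for type_el in root.iter("type"):
        kind = (type_el.text or "").strip()
        owner = parent.get(type_el)
        name_el = owner.find("name") if owner is not None else None
        name = (name_el.text or "").strip() if name_el is not None else path(type_el)
        if _matches(kind, BLOCKING_AUTH_TYPES):
            blocking.append(name)
        elif _matches(kind, DEPRECATED_AUTH_TYPES):
            deprecated[name] = kind
            owners[name] = owner

    references = {name: [] for name in deprecated}
    for el in root.iter():
        text = (el.text or "").strip()
        # Skip the server's own <name> element; report everything else that names it.
        if text in references and parent.get(el) is not owners[text]:
            ref_owner = parent.get(el)
            owner_name_el = ref_owner.find("name") if ref_owner is not None else None
            owner_name = (owner_name_el.text or "").strip() if owner_name_el is not None else ""
            references[text].append((path(el), owner_name))
    return {"blocking": blocking, "deprecated": deprecated, "references": references}


if __name__ == "__main__":
    result = scan_export(SAMPLE_EXPORT)
    for name in result["blocking"]:
        print(f"BLOCKING: convert {name} to regular AD before exporting")
    for name, kind in result["deprecated"].items():
        print(f"DEPRECATED: {name} ({kind}) will be unusable after import")
        for elem_path, who in result["references"][name]:
            print(f"  referenced by {who!r} at {elem_path}")
```

A non-empty "blocking" list means the export will not import at all; entries under "references" are the realms and policies to move to a supported auth server, which is cheaper to do on the PSA side before export than to repair on the ISA side afterwards.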

Post Migration Activities

After performing the migration steps, it is recommended that the following settings be checked and validated manually:

1. System > Network > Overview settings (set in cluster or on individual nodes).

2. System > Network > Routes (for internal, external and other ports).

3. System > Network > Hosts (set in cluster or on individual nodes).

4. System > Network > Internal Port / External Port > Virtual Ports (if clustered, set this up for "Entire Cluster").

5. System > Network > VLANs (if clustered, set this up for "Entire Cluster").

6. ICS only: System > Network > VPN Tunneling (set in cluster or on individual nodes).

7. System > Log/Monitoring > SNMP (set in cluster or on individual nodes).

8. System > Configuration > Certificates > Device Certificates (and their port bindings).

9. ICS only: Users > Resource Policies > VPN Tunneling > Connection Profiles (if configured).

10. System > Configuration > Licensing: license client-server settings (if used as a license client in an Enterprise Licensing Server environment) and confirmation that the proper licenses are installed.