Introduction

Ivanti Connect Secure (ICS) is a next generation Secure access product, which offers fast and secure connection between remote users and their organization’s wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as new end user experience, increased overall throughput and simplified appliance management.

Security Advisory and Patch Update

Ivanti has released security advisories and mitigations for critical vulnerabilities in the Ivanti Connect Secure gateways. These vulnerabilities impacts all supported versions of ICS (22.x).

The following CVE's have been fixed:

CVE-2024-21894

CVE-2024-22052

CVE-2024-22053

CVE-2024-22023

CVE-2023-46805

CVE-2024-21887

CVE-2024-21888

CVE-2024-21893

CVE-2024-22024

For more details, see Ivanti forum.

The build details of ICS Gateways, which includes CVE fixes are listed below:

Caveats

The following feature is not supported in this gateway release:

Multicast with IGMP

Enterprise onboarding is not supported in Release 22.4R2.

Upgrade from 22.5R2.1/22.4R2 version to R1 version is not supported. Refer the supported upgrade path forum link for more details.

Browser based Certificate authentication gets impacted when enforcing TLS 1.3 on 22.4R2. Refer the forum link for more details.

Kernel rate limiting cannot be configured from nSA in Release 22.4R2.

The features listed in KB44747 are not supported with 22.x Gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in 22.x Gateway.

Hardware Platforms

You can install and use the software version on the following hardware platforms.

ISA6000

ISA8000

Virtual Appliance Editions

The following table lists the virtual appliance systems qualified with this release:

To download the virtual appliance software, go to: https://forums.ivanti.com/s/contactsupport

Licensing Types

License Type

Gateway Licensing Mode

nSA named user Licensing Mode

Platform/Core license

Install license locally or lease license for license server

Register the ICS Gateway with nSA and if the ICS Gateway is using nSA named user licensing mode then the Platform/Core license is not required.

User licensing

Install license locally or lease license for license server

Register ICS Gateway with nSA

Feature licenses (Adv HTML5 etc)

Install license locally or lease license for license server

Install license locally on ISA-V

For more information see the Licensing Management Guide

Upgrade Path

The following table describes the tested upgrade paths, in addition to fresh installation of 22.x for ICS Product.

Follow the mandatory steps listed in the KB44877 before staging or upgrading to prevent upgrade related issues.

Upgrade from 22.5R2.1/22.4R2 version to R1 version is not supported. Refer the supported upgrade path forum link for more details.

Upgrade path is not supported for FIPS mode (enabled) from release 22.3R1 or prior releases. Upgrade can only be done with FIPS mode disabled.

If you upgrade from 22.5R1 to 22.5R2.1 the DHCP subnet feature won't be available.

Upgrade to

Upgrade From (Supported Versions)

Qualified

22.5R2.1

22.5R1, 22.4R2.1, 22.4R1

Q

22.4R2.1

22.4R2, 22.4R1, 22.3Rx, 22.2Rx

Q

22.4R2

22.4R1, 22.3Rx and 22.2Rx

Q

22.4R1(FIPS)

22.3Rx and 22.2Rx

Q

22.3R1

22.2Rx and 22.1Rx

Q

22.2R1

22.1R1 and 21.12R1

Q

22.1R6

22.1R1 and prior releases

Q

22.1R1

21.12R1 and 21.9R1

Q

Configuration Migration Path

The following table describes the tested migration paths. See PSA-ISA-Migration-Guide and it is mandatory to follow the instructions.

Migrate to

Migrate From (Supported Versions)

Qualified

22.5R2.1

9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17

Q

22.4R2.1

9.1R17 and nSA supported 9.1R18

Q

22.4R2

9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17

Q

22.4R1

9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17

Q

22.3R1

9.1R17, 9.1R16, 9.1R15, 9.1R14, and nSA supported 9.1R15

Q

22.2R1

9.1R15, 9.1R14.1, 9.1R13.2, and nSA supported 9.1R14

Q

22.1R6

9.1R14.1 or prior releases

Q

22.1R1

9.1R13.2 or prior releases

Q

21.12R1

9.1R13.2 or prior releases

Q

21.9R1

9.1R12 or prior releases

Q

Upgrade the servers to the nearest matching version per the table to proceed with Migration if the exact versions are not listed.

Noteworthy  Information