Introduction
Ivanti Connect Secure (ICS) is a next-generation secure access product that offers a fast and secure connection between remote users and their organization's wider network. Ivanti Connect Secure modernizes VPN deployments and is loaded with features such as a new end-user experience, increased overall throughput and simplified appliance management.
Security Advisory and Patch Update
Ivanti has released security advisories and mitigations for critical vulnerabilities in the Ivanti Connect Secure gateways. These vulnerabilities impact all supported versions of ICS (22.x).
The following CVEs have been fixed:
• CVE-2024-21894
• CVE-2024-22052
• CVE-2024-22053
• CVE-2024-22023
• CVE-2023-46805
• CVE-2024-21887
• CVE-2024-21888
• CVE-2024-21893
• CVE-2024-22024
For more details, see the Ivanti forum.
The build details of the ICS gateway releases that include the CVE fixes are listed below (each ICS build is followed by the ISAC build and default ESAP version it ships with):
• ICS 22.5R2.4 Build 2229
  • ISAC 22.3R3 Build 19959
  • Default ESAP version 4.0.5
• ICS 22.5R2.3 Build 2215
  • ISAC 22.3R3 Build 19959
  • Default ESAP version 4.0.5
• ICS 22.5R2.1 Build 2035
  • ISAC 22.3R3 Build 19959
  • Default ESAP version 4.0.5
• ICS 22.4R2.4 Build 2169
  • ISAC 22.3R1 Build 18209
  • Default ESAP version 4.0.5
• ICS 22.4R2.3 Build 2159
  • ISAC 22.3R2 Build 19787
  • Default ESAP version 4.0.5
• ICS 22.4R2.1 Build 1725
  • ISAC 22.3R2 Build 19787
  • Default ESAP version 4.0.5
• ICS 22.4R2 Build 1531
  • ISAC 22.3R1 Build 18209
  • Default ESAP version 4.0.5
• ICS 22.4R1.2 Build 2173
  • ISAC 22.3R1 Build 18209
  • Default ESAP version 4.0.5
• ICS 22.4R1.1 Build 2165
  • ISAC 22.3R1 Build 18209
  • Default ESAP version 4.0.5
• ICS 22.4R1 Build 1439
  • ISAC 22.3R1 Build 18209
  • Default ESAP version 4.0.5
• ICS 22.3R1.2 Build 2075
  • ISAC 22.3R1 Build 1295
  • Default ESAP version 4.0.5
• ICS 22.3R1.1 Build 2071
  • ISAC 22.3R1 Build 1295
  • Default ESAP version 4.0.5
• ICS 22.3R1 Build 1647
  • ISAC 22.3R1 Build 1295
  • Default ESAP version 4.0.5
• ICS 22.2R4.2 Build 1481
  • ISAC 22.2R1 Build 1295
• ICS 22.2R4.1 Build 1475
  • ISAC 22.2R1 Build 1295
• ICS 22.2R3 Build 1283
  • ISAC 22.2R1 Build 1295
• ICS 22.2R1 Build 657
  • nSA GW 9.1R15 Build 18393
  • PDC 9.1R15 Build 15819
  • ISAC 22.2R1 Build 1295
  • Default ESAP version 3.7.5
• ICS 22.1R6.2 Build 897
• ICS 22.1R6.1 Build 893
• ICS 22.1R6 Build 575
• ICS 22.1R1 Build 421
  • nSA GW 9.1R14 Build 18099
  • PDC 9.1R14 Build 13525
  • Default ESAP version 3.7.5
Caveats
The following features are not supported in this gateway release:
• Multicast with IGMP
• Enterprise onboarding is not supported in Release 22.4R2.
• Upgrade from 22.5R2.1/22.4R2 to an R1 version is not supported. Refer to the supported upgrade path forum link for more details.
• Browser-based certificate authentication is impacted when enforcing TLS 1.3 on 22.4R2. Refer to the forum link for more details.
• Kernel rate limiting cannot be configured from nSA in Release 22.4R2.
The features listed in KB44747 are not supported with the 22.x gateway release. In addition, Pulse Collaboration, HOB Java RDP, and Basic HTML5 are not supported in the 22.x gateway.
Hardware Platforms
You can install and use the software version on the following hardware platforms.
• ISA6000
• ISA8000
Virtual Appliance Editions
The following table lists the virtual appliance systems qualified with this release:
Variant | Platform | vCPU | RAM | Disk Space
---|---|---|---|---
VMware ESXi 7.0.2 (17867351), ESXi 6.7.0 | ISA4000-V | 4 | 8 GB | 40 GB
VMware ESXi 7.0.2 (17867351), ESXi 6.7.0 | ISA6000-V | 8 | 16 GB | 40 GB
VMware ESXi 7.0.2 (17867351), ESXi 6.7.0 | ISA8000-V | 12 | 32 GB | 40 GB
Azure-V | ISA4000-V (Standard DS3 V2 - 3 NICs) | 4 | 14 GB | 40 GB
Azure-V | ISA4000-V (Standard_D4s_v3 - 2 NICs) | 4 | 14 GB | 40 GB
Azure-V | ISA6000-V (Standard DS4 V2 - 3 NICs) | 8 | 28 GB | 40 GB
Azure-V | ISA6000-V (Standard D8s V3) | 8 | 32 GB | 40 GB
Azure-V | ISA8000-V (Standard D16s V3) | 16 | 64 GB | 40 GB
Azure-V | ISA4000-V (F4s_v2) | 4 | 8 GB | 40 GB
Azure-V | ISA6000-V (F8s_v2) | 8 | 16 GB | 40 GB
Azure-V | ISA8000-V (F16s_v2) | 16 | 32 GB | 40 GB
AWS-V | ISA4000-V (M5.xlarge - 3 NICs) | 4 | 16 GB | 40 GB
AWS-V | ISA6000-V (M5.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB
AWS-V | ISA8000-V (M5.4xlarge - 3 NICs) | 16 | 64 GB | 40 GB
AWS-V | ISA4000-V (t3.xlarge - 3 NICs) | 4 | 16 GB | 40 GB
AWS-V | ISA6000-V (t3.2xlarge - 3 NICs) | 8 | 32 GB | 40 GB
GCP | ISA4000-V (n2-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB
GCP | ISA4000-V (n1-standard-4 - 3 NICs) | 4 | 16 GB | 40 GB
GCP | ISA6000-V (n2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB
GCP | ISA6000-V (c2-standard-8 - 3 NICs) | 8 | 32 GB | 40 GB
GCP | ISA8000-V (n2-standard-16 - 3 NICs) | 16 | 64 GB | 40 GB
OpenStack KVM | ISA4000-V | 4 | 8 GB | 40 GB
OpenStack KVM | ISA6000-V | 8 | 16 GB | 40 GB
OpenStack KVM | ISA8000-V | 12 | 32 GB | 40 GB
Hyper-V | ISA4000-V | 4 | 8 GB | 40 GB
Hyper-V | ISA6000-V | 8 | 16 GB | 40 GB
Hyper-V | ISA8000-V | 12 | 32 GB | 40 GB
Nutanix AHV 2021 | ISA4000-V | 4 | 8 GB | 40 GB
Nutanix AHV 2021 | ISA6000-V | 8 | 16 GB | 40 GB
Nutanix AHV 2021 | ISA8000-V | 12 | 32 GB | 40 GB
To download the virtual appliance software, go to: https://forums.ivanti.com/s/contactsupport
Licensing Types
License Type | Gateway Licensing Mode | nSA Named User Licensing Mode
---|---|---
Platform/Core license | Install the license locally or lease it from the license server | Register the ICS gateway with nSA; if the ICS gateway is using nSA named user licensing mode, the Platform/Core license is not required.
User licensing | Install the license locally or lease it from the license server | Register the ICS gateway with nSA
Feature licenses (Adv HTML5 etc.) | Install the license locally or lease it from the license server | Install the license locally on ISA-V
For more information, see the Licensing Management Guide.
Upgrade Path
The following table describes the tested upgrade paths, in addition to fresh installation of 22.x for the ICS product.
Follow the mandatory steps listed in KB44877 before staging or upgrading to prevent upgrade-related issues.
Upgrade from 22.5R2.1/22.4R2 to an R1 version is not supported. Refer to the supported upgrade path forum link for more details.
The upgrade path is not supported with FIPS mode enabled from release 22.3R1 or prior releases. The upgrade can only be done with FIPS mode disabled.
If you upgrade from 22.5R1 to 22.5R2.1, the DHCP subnet feature won't be available.
Upgrade to | Upgrade From (Supported Versions) | Qualified
---|---|---
22.5R2.1 | 22.5R1, 22.4R2.1, 22.4R1 | Q
22.4R2.1 | 22.4R2, 22.4R1, 22.3Rx, 22.2Rx | Q
22.4R2 | 22.4R1, 22.3Rx and 22.2Rx | Q
22.4R1 (FIPS) | 22.3Rx and 22.2Rx | Q
22.3R1 | 22.2Rx and 22.1Rx | Q
22.2R1 | 22.1R1 and 21.12R1 | Q
22.1R6 | 22.1R1 and prior releases | Q
22.1R1 | 21.12R1 and 21.9R1 | Q

Upgrade to | Upgrade From (Supported Version) | Qualified
---|---|---
22.2R3 | 22.2R1 and 22.1R1 | Q
FIPS mode supports fresh installation and upgrade for VMware images and only upgrade for Cloud (AWS, Azure, GCP) images.
Configuration Migration Path
The following table describes the tested migration paths. See the PSA-ISA-Migration-Guide; following its instructions is mandatory.
Migrate to | Migrate From (Supported Versions) | Qualified
---|---|---
22.5R2.1 | 9.1R18.1, 9.1R18, 9.1R14.3 and nSA supported 9.1R17 | Q
22.4R2.1 | 9.1R17 and nSA supported 9.1R18 | Q
22.4R2 | 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q
22.4R1 | 9.1R18, 9.1R17.1, 9.1R17, 9.1R16.2, 9.1R14.3 and nSA supported 9.1R17 | Q
22.3R1 | 9.1R17, 9.1R16, 9.1R15, 9.1R14, and nSA supported 9.1R15 | Q
22.2R1 | 9.1R15, 9.1R14.1, 9.1R13.2, and nSA supported 9.1R14 | Q
22.1R6 | 9.1R14.1 or prior releases | Q
22.1R1 | 9.1R13.2 or prior releases | Q
21.12R1 | 9.1R13.2 or prior releases | Q
21.9R1 | 9.1R12 or prior releases | Q
If the exact versions are not listed, upgrade the servers to the nearest matching version in the table before proceeding with migration.
Noteworthy Information
• The sign-in policy should be configured with the login URL, if the login URL differs from the host FQDN, to avoid the "SAML transfer failed" issue.
• For Release 22.5R2.1, while configuring SAML/IdP settings for Cloud Secure, set the Signature Algorithm to SHA-256. SHA-1 is less secure and not supported by Microsoft 365 from the 2016 version onwards.
• Resources may not be accessible through Ivanti Secure Access Client on Android when Enable TOS Bits Copy is configured for the role under VPN Tunneling Options on the ICS. Disable the option under User > User Roles > Role > VPN Tunneling in the ICS UI to access all resources.
• Console access using SSH is not available from release 22.4R2 onwards for cloud deployments. Use serial console access instead.
• Enterprise onboarding is not supported in Release 22.4R2.
• Upgrade from 22.5R2/22.4R2 to an R1 version is not supported. Refer to the supported upgrade path forum link for more details.
• Browser-based certificate authentication is impacted when enforcing TLS 1.3 on 22.4R2. Refer to the forum link for more details.
• The file system type has changed from ext2 to ext3 to avoid power-cycle issues on RAID disks.
• Application Visibility logs are not displayed by default. Delete the default `id` filters to view the logs. Application Visibility logs are per connection, based on the application accessed.
• A "New password must differ from previous 8 password positions (Default)" option is newly added under Password options on the Local Authentication Settings page.
• Reset Password and Change Password options are newly introduced for Local Authentication accounts (User/Admin).
• Platform (Core) License SKUs for ISA platforms are introduced. Concurrent users are reset to two if a core license is not installed or leased.
• Hyper-V and KVM support