What's New
•DHCPv6 Server: Enhanced to support IPv6 address. For more details, see IPv6 address assignment in table.
•Port Probe support for IPv6: Port probing method now supports both IPv4 and IPv6 addresses with improved reliability. You can verify if TCP and UDP ports for IPv6 destination server is open using IPv6 internal or management source IP. For more details, see Troubleshooting Tools.
•Advanced HTML5 improvements: Automatic launch for admin created bookmark on user login is newly added. For more information, see Advanced HTML5.
•Filter Duplicate Split Tunnel Routes: Admin gets information message about duplicate configuration entry detection and automatically removed while saving. For more details, see Split tunnel.
•REST API enhancements: New set of REST APIs are added for upload, delete and for staging upgrade and also to fetch and save logs. For more details, see Staging Upgrade, Fetching Logs.
•OAuth Enhancements to support Encrypted ID Token and Self-Signed Provider Certificates. For more details, see OAuth.
•SELinux (Security Enhanced Linux) support: This feature restricts access to the ICS Linux system so that ICS Linux applications can only access the minimum set of resources they require. SELinux mode is enabled as Enforcing by default. See Security Enhanced (SELinux) Support.
•TLS 1.3 Support: TLS 1.3 option is newly introduced in this release. See TLS 1.3 Support.
ICS now supports TLS version 1.3 with the following additional cipher suites:
•TLS_AES_128_GCM_SHA256
•TLS_AES_256_GCM_SHA384
•TLS_CHACHA20_POLY1305_SHA256
Limitation:
•End-user certificate authentication feature (Smart Card) is not available when Accept only TLS 1.3 is enabled in System > Configuration > Inbound Settings for protocol version.
•If you choose Accept only TLS 1.2 and later with custom ciphers, then you need to ensure one or more TLS 1.2 ciphers are included.
•Use Low-Privilege Account instead of Root (NRP): Web server related processes are executed as non-root user. This prevents malicious code for gaining permissions in the ICS host. This feature is enabled by default.
•Running Third-Party Tools in Jail: The ICS applications will run third party tools in a controlled environment where the contained process is not allowed to utilize resources outside of the container such as files, memory space devices, etc. This feature is enabled by default.
•Kernel rate limiting is implemented on external interface to prevent unauthenticated DoS and DDoS attack. See Miscellaneous Security Options.
22.4R1 features are supported in 22.4R2.
•IPv6 support for File Resource Profile: This features supports the IPv6 format for the servers IP address and server name. See Creating a File Resource Profile.
•IPv6 support for Log Archiving
•IPv6 support for Host Checker, Download ESAP, Signature files
•Pulse One Support: Beginning with Release 22.3R1, Pulse One support is added. By default, nSA is supported, which is feature rich compared with Pulse One) as a controller for the ISA appliances. If you are not able to use nSA due to certification/federal compliance. You can reach out to Ivanti enterprise support for Pulse One enablement on ICS 22.3R1 or above.
•IPv6 static routing: This feature provides static routing for IPv6 address. Static routes are useful for smaller networks with only one path to an outside network and to provide security for a larger network for certain types of traffic or links to other networks that need more control routes are manually configured and define an explicit path between two networking devices.
•IPv6 in LDAP server: This feature helps to configure IPv6 on LDAP Server.
•Support for ICS Deployment on Nutanix: New Qualification for Nutanix deployment
•ICS is Qualified on Microsoft Azure F series: The following Microsoft F series variants are now qualified:
•F4s_v2
•F8s_v2
•F16s_v2
•AES 256 e-type encryption support: This feature allows the administrators to enable AES 256 encryption type. This feature is applicable only for Active Directory Authentication Server using Kerberos Authentication protocol.
•Allow Host checker policy on certificate expiry: This feature allows the administrators to pass host checker policies on endpoints after the user certificate expiry. The Administrator can assign endpoints to have remediation roles, so that users can renew certificate.
•FQDN IP entries in ACL: This feature allows to retain FQDN IP entries for lifetime of the FQDN IP in an ACL.
•Log Enhancements: This feature allows the admin to enter a custom message to display on the client highlight the host checker compliance errors.
•This release qualifies certification of FIPS, JITC (DoDIN APL) and NDcPP.
•JITC Certification
•Log Support for detection and prevention of SMURF/SYN Flood/SSL Replay Attack.
•Disable ICMPv6 echo response for multicast echo request.
•Disable ICMPv6 destination unreachable response.
•DSCP Support.
•Password Strengthening.
•Notification for unsuccessful admin login attempts.
•Re-authentication of admin users.
•Notification on admin status change
•NDcPP Certification
•When NDcPP option is enabled, only NDcPP allowed crypto algorithms are allowed.
•Device/Client Auth certificate 3072 bit key length support.
•Not allowing Import of Device/Client Auth Certificate if Respective CAs are not in Trusted Stores.
•Not allowing Importing of Device Certificate without Server Authentication EKU (Extended Key Usage).
•Device/Client Auth/CA certificate revocation check during Certificate Import
•Syslog certificate revocation check during TLS connection establishment.
•Not Allowing 1024 bit Public Key Length Server Certificate from Syslog during TLS connection.
•Supports feature parity with 9.1R15. For more information, see Release Notes.
• Platform (Core) License SKUs for ISA platforms are introduced.
•Hyper-V and KVM support for ISA-V devices as below:
•ISA4000-V
•ISA6000-V
•ISA8000-V
•License server can lease core licenses to ISA-V license clients.
•Connect Secure runs on the next generation Ivanti Secure Appliance (ISA) series appliances, which has better performance and throughput due to hardware, software, and kernel optimization.
•It is available as fixed-configuration rack-mounted hardware.
•ISA6000
•ISA8000
•It can also be deployed to the data center or cloud as virtual appliances.
•ISA4000-V
•ISA6000-V
•ISA8000-V
•Supports feature parity with 9.1R14. For more information, see Release Notes.
•This release addresses OpenSSL vulnerability CVE-2022-0778. It is recommended to upgrade all the Gateways to the latest version of Connect Secure.