Prerequisites for Migration
•Software: ISA Hardware or Virtual appliance should be available and online prior to starting the migration.
•Deployment: This is a server-to-server migration and cannot be performed in-place on the same hardware.
•Licenses: ISA Appliances require new licenses. Procure the new licenses and keep them handy.
•ISA hardware would not require any additional core/CPU licenses.
•Settings: Identify the network settings for each of the configured ports for the target ISA gateway.
•Configuration backup: It is preferred to back up the system.cfg and user.cfg binary files, along with an XML export of the entire configuration, immediately prior to migration. For more information, see Exporting Configurations.
•Upgrade: It is recommended to upgrade your existing 22.8R2 ISA Appliance to 25.1.0.0 or later and import the backup configuration to the ISA Appliance only, if required.
•Configuration documentation: Local settings that are mostly kept in system.cfg should be documented, as some of these may need to be manually re-entered on the ISA device.
Note down the following settings before migration:
•IP Pool filters
•Cluster configuration
•Virtual port configuration and certificates mapping
•SNMP configuration
•Log settings
•Syslog can be configured in either cluster mode or individual nodes.
•Deprecated features are not supported in 25.1.0.0. Please refer to Deprecated Features for the list of deprecated features.
Connect Secure only: In an Active/Active cluster, attention should be given to the Network > VPN Tunneling > IP address filter and VPN Tunneling Profile IP pool settings. This is particularly important because this guide assumes that both the existing and target deployments will be active at the same time. If the IP pools overlap, production users may be impacted if testing is done on the target deployment during production time. Specifically, the same IP may be leased to two independent users, which will cause addressing clashes.
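One way to check the IP pools noted from the existing and target deployments for the overlap described above, as an added example that is not Ivanti's own tooling. The pool values are constructed, and the accepted notations (CIDR, `start-end`, and a shortened end such as `10.20.0.150-250`) are assumptions about how the pools were written down.

```python
import ipaddress


def parse_pool(entry):
    """Return (first, last) as integers for one IPv4 pool entry.

    Assumed notations: 'a.b.c.d', 'a.b.c.d/len', 'a.b.c.d-e.f.g.h',
    and a shortened end such as 'a.b.c.d-h' (trailing octets only).
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    start_s, sep, end_s = entry.partition("-")
    start = ipaddress.IPv4Address(start_s.strip())
    if not sep:
        return int(start), int(start)
    end_octets = end_s.strip().split(".")
    # A shortened end replaces only the trailing octets of the start address.
    prefix = str(start).split(".")[: max(0, 4 - len(end_octets))]
    end = ipaddress.IPv4Address(".".join(prefix + end_octets))
    if end < start:
        raise ValueError(f"range end precedes start: {entry!r}")
    return int(start), int(end)


def find_overlaps(existing, target):
    """List (existing_entry, target_entry, first_ip, last_ip, count) per clash."""
    clashes = []
    for e in existing:
        e_lo, e_hi = parse_pool(e)
        for t in target:
            t_lo, t_hi = parse_pool(t)
            lo, hi = max(e_lo, t_lo), min(e_hi, t_hi)
            if lo <= hi:  # intervals intersect: these addresses could be leased twice
                first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
                clashes.append((e, t, str(first), str(last), hi - lo + 1))
    return clashes


# Constructed sample pools, not taken from any real deployment.
EXISTING_POOLS = ["10.20.0.10-10.20.0.200", "10.20.8.0/24"]
TARGET_POOLS = ["10.20.0.150-250", "10.20.9.0/24", "10.20.8.128-10.20.8.254"]

if __name__ == "__main__":
    for e, t, first, last, count in find_overlaps(EXISTING_POOLS, TARGET_POOLS):
        print(f"OVERLAP existing {e} / target {t}: {first}-{last} ({count} addresses)")
```

An empty result means the two deployments can lease addresses concurrently without clashing; any reported range should be removed from one side's pool before testing on the target during production time.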
Some settings such as SNMP, Log settings, and the Syslog configuration can be set in either cluster mode or individual nodes.
Configuration Migration Path
The following table describes the tested migration paths.
| Migrate to | ISA Hardware device Migrate From (Supported Versions) | VA Migrate From (Supported Versions) |
|---|---|---|
| Connect Secure | | |
| 25.1.2.0 | 22.7R2.12, 22.8R2.3, 25.1.1.0 | NA |
| 25.1.1.0 | 25.1.0.1, 25.1.0.0, 22.8R2.3, 22.8R2.2, 22.8R2.1, 22.7R2.12, 22.7R2.11 | 25.1.0.1, 25.1.0.0, 22.8R2.3, 22.8R2.2, 22.8R2.1, 22.7R2.12, 22.7R2.11 |
| 25.1.0.1 | 25.1.0.0, 22.8R2 and 22.7R2.8 | 25.1.0.0, 22.8R2 and 22.7R2.8 |
| 25.1.0.0 | 22.8R2, 22.7R2.8, and 22.7R2.7 | 22.8R2, 22.7R2.8, and 22.7R2.7 |
If the exact versions are not listed, upgrade the servers to the nearest matching version in the table before proceeding with the migration.
Deprecated Features
To improve stability and the overall security posture of the new ICS, Ivanti has decided to deprecate an old set of features. For details, refer to the article Ivanti Connect Secure: Features and Options Becoming Unsupported or Deprecated in 22.7Rx, 22.8Rx, and 25.x.
Configurations with deprecated features will be upgraded or imported to 25.x but will not be qualified. Please refer to the KB for more details.
Refer to Prerequisites for Migration and Supported Configuration Migration Path before starting the migration.
Post Migration Activities
After performing the migration steps, it is recommended that the following settings be checked and validated manually:
1. System > Network > Overview settings (set in cluster or individual nodes).
2. System > Network > Routes (for internal, external and other ports).
3. System > Network > Hosts (set in cluster or individual nodes).
4. System > Network > Internal Port / External Port > Virtual Ports (if clustered, set this up in cluster “Entire Cluster”).
5. System > Network > VLANs (if clustered, set this up in cluster “Entire Cluster”).
6. ICS only - System > Network > VPN Tunneling (set in cluster or individual nodes).
7. System > Log/Monitoring > SNMP (set in cluster or individual nodes).
8. System > Configuration > Certificates > Device Certificates (and their port bindings).
9. ICS only - Users > Resource Policies > VPN Tunneling > Connection Profiles (if configured).
10. System > Configuration > Licensing - License client-server settings (if used as a license client in an Enterprise Licensing Server environment), and that the proper licenses are installed.