Introduction

This document contains the release notes for Ivanti Connect Secure Release 9.1R16.3: supported features, feature changes, unsupported features, and known issues in this software release. If the information in the release notes differs from the information in the documentation set, follow the release notes.

Security Advisory and Patch Update

Ivanti has released security advisories and mitigations for critical vulnerabilities in Ivanti Connect Secure gateways. This release fixes the following CVEs:

  • CVE-2023-46805
  • CVE-2024-21887
  • CVE-2024-21888
  • CVE-2024-21893
  • CVE-2024-22024

For more details, see the security advisories on the Ivanti forums.

Hardware Platforms

You can install and use this software version on the following hardware platforms:

PSA300, PSA3000, PSA5000, PSA7000f, PSA7000c

To download software for these hardware platforms, go to Product Downloads.

Virtual Appliance Editions

This software version is available for the Virtual Appliance (PSA-V) editions.

  • From the 9.1R1 release onwards, VA-DTE is not supported.
  • From the 9.0R1 release, the End-of-Life (EOL) process has begun for the VA-SPE virtual appliance. In its place, Ivanti has launched the PSA-V series of virtual appliances, designed for use in the data center or with cloud services such as Microsoft Azure, Amazon AWS, OpenStack Fabric and Alibaba Cloud.

The following list gives, per platform, the virtual appliance systems qualified with this release:

VMware
  • HP ProLiant DL380 G5 with Intel(R) Xeon(R) CPU
  • ESXi 7.0 Update 2c

OpenStack KVM
  • CentOS 7.7
  • Linux Server Release 6.4 on an Intel Xeon CPU L5640 @ 2.27GHz
  • 24GB memory in host
  • Allocation for virtual appliance: 4vCPU, 4GB memory and 40GB disk space

Hyper-V
  • Microsoft Hyper-V Server 2016 and 2019

Azure-V
  • Standard DS2 V2 (2 Core, 2 NICs)
  • Standard DS3 V2 (4 Core, 3 NICs)
  • Standard DS4 V2 (8 Core, 3 NICs)

AWS-V
  • T2.Medium (2 Core, 2 or 3 NICs)
  • T2.Xlarge (4 Core, 3 NICs)
  • T2.2Xlarge (8 Core, 3 NICs)

Alibaba Cloud
  • ecs.g6.2xlarge (8 vCPU, 32GB, 2 NICs)

To download the virtual appliance software, go to: Product Downloads.

VMware Applications

The following VMware applications are qualified, each listed with the Ivanti Connect Secure feature it was qualified against:

VMware
  • VMware Horizon View Connection Server version 7.12: Rewriter
  • VMware Horizon Agent version 7.12: VDI Profiles
  • VMware Horizon View HTML Access version 5.4: VDI Profiles
  • VMware Horizon View Client version 5.4: VDI Profiles

Upgrade Paths

The following table describes the tested upgrade paths. Here x and y refer to:

x: the latest maintenance release version
y: a version lower than x

Upgrade From    Qualified    Compatible
9.1Rx           Yes          -
9.1Ry           -            Yes

For versions prior to 9.0, first upgrade to release 9.0Rx or 9.0Ry, and then upgrade to 9.1Rx.

If your system is running a beta or hot-fix version of the software, roll back to your previously installed official software release before you upgrade to 9.1Rx. This ensures that the rollback version is a release suitable for production.

Upgrade Scenario Specific to Virtual Appliances

PSA-Vs cannot be upgraded to 9.1R10 without a Core license installed. Follow these steps to upgrade (x: latest maintenance release version):

  1. If the PSA-V is running 8.3Rx:
    • Upgrade to 9.0Rx.
    • Install the Core license through Authcode.
    • Upgrade to 9.1Rx.
  2. If the PSA-V is running 9.0Rx or later:
    • Install the Core license through Authcode.
    • Upgrade to 9.1Rx.

For details, see the “Noteworthy Information in 9.1R4.3 Release” section.
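The upgrade rules above, together with the related prerequisites stated elsewhere in these notes (the beta/hot-fix rollback, the 8.3-OVF floor from the 9.1R4.3 notes, the Active Directory Legacy Mode migration from the general notes, and the deprecated-feature removal from the 9.1R15 notes), collected into a pre-flight planner. This is an added example, not Ivanti tooling; the Appliance record, its field names and the sample fleet are constructed for illustration, and nothing here queries a real appliance.

```python
"""Upgrade pre-flight planner (added example; encodes only rules stated in
these release notes over a hypothetical inventory record)."""
import re
from dataclasses import dataclass, field

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """'9.1R16.3' -> (9, 1, 16, 3); '9.0R6' -> (9, 0, 6, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


@dataclass
class Appliance:              # hypothetical inventory record, not an Ivanti object
    name: str
    version: str
    is_psa_v: bool = False    # PSA-V virtual appliance
    ovf_generation: str = ""  # OVF the VA was deployed from, e.g. "8.3"
    has_core_license: bool = False
    is_beta_or_hotfix: bool = False
    ad_legacy_mode: bool = False   # an AD auth server still in Legacy Mode
    deprecated_features: list = field(default_factory=list)  # from KB44747/KB44913


def plan_upgrade(app, target="9.1R16.3"):
    """Return {'blockers': [...], 'steps': [...]} for taking app to target."""
    cur, tgt = parse_version(app.version), parse_version(target)
    blockers, steps = [], []

    if cur >= tgt:
        blockers.append(f"{app.name} already runs {app.version}; nothing to do.")
    if app.is_psa_v and app.ovf_generation:
        ovf = tuple(int(p) for p in app.ovf_generation.split("."))
        if ovf < (8, 3):   # 9.1R4.3 note: pre-8.3 OVF deployments cannot upgrade
            blockers.append("VA deployed from a pre-8.3 OVF: upgrade will not work; "
                            "redeploy from an 8.3 or later OVF.")
    if blockers:
        return {"blockers": blockers, "steps": []}

    if app.is_beta_or_hotfix:
        steps.append("Roll back to the previously installed official release.")
    if app.ad_legacy_mode and tgt >= (9, 1, 1, 0):
        steps.append("Migrate the Active Directory server from Legacy Mode "
                     "to Standard Mode (KB40430).")
    if app.deprecated_features and tgt >= (9, 1, 15, 0):
        steps.append("Remove deprecated-feature configuration (KB45044): "
                     + ", ".join(app.deprecated_features))
    if cur < (9, 0, 0, 0):   # pre-9.0 systems hop through 9.0Rx first
        steps.append("Upgrade to the latest 9.0Rx maintenance release.")
    if app.is_psa_v and not app.has_core_license and tgt >= (9, 1, 10, 0):
        steps.append("Install the Core license through Authcode.")
    steps.append(f"Upgrade to {target}.")
    return {"blockers": [], "steps": steps}


if __name__ == "__main__":
    fleet = [  # constructed sample inventory
        Appliance("va-dc1", "8.3R7.1", is_psa_v=True, ovf_generation="8.3"),
        Appliance("va-dc2", "9.0R6", is_psa_v=True, ovf_generation="8.2"),
        Appliance("psa-hq", "8.3R7", ad_legacy_mode=True),
        Appliance("psa-dr", "9.1R15", is_beta_or_hotfix=True),
    ]
    for app in fleet:
        print(app.name, plan_upgrade(app))
```

The planner refuses to emit steps when a blocker is present, so a VA deployed from an old OVF is reported as needing redeployment rather than being given an upgrade sequence that the notes say will not work.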

General notes

  1. For policy reasons, security issues are not normally mentioned in release notes. For more information on our security advisories, see our security advisory page.
  2. In 8.2R1.1 and above, all the PCS client access binaries (Network Connect, WSAM, Host Checker, JSAM, Windows Terminal Services, Citrix Terminal Services) are signed with a SHA2 code signing certificate to improve security and to comply with Microsoft's 2016 restrictions on SHA1 code signing. This certificate will expire on April 12, 2021. For details, refer to KB14058 and KB43834.
  3. Important note: Windows 7 machines must have the March 10, 2015 Windows 7 Update installed to accept and verify the SHA2-signed binaries properly. If this update is not installed, Ivanti Connect Secure 8.2R1.1 and later will suffer from reduced functionality (see PRS-337311 in Known Issues). As a general rule, Ivanti recommends that client machines be kept current with the latest OS updates to maximize security and stability.
  4. When custom ciphers are selected, some of them may not be supported by the web browser. Any ECDH/ECDSA ciphers selected require an ECC certificate to be mapped to the internal/external interface. If an ECC certificate is not installed and mapped to the internal and external ports (if enabled), administrators may be unable to sign in to the appliance. The only way to recover is to connect to the system console and select option 8, which resets the SSL settings to factory default; any customization is lost and must be reconfigured. This applies only to Inbound SSL settings.
  5. Pre-5.0 Android and pre-9.1 iOS devices do not support Suite B ciphers. If Suite B is enabled, the Pulse client on those devices cannot connect to the Ivanti Connect Secure device.
  6. The minimum supported ESAP version is 4.0.5.
  7. From the 9.1R2 release onwards, the Network Connect (NC) client and the legacy Windows Secure Application Manager (WSAM) client are not supported.
  8. From the 9.1R1 release onwards, Active Directory Legacy Mode configuration is not supported. If you have an existing Active Directory authentication server using Legacy Mode, first migrate it to Standard Mode and then upgrade Ivanti Connect Secure. For the detailed migration procedure, refer to KB40430.
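A pre-flight check for the custom-cipher lockout described in note 4, which also flags the HMAC-SHA1 suites that the 9.1R11 notes later in this document say were removed from Maximize Security. This is an added example, not part of these release notes or of Ivanti's software: it expands an OpenSSL-style cipher string through the local OpenSSL (Python's ssl module) and reports which suites need an ECC certificate and whether any enabled port would be left with no usable suite. The port-to-certificate-key-type mapping ("internal"/"external" with "rsa"/"ec") is a constructed input; in practice take it from the certificates actually mapped on the appliance.

```python
"""Custom cipher list pre-flight check (added example, not Ivanti code)."""
import ssl


def expand_ciphers(cipher_string):
    """Suites (TLS 1.2 and below) that OpenSSL selects for cipher_string.

    get_ciphers() also lists TLS 1.3 suites regardless of the string; those
    are certificate-type agnostic, so they are dropped from this analysis.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        raise ValueError(f"no local cipher matches {cipher_string!r}") from exc
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_usable_with(cipher, key_type):
    """Can this suite be served with a certificate whose key is key_type?

    key_type is 'rsa' or 'ec' (assumed labels for the mapped certificate).
    """
    auth = cipher["auth"]          # OpenSSL auth name, e.g. 'auth-rsa', 'auth-ecdsa'
    if auth == "auth-ecdsa":
        return key_type == "ec"
    if auth == "auth-rsa":
        return key_type == "rsa"
    return False                   # PSK/anon/DSS suites are not served by these ports


def audit_cipher_list(cipher_string, cert_key_by_port):
    """cert_key_by_port maps each enabled port to its mapped cert key type,
    e.g. {"internal": "rsa", "external": "ec"}; disabled ports are omitted.

    Returns the suites that require an ECC certificate, the suites still
    using HMAC-SHA1, and, per port, whether NO suite would work: the
    lockout case that only console option 8 recovers from.
    """
    suites = expand_ciphers(cipher_string)
    return {
        "needs_ecc_cert": [c["name"] for c in suites if c["auth"] == "auth-ecdsa"],
        "sha1_mac": [c["name"] for c in suites if c["digest"] == "sha1"],
        "lockout_risk": {
            port: not any(suite_usable_with(c, key) for c in suites)
            for port, key in cert_key_by_port.items()
        },
    }


if __name__ == "__main__":
    # Constructed scenario: an ECDSA-only list while an RSA certificate is
    # still mapped to the internal port, which would lock admins out there.
    report = audit_cipher_list(
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256",
        {"internal": "rsa", "external": "ec"},
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run this against the exact cipher string before saving it on the appliance; a True under lockout_risk for any enabled port means the change should wait until an ECC certificate is mapped to that port.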

Noteworthy Information in 9.1R16.1 Release

  • From 9.1R16.1, the default ESAP version is 4.0.5.

Noteworthy Information in 9.1R16 Release

  • From 9.1R16, Pulse Secure Client is re-branded as Ivanti Secure Access Client. Complete UX rebranding and a UI upgrade are implemented, with an option to switch between the Classic UI and the New UI to preserve the user experience. The Pulse Secure client icon is replaced by the Ivanti Secure Access Client icon. For more information, refer to KB45301.
  • The number of multicast groups an end user can join is increased to 30.
  • The number of ports allowed on a resource is increased from 15 to 32.
  • The Resource Profile filter supports IPv6 addresses.
  • The number of split tunneling networks is increased from 512 to 1024.
  • Host Checker logs are enhanced to include session IDs.
  • FQDN ACLs can now include ports.

Noteworthy Information in 9.1R15 Release

  • From 9.1R15 onwards, some features are deprecated. Remove all related configuration before upgrading to 9.1R15; the upgrade may fail if any of it remains. For more information, refer to KB45044.
    If the upgrade is performed through the Admin UI, the upgrade failure message lists the deprecated feature configuration that must be removed before the upgrade can proceed.
    If the upgrade is performed using REST APIs or a management server such as Pulse One, check the serial console for the list of deprecated feature configurations.
  • This release supports adding gateways on ISA hardware platforms as license clients; they can lease licenses from a 9.1R15 license server.

Noteworthy Information in 9.1R14 Release

  • Re-branding of the Pulse Secure logo, copyright, and some references reflects that the transition to Ivanti branding is in progress; it continues in the next release. Pulse Connect Secure (PCS) is now referred to as Ivanti Connect Secure, and Pulse Policy Secure (PPS) as Ivanti Policy Secure.
  • A few features are targeted for deprecation from release 9.1R14. The 9.1R14 update does not support new configurations for these features but still allows modification of existing configuration; on upgrade, existing configurations are unchanged. These features will be permanently deprecated in subsequent releases. Refer to KB44747 and KB44913 for the detailed list of deprecated features.
  • The default periodic host checking interval is 60 minutes. Setting aggressive intervals may result in performance issues.
  • A single user name or certificate shared by a large number of users might overload the session database and lead to connection drops; new users may then be unable to establish connections.
  • Trusted server CA certificate names have changed because the certificates expired and were renewed:
    • Cybertrust Global Root is now Baltimore CyberTrust Root
    • GlobalSign-2 is now GlobalSign
  • Refer to KB44877 and follow the mandatory steps before staging or upgrading an appliance.
  • Split tunneling entries are increased from 255 to 512.

Noteworthy Information in 9.1R13.1 Release

    From 9.1R13.1, ISA virtual platforms can be configured as license clients. For more information, refer to the License Management Guide.

Noteworthy Information in 9.1R13 Release

  • At the role level, based on the administrator's selection of solution type, end users can create HTML5 bookmarks.
  • Logs are enhanced to include client certificate information.
  • Refer to KB44408 for recommendations and best practices for deploying the Virtual Appliance, and for the logs needed for analysis and troubleshooting.
  • An option to configure the PSAL time-out is available under System Maintenance > Options.
  • A warning message about session disconnection displays when the localization settings are changed.
  • Logs are enhanced to provide more ICT-related information.

Noteworthy Information in 9.1R12 Release

  • SNMP monitoring enhancement to map interface index numbers consistently across ifTable and ipAddrTable.
  • The grace period for expired licenses is reduced from 91 days to 31 days.
  • Logs are refined and enhanced; they now include session information such as the Session ID and session start and end data.
  • Enhancements to dsagentd to address session resumption issues.
  • Source IP restrictions can now be disabled for admin realms through a newly added serial console menu option.

Noteworthy Information in 9.1R11.5 Release

  • Added an option for the administrator to let users download the Pulse Client Components removal (Pulse Upgrade Helper) tool on Windows end-user machines upon browser access. This helps remediate the certificate expiry issue. For more information, refer to KB44781 and KB44810.
  • This release provides important security hardening. For more information, refer to SA44800.
  • The source IP restriction (RFC1918) on Admin Realms is removed for fresh deployments on the OpenStack KVM platform. Default source IP restrictions still apply to PSA appliances and to the VMware and Hyper-V platforms.
  • An option is available in the admin UI to force users to re-authenticate at the IdP in spite of an active user session.

Noteworthy Information in 9.1R11.4 Release

  • This release provides important security hardening. For more information refer to SA44784.

Noteworthy Information in 9.1R11 Release

  • HTTP-only DSDID session cookies were introduced in Release 9.0R3. From release 9.1R11 onwards, DSDID cookies are enabled by default for all newly created roles. On upgrade, if DSDID is not enabled on some roles, a warning message displays on the dashboard with a link the administrator can click to enable the DSDID cookie option for all roles.
  • Major browsers disable TLS 1.0 and TLS 1.1 by default. Administrators should use TLS 1.2 or later and also select the Maximize Security option under Configuration > Security > SSL Options for inbound and outbound connections. If it is not selected, a warning message displays.

    From 9.1R11 onwards, new ESP VPN Tunneling Connection Profiles default to AES256/SHA256 (Maximize Security) encryption.
  • User logs and Administrator logs are refined and enhanced to display more information.
  • A source IP restriction is added on Admin Realms so that, on fresh deployments or when the configuration is cleared, administrators can connect only from private (RFC1918) addresses. This restriction applies to PSA appliances, VMware, Hyper-V, and OpenStack KVM.
  • From 9.1R11, the SHA1 hashing algorithm is removed from the “Maximize Security (High Ciphers)” settings.
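A post-upgrade posture check for two of the 9.1R11 items above: the gateway should refuse TLS 1.0 and TLS 1.1 handshakes, and the DSDID session cookie should carry HttpOnly (and Secure). This is an added example, not part of these release notes or of Ivanti's code. The TLS probe needs network reach to the appliance (the hostname in the comment is assumed); the cookie audit is pure and runs here on constructed Set-Cookie values, which in practice you would copy from an authenticated response (for example from curl -i).

```python
"""TLS version and DSDID cookie posture check (added example, not Ivanti code)."""
import socket
import ssl
from http.cookies import SimpleCookie


def legacy_tls_accepted(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`,
    False if it refuses, None if the local OpenSSL cannot offer that
    version at all (then the probe says nothing about the server)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # posture probe, not a trust decision
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let the client offer legacy versions
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ValueError:
        return None                           # version unsupported by local build
    except ssl.SSLError as exc:
        if "NO_PROTOCOLS_AVAILABLE" in str(getattr(exc, "reason", "")):
            return None
        return False                          # server refused the handshake
    except OSError:
        return False


def tls_posture(host, port=443):
    """Expected result after the 9.1R11 recommendation: both values False."""
    return {
        "TLSv1": legacy_tls_accepted(host, port, ssl.TLSVersion.TLSv1),
        "TLSv1.1": legacy_tls_accepted(host, port, ssl.TLSVersion.TLSv1_1),
    }


def audit_session_cookies(set_cookie_values, required=("DSDID",)):
    """Parse Set-Cookie header values; report missing HttpOnly/Secure flags.

    Returns (flags_by_cookie_name, findings). An absent required cookie is
    itself a finding, since a role without DSDID enabled will not set it.
    """
    flags = {}
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            flags[name] = {"httponly": bool(morsel["httponly"]),
                           "secure": bool(morsel["secure"])}
    findings = []
    for name in required:
        if name not in flags:
            findings.append(f"{name} not set (DSDID cookies not enabled for this role?)")
            continue
        if not flags[name]["httponly"]:
            findings.append(f"{name} lacks HttpOnly")
        if not flags[name]["secure"]:
            findings.append(f"{name} lacks Secure")
    return flags, findings


if __name__ == "__main__":
    # Constructed header values: one hardened, one as a role without the
    # DSDID option enabled might emit.
    for sample in (["DSDID=0f3a9c; Path=/; Secure; HttpOnly"],
                   ["DSDID=0f3a9c; Path=/"]):
        print(sample, "->", audit_session_cookies(sample)[1])
    # tls_posture("vpn.example.net") would probe a real gateway (assumed hostname).
```

A None from the TLS probe is not a pass: it means the workstation's own OpenSSL would not offer the legacy version, so the check must be rerun from a client that can.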

Noteworthy Information in 9.1R10 Release

  • Added stability improvements for L4 JSAM connections.
  • Added the following license reporting enhancements for MSSP deployments:
    • When the license client has a concurrent-users license installed locally, it excludes the locally installed count when sending lease usage to the license server.
    • When the license client has the ICE license enabled, or has an evaluation license installed that grants the platform maximum for concurrent users, the lease usage it reports is zero.
    • The license client allows 10% usage over the licensed limit, and this also applies to the maximum lease limit; in that case it reports only the maximum lease limit as usage. For example, if the license client has leased 100 licenses and 110 users are logged in, it reports 100 to the license server.
  • Host header validation is introduced in 9.1R10. When this option is enabled on the server under System > Configuration > Security > Miscellaneous, the Pulse Client upgrade through Ivanti Connect Secure may fail. For more information, refer to KB44646.
  • Added graphs to display advanced HTML5 connections under System Status dashboard. Refer to “Displaying System Status” in Ivanti Connect Secure Administration Guide.

Noteworthy Information in 9.1R8 Release

    For 9.1R8, Pulse Collaboration Client is packaged using Ivanti Connect Secure 9.1R7 build.

Noteworthy Information in 9.1R4.3 Release

  • A critical issue was observed in the 9.1Rx OVF. The 9.1R4.3 release addresses this issue.
  • On some installations, a few read-only files were being overwritten, and customers experienced HTTP 500 responses for some admin requests. The 9.1R4.3 release addresses this issue.
  • Upgrade works only if the VA was deployed from an 8.3 or later OVF. If the VA was deployed from a pre-8.3 OVF, upgrade to this image will not work.
  • Refer to KB44408 for the recommendations / best practices to deploy Virtual Appliance and the logs needed for analysis/troubleshooting.