New Features

The following table describes major features that are introduced in the corresponding release:

Feature

Description

Release 9.1R17.1 Features

No new features introduced in this release.

Release 9.1R17 Features

AES 256 e-type encryption support

This feature allows administrators to enable the AES 256 encryption type. It applies only to an Active Directory Authentication Server using the Kerberos authentication protocol.

FQDN IP entries in ACL

This feature retains FQDN IP entries in an ACL for the lifetime of the FQDN IP.

Note: This feature works with Ivanti Secure Access Client 22.3R1 and later.

Allow Host checker policy on certificate expiry

This feature allows administrators to pass Host Checker policies on endpoints after the user certificate expires. The administrator can assign remediation roles to these endpoints so that users can renew the certificate.

Log Enhancements

This feature allows the admin to enter a custom message to display on the client to highlight the Host Checker compliance errors.

Release 9.1R16.1 Features

No new features applicable to this release.

Release 9.1R16 Features

Microsoft 365 support through re-writer

Ivanti Connect Secure supports Microsoft Office 365 through re-writer.

PSAL browser extension

An option for the administrator to enable the browser extension for end users. For installation instructions, refer to the Pulse Secure Application Launcher Deployment Guide under Ivanti Secure Access Client Documents.

Ivanti Neurons for MDM (formerly MobileIron Cloud)

Ivanti Connect Secure now supports Ivanti Neurons for MDM (formerly MobileIron Cloud).

Release 9.1R15 Features

End user bookmark creation

This feature allows users to create SSH/Telnet/VNC HTML5 bookmarks to initiate SSH/Telnet/VNC connections.

This feature also allows admins to select the bookmark types that users can create.

Admin controlled session recording

This feature allows admins to control and store the session recordings, for end user and admin created bookmarks, to internal or external storage on Advanced HTML5 sessions.

Intune integration enhancement

This feature allows checking the compliance of an end user and retrieving device attributes using the Device ID.

Support for Intune Government cloud is available in Preview-only mode for this release.

DHCP options enhancement

This feature allows ICS to act as a relay agent and communicate to the DHCP server the subnet/link to allocate an IP address.

This feature allows Admins to configure any sub-option (1-255) for DHCP option including DHCP option 82, sub-option 5.

OAuth/OpenId Connect Enhancements

This feature enhancement includes:

  • using a URL to fetch OAuth metadata
  • force authentication
  • traffic segregation for OAuth server

Accessibility Conformance report

Accessibility conformance report helps to check the level of accessibility compliance of the product.

Release 9.1R14 Features

OAuth/OpenID support for authentication

Ivanti Connect Secure supports OAuth as an Auth Server which can be added and configured for End User authentication.

OAuth is an open-standard authorization protocol or framework that describes how unrelated servers and services can safely allow authenticated access to their assets without sharing the initial, related, single logon credential. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol.

This feature allows users to authenticate with any standard OpenID Provider like Google, OKTA, Azure AD, to connect to Ivanti Connect Secure.

REST API enhancements

The new REST API methods allow the admin to configure and manage Ivanti Connect Secure seamlessly. New REST API functions are supported for Upgrade, Reboot, Rollback, Read-Only Admin, Console password protection, Monitor NTP status, Map interfaces to certificates, Toggle Fault Tolerance and Telemetry Settings.

SAML enhancements

A new option in the SAML Auth Server configuration lets the admin override the default FQDN and provide a custom FQDN for communicating with SAML providers and for end-user authentication.

Advanced HTML5 enhancements

For RDP bookmarks, fetch domain feature supports automatic detection of domain for AD servers. This feature supports AD servers only.

License count is changed from session basis to user login basis.

Admin Authentication fallback URL

Introduced an option to provide a fallback URL in case the Auth server is not reachable when the admin tries to log in.

Geo-Location to the realm restrictions

This feature provides an option to restrict or allow logins based on location.

Note: Ensure that the UEBA package is uploaded on the ICS for this feature to work.

Kerberos e-type extension

This feature allows Kerberos to use AES128 as the highest encryption type.

Audio Support on Citrix desktops

Audio support for Citrix desktops that are hosted on a Citrix server using an admin created VDI bookmark.

Release 9.1R13.1 Features

ISA virtual platforms as license clients

ISA virtual platforms can be configured as license clients from 9.1R13.1. For more information, refer to the License Management Guide.

Release 9.1R13 Features

AWS marketplace publishing

AWS marketplace publishing with GP3 AMI image to reduce the Ivanti Connect Secure upgrade time on AWS.

Release 9.1R12.1 Features

No new features applicable to this release.

Release 9.1R12 Features

Integrity Checker

The integrity tool allows an administrator to verify the Ivanti Connect Secure package installed on Virtual or Hardware Appliances. This tool checks the integrity of the complete file system and finds any additional or modified files in the system.

Intune integration enhancements

This feature enhancement allows Windows users to fetch attributes from Intune by using MAC address option.

Advanced HTML5 Enhancements

The feature enhancement allows users to create admin/end-user Advanced HTML5 bookmarks.

Seamless migration of Ivanti Connect Secure instance in AWS

This feature allows modifying the internal port and external port of Ivanti Connect Secure deployed in AWS.

Choice of interface for each configured syslog server

This feature enhancement adds source interface selection for each syslog server configured in Ivanti Connect Secure. It enables the admin to select the source interface whose address is used to send packets to the syslog server.

REST API Enhancements for Named Users

This feature enables the admin to access named users and their information, and to delete them on both Ivanti Connect Secure and the License Server in Named User Repository mode, using REST APIs.

Release 9.1R11.5 Features

No new features applicable for this release.

Release 9.1R11.4 Features

No new features applicable for this release.

Release 9.1R11.3 Features

No new features applicable for this release.

Release 9.1R11 Features

Advanced HTML5 solution

(General Availability version)

Ivanti Connect Secure supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

From 9.1R11, Advanced HTML5 access is available as General Availability version.

Release 9.1R10 Features

No new features applicable for this release. Refer to Noteworthy Information in 9.1R10 Release for more details.

Release 9.1R9.1 Features

No new features applicable for this release.

Release 9.1R9 Features

SNMP v3 multiple user support

Ivanti Connect Secure supports two users to be registered with an SNMP engine with different authentication and privilege settings.

ESP Tunnel for Mixed Mode

Ivanti Connect Secure provides an option to use an ESP tunnel for 6in4 and 4in6 traffic.

Advanced HTML5 solution

(Trial version)

Ivanti Connect Secure supports Advanced HTML5 Access solution. This Advanced HTML5 Access solution supports two Advanced HTML5 sessions by default and includes multiple monitors, session recording, audio recording, high sound quality, and camera support.

Remote microphone support in WTS

Supports microphones connected to the client computer during the remote session.

Release 9.1R8.2 Features

No new features added in this release.

Release 9.1R8.1 Features

No new features added in this release.

Release 9.1R8 Features

UEBA package for fresh installation of Ivanti Connect Secure/Ivanti Policy Secure

If you have a fresh installation of Ivanti Connect Secure/Ivanti Policy Secure, you can download the latest UEBA package from the Support Site (my.pulsesecure.net) and add the package on the Behavior Analysis page before using Adaptive Authentication or Geolocation based Conditional Access.

Show users by access type

Apart from showing the number of concurrent user sessions, Ivanti Connect Secure Dashboard now shows the L4 access type (PSAM) and Clientless access type (Browser) logins as non-tunnel users.

Ivanti Connect Secure Protection from Overload

This feature disallows user login, user login via Pulse Desktop, HTML5 connection or connection to a web resource when the CPU load is above a certain threshold. By default, this option is disabled for Ivanti Connect Secure upgrades and enabled for new installation.

Reset/Unlock TOTP user through REST API

This release provides REST API to Reset/Unlock a user under a TOTP server.

New license SKUs for Ivanti Connect Secure/Ivanti Policy Secure

This release adds around 120 new license SKUs for Ivanti Connect Secure/Ivanti Policy Secure.

Support for pool of NTP servers and NTP status check

Ivanti Connect Secure now supports a pool of up to 4 NTP servers to sync date and time.

Release 9.1R7 Features

Automatic enable/disable ICE license

This release provides automatic management of ICE license. Ivanti Connect Secure enables ICE license when the logged in users count crosses the maximum licensed users count and disables ICE license when the logged in users count drops below the maximum licensed users count.

For example, if you installed licenses for 100 users, the ICE license is automatically enabled when the 101st user logs in.

Show current HTML5 RDP sessions in Dashboard

This release provides HTML5 sessions information in the dashboard and the trend graph that helps admin to view the CPU usage and take necessary action to provide better remote access experience for the users.

Support for srcset attribute in HTML

Ivanti Connect Secure provides support for the responsive images (in web applications) via rewriter by rewriting the srcset attribute value. The corresponding images would be fetched on client application based on screen size, resolutions and other features.

Enable/Disable FQDN ACL

Earlier, the FQDN ACL feature was enabled by default even when no policies were configured. A new admin-configurable option to enable or disable the FQDN ACL feature is added in 9.1R7 at System > Configuration > VPN tunneling.

Release 9.1R6 Features

Hyperlink to Host Checker Policies

In the User Realms > Authentication Policy > Host Checker page, the policy names now have hyperlinks. Click the link to view the policy configuration.

Hardware ID in the System Maintenance page

The System > Maintenance > Platform page displays Hardware ID along with the other platform details.

Serial number in the Licensing screen

The System > Configuration > Licensing page displays Hardware ID and Serial number.

Enable/Disable option for ICE license

This release provides REST API to do the following on a Standalone/Cluster:

  • enable/disable ICE license
  • get the current status of ICE license.

Release 9.1R5 Features

Terraform template support for AWS and Azure

Ivanti Connect Secure can be deployed using Terraform templates on supported hypervisors and cloud platforms.

Location based Conditional Access

Conditional Access feature for Cloud Secure now provides a mechanism to enforce access control policies based on location parameters by defining policies for applications.

Password management for OpenLDAP

LDAP based password management works with generic LDAP servers such as OpenLDAP.

Microsoft Intune MDM integration

In this release, device access management framework supports integration with Microsoft Intune.

HTML5 Sessions report

Active number of HTML5 sessions on Ivanti Connect Secure can be obtained using a REST API call to api/v1/stats/active-html5-sessions.

MSSP Reporting enhancements

It is now possible to extract any particular license client/cluster report through REST API. Enhancements include:

  • Cluster-wise view in the license report.
  • License report in JSON format through REST.
  • Options to get cluster/client/period sub-section of the granular report through REST.

SSLDump for VLAN

In this release, the SSLDump utility supports VLAN. Admins can use this tool for debugging and data collection purposes.

Edit default gateway configuration

In Ivanti Connect Secure hosted in a cloud environment, it is now possible to edit the default gateway configuration from the UI.

Host Checker feature enhancement

Host Checker policy to detect and allow hard disks on which encryption is in progress.

License server with Active-Active cluster

Administrators can:

  • create a license server with an Active-Active cluster on virtual/cloud and hardware platforms.
  • lease all the different types of licenses to license clients from any node of the Active-Active cluster.
  • surrender/recall licenses from any node of the Active-Active cluster.

Release 9.1R4.3 Features

No new features added for this release.

Release 9.1R4.2 Features

No new features added for this release.

Release 9.1R4.1 Features

No new features added for this release.

Release 9.1R4 Features

Ivanti Connect Secure VA on Alibaba Cloud

Ivanti Connect Secure now supports VA deployment on Alibaba Cloud.

Conditional Access

Conditional Access feature for Cloud Secure provides a mechanism to enforce access control policies based on user and device parameters by defining policies for applications. Conditional Access policies are evaluated during application access time while roles are mapped to the session during the session creation time.

REST API enhancements

Enhancements include:

  • Update to “Getting Active Sessions”
  • Update to “Getting System Information”
  • Added “Fetching the User Login Statistics”
  • Added “Health Check Status”
  • Added “VIP Failover”
  • Added “Applying License”
  • Added “Deleting License”
  • Added “Getting License Clients”
  • Added “Getting License Report from License Server”
  • Added Profiler REST APIs

vTM and Ivanti Connect Secure Integration for Load Balancing

The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing.

Support for Windows Redstone 6

In 9.1R4 release, Windows Redstone 6 - version 1909 is qualified.

Support for SharePoint 2019

In 9.1R4 release, SharePoint 2019 is qualified.

Support for VMware VDI 7.9, and 7.10

In 9.1R4 release, VMware VDI versions 7.9 and 7.10 are qualified.

Support for Citrix Virtual Apps and Desktops 7 1909

In 9.1R4 release, Citrix Virtual Apps and Desktops 7 1909 is qualified.

Protect passwords stored in local auth server using stronger hash

When a new local authentication server is created, the admin can now choose to store the password with strong hashing using pbkdf2.

Support license reporting per license client

Licensing report is enhanced with usage statistics for each Ivanti Connect Secure instance - maximum user count per month per Ivanti Connect Secure/per MSSP.

MSSPs can now:

  • generate accurate usage reports of their customers.
  • produce the structured report in XML format so that it can be parsed and used for dashboards.

Release 9.1R3 Features

Consolidated system and troubleshooting logs

The various system logs and troubleshooting logs that help in investigating user access issues and system issues can be configured and accessed using the Log Selection page.

Connect to nearest available DC

The LDAP authentication configuration is enhanced in 9.1R3 to locate the nearest Microsoft domain controllers, which are spread across the globe, by resolving DNS SRV records.

Zero touch provisioning

From 9.1R3 release, Ivanti Connect Secure can detect and assign DHCP networking settings automatically at the Ivanti Connect Secure VM boot up. In the script included in the PSA-V package, the Ivanti Connect Secure parameters should be set to null in order to fetch the networking configuration automatically from the DHCP server.

This feature is not supported on PSA hardware.

Ivanti Connect Secure hosted in OpenStack cloud

OpenStack is an open source cloud computing platform that allows deploying and managing a cloud infrastructure as an IaaS service. As part of this release, Ivanti Connect Secure supports deploying Ivanti Connect Secure KVM in OpenStack cloud.

VMware tools support

From 9.1R3 release, VMware support is qualified for VMware 10.3.10, ESXi 6.7 Update 2c.

Debug Log storage expansion

From 9.1R3 release, the maximum debug log size is increased to 1024 MB on hardware platforms.

Periodic iostat data collection

From 9.1R3 release, the “iostat” information is gathered periodically and made available as part of node monitoring in system snapshot.

Control copy/paste option for a user from an HTML5 session

The 9.1R3 release provides an option for administrators as well as end users to enable/disable copy/paste from HTML5 RDP sessions. This option is available under User Roles as well as Admin Created Bookmarks.

Enhancements to Local Authentication Server default password

From 9.1R3 release, for a fresh installation, the valid password range defined is 0-999. Minimum length 10 and maximum length 128 are set as default values.

Restricting access to default resource policies

From 9.1R3 release, for a fresh installation, the following predefined resource policies are set to “Deny” state by default.

  • Web Access Resource Policy “Initial Policy for Local Resources”
  • Windows File Access Resource Policy “Initial File Browsing Policy”
  • The predefined policy for VPN Tunneling is not provided.

IKEv2 Fragmentation

IKEv2 packets can be larger than the MTU, especially the IKE_AUTH packets, which include the certificate chain. These larger IKE packets get fragmented in the intermediate devices. This feature implements fragmentation at the IKE level and avoids IP fragmentation.

MSS value for TCP connections on Tun devices

Because the IPv6 header is larger than the IPv4 header, packets are dropped on the external interface if the MSS of the Ivanti Connect Secure external interface is not set appropriately. This feature allows setting the MSS to a lower value so that TCP connections are not dropped for 6-in-4 cases or when there is NAT translation somewhere in the network before reaching Ivanti Connect Secure.

Release 9.1R2 Features

SP-Initiated SAML SSO

Ivanti Connect Secure supports SP-initiated SAML SSO when Ivanti Connect Secure is configured as IdP in gateway mode. Ivanti Connect Secure uses the existing user session in generating SAML assertion for the user for SSO.

IDP initiated SAML Single Logout

This feature provides a single logout functionality wherein if a user gets logged out of a session from one application, Ivanti Connect Secure (configured as IdP) notifies all other connected applications of that user with Single Logout.

Flag Duplicate Machine ID in access logs

Pulse client expects the machine ID to be unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine ID are closed.

A new access log message is added to flag the detection of a duplicate Machine ID in the following format:

Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.
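As an added example (not part of the release notes and not Ivanti code), the following Python parses exported access log lines for the message above and groups terminations by machine ID, so that IDs seen from more than one source address stand out, as happens with cloned endpoint images. The line prefix (timestamp, node, user) in the sample is constructed; only the message body follows the documented format.

```python
import ipaddress
import re
from collections import defaultdict

# Message body as documented above; only the machine ID and IP address vary.
DUP_RE = re.compile(
    r'Duplicate machine ID "(?P<machine_id>[^"]+)" detected\. '
    r'Ending user session from IP address (?P<ip>\S+?)\. '
    r'Refer document KB25581 for details\.'
)

# Constructed sample lines. The prefix layout is an assumption; the parser
# searches for the message body and does not depend on the prefix.
SAMPLE_LOG = [
    '2024-01-10 09:14:02 - node1 - alice(Users) - Duplicate machine ID "A1B2C3D4" detected. '
    'Ending user session from IP address 192.0.2.15. Refer document KB25581 for details.',
    '2024-01-10 09:14:40 - node1 - bob(Users) - Duplicate machine ID "A1B2C3D4" detected. '
    'Ending user session from IP address 192.0.2.87. Refer document KB25581 for details.',
    '2024-01-10 09:15:11 - node1 - carol(Users) - Login succeeded from 192.0.2.33.',
    '2024-01-10 09:20:05 - node2 - dave(Users) - Duplicate machine ID "FFEE0011" detected. '
    'Ending user session from IP address 2001:db8::7. Refer document KB25581 for details.',
    '2024-01-10 09:31:27 - node1 - alice(Users) - Duplicate machine ID "A1B2C3D4" detected. '
    'Ending user session from IP address 192.0.2.15. Refer document KB25581 for details.',
]


def parse_duplicate_events(lines):
    """Return (machine_id, ip) tuples for every duplicate-machine-ID message."""
    events = []
    for line in lines:
        match = DUP_RE.search(line)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # malformed address field: skip rather than guess
        events.append((match.group("machine_id"), str(ip)))
    return events


def summarize(events):
    """Group events by machine ID with a termination count and distinct IPs."""
    grouped = defaultdict(lambda: {"count": 0, "ips": set()})
    for machine_id, ip in events:
        grouped[machine_id]["count"] += 1
        grouped[machine_id]["ips"].add(ip)
    return {
        mid: {"count": data["count"], "ips": sorted(data["ips"])}
        for mid, data in grouped.items()
    }


def multi_source_ids(summary, min_ips=2):
    """Machine IDs whose sessions were ended from at least min_ips addresses."""
    return sorted(mid for mid, data in summary.items() if len(data["ips"]) >= min_ips)


if __name__ == "__main__":
    report = summarize(parse_duplicate_events(SAMPLE_LOG))
    for mid in multi_source_ids(report):
        print(mid, report[mid]["count"], ", ".join(report[mid]["ips"]))
```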

Microsoft RDWeb HTML5 Access

The newly introduced Microsoft RDWeb resource profile controls access to the published desktops and applications based on HTML5. The Microsoft RDWeb templates significantly reduce the configuration time by consolidating configuration settings into one place and by pre-populating a variety of resource policy settings.

In the 9.1R2 release, Microsoft RDWeb HTML5 access does not support Single Sign On. SSO will be made available in a future release.

Backup configs and archived logs on AWS S3/Azure Storage

Two new methods of archiving the configurations and archived logs are available now apart from SCP and FTP methods:

Ivanti Connect Secure now supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.

V3 to V4 OPSWAT SDK migration

Ivanti Connect Secure supports the migration of servers and clients to OPSWAT v4 to take advantage of latest updates.

Report Max Used Licenses to HLS|VLS

From 9.1R2 release, the licensing client (Ivanti Connect Secure) starts reporting maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used.

VA Partition Expansion

Ivanti Connect Secure/Ivanti Policy Secure supports upgrading from 8.2Rx to 9.1R2 for the following supported platforms:

  • VMware ESXi
  • OpenStack KVM
  • Hyper-V

When upgrading a VA-SPE running 8.2R5.1 or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMware, OpenStack KVM and Hyper-V. Refer to KB41049 for more details.

Release 9.1R1 Features

Software Defined Perimeter

SDP uses ICS appliances which individually act as either an SDP controller or an SDP gateway. Mobile users of the Pulse Client perform authentication on an SDP controller which runs an Authentication, Authorization and Accounting (AAA) Service. The SDP controller then enables direct communication between the user and the SDP gateways that protect the user’s authorized resources and enables requested encryption.

DNS traffic on any physical interface

Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port.

Authentication failure management

The Account Lockout option is provided to manage user authentication failures for admin users of the local authentication server. The admin user account is locked after a specified number of consecutive wrong password attempts. The account is unlocked after the specified lockout period or by using the Unlock option.

Support for “client-name” parameter in HTML5 Access

Users can pass "client-name" in HTML5 RDP using the launcher method. The %clientname% variable is matched with a workstation ID; normally that variable is a unique and dedicated remote desktop computer name.

Deploying PSA-V in OpenStack KVM

Users can deploy PSA-V in OpenStack KVM using a template.

User access to internet resources on an Azure-based or AWS-based Ivanti Connect Secure

AWS VPC GW and Azure VNet GW drop packets if the source IP is the endpoint tunnel IP. This feature NATs the endpoint tunnel IP to the Internal interface IP. The NAT allows users to access internet resources when connected to a VPN tunnel on an Azure-based or AWS-based Ivanti Connect Secure.

REST API enhancements

Enhancements include:

  • Getting Config without Pulse packages such as ESAP package and Pulse Client package
  • Backing up and restoring binary configuration