Introduction
Ivanti Policy Secure (IPS) is a next generation Secure access product, which offers customers the ability to adapt to a zero trust network access security model. Enterprises use Policy Secure to enforce endpoint policy compliance for employees, guests and contractors regardless of location, device type or device ownership. Users enjoy greater productivity and the freedom to work anywhere without limiting access to authorized network resources and applications. BYOD onboarding optimizes the user experience by allowing workers to use their preferred device. Policy Secure provides complete visibility of managed and unmanaged network devices.
Security Advisory and Patch Update
Ivanti has released security advisories and mitigations for critical vulnerabilities in the Ivanti Pulse Secure gateways. The following CVE's have been fixed:
- CVE-2023-46805
- CVE-2024-21887
- CVE-2024-21888
- CVE-2024-21893
- CVE-2024-22024
-
CVE-2023-39340
-
CVE-2023-41719
For more details, see forum link.
The build details of IPS, which includes CVE fixes are listed below:
Build Details for 22.4R1.1
•IPS 22.4R1.1 Build 463
•Profiler Version (FPDB Version 51)
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
Build Details for 22.4R1
•IPS 22.4R1 Build 373
•Profiler Version (FPDB Version 51)
•ISAC 22.3R1 Build 18209
•Default ESAP version 4.0.5
Build Details for 22.3R1
•IPS 22.3R1 Build 469
•Profiler Version (FPDB Version 51)
•ISAC 22.2R1 Build 1295
•Default ESAP version 4.0.5
Build Details for 22.2R3
•IPS 22.2R3 Build 993
•ISAC 22.2R1 Build 1295
Build Details for 22.2R1
•IPS 22.2R1 Build 461
•Pulse Profiler Version (FPDB Version 48)
•PDC 9.1R15 Build 15819
•ISAC 22.2R1 Build 1295
•Default ESAP version 3.7.5
Build Details for 22.1R6
•22.1R6 Build 281
Build Details for 22.1R1
•IPS 22.1R1 Build 211
•Pulse Profiler Version (FPDB Version 48)
•PDC 9.1R14 Build 13525
•Default ESAP version 3.7.5
Hardware Platforms
You can install and use the software version on the following hardware platforms.
•ISA6000
• ISA8000
Virtual Appliance Editions
The following table lists the virtual appliance systems qualified with this release:
Virtual appliance qualified in 22.4R1/22.4R1.1
|
Variant |
Platform |
vCPU |
RAM |
Disk Space |
|---|---|---|---|---|
|
VMware ESXi 7.0.3
|
ISA4000-V |
4 |
8 GB |
40 GB |
|
ISA6000-V |
8 |
16 GB |
40 GB |
|
|
ISA8000-V |
12 |
32 GB |
40 GB |
|
|
AWS
|
ISA4000-V (M5.xlarge) |
4 |
16 GB |
40 GB |
|
ISA6000-V (M5.2xlarge) |
8 |
32 GB |
40 GB |
|
|
ISA8000-V (M5.4xlarge) |
16 |
64 GB |
40 GB |
|
|
Azure
|
ISA4000-V (Standard DS3 V2 - 3NICs) |
4 |
14 GB |
40 GB |
|
ISA4000-V (Standard_D4s_v3 - 2NICs) |
4 |
14 GB |
40 GB |
|
|
ISA6000-V (Standard DS4 V2 -3 NICs ) |
8 |
28 GB |
40 GB |
|
|
ISA6000-V (Standard D8s V3) |
8 |
32 GB |
40 GB |
|
|
ISA8000-V (Standard D16s V3) |
16 |
64 GB |
40 GB |
|
|
ISA4000-V (F4s_v2) |
4 |
8 GB |
40 GB |
|
|
ISA6000-V (F8s_v2) |
8 |
16 GB |
40 GB |
|
|
ISA8000-V (F16s_v2) |
16 |
32 GB |
40 GB |
|
|
Hyper-V
|
ISA4000-V |
4 |
8 GB |
40 GB |
|
ISA6000-V |
8 |
16 GB |
40 GB |
|
|
ISA8000-V |
12 |
32 GB |
40 GB |
Virtual appliance qualified in 22.2R3
|
Variant |
Platform |
vCPU |
RAM |
Disk Space |
|---|---|---|---|---|
|
VMware ESXi 7.0.3
|
ISA4000-V |
4 |
8 GB |
40 GB |
|
ISA6000-V |
8 |
16 GB |
40 GB |
|
|
ISA8000-V |
12 |
32 GB |
40 GB |
Virtual appliance qualified in 22.1R1, 22.2R1, and 22.3R1
|
Variant |
Platform |
vCPU |
RAM |
Disk Space |
|---|---|---|---|---|
|
VMware ESXi 7.0.3
|
ISA4000-V |
4 |
8 GB |
40 GB |
|
ISA6000-V |
8 |
16 GB |
40 GB |
|
|
ISA8000-V |
12 |
32 GB |
40 GB |
|
|
AWS
|
ISA4000-V (M5.xlarge) |
4 |
16 GB |
40 GB |
|
ISA6000-V (M5.2xlarge) |
8 |
32 GB |
40 GB |
|
|
ISA8000-V (M5.4xlarge) |
16 |
64 GB |
40 GB |
To download the virtual appliance software, go to: https://forums.ivanti.com/s/contactsupport
Upgrade Path
The following table describes the tested upgrade paths, in addition to fresh installation of 22.1R1 and 22.1R6 for IPS Product.
|
Upgrade to |
Upgrade From (Supported Version) |
Qualified |
|---|---|---|
|
22.4R1.1 |
22.4R1, 22.3R1 and 22.2R1 |
Q |
|
22.4R1 |
22.3R1 and 22.2R1 |
Q |
|
22.3R1 |
22.2R1 and 22.1R1 |
Q |
|
22.2R1 |
22.1R6 and 22.1R1 |
Q |
|
22.1R6 |
22.1R1 |
Q |
Upgrade Path in 22.2R3
Upgrade can only be done with JITC (DoDIN APL) mode disabled.
|
Upgrade to |
Upgrade From (Supported Version) |
Qualified |
|---|---|---|
|
22.2R3 |
22.2R1 and 22.1R1 |
Q |
JITC (DoDIN APL) supports fresh installation and upgrade for VMware images and only upgrade for cloud (AWS) images.
Configuration Migration Path
The recommended and qualified import option is using Binary Config.
The following table describes the tested migration paths.
|
Migrate to |
Migrate From (Supported Versions) |
Qualified |
|---|---|---|
|
22.4R1/ 22.4R1.1 |
9.1R18, 9.1R17, 9.1R16.2, 9.1R14.3 |
Q |
|
22.3R1 |
9.1R17, 9.1R16, 9.1R16.2, 9.1R15, 9.1R14 |
Q |
|
22.2R1/ 22.2R3 |
9.1 R15, 9.1 R14.1, 9.1 R13.2 |
Q |
|
22.1R6 |
9.1R14.1 or prior releases |
Q |
|
22.1R1 |
9.1R13.2 or prior releases |
Q |
Noteworthy Information
Version 22.3R1
•Host checker on the Ubuntu OS is not supported on Firefox browser.
Version 22.2R3
•New password must differ from previous 8 password positions option is newly added under Password options in Local Authentication Settings page.
•Reset Password and Change Password options are newly introduced for Local Authentication Account (User/Admin).
Version 22.2R1
•For MAC spoof detection based on NMAP, the classification change counter is configurable. To configure, you must navigate to Profiler Configuration > Settings > Advance Configuration.
• Platform (Core) License SKUs for ISA platforms are introduced. Concurrent users are reset to two if core license is not installed or leased.