What's New
These are cumulative release notes. If a release does not appear in this section, then there are no associated new features.
Product Version | Build |
IPS | 1485 |
Profiler Version | FPDB Version 54 |
ISAC 22.7 R4 | 30859 |
Default ESAP | 4.3.8 |
No new features.
Product Version | Build |
IPS | 1321 |
Profiler Version | FPDB Version 54 |
ISAC 22.7R3 | 30777 |
Default ESAP | 4.3.8 |
No new features.
•TLS 1.3 support is newly introduced in this release. IPS now supports TLS version 1.3 with the additional cipher suites:
•TLS_AES_128_GCM_SHA256
•TLS_AES_256_GCM_SHA384
•TLS_CHACHA20_POLY1305_SHA256
Limitation:
•The end-user certificate authentication feature (Smart Card) is unavailable when Accept only TLS 1.3 is enabled in System > Configuration > Inbound Settings for protocol version.
•If you choose Accept only TLS 1.2 and later with custom ciphers, you need to ensure that one or more TLS 1.2 ciphers are included. For more information, see TLS 1.3 Support.
•IPv6 Support: In this release, IPv6 is supported for fresh deployment of IPS on Hyper-V, VMware, and KVM.
•MDM Auth Server: A new option with interface selection is added for MDM connections to enable the outgoing interface, see configuring_with_mdm_servers.htm
•Integrity Check: Booting Options on Integrity Check Failure is newly introduced to check for integrity check failures during boot up (disabled by default). Options are added to reboot, roll back, or continue booting if the integrity check fails.
•Use Low-Privilege Account instead of Root (NRP): Web server related processes are executed as a non-root user. This prevents malicious code from gaining permissions in the IPS host. This feature is enabled by default.
•Running Third-Party Tools in Jail: The IPS applications run third-party tools in a controlled environment where the contained process is not allowed to use resources outside of the container, such as files, memory space, devices, etc. This feature is enabled by default.
•You can now set the Minimum Version check in Host Checker for the Custom Command rule for Mac OS. For more information, see Configuring Custom Command Rule.
•NMAP scan subnet increased to 1000, enabling faster scan capability for MAC OS. For more information, see Subnets Configuration.
•Dynamic Disk Size Allocation: An IPS fresh deployment includes an 80GB disk size (default). The admin can modify/increase the disk from 40GB to 80GB on upgrade from a prior version, see the deployment guides for Azure, AWS, KVM, Hyper-V, VM.
•Host Checker Timeout can be configured to accommodate the network responsiveness under various conditions. For more information, see Specifying General Host Checker Options.
•Pulse One enablement on IPS 22.4R1 or above. This feature is not enabled by default and has to be enabled through CLI.
•IPS is qualified on Azure cloud and Hyper-V platforms.
•IPv6 support for Host Checker, Download ESAP, Signature files.
•IPv6 support for Log Archiving
•Allow Host Checker policy on certificate expiry: This feature allows administrators to pass Host Checker policies on endpoints after the user certificate expires. The administrator can assign endpoints to remediation roles, so that users can renew the certificate.
•Log Enhancements: This feature allows the admin to enter a custom message that is displayed on the client to highlight the Host Checker compliance errors.
•Report scheduling enhancements: This feature supports scheduling multiple reports of the same type. It also allows scheduling report notifications at a customized time of a day/month/week.
•Compliance report enhancements: The dashboard displays the chart for the compliant and non-compliant devices. The compliance report is enhanced to display the compliant devices.
•This release qualifies certification of FIPS, JITC (DoDIN APL) and NDcPP.
•JITC (DoDIN APL) Certification
•Log Support for detection and prevention of SMURF/SYN Flood/SSL Replay Attack.
•Password Strengthening.
•Notification for unsuccessful admin login attempts.
•NDcPP Certification
•When the NDcPP option is enabled, only NDcPP-allowed crypto algorithms are permitted.
•Import of a Device/Client Auth certificate is not allowed if the respective CAs are not in the Trusted Stores.
•Import of a Device Certificate without the Server Authentication EKU (Extended Key Usage) is not allowed.
•Device/Client Auth/CA certificate revocation check during certificate import.
•Syslog certificate revocation check during TLS connection establishment.
•A server certificate with a 1024-bit public key length from Syslog is not allowed during the TLS connection.
•Supports feature parity with the 9.1R15 release. For more information, see Release Notes.
•OAuth/OpenID support for authentication: Ivanti Policy Secure (IPS) supports OAuth as an Auth Server, which can be added and configured for End User authentication. OAuth is an open-standard authorization framework that describes how unrelated servers and services can safely allow authenticated access to their assets, without sharing the initial, related, or single logon credentials. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. This feature allows users to authenticate with any standard OpenID Provider like Google, OKTA, Azure AD, to connect to IPS.
•Support deployment of IPS on AWS cloud platform: IPS can now be deployed on AWS cloud platform.
•IPv6 enforcement support for Palo Alto Networks (PAN) firewall: IPS supports IPv6 resources access through PAN firewall.
•Policy Secure runs on the next generation Ivanti Secure Appliances (ISA) series appliances, which have better performance and throughput due to hardware, software, and kernel optimization.
•It is available as fixed-configuration rack-mounted hardware.
•ISA6000
•ISA8000
•It can also be deployed to the data center or cloud as virtual appliances.
•ISA4000-V
•ISA6000-V
•ISA8000-V
•Supports feature parity with the 9.1R14 release. For more information, see Release Notes.
•The following are some of the sample SKUs introduced in this release:
•IPS-SVC-GLD-1000U-1YR
•IPS-SVC-GLD-1000U-3YR
•IPS-SVC-GLD-1000U-5YR
•IPS-PROFILER-LG-3YR
The features listed in https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44747 are not supported with the 22.1 GW release. In addition, Pulse Collaboration, HOB Java RDP, Basic HTML5 and Pulse One are not supported in the 22.1 Gateway.