Endpoint Security Assessment Plug-In (ESAP)

The Endpoint Security Assessment Plug-in (ESAP) is a plug-in in Ivanti Policy Secure using which you can upload the latest SDK from Opswat independently.

Ivanti frequently adds enhancements, bug fixes, and support for new third-party applications to the plug-in. New plug-in releases are available independently and more frequently than new releases of the system software package. If necessary, you can upgrade the plug-in independently of a system upgrade.

You can upload up to four versions of the plug-in, but the system uses only one version at a time (called the active version). If necessary, you can rollback to a previously active version of the plug-in.

If the endpoints in your deployment connect to multiple servers simultaneously, all of those connected servers must use the same version of the ESAP plug-in.

Upgrading the ESAP

  1. To upgrade the ESAP plug-in:
    • Download the Endpoint Security Assessment Plug-in from the Ivanti Support Portal.
    • To access the Customer Support Center, enter a username and password for a Ivanti Support Center account.
    • Click the ESAP Download Page link.
    • Navigate to the ESAP release you want.
    • Download the plug-in zip file to your computer.
  2. Select Authentication > Endpoint Security > Host Checker.
  3. On the Host Checker page, under Manage Endpoint Security Assessment Plug-In Versions:
    • If you want Ivanti Policy Secure to actively begin using the new component software immediately after you upload it, select the Set as active after upload option.
    • Click Browse, select the plug-in file to upload and click OK.
    • Click Upload. After the plug-in is installed, the date and time of the plug-in installation is displayed in the plug-in list.
    • If you did not select the Set as active after upload option, activate the plug-in to use by selecting the version in the plug-in, list and click Activate.

- You can rollback to an older plug-in version after you upgrade to a later version by selecting the older version as the active version.
- If you upgrade the system software to a newer version, or if you import a user configuration file, active plug-in version can change based on the supportability of ESAP version. If you want to use a different plug-in version after you upgrade or importing a user configuration file, you must manually activate that plug-in version.

OPSWAT SDK V3 to V4 Migration

Ivanti supports Opswat version 3 and version 4 for endpoint compliance evaluation. The migration option helps the administrators to migrate their servers and clients with Opswat v4 to take advantage of latest updates.

Software Support- Starting with Release 9.1R2 and later releases.

OS support: Windows 7 and later releases and macOS 10.12 and later releases

Prerequisites - ESAP 3.4.2 is the minimum version. A warning message is displayed if the minimum version is not present.

Procedure to migrate from Opswat V3 to V4

To migrate follow the below procedure:

  1. Navigate to “Manage Endpoint Security Assessment PlugIn Versions” section on Authentication > Endpoint Security > Host Checker page.
  2. Enable the option for Enable migration of Opswat SDK from old to new version (V3 to V4).
  3. On enabling this option, the clients start downloading the V4 SDK and migrate to newer SDK.

  4. Uncheck/Disable Enable migration of OPSWAT SDK from old to new version (V3 to V4) option once the migration is complete. Verify the migration status.
  5. A confirmation message display. Click Confirm

    Post migration, Admin can remap the configured products in the policies to map to the newer SDK using the post migration window.

    For example, in the below screenshot the Product /Vendor Name for the policy has been changed from Microsoft Corp. to Microsoft Corporation for successful migration.

  6. Enable Backup User Configuration and XML containing Host Checker, Realms and Role details for performing configuration backup. This option helps to revert to the previous version of Ivanti Policy Secure/Ivanti Connect Secure configuration, if required.
  7. Click Confirm.

Compliance Report

The Compliance Report displays the compliance details of the users connected to the server. The report also includes the Opswat SDK Version used for these connections. Opswat SDK Version is used to filter the users using a specific Opswat SDK version.

The compliance report page displays the Opswat SDK version details only when "Enable migration of OPSWAT SDK from old to new version (V3 to V4)" option is enabled.

To check the SDK version for each connection, view the report under System > Reports > Compliance Report.

Roll back procedure

To roll back to previous version of Opswat SDK:

  1. Navigate to “Manage Endpoint Security Assessment PlugIn Versions” section on Authentication > Endpoint Security > Host Checker page.
  2. Uncheck Enable migration of Opswat SDK from old to new version (V3 to V4).
  3. Enable Activate Older Opswat SDK in ESAP for Host Checker policy evaluation.
  4. Click Save ESAP changes.

End User Flow

User logging in from browser or User logging in from Ivanti Secure Access Client for L3 connection

  • Client machine has Opswat V3 SDK installed.
  • Host Check starts on the client machine as part of connection establishment.
  • Server sends the required information to client for upgrading V3 to V4 SDK.
  • Client downloads V4 SDK and collects the installed security products details using newly installed V4 SDK and sends the detected product details to server.
  • Server evaluates configured Opswat based rules by consuming the details received from client machine.
  • Host Checker continues to use the installed V4 SDK on client machine for subsequent host checks and connections.

User logging in from Ivanti Secure Access Client for L2 connections

  • Client machine has Opswat V3 SDK installed.
  • Host Check starts on the client machine as part of connection establishment.
  • Server sends the required information to client for upgrading V3 to V4 SDK.
  • During L2 connection, client fails to download V4 SDK.
  • Host Checker collects the installed security products details using existing V3 SDK and sends the detected product details to server.
  • Server evaluates configured Opswat based rules by consuming the details received from client machine.
  • L2 connection is established followed with an L3 connection.
  • Server detects L2 followed by L3 connection attempt and remembers that ESAP upgrade is needed on the client machine.
  • Host Check is triggered again on client machine during L3 connection.
  • Server sends the required information to client for upgrading V3 to V4 SDK.
  • Client downloads V4 SDK (because L2 connection is complete already) and collects the installed security products details using newly installed V4 SDK and sends the detected product details to server.
  • Server evaluates configured Opswat based rules by consuming the details received from client machine.
  • Host Checker continues to use the installed V4 SDK on client machine for subsequent host checks and connections.

Host checking is done twice for the same client machine (once during L2 connection and once during L3 connection) for the first time. However, Host Checking is done only once for the subsequent connections as the client machines has the Opswat V4 SDK installed.

Activating the Opswat SDK Version

Beginning with Release 5.3R5, Ivanti Policy Secure supports both v3 and v4 SDKs provided by OPSWAT. The default SDK version used is v4, but it can be reconfigured based on your requirement. The product/vendor names used by v3 and v4 SDK might differ. Due to the product/vendor names mismatch, there is a possibility that the rules become empty while creating Host Checker rule with v3 SDK activated and upon enabling v4 SDK. To avoid this, a migration page is added to help the administrators in migrating the policies from v3 to v4 SDK.

To use v3 or v4 SDK:

  1. Select Authentication > Endpoint Security > Host Checker.
  2. Enable the Activate Older SDK in ESAP for Host Checker policy evaluation check box for v3 SDK.

  3. Disable the Activate Older SDK in ESAP for Host Checker policy evaluation check box for v4 SDK.

    It is recommended to disable this option for using newer version of OPSWAT SDK, after all the Ivanti Secure Access Client are upgraded to 5.2R5 or above and servers are upgraded to Ivanti Policy Secure 5.3R5 or above.

  4. Click Save ESAP Changes. A confirm Activation page appears which lists the products and/or vendors, which are no longer supported in that particular ESAP SDK version. From the drop downlist, admin can select one or many new products /vendors instead of the existing product/vendor.

    • Only the products/vendors, which get changed are listed. If some rules have some products/vendors whose names are not changed, those products/vendors will be automatically migrated and will not be listed.
    • When the ESAP version is changed from upper version to lower version and if any product is not listed in the selected ESAP version, then the backup configuration will not work.

  5. Enable Backup 'User Configuration' and 'XML containing configured Host Checker, Realms and Roles details check box to create a local backup of user configurations under Maintenance > Archiving > Local Backups.

    Server maintains a maximum of 5 backups. To capture a new backup, older backup will be automatically deleted.

  6. Click Confirm.

Changing the Active ESAP Package

Administrator can activate any of the already uploaded ESAP packages by selecting the corresponding radio button under “Manage Endpoint Security Assessment Plugin Versions” table and then clicking on “Save ESAP Changes” button.

To change the active ESAP packages:

  1. Select Authentication > Endpoint Security > Host Checker.
  2. Under Manage Endpoint Security Assessment Plugin Versions, select the required ESAP version.
  3. Click Save ESAP Changes.

If the client machine has newer ESAP package and if it has to be replaced, then select “Enable the Active ESAP package”. See Enabling the Active ESAP Package to know about the procedure.

Enabling the Active ESAP Package

Administrator can enable “Enable Active ESAP package on the client” checkbox to ensure that client machine always uses the active ESAP package, even if the active ESAP package is older than the version installed on the client system. In case client machine has newer ESAP package installed, it will be replaced with the older Active ESAP version with this option enabled.

To enable the active ESAP package:

  1. Select Authentication > Endpoint Security > Host Checker.
  2. Under Manage Endpoint Security Assessment Plugin Versions, enable Enable Active ESAP package on the client checkbox.

  3. Click Save ESAP Changes.

Updating Virus Signature Database

You can automatically import the current virus-signature version-monitoring from the Ivanti staging site at a specified interval, or you can download the files from Ivanti portal and use your own staging server. You can also configure a proxy server as a staging site between Ivanti Policy Secure and the Ivanti site. To use a proxy server, you enter the server network address, port, and authentication credentials, if applicable.

To access the Ivanti staging site for updates, you must enter the credentials for your Ivanti Support account.

For patch assessment remediation with Ivanti you can use OPSWAT (a third-party vendor) to automatically download patches from trusted sources to the endpoint.

To configure Ivanti Policy Secure to automatically import the current virus signature version-monitoring from the Ivanti staging site:

  1. Select Authentication > Endpoint Security > Host Checker.
  2. Select Virus signature version monitoring.
  3. Select Auto-update virus signatures list.
  4. For Download path, leave the existing URLs of the staging sites where the current lists are stored. The default URLs are the paths to the Ivanti staging site:
  5. For Download interval, specify how often you want Ivanti Policy Secure to automatically import the current list(s).
  6. For Username and Password, enter your Ivanti Global Support Center credentials.
  7. Click Save Changes.

To manually import the current virus signature version-monitoring lists:

  1. Select Authentication > Endpoint Security > Host Checker.
  2. Click Virus signature version monitoring.
  3. Download the list(s) from the Ivanti staging site to a network server or local drive on your computer by entering the Ivanti URLs in a browser window:
    • https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml
    • https://download.pulsesecure.net/software/hc/patchdata/patchupdate.dat
  4. Under Manually import virus signatures list, click Browse, select the list, and then click OK.
  5. Click Save Changes.

If you use your own staging site for storing the current list(s), you must upload the trusted root certificate of the CA that signed the staging’s server certificate to Ivanti Policy Secure.

To use a proxy server as the auto-update server:

  1. Select Authentication > Endpoint Security > Host Checker.
  2. Select Virus signature version monitoring.
  3. Select Auto-update virus signatures list.
  4. For Download path, leave the existing URLs of the staging sites where the current lists are stored. The default URLs are the paths to the Ivanti staging site:

    • https://download.pulsesecure.net/software/av/uac/epupdate_hist.xml

      (for auto update virus signatures list)

    • https://download.pulsesecure.net/software/hc/patchdata/patchupdate.dat

      (for auto update patch management)

  5. For Download interval, specify how often you want Ivanti Policy Secure to automatically import the current lists.
  6. For Username and Password, enter your Ivanti Global Support Center credentials.
  7. Select the Use Proxy Server check box.
  8. For IP Address, enter the IP address of your proxy server.
  9. For Port, enter the port that the Ivanti Global Support Center will use to communicate with your proxy server.
  10. If your proxy server is password protected, type the Username and Password of the proxy server.
  11. Click Save Changes.