On-Demand and Simultaneous Connection Handling
While active, Ivanti Secure Access Client maintains two connection channels for nZTA services: a control channel to the nZTA Controller and a data channel to your nZTA Gateways. For more details on networking considerations when deploying Gateways, see Working with Gateways.
The control channel connection to the nZTA Controller is activated when Ivanti Secure Access Client is started up and remains in an always-on state, silently in the background. If Ivanti Secure Access Client is able to locate a valid session cookie from an earlier session, the connection is re-established automatically. If no valid cookie is present, Ivanti Secure Access Client requests re-authentication from the user. The nZTA Controller connection is terminated when Ivanti Secure Access Client is shut down.
Ivanti Secure Access Client creates data channel connections to nZTA Gateways as an on-demand service. That is, connections to resources and applications controlled by nZTA Gateways become active only when required, and the connection is suspended after a period of inactivity. The user remains unaware of the connection state, unless re-authentication becomes necessary. As a user makes a request for a resource, Ivanti Secure Access Client transitions automatically from disconnected to connected. The connection remains in this state for the duration of the session, or until one of the following events occurs:
• An idle time-out occurs (after 5 minutes)
• The connection is actively placed in a disconnected state
• Ivanti Secure Access Client is shut down
To avoid the data channel being reconnected unnecessarily, non-nZTA DNS traffic is redirected to the device’s physical network adapter.
Applicable Ivanti Secure Access Client versions can manage simultaneous connections with the nZTA Controller, and with other Ivanti services such as Ivanti Connect Secure (ICS). While ICS connections must be activated and deactivated by the user, connections to nZTA are provided on-demand, as mentioned. Therefore, a nZTA connection in the Ivanti Secure Access Client does not provide the same Connect and Disconnect controls. Instead, nZTA connections include only a ZTA button to provide access to the nZTA Applications page. If this button is active, the connection to the Controller has been established. If the button is inactive, the connection to the Controller has not yet been established, or a communication problem has occurred. In this case, access to your applications is prevented.
When running active connections to both nZTA and ICS simultaneously, note that the following ICS features are not supported:
• Route Monitoring
• Traffic Enforcement
• Stealth Mode
• Always on VPN/LockDown
• Location awareness
• IPv6 support