Access Methods

The Ivanti Secure Access Client supports the following kinds of connections to Ivanti gateways:

Layer 3 VPN connections to Ivanti Connect Secure

Layer 2 (802.1x) and Layer 3 connections to Ivanti Secure

Per-application VPN tunneling to Ivanti Connect Secure (Windows Secure Access Manager)

There are a vast number of possible combinations of connections and configurations. For example, both Layer 2 (wired and wireless) and Layer 3 connections can be configured either with or without enforcement (Host Checker enforcement of system health and policy compliance). Although an endpoint can have only one active VPN connection to Ivanti Connect Secure, an endpoint can have multiple simultaneous Ivanti Policy Secure connections with or without a VPN connection.

The following table lists the configurations that are qualified and compatible. Any combination not mentioned in the table is not supported.

| Access Method Configuration | Description | Level of Support |
|---|---|---|
| Layer 2 Ivanti Policy Secure + Multiple Layer 3 Ivanti Policy Secure | One Ivanti Policy Secure Layer 2 connection running in parallel to multiple Ivanti Policy Secure Layer 3 connections | Qualified |

The following table lists the supported nested tunnel (tunnel-in-tunnel) configurations. The configurations are for an Ivanti Connect Secure v9.1 outer tunnel, an Ivanti Policy Secure inner tunnel, and the Ivanti Secure Access Client.

Columns 1 to 4: Ivanti Connect Secure (Outer Tunnel Config). Columns 5 and 6: Ivanti Policy Secure (Inner Tunnel Support).

| Split-Tunneling Mode | Route Precedence | Route Monitor | Traffic Enforcement | Source IP | Dynamic Source IP |
|---|---|---|---|---|---|
| Disabled | Tunnel Routes¹ | Disabled | Disabled | Supported | Supported |
| Disabled | Tunnel Routes¹ | Disabled | IPv4 Disabled and IPv6 Enabled | Supported | Supported |
| Disabled | Tunnel Routes¹ | Disabled | IPv4 Enabled and IPv6 Disabled | Supported | Supported |
| Disabled | Tunnel Routes | Enabled | Enabled or Disabled | Supported | Supported |
| Enabled | Tunnel Routes¹ | Disabled | Enabled or Disabled | Supported | Supported |
| Enabled | Tunnel Routes¹ | Enabled | Enabled or Disabled | Supported | Supported |
| Enabled or Disabled | Endpoint routes | Enabled or Disabled | Enabled or Disabled | Supported | Supported |

1. Tunnel Routes and Tunnel Routes with Local Subnet Access behave the same way.

2. Ivanti Policy Secure IP address, Infranet Enforcer IP address, and Ivanti Policy Secure VA pool IP addresses should be added to the Ivanti split-tunnelling network policy.

3. Ivanti Policy Secure IP address, Infranet Enforcer IP address, and protected resources should be added to an Ivanti split-tunnelling network policy, and Ivanti Connect Secure should have a route to the Ivanti Policy Secure protected resource.

Ivanti WSAM does not inter-operate with Ivanti Policy Secure.