Ivanti Secure Access Client FIPS Mode for Ivanti Connect Secure Overview

The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. government. Ivanti Secure Access Client for Windows, Mac, iOS (32-bit iOS devices only), and Android supports FIPS mode operations when communicating with Ivanti Connect Secure. Ivanti Secure Access Client for Windows and Mac supports FIPS mode operations when communicating with Ivanti Policy Secure. When the client is operating in FIPS mode, FIPS On appears in the bottom corner of the Ivanti Secure Access Client for Windows and Mac.

If the Ivanti server hardware does not support FIPS mode operations, FIPS mode configuration options are not present in the admin console interface. FIPS mode operations are supported on PSA-V Series Ivanti Gateways and some SA series appliances. The device must be running Ivanti Policy Secure R5.0 or later or Ivanti Connect Secure R8.0 or later.

You enable FIPS mode operations on the server when you configure Ivanti Secure Access Client connections. FIPS mode is enabled per connection set, and that connection set can include any or all of the following types of Ivanti Secure Access Client connections:

Policy Secure (802.1X): Ivanti Secure Access Client uses FIPS mode cryptography for authentication but it uses default Microsoft cryptography for the WEP/WPA wireless encryption.

Connect Secure or Policy Secure (L3): FIPS mode cryptography is supported.

Users cannot enable FIPS mode for connections that are created on Ivanti Secure Access Client. You must deploy connections with FIPS mode enabled using a pre-configured connection set with FIPS mode enabled or have users establish a browser session to the FIPS-enabled Ivanti Connect Secure.

Ivanti Secure Access Client in FIPS mode is not available for download from Ivanti Connect Secure or Ivanti Policy Secure. The Ivanti Secure Access Client installer for FIPS mode is available for download at the Software Download Portal.

 

The Ivanti Secure Access Client package can be uploaded to the server for end-user access. Upgrading the Ivanti Secure Access Client in FIPS mode to non-FIPS mode is not supported.

Endpoint Requirements

Ivanti Secure Access Client supports FIPS mode on Windows Vista and later Windows versions. FIPS is not supported by the Ivanti Secure Access Client for OS X.

To support client certificate private key operations, the security policy on the endpoint must have FIPS enabled. To verify that FIPS is enabled, use the Microsoft Management Console (MMC). Make sure that the Group Policy Snap-in is installed, and then navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

Scroll through the Policy list and make sure that the following policy is enabled:

“System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing”
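The same check can be scripted for more than one endpoint. The following PowerShell is an added example, not part of the Ivanti documentation. It reads the registry value that backs this security option on Windows Vista and later (Enabled under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy). The function name Get-FipsPolicyState and its output fields are assumptions made for illustration.

```powershell
# Added example: audit the "System cryptography: Use FIPS compliant algorithms..."
# policy without opening MMC. Function name and output shape are assumptions.
function Get-FipsPolicyState {
    [CmdletBinding()]
    param(
        # Endpoints to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Registry value that backs the security option on Windows Vista and later.
    $check = {
        $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
        $value = $null
        if (Test-Path -Path $path) {
            $value = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            RawValue    = $value          # $null means the value is absent
            FipsEnabled = ($value -eq 1)  # absent or 0 is treated as not enabled
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME -or $name -in 'localhost', '.') {
                & $check
            } else {
                # Requires PowerShell remoting (WinRM) to the endpoint.
                Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                    Select-Object Computer, RawValue, FipsEnabled
            }
        } catch {
            # Report unreachable endpoints instead of silently skipping them.
            Write-Warning "Could not query ${name}: $($_.Exception.Message)"
            [pscustomobject]@{ Computer = $name; RawValue = $null; FipsEnabled = $null }
        }
    }
}

# List endpoints that do not meet the FIPS prerequisite (or could not be checked).
Get-FipsPolicyState | Where-Object { $_.FipsEnabled -ne $true }
```

An endpoint that returns FipsEnabled = $null could not be queried and should be checked manually in MMC as described above.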

Configuration Overview

Ivanti Secure Access Client includes all components required for FIPS mode communications. To enable FIPS mode communications, deploy one or more connections to an Ivanti Secure Access Client that is FIPS enabled. Figure shows the check box in the Ivanti Connect Secure connection set configuration screen that enables FIPS mode operations for all connections in the connection set.

If the Ivanti server hardware does not support FIPS mode operations, FIPS mode configuration options are not present in the admin console interface. FIPS mode operations are supported on PSA-V Series Ivanti Gateways and some SA series appliances. The device must be running Ivanti Policy Secure R5.0 and later or Ivanti Connect Secure R8.0 and later.