Ivanti Secure Access Client FIPS Mode Overview for Ivanti Policy Secure

The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. government. Ivanti Secure Access Client for Windows, Mac, and Linux supports FIPS mode operations when communicating with Ivanti Connect Secure, and Ivanti Secure Access Client for Windows and Mac supports FIPS mode operations when communicating with Ivanti Policy Secure. When the client is operating in FIPS mode, "FIPS On" appears in the bottom corner of Ivanti Secure Access Client for Windows and Mac.

You enable FIPS mode operations for Ivanti Secure Access Client for Windows when you configure Ivanti Secure Access Client connections on the server. You enable FIPS mode operations for a connection set. That connection set can include any or all of the four types of Ivanti Secure Access Client connections:

UAC (802.1X): Ivanti Secure Access Client uses FIPS mode cryptography for authentication, but it uses default Microsoft cryptography for the WEP/WPA wireless encryption.

Connect Secure or Policy Secure (L3): FIPS mode cryptography is supported.

SRX: FIPS mode cryptography is not supported.

Users cannot enable FIPS mode for connections that are created on the client. You must either deploy connections by using a pre-configured connection set that has FIPS mode enabled, or have users establish a browser session to the FIPS-enabled Ivanti server.

Windows Endpoint Requirements

Ivanti Secure Access Client supports FIPS mode on Windows 8.1 and later Windows versions, and on Ivanti Secure Access Client for iOS and Android for communications with Ivanti Connect Secure. FIPS is not supported by Ivanti Secure Access Client for Apple OS X.

To support client certificate private key operations on Windows, the security policy on the Windows endpoint must have FIPS enabled. To verify that FIPS is enabled, use the Microsoft Management Console (MMC). Make sure that the Group Policy Snap-in is installed, and then open the following item:

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Scroll through the Policy list and make sure that the following policy is enabled:

"System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing"
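The same check can be scripted for auditing many endpoints. The following is an added example, not part of the Ivanti documentation. The function name Get-FipsPolicyState is hypothetical, and the script assumes the security option is stored as the DWORD value Enabled under the Lsa\FipsAlgorithmPolicy registry key and that PowerShell remoting is available for remote hosts.

```powershell
# Added example: scripted equivalent of the MMC check described above.
# Assumption: the "System cryptography: Use FIPS compliant algorithms..."
# option is stored as the DWORD value "Enabled" under this key.
function Get-FipsPolicyState {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Runs on each endpoint and reports the raw value plus a boolean verdict.
    $check = {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
        $raw  = $null
        try {
            $raw = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction Stop).Enabled
        } catch {
            # Key or value missing: reported as not enabled.
        }
        [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            RegistryValue = $raw
            FipsEnabled   = ($raw -eq 1)
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $check
        } else {
            try {
                Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                    Select-Object ComputerName, RegistryValue, FipsEnabled
            } catch {
                # Unreachable host: FipsEnabled stays $null so it is not
                # mistaken for a compliant or non-compliant endpoint.
                [pscustomobject]@{
                    ComputerName  = $name
                    RegistryValue = $null
                    FipsEnabled   = $null
                }
            }
        }
    }
}

Get-FipsPolicyState | Format-Table -AutoSize
```

Endpoints that report FipsEnabled as False or empty need the policy enabled before client certificate private key operations will work in FIPS mode.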

Configuration Overview

Ivanti Secure Access Client includes all components required for FIPS mode communications. You enable the Ivanti server for FIPS mode operations as part of the System SSL Options (System > Configuration > Security > SSL Options). To enable FIPS mode communications for Ivanti Secure Access Client for Windows, deploy one or more FIPS-enabled Ivanti Secure Access Client connections to the client. Figure shows the check box in the Ivanti Secure Access Client connection set configuration screen that enables FIPS mode operations for all connections in the connection set.

If the Ivanti server hardware does not support FIPS mode operations, FIPS mode configuration options are not present in the admin console interface. FIPS mode operations are supported on PSA-V Series Ivanti Gateways and some SA series appliances. The device must be running Ivanti Policy Secure R5.0 or later or Ivanti Connect Secure R8.0 or later.