Ivanti Connect Secure Gateway Deployment
The following sections describe the new parameters that are added for the deployment of Ivanti Connect Secure VA on VMware, Amazon Web Services cloud and Microsoft Azure cloud.
Deploying on VMware
For a detailed ICS VA deployment procedure, refer to Virtual Appliance Deployment Guide at https://www.ivanti.com/support/product-documentation.
The table below describes the new parameters that are added in the script file create-va.pl, which is included in your ISA-V package.
Parameter | Description |
---|---|
New Parameters | |
registrationCode | The registration code, which is generated during the ICS gateway registration on nSA. Example, KyZR6YDL8 |
registrationFQDN | The registration FQDN name, which is generated during the ICS gateway registration on nSA. Example, auto.lark.pzt.dev.perfsec.com |
enableproxy | Default is set to n. |
proxyHost | The proxy server name. |
proxyPort | The port number of the proxy server. Example, 8080 |
proxyUsername | The username of the proxy server. Example, usr |
proxyPassword | The password of the proxy server. Example, pxx124 |
registerNetworkInterface | The interface through which the gateway registers with nSA. Example, external |
Deploying on Hyper-V
For a detailed ICS on Hyper-V deployment procedure, refer to ICS Gateway Deployment on Hyper-V Platform at https://www.ivanti.com/support/product-documentation.
Deploying on KVM
For a detailed ICS on KVM deployment procedure, refer to ICS Gateway Deployment on KVM Platform at https://www.ivanti.com/support/product-documentation.
Deploying on AWS Cloud
For a detailed ICS VA on AWS Cloud deployment procedure, refer to Virtual Appliance on Amazon Web Services Deployment Guide at https://www.ivanti.com/support/product-documentation.
Ivanti Connect Secure accepts the following parameters as provisioning parameters in the XML format.
<pulse-config>
<primary-dns><value></primary-dns>
<secondary-dns><value></secondary-dns>
<wins-server><value></wins-server>
<dns-domain><value></dns-domain>
<admin-username><value></admin-username>
<admin-password><value></admin-password>
<cert-common-name><value></cert-common-name>
<cert-random-text><value></cert-random-text>
<cert-organisation><value></cert-organisation>
<config-download-url><value></config-download-url>
<config-data><value></config-data>
<auth-code-license><value></auth-code-license>
<enable-license-server><value></enable-license-server>
<accept-license-agreement><value></accept-license-agreement>
<enable-rest><value></enable-rest>
<registration-code> 1grkL2Xbr </registration-code>
<registration-fqdn>auto.toad.pzt.dev.perfsec.com</registration-fqdn>
<enable-proxy>n</enable-proxy>
<proxy-host></proxy-host>
<proxy-port></proxy-port>
<proxy-username></proxy-username>
<proxy-password></proxy-password>
<register-network-interface>external</register-network-interface>
</pulse-config>
The table below describes the new parameters that are added in the XML file.
Parameter | Type | Description |
---|---|---|
New Parameters | | |
registrationCode | string | The registration code, which is generated during the ICS gateway registration on nSA. Example, KyZR6YDL8 |
registrationFQDN | string | The registration FQDN name, which is generated during the ICS gateway registration on nSA. Example, sample.domain.com |
enableproxy | string | Default is set to n. |
proxyHost | string | The proxy server name. |
proxyPort | integer | The port number of the proxy server. Example, 8080 |
proxyUsername | string | The username of the proxy server. Example, usr |
proxyPassword | string | The password of the proxy server. Example, pxx124 |
registerNetworkInterface | string | The interface through which the gateway registers with nSA. Example, external |
The XML parsing fails if the following characters are used in the strings:
- """
- "‘"
- "<"
- ">"
- "&"
System Operations
The AWS portal provides Start, Restart, Stop and Terminate operations to control the Virtual Appliance connection.
On the AWS portal, select AWS Services > Launch Instance. From the Actions menu, select Instance State.
- Click Start to start a VM
- Click Stop to stop the VM
- Click Restart to restart the VM
- Click Terminate to terminate the VM
Troubleshooting
Ivanti Connect Secure writes its boot logs to a specified storage location. You can check the boot diagnostic logs as follows:
- Select AWS Services > Instances > Launch Instance.
- From the list displayed, select Instance Settings > Get System Log.
The system logs window is displayed.
Frequently Asked Questions
FAQ1: Packets transmitted from ICS Internal Interface are getting dropped by AWS Virtual Gateway in L3 traffic.
Cause: The packets are dropped because the source IP and MAC address do not match and transit routing is not supported.
Solution: Ivanti Connect Secure must be able to SNAT these packets to the Internal interface IP which belongs to a subnet within the VPC.
To NAT endpoint tunnel IP to Internal interface IP, do the following:
- Log in to Ivanti Connect Secure admin console.
- Navigate to System > Network > VPN Tunneling.
- Enable Source NATTING. By default, Source NATTING is disabled.
Deploying on Azure Cloud
For a detailed deployment procedure, refer to Virtual Appliance on Microsoft Azure Deployment Guide at https://www.ivanti.com/support/product-documentation.
Ivanti Connect Secure accepts the following parameters as provisioning parameters in the XML format.
"<pulse-config> <primary-dns>8.8.8.8</primary-dns> <secondary-dns>8.8.8.9</secondary-dns> <wins-server>1.1.1.1</wins-server> <dns-domain>psecure.net</dns-domain> <admin-username>admin</admin-username> <admin-password>password</admin-password> <cert-common-name>va1.psecure.net</cert-common-name> <cert-random-text>fdsfpisonvsfnms</cert-random-text> <cert-organisation>Psecure Org</cert-organisation> <config-download-url><value></config-download-url> <config-data><value></config-data> <auth-code-license><value></auth-code-license> <enable-license-server>n</enable-license-server> <accept-license-agreement>n</accept-license-agreement> <enable-rest>n</enable-rest> <registration-code> 1grkL2Xbr </registration-code> <registration-fqdn>auto.toad.pzt.dev.perfsec.com</registration-fqdn> <enable-proxy>n</enable-proxy> <proxy-host></proxy-host> <proxy-port></proxy-port> <proxy-username></proxy-username> <proxy-password></proxy-password> <register-network-interface>external</register-network-interface> </pulse-config>"
The table below describes the new parameters that are added in the XML file.
XML File Details

Parameter | Type | Description |
---|---|---|
New Parameters | | |
registrationCode | string | The registration code, which is generated during the ICS gateway registration on nSA. Example, KyZR6YDL8 |
registrationFQDN | string | The registration FQDN name, which is generated during the ICS gateway registration on nSA. Example, sample.domain.com |
enableproxy | string | Default is set to n. |
proxyHost | string | The proxy server name. |
proxyPort | integer | The port number of the proxy server. Example, 8080 |
proxyUsername | string | The username of the proxy server. Example, usr |
proxyPassword | string | The password of the proxy server. Example, pxx124 |
registerNetworkInterface | string | The interface through which the gateway registers with nSA. Example, external |
The XML parsing fails if the following characters are used in the strings:
- """
- "‘"
- "<"
- ">"
- "&"
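The character restriction and the parameter types listed for the AWS and Azure provisioning XML can be checked before the XML is handed to the cloud platform. The following Python is an added example, not Ivanti tooling. It assumes that ASCII ' is rejected like the ‘ listed above, that y is the enabling value for enable-proxy, and that proxy-host and proxy-port are needed when the proxy is enabled; the proxy host name in the sample is constructed.

```python
# Added example: pre-flight check and rendering of the new <pulse-config> fields.
# The page lists " ‘ < > & as characters that break parsing; ASCII ' is added as an assumption.
FORBIDDEN = set("\"'\u2018<>&")

# Element names and order as in the page's XML sample (new parameters only).
NEW_FIELDS = [
    "registration-code", "registration-fqdn", "enable-proxy", "proxy-host",
    "proxy-port", "proxy-username", "proxy-password", "register-network-interface",
]

def check_params(params):
    """Return a list of problems; an empty list means the values are safe to render."""
    problems = []
    for name, value in params.items():
        if name not in NEW_FIELDS:
            problems.append(f"{name}: not one of the new parameters")
            continue
        bad = sorted(FORBIDDEN & set(str(value)))
        if bad:
            # Never echo the value itself: it may be a password or registration code.
            problems.append(f"{name}: contains forbidden character(s) {' '.join(bad)}")
    port = str(params.get("proxy-port", ""))
    if port and not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("proxy-port: must be an integer between 1 and 65535")
    # Assumption: 'y' enables the proxy (the page only shows the default 'n').
    if params.get("enable-proxy", "n") == "y":
        for required in ("proxy-host", "proxy-port"):
            if not params.get(required):
                problems.append(f"{required}: required when enable-proxy is y")
    return problems

def render_new_fields(params):
    """Render the new elements, refusing input that would make the XML parsing fail."""
    problems = check_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(f"<{n}>{params.get(n, '')}</{n}>" for n in NEW_FIELDS)

# Constructed sample; values reuse the examples given in the tables on this page.
SAMPLE = {
    "registration-code": "KyZR6YDL8", "registration-fqdn": "sample.domain.com",
    "enable-proxy": "y", "proxy-host": "proxy.example.internal", "proxy-port": "8080",
    "proxy-username": "usr", "proxy-password": "pxx124",
    "register-network-interface": "external",
}

if __name__ == "__main__":
    print(render_new_fields(SAMPLE))
    print(check_params({**SAMPLE, "proxy-password": "p&ss<1>", "proxy-port": "80a"}))
```

Because the forbidden characters include &, entity escaping such as &amp;amp; is not an option here; a value that contains one of them has to be changed, not escaped.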
System Operations
The Azure VA portal provides Start, Restart and Stop operations to control the Virtual Appliance connection.
On the Azure portal top menu bar:
- Click Start to start a VM
- Click Stop to stop the VM
- Click Restart to restart the VM
The corresponding CLI commands are:
- Start a VM
  az vm start --resource-group myResourceGroup --name myVM
- Stop a VM
  az vm stop --resource-group myResourceGroup --name myVM
- Restart a VM
  az vm restart --resource-group myResourceGroup --name myVM
Deploying on Google Cloud Platform
For a detailed ICS on GCP deployment procedure, refer to ICS Gateway Deployment on Google Cloud Platform at https://www.ivanti.com/support/product-documentation.