What's New
Version 22.8R1.9
The following features are applicable from ICS Gateway version 22.7R2.12, 22.8R2.3, and 25.1.1.0
•Proxy Servers for PSAM Connections: ICS Gateway supports routing connections to PSAM destinations (TCP only) through proxy servers. Administrators can modify existing policies to route traffic through proxy servers, enhancing both security and scalability. For details, see Proxy Servers for PSAM Connection.
•Samsung Knox Manage: This feature enhances security by ensuring that only authorized Android devices are permitted access based on validated device identifiers. For details, see Configuring MDM Authentication Server.
•Source IP and Geo-Location access restriction: Allows administrators to configure and enable both Geo-Location and manual IP lists simultaneously. This enhancement improves ICS security by allowing customers to better restrict access from bad actors while permitting legitimate traffic. For details, see Configuring Administrator Access.
•DSIDID Enforcement for Secure VPN Authentication: DSIDID enforcement ensures secure VPN authentication by verifying both DSID and DSIDID cookies. This provides an additional layer of device and session validation, enhancing overall security. For details, see Miscellaneous Setup.
Version 22.8R1.8
This feature allows the tenant admin to take a config backup of any of the supported gateways. For more details, see Config Backup.
•Current version column is added in the Gateways list table.
•Confirmation dialog is added for manual upgrades. For more details, see Upgrading Gateways and Clusters with a New Gateway Version.
To optimize syslog server connectivity and performance, the Syslog Server configuration interface now includes a new dropdown enabling users to explicitly select the Trusted Server CA (Certificate Authority) when setting up secure connections. This enhancement complements the existing client certificate option and addresses latency issues during SSL handshakes.
Key Improvements
Targeted Server CA Selection:
Administrators can now specify which Server CA to use when configuring Syslog servers. Previously, if no Server CA was selected, the system sequentially tested all trusted CAs in the tenant during connection establishment, which increased connection times. Selecting the Server CA explicitly results in better performance and a better user experience.
Reduced Latency and Streamlined Handshakes:
Enhanced the syslog forwarding mechanism to enable real-time log delivery by directly consuming gateway log events.
Improved Security and Accuracy:
By ensuring the correct Server CA is always used, this enhancement minimizes the risk of mismatched certificates and strengthens secure logging communications.
Enhanced User Experience:
The refined UI makes syslog server setup more intuitive and efficient, speeding up configuration and accelerating message delivery.
For details, see Syslog Forwarding.
The following features are Deprecated/Changed (Applicable from 22.7R2.11, 22.8R2.2, 25.1.1.0 onwards):
•Enterprise Onboarding is disabled in Users main menu.
•Fallback to NTLMv1 authentication option is not supported.
•Hosted Java applets, OWA (2010/13/16+), Lotus iNotes 7/8/8.5, and MSRDWeb in Rewriter applications are not supported.
•IP plus Location based restrictions at realm level.
•Java Support options in Citrix/VDI/Terminal Services resource profiles are not supported.
•NTLMv1 protocol in Active Directory authentication is not supported.
•SAML 1.1 is not supported.
•SAML Artifact options in IDP and SP configurations are not supported.
•TOTP as a fallback server is supported. For details, see Configuring User Realm.
•Virtual Desktop menu is hidden.
This preview feature allows the Ivanti Neurons for Secure Access Tenant admin to use an AI interface to migrate one or more ICS configurations to ZTA gateways. For more details, see AI-based Migration of ICS Configurations to ZTA Gateways (Preview).
Version 22.8R1.7
The following features are not included in NSA 22.8R1.7:
- External ICT Scan
- Web Application Firewall (WAF) enable/disable capability
Version 22.8R1.6
This release includes scheduling, history and snapshot downloading options along with RBAC support. For more details, see Scanning with External Integrity Checker Tool.
First Login time and Last Login time details are provided in the Subscriptions > Users page. For more details, see Device to User Normalization.
•Troubleshooting with Portprobe command: Use Portprobe command to display the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) port status. For more details, see Troubleshooting TCP and UDP Port Status.
•Proof Key for Code Exchange (PKCE) Support: Enabling PKCE helps to protect against interception of the authorization code returned from the authorization endpoint. For more details, see Configuring OAuth Server.
•SFTP method of archiving servers. For more details, see Archiving Servers.
•Selection of IE as embedded browser in Client Connections is removed. For more details, see Ivanti Secure Access Client Connections.
Enhanced page controls to select the number of log records per page and to select a specific page. For more details, see Viewing Log Records.
Version 22.8R1.5
A configurable option on the ICS gateway is added to stop forwarding logs to the NSA. By default, log forwarding is enabled during registration, but it can be toggled off. When disabled, the NSA controller will not display any log or analytics data. For more details, see Completing Registration of an ICS Appliance.
Upgrading to ICS GW version 25.1.0.0 is supported only from version 22.8R2 for standalone ISA hardware appliances and ISA-V ESX virtual appliances.
Note that cluster upgrades are not supported. Additionally, upgrades from earlier versions (22.7R2.x and below) to 25.1.0.0 are not supported.
For more details, see Upgrading a Gateway and Cluster and Upgrading Gateways and Clusters with a New Gateway Version.
For ICS 25.x Gateway, a popup/tooltip message will be shown in the NSA for the following pages:
•SAML ECP Use Cases – need “ECP definition”
•Named Users model on the gateways. Applies only for Classic Named user model.
•Enterprise Onboarding, see Enterprise Onboarding.
•DMI & NetConf
•OWA 2010, OWA 2013 and All OWA versions, see Microsoft OWA Versions.
•Lotus iNotes 7 and 8, see Lotus iNotes Versions.
•Hosted Java Applet, see Hosted Java Applet.
•Java support options under Citrix and VDI profiles, see Terminal Services, Virtual Desktop.
•Resource profiles > HTML5 > Performance flags, see HTML5 Access.
•Resource profiles > WEB > MS Rdweb, see Microsoft RDWeb.
•Protocol Binding to use for SAML Response
•SAML > Artifact, see SAML Identity Provider.
•AD > NTLM V1, see Configuring Active Directory Authentication Server.
•VMWare View and Citrix Client Delivery, see Virtual Desktops Configuration
•VDI: System > Configuration > Virtual Desktops, see Virtual Desktops Configuration.
•Citrix: System > Configuration > Virtual Desktops > Disable Citrix tab, see Virtual Desktops Configuration.
•Cloud Secure
•Multicast
•Telnet client in HTML5 Resource Profile, see HTML5 Access.
•SSLv3, TLS1.0 and TLS1.1, see Inbound SSL Options, Outbound SSL Options.
•JSAM (Lotus Notes and MS Outlook), see Client Applications JSAM
•Sort option for Updated time is provided in the Subscriptions > Users page.
•Auto-delete function is now extended to machine logins.
For more details, see Device to User Normalization.
Version 22.8R1.4
•Tenant admin can now apply feature licenses (Advanced HTML5) for gateways. For more details, see Feature Licenses.
•Tenant admin can configure alerts with users Email IDs to whom the Email notification should be sent. For more details, see Managing Alerts and Notifications.
•External Integrity Check scanning tool is provided to scan the system to check for any integrity anomalies. For more details, see Scanning with External Integrity Checker Tool.
•Web Application Firewall (WAF) configuration for ICS Gateways protects web applications by filtering and monitoring HTTP traffic, preventing attacks such as SQL injection, cross-site scripting (XSS), and other web exploits. This feature is supported from ICS Gateway 22.8R2 release. For more details, see Configuring Web Application Firewall.
•Debug logs now provide Web server logs with debug severity codes for web-related events. This feature is supported from ICS Gateway 22.8R2 release. For more details, see Using the Debug Log.
•Ivanti recommends MFA for all realms. This feature is supported from ICS Gateway 22.7R2.7 release. Realms that are not configured with MFA are listed in red. For more details, see Configuring User Realm.
•Suspend tunnel on smart card removal. This feature is supported from ICS Gateway 22.7R2.8 release. For details, see Ivanti Secure Access Client Connection is Established Options.
•Specifying passwords for configuration files is mandatory. This feature is supported from ICS Gateway 22.8R2 release. For details, see Configuration File Administration, and Exporting/Importing TOTP Users.
•Limiting simultaneous connections from a single IP address to the server. This feature is supported from ICS Gateway 22.8R2 release. For details, see Miscellaneous Setup.
•When the Auto Delete process deletes a user, a corresponding "Auto Delete" message (with message ID, such as ADM65432) is created in the admin logs, thus providing visibility into how many and which licenses were deleted over a specified period. For more details, see NSA Licensing/Subscription.
•Disable/Enable functionality is provided for Admin policies. For details, see Viewing Admin Authentication Policies.
Version 22.8R1.2
NSA now provides an option to stage the package on an individual Gateway/Cluster or on multiple Gateways/Clusters, and to upgrade the Gateways manually or on a specified date and time. The Gateway stage and upgrade from NSA is supported for ICS Gateway with base version 22.7R2.8. For more details, see Upgrading Gateways and Clusters with a New Gateway Version.
NSA enables you to configure external syslog server to forward ICS Gateway logs and NSA Tenant Admin logs. This enables centralized and secure log management and enhanced visibility into the health and efficiency of the services running in your ICS Gateways, or to facilitate debugging in the event of unexpected service behavior. For details, see Using Enterprise Integration to Export Your Logs for External Analysis.
Config Sync enhancement supports synchronizing the entire configuration across multiple targets (up to 15 targets for entire configuration and 50 targets for selective configuration). This enhancement improves flexibility and scalability for managing multiple gateways or clusters. This is particularly useful for enterprises with extensive networks, as it simplifies configuration management across various systems. This feature is supported from ICS Gateway 22.7R2.8 release. For details, see Config Synchronization.
To avoid performance issues, app visibility logs are segregated from user access logs. App visibility logs are available in the debug log/snapshot for troubleshooting. This feature is supported from ICS Gateway 22.7R2.8 release. For details, see Using the Debug Log.
The maximum debug log file size for Gateways with disk space > 80 GB is increased to 1024 MB.
•The number of scheduled/on-demand reports is increased to 10.
•Summary charts of gateways, user roles, application access, anomalies, non-compliance, and user risk now display the top 100 with aggregation of more than 1 lakh (100,000) users.
•User analytics now shows a maximum of the top 30 users.
Search and Sort options are added for selective tables:
•Gateway > Users > Resource Policies
•Gateway > System > Configuration, Network, IF-MAP Federation, Log/Monitoring
•Gateway > Authentication > Signing In, Authentication Servers
Move Up and Down arrow option is disabled when Search function is applied to a table.
UI changes made for the following features:
•For Gateways with disk space > 80 GB, maximum debug log file size is increased to 1024 MB. For details, see Using the Debug Log. This change is applicable from ICS 22.7R2.6.
•VPN Tunneling Resource Policy configuration allows you to enable / disable IPv4 and IPv6 address assignments and specify IPv4 and IPv6 address ranges. For details, see VPN Tunneling Resource Policy Configuration Use Case. This change is applicable from ICS 22.7R2.3.
Version 22.8R1
Tenant Admin logs now capture all the admin activities from login to logout. For more details, see Checking Tenant Admin Logs.
Admin can now schedule config sync rule jobs to run only at a specified time or at a daily, weekly or monthly frequency. For more details, see Scheduling Config Sync Rule Job.
NSA Config Authoring can handle multiple certificates with the same serial number.
•Search and Sort options are added for tables in Gateway > Users > Roles, Realms, and Resource Profiles, and Authentication > Endpoint Security.
Version 22.7R1.6
Tenant Admin Logs page now additionally shows the audit logs generated for config change operations (create/update/delete) performed by all admins. For more details, see Checking Tenant Admin Logs.
"Duplicate Rule" option is newly added in the Config Synchronization page to clone an existing, suitable config sync rule. For more details, see Cloning a Config Sync Rule.
•"Group by" option is added in the Gateway List page to filter the list based on Gateway Type, Connection status, Version or Region.
Version 22.7R1.5
Tenant Admin Logs page is newly added to show NSA admin audit logs generated for Gateway operations such as create, delete, upgrade, reboot and rollback.
For more details, see Checking Tenant Admin Logs.
•Strengthening the XML configuration file import/export process with password authentication checks. For more details, see: Exporting an XML Configuration File
•Strengthening the TOTP server by adding password authentication checks for importing and exporting the users data file. For more details, see: Exporting/Importing TOTP Users.
"Refresh Gateway Status" option is newly added in Config Synchronization Status page for target gateways with status "Pending", "Importing" or "Timed out". For more details, see Config Synchronization.
•Alphabetical sorting (ascending / descending) is now possible in the Gateways List and the Config Synchronization pages. Use the arrow icon provided in the column header to show the alphabetically sorted list.
•"Expand all / Collapse all" functionality is added in the Gateways List page. Use the Expand all / Collapse all icon provided in the Gateways List page to expand / collapse the Clusters and Gateways lists.
Version 22.7R1.4
Column reordering is newly added in the Users L3 and L4 pages. To move a column, a user can click the header and drag to its new position.
For more details, see Ivanti Connect Secure Gateway Analytics.
Version 22.7R1.3
Drill down support for the Sankey chart is newly added on the consolidated landing page. With each chart, the View All link provides a page with detailed log records for that category. For more details, see Consolidated Landing Page.
Multinode configuration status now includes start and end timestamps and additional status information. For more details, see Config Synchronization.
All Gateways counter is newly added on ZTA and NSA specific analytics landing page. For more details, see Reviewing Your Network Activity.
The maximum length of ICS Gateway name / Cluster name is increased to 19 characters. Admin can now register the existing ICS Gateway Cluster with cluster name length up to 19 characters to NSA. For more details, see Registering Ivanti Connect Secure Gateway and Creating an ICS Cluster.
•Max log Size for Event logs: The range is 1-200 MB and the maximum size is 200 MB for Virtual Appliances. The range is 1-1024 MB and the maximum is 1 GB/1024 MB for ISA Hardware. For details, see Events to Log.
•Play Integrity check for rooting detection on Android devices: Checks whether interactions and server requests are coming from the genuine app binary running on a genuine Android device. For details, see Mobile Configuration.
Version 22.7R1.2
A new unified landing page allows tenant admin to examine the shared Analytics tables and charts for nZTA and ICS Gateways. For more details, see Consolidated Landing Page.
Improvements to the admin experience (Modernize the table view for session management and log view). Advanced filter on the page for managed users. For more details, see:
•Viewing Admin Authentication Methods
A new Sync Now page allows tenant admin to implement changes made to Admin Management and correct any configuration problems based on the alerts. For more details, see Ivanti Connect Secure Gateway Analytics.
Version 22.7R1
User experience for Administration > Admin Management is enhanced in this release. For details, see NSA Administration.
The local authentication server has stronger password restrictions. For details, see Workflow: Creating a Local Authentication Policy.
- FAV Icon: User can add/update FAV icon on Authentication > Signing Pages to change Gateway admin and end user FAV icon. For details, see Configuring Standard Sign-In Pages.
- IMEI option is removed for Microsoft Intune on Authentication > Authentication Servers > MDM server. For details, see Configuring MDM Authentication Server.
- AAA traffic is added for MDM and OAuth Server on Authentication > Authentication Servers. For details, see AAA Traffic Management.
- SAML/Web Server: New setting is added to monitor the SAML/Web server, see Configuring System Maintenance Options.
- Integrity Check: Booting Options on Integrity Check Failure is newly introduced to check integrity check failures during boot up (Disabled by default). Options are added to Reboot, rollback or continue booting if integrity check fails, see Miscellaneous Setup.
- TLSv1.3: Browser based TLSv1.3 certificate authentication using Port Redirection is now added. Also more Key Exchange Options are added for Encryption Strength. For details, see Inbound SSL Options.
- Warning is added to Config Export and Gateway Upgrade pop-up if more than one active client package exists, see Exporting a Binary System Configuration File.
- Mobile Options: IF-T/TLS NCP knob option is newly added for Mobile, see Mobile Configuration.
Version 22.6R1
Support for IPv6 L3 VPN visibility in NSA. You can view both IPv4 and IPv6 applications for L3 user sessions from the Applications overview page. For details, see Using the Applications Filter Bar.
Normalization of license seat reservation across devices and users. Single license is consumed instead of two through associating devices with users for Machine Cert Authentication and subsequent User Authentication. For details, see NSA Licensing/Subscription.
- Resource policies > VPN Tunneling > Connection Profile > DHCP Subnet - 22.x
- HTML5 Bookmark - Enable Auto Resolution Option - 22.x and 9.x
- User Roles Options - Enable Auto Resolution Option - 22.x and 9.x
- System > Configuration > SAML > New SAML > Hide PDP Option - 22.x
- Hide Authentication > Auth Servers > LDAP server > Health check - Test username, Test Password and Validate User Credential fields - 9.x
- Authentication > Auth Servers > LDAP server > Health check - Test username, Test Password and Validate User Credential fields - 22.x
- System > Configuration > Security > Miscellaneous > Relay state option - 22.x
NSA now supports configuration of Certificate Authentication server with SAML Authentication server as a secondary authentication server. For details, see Configuring Certificate Authentication Server.
The following list shows the enhancements to L4, Gateway Logs, and Logs Tables.
- Column resizing across ICS pages
- Cell content copy text from Table
- Pagination across ICS pages
- Minimum number of columns in all the tables in L4 dashboards
- Enhancement to Advanced Filter
For details, see Using the Top Active Breakdown Charts and Filtering the Logs.
Version 22.5R1
Checks the Admin's device geographic location/network/host checker compliance for admin sign-in policy before providing access to admin login. For details, see Creating Admin Policies.
While creating config sync rule, if there is any dependency mismatch, admin can review dependent configurations and select them before creating/editing rule.
For example, if a realm configuration is mapped to an Authentication server and a config sync rule is created with only the realm, the dependent configuration (Auth server) is highlighted. The realm configuration is highlighted with an i icon, and when dependencies are reviewed, the Authentication server is mentioned in the dependency tree.
Preview of changes done in source gateway before config sync. This feature is available only with Manual sync.
Preview before sync works only when one manual config sync rule is triggered.
For details, see Config Synchronization.
Version 22.4R3
With Role-based access control (RBAC), organizations can easily add admins and assign them specific roles, with differing levels of access to the NSA Admin Portal. In addition to an existing set of default roles, Administrators can now create custom granular roles for specific functions within the NSA admin portal.
For details, see Role-based Access Control for Admin Users.
Version 22.4R1
Analytics supports data visualization in Active View. Admins can see the historic data on different time windows. Admins can find all connection details for different time frames past 30 days. For details, see Using the Filter Bar.
This feature allows a user to view the config sync rule status of all target gateways. For details, see Config Synchronization.
This feature allows a user to use different login formats - Domain\username, Common Name (CN), and User Principal Name (UPN) - from different devices, but consumes only one seat for the user. For details, see NSA Licensing/Subscription.