Ivanti Connect Secure Gateway Management

•Introduction

•Viewing ICS Gateway/Cluster Details

• Creating an ICS Cluster

•Restarting Services

•Rebooting ICS Gateway/Cluster

•Rolling Back a Gateway/Cluster

•Upgrading a Gateway and Cluster

•Upgrading Multiple Gateways and Clusters

•Removing Ivanti Connect Secure Gateway

Introduction

An admin can manage the ICS Gateway/Cluster with the following operations:

Restart Services: Kills all processes and restarts the Gateway/Cluster. The Gateway/Cluster is available again after a few minutes. See Restarting Services.
Reboot Gateway: Reboots the Gateway. The Gateway is available again after a few minutes. See Rebooting ICS Gateway/Cluster.
Reboot Cluster: Reboots all nodes in the Cluster. See Rebooting ICS Gateway/Cluster.
Rollback to <version>: Reverts the registered Gateway virtual machine instance to the specified version. See Rolling Back a Gateway/Cluster.
Rollback Cluster: Reverts the cluster instance to the previous version. See Rolling Back a Gateway/Cluster.
Upgrade to <version>: Upgrades the registered Gateway virtual machine instance to the specified version. See Upgrading a Gateway and Cluster
Upgrade to <version> Cluster: Upgrades all the nodes in the Cluster to the specified version. See Upgrading a Gateway and Cluster.
Delete Gateway: Removes the Gateway record. See Removing Ivanti Connect Secure Gateway.
Configure Integrity Scanner: Scans the system periodically to check for any integrity anomalies.
Upgrade multiple Gateways/Clusters to new version: Upgrades multiple Gateways/Clusters to the specified version. See Upgrading Multiple Gateways and Clusters.

The available menu options vary depending on whether the selected Gateway is registered and connected to the nSA.

Viewing ICS Gateway/Cluster Details

To view the list of ICS Gateways and Clusters:

Log in to the Ivanti Neurons for Secure Access portal as a Tenant Admin. See Logging in to Ivanti Neurons for Secure Access.
Use the Gateway Switcher and select Ivanti Connect Secure.
From the Ivanti Connect Secure menu, click the Gateways icon, then select Gateways > Gateways List.

The Gateways List page is displayed showing a list of standalone ICS Gateways and Cluster nodes.

The Gateway management functions can be performed only if the status of the Gateway is green.

To view the details of a specific Gateway:

In the All Gateways page, double-click the required Gateway from the Standalone Gateways list.

The Gateway Overview page is displayed showing the Gateway Status, Version, Registration State, and last Updated time.
Click the context menu icon present at the top-right of the page to access the options applicable to the selected Gateway.

To view the details of an Active-Active Cluster:

In the Gateways List page, double-click the Active-Active Cluster from the list.

The Gateway Overview page is displayed showing the Model, Cluster Name and Configuration of the Cluster.
Click the context menu icon present at the top-right of the page to access the options applicable to the selected Cluster.

To view the details of an Active-Passive Cluster:

In the Gateways List page, double-click Active-Passive Cluster from the list.

The Gateway Overview page is displayed showing the Model, Cluster Name, Configuration, External and Internal VIP Owner, External and Internal VIP IPV4/IPV6 of the Cluster.
Click the context menu icon present at the top-right of the page to access the options applicable to the selected Cluster.

Creating an ICS Cluster

Clusters define a collection of Gateways that operate as if they were a single machine. A cluster pair is used to refer to a cluster of two units and a multiunit cluster refers to a cluster of more than two units. Once two or more units are joined in a cluster, they act as one unit.

To create an ICS Cluster:

In the Gateways List page, click the Create drop-down list.
From the Gateway types list, select ICS Cluster.
Select the ISA Model.
Select the Gateway Version.
Enter a unique Cluster Name. Maximum 19 characters, only alphanumeric and hyphens are allowed between characters.
Select a member node and click Add to add the nodes.
Enable Configuration Only Cluster to limit data transfer between cluster nodes. User and session specific limits are only enforced on the node and not across the cluster.
Click Create Cluster.

After creating a cluster from nSA, add subsequent nodes to the cluster from nSA only.

Restarting Services

To restart services:

In the Gateway Overview page, click the context menu icon at the top-right to access the options applicable to the selected Gateway or Cluster.
Select the Restart Services option.

The Gateway/Cluster is available again after a few minutes.

Rebooting ICS Gateway/Cluster

To reboot ICS Gateway:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable to the selected Gateway.
Select the Reboot Gateway option.

The Gateway is available again after a few minutes.

To reboot ICS Cluster:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable to the selected A/A or A/P Cluster.
Select the Reboot Cluster option.

The Cluster is available again after a few minutes.

Rolling Back a Gateway/Cluster

Your ICS Gateway/Cluster can be rolled back to a previously-installed version through the Tenant Admin Portal. You might want to return to an earlier version if, for example, you encounter an unforeseen issue with a newly-upgrading Gateway instance, or for testing purposes.

You can roll back to a version only where that Gateway instance has been previously upgraded through the Tenant Admin Portal, and only to the previously-installed version.

To roll back a Gateway to an earlier version:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Gateway.

If a rollback function is available for this Gateway, a corresponding link is displayed in the drop-down menu:
Select the Rollback to <version> link.

As the rollback process starts, your Gateway remains operating on the current version and continues to serve traffic. After the earlier version is reinstated, the Gateway reboots and becomes unavailable for a short time.

If the procedure is successful, the new software version is displayed in the Gateway Overview page.

To roll back a Cluster to the previous version:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Cluster.

If a rollback function is available for this Cluster, a corresponding link is displayed in the drop-down menu:
Select the Rollback Cluster link.

As the rollback process starts, your Cluster remains operating on the current version and continues to serve traffic. After the earlier version is reinstated, the Cluster reboots and becomes unavailable for a short time.

If the procedure is successful, the new software version is displayed in the Gateway Overview page.

Upgrading a Gateway and Cluster

Ivanti periodically creates and releases new software versions to address updates and issues, and to improve performance. As new version packages become available, you can trigger an upgrade for your Gateway/Cluster through the nSA to take advantage of the updates available in the new version.

To upgrade a Gateway to a higher version:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Gateway.

If the upgrade function is available for this Gateway, a corresponding link is displayed in the drop-down menu:
Select the Upgrade to <version> link.

In some cases, there might be more than one version available. Select the version you want, or contact your support representative for details.

As the upgrade process starts, your Gateway remains operating on the current version and continues to serve traffic. After the upgrade to new version, the Gateway reboots and becomes unavailable for a short time.

If the procedure is successful, the upgrade task is marked with a status of “Success” and the new software version is displayed in the Gateway Overview page.

To upgrade a Cluster to a higher version:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Cluster.

If the upgrade function is available for this Cluster, a corresponding link is displayed in the drop-down menu:
Select the Upgrade to <version> Cluster link.

In some cases, there might be more than one version available. Select the version you want, or contact your support representative for details.

As the upgrade process starts, your Cluster remains operating on the current version and continues to serve traffic. After the upgrade to new version, the Cluster reboots and becomes unavailable for a short time.

If the procedure is successful, the upgrade task is marked with a status of “Success” and the new software version is displayed in the Gateway Overview page.

Upgrading Multiple Gateways and Clusters

This feature allows you to upgrade one or more gateways and clusters in a tenant with a selected version.

Upgrading Gateways and Clusters with Ivanti Secure Access Client

To upgrade one or more Gateways and Clusters with an Ivanti Secure Access Client package newer version:

Log in to the Ivanti Neurons for Secure Access portal as a Tenant Admin. See Logging in to Ivanti Neurons for Secure Access.
Use the Gateway Switcher and select Ivanti Connect Secure.
Select Administration > Upgrade > Installation Packages.
In the Installation Packages page, select the Ivanti Secure Access Client tab.

A list of available Ivanti Secure Access Client packages appears.
Select any of the listed Ivanti Secure Access Client packages. This is the version of the Ivanti Secure Access Client software that you want users to have on their device.

As each user next logs into Ivanti Secure Access Client on their device, if their software is at a different version, Ivanti Secure Access Client provides a prompt to the user to change to the version you selected in nSA.

After the Client package download starts from nSA to ICS Gateway, any other operations in nSA, for example a Role or Realm creation and any configuration change, do not work unless the download is complete. After the successful download, config creations or modifications appear.

Upgrading Gateways and Clusters with ESAP

Downloading an ESAP Package

Download the Endpoint Security Assessment Plug-in from the Software Download Portal to your computer. You need to have the login credentials to access the portal.

1.Open the Software Download Portal page.

2.Click the Software tab.

3.Navigate to the ESAP release you want, and click the link to download the package file to accessible local storage.

Uploading the ESAP Package

To upload the ESAP package that you downloaded from Software Download Portal:

Select Administration > Upgrade > Installation Packages.
In the Installation Packages page, select the ESAP tab.
Click the Upload ESAP file box.
Browse and select the latest ESAP package that you want to upload and then click Import.

After successful upload to nSA, the ESAP package gets listed in the ESAP packages page.

You can upload only one ESAP package.

Upgrading with ESAP

To upgrade one or more Gateways and Clusters to a newer ESAP package version:

Select Administration > Upgrade > Installation Packages.
In the Installation Packages page, select the ESAP tab.
Select the required build version from the list and click Select Gateways/Clusters to Upgrade.
In the Select Gateways / Clusters for Upgrade dialog, from the Select Gateways drop-down list, select one or more Gateways.

The UI shows the applicable Gateways/Clusters running on version 21.12 and above.
From the Select Clusters drop-down list, select one or more Clusters.

The Select Gateways and Select Clusters list shows only those Gateways and Clusters that have lower versions than the selected version.
Click Upgrade. The upgrade task is scheduled, and a notification is displayed in the logs.

nSA deletes all the existing ESAP packages from the ICS Gateway after the upgrade and retains only the upgraded ESAP version.

Upgrading Gateways and Clusters with a New Gateway Version

To upgrade one or more Gateways and Clusters:

Select Administration > Upgrade > Installation Packages.
In the Installation Packages page, select the Gateways tab.

The Gateways page shows the list of installed packages of Connect Secure Gateway.
Select the required build version from the list and click Select Gateways/Clusters to Upgrade.
In the Select Gateways / Clusters for Upgrade dialog, from the Select Gateways drop-down list, select one or more Gateways.

The UI shows the applicable Gateways and Clusters running on version 21.12 and above.
From the Select Clusters drop-down list, select one or more Clusters.

The Select Gateways and Select Clusters list shows only those Gateways and Clusters that have lower versions than the selected version.
Click Upgrade. The upgrade task is scheduled, and a notification is displayed.
On the Ivanti Connect Secure menu, select Gateways > Gateways List to see the progress of the Upgrade process.

Removing Ivanti Connect Secure Gateway

To remove Ivanti Connect Secure Gateway:

In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable to the selected Gateway.
Select Delete Gateway.

The selected Gateway is removed from the list of Gateways.