What's New

Admin Experience Enhancements: To enhance the administrative experience, there have been improvements in the form of table modernization for both Admin Management and Session Management. For details, see nSA Administration.

Password Strengthening for Local Authentication Server: The local authentication server has stronger password restrictions. For details, see Workflow: Creating a Local Authentication Policy.

IPv6 L3 VPN Application Visibility (Supported only for 22.x ICS Gateway): Support for IPV6 L3 VPN visibility in nSA. You can view both IPv4 and IPv6 applications for L3 user sessions from the Applications overview page. For details, see Using the Applications Filter Bar.

nSA Named User License Normalization (Supported only for 22.6R2 ICS Gateway with 22.6R1 ISAC Client and later versions): Normalization of license seat reservation across devices and users. Single license is consumed instead of two through associating devices with users for Machine Cert Authentication and subsequent User Authentication. For details, see nSA Licensing/Subscription.

Licensing Enhancements for named user licenses (UAL): Support added to perform out of band license checks. The subscription page in nSA tenant admin portal will be updated with few minutes of delay from the new user login.

nSA Feature parity with 22.6R2 ICS gateway

Resource policies > VPN Tunnelling > Connection Profile > DHCP Subnet - 22.x

HTML5 Bookmark - Enable Auto Resolution Option - 22.x and 9.x

User Roles Options - Enable Auto Resolution Option - 22.x and 9.x

System > Configuration > SAML > New SAML > Hide PDP Option - 22.x

Hide Authentication > Auth Servers > LDAP server > Health check - Test username, Test Password and Validate User Credential fields - 9.x

Authentication > Auth Servers > LDAP server > Health check - Test username, Test Password and Validate User Credential fields - 22.x

System > Configuration > Security > Miscellaneous > Relay state option - 22.x

Support SAML Authentication server as a secondary authentication server when configuring Certificate Authentication server (Supported only for 22.x ICS Gateway): nSA now supports configuration of Certification Authentication server with SAML Authentication server as a secondary authentication server. For details, see Configuring Certificate Authentication Server.

Admin experience enhancements to L4, Gateway Logs, and Logs Tables in terms of selection and resizing, pagination, and text copy/paste

The following list shows the enhancements to L4, Gateway Logs, and Logs Tables.

Column resizing across ICS pages

Cell content copy text from Table

Pagination across ICS pages

Minimum number of columns in all the tables in L4 dashboards

Enhancement to Advanced Filter

For details, see Using the Top Active Breakdown Charts and Filtering the Logs.

Auto Selecting Dependent Configurations as part of Config Sync: While creating config sync rule, if there is any dependency mismatch, admin can review dependent configurations and select them before creating/editing rule. For details, see Config Synchronization.

For example, If realm configuration is mapped to Authentication server and if config sync rule is created with only realm. The dependent configuration is highlighted (Auth server). Realm configuration is highlighted with i icon and when dependencies are reviewed, Authentication server is mentioned in the dependency tree.

Preview of changes done in source gateway before config sync. This feature is available only with Manual sync.

Preview before sync will work only when one manual config sync rule is triggered.

22.5R2 ICS configuration parity in nSA.

Admin Access Control based on location, Host Checker, and Network: Checks the Admin's device geographic location/network/host checker compliance for admin sign-in policy before providing access to admin login. For details, see Creating Admin Policies.

nSA Licensing Enhancements: When nSA licensing is enabled on Gateway, and if there is connectivity issue between gateway and controller, grace period of 24 hours is applied for new user logins up to platform limit.

Role Based Access Control for Admin Users: With Role-based access control (RBAC), organizations can easily add admins and assign them specific roles, with differing levels of access to the nSA Admin Portal. In addition to an existing set of default roles, Administrators can now create custom granular roles for specific functions within the nSA admin portal. For details, see Role-based Access Control for Admin Users

Analytics: Historical View: Analytics supports data visualization in Active View. Admin can see the historic data on different time windows. Admin's can find all connections details for different time frames past 30 days. For details, see Using the Filter Bar

Config Sync Rule Status: This feature allows a user to view the config sync rule status of all target gateways. For details, see Config Synchronization.

nSA named user licensing normalization: This feature allows a user to use different login formats - Domain\username, Common Name (CN), and User Principal Name (UPN) - from different devices, but consumes only one seat for the user. For details, see nSA Licensing/Subscription.

Configuring ZTA Policy to an ICS Application: Administrators can now configure ICS application with ZTA secure access policy from the nSA-ICS Applications page.

nSA Named User Licensing - Freeing named user licenses automatically: Users who have not logged in to the ICS Gateway for the last 30 days can be deleted automatically from the Users list.

Addition of a new alert "Config Sync Target Cluster Deleted": This alert is generated when the Target Cluster, which is in any of the Config Sync rule gets deleted.

Configuration template functionality is consolidated into Configuration sync feature.

Actionable Insights: Step up Authentication, Subsequent login and Chart Visibility.

Enhanced Admin experience

Config Sync enhancements

Alerts and Notification enhancements

nSA UI parity with 9.1R16 and R17

L3 VPN App Visibility

Config Replace/reorder

Important Notice for v22.3R1 and Later

To prevent any upgrade related issues and to clean up the disk space, follow the mandatory steps listed in the KB article before staging or upgrading: KB44877.

Important Notice for v22.1R1 and Later

nSA 22.1R1 includes updates to address the OpenSSL vulnerability described in CVE-2022-0778. Ivanti recommends upgrading your Gateways to version 22.1R1 at your earliest convenience.

Caveats

The following caveats are applicable to this release:

Analytics Dashboard and Gateway logs are not synchronized with nSA when using an ICS gateway on the cloud running version 22.5R2 or above.

Gateway ESAP package version 4.1.6 is default.

Config group management works best with ESAP version 4.0.5. The ESAP version on the Gateway can be upgraded to desired version.

For uploading the ESAP package, you must have the package in ESAP<version>_Prod.pkg format.

Config Synchronization feature:

Active ESAP versions must be same on both Source and Target Gateways.

Admin Realms, Admin Sign-In URLs, Device certificates and Client Auth certificates are not supported.

During Config Synchronization, the configurations will be getting merged from Source Gateway to Target Gateway and hence the delete operation is not supported.

nSA accepts only certificates in PEM format, DER format certificates are not supported from nSA.

nSA custom validation is not supported through Configuration Templates. The UI may accept invalid configuration parameters.

Remote profiler and OAuth server are not supported through Configuration templates.

Always on VPN wizard is not supported on nSA.

Dark theme for nSA ICS admin UI is not supported.

ICS Cluster creation with IPv6 address from nSA is not supported.

Limitations

RBAC: If the tenant has both nSA and ZTA gateway, setting any common permissions while creating an Custom RBAC Admin Role applies to both nSA and ZTA gateway. For example, if custom admin role has modify permission for ZTA gateway then the same applies to nSA gateway also.

The ICS upgrade time from nSA depends on the network bandwidth and latency. If the downloading of package takes more than 4 hours then the upgrade process is marked as failed.

Cluster creation from nSA takes few minutes to create cluster and add/join members.

The time taken for Config Synchronization process from source to target Gateway depends on the configuration size.

Additional Notes

Rollback - When we rollback to previous versions of 9.1Rx (where nSA is not supported), the status in nSA shows disconnected.