What's New
•Configurable MTU size for gateways: Tenant admin can now define MTU size for ZTA gateways depending on their requirements and underlying network infrastructure.
For details, see:
•Adding a VMware vSphere Gateway
•Password Strengthening for Local Authentication Server: The local authentication server has stronger password restrictions. For details, see Workflow: Creating a Local Authentication Policy.
•Renewed ZTA IDP metadata in release 22.7R1: To ensure continued compatibility, download the renewed ZTA IDP metadata from the ZTA tenant application configuration page and subsequently apply the updated information to the SaaS SAML SSO configurations.
•Integrating NMDM with ZTA: Ivanti Neurons for MDM provides compliance check and simplified onboarding experience for nZTA end users connecting via mobile. For details, see. For details see Integrating Ivanti Neurons for MDM with nZTA.
•Hardened custom sign-in policies and login URLs: As part of hardening custom sign-in policies and login URLs, the following changes are implemented:
•Instead of requiring administrators to configure enrollment policies, administrators will only need to configure user policies. As a default, all configured user policies support enrollment.
•Single SAML authentication server for user authentication and enrollment.
For details, see:
•Workflow: Creating a SAML Authentication Policy With Azure AD
•Workflow: Creating an Authentication Policy for On-Premises ICS SAML
•Workflow: Creating a SAML Authentication Policy for Okta
•Workflow: Creating a SAML Authentication Policy for Ping Identity
•Oracle Cloud Platform support for ZTA Gateway: ZTA Gateway now supports deployment on Oralce Cloud Platform. For details see Workflow: Creating a Gateway in Oracle Cloud Platform.
•Launching the Windows Edge/Webview2 browser: In a typical enrollment, upon successful authentication to the Controller, Ivanti Secure Access Client automatically shows the end-user portal applications page through a Windows Edge/Webview2 browser. This feature is supported with ISAC client version 22.6R1. For details. see Enrolling a Windows Device.
•Reusable custom icon to associate with application: The create application page provides an option to upload your own icon, which can be used to associate with more than one application. For details. see Adding Applications to the Controller.
•Enhancements to L4, Gateway Logs, and Logs Tables:
The following list shows the enhancements to L4, Gateway Logs, and Logs Tables.
•Column resizing across ZTA pages
•Cell content copy text from Table
•Pagination across ZTA pages
•Minimum number of columns in all the tables in L4 dashboards
•Enhancement to Advanced Filter
For details. see Viewing Detailed Logs for a Chart and Filtering the Logs.
•Simplifying device rules and policies, and global device preferences: Admin experience is enhanced by simplifying the device rules and policies For details, see Creating Device Policies, Setting Global Device Preferences.
Suppress EUP Auto Launch: Allows Admin to suppress the auto launch of the End User portal. This option is enabled by default and works with ISAC 22.5R1 and later. For details, see Setting Global Device Preferences.
•Admin Access Control based on location, Host Checker, and Network: Checks the Admin's device geographic location/network/host checker compliance for admin sign-in policy before providing access to admin login. For details, see Configuring Default Device Policy for Users.
•Enhancements to Non Compliance and Anomalies L4 Drill Down logs:
•The Anomalies L4 table now includes MAC Address and Source IP Address columns.
•The Non-compliances L4 table now includes Acknowledged, Non-compliant Policy Type, Non-compliance Policy reason, MAC Address and Source IP Address columns.
•For details, see Using the Active Anomaly and Non-Compliance Charts.
•Log export options to the admin from Gateway and L4 (drill down view) logs: In any of the L4 pages, export the displayed log as a CSV or JSON text file, or create schedules to set up log export jobs. For details, see Viewing Detailed Logs for a Chart.
•Exporting logs from L4 (drill down view) logs and Gateway logs. For details see Exporting logs.
•Gateway Creation Config UI Simplification: Create ZTA Gateway and Create ZTA Gateway Group are grouped under Create. For details, see Adding a vSphere Gateway.
•Acknowledge non-compliance in the non-compliance info panel on the Landing page: Acknowledge individual non-compliances and remove them from the active total. Filter on acknowledged, unacknowledged (active), or all non-compliances. For details, see Using the Summary Ribbon.
•Role Based Access Control for Admin Users: With Role-based access control (RBAC), organizations can easily add admins and assign them specific roles, with differing levels of access to the nSA Admin Portal. In addition to an existing set of default roles, Administrators can now create custom granular roles for specific functions within the nSA admin portal. For details, see Role-based Access Control for Admin Users
•HTTP Proxy Support: Support Proxy configuration in gateway to connect to ZTA.
For details, see:
•Applications and Application Groups UI change: Group together multiple applications for which a single secure access policy is required. Adding Applications to the Controller and Adding Application Groups to the Controller.
•ZTA Gateway Connection Control for Trusted Networks: ZTA Gateway can sometimes be bypassed so that users can connect directly to specific applications. For example, you might want users to bypass ZTA for a specific application if they are connected directly to your trusted corporate network. ZTA gateway tunnel creation will be bypassed on the endpoint since resource access will go through the physical interface.
For details, see Configuring a Default Gateway for Application Discovery.
•Gateway Re-registration: ZTA Gateway can now be re-registered in case if the Gateway Registration was not successful and can edit gateway configuration parameters. On registration failures, admin can trigger the registration manually along with the current debugging options such as networking tools, reboot etc. You can also regenerate and download the gateway init config from the controller admin interface as when required. The Admin can also use Registration error report, which provides insight about the registration failure and suggest solutions to overcome it.
For details, see Re-registering a VMware vSphere Gateway, Re-registering an Amazon Web Services Gateway and Re-registering a GCP Gateway.
Limitations : Azure and KVM does not allow the user to update configuration after the gateway is deployed. So, if any config update is needed in Azure or KVM gateways (ZTA) ,we need to redeploy the ZTA gateway.
•Location/Network rule support in default device policy: Location/Network policy based enforcement can be applied for any user policy. For details, see Options for Location Rules and Options for Network Rules.
•Management port support on ZTA Gateway: With this feature, ZTA Gateway can use management interface to communicate with controller and NTP Server.
•Optimal Gateway Selection (OGS)
•End User UX Improvements
•Simplified Configuration Users and Secure Access Policy configurations
•Actionable Insights: Step up Authentication, Subsequent login and Chart Visibility
•Device Risk Assessment: RiskSense integration, Default Device Policy
•Application Visibility Improvements: Secure Access Policy for discovered applications
•Lookout SWG/CASB Forward Proxy integration
•External Browser support
•Minimum Client Version
•Lock Down mode support
•PSAL with Browser Extension
Noteworthy Changes: 22.6R1
•Default ESAP version is 4.1.6 or the manually selected previous version will be retained. The newer version of ESAP must be manually enabled from the ZTA controller. In case of any config error after selecting the new version, the admin must delete any unsupported versions (See the Admin logs for any unsupported versions). For more information, see https://forums.ivanti.com/s/article/ESAP-Package-Selection-Behaviour-Changes-Starting-from-ZTA-22-6R1-Release
•ESAP Version 3.9.3 is deprecated in this release. If the deprecated version is previously selected it will be upgraded with ESAP version 4.1.6.
•Default ISAC version is 22.5R1 (25375) or the manually selected previous version will be retained. The newer version of ISAC must be manually enabled from the ZTA controller. For more information, see https://forums.ivanti.com/s/article/Ivanti-Secure-Access-Client-ISAC-Behaviour-Changes-Starting-from-ZTA-22-6R1-Tenant-Release
•ISAC Client 22.3R1 18209 is deprecated in this release. If the deprecated version is previously selected it will be upgraded with ISAC version 22.5R1 (25375).
Noteworthy Changes: 22.5R1
UI changes in Application Create/Edit page:
•Admin can choose to continue creating another application in Create page.
•Admin can change the name of an existing application in Edit page.
Noteworthy Changes in 22.4R3
•App configuration supports configuring subnets and ports. For example, 192.168.1.0/24:443.
For a list of the issues resolved in this release, see the information that follows.
Important Notice for v22.1R1 and Later
Release 22.1R1 includes updates to address the OpenSSL vulnerability described in CVE-2022-0778. Ivanti recommends upgrading your Gateways and Clients to the Recommended Version listed in this document at your earliest convenience.
Limitations
The following limitations apply to this release:
-
nslookup is not supported on Windows and Mac OS.
-
RBAC: If the tenant has both nSA and ZTA gateway, setting any common permissions while creating an Custom RBAC Admin Role applies to both nSA and ZTA gateway. For example, if custom admin role has modify permission for ZTA gateway then the same applies to nSA gateway also.
- Okta and PingID SAML authentication methods are supported for MacOS and Windows variants only.
- Each application can only be accessed with ping/SSH using the addressing method specified when registering it. That is, if you registered the application using an FQDN, you cannot access it using an IP address.
- PZT-24825: Tenants wanting to use their own Public Key
Infrastructure with device certificates (known in this document as BYOC
- Bring Your Own Certificate), the following limitations apply:
For existing tenants, to convert from a non-BYOC tenant to a BYOC tenant is not supported. This is supported only for newly-created tenants.
After tenant creation, the admin must configure the tenant as BYOC before registering a gateway or enrolling an end-user device.
For existing tenants, to convert from a BYOC tenant to a non-BYOC tenant is not supported as the tenant needs at least one customer CA.
If all customer CAs are removed after gateways or devices have been enrolled, those existing gateways and devices will not function properly.
A CA is not permitted to be used by more than one BYOC tenant.
Upgrading Ivanti Secure Access Client Windows Variants to Version 21.6 or Later
Ivanti is aware that Windows-based desktop devices that have Ivanti Secure Access Client installed from a previous nSA release (9.1R11 and earlier) can fail during upgrade to the version applicable to nSA release 21.6 or later. This is due to a certificate expiry issue in the client.
To remedy this situation, please refer to the instructions and helper files contained at:
https://pulsezta.blob.core.windows.net/client/21.6/Pulse_Client_Upgrade_Helper.zip
Administrators using Microsoft Intune for MDM services should instead refer to this document:
https://pulsezta.blob.core.windows.net/client/21.6/Intune_Pulse_client_Upgrade.docx