Ivanti Connect Secure Gateway Deployment
The following sections describe the new parameters that are added for the deployment of Ivanti Connect Secure VA on VMware, Amazon Web Services cloud and Microsoft Azure cloud.
Deploying on VMware
For a detailed ICS VA deployment procedure, refer to Virtual Appliance Deployment Guide at https://www.ivanti.com/support/product-documentation.
The table below describes the new parameters added to the script file create-va.pl, which is included in your PSA-V package.
Parameter | Description |
---|---|
New Parameters | |
registrationCode | The registration code, which is generated during the ICS gateway registration on nSA. Example, KyZR6YDL8 |
registrationFQDN | The registration FQDN name, which is generated during the ICS gateway registration on nSA. Example, auto.lark.pzt.dev.perfsec.com |
enableproxy | Default is set to n. |
proxyHost | The proxy server name. |
proxyPort | The port number of the proxy server. Example, 8080 |
proxyUsername | The username of the proxy server. Example, usr |
proxyPassword | The password of the proxy server. Example, pxx124 |
registerNetworkInterface | The interface through which the gateway registers with nSA. Example, external |
Deploying on Hyper-V
For a detailed ICS on Hyper-V deployment procedure, refer to ICS Gateway Deployment on Hyper-V Platform at https://www.ivanti.com/support/product-documentation.
Deploying on KVM
For a detailed ICS on KVM deployment procedure, refer to ICS Gateway Deployment on KVM Platform at https://www.ivanti.com/support/product-documentation.
Deploying on AWS Cloud
For a detailed ICS VA on AWS Cloud deployment procedure, refer to Virtual Appliance on Amazon Web Services Deployment Guide at https://www.ivanti.com/support/product-documentation.
Ivanti Connect Secure accepts the following parameters as provisioning parameters in the XML format.
<pulse-config>
<primary-dns><value></primary-dns>
<secondary-dns><value></secondary-dns>
<wins-server><value></wins-server>
<dns-domain><value></dns-domain>
<admin-username><value></admin-username>
<admin-password><value></admin-password>
<cert-common-name><value></cert-common-name>
<cert-random-text><value></cert-random-text>
<cert-organisation><value></cert-organisation>
<config-download-url><value></config-download-url>
<config-data><value></config-data>
<auth-code-license><value></auth-code-license>
<enable-license-server><value></enable-license-server>
<accept-license-agreement><value></accept-license-agreement >
<enable-rest><value></enable-rest>
<registration-code> 1grkL2Xbr </registration-code>
<registration-fqdn>auto.toad.pzt.dev.perfsec.com</registration-fqdn>
<enable-proxy>n</enable-proxy>
<proxy-host></proxy-host>
<proxy-port></proxy-port>
<proxy-username></proxy-username>
<proxy-password></proxy-password>
<register-network-interface>external</register-network-interface>
</pulse-config>
The table below describes the new parameters that are added in the XML file.
Parameter | Type | Description |
---|---|---|
New Parameters | | |
registrationCode | string | The registration code, which is generated during the ICS gateway registration on nSA. Example, KyZR6YDL8 |
registrationFQDN | string | The registration FQDN name, which is generated during the ICS gateway registration on nSA. Example, sample.domain.com |
enableproxy | string | Default is set to n. |
proxyHost | string | The proxy server name. |
proxyPort | integer | The port number of the proxy server. Example, 8080 |
proxyUsername | string | The username of the proxy server. Example, usr |
proxyPassword | string | The password of the proxy server. Example, pxx124 |
registerNetworkInterface | string | The interface through which the gateway registers with nSA. Example, external |
Note
The XML parsing fails if the following characters are used in the strings:
" (double quote)
' (single quote)
<
>
&
System Operations
The AWS portal provides Start, Restart, Stop and Terminate operations to control the Virtual Appliance connection.
On the AWS portal, select AWS Services > Launch Instance. From the Actions menu, select Instance State.
Click Start to start a VM
Click Stop to stop the VM
Click Restart to restart the VM
Click Terminate to terminate the VM
Troubleshooting
Ivanti Connect Secure writes its boot logs to a specified storage location. You can check the storage details of the boot diagnostic logs as shown below:
Select AWS Services > Instances > Launch Instance.
From the list displayed, select Instance Settings > Get System Log.
The system logs window is displayed.
Frequently Asked Questions
FAQ1: Packets transmitted from ICS Internal Interface are getting dropped by AWS Virtual Gateway in L3 traffic.
Cause: The packets are dropped because the source IP and MAC address do not match and transit routing is not supported.
Solution: Ivanti Connect Secure must be able to SNAT these packets to the Internal interface IP which belongs to a subnet within the VPC.
To NAT endpoint tunnel IP to Internal interface IP, do the following:
Log in to Ivanti Connect Secure admin console.
Navigate to System > Network > VPN Tunneling.
Enable Source NATTING. By default, Source NATTING is disabled.
Deploying on Azure Cloud
For a detailed deployment procedure, refer to Virtual Appliance on Microsoft Azure Deployment Guide at https://www.ivanti.com/support/product-documentation.
Ivanti Connect Secure accepts the following parameters as provisioning parameters in the XML format.
"<pulse-config> <primary-dns>8.8.8.8</primary-dns> <secondary-dns>8.8.8.9</secondary-dns> <wins-server>1.1.1.1</wins-server> <dns-domain>psecure.net</dns-domain> <admin-username>admin</admin-username> <admin-password>password</admin-password> <cert-common-name>va1.psecure.net</cert-common-name> <cert-random-text>fdsfpisonvsfnms</cert-random-text> <cert-organisation>Psecure Org</cert-organisation> <config-download-url><value></config-download-url> <config-data><value></config-data> <auth-code-license><value></auth-code-license> <enable-license-server>n</enable-license-server> <accept-license-agreement>n</accept-license-agreement> <enable-rest>n</enable-rest> <registration-code> 1grkL2Xbr </registration-code> <registration-fqdn>auto.toad.pzt.dev.perfsec.com</registration-fqdn> <enable-proxy>n</enable-proxy> <proxy-host></proxy-host> <proxy-port></proxy-port> <proxy-username></proxy-username> <proxy-password></proxy-password> <register-network-interface>external</register-network-interface> </pulse-config>"
The table below describes the new parameters that are added in the XML file.
Parameter | Type | Description |
---|---|---|
New Parameters | | |
registrationCode | string | The registration code, which is generated during the ICS gateway registration on nSA. Example, KyZR6YDL8 |
registrationFQDN | string | The registration FQDN name, which is generated during the ICS gateway registration on nSA. Example, sample.domain.com |
enableproxy | string | Default is set to n. |
proxyHost | string | The proxy server name. |
proxyPort | integer | The port number of the proxy server. Example, 8080 |
proxyUsername | string | The username of the proxy server. Example, usr |
proxyPassword | string | The password of the proxy server. Example, pxx124 |
registerNetworkInterface | string | The interface through which the gateway registers with nSA. Example, external |
Note
The XML parsing fails if the following characters are used in the strings:
" (double quote)
' (single quote)
<
>
&
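A pre-deployment check for the character restriction in the Note above, which applies equally to the AWS provisioning XML earlier on this page. This is an added example, not Ivanti code: `parse_fields`, `check_config` and the sample values are constructed for illustration, and it assumes that `y` is the enabling value for `enable-proxy` and that the registration fields and, with a proxy enabled, the proxy host and port are required.

```python
import re

FORBIDDEN = set("\"'<>&")   # characters the Note says break parsing
PLACEHOLDER = "<value>"     # the page's template marker for an unset field
ELEMENT = re.compile(r"<([a-z-]+)>(.*?)</\1\s*>", re.S)
# Constructed sample input: three deliberate problems, no real credentials.
SAMPLE = """<pulse-config>
<admin-password>S3cret&Pass</admin-password>
<config-data><value></config-data>
<registration-code>EXAMPLECODE</registration-code>
<registration-fqdn>gateway.example.com</registration-fqdn>
<enable-proxy>y</enable-proxy>
<proxy-host>proxy.example.com</proxy-host>
<proxy-port>80a80</proxy-port>
<proxy-password>it's</proxy-password>
</pulse-config>"""


def parse_fields(text):
    """Regex read of <pulse-config>; a strict XML parser would reject the
    very inputs (and the <value> placeholders) this check has to inspect."""
    body = re.search(r"<pulse-config>(.*)</pulse-config>", text, re.S)
    if body is None:
        raise ValueError("no <pulse-config> element found")
    pairs = ELEMENT.findall(body.group(1))
    return {t: ("" if v.strip() == PLACEHOLDER else v.strip()) for t, v in pairs}


def check_config(text):
    """Return findings by element name; values are never echoed (some are secrets)."""
    fields, findings = parse_fields(text), []
    for tag, value in fields.items():
        bad = sorted(FORBIDDEN & set(value))
        if bad:
            findings.append(f"{tag}: forbidden character(s) {' '.join(bad)}")
    for tag in ("registration-code", "registration-fqdn"):  # assumed required
        if not fields.get(tag):
            findings.append(f"{tag}: missing")
    proxy = fields.get("enable-proxy") or "n"   # page: default is n
    if proxy not in ("y", "n"):                 # "y" is an assumed value
        findings.append("enable-proxy: expected y or n")
    if proxy == "y":
        if not fields.get("proxy-host"):
            findings.append("proxy-host: required when enable-proxy is y")
        port = fields.get("proxy-port", "")
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            findings.append("proxy-port: expected integer 1-65535")
    return findings

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)))
```

Running the check before the XML is handed to the cloud provisioning step catches a password or proxy credential containing one of the five characters while it can still be changed.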
System Operations
The Azure VA portal provides Start, Restart and Stop operations to control the Virtual Appliance connection.
On the Azure portal top menu bar:
Click Start to start a VM
Click Stop to stop the VM
Click Restart to restart the VM
The corresponding CLI commands are:
Start a VM
az vm start --resource-group myResourceGroup --name myVM
Stop a VM
az vm stop --resource-group myResourceGroup --name myVM
Restart a VM
az vm restart --resource-group myResourceGroup --name myVM
Deploying on Google Cloud Platform
For a detailed ICS on GCP deployment procedure, refer to ICS Gateway Deployment on Google Cloud Platform at https://www.ivanti.com/support/product-documentation.