Ivanti Connect Secure Gateway Management

Introduction

An admin can manage the ICS Gateway/Cluster with the following operations:

• Restart Services: Kills all processes and restarts the Gateway/Cluster. The Gateway/Cluster is available again after a few minutes. See Restarting Services.

• Reboot Gateway: Reboots the Gateway. The Gateway is available again after a few minutes. See Rebooting ICS Gateway/Cluster.

• Reboot Cluster: Reboots all nodes in the Cluster. See Rebooting ICS Gateway/Cluster.

• Rollback to <version>: Reverts the registered Gateway virtual machine instance to the specified version. See Rolling Back a Gateway/Cluster.

• Rollback Cluster: Reverts the cluster instance to the previous version. See Rolling Back a Gateway/Cluster.

• Upgrade to <version>: Upgrades the registered Gateway virtual machine instance to the specified version. See Upgrading a Gateway and Cluster

• Upgrade to <version> Cluster: Upgrades all the nodes in the Cluster to the specified version. See Upgrading a Gateway and Cluster.

• Delete Gateway: Removes the Gateway record. See Removing Ivanti Connect Secure Gateway.

• Configure Integrity Scanner: Scans the system periodically to check for any integrity anomalies.

• Upgrade multiple Gateways/Clusters to new version: Upgrades multiple Gateways/Clusters to the specified version. See Upgrading Multiple Gateways and Clusters

Note

The available menu options vary depending on whether the selected Gateway is registered and connected to the nSA.

Viewing ICS Gateway/Cluster Details

To view the list of ICS Gateways and Clusters:

1. Log in to the Ivanti Neurons for Secure Access portal as a Tenant Admin. See Logging in to Ivanti Neurons for Secure Access.

2. Use the Gateway Switcher and select Ivanti Connect Secure.

3. From the Ivanti Connect Secure menu, click the Gateways icon, then select Gateways > Gateways List.

   The All Gateways page is displayed showing a list of standalone ICS Gateways and Cluster nodes.

   

   FIGURE 144 Gateways list

   Note

   The Gateway management functions can be performed only if the status of the Gateway is green.

To view the details of a specific Gateway:

1. In the All Gateways page, double-click the required Gateway from the Standalone Gateways list.

   The Gateway Overview page is displayed showing the Gateway Status, Version, Registration State, and last Updated time.

   

   FIGURE 145 ICS Gateway Details

2. Click the context menu icon present at the top-right of the page to access the options applicable to the selected Gateway.

To view the details of an Active-Active Cluster:

1. In the All Gateways page, double-click the Active-Active Cluster from the list.

   The Gateway Overview page is displayed showing the Model, Cluster Name and Configuration of the Cluster.

   

   FIGURE 146 Active-Active Cluster Details

2. Click the context menu icon present at the top-right of the page to access the options applicable to the selected Cluster.

To view the details of an Active-Passive Cluster:

1. In the All Gateways page, double-click the Active-Passive Cluster from the list.

   The Gateway Overview page is displayed showing the Model, Cluster Name, Configuration, External and Internal VIP Owner, External and Internal VIP IPV4/IPV6 of the Cluster.

   

   FIGURE 147 Active-Passive Cluster Details

2. Click the context menu icon present at the top-right of the page to access the options applicable to the selected Cluster.

Restarting Services

To restart services:

1. In the Gateway Overview page, click the context menu icon at the top-right to access the options applicable to the selected Gateway or Cluster.

2. Select the Restart Services option.

   The Gateway/Cluster is available again after a few minutes.

Rebooting ICS Gateway/Cluster

To reboot ICS Gateway:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable to the selected Gateway.

2. Select the Reboot Gateway option.

   The Gateway is available again after a few minutes.

To reboot ICS Cluster:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable to the selected A/A or A/P Cluster.

2. Select the Reboot Cluster option.

   The Cluster is available again after a few minutes.

Rolling Back a Gateway/Cluster

Your ICS Gateway/Cluster can be rolled back to a previously-installed version through the Tenant Admin Portal. You might want to return to an earlier version if, for example, you encounter an unforeseen issue with a newly-upgrading Gateway instance, or for testing purposes.

You can roll back to a version only where that Gateway instance has been previously upgraded through the Tenant Admin Portal, and only to the previously-installed version.

To roll back a Gateway to an earlier version:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Gateway.

   If a rollback function is available for this Gateway, a corresponding link is displayed in the drop-down menu:

2. Select the Rollback to <version> link.

   As the rollback process starts, your Gateway remains operating on the current version and continues to serve traffic. After the earlier version is reinstated, the Gateway reboots and becomes unavailable for a short time.

   If the procedure is successful, the new software version is displayed in the Gateway Overview page.

To roll back a Cluster to the previous version:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Cluster.

   If a rollback function is available for this Cluster, a corresponding link is displayed in the drop-down menu:

2. Select the Rollback Cluster link.

   As the rollback process starts, your Cluster remains operating on the current version and continues to serve traffic. After the earlier version is reinstated, the Cluster reboots and becomes unavailable for a short time.

   If the procedure is successful, the new software version is displayed in the Gateway Overview page.

Upgrading a Gateway and Cluster

Ivanti periodically creates and releases new software versions to address updates and issues, and to improve performance. As new version packages become available, you can trigger an upgrade for your Gateway/Cluster through the nSA to take advantage of the updates available in the new version.

To upgrade a Gateway to a higher version:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Gateway.

   If the upgrade function is available for this Gateway, a corresponding link is displayed in the drop-down menu:

2. Select the Upgrade to <version> link.

   Note

   In some cases, there might be more than one version available. Select the version you want, or contact your support representative for details.

   As the upgrade process starts, your Gateway remains operating on the current version and continues to serve traffic. After the upgrade to new version, the Gateway reboots and becomes unavailable for a short time.

   If the procedure is successful, the upgrade task is marked with a status of “Success” and the new software version is displayed in the Gateway Overview page.

To upgrade a Cluster to a higher version:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable for the selected Cluster.

   If the upgrade function is available for this Cluster, a corresponding link is displayed in the drop-down menu:

2. Select the Upgrade to <version> Cluster link.

   Note

   In some cases, there might be more than one version available. Select the version you want, or contact your support representative for details.

   As the upgrade process starts, your Cluster remains operating on the current version and continues to serve traffic. After the upgrade to new version, the Cluster reboots and becomes unavailable for a short time.

   If the procedure is successful, the upgrade task is marked with a status of “Success” and the new software version is displayed in the Gateway Overview page.

Upgrading Multiple Gateways and Clusters

This feature allows you to upgrade one or more gateways and clusters in a tenant with a selected version.

Viewing the Installed Packages

To view the installed packages:

1. Log in to the Ivanti Neurons for Secure Access portal as a Tenant Admin. See Logging in to Ivanti Neurons for Secure Access.

2. Use the Gateway Switcher and select Ivanti Connect Secure.

3. Select Administration > Upgrade > Installation Packages.

   The Installation Packages page shows the list of installed packages of Secure Access client, ESAP, and Connect Secure Gateways.

FIGURE 148 Installation Packages page

Upgrading Gateways and Clusters with Ivanti Secure Access Client

To upgrade one or more Gateways and Clusters with an Ivanti Secure Access Client package newer version:

1. Select Administration > Upgrade > Installation Packages.

2. In the Installation Packages page, select the Ivanti Secure Access Client tab.

   A list of available Ivanti Secure Access Client packages appears.

   

   FIGURE 149 Ivanti Secure Access Client Packages page

3. Select any of the listed Ivanti Secure Access Client packages. This is the version of the Ivanti Secure Access Client software that you want users to have on their device.

As each user next logs into Ivanti Secure Access Client on their device, if their software is at a different version, Ivanti Secure Access Client provides a prompt to the user to change to the version you selected in nSA.

Note

After the Client package download starts from nSA to ICS Gateway, any other operations in nSA, for example a Role or Realm creation and any configuration change, do not work unless the download is complete. After the successful download, config creations or modifications appear.

Upgrading Gateways and Clusters with a New Gateway Version

To upgrade one or more Gateways and Clusters:

1. Select Administration > Upgrade > Installation Packages.

2. In the Installation Packages page, select the Gateways tab.

   The Gateways page shows the list of installed packages of Connect Secure Gateway.

3. Select the required build version from the list and click Select Gateways/Clusters to Upgrade.

4. In the Select Gateways / Clusters for Upgrade dialog, from the Select Gateways drop-down list, select one or more Gateways.

   Note

   The UI shows the applicable Gateways and Clusters running on version 21.12 and above.

5. From the Select Clusters drop-down list, select one or more Clusters.

   

   FIGURE 150 Select Multiple Gateways and Clusters - Gateway Package

   Note

   The Select Gateways and Select Clusters list shows only those Gateways and Clusters that have lower versions than the selected version.

6. Click Upgrade. The upgrade task is scheduled, and a notification is displayed.

7. On the Ivanti Connect Secure menu, select Gateways > Gateways List to see the progress of the Upgrade process.

   

   FIGURE 151 Upgrade Progress

Upgrading Gateways and Clusters with ESAP

Uploading an ESAP Package

To upload an ESAP package version:

1. Select Administration > Upgrade > Installation Packages.

2. In the Installation Packages page, select the ESAP tab.

3. Click the Upload ESAP file box.

   

   FIGURE 152 Upload ESAP file

4. Browse and select the latest ESAP package that you want to upload and then click Import.

   After successful upload to nSA, the ESAP package gets listed in the ESAP packages page.

   Note

   You can upload only one ESAP package.

Upgrading with ESAP

To upgrade one or more Gateways and Clusters to a newer ESAP package version:

1. Select Administration > Upgrade > Installation Packages.

2. In the Installation Packages page, select the ESAP tab.

3. Select the required build version from the list and click Select Gateways/Clusters to Upgrade.

4. In the Select Gateways / Clusters for Upgrade dialog, from the Select Gateways drop-down list, select one or more Gateways.

   Note

   The UI shows the applicable Gateways/Clusters running on version 21.12 and above.

5. From the Select Clusters drop-down list, select one or more Clusters.

   

   FIGURE 153 Select Multiple Gateways and Clusters - ESAP Package

   Note

   The Select Gateways and Select Clusters list shows only those Gateways and Clusters that have lower versions than the selected version.

6. Click Upgrade. The upgrade task is scheduled, and a notification is displayed in the logs.

   Note

   nSA deletes all the existing ESAP packages from the ICS Gateway after the upgrade and retains only the upgraded ESAP version.

Removing Ivanti Connect Secure Gateway

To remove Ivanti Connect Secure Gateway:

1. In the Gateway Overview page, click the context menu icon present at the top-right of the page to access the options applicable to the selected Gateway.

2. Select Delete Gateway.

   The selected Gateway is removed from the list of Gateways.

Configuring Integrity Scanner

You can configure scan the system to periodically check for any integrity anomalies. If any anomaly found, information is displayed in the dashboard.

To configure Integrity Scanner Interval:

1. Log in to the Ivanti Neurons for Secure Access portal as a Tenant Admin. See Logging in to Ivanti Neurons for Secure Access.

2. Use the Gateway Switcher and select Ivanti Connect Secure.

3. From the Ivanti Connect Secure menu, click the Gateways icon, then select Gateways > Gateways List.

   The All Gateways page is displayed showing a list of standalone ICS Gateways and Cluster nodes.

4. Select one or more gateways, click Select Configuration, and select ICT.

   

   FIGURE 154 Switch Configuration - ICT

5. Select the scanner interval.

   • Periodic Scan: Select the time interval to run the integrity scanner during run time.

     For example: Select 2 hrs to run the integrity scanner every 2 hrs.

   • Scheduled Scan: Select to run integrity scanner at a specified time every day.

     For example: When 13 hr 25 min is specified, the scanner runs at the same time every day.

     

     FIGURE 155 Integrity Scanner Interval