Ivanti my money back
Plus damages
Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team. The software biz disclosed the vulnerabilities in Ivanti Connect Secure (ICS) – the VPN server appliance previously known as Pulse Connect Secure – and its Policy Secure gateways on …
Here you have yet another bloated monstrosity, more of a proxy with lots of bureaucracy enforcement features than a traditional VPN tunnel. Of course it's based on SSL so it can "just run in any browser" and guarantees it has the maximal attack surface in accordance with the "sum of all flaws and failures" doctrine.
Or maybe get something based on Noise/WireGuard, separate your policy tools from your network transit, and deal with the easy problem of pushing an app profile in the modern era.
Or at least consider investing in security tools from a company that isn't the latest home to Goldmine. "We cater to customers who will pay through the nose to resist modernization in any form" isn't a bad marketing plan, but it's also a terrible vision statement for a security product.
Call me crazy if you wish, but I want my VPN to be thin, light, and tough to crack. Let a box on the far end handle orchestration and routing separately to get to the zero trust goals. Nothing wrong with tackling a problem with a solution stack where each tool only does what it's good at. In this case the host box, located inside the client's security perimeter, is serving an SSL based website to the world to allow its clients to connect. Then there's the claim that it doesn't need to be deployed in a DMZ, advice that will cause extra pain for organizations that listened to the marketing puffery.
https://help.ivanti.com//ps/help/en_US/ICS/22.x/22.6R2/22.xICSAG.pdf
This is being handled very poorly by Ivanti. No sign of any patched OS versions, despite a number being meant to have been released this week. They are advising people to upgrade from older point versions to the latest release train, but aren't planning on releasing the patched version of the latest release train until the second wave of patches is released. Arse meet elbow.