SAM client that is installed from the Ivanti server.
Supports Host Checker.
Ivanti Secure Access Client R2.0
Windows Mobile (6.0, 6.1, and 6.5)
Ivanti Secure Access Client R2.0 is supported on touch-based Windows Mobile devices only.
Ivanti Secure Access Client for Windows Mobile smart phone app; available for download from ( https://support.pulsesecure.net ).
If you install Ivanti Secure Access Client R2.0 on a Windows Mobile device that already has Ivanti Secure Access Client R1.0, the installation detects the presence of the old client and removes it prior to installing the new client. It also detects and removes Host Checker. Host Checker is not supported.
If Ivanti Secure Access Client R2.0 for Windows Mobile is installed on a Windows Mobile device, the user should not use a browser to sign into a realm that has Ivanti Secure Access Client R1.0 enabled. Ivanti Secure Access Client R1.0 cannot detect if Ivanti Secure Access Client R2.0 for Windows Mobile is already installed, and so it prompts the user to install Ivanti Secure Access Client R1.0.
If Ivanti Secure Access Client R2.0 is installed on a Windows Mobile device, and the user connects to a role that has Host Checker enabled, the user is prompted to install Host Checker. However, if the user allows the installation, nothing happens. To avoid this scenario, you should create a separate role for Ivanti Secure Access Client R2.0 for Windows Mobile devices.
Ivanti Secure Access Client R3.0 and R4.0
Included with Ivanti Access Service software R7.2 and later.
Ivanti Secure Access Client incorporates SAM functionality as a native Ivanti Secure Access Client connection method.
Supports Host Checker.
Ivanti Secure Access Client R5.0
Ivanti Secure Access Client R5.1 and later
This section describes how to configure Ivanti Connect Secure to support Windows endpoints. Ivanti Connect Secure also supports a Java-based SAM client (JSAM). The JSAM client can be deployed from a Ivanti Connect Secure server to any endpoint that supports Java.
To enable SAM for Windows endpoints and configure a role:
1. Log in to the Ivanti Connect Secure admin console.
2. Select User Roles > New User Role.
3. On the New Role page, specify a name for the role and, optionally, a description. Make note of the name because later in this procedure, you create a realm and map realm users to this role.
4. In the Options section, select " Ivanti ".
If you leave the Ivanti check box cleared, and then enable Secure Application Manager, Windows version in the Access Features section, you enable the Ivanti /SAM for the Ivanti Secure Access Client for Windows Mobile smart phone app. The Ivanti check box must be selected to enable the role for Ivanti Secure Access Client for Windows endpoints.
5. In the Access Features section of the New Role page, select the Secure Application Manager check box and then select Windows version.
6. Click Save Changes to create the role and to display the role configuration tabs.
The General tab options (Restrictions (which includes Host Checker), VLAN/Source IP, Session Options, and UI Options) are all valid settings for a SAM role.
We recommend that you use resource profiles to specify the applications available to users, but you can use role settings instead.
To specify applications for SAM to secure as part of a role:
1. Open the role you created for Ivanti Secure Access Client /SAM.
2. Click the SAM tab.
3. In the Applications section, click Add Application or select an existing application in the list and then click Add Duplicate.
4. In the Details section, select a type from the Type list, and then specify a name and description.
If you select Custom to specify an application that is not included in the list, the Application Parameters section appears. Specify the following:
• Filename: Specify the name of the file’s executable file
• Path: Specify the file’s path
• MD5 Hash: Optionally specify the MD5 hash of the executable file. If you enter an MD5 hash value, Ivanti Secure Access Client verifies that the checksum value of the executable matches this value. If the values do not match, Ivanti Secure Access Client notifies the user that the identity of the application could not be verified and does not allow access.
If you select Pick a Resource Profile, and at least one application or destination has been configured as a Resource Profile SAM client application, a selection list appears and you can click a Resource Profile. Then, when you click Save Application or Save + New, the role is added to the profile’s list of roles, and the profile’s resource polices are updated. If there are no Resource Profile SAM client applications or destinations configured, this option is not available.
5. Click Save Application or Save + New.
To specify servers for SAM to secure as part of a role:
1. Open the role you created for Ivanti Secure Access Client /SAM.
2. Click the SAM tab.
3. In the Applications section, click Add Server or select an existing server in the list and then click Add Duplicate.
If you select "Standard", specify a name and a description, and then identify the server by name or IP address.
If you select "Pick a Resource Profile", a selection list appears and you can click a Resource Profile. Then, when you click Save Application or Save + New, the role is added to the profile’s list of roles, and the profile’s resource polices are updated.
4. Click Save Application or Save + New.
To specify options for the SAM role:
1. Open the role you created for Ivanti Secure Access Client /SAM.
2. Click the SAM tab.
3. Click Options.
4. Make sure Windows SAM is enabled, and then choose from the following:
• Secure Application Manager options:
• Auto-launch Secure Application Manager: If you enable this option, Ivanti Connect Secure automatically launches Secure Application Manager services when a user signs in through the Ivanti Connect Secure Web portal. If you do not select this option, users must manually start the Secure Application Manager from the Client Applications Sessions section of the Web portal.
• Auto-allow application servers: If you enable this option, Ivanti Connect Secure automatically creates a SAM resource policy that allows access to the servers specified for the role in the SAM tab application and server lists.
• Windows SAM Options:
• Auto-uninstall Secure Application Manager: This setting is a not applicable to Ivanti Secure Access Client R3.0 or later. It applies to the previous WSAM client software only. If you enable it, it is ignored for connections that use Ivanti Secure Access Client R3.0 or later.
• Prompt for username and password for intranet sites: If you enable this option, the Ivanti Connect Secure requires users to enter sign-in credentials before connecting to sites on your internal network. This option changes intranet zone setting so that Microsoft Edge always prompts the user for network sign-in credentials for an intranet site.
• Auto-upgrade Secure Application Manager: This setting is a not applicable to Ivanti Secure Access Client R3.0 or later. It applies to the previous WSAM client software only. If you enable it, it is ignored for connections that use Ivanti Secure Access Client R3.0 or later.
• Resolve only hostnames with domain suffixes in the device DNS domains: If you enable this option, users can only browse to Web sites that are part of their login domain.
• Session start script and Session end scripts: You can specify a script (.bat, .cmd, or .exe) to run on the users endpoint after Ivanti Secure Access Client connects and disconnects. For example, you can specify a script that maps network drives on an endpoint to shares on protected resources when the user connects. The script must be in a location (either local or on the network) that is accessible by the user.
5. Click Save Changes.
To use resource profiles to specify the applications available to Ivanti Secure Access Client users:
1. Create resource profiles that enable access to client applications and destinations and configure the appropriate settings. Select Users > Resource Profiles > SAM > Client Applications.
2. Click New Profile.
3. From the Type list, select "WSAM".
4. From the Application list, select one of the following options:
• Custom: When you select this option, you must manually enter your custom application’s executable filename (such as telnet.exe). Additionally, you can specify this file’s path and MD5 hash of the executable file (although it is not required that you specify the exact path to the executable). If you enter an MD5 hash value, SAM verifies that the checksum value of the executable matches this value. If the values do not match, SAM notifies the user that the identity of the application could not be verified and does not forward connections from the application to the server.
• Lotus Notes: Select this option to have SAM intermediate traffic from the Lotus Notes fat client application.
• Microsoft Outlook: Select this option to have SAM intermediate traffic from the Microsoft Outlook application.
• NetBIOS file browsing: Select this option to have SAM intercept NetBIOS name lookups in the TDI drivers on ports 137 and 139.
NetBIOS file browsing is not supported for IPv6.
• Citrix: Select this option to have SAM intermediate traffic from Citrix applications.
• Domain Authentication: Select this option to allow integrated Windows applications, such as file sharing, Outlook, and so forth to authenticate to the domain controller when the client machine is part of a domain. Before using this option, you must:
• Specify domain controllers that are reachable through the Ivanti Connect Secure in the WSAM Destination list so that LDAP and Kerberos traffic can be proxied and sent to Ivanti Connect Secure .
• Configure a WSAM Access Control Policy to allow access to all domain controllers.
You can configure access to a standard application once per user role. For example, you can enable one configuration of Microsoft Outlook and one configuration of Lotus Notes for the “Users” role.
5. Enter a unique name and optionally a description for the resource profile.
6. In the Autopolicy: SAM Access Control section create supporting auto policies and assign the policies to the role:
• If it is not already enabled, select the Autopolicy: SAM Access Control check box.
• In the Resource field, specify the application server to which this policy applies. You can specify the server as a hostname or an IP/netmask pair. You can also include a port.
If you select "Domain Authentication" from the Application list, enter your domain controller server addresses into the Resource field. You can add multiple domain controller servers if more than one is available.
• From the Action list, select Allow to enable access to the specified server or Deny to block access to the specified server.
• Click Add.
7. Click Save and Continue.
• In the Roles tab, select the roles to which the resource profile applies and click Add.
The selected roles inherit the autopolicy created by the resource profile. If it is not already enabled, the server also automatically enables the SAM option in the roles General > Overview page for all of the roles you select.
• Click Save Changes.
• Select Users > User Realms > New User Realm.
• Specify a name and, optionally, a description and then click Save Changes to create the realm and to display the realm option tabs.
• On the Role Mapping tab for the realm, create a new rule that maps all users to the role you created earlier in this procedure.
You can also use resource profiles to configure destination servers, network subnets and hosts and then add the resource profile to a role.
To use resource profiles to specify the network endpoints available to Ivanti Secure Access Client users:
1. In the admin console, choose Users > Resource Profiles > SAM > WSAM Destinations.
2. Click New Profile.
3. Enter a unique name and optionally a description for the resource profile.
4. In the WSAM Destinations section, specify which servers you want to secure using WSAM and click Add. You can specify the servers as hostname or IP/netmask pairs. You can also include a port.
5. Select the Create an access control policy allowing SAM access to this server check box (enabled by default) to enable access to the server specified in the previous step.
6. Click Save and Continue.
7. In the Roles tab, select the roles to which the resource profile applies and click Add.
The selected roles inherit the autopolicy created by the resource profile.
Was this article useful?