Thanks for your reply.

But why we need Access Control and Data Protection package?

CPEP-ACCESS-1y provide us Firewall and VPN Remote Access (following  sk116598). I understand that we attach this license to the management server. But in case when we use only VPN access with the license CPEP-ACCESS-1Y, do we need Endpoint Management? Or can we use unmanaged endpoints only for VPN access (similar to MOB license)?

You have to decide if you need Endpoint Management Server (with Endpoint Security Clients) or just use Standalone Clients (Endpoint Security VPN). Desktop Firewall and RA VPN do not need an Endpoint Management Server.

We have 20 CPEP-ACCESS licenses and we want to use standalone clients (without Endpoint Management). In case when 20 hosts connected to the GW and disconnected after some time - when is the license released? And can we release this license manually?

According to sk33869:

• "Used Licenses" column shows the number of users that have connected in the last 30 days. The Policy Server counts users on a monthly period basis. When the month is over, it resets to "zero". The dtps lic output "Used Licenses" column counts the users according to their name (or DN). This means that the same user is counted only once. The "Used Licenses" column does not display the number of currently connected users. Instead, it displays the number of unique users that have connected to this Policy Server during a month. The intention of the "Used License" column information is not to display how many users are being concurrently connected, but rather to display how many SecureClient users exist.

Users are stored in userc_users - This table holds remote access client's IP address. All connections from this IP address are expected to be encrypted.

Run the below command in expert mode to clear the users check table:

[Expert@GW]# fw tab -t userc_users -x -y

The firewall + VPN features of CPEP-ACCESS can be managed with Network Management.
If you need Endpoint Compliance for some reason (instead of SCV), that does require Endpoint Management.
Believe the license is counted for each installed user once they connect and it’s held for 30 days.

HI Phoneboy,

So in our case if we already have NGSM25 + CPEP-ACESS -1Y for  5500 user, do we need additional license to cover 5500 user if we want to deploy endpoint access control ( firewall, application control, compliance and vpn ) ?

thanks n regards

Believe Application Control is outside the scope of what Access licenses provide.
In current SKUs you’d probably need SBA Basic licenses and either Endpoint Management or you can leverage SBA Managed from the cloud which comes with SBA Basic licenses.

Thanks for your reply!

You said that license held for 30 days. Can I release it mannualy for some way?

Hello.
In case of third scenario (RA VPN with standalone Endpoint Security clients in Office Mode connecting to R80.30 security gateway), is it possible to check how many licenses have been given out and to which LDAP users? We have installed CPEP-ACESS -1Y for only 1 seat on our SMS and have Mobile Blade disabled on Security Gateway. For some reason, more than one users are able to connect and obtain office mode IPs. Big bash one-liner command shows this output on security gateway:

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 9 (Peak: 11)
Capsule/Endpoint VPN Users : 8 (Peak: 12) using Visitor Mode: 7
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 500
Endpoint Connect Users : 1
Mobile Access Users : 5
SNX Users :

How is this possible?

#cplic print from SMS

Host             Expiration  Features            
10.20.100.60     never       cpep-c-1+1 cpsb-ep-fw+1 cpep-subscr cpsb-swb cpsb-ngep CK-D7E7DB6F6812
10.20.100.60     never       cpvp-vps-1-ngx cpvp-vsc-5-ngx+1 cpep-perp cpsb-swb CK-D7E7DB6F6812
10.20.100.60     never       CPSG-VE+8 CPSB-BASE CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-ADNC CPSB-SSLVPN-5 CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-149823EE8135
10.20.100.60     never       CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-149823EE8135
10.20.100.60     never       CPSM-C-5 CPSM-NGSM CPSB-WKFL-5 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-5 CPSB-COMP-5 CPSB-COMP-5 CPSB-SME-5 CPSB-RPRT-N-C1000 CK-9FDDA77E676A