Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Beagle15
Participant

Can Remote Access IPsec VPN client licenses be shared across SMB and Quantum appliances?

in sk84560 :https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...  it says:

In order to use the Endpoint Security VPN client, an Endpoint Security VPN license is purchased. This license is applied to the Management server that manages the Remote Access gateways, and it creates a pool of licenses the Remote Access gateways share. This license is purchased based on the total number of endpoints. It is not a concurrent use license. 

My question is if you already currently have 100 x IPSec vpn client licenses on 1 x SMB appliance and the 5 x default IPsec vpn licenses on 1 x 3600 appliance can all the licenses be pooled together and managed in Smart 1 Cloud and used to terminate vpn tunnels for remote users on either the 3600 or the SMB appliances or is the IPSec tunnel termination linked just to a specific device? ie if you have 5 x IPsec licences on a 1x 3600 can you only terminate the tunnel on that 1x device? From the above sk it seems to imply all IPsec vpn client licenses can be pooled and shared to terminate remote access vpn clients and tunnels to any gateway type? Is that correct?

Can you also clarify what additive means in this article please?

Thank you very much.

0 Kudos
5 Replies
Chris_Atkinson
Employee
Employee

SMB appliances come with Mobile Access (SSL) licenses that are bound to the appliance and cannot be shared.

If you buy licenses that can be used with Endpoint security VPN then those can be distributed centrally (from Mgmt) for IPSec clients.

Mobile Access licenses cannot be stacked on an Enterprise appliance such as a 3600 i.e.  you cannot buy MOB50 + MOB200 for a total of 250 instead you need to by the next license tier to cover the concurrent licensed needed.

0 Kudos
Beagle15
Participant

Thank you Chris. I was aware of the SSL Mobile Access license. I am only interested in the Ipsec vpn client license. Just to be totally clear you can use an Ipsec vpn client licence from a SMB appliance to terminate a tunnel on a 3600 appliance and vice versa so licences for just the Ipsec VPN client can be pooled regardless of whether they originated from an 3600 or an SMB appliance ie where you terminate the vpn client does not matter? Is my understanding correct? Thanks.

0 Kudos
Chris_Atkinson
Employee
Employee

SMB gateways don't have transferable VPN licenses.

IPsec Remote "Access VPN" or Endpoint  licenses purchased and applied to mgmt can be shared across appliances within an estate.

0 Kudos
Beagle15
Participant

Hello Chris, 

The sk above does not say this? That is not good news! Why is this not highlighted? I have a client whom has a lot of SMB appliances and a few enterprise appliances and they only want to terminate VPN Licenses on the enterprise appliances so basically they cannot use any of their SMB appliances VPN client licenses at all..... I will speak to the local CP account team and see if they can come to some arrangement. Are there any plans to change this? thanks.

0 Kudos
Chris_Atkinson
Employee
Employee

SMB appliances only have a built-in MOB license allocation for more than 5 users, at the top of the SK it says that each gateway must have its own MOB license allocation.

Endpoint Security / Access VPN is a different license available separately.

 

0 Kudos