Re: MOB, IPsec VPN licensing, and how each related...

Garrett_DirSec · ‎2020-03-18

<update> March23/2020: Jump to last post for summary. During week of March16, 2020; Checkpoint released eval version of MOB-U. Client details (and associated eval licensing) detailed in summary table -GA </update>

<update2> March23/2020: added three screenshots of unlimited Mobile Access eval keys on customer R80.xx platform. </update2>

During current COVID19 measures being adopted by various countries, states, cities, and local governments; the topic of accommodating unprecedented remote-access for entire workforces has been consistent thread for our customers.

Many Checkpoint gateway customers already have license for Mobile Access Blade (MOB) specifically because of the session-count licensing. While Mobile Access Blade provide end-user portal and various remote application and file access via web browser, I suggest large portion of MOB customers simply continue to use remote access IPsec VPN in "office mode".

The licensing mechanism for MOB is concurrent sessions.

The licensing mechanism for IPsec VPN is per user (based on a client install over some period of time -- 24hrs, 30days, etc -- I don't recall the specific period).

I perceive -- based entirely on anecdotal evidence -- that MOB session-based license somehow over-rides the IPsec VPN user-count mechanism. Thus, MOB-50 allows for fifty concurrent IPsec VPN connections.

The issue arises when our customers call about significantly increasing their remote-access licensing. We have quoted MOB-U to numerous customers (ie. unlimited concurrent remote-access sessions).

Some procurement may take multiple days, if not weeks. In the mean-time, we had hoped to leverage 30day eval keys to bridge gap (until fulfillment) -- OR for those customers taking approach this current remote access situation will only last 4-6 weeks. I suggest CP execs would be willing to accept that customers shouldn't necessarily have to make a significant "one off" purchase to cover unique pandemic issue for 4-6 weeks. Granted, the current COVID related closures and changes to business operations may last multiple months.

I called CP Account Services on topic and described my concerns and what I was hoping to accomplish.

We need "a temporary way to provide unlimited remote access connections". The conversation concluded that 30day eval key is equivalent to MOB-U (ie. unlimited session).

Based on customer feedback, it appears that 30day eval key applies differently to the MOB and underlying IPsec VPN licensing mechanisms.

It appears that 30day eval key provides the following (based on customer feedback):

MOB-U but ONLY to the HTTPS/SSL/TLS remote access solutions.
VPN-100 for remote-access IPsec VPN in "office mode"

Can someone please verify this? In addition, is this by design and to be expected?

This is somewhat beyond the technical comfort zone of Account Services yet entirely a licensing topic (ie. not relevant for standard support services).

An answer from executive CP product mgmt would be appreciated to put this issue to rest for all customers (and resellers attempting to help).

thanks!

Garrett_DirSec · ‎2020-03-18

A related topic would be how quickly Checkpoint has add remote access VPN to Cloudguard Connect (aka 'gateway in the cloud') to compete with similar SASE solutions from competition like the following:
(1) Netskope Private Access
(2) Palo Alto Networks Prisma Access
(3) Perimter 81

I would MUCH rather sell a good SASE solution vs MOB-U or similar. Most customers are already looking to cloud for various things and selling a checkpoint SASE solution would further insure checkpoint stays "sticky" in all forward dialog.

Garrett_DirSec · ‎2020-03-18

related info:

The implied understanding on all 30day eval keys is that endpoint security suite is not relevant to dialog.

The specific remote-access clients we are talking about:

The following is OLD vs NEW naming (neither of these managed by Endpoint Mgmt):

SecureRemote ==> Check Point Mobile for Windows (IPsec, SCV but no endpoint fw)
SecureClient ==> Endpoint Security VPN (IPsec, SCV, endpoint FW, no endpoint security suite mgmt, lic required on SmartCenter)

Note the "Endpoint Security Suite VPN blade" is the client that requires endpoint security suite mgmt. this is detailed in sk67820 (see below).

It's my understanding that both #1 and #2 can do "office mode".

reference:

CP Remote Access Solutions

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The installer options for MOBILE VPN client that is relevant to discussion.

PhoneBoy · ‎2020-03-18

As to what comes with the All-in-One eval, I'll try and get this clarified.

Mobile Access Blade can terminate users either with HTTPS, SNX, or IPSEC.
IPSEC VPN Blade can terminate clients only with IPSEC VPN.

Where there seem to be questions are when you have licenses for both of these items for IPSEC VPN clients.
My understanding is that it is whatever terminates the VPN connection (either VPN or MAB) is what license will be consumed.

Also to correct something you stated below, there are effectively three types of clients:

Endpoint Security VPN (which also includes any current SandBlast Agent bundle), previously known by names as Endpoint Connect and even Secure Client. These require Endpoint VPN licenses (either current SBA bundles, CPEP-ACCESS SKUs, or legacy SecureClient SKUs)
Check Point Mobile which is same as Endpoint Security VPN except there is no Desktop Firewall and uses MAB licenses. SNX and the Mobile Access Web Portal also fall into this same category from a licensing perspective.
SecuRemote, which is a feature-limited IPSEC VPN client that does NOT include Office Mode or a Desktop Firewall. This is included with a gateway VPN license and is effectively unlimited. (Note that L2TP clients are treated as SecuRemote also)

We are working on some formal guidance on this topic that is expected to be published very soon.
In any case, if there is a situation where you are exceeding your Remote Access licenses, we'll work with you to get you what you need.

Garrett_DirSec · ‎2020-03-18

Hello @PhoneBoy . thanks for the post.

I posted similar information on the three clients in follow-up post immediately above.

Based on what you provided, Check Point Mobile should provide "office mode" and provide unlimited sessions with 30day eval key, correct? license would be gateway-only.

Further more, it does make sense the Endpoint Security VPN (replaced Secureclient) would only support 100 users with 30day eval key (as this is licensed differently and requites additional license on SmartCenter).

thanks - GA

PhoneBoy · ‎2020-03-18

That is my understanding.

I was trying to look at the feature strings in the Eval license on my management to verify what the limit was for "Endpoint" VPN usage and it wasn't entirely obvious.
In any case, if you do manage to run into a license limitation even with the All in One eval, we can work with you to get you what you need.

Garrett_DirSec · ‎2020-03-19

Hello @PhoneBoy and @Tomer_Noy , can you please validate the following table I assembled.

Note the RED question marks where I couldn't validate one way or other (and sk67820 provided conflicting info).

Feel free to use as well (I can send you text-version).

UPDATE:

see follow-up comment. I found answer specific to Checkpoint Mobile and office-mode.

Specific to licensing, you can't buy a checkpoint gateway without the VPN "FEATURE" built-in the gateway container. Historically, actual VPN usage (for advanced clients) has required additional VPN license packs installed on gateways.

The issue is whether Checkpoint Endpoint Security VPN (aka SecureClient) will operate solely based on license installed on Network Mgmt Server (aka Smartcenter for gateways).

Garrett_DirSec · ‎2020-03-19

answered one of my questions here in documentation.

Checkpoint Mobile for Windows does support office-mode.

comparison feature table near beginning of "Remote Access Clients for Windows E82.40 Release Notes"

https://downloads.checkpoint.com/dc/download.htm?ID=102832

PhoneBoy · ‎2020-03-19

Endpoint Security VPN does imply a VPN license on the gateway.
But that's the only license required.
You answered your other question below.

Garrett_DirSec · ‎2020-03-19

Hello @PhoneBoy . thanks for msg.

I appreciated the "Endpoint Security VPN for Windows" (previously known as SecureClient) does require gateway lic, but does the desktop firewall mgmt functionality require license ALSO on SmartCenter (network mgmt server)?

ie. if you don't have the license on SmartCenter (network mgmt server) for desktop firewall mgmt, the "Endpoint Security VPN for Windows" client behaves like CheckPoint Mobile for Windows but with different licensing scheme (per installation vs per session, respectively)?

PhoneBoy · ‎2020-03-19

To my knowledge, no other license is required on the gateway.

Garrett_DirSec · ‎2020-03-19

hello @PhoneBoy . I hear what you are saying but the following contradicts.

excerpt from sk67820

"License required: Endpoint Security Container on Endpoint Security Management Server and Endpoint Security VPN on Network Management Server. License count per installed devices."

PhoneBoy · ‎2020-03-19

Those are both still management servers, not the gateway.

Garrett_DirSec · ‎2020-03-19

@PhoneBoy . whoops. I misread your reply. thanks for the follow-up and assist.

Garrett_DirSec · ‎2020-03-19

Hey @PhoneBoy .

one final confirmation.

Account Services saying to specifically use All-in-one 30day key with Mobile Access Blade enabled and the Checkpoint Mobile for Windows to provide unlimited remote access "office mode" users.

would you agree?

reference: install option below.

Note: the motivation behind this in original post. We couldn't make sense of why customers only seeing 100 sessions. This because they likely installed wrong client (and may not have MOB enabled).

PhoneBoy · ‎2020-03-19

I am in agreement with this.
It's still an open question whether the license count for Endpoint VPN usage on a All-in-One eval allows for more than 100.

In addition to the All in One eval, we recently added the ability to generate evals just for Mobile Access Blade (unlimited users):

See: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security...

Garrett_DirSec · ‎2020-03-22

Hello @PhoneBoy . thanks for screenshot.

It's important to note that Account Services specifically told me to use All-in-One 30day eval to provide the equiv of MOB-U. This recommendation continues to confuse me for couple reasons:

per your screenshot, there is a MOB-U eval key. this seems to be the most OBVIOUS solution.
since we talked about unlimited SESSIONS, and only "Checkpoint MOBILE for Windows" operates bases on session, this client requires a GATEWAY key (per sk67820). Why would not Account services at least recommend the GATEWAY 30-day key?

On related note: the "Checkpoint Endpoint VPN for Windows" client is licensed PER installation and key required on SmartCenter (network mgmt server).

This is why I've always run aground trying to succinctly summarize these topics. Combined with fact CP marketing continues to change the names of products, there's no one person that knows everything and lot's of conflicting information exists.

Also, I had an error in table I generated under the "two factor" support for "Checkpoint Mobile for Windows". I stated "NO" but didn't read the following caveat under section #2 of Remote Access Guide.

Check Point Mobile for Windows, Check Point VPN Plugin for Windows 8.1 and Check Point Capsule VPN for Windows 10 do not support "two factor user authentication". (The limitation applies only to E80.64 and earlier in the context of Check Point Mobile for Windows.)

PhoneBoy · ‎2020-03-22

The addition of the MOB-specific eval was fairly recent (last week or so) and Account Services may not have been aware of it.

Yes, anything that runs on Mobile Access licenses is licensed per Concurrent Users on the gateway whereas anything requiring Endpoint licensing is licensed per installation by the management (either Endpoint or Network depending on your environment).

Garrett_DirSec · ‎2020-03-23

thanks @PhoneBoy . I updated the table and attaching everything relevant here.

Garrett_DirSec · ‎2020-03-23

here's what you will see when using unlimited Mobile Access eval. The specific blade functionality is "CPSB-SSLVPN-U".

Similar to the All-in-one eval, the unlimited Mobile Access eval is a bundle of two keys: one for gateway, one for mgmt.

The Mobile Access eval SKU "CPSB-SSLVPN-U" is also present in the All-in-one eval. Thus, you can get same unlimited Mobile Access via either eval key strategy.

Once in place, the licensing information available via SmartConsole to now Mobile Access is unlimited (screenshot below).

Finally, it's very curious to note that 30-day GATEWAY key does not include "CPSB-SSLVPN-U" and can't be used for Mobile Access.

PhoneBoy · ‎2020-03-24

Also, confirmed a couple things with R&D today:

1. The All-In-One Eval includes support for 100 Endpoints, as you discovered.
2. When you have both Endpoint and MOB licenses, the MOB licenses take effect first for VPN access.

We are working on a comprehensive FAQ that should answer this and other questions.
Stay tuned!

Garrett_DirSec · ‎2020-03-24

thanks @PhoneBoy

some obvious questions come to mind:

why does the MOB eval lic include keys for both mgmt and gateway? Everything about MOB is gateway. Checkpoint Mobile for Windows client is per-session and requires gateway key. It would just be interesting to understand the under cover mechanics of why MOB eval includes mgmt key.
why does the gateway eval lic only include a few specific feature blades (but not obvious stuff like AppCtl, MOB, etc). I suggest that key should be removed from options.
I suggest that CP should do away with the ancient "per installation" license model altogether. The original VPN mechanism and associated "per installation" licensing has origins from the late 90's, right? Just consolidate everything under MOB and merge in the optional desktop fw mgmt. In the world of zero-trust (ZTNA), I suggest SCV is relevant but desktop FW is not. The basic target is ONE cost-based windows client and license model (per session). Let everyone migrate over to new world over time.

PhoneBoy · ‎2020-03-24

There's probably a legacy reason for MOB having a management component to it.
The supplied license primitive is for SNX in particular.

The GW only license probably exists for a legacy reason, and not sure why it is still present.
Definitely the All in One license is what you should use.

If you're just focused on "remote access" then I agree, the MOB licensing model makes a lot more sense.
The access provided by MOB licenses is intended for unmanaged endpoints, thus why it doesn't include a desktop firewall.

If you consider that managed endpoints also likely have other security controls on it you're managing--licensed per-seat--including a VPN client along with that makes sense.

The CPEP-ACCESS SKUs could work in either use case (managed or unmanaged).
We had removed these SKUs from the Product Catalog, presumably to simplify the offering.
However, due to customer demand, they have returned.
We are not promoting these SKUs, but if you search by SKU, you will find them.

And yes, the progenitor to the CPEP-ACCESS (specifically the functionality it enables) is a product called SecureClient.
It was sold per-seat, as I recall, and dates back to the 90s.

Garrett_DirSec · ‎2020-03-24

Yes, whether you fold "Endpoint Security VPN" into the Endpoint Suite -- OR -- you fold "Endpoint Security VPN" into what is "Checkpoint Mobile", I suggest there is one too many windows client options (and the associated licensing).

The legacy CPEP-ACCESS licensing (that people actually wanted back..) only makes it more convoluted.

I often wonder if CP would be better off purging everything and starting over with something more unified/better/easier. Too much of the remote access clients have feel of "something developed ten years ago".

The Millenials need new/fast/shiny and they will be largely making buying decisions in next five years. (I'm joking and serious at the same time).

Are you a member of CheckMates?

MOB, IPsec VPN licensing, and how each related to 30day eval keys (during COVID19)