<update> March23/2020: Jump to last post for summary. During week of March16, 2020; Checkpoint released eval version of MOB-U. Client details (and associated eval licensing) detailed in summary table -GA </update>
<update2> March23/2020: added three screenshots of unlimited Mobile Access eval keys on customer R80.xx platform. </update2>
During the current COVID19 measures being adopted by various countries, states, cities, and local governments, the topic of accommodating unprecedented remote access for entire workforces has been a consistent thread for our customers.
Many Checkpoint gateway customers already have a license for Mobile Access Blade (MOB) specifically because of the session-count licensing. While Mobile Access Blade provides an end-user portal and various remote application and file access via web browser, I suggest a large portion of MOB customers simply continue to use remote access IPsec VPN in "office mode".
The licensing mechanism for MOB is concurrent sessions.
The licensing mechanism for IPsec VPN is per user (based on a client install over some period of time -- 24hrs, 30days, etc -- I don't recall the specific period).
I perceive -- based entirely on anecdotal evidence -- that MOB session-based license somehow over-rides the IPsec VPN user-count mechanism. Thus, MOB-50 allows for fifty concurrent IPsec VPN connections.
The issue arises when our customers call about significantly increasing their remote-access licensing. We have quoted MOB-U to numerous customers (ie. unlimited concurrent remote-access sessions).
Some procurement may take multiple days, if not weeks. In the meantime, we had hoped to leverage 30day eval keys to bridge the gap (until fulfillment) -- OR for those customers taking the approach that this current remote access situation will only last 4-6 weeks. I suggest CP execs would be willing to accept that customers shouldn't necessarily have to make a significant "one off" purchase to cover a unique pandemic issue for 4-6 weeks. Granted, the current COVID related closures and changes to business operations may last multiple months.
I called CP Account Services on topic and described my concerns and what I was hoping to accomplish.
We need "a temporary way to provide unlimited remote access connections". The conversation concluded that 30day eval key is equivalent to MOB-U (ie. unlimited session).
Based on customer feedback, it appears that 30day eval key applies differently to the MOB and underlying IPsec VPN licensing mechanisms.
It appears that 30day eval key provides the following (based on customer feedback):
Can someone please verify this? In addition, is this by design and to be expected?
This is somewhat beyond the technical comfort zone of Account Services yet entirely a licensing topic (ie. not relevant for standard support services).
An answer from executive CP product mgmt would be appreciated to put this issue to rest for all customers (and resellers attempting to help).
thanks!
related info:
The implied understanding on all 30day eval keys is that endpoint security suite is not relevant to dialog.
The specific remote-access clients we are talking about:
The following is OLD vs NEW naming (neither of these managed by Endpoint Mgmt):
Note the "Endpoint Security Suite VPN blade" is the client that requires endpoint security suite mgmt. this is detailed in sk67820 (see below).
It's my understanding that both #1 and #2 can do "office mode".
reference:
CP Remote Access Solutions
The installer options for MOBILE VPN client that is relevant to discussion.
As to what comes with the All-in-One eval, I'll try and get this clarified.
Mobile Access Blade can terminate users either with HTTPS, SNX, or IPSEC.
IPSEC VPN Blade can terminate clients only with IPSEC VPN.
Where there seem to be questions are when you have licenses for both of these items for IPSEC VPN clients.
My understanding is that it is whatever terminates the VPN connection (either VPN or MAB) is what license will be consumed.
Also to correct something you stated below, there are effectively three types of clients:
We are working on some formal guidance on this topic that is expected to be published very soon.
In any case, if there is a situation where you are exceeding your Remote Access licenses, we'll work with you to get you what you need.
Hello @PhoneBoy . thanks for the post.
I posted similar information on the three clients in follow-up post immediately above.
Based on what you provided, Check Point Mobile should provide "office mode" and provide unlimited sessions with 30day eval key, correct? license would be gateway-only.
Furthermore, it does make sense the Endpoint Security VPN (replaced Secureclient) would only support 100 users with 30day eval key (as this is licensed differently and requires additional license on SmartCenter).
thanks - GA
Hello @PhoneBoy and @Tomer_Noy , can you please validate the following table I assembled.
Note the RED question marks where I couldn't validate one way or other (and sk67820 provided conflicting info).
Feel free to use as well (I can send you text-version).
UPDATE:
see follow-up comment. I found answer specific to Checkpoint Mobile and office-mode.
Specific to licensing, you can't buy a checkpoint gateway without the VPN "FEATURE" built-in the gateway container. Historically, actual VPN usage (for advanced clients) has required additional VPN license packs installed on gateways.
The issue is whether Checkpoint Endpoint Security VPN (aka SecureClient) will operate solely based on license installed on Network Mgmt Server (aka Smartcenter for gateways).
answered one of my questions here in documentation.
Checkpoint Mobile for Windows does support office-mode.
comparison feature table near beginning of "Remote Access Clients for Windows E82.40 Release Notes"
https://downloads.checkpoint.com/dc/download.htm?ID=102832
Hello @PhoneBoy . thanks for msg.
I appreciated the "Endpoint Security VPN for Windows" (previously known as SecureClient) does require gateway lic, but does the desktop firewall mgmt functionality require license ALSO on SmartCenter (network mgmt server)?
ie. if you don't have the license on SmartCenter (network mgmt server) for desktop firewall mgmt, the "Endpoint Security VPN for Windows" client behaves like CheckPoint Mobile for Windows but with different licensing scheme (per installation vs per session, respectively)?
hello @PhoneBoy . I hear what you are saying but the following contradicts.
excerpt from sk67820
"License required: Endpoint Security Container on Endpoint Security Management Server and Endpoint Security VPN on Network Management Server. License count per installed devices."
@PhoneBoy . whoops. I misread your reply. thanks for the follow-up and assist.
Hey @PhoneBoy .
one final confirmation.
Account Services saying to specifically use All-in-one 30day key with Mobile Access Blade enabled and the Checkpoint Mobile for Windows to provide unlimited remote access "office mode" users.
would you agree?
reference: install option below.
Note: the motivation behind this is in the original post. We couldn't make sense of why customers were only seeing 100 sessions. This is because they likely installed the wrong client (and may not have MOB enabled).
I am in agreement with this.
It's still an open question whether the license count for Endpoint VPN usage on an All-in-One eval allows for more than 100.
In addition to the All in One eval, we recently added the ability to generate evals just for Mobile Access Blade (unlimited users):
Hello @PhoneBoy . thanks for screenshot.
It's important to note that Account Services specifically told me to use All-in-One 30day eval to provide the equiv of MOB-U. This recommendation continues to confuse me for couple reasons:
On related note: the "Checkpoint Endpoint VPN for Windows" client is licensed PER installation and key required on SmartCenter (network mgmt server).
This is why I've always run aground trying to succinctly summarize these topics. Combined with the fact CP marketing continues to change the names of products, there's no one person that knows everything and lots of conflicting information exists.
Also, I had an error in table I generated under the "two factor" support for "Checkpoint Mobile for Windows". I stated "NO" but didn't read the following caveat under section #2 of Remote Access Guide.
Check Point Mobile for Windows, Check Point VPN Plugin for Windows 8.1 and Check Point Capsule VPN for Windows 10 do not support "two factor user authentication". (The limitation applies only to E80.64 and earlier in the context of Check Point Mobile for Windows.)
here's what you will see when using unlimited Mobile Access eval. The specific blade functionality is "CPSB-SSLVPN-U".
Similar to the All-in-one eval, the unlimited Mobile Access eval is a bundle of two keys: one for gateway, one for mgmt.
The Mobile Access eval SKU "CPSB-SSLVPN-U" is also present in the All-in-one eval. Thus, you can get same unlimited Mobile Access via either eval key strategy.
Once in place, the licensing information available via SmartConsole now shows Mobile Access is unlimited (screenshot below).
Finally, it's very curious to note that 30-day GATEWAY key does not include "CPSB-SSLVPN-U" and can't be used for Mobile Access.
thanks @PhoneBoy
some obvious questions come to mind:
Yes, whether you fold "Endpoint Security VPN" into the Endpoint Suite -- OR -- you fold "Endpoint Security VPN" into what is "Checkpoint Mobile", I suggest there is one too many windows client options (and the associated licensing).
The legacy CPEP-ACCESS licensing (that people actually wanted back..) only makes it more convoluted.
I often wonder if CP would be better off purging everything and starting over with something more unified/better/easier. Too much of the remote access clients have feel of "something developed ten years ago".
The Millennials need new/fast/shiny and they will be largely making buying decisions in next five years. (I'm joking and serious at the same time).