Mobile Access License and VPN License
Hello
I have something to ask about mobile access license and vpn. [Cluster HA Mode]
1. I have enabled the Mobile Access and IPsec VPN blades.
2. I know that the maximum for Mobile Access is 5 concurrent users.
3. I configured the policy for all of it and it works properly (using the Check Point Endpoint Security VPN client).
4. I use an eval license to test. In monitoring I see a number of users (more than 100 users in remote user tunnels) on the IPsec VPN blade, but there are 0 active sessions in Mobile Access. Why?
5. I need 200 concurrent. Then I buy the CPSB-MOB-200-HA license.
6. I don't understand concurrency in the license. If my eval license ends and I use CPSB-MOB-200-HA, will my concurrent VPN connections work?
7. Please clarify the limitations on concurrent VPN connections in the licenses for remote access (IPsec) and Mobile Access.
Thank you.
Has been discussed here a lot recently, but I will do a short survey:
CP has two kinds of RA blades and licenses, see sk67820: Check Point Remote Access Solutions for all details! Also helpful is sk166032: Remote Access FAQ covering IPSec and HTTPS portal based VPN solutions.
First way is Endpoint Security IPSec VPN client, that is Endpoint Security VPN (also included in Endpoint Security Suite) licensed per seat (GW remembers the client).
Second is Mobile Access Blade SSL VPN, containing MAB Portal, SNX client, Capsule Workspace for iOS / Android and Check Point Mobile for Windows (also doing IPSec but can do SSL if needed). All these are licensed by concurrent users and do not remember clients. In Clusters, main node has a CPSB-MOB-200, other CPSB-MOB-200-HA.
Thank you for the information.
Just adding a point: the licenses with HA suffix do not apply to all gateways, but only to the ones authorized to use it. Some gateways must use the CPSB-MOB-XXX in all the cluster members.
Another important point is that the CPSB-MOB-XX license is not additive, so you must choose between the 50, 200 or unlimited. In the case of an increase in the number of users, the option is a trade-in.
Is buying the CPSB-MOB-50 a one-time purchase? I haven't found any document regarding renewals for it.
The SKU itself is permanent, but you do need to renew the support contract attached to it. It is best to address these kinds of questions with your local Check Point office and/or your local partner.
Do you happen to know what happens if the support contract is not renewed in time?
I'd hope that the Mobile Access Blades keep running, contrary to an expired URLF subscription for example.
Apparently our Blades got moved from UC account to UC account one too many times and now can't get a renewal. I'm waiting for newly ordered Blades with new support contract but they might not come in time.
MAB licenses are generally perpetual and will still operate without a support agreement in place.
However Endpoint Security VPN/SBA and Mobile Access licenses can be used for IPSEC VPN clients.
I have one more question:
I use an eval license, and I disabled the IPsec VPN blade and only enabled the Mobile Access blade on the gateway, but I can connect to the VPN via Check Point Endpoint Security VPN.
As follows in an answer in sk166032:
16. Can I connect an Endpoint Security VPN client to a gateway having only a Mobile Access Blade license attached?
No, only Check Point Mobile for Windows, SNX, Linux and Capsule Connect clients can be connected.
Why can I connect to the VPN in Mobile Access mode via Endpoint Security VPN?
Thank you
If you don't have a Policy Server defined in your environment, the client will act like Check Point Mobile.
Not sure if that's the intended behavior or not, but that appears to be how it operates.
During installation you must choose between SecuRemote (free product, but with limitations), Endpoint Security (complete VPN client, and with the addition of a personal firewall) or Mobile VPN (complete VPN client). According to the option used, one or the other license will be consumed in the gateway.
Hello,
I also have a question regarding this.
If I need "only" 100 licences, do I have to buy the CPSB-MOB-200, or can I buy the CPSB-MOB-50 two times?
I fear that the licences are not additive at all ... ?
So if I already have CPSB-MOB-50 and I need MOB for 100 users, I can do a trade-in for the CPSB-MOB-50 and then I have to buy a CPSB-MOB-200 licence?
Best regards
Thomas
Yes, you have to trade in for a CPSB-MOB-200 license.
Additional question to this: if I use two 6700 gateways in cluster mode (so one running normal, one running HA), do I need 2x normal Mobile Access licenses, or can I use one normal and one HA Mobile Access license?
As with the appliance cluster nodes, you use a HA MOB license for the HA node that is 20% cheaper.
However, you do not necessarily need to use HA SKUs here, but you do need to have a license on each cluster member.
One restriction HA SKUs have is that they can only be used in clusters.
Since the new Quantum appliances, there aren't HA licenses anymore for this type of appliance.
And can you explain why HA licenses do not make sense anymore?
-HA licenses are tied to ClusterXL, which Maestro does not use.
If you ever want to take an appliance from ClusterXL to Maestro, it cannot have any -HA SKUs associated with it (either the main appliance SKU or any of the add-ons like Mobile Access).
The one benefit to -HA SKUs was a cost break for secondary cluster members at the lower end.
They were never offered on higher-end appliances.
Functionally speaking, you never needed -HA SKUs to cluster, just the same SKUs on all cluster members.
High-end appliances are the ones I never met, as Austria is so very small 😢! Understandably, HA licenses for a cluster with all nodes active are a no-go. But it is hard to understand that HA clustering needs full licenses and services even for the standby node. And yes, the mid-range licenses do have local management included as a possible cost break 8)
Hello CP Support -- and CP Product Mgmt ( @PhoneBoy @_Val_ , etc) --
Based on various statements from the local Check Point team and Account Services, and my own experience in the field, it was assumed that all "-HA" licensing went away with the era of the 5000-series.
The "-HA" has been used by both physical appliances and software blades.
It was widely understood that the sunset of "-HA" terms went away with the 5000-series appliances.
I augment this perception with onsite experience where a customer with a 5000-series cluster upgraded to a QLS250 cluster and the MOB-U-HA they had from the 5000-series would not work on the QLS box. We went through significant hassle (and customer pain) to work through the purchase/trade-in of MOB-U-HA ==> MOB-U for the customer.
Fast forward to yesterday (July 10, 2024) and imagine my surprise that the local CP team pumped out a MOB-200 quote (different customer) that included a MOB-200-HA license.
Seriously, what is happening? Please kill all "-HA" licensing, because bringing it back (or not effectively nuking it from orbit) would be hugely confusing for the customer and reseller community.
-GA
Given that -HA licenses can't be used for Maestro and likely ElasticXL in R82, that's a potential issue.
Will check internally and revert.
Just to make it clear on the record, neither @PhoneBoy nor I are CP Support or Product Management. We are the community team.
That said, your argument is understandable. I would suggest sending it to the correct channel though, which is your local sales representatives.
I did check with Product Management and clarified the situation:
- Current Check Point appliances do not have -HA SKUs
- Open Server and certain add-on licenses like MOB SKUs still have -HA counterparts
