Support_Team_Bi
Contributor

Mobile Access License and VPN License

Hello 

I have something to ask about the Mobile Access license and VPN. [Cluster HA Mode]
1. I have enabled the Mobile Access and IPsec VPN blades.
2. I know that the maximum concurrency for Mobile Access is 5.
3. I configured the policy for all and it works properly (using Check Point Endpoint Security VPN).
4. I use an eval license to test. In monitoring I see a number of users [more than 100 users in remote user tunnels] on the IPsec VPN blade, but there are 0 active sessions in Mobile Access. Why?
5. I need 200 concurrent. Then I buy a CPSB-MOB-200-HA license.
6. I don't understand concurrency in the license. If my eval license ends and I use CPSB-MOB-200-HA, will my VPN concurrent connections work?
7. Please clarify the limits on concurrent VPN connections in the license for remote access [IPsec] and Mobile Access.

Thank you.

0 Kudos
Reply
18 Replies
G_W_Albrecht
Champion

As has been discussed here a lot recently, but I will do a short survey:

CP has two kinds of RA blades and licenses, see sk67820: Check Point Remote Access Solutions for all details! Also helpful is sk166032: Remote Access FAQ covering IPSec and HTTPS portal based VPN solutions.

First way is Endpoint Security IPSec VPN client, that is Endpoint Security VPN (also included in Endpoint Security Suite) licensed per seat (GW remembers the client).

Second is Mobile Access Blade SSL VPN, containing MAB Portal, SNX client, Capsule Workspace for iOS / Android and Check Point Mobile for Windows (also doing IPSec but can do SSL if needed). All these are licensed by concurrent users and do not remember clients. In Clusters, main node has a CPSB-MOB-200, other CPSB-MOB-200-HA.

Support_Team_Bi
Contributor

Thank you for the information.

0 Kudos
Reply
Marcos_Vieira1
Contributor

Just adding a point: the licenses with HA suffix do not apply to all gateways, but only to the ones authorized to use it. Some gateways must use the CPSB-MOB-XXX in all the cluster members.

0 Kudos
Reply
Marcos_Vieira1
Contributor

Another important point is that the CPSB-MOB-XX license is not additive, so you must choose between the 50, 200 or unlimited. In the case of an increase in the number of users, the option is a trade-in.

0 Kudos
Reply
PhoneBoy
Admin

If you're using an IPSEC VPN client, it will terminate on VPN blade (not Mobile Access).
However Endpoint Security VPN/SBA and Mobile Access licenses can be used for IPSEC VPN clients.
0 Kudos
Reply
Support_Team_Bi
Contributor

I have one more question:

I use an eval license and I disable the IPsec VPN blade and only enable the Mobile Access blade on the gateway, but I can connect to the VPN via Check Point Endpoint Security VPN.

As follows, from an answer in sk166032:

16. Can I connect an Endpoint Security VPN client to a gateway having only a Mobile Access Blade license attached?

No, only Check Point Mobile for Windows, SNX, Linux and Capsule Connect clients can be connected.

Why can I connect to the VPN in Mobile Access mode via Endpoint Security VPN?

Thank you

0 Kudos
Reply
PhoneBoy
Admin

The only functional difference between Check Point Mobile and Endpoint Security VPN is the inclusion of a Desktop Policy.
If you don't have a Policy Server defined in your environment, the client will act like Check Point Mobile.
Not sure if that's the intended behavior or not, but that appears to be how it operates.
Marcos_Vieira1
Contributor

During installation you must choose between SecuRemote (free product, but with limitations), Endpoint Security (complete VPN client, with the addition of a personal firewall) or Mobile VPN (complete VPN client). Depending on the option used, one or the other license will be consumed on the gateway.

0 Kudos
Reply
Thomas_Eichelbu
Collaborator

Hello,
I also have a question regarding this.
If I need "only" 100 licences, do I have to buy the CPSB-MOB-200 or can I buy the CPSB-MOB-50 two times?
I fear that licences are not additive at all?

So if I already have CPSB-MOB-50 and I need MOB for 100 users, I can do a trade-in for CPSB-MOB-50 and then I have to buy a CPSB-MOB-200 licence?


best regards
Thomas

0 Kudos
Reply
PhoneBoy
Admin

Yes, you have to trade in for a CPSB-MOB-200 license.

0 Kudos
Reply
WimB
Explorer

Additional question to this: if I use two 6700 gateways in cluster mode (so one running normal, one running HA), do I need 2x normal Mobile Access licenses, or can I use one normal and one HA Mobile Access license?

0 Kudos
Reply
G_W_Albrecht
Champion

As with the appliance cluster nodes, you use a HA MOB license for the HA node that is 20% cheaper.

0 Kudos
Reply
PhoneBoy
Admin

However, you do not necessarily need to use HA SKUs here, but you do need to have a license on each cluster member.
One restriction HA SKUs have is that they can only be used in clusters. 

0 Kudos
Reply
MarkWeber
Employee

Since the new Quantum appliances, there aren't HA licenses anymore for this type of appliance.

HA.png

0 Kudos
Reply
G_W_Albrecht
Champion

And can you explain why HA licenses do not make sense anymore?

0 Kudos
Reply
PhoneBoy
Admin

-HA licenses are tied to ClusterXL, which Maestro does not use.
If you ever want to take an appliance from ClusterXL to Maestro, it cannot have any -HA SKUs associated with it (either the main appliance SKU or any of the add-ons like Mobile Access).

The one benefit to -HA SKUs was a cost break for secondary cluster members at the lower end.
They were never offered on higher-end appliances.
Functionally speaking, you never needed -HA SKUs to cluster, just the same SKUs on all cluster members.

0 Kudos
Reply
G_W_Albrecht
Champion

High-end appliances are the ones I never met, as Austria is so very small 😢! Understandably, HA licenses for a cluster with all nodes active are a no-go. But it is hard to understand that HA clustering needs full licenses and services even for the standby node. And yes, the mid-range licenses do have local management included as a possible cost break 😎

0 Kudos
Reply