This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave_Hoggan
Contributor
‎2020-03-05 05:24 AM

Two ways to handle Remote Access: How seamlessly can they integrate?

Hi all,

I've been struggling to find an answer to the following two questions, so hoping someone here might be able to help. I also think some of us might also have the same questions.

---

First, the easy question. As I understand it both Endpoint Security VPN and Mobile for Windows are IPSec clients that can wrap the communication to the gateway in HTTPS (aka visitor mode). Am I right in assuming that this is simply a case of IPSec over port 443 and there is no SSL involved? I am trying to work out if adding, for example, 200 extra VPN client users will have a big effect of gateway performance. If they are simple IPsec tunnels then no, but if they each need to be SSL decrypted, then that is more of an impact.

---

Second, the harder question. Imagine I have an existing deployment of Endpoint Security VPN with appropriate endpoint container licensing for VPN and FW and that I have enough licensing for 50 VPN users. Due to the COVID-19 situation I want to use the  Check Point's 60-day MAB license offer for an additional 200 remote users. I understand that these extra users won't have the client FW capability as it's not part of the MAB license. Let's assume that I have obtained the 200 MAB user license from Check Point and added it.

1) Can I deploy the Endpoint Security VPN client to ALL users. I understand users connecting under MAB licensing will not get the endpoint FW capability, but I would like to keep things simple by only having a single client type deployed.

2) I now have two two remote access VPN license schemes installed (50 Endpoint containers and 200 MAB licenses). When a remote VPN user connects, which license scheme is used first? This is important as it will dictate whether the user gets the endpoint FW or not. 

1) When enough remote users connect to exhaust one licensing scheme, will it automatically start using the next licensing scheme?  For example, if the endpoint container scheme is used first, when the 51st user connects will it automatically see this as a MAB license?   

Thanks,


Dave

0 Kudos
31 Replies
CheckPointerXL
Advisor
Advisor
‎2025-06-12 01:06 PM
In response to PhoneBoy

i ran the script and i got:

 

Immagine 2025-06-12 215930.png

basically, i already was aware about 150 licenses (user center and cplic print) and i'm/was aware about peak and current usage (fw tab -t userc_users -s)... so nothing new on my side

cannot still understand how that old license works... looking at the stats it seems per-concurrent

if not, how you said and how some sk said, i cannot understand where corrispondence about user and consumed license by them are stored/displayed... spent hours till now 🙂 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-12 01:29 PM
In response to CheckPointerXL

Output of cplic print -x might be helpful to "deconstruct" that SKU into its atomic license elements.
That should tell us definitively.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events