Hello guys, currently my client has the VPN and MOB blades, and at the time of consuming client-to-site VPN it makes use of MOB licensing due to Office Mode being enabled. Is there some way to use Office Mode to avoid overlapping IPs which does not consume MOB licensing?
I am sorry, but your question is not fully understandable, so I will just provide some basic information:
The "old" RA VPN client licensing worked by counting client IPs (called "seats", CLI "dtps lic" on policy server), and the used licenses count showed the number of clients that did connect during the last 30 days. MAB licenses are defined as the number of concurrent clients and MAB even has five grace clients, so the maximum number of concurrent clients is the number of licenses plus five.
There is no supported tool that can check it like "dtps lic" for new endpoint client, but MAB has its own CLI command, see Mobile Access Administration Guide R77 Versions pp. 188:
listusers - Shows a list of end-users connected to the gateway, along with their source IP addresses.
But that is not all, as we can look into the kernel tables:
To see the number of currently connected Remote Access users, run this command (in Expert mode) on the VPN Security Gateway:
[Expert@HostName]# fw tab -t userc_users -s
To see the username of each "connected" remote access user (in the last 15 minutes), run this command (in Expert mode) on VPN Security Gateway:
[Expert@HostName]# fw tab -t userc_rules -f
You can also run the following command on the gateway, in order to see the number of OM IPs which are currently assigned by the gateway:
# fw tab -t om_assigned_ips -s
HOST       NAME             ID   #VALS  #PEAK  #SLINKS
localhost  om_assigned_ips  372  1      1      0
The above output (#VALS=1) means currently one client is assigned an OM IP. This includes SNX users with OM IPs as well, who take up from a different license (MAB). In order to find out how many there are of those and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:
# fw tab -t sslt_om_ip_params -s
HOST       NAME               ID   #VALS  #PEAK  #SLINKS
localhost  sslt_om_ip_params  372  1      1      0
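The subtraction described in the reply above, as an added example that is not part of the original thread or any Check Point tooling: it reads the `#VALS` column from `fw tab -s` summary output and reports how many Office Mode IPs are held by IPsec VPN clients rather than SNX users. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: parse `fw tab -t <table> -s` summary output as quoted in the thread.

# tab_vals TABLE
# Reads `fw tab -s` output on stdin and prints the #VALS value for TABLE.
# The #VALS column is located from the header row instead of assumed by position.
# Returns non-zero when the header or the table row is missing (for example when
# the command printed an error instead of a summary).
tab_vals() {
    awk -v table="$1" '
        $1 == "HOST" {
            for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i
            next
        }
        col && $2 == table { print $col; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# ipsec_om_clients OM_OUTPUT SSLT_OUTPUT
# Office Mode IPs held by IPsec VPN clients = all assigned OM IPs
# (om_assigned_ips) minus those held by SNX users (sslt_om_ip_params).
ipsec_om_clients() {
    total=$(printf '%s\n' "$1" | tab_vals om_assigned_ips) || return 1
    snx=$(printf '%s\n' "$2" | tab_vals sslt_om_ip_params) || return 1
    echo $((total - snx))
}

# Constructed sample outputs (not captured from a real gateway).
SAMPLE_OM='HOST       NAME               ID   #VALS  #PEAK  #SLINKS
localhost  om_assigned_ips    372  7      9      0'
SAMPLE_SSLT='HOST       NAME               ID   #VALS  #PEAK  #SLINKS
localhost  sslt_om_ip_params  372  2      3      0'

echo "IPsec VPN clients holding an OM IP: $(ipsec_om_clients "$SAMPLE_OM" "$SAMPLE_SSLT")"

# On a gateway in Expert mode the same function takes the live output:
#   ipsec_om_clients "$(fw tab -t om_assigned_ips -s)" \
#                    "$(fw tab -t sslt_om_ip_params -s)"
```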
Hi Günther, thanks for your help.
I want to know if there is any way to enable Office Mode that does not consume MOB (Office Mode), avoiding the overlap of the internal address of the client with the address delivered by the service provider in a client-to-site VPN connection.
I still do not know what you really want to achieve:
- In a RA VPN / client2site connection, you could use SecuRemote RA client for connecting without office mode
- If using both VPN clients (per seat license) and MAB (concurrent users license), you can enable Office Mode for none, one or both, at the same time selecting for each individually how the OM IPs are distributed to the users (e.g. using two different Office Mode IP Pools)
- Usually, the internal IP used as Office Mode IP and the IP from the ISP of the client machine do not interfere with each other, so avoiding the overlap is not a problem...
So just use SecuRemote - no OM IP, no license needed! This is very easy:
- use the E80.80 Standalone Windows VPN client from sk122513
- start the installation and select SecuRemote (instead of the default Endpoint Security VPN or Check Point Mobile)
If you have already installed one of the two other flavors of the RA VPN client, you don't need to uninstall and reinstall if you want to change the client type 😉 You can just update the Windows registry with the values: "EndpointSecurity", "Mobile" and "SecuRemote" to change client type:
Just to be clear, Office Mode requires a licensed VPN product (either MOB or Endpoint).
SecuRemote does not require a license, but does not provide Office Mode either (connection is NATted by gateway).