Mauricio_Andres
Participant

VPN client site - Office mode

Hello guys, currently my client has the VPN and MOB blades, and when using client-to-site VPN it makes use of MOB licensing because Office Mode is enabled. Is there some way to use Office Mode to avoid overlapping IPs that does not consume MOB licensing??

thanks.

0 Kudos
7 Replies
G_W_Albrecht
Legend

I am sorry, but your question is not fully understandable, so I just provide some basic information:

The "old" RA VPN client licensing worked by counting client IPs (called "seats", CLI "dtps lic" on policy server), and the used licenses count showed the number of clients that did connect during the last 30 days. MAB licenses are defined as the number of concurrent clients and MAB even has five grace clients, so the maximum number of concurrent clients is the number of licenses plus five.

There is no supported tool that can check it like "dtps lic" for new endpoint client, but MAB has its own CLI command, see Mobile Access Administration Guide R77 Versions pp. 188:

listusers - Shows a list of end-users connected to the gateway, along with their source IP addresses.

But that is not all as we can look into the kernel tables :

From sk39034: How to check the number of currently connected Remote Access users and sk14496: How to check the names of remote access users that have sent traffic through the Security G...

To see the number of currently connected Remote Access users, run this command (in Expert mode) on the VPN Security Gateway:

[Expert@HostName]# fw tab -t userc_users -s

To see the username of each "connected" remote access user (in the last 15 minutes), run this command (in Expert mode) on VPN Security Gateway:

[Expert@HostName]# fw tab -t userc_rules -f

You can also run the following command on the gateway, in order to see the number of OM IPs which are currently assigned by the gateway:

# fw tab -t om_assigned_ips -s

HOST      NAME                ID   #VALS  #PEAK  #SLINKS
localhost om_assigned_ips     372  1      1      0

The above output (#VALS=1) means currently one client is assigned an OM IP. This includes SNX users with OM IPs as well, who draw on a different license (MAB). In order to find out how many there are of those and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:

# fw tab -t sslt_om_ip_params -s

HOST      NAME                ID   #VALS  #PEAK  #SLINKS
localhost sslt_om_ip_params   372  1      1      0

CCSE CCTE CCSM SMB Specialist
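The two table checks above, turned into a script as an added example (not code from this reply or from Check Point): it reads the #VALS column from `fw tab -t <table> -s` output and subtracts the SNX/MAB count from the total to leave only IPsec OM clients. The sample outputs are constructed; on a gateway the script calls the real `fw tab` command in Expert mode.

```shell
#!/bin/sh
# Count OM IPs held by IPsec VPN clients: #VALS of om_assigned_ips minus
# #VALS of sslt_om_ip_params (the SNX users licensed under MAB).

# Constructed sample "fw tab -t <table> -s" output: header line plus one data line.
SAMPLE_OM='HOST NAME ID #VALS #PEAK #SLINKS
localhost om_assigned_ips 372 7 9 0'
SAMPLE_SSLT='HOST NAME ID #VALS #PEAK #SLINKS
localhost sslt_om_ip_params 372 2 3 0'

# vals_from_summary TABLE TEXT: print the #VALS column (4th field) of the row
# whose NAME field is TABLE; return 1 if no such row exists.
vals_from_summary() {
    table="$1"
    text="$2"
    printf '%s\n' "$text" | awk -v t="$table" '
        $2 == t { print $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_fw_tab_summary TABLE: real "fw tab -t TABLE -s" output when the fw
# binary is available (Expert mode on the gateway), otherwise the samples.
run_fw_tab_summary() {
    if command -v fw >/dev/null 2>&1; then
        fw tab -t "$1" -s
    else
        case "$1" in
            om_assigned_ips)   printf '%s\n' "$SAMPLE_OM" ;;
            sslt_om_ip_params) printf '%s\n' "$SAMPLE_SSLT" ;;
            *) return 1 ;;
        esac
    fi
}

# ipsec_om_clients: total OM IPs minus SNX (MAB) OM IPs.
ipsec_om_clients() {
    total=$(vals_from_summary om_assigned_ips \
        "$(run_fw_tab_summary om_assigned_ips)") || return 1
    snx=$(vals_from_summary sslt_om_ip_params \
        "$(run_fw_tab_summary sslt_om_ip_params)") || return 1
    echo $((total - snx))
}
```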
Mauricio_Andres
Participant

Hi Günther, thanks.

thanks for your help.

I want to know if there is any way to enable Office Mode that does not consume MOB (Office Mode), avoiding the overlap of the internal address of the client with the address delivered by the service provider in a client-to-site VPN connection.

thanks.

0 Kudos
G_W_Albrecht
Legend

I still do not know what you really want to achieve:

- In a RA VPN / client2site connection, you could use SecuRemote RA client for connecting without office mode

- If using both VPN clients (per seat license) and MAB (concurrent users license), you can enable Office Mode for none, one or both, at the same time selecting for each individually how the OM IPs are distributed to the users (e.g. using two different Office Mode IP Pools)

- Usually, the internal IP used as Office Mode IP and the IP from the ISP of the client machine do not interfere with each other, so avoiding the overlap is not a problem...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Mauricio_Andres
Participant

What I want to achieve is to use an RA VPN / client2site connection without using Office Mode and without having overlap problems.

0 Kudos
G_W_Albrecht
Legend

So just use SecuRemote - no OM IP, no license needed! This is very easy:

- use the E80.80 Standalone Windows VPN client from sk122513

- start the installation and select SecuRemote (instead of the default Endpoint Security VPN or Check Point Mobile)

If you did already install one of the two other flavors of the RA VPN client, you don't need to uninstall and reinstall if you want to change the client type 😉 You can just update the Windows registry with one of the values "EndpointSecurity", "Mobile" or "SecuRemote" to change the client type:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CheckPoint\TRAC client_sub_type=SecuRemote

CCSE CCTE CCSM SMB Specialist
PhoneBoy
Admin

Just to be clear, Office Mode requires a licensed VPN product (either MOB or Endpoint). 

SecuRemote does not require a license, but does not provide Office Mode either (connection is NATted by gateway).

0 Kudos
