Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Advisor

VPN license consumed by a remote user

Is there a way to see which VPN license (CPSB-MOB in GW or CPSB-EP-VPN in Management) is being consumed by a specific user?

0 Kudos
Reply
5 Replies
Highlighted
Admin
Admin

From the gateway perspective, there are two features that matter: Office Mode and Desktop Policy.
Office Mode uses either MOB (includes legacy SNX licenses) or EP (SBA, CPEP-ACCESS, or legacy SecureClient) licensing.
The number of Office Mode addresses you can use is the sum of your MOB and EP licenses (they are additive).
So, for example, if you have 200 MOB and 50 EP license, your gateway can issue up to 250 Office Mode addresses.

Desktop policy for a Remote Access user is an EP licensed feature.
This is a function of two things: the client variant installed (SNX, SecuRemote, and Check Point Mobile don't have a desktop firewall, Endpoint Security VPN does), and the required policy you've configured.

I suppose you could run into a situation where more than X users decide to install as Endpoint Security VPN than you have licenses for.
Offhand, I'm not sure how you'd troubleshoot that precise situation.
0 Kudos
Reply
Highlighted
Advisor

but how does the gateway know the number of CPSB-EP-VPN licenses you have, if this license is installed in the Management???
0 Kudos
Reply
Admin
Admin

Simple: the management lets it know as part of the policy installation.
Note if your Endpoint Management and Gateway Management are separate, I believe there is a license string to install specifically on the gateway management to enable the specific features.
Highlighted
Advisor

That's right. The SBA comes with two separate licenses and both can be installed on a single management server (endpoint and gateway management) or separate (CPSB-SBA-XXXX for the Endpoint Manager and CPSB-SB-EP-VPN for Network Manager).

Sorry if I should have made a new post for these questions, but...in an escenario with 100 SBA-Basic users already deployed, of which only 20 are laptops that go outside and use VPN (the rest are desktops or servers that will not use VPN):

1.- Would it be valid to deploy only the Endpoint Security VPN agent and consume the remaining 80 unused VPN licenses in the Gateway Management (CPSB-SB-EP-VPN)? This while still using the 100 SBA client installed on the Endpoint Manager??

2.- Would enforcement of CPSB-SB-EP-VPN licenses installed in the gateway Management, using the Endpoint Security VPN client, be by concurrent users connected to the VPN?? .

3.- If the client had two or more VPN gateways managed from the same Gw Management, remote users could connect to either of them with this license (CPSB-SB-EP-VPN)?

I hope I was able to make myself understood and thank you very much in advance!
0 Kudos
Reply
Highlighted
Admin
Admin

1. It might technically work, but I believe it's a EULA violation to do that. For users without the full Endpoint, a MOB license is what you want.
2. Endpoint VPN licenses are counted based on installed instances versus Concurrent Users like MOB licenses.
3. Yes.