Thank you.

Per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

EndPoint Security VPN seems to require: 

Which seems to disagree with your statement that no additional blades are required? (Endpoint Container + Endpoint VPN Blade on Mgmt?) Or am I looking at the wrong thing?

The IPsec VPN is included with 5 RA Users - if you can paste your cplic print we will see that.

Features
CPSG-VE+4 CPSB-BASE CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-ADNC CPSB-SSLVPN-5 CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-577E***** (Wasn't sure if that was unique to me)

I think I see the IPSEC Vpn, but what about the "Endpoint Container" & "Endpoint VPN Blade on Mgmt" part?

For RA VPN clients Endpoint Container and Endpoint Management Blade are not needed. Endpoint Security VPN is the StandAlone client managed by NPM Blade on Management (Desktop Policy) only.

Actually, you have to install as Check Point Mobile (same package as Endpoint Security VPN, just different option).
Endpoint Security requires different licensing that isn't included on a gateway. 

This is clear from sk84560: Check Point VPN License Guide  listing the possible clients for CPSB-SSLVPN-5 - License.

Sorry, I don't see where thats clear.

I followed the "Standalone Client" link here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Downloaded the MSI and I think what you're saying is during install out of the 3 Options:

*Endpoint Security VPN

*Checkpoint Mobile

*SecuRemote

I select Checkpoint Mobile? Is that correct?

Yes, this is correct !

Thanks. Trying to now figure out how to set the "gateway ip address" for my WAN interface instead of one of the internal ones now. Endpoint Client gets stuck on "retrieving site information" and if I check trac.log it shows a non-wan ip address for the vpn gateway.

Edit: figured that out. Remaining challenge is to allow my remote client access to manage the CP Cluster itself (2 GWs and a mgmt server). I have two rules with an access role as source on both. One destination as all CP objects, another rule specifies the entire subnet. Services are any, VPN community set to remote access. I can ping but https for instance is blocked.

Edit 2: Ah it seems that Identity Awareness (which it forced me to enable to Access Roles in a rule) is not picking up the user that signed in from Endpoint. I could probably use the "Office Mode" ip pool, but would prefer to leverage Access Roles. Any ideas on what I could be missing?

Aha! It as under cluster properties -> identity awareness -> check the Remote Access (the "install screen" for identity awareness only provided Browser, AD and Agent options)

Can we get an official statement from CP licensing to that effect please?

the line "By default, a Security Gateway comes with a license for 5 users. You can attach a larger blade, if more users are required. " does not allude to specific license type.

Choice of CP Mobile requires enabling another blade and configuration of the different branch of the gateway/cluster properties.

Additionally, it creates an impression that MOB should be enabled in the Layer.

Agreed. Its not very clear and Checkpoint seems to love rebranding the names.