CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #1 (permalink)  
Old 2007-11-28
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default R60 to R65 Upgrade issue

Hello,

We want to use Web Intelligence and have used a 30-day evaluation license to do so to this point. When we started the evaluation (we have used about 3 30-day evals so far), we were on R60 on our management server and have R60 gateways. The issue started when we ran the R65 upgrade on our management server, as this now has us having an R65 management server with R60 gateways (we haven't completed the upgrade of the gateways yet). We are now not able to add the same eval license to continue to use Web Intelligence because it says we are short on licenses. We are doing the same process we did before successfully when we had an R60 management server and R60 gateways... It just doesn't work anymore now that our management server is R65???

Is there something that changes in the settings when you run the R65 upgrade? Is there an incompatibility with R65 management server and R60 gateways when using Web Intelligence?

Please Help...

We bought a 10 web permanent license and now it doesn't even work with the evaluation... :(
  #2 (permalink)  
Old 2007-11-28
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

Hello,

Here is the error when I try to push a policy... I get this error even if I try to push a policy with only one web added to the list???

"Additional licenses for Web Intelligence are required.You have (1) Web Intelligence installed, while (10) gateways are involved in Web Intelligence protection. Operation ended with errors."


Thanks in advance for the assistance
  #3 (permalink)  
Old 2007-11-28
Senior Member
 
Join Date: 2006-02-09
Location: Charleston, SC
Posts: 291
Rep Power: 3
lammbo has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

This one got me too, I was a raving lunatic when I could not push policy and had to figure this change out - this should help but may not be complete. I am fairly new to WIT myself but have every confidence someone will correct me if I've made a mistake.

First, WIT deployment has changed between R60 and R65. The proper licensing model for WI is this:
1 gateway enforcing WIT uses 1 license for X number of servers (you say yours is 10, so you can protect 10 servers on 1 gateway). For example, an Active/Passive HA cluster would use 2 licenses for X hosts. The licenses are attached to your SCS server, not the gateways themselves.

Second, there is no compatibility issue I am aware of between R65 SCS and R60 Gateways. I am running this configuration with WI deployed.

Third (and the most important) you must define multiple profiles for multiple gateways. Right now, your default security policy is named Default_Protection.

To locate this and create a different profile:
1) Go to the SmartDefense policy tab --> Profile Management.
2) Select New --> Clone Selected Profile (I named my new one WIT_Enabled)
3) Now you will need to go through the web servers you have defined and remove them from the Default_Protection profile.
4) Now go to Profile assignment and assign the new profile that has your WIT enabled servers to the appropriate gateway/cluster.

With all that done, your non-WIT-licensed servers will (also read MUST) have the profile that has no WIT enabled servers or it will tell you not enough licenses.

Also, one last note: You can create separate profiles for each site if you wish, it does not have to stay limited to the 2 profiles.
__________________
There's no place like 127.0.0.1

Last edited by lammbo; 2007-11-28 at 07:30.
  #4 (permalink)  
Old 2007-11-28
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

Hello,

Thanks for the reply...

If I have an IP cluster in production will I need a second license when I try to add webs that are protected by that gateway?

I was always given the impression that the protection doesn't have to do with the gateways but instead just involves a license on the management server. I was always told that as long as you don't exceed the number of webs, the number of gateways doesn't matter. Is this correct? Is there an added wrinkle if one of the webs is protected by a gateway that is IP clustered?

Once again thanks for the response!!
  #5 (permalink)  
Old 2007-11-28
Senior Member
 
Join Date: 2006-02-09
Location: Charleston, SC
Posts: 291
Rep Power: 3
lammbo has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

Sorry, but I don't believe that is the case. I have 4 Unlimited licenses and if what you are saying is true, then I would only need the 1 license for all 4 of the gateways I use WIT on. I assure you, mine fails without all 4 licenses attached to SCS.

Anyone else more familiar with the licensing that can verify this?
  #6 (permalink)  
Old 2007-11-28
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

Hello,

So I am guessing that I need to swap my 10 web license for three 3 web licenses... I will then also assume that my three gateways will each have a license which gets added under the management server in smart update. Does the management server need a license with its IP too?

I have webs I need to protect behind 3 different gateways... and they are controlled, as you would expect, by the management server. With your 4 licenses... Are you protecting webs behind 4 gateways? Or are you protecting behind three and one for the management server?
  #7 (permalink)  
Old 2007-11-28
Senior Member
 
Join Date: 2006-02-09
Location: Charleston, SC
Posts: 291
Rep Power: 3
lammbo has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

Quote:
Originally Posted by brierw
With your 4 licenses... Are you protecting webs behind 4 gateways? Or are you protecting behind three and one for the management server?
I'm protecting hundreds of web servers behind 2 Active/Passive HA Clusters at 2 sites of the 6 I manage.

2 Clusters times 2 gateways per cluster = 4 Licenses (in my case, for Unlimited hosts)

So for your situation... Yes, you will need 3 licenses for 3 hosts each and all 3 licenses will be attached to your SCS. If this was your model when you were sold the single license for 10 hosts, you really need to check with your retailer and your CP sales rep so you will get full purchase price credit because they sold you the wrong thing.
  #8 (permalink)  
Old 2007-11-28
Member
 
Join Date: 2006-10-07
Posts: 33
Rep Power: 0
brierw has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

Hi,

Thanks for the reply...

I have one active/active Nokia IP cluster and two other single gateways... Looks like I'm in for four 3 web licenses...

Do I use the IP of the management server each time? Or the IPs of each of the gateways when I set up the licenses?
  #9 (permalink)  
Old 2007-11-28
Senior Member
 
Join Date: 2006-02-09
Location: Charleston, SC
Posts: 291
Rep Power: 3
lammbo has an average reputation (10+)
Default Re: R60 to R65 Upgrade issue

All 4 will use the internal IP for your SCS. Like SecureClient Licenses, they are centrally managed and only live on the SCS.