ssl extender license

accesslimiter · #1 (**permalink**) 2008-02-04

Can anyone tell me how the SNX (ssl extender) license is counted? Better yet, how to clear this count once it is exceeded? Thanks,

chillyjim · #2 (**permalink**) 2008-02-04

It depends.

On Connectra it is licensed for concurrent users
On firewalls (VPN-1 and VSX) it is licensed per user (named user).

accesslimiter · #3 (**permalink**) 2008-02-05

Thanks, but this is not what I see and I am getting conflicting information from Checkpoint. CP states the ssl extender license, for VPN-1, is based off the users IP once they connect and stored in a table that gets "refreshed" around 2-4 weeks and is con-current. Since a users IP can change constantly this will cause the ssl extender license count to get erroneously exceeded and the table containing this info needs to be cleared. I assume that a cpstop;cpstart would clear this, not an assumption I want to make, this would cause down time and still not clear this table AFAIK. Unlike secureclient with the policy server group I do not have an option to place licensed ssl extender users in a group. Not being able to restrict which users can and can not use ssl extender also presents a problem.

hotice_ · #4 (**permalink**) 2008-02-06

It wouldn't make sense that it counts different Client IPs...

The goal of SSL Extender being to allow users on the road to connect from numerous various remote sites...The table would fill up very quickly

I'd really like to know the real Checkpoint answer to this question though...

chillyjim · #5 (**permalink**) 2008-02-06

Quote:

Originally Posted by accesslimiter

Thanks, but this is not what I see and I am getting conflicting information from Checkpoint. CP states the ssl extender license, for VPN-1, is based off the users IP once they connect and stored in a table that gets "refreshed" around 2-4 weeks and is con-current.

I don't know who is telling you this, but it is wrong.
The license is based on users, not IP addresses.
The "refresh" should be 30 days.
A cpstop;cpstart will not (at least should not) clear the user list.

Unlike SecureClient there is no distinction between users. In SC the count is based on how many users can use the "Policy Server". This is an issue that has been talked about, but the low demand for limiting who can use SNX, leaves it on the back burner.

If this is a real issue for you, please raise it with your Check Point SE and file an RFE.

hotice_ · #6 (**permalink**) 2008-02-07

Quote:

Originally Posted by chillyjim

I don't know who is telling you this, but it is wrong.
The license is based on users, not IP addresses.
The "refresh" should be 30 days.
A cpstop;cpstart will not (at least should not) clear the user list.

Unlike SecureClient there is no distinction between users. In SC the count is based on how many users can use the "Policy Server". This is an issue that has been talked about, but the low demand for limiting who can use SNX, leaves it on the back burner.

If this is a real issue for you, please raise it with your Check Point SE and file an RFE.

Interesting...I'll try to get confirmation from my SE about the 30 days thing

Thanks!

accesslimiter · #7 (**permalink**) 2008-02-07

This info came from the CP license group. I have already contacted our SE on this, waiting on reply. Regardless on user or IP I need to know how to clear this table without waiting 30 days.

hotice_ · #8 (**permalink**) 2008-02-08

Well the entries are located in the table sslt_om_ip_params but I can't seem to find it with the DB edit tool...

but then again, I'm not very experienced with that tool...

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode