SecureClient without Policy Server

[bugueur]

Hi all,

After looking to many threads on CPUG, I still have no answer for this important questions :

- Is it legally acceptable to use SecureClient instead of SecuRemote in order to use the Office mode feature?

I don't need the desktop firewall functionality and I don't want to pay for that so I have configured my remote users with SecureClient VPN client. Since there is no Policy server configured on my network, I don't have any licensing warning. I guess this is completely free?

Many thanks for your replies.

[chillyjim]

Quote:

Originally Posted by bugueur

- Is it legally acceptable to use SecureClient instead of SecuRemote in order to use the Office mode feature?

No it is not at this time.

[bugueur]

Thanks, so what can I do then?
I need absolutely this office mode feature :-(

[chillyjim]

You can buy the client. Talk to your SE/Sales Rep from Check Point, they can probably help out on the cost.

[bugueur]

Quote:

Originally Posted by chillyjim

You can buy the client. Talk to your SE/Sales Rep from Check Point, they can probably help out on the cost.

Thanks chillyjim, have a nice day.

[Thorpuse]

To add another perspective on this....

Has Check Point come out recently and specifically stated this lately? I'm actually not certain that this is the case anymore. For example :

1. If you use an Edge device for VPN, you are allowed to use Office mode with it without a SecureClient license.
2. If you use SNX, you must use Office Mode. However the SNX license doesn't specifically include OM.
3. In light of the recent SR vulnerability, Check Point's official recommendation is to use Office Mode. You could make a fair case that on security grounds, you are allowed to use OM without a SecureClient license.
4. SecureClient licensing only enforces logins to a policy server. As OM does not require a policy server, it is arguable that the SC license was never meant to enforce OM use. Seeing as CP has known about this since at least 2002 and has done nothing about it, I don't know that there is actually an objection from CP about this anymore.

Anyone from CP lurking here want to clarify this?

[chillyjim]

The simple answer is that the EULA has not changed in several years for this.

Quote:

Originally Posted by Thorpuse

To add another perspective on this....

Has Check Point come out recently and specifically stated this lately? I'm actually not certain that this is the case anymore. For example :

1. If you use an Edge device for VPN, you are allowed to use Office mode with it without a SecureClient license.

The Edge is licensed for use of SecuRemote and a subset of SecureClient functionality.

Quote:

2. If you use SNX, you must use Office Mode. However the SNX license doesn't specifically include OM.

Different product. It's not the OM that licensed, its the actual client in a VPN-1 environment.

Quote:

3. In light of the recent SR vulnerability, Check Point's official recommendation is to use Office Mode. You could make a fair case that on security grounds, you are allowed to use OM without a SecureClient license.

Yes you probably could, but the official answer is still that you need to license SC for use in a VPN-1 environment.

Quote:

4. SecureClient licensing only enforces logins to a policy server. As OM does not require a policy server, it is arguable that the SC license was never meant to enforce OM use. Seeing as CP has known about this since at least 2002 and has done nothing about it, I don't know that there is actually an objection from CP about this anymore.

Anyone from CP lurking here want to clarify this?

There isn't anyone of us in the field that will not agree with you on this point. We bring it up all the time. Maybe now with the death of SecureClient on the price list (Replaced with CPES-SA, which includes a Policy Server license) there can be some movement on this.

I will bring it up with product management again.

[abusharif]

Since secureclient is gone and part of endpoint security the rules that should (logicaly :s) apply are those stated on the product/licensing description

Quote:

Check Point Endpoint Security licensed per protected endpoint. An Endpoint is defined as a Computer Instance in the Check Point Endpoint Security End User License Agreement.
Licensing is additive.

So basically, if you install it on the PC, you require license.

[Thorpuse]

My argument is not about SecureClient licensing, but about specifically whether OM is a feature that is specific to that product. Seeing as the SecureClient license doesn't enforce this, I think a case can be made around it. Does the EULA specifically state that Office Mode is (was?) a SecureClient feature? Does it matter, seeing as SecureClient as a SKU appears to be disappearing?

I'll be sad to see SecureClient go.... I still maintain that the Desktop Security policy in VPN-1 is miles ahead of the "classic" firewall rules in Integrity (oops, I mean CP Endpoint Security blah blah blah...).

[melipla]

Quote:

Originally Posted by Thorpuse

I'll be sad to see SecureClient go.... I still maintain that the Desktop Security policy in VPN-1 is miles ahead of the "classic" firewall rules in Integrity (oops, I mean CP Endpoint Security blah blah blah...).

The Desktop Security policy may be more advanced but the SCV checking mechanism in SecureClient is, IMHO, incredibly broken.

I am disappointed to see SecureClient "quietly" disappear as we've had a lot of problems with Integrity.

[chillyjim]

Quote:

Originally Posted by chillyjim

There isn't anyone of us in the field that will not agree with you on this point. We bring it up all the time. Maybe now with the death of SecureClient on the price list (Replaced with CPES-SA, which includes a Policy Server license) there can be some movement on this.

I will bring it up with product management again.

There is no plan on changing SC's EULA. As said above, SC is leaving the price list, but for the moment anyway the Client will be maintained "Standalone" for those that do not want/cannot install the CPES-SA client. The CPES-SA license includes SC and Policy Server.