Access Licensing Overview - sept 2011

ACCESS LICENSING
OVERVIEW
sept 2011
AGENDA
• New cluster licensing
• SSLVPN Licensing review
• UAC Licensing review
• Central Licensing
• Leasing Licenses
• Surrendering Licenses
• Virtual Appliance Licensing
• New Secure Meeting Licensing
• Secure Meeting on Virtual Appliances
• ICE license, ICE maintenance and new 25% burst ICE license
Copyright © 2009 Juniper Networks, Inc.
www.juniper.net
OLD CLUSTER LICENSING
N-node cluster with 10000 concurrent users needs
• ADD-10000U licenses at one node – the license primary
• CL-10000U licenses at other N-1 nodes
  – CL license at other N-1 nodes for IC
• Any feature licenses at primary node
Cluster licensed for at least 10000 users under all circumstances
• Up to N-1 node failures
• Cluster partitions
  – Each partition licensed to support 10000 users
If cluster is broken into standalone units
• One node with licenses to support 10000 users
• Rest of the nodes with no licensed capacity
NEW CLUSTER LICENSING
Introduced with SSLVPN 7.0 and UAC 4.1
No CL licenses needed
• If already present, used in a backward compatible way
Any license can be installed at any node
• Total concurrent user capacity = sum total of all user count licenses
• Licenses on unreachable nodes stop contributing towards total cluster capacity if they stay unreachable for longer than the cluster grace period (5 days)
  – Unless sufficient CL licenses are present
• Starting 7.1r2 grace period increased to 10 days
Customers encouraged to distribute ADD user count licenses evenly across the cluster
• A node removed from a cluster takes its licenses with it
Feature licenses need be present at only one node
• No change from current behavior
ICE Licenses need be present on all nodes you want to use in case of emergency
• 2 ICE licenses required for a 2-node cluster
CLUSTER LICENSED CAPACITY
Each node computes cluster licensed capacity independently
• Session capacity computed separately for each “feature”
  – Base Concurrent Users, EES, RDP
Licenses installed on all reachable nodes are always counted towards the total cluster capacity
If the computing node has X user count licenses installed, it can count up to X licenses from each unreachable node towards total cluster capacity for a cluster grace period of 5 days
• System keeps track of which node has been unreachable for how long
• Cluster grace period expiry information displayed at the Admin UI Licensing page
If the computing node has Y -CL licenses, it can count up to a sum total of Y licenses from the unreachable nodes towards total cluster capacity for an indefinite period
CLUSTER UPGRADED FROM A PREVIOUS RELEASE
Two node cluster
• Node A with 1000 user count licenses
• Node B with 1000 CL licenses
Cluster capacity as seen by node A
• 1000A = 1000
Cluster capacity as seen by node B
• min(1000B-CL, 1000A) = 1000
CL licenses are not bound by cluster grace period
No change in effective cluster capacity in most cases
• No upgraded cluster will ever see a drop in licensed capacity
• No unqualified nodes
CLUSTER CAPACITY EXAMPLE – GOOD
Two node cluster
• Node A with 500 user count licenses
• Node B with 500 user count licenses
Cluster capacity as seen by node A
• Connected cluster
  – 500A + 500B = 1000
• Disconnected cluster
  – Within grace period of 5 days: 500A + min(500A, 500B) = 1000
  – Past grace period: 500A = 500
  – Customer has 5 days to diagnose/remedy the problem
Even license distribution
• Desirable system behavior during cluster disconnects
CLUSTER CAPACITY EXAMPLE – NOT RECOMMENDED
Two node cluster
• Node A with 250 user count licenses
• Node B with 750 user count licenses
Cluster capacity as seen by node A
• Connected cluster
  – 250A + 750B = 1000
• Disconnected cluster
  – Within grace period of 5 days: 250A + min(250A, 750B) = 500
  – Past grace period: 250A = 250
Uneven license distribution
• Undesirable drop in licensed capacity during cluster disconnects
CLUSTER CAPACITY EXAMPLE – CONVOLUTED
Two node cluster
• Node A with 250 user count and 500 CL licenses
• Node B with 750 user count licenses
Cluster capacity as seen by node A
• Connected cluster
  – 250A + 750B = 1000
• Disconnected cluster
  – Within grace period of 5 days: 250A + min(250A, 750B) + min(500A-CL, 750B – 250) = 1000
  – Past grace period: 250A + min(500A-CL, 750B) = 750
SSLVPN Licensing Review
SA2000/4000/6000
• Old cluster licensing SAx000-ADD-xxU and -CL still valid.
• New cluster licensing SAx000-ADD-xxU on both nodes starting software 7.0.
• Remark: 7.1 is last release to be supported on SAx000
SA2500/4500/6500
• Old cluster licensing SAx500-ADD-xxU and -CL still valid.
• New cluster licensing SAx500-ADD-xxU on both nodes starting software 7.0.
MAG
• Requires ACCESS-X600 licenses.
• Licenses have dual personality, SA/IC depending on MAG deployment.
• Licensing based on new cluster licensing, no -CL licenses available.
• Minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.
UAC Licensing Review
IC4000/6000
• Old cluster licensing ICx000-ADD-xxE and ICx000-CL still valid.
• New cluster licensing ICx000-ADD-xxE on both nodes starting software 4.1.
IC4500/6500
• Old cluster licensing ICx500-ADD-xxE and ICx500-CL / ICx500-CL-250E still valid.
• New cluster licensing ICx500-ADD-xxE on nodes starting software 4.1.
MAG
• Requires ACCESS-X600 licenses.
• Licenses have dual personality, SA/IC depending on MAG deployment.
• Licensing based on new cluster licensing, no -CL licenses available.
• Minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.
Central Licensing / Leasing licenses
Central Licensing Server
• SAx000/SAx500/ICx000/ICx500/MAG with an ACCESS-LICENSE-SERVER
• Server maintenance: ‘-L’ version (lowest user count)
• Starting software 7.0 (go to 7.1 where possible) or 4.1
Appliance(s) leasing from the server
• MBR license on the appliance
  – SAx000-LICENSE-MBR ; SAx500-LICENSE-MBR
  – ICx000-LICENSE-MBR ; ICx500-LICENSE-MBR
  – MAG2600-LICENSE-MBR ; MAG4610-LICENSE-MBR
  – SM160-LICENSE-MBR ; SM360-LICENSE-MBR
• ACCESS-X500 licenses on the server for SAx500/ICx500 appliance
• ACCESS-X600 licenses on the server for MAG appliance
• Maintenance: choose maintenance corresponding to the expected user count on the appliances
• Example: A license server is deployed with 50K licenses along with 10 SA6500s. Since the average count across each of the SA6500s is 5K concurrent users, that places each appliance in the -H pricing range: SVC-ND-SA6.5K-H, Juniper Care NextDay Support for SA6.5K-H (5000U+)
Central Licensing – cluster licensing
A client cluster retrieving its licenses from a license server:
• The license server can lease licenses to standalone clients and clustered clients.
• Each cluster member must have the -LICENSE-MBR license installed.
• Only one cluster member, identified by the SA/UAC software, makes the lease requests on behalf of all cluster members.
• This member can query, renew, and increment licenses for other cluster members when the members are connected to the cluster.
• When setting up the cluster license information, it is not necessary to enter the cluster configuration at the license server. This information is retrieved dynamically as each client reports its own cluster affiliation.
• The initial communication between the cluster and the license server retrieves the reserved counts for all cluster members registered with the license server.
• Incremental requests are the sum of all members in the cluster that are not at their maximum configured capacity.
NO DYNAMIC ALLOCATION OF LICENSES
The license server does not offer dynamic allocation of licenses.
Licenses are allocated ahead of time by the administrator and are then tied to each appliance for a minimum of 24 hours.
Each member can be configured to allocate a base number of licenses and instructed to increase the number of allocated licenses from the central server in case of need.
This greatly aids service resilience: a single license server can be deployed and scaled without concern that even a basic route failure in the network might prevent users from being able to log in.
Central Licensing: clustered license server
Can the license server itself be clustered?
No plans… here’s why:
The license server is not a single point of failure such that if it goes offline the service is impacted. Even if it goes down for days at a time, the virtual appliances will continue to run. All the license server is there for is to assign the licenses to each virtual appliance. The design has enough resiliency that even a network outage at any point between the client virtual appliance and the license server will not impact any business. And if a license server goes down completely, such as an RMA, they can quickly bring a backup SA device online and restore the entire configuration from their last scheduled backup.
The MTBF of a single box that will not support anything but the license server features is so low that adding all of the overhead of clustering and load balancing could actually be a loss rather than a gain, especially since the recovery procedure is as simple as bringing a backup box online and restoring the system and user configuration backup files and then working with JTAC to make the license move to the new hardware ID permanent, which is all part of a standard RMA process. Some customers that want the highest MTBF are looking to build their license server on fully configured SA6500s (redundant power supplies and hard drives with an MTBF of 98,000 hours).
Central Licensing: surrendering licenses
A license member can surrender its concurrent user licenses to the license server.
Surrendered licenses can be leased to other license members.
Only permanent non-subscription concurrent user licenses can be surrendered:
• ADD
• New MTG (7.2 onwards on MAG)
No subscription licenses can be surrendered from any appliance.
Any license that has a duration cannot be surrendered, e.g. LAB, EVAL, ACCESS subscription…
The following licenses CANNOT be surrendered:
• ICE, MTG, EES, PRM, RDP, IVS
Virtual Appliance Licensing
License Server
• Required!
• SAx000/SAx500/ICx000/ICx500/MAG with an ACCESS-LICENSE-SERVER
• Server maintenance: ‘-L’ version (lowest user count)
• Starting software 7.0 (go to 7.1 where possible) or 4.1
Virtual Appliance
• MBR license per VA (*)
• ACCESS-xxx-zYR subscription licenses on license server
• Only subscription licenses, no perpetual licenses for VA model
• Maintenance covered by the subscription license.
* There is currently an issue in the 7.1 code that does not allow MBR license validation. Open a customer care case to request an -MBR license. Starting with 7.2, -MBR licenses will be available in the pricing list again.
NEW SECURE MEETING LICENSING ON MAG
From 7.1r2 onwards, MAG Secure Meeting will follow a concurrent user license model, as opposed to the SAx500/SAx000 Secure Meeting platform licenses
SKU | Description
ACCESSX600-MTG-25U | Add 25 simultaneous Secure Meeting users to X600 Series Appliances
ACCESSX600-MTG-50U | Add 50 simultaneous Secure Meeting users to X600 Series Appliances
ACCESSX600-MTG-100U | Add 100 simultaneous Secure Meeting users to X600 Series Appliances
ACCESSX600-MTG-250U | Add 250 simultaneous Secure Meeting users to X600 Series Appliances
Licenses based on total number of concurrent “meeting” users
Meeting user count is separate from SSLVPN user count
User count includes all types of users (hosts, attendees, internal, external)
SKUs not tied to the platforms; limited max meeting users per platform
• MAG2600: support up to 50 concurrent meeting users
• MAG4610: support up to 100 concurrent meeting users
• MAG-SM160 blade: up to 100 concurrent meeting users
• MAG-SM360 blade: up to 250 concurrent meeting users
NEW SECURE MEETING LICENSING ON MAG
Clustering is supported under the new clustering model.
The total number of concurrent users supported in a cluster cannot exceed 2 * (the maximum user limit of the cluster platform).
The new licenses are additive up to the maximum limit supported on a given platform.
For example, on a single MAG2600, a customer can start with a 25 user license and then add another 25 users to support up to 50 concurrent meeting users (max limit) on that platform.
Licenses are supported on the MAG series Junos Pulse Gateway platforms only. Customers on the old SA X500 platform will need to purchase the old platform-based meeting licenses.
The new licenses can be installed and leased from a "License Server".
A COR support license must be purchased separately for support coverage:
SVC-COR-SA-MTG | Juniper Care Core Support for feature SA-MTG & MAG-MTG
SECURE MEETING ON VIRTUAL APPLIANCES
Each VA includes 50 users/ 25 meetings
No license required
Platform license
IN CASE OF EMERGENCY
In Case of Emergency is a platform license and cannot be leased
• MAGX600-ICE: Full Capacity ICE
New 25% burst ICE option: ACCESS-ICE-25PC
• Available in 7.1R2, May Pricelist
• Allows ACCESS appliances to burst by 25% of the installed license count
• Example: ACCESSX600-ADD-5000U license would go to 6,250 users during the ICE activation period.
• Supported on MAG and SA
ICE maintenance SKUs (e.g. SVC-COR-MAG4610-ICE) are only there for situations where a customer has only deployed ICE licenses on the appliances and nothing else.
The typical use case for this would be a disaster recovery site where they have installed only the hardware with some ICE licenses.
MAG2600
Max Capacity: 100 Concurrent Users
Hardware SKUs
SKU | Description
MAG2600 | Junos Pulse Gateway 2600 Base System, Fixed Config, Secure Access/Access Control Services
License SKUs
SKU | Description
ACCESSX600-ADD-10U | Add 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25U | Add 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-50U | Add 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-100U | Add 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances
MAG2600-LICENSE-MBR | Allows Junos Pulse Gateway 2600 appliance to participate in leased licensing
MAG4610
Max Capacity: 1,000 Concurrent Users
Hardware SKUs
SKU | Description
MAG4610 | Junos Pulse Gateway 4610 Base System, Fixed Config, Secure Access/Access Control Services
License SKUs
SKU | Description
ACCESSX600-ADD-10U | Add 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25U | Add 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-50U | Add 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-100U | Add 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-250U | Add 250 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-500U | Add 500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-1000U | Add 1000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
MAG4610-LICENSE-MBR | Allows Junos Pulse Gateway 4610 appliance-blade to participate in leased licensing
MAG6610 & MAG6611
Max Capacity:
• 1,000 Concurrent Users (Per SM160 Blade)
• 10,000 Concurrent Users (Per SM360 Blade)
Hardware SKUs
SKU | Description
MAG6610 | Junos Pulse Gateway 6610 Base System, Chassis + AC PS
MAG6611 | Junos Pulse Gateway 6611 Base System, Chassis + AC PS
MAG-SM160 | Junos Pulse Gateway Application Blade 160, Secure Access/Access Control Service
MAG-SM360 | Junos Pulse Gateway Application Blade 360, Secure Access/Access Control Service
MAG6610 & MAG6611 (LICENSING)
License SKUs
SKU | Description
ACCESSX600-ADD-10U | Add 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25U | Add 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-50U | Add 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-100U | Add 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-250U | Add 250 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-500U | Add 500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-1000U | Add 1000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-2000U | Add 2000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-2500U | Add 2500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-5000U | Add 5000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-7500U | Add 7500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-10KU | Add 10000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
SM160-LICENSE-MBR | Allows Junos Pulse Gateway SM160 appliance-blade to participate in leased licensing
SM360-LICENSE-MBR | Allows Junos Pulse Gateway SM360 SA/IC appliance-blade to participate in leased licensing
ENTERPRISE LICENSE SERVER
Server License SKU
SKU | Description
ACCESS-LICENSE-SVR | Enables enterprise access appliance as a license server
High Scale License SKUs
SKU | Description
ACCESSX600-ADD-15KU | Add 15000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-20KU | Add 20000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25KU | Add 25000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
Lease Enablement SKUs
Stackable licenses above and beyond what a single Junos Pulse Gateway can achieve on its own
SKU | Description
MAG2600-LICENSE-MBR | Allows Junos Pulse Gateway 2600 appliance to participate in leased licensing
MAG4610-LICENSE-MBR | Allows Junos Pulse Gateway 4610 appliance-blade to participate in leased licensing
SM160-LICENSE-MBR | Allows Junos Pulse Gateway SM160 appliance-blade to participate in leased licensing
SM360-LICENSE-MBR | Allows Junos Pulse Gateway SM360 SA/IC appliance-blade to participate in leased licensing
RESOURCES
License Management Guide
http://www.juniper.net/techpubs/software/ive/guides/j-sa-sslvpn7.1-licensemgmt.pdf
Juniper Forums
http://forums.juniper.net/t5/SSL-VPN/bd-p/SSL_VPN