ACCESS LICENSING OVERVIEW
Sept 2011

AGENDA
• New cluster licensing
• SSLVPN Licensing review
• UAC Licensing review
• Central Licensing
• Leasing Licenses
• Surrendering Licenses
• Virtual Appliance Licensing
• New Secure Meeting Licensing
• Secure Meeting on Virtual Appliances
• ICE license, ICE maintenance and new 25% burst ICE license

Copyright © 2009 Juniper Networks, Inc. www.juniper.net

OLD CLUSTER LICENSING
• N-node cluster with 10000 concurrent users needs
  • ADD-10000U licenses at one node – the license primary
  • CL-10000U licenses at other N-1 nodes
  • CL license at other N-1 nodes for IC
  • Any feature licenses at primary node
• Cluster licensed for at least 10000 users under all circumstances
  • Up to N-1 node failures
  • Cluster partitions
    • Each partition licensed to support 10000 users
• If cluster is broken into standalone units
  • One node with licenses to support 10000 users
  • Rest of the nodes with no licensed capacity

NEW CLUSTER LICENSING
• Introduced with SSLVPN 7.0 and UAC 4.1
• No CL licenses needed
  • If already present, used in a backward compatible way
• Any license can be installed at any node
• Total concurrent user capacity = sum total of all user count licenses
• Licenses on unreachable nodes stop contributing towards total cluster capacity if they stay unreachable for longer than the cluster grace period (5 days)
  • Unless sufficient CL licenses are present
  • Starting 7.1r2 grace period increased to 10 days
• Customers encouraged to distribute ADD user count licenses evenly across the cluster
• A node removed from a cluster takes its licenses with it
• Feature licenses need be present at only one node
  • No change from current behavior
• ICE licenses need be present on all nodes you want to use in case of emergency
  • 2 ICE licenses required for a 2-node cluster

CLUSTER LICENSED CAPACITY
• Each node computes cluster licensed capacity independently
• Session capacity computed separately for each “feature”
  • Base Concurrent Users, EES, RDP
• Licenses installed on all reachable nodes are always counted towards the total cluster capacity
• If the computing node has X user count licenses installed, it can count up to X licenses from each unreachable node towards total cluster capacity for a cluster grace period of 5 days
  • System keeps track of which node has been unreachable for how long
  • Cluster grace period expiry information displayed at the Admin UI Licensing page
• If the computing node has Y -CL licenses, it can count up to a sum total of Y licenses from the unreachable nodes towards total cluster capacity for an indefinite period

CLUSTER UPGRADED FROM A PREVIOUS RELEASE
• Two node cluster
  • Node A with 1000 user count licenses
  • Node B with 1000 CL licenses
• Cluster capacity as seen by node A
  • 1000A = 1000
• Cluster capacity as seen by node B
  • Min(1000B-CL, 1000A) = 1000
  • CL licenses are not bound by cluster grace period
• No change in effective cluster capacity in most cases
  • No upgraded cluster will ever see a drop in licensed capacity
  • No unqualified nodes

CLUSTER CAPACITY EXAMPLE – GOOD
• Two node cluster
  • Node A with 500 user count licenses
  • Node B with 500 user count licenses
• Cluster capacity as seen by node A
  • Connected cluster: 500A + 500B = 1000
  • Disconnected cluster
    • Within grace period of 5 days: 500A + min(500A, 500B) = 1000
    • Past grace period: 500A = 500
    • Customer has 5 days to diagnose/remedy the problem
• Even license distribution
• Desirable system behavior during cluster disconnects
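
The per-node capacity rule above, written out as an added example (not Juniper code) so that a planned license distribution can be checked against a cluster partition before it happens. The names Node, capacity_seen_by and slide_scenarios are hypothetical, and applying the grace allowance before the -CL pool is an assumption inferred from the deck's formulas; beyond the two-node slides, the function also handles the deck's uneven and mixed -CL cases and more than one peer.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Node:                       # hypothetical model of one cluster member
    name: str
    user: int = 0                 # user count (ADD) licenses installed here
    cl: int = 0                   # legacy -CL licenses installed here
    days_unreachable: Optional[float] = None  # None = reachable right now

def capacity_seen_by(me, peers, grace_days=5):
    """Licensed capacity for one feature, as computed by node `me`.

    grace_days is 5 per the deck (10 starting with 7.1r2).
    """
    total = me.user
    cl_pool = me.cl               # Y: one pool shared by all unreachable peers
    for p in peers:
        if p.days_unreachable is None:
            total += p.user       # reachable nodes always count in full
            continue
        in_grace = p.days_unreachable <= grace_days
        # Up to X (= own user count) from each unreachable peer, grace only.
        graced = min(me.user, p.user) if in_grace else 0
        # Assumption: -CL covers what the grace allowance did not, no expiry.
        from_cl = min(cl_pool, p.user - graced)
        cl_pool -= from_cl
        total += graced + from_cl
    return total

def slide_scenarios():
    """(connected, within grace, past grace) as seen by node A, per slide."""
    def three(a_user, a_cl, b_user):
        a = Node("A", a_user, a_cl)
        # Constructed timings: reachable, 2 days unreachable, 6 days unreachable.
        return tuple(capacity_seen_by(a, [Node("B", b_user, 0, d)])
                     for d in (None, 2, 6))
    return {
        "good": three(500, 0, 500),
        "not_recommended": three(250, 0, 750),
        "convoluted": three(250, 500, 750),
    }

if __name__ == "__main__":
    for name, caps in slide_scenarios().items():
        print(f"{name:16} connected={caps[0]} grace={caps[1]} expired={caps[2]}")
```

Running the same function from each node's point of view shows the asymmetry of an uneven split: the node holding fewer licenses is the one whose capacity collapses during a partition.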

CLUSTER CAPACITY EXAMPLE – NOT RECOMMENDED
• Two node cluster
  • Node A with 250 user count licenses
  • Node B with 750 user count licenses
• Cluster capacity as seen by node A
  • Connected cluster: 250A + 750B = 1000
  • Disconnected cluster
    • Within grace period of 5 days: 250A + min(250A, 750B) = 500
    • Past grace period: 250A = 250
• Uneven license distribution
• Undesirable drop in licensed capacity during cluster disconnects

CLUSTER CAPACITY EXAMPLE – CONVOLUTED
• Two node cluster
  • Node A with 250 user count and 500 CL licenses
  • Node B with 750 user count licenses
• Cluster capacity as seen by node A
  • Connected cluster: 250A + 750B = 1000
  • Disconnected cluster
    • Within grace period of 5 days: 250A + min(250A, 750B) + min(500A-CL, 750B – 250) = 1000
    • Past grace period: 250A + min(500A-CL, 750B) = 750

SSLVPN Licensing Review
• SA2000/4000/6000
  • Old cluster licensing SAx000-ADD-xxU and -CL still valid.
  • New cluster licensing SAx000-ADD-xxU on both nodes starting software 7.0.
  • Remark: 7.1 is last release to be supported on SAx000
• SA2500/4500/6500
  • Old cluster licensing SAx500-ADD-xxU and -CL still valid.
  • New cluster licensing SAx500-ADD-xxU on both nodes starting software 7.0.
• MAG
  • Requires ACCESS-X600 licenses.
  • Licenses have dual personality, SA/IC depending on MAG deployment.
  • Licensing based on new cluster licensing, no -CL licenses available.
  • Minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.

UAC Licensing Review
• IC4000/6000
  • Old cluster licensing ICx000-ADD-xxE and ICx000-CL still valid.
  • New cluster licensing ICx000-ADD-xxE on both nodes starting software 4.1.
• IC4500/6500
  • Old cluster licensing ICx500-ADD-xxE and ICx500-CL / ICx500-CL-250E still valid.
  • New cluster licensing ICx500-ADD-xxE on nodes starting software 4.1.
• MAG
  • Requires ACCESS-X600 licenses.
  • Licenses have dual personality, SA/IC depending on MAG deployment.
  • Licensing based on new cluster licensing, no -CL licenses available.
  • Minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.

Central Licensing / Leasing licenses
Central Licensing Server
• SAx000/SAx500/ICx000/ICx500/MAG with an ACCESS-LICENSE-SERVER
• Server maintenance: ‘-L’ version (lowest user count)
• Starting software 7.0 (go to 7.1 where possible) or 4.1
Appliance(s) leasing from the server
• MBR license on the appliance
  • SAx000-LICENSE-MBR ; SAx500-LICENSE-MBR
  • ICx000-LICENSE-MBR ; ICx500-LICENSE-MBR
  • MAG2600-LICENSE-MBR ; MAG4610-LICENSE-MBR
  • SM160-LICENSE-MBR ; SM360-LICENSE-MBR
• ACCESS-X500 licenses on the server for SAx500/ICx500 appliance
• ACCESS-X600 licenses on the server for MAG appliance
• Maintenance: choose maintenance corresponding to the expected user count on the appliances
• Example: A license server is deployed with 50K licenses along with 10 SA6500s. Since the average count across each of the SA6500s is 5K concurrent users, that places each appliance in the -H pricing range: SVC-ND-SA6.5K-H, Juniper Care NextDay Support for SA6.5K-H (5000U+)

Central Licensing – cluster licensing
A client cluster retrieving its licenses from a license server:
• The license server can lease licenses to standalone clients and clustered clients.
• Each cluster member must have the -LICENSE-MBR license installed.
• Only one cluster member, identified by the SA/UAC software, makes the lease requests on behalf of all cluster members. This member can query, renew, and increment licenses for other cluster members when the members are connected to the cluster.
• When setting up the cluster license information, it is not necessary to enter the cluster configuration at the license server.
  This information is retrieved dynamically as each client reports its own cluster affiliation.
• The initial communication between the cluster and the license server retrieves the reserved counts for all cluster members registered with the license server.
• Incremental requests are the sum of all members in the cluster that are not at their maximum configured capacity.

NO DYNAMIC ALLOCATION OF LICENSES
• The license server does not offer dynamic allocation of licenses.
• Licenses are allocated ahead of time by the administrator and are then tied to each appliance for a minimum of 24 hours.
• Each member can be configured to allocate a base number of licenses and instructed to increase the number of allocated licenses from the central server in case of need.
• Greatly aids in service resilience as a single license server can be deployed and scales without concern that even a basic route failure in the network might prevent users from being able to log in.

Central Licensing: clustered license server
Can the license server itself be clustered? No plans… here’s why:
• The license server is not a single point of failure such that if it goes offline the service is impacted. Even if it goes down for days at a time, the virtual appliances will continue to run. All the license server is there for is to assign the licenses to each virtual appliance.
• The design has enough resiliency that even a network outage at any point between the client virtual appliance and the license server will not impact any business.
• And if a license server goes down completely, such as an RMA, they can quickly bring a backup SA device online and restore the entire configuration from their last scheduled backup.
• The MTBF of a single box that will not support anything but the license server features is so low that adding all of the overhead of clustering and load balancing could actually be a loss rather than a gain, especially since the recovery procedure is as simple as bringing a backup box online and restoring the system and user configuration backup files and then working with JTAC to make the license move to the new hardware ID permanent, which is all part of a standard RMA process.
• Some customers that want the highest MTBF are looking to build their license server on fully configured SA6500s (redundant power supplies and hard drives with an MTBF of 98,000 hours).

Central Licensing: surrendering licenses
• A license member can surrender its concurrent user licenses to the license server.
• Surrendered licenses can be leased to other license members.
• Only permanent non-subscription concurrent user licenses can be surrendered:
  • ADD
  • New MTG (7.2 onwards on MAG)
• No subscription licenses can be surrendered from any appliance. Any license that has a duration cannot be surrendered, e.g. LAB, EVAL, ACCESS subscription…
• The following licenses CANNOT be surrendered: ICE, MTG, EES, PRM, RDP, IVS

Virtual Appliance Licensing
License Server
• Required!
• SAx000/SAx500/ICx000/ICx500/MAG with an ACCESS-LICENSE-SERVER
• Server maintenance: ‘-L’ version (lowest user count)
• Starting software 7.0 (go to 7.1 where possible) or 4.1
Virtual Appliance
• MBR license per VA (*)
• ACCESS-xxx-zYR subscription licenses on license server
• Only subscription licenses, no perpetual licenses for VA model
• Maintenance covered by the subscription license.
* There is currently an issue in the 7.1 code that does not allow MBR license validation. Open a customer care case to request an -MBR license. Starting 7.2, -MBR licenses will be available in the pricing list again.

NEW SECURE MEETING LICENSING ON MAG
From 7.1r2 onwards, MAG Secure Meeting will follow a concurrent user license model, as opposed to the SAx500/SAx000 Secure Meeting platform licenses.

SKU                   Description
ACCESSX600-MTG-25U    Add 25 simultaneous Secure Meeting users to X600 Series Appliances
ACCESSX600-MTG-50U    Add 50 simultaneous Secure Meeting users to X600 Series Appliances
ACCESSX600-MTG-100U   Add 100 simultaneous Secure Meeting users to X600 Series Appliances
ACCESSX600-MTG-250U   Add 250 simultaneous Secure Meeting users to X600 Series Appliances

• Licenses based on total number of concurrent “meeting” users
  • Meeting user count is separate from SSLVPN user count
  • User count includes all types of users (hosts, attendees, internal, external)
• SKUs not tied to the platforms; limited max meeting users per platform
  • MAG2600: support up to 50 concurrent meeting users
  • MAG4610: support up to 100 concurrent meeting users
  • MAG-SM160 blade: up to 100 concurrent meeting users
  • MAG-SM360 blade: up to 250 concurrent meeting users

NEW SECURE MEETING LICENSING ON MAG
• Clustering is supported under the new clustering model
  • Total number of concurrent users supported in a cluster cannot exceed 2 * (the maximum user limit of the cluster platform).
• The new licenses are additive up to the maximum limit supported on a given platform.
  • For example, on a single MAG2600, a customer can start with a 25 user license and then add another 25 users to support up to 50 concurrent meeting users (max limit) on that platform.
• Licenses are supported on the MAG series Junos Pulse Gateway platforms only.
  • Customers on the old SA X500 platform will need to purchase the old platform based meeting licenses.
• The new licenses can be installed and leased from a "License Server".
• A COR support license must be purchased separately for support coverage
  • SVC-COR-SA-MTG: Juniper Care Core Support for feature SA-MTG & MAG-MTG

SECURE MEETING ON VIRTUAL APPLIANCES
• Each VA includes 50 users / 25 meetings
• No license required
• Platform license

IN CASE OF EMERGENCY
• In Case of Emergency is a platform license and cannot be leased
• MAGX600-ICE: Full Capacity ICE
• New 25% burst ICE option: ACCESS-ICE-25PC
  • Available in 7.1R2, May Pricelist
  • Allows ACCESS appliances to burst to 25% of installed license count
  • Example: an ACCESSX600-ADD-5000U license would go to 6,250 users during the ICE activation period.
  • Supported on MAG and SA
• ICE maintenance (e.g. SVC-COR-MAG4610-ICE) is only there for situations where a customer has only deployed ICE licenses on the appliances and nothing else. The typical use case for this would be a disaster recovery site where they have installed only the hardware with some ICE licenses.

MAG2600
Max Capacity: 100 Concurrent Users

Hardware SKUs         Description
MAG2600               Junos Pulse Gateway 2600 Base System, Fixed Config, Secure Access/Access Control Services

License SKUs          Description
ACCESSX600-ADD-10U    Add 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25U    Add 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-50U    Add 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-100U   Add 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances
MAG2600-LICENSE-MBR   Allows Junos Pulse Gateway 2600 appliance to participate in leased licensing

MAG4610
Max Capacity: 1,000 Concurrent Users

Hardware SKUs         Description
MAG4610               Junos Pulse Gateway 4610 Base System, Fixed Config, Secure Access/Access Control Services

License SKUs          Description
ACCESSX600-ADD-10U    Add 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25U    Add 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-50U    Add 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-100U   Add 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-250U   Add 250 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-500U   Add 500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-1000U  Add 1000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
MAG4610-LICENSE-MBR   Allows Junos Pulse Gateway 4610 appliance-blade to participate in leased licensing

MAG6610 & MAG6611
Max Capacity: 1,000 Concurrent Users (Per SM160 Blade), 10,000 Concurrent Users (Per SM360 Blade)

Hardware SKUs         Description
MAG6610               Junos Pulse Gateway 6610 Base System, Chassis + AC PS
MAG6611               Junos Pulse Gateway 6611 Base System, Chassis + AC PS
MAG-SM160             Junos Pulse Gateway Application Blade 160, Secure Access/Access Control Service
MAG-SM360             Junos Pulse Gateway Application Blade 360, Secure Access/Access Control Service

MAG6610 & MAG6611 (LICENSING)

License SKUs          Description
ACCESSX600-ADD-10U    Add 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25U    Add 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-50U    Add 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-100U   Add 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-250U   Add 250 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-500U   Add 500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-1000U  Add 1000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-2000U  Add 2000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-2500U  Add 2500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-5000U  Add 5000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-7500U  Add 7500 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-10KU   Add 10000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
SM160-LICENSE-MBR     Allows Junos Pulse Gateway SM160 appliance-blade to participate in leased licensing
SM360-LICENSE-MBR     Allows Junos Pulse Gateway SM360 SA/IC appliance-blade to participate in leased licensing

ENTERPRISE LICENSE SERVER

Server License SKU        Description
ACCESS-LICENSE-SVR        Enables enterprise access appliance as a license server

High Scale License SKUs   Description
ACCESSX600-ADD-15KU       Add 15000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-20KU       Add 20000 simultaneous users to Junos Pulse Gateway X600 Series Appliances
ACCESSX600-ADD-25KU       Add 25000 simultaneous users to Junos Pulse Gateway X600 Series Appliances

Stackable licenses above and beyond what a single Junos Pulse Gateway can achieve on its own

Lease Enablement SKUs     Description
MAG2600-LICENSE-MBR       Allows Junos Pulse Gateway 2600 appliance to participate in leased licensing
MAG4610-LICENSE-MBR       Allows Junos Pulse Gateway 4610 appliance-blade to participate in leased licensing
SM160-LICENSE-MBR         Allows Junos Pulse Gateway SM160 appliance-blade to participate in leased licensing
SM360-LICENSE-MBR         Allows Junos Pulse Gateway SM360 SA/IC appliance-blade to participate in leased licensing

RESOURCES
• License Management Guide: http://www.juniper.net/techpubs/software/ive/guides/j-sa-sslvpn7.1-licensemgmt.pdf
• Juniper Forums: http://forums.juniper.net/t5/SSL-VPN/bd-p/SSL_VPN