
ACCESS LICENSING OVERVIEW sept 2011


amaris

Presentation Transcript


  1. ACCESS LICENSING OVERVIEW sept 2011

  2. agenda • New cluster licensing • SSLVPN Licensing review • UAC Licensing review • Central Licensing • Leasing Licenses • Surrendering Licenses • Virtual Appliance Licensing • New Secure Meeting Licensing • Secure Meeting on Virtual Appliances • ICE license, ICE maintenance and new 25% burst ICE license

  3. OLD CLUSTER LICENSING • N-node cluster with 10000 concurrent users needs • ADD-10000U licenses at one node – the license primary • CL-10000U licenses at other N-1 nodes • CL license at other N-1 nodes for IC • Any feature licenses at primary node • Cluster licensed for at least 10000 users under all circumstances • Up to N-1 node failures • cluster partitions • Each partition licenses to support 10000 users • If cluster is broken into standalone units • One node with licenses to support 10000 users • Rest of the nodes with no licensed capacity

  4. NEW CLUSTER LICENSING • Introduced with SSLVPN 7.0 and UAC 4.1 • No CL licenses needed • If already present, used in a backward compatible way • Any license can be installed at any node • Total concurrent user capacity = sum total of all user count licenses • Licenses on unreachable nodes stop contributing towards total cluster capacity if they stay unreachable for longer than the cluster grace period (5 days) • Unless sufficient CL licenses are present • Starting 7.1r2 grace period increased to 10 days • Customers encouraged to distribute ADD user count licenses evenly across the cluster • A node removed from a cluster takes its licenses with it • Feature licenses need be present at only one node • No change from current behavior • ICE Licenses need be present on all nodes you want to use in case of emergency • 2 ICE licenses required for a 2-node cluster

  5. CLUSTER LICENSED CAPACITY • Each node computes cluster licensed capacity independently • Session capacity computed separately for each “feature” • Base Concurrent Users, EES, RDP • Licenses installed on all reachable nodes are always counted towards the total cluster capacity • If the computing node has X user count licenses installed, it can count up to X licenses from each unreachable node towards total cluster capacity for a cluster grace period of 5 days • System keeps track of which node has been unreachable for how long • Cluster grace period expiry information displayed at the Admin UI Licensing page • If the computing node has Y –CL licenses, it can count up to a sum total of Y licenses from the unreachable nodes towards total cluster capacity for an indefinite period

  6. CLUSTER UPGRADED FROM A PREVIOUS RELEASE • Two node cluster • Node A with 1000 user count licenses • Node B with 1000 CL licenses • Cluster capacity as seen by node A • 1000A = 1000 • Cluster capacity as seen by node B • Min(1000B-CL, 1000A) = 1000 • CL licenses are not bound by cluster grace period • No change in effective cluster capacity in most cases • No upgraded cluster will ever see a drop in licensed capacity • No unqualified nodes

  7. CLUSTER CAPACITY EXAMPLE – GOOD • Two node cluster • Node A with 500 user count licenses • Node B with 500 user count licenses • Cluster capacity as seen by node A • Connected cluster: 500A + 500B = 1000 • Disconnected cluster • Within grace period of 5 days: 500A + min(500A, 500B) = 1000 • Past grace period: 500A = 500 • Customer has 5 days to diagnose/remedy the problem • Even license distribution • Desirable system behavior during cluster disconnects

  8. CLUSTER CAPACITY EXAMPLE – NOT RECOMMENDED • Two node cluster • Node A with 250 user count licenses • Node B with 750 user count licenses • Cluster capacity as seen by node A • Connected cluster: 250A + 750B = 1000 • Disconnected cluster • Within grace period of 5 days: 250A + min(250A, 750B) = 500 • Past grace period: 250A = 250 • Uneven license distribution • Undesirable drop in licensed capacity during cluster disconnects

  9. CLUSTER CAPACITY EXAMPLE – CONVOLUTED • Two node cluster • Node A with 250 user count and 500 CL licenses • Node B with 750 user count licenses • Cluster capacity as seen by node A • Connected cluster: 250A + 750B = 1000 • Disconnected cluster • Within grace period of 5 days: 250A + min(250A, 750B) + min(500A-CL, 750B – 250) = 1000 • Past grace period: 250A + min(500A-CL, 750B) = 750

  10. SSLVPN Licensing Review • SA2000/4000/6000 • Old cluster licensing SAx000-ADD-xxU and –CL still valid. • New cluster licensing SAx000-ADD-xxU on both nodes starting software 7.0. • Remark: 7.1 is last release to be supported on SAx000 • SA2500/4500/6500 • Old cluster licensing SAx500-ADD-xxU and -CL still valid. • New cluster licensing SAx500-ADD-xxU on both nodes starting software 7.0. • MAG • Requires ACCESS-X600 licenses. • Licenses have dual personality, SA/IC depending on MAG deployment. • Licensing based on new cluster licensing, no –CL licenses available. • The minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.

  11. UAC Licensing Review • IC4000/6000 • Old cluster licensing ICx000-ADD-xxE and ICx000–CL still valid. • New cluster licensing ICx000-ADD-xxE on both nodes starting software 4.1. • IC4500/6500 • Old cluster licensing ICx500-ADD-xxE and ICx500–CL / ICx500-CL-250E still valid. • New cluster licensing ICx500-ADD-xxE on nodes starting software 4.1. • MAG • Requires ACCESS-X600 licenses. • Licenses have dual personality, SA/IC depending on MAG deployment. • Licensing based on new cluster licensing, no –CL licenses available. • The minimum software release for MAG is 7.1 for SSL and 4.1 for UAC.

  12. Central Licensing / Leasing licenses • Central Licensing Server • SAx000/SAx500/ICx000/ICx500/MAG with an ACCESS-LICENSE-SERVER • Server maintenance: ‘-L’ version (lowest user count) • Starting software 7.0 (go to 7.1 where possible) or 4.1 • Appliance(s) leasing from the server • MBR license on the appliance • SAx000-LICENSE-MBR ; SAx500-LICENSE-MBR • ICx000-LICENSE-MBR ; ICx500-LICENSE-MBR • MAG2600-LICENSE-MBR ; MAG4610-LICENSE-MBR • SM160-LICENSE-MBR ; SM360-LICENSE-MBR • ACCESS-X500 licenses on the server for SAx500/ICx500 appliance • ACCESS-X600 licenses on the server for MAG appliance • Maintenance: choose maintenance corresponding to the expected user count on the appliances • Example: A license server is deployed with 50K licenses along with 10 SA6500s. Since the average count across each of the SA6500s is 5K concurrent users, that places each appliance in the –H pricing range: SVC-ND-SA6.5K-H, Juniper Care NextDay Support for SA6.5K-H (5000U+)

  13. Central Licensing – cluster licensing • A client cluster retrieving its licenses from a license server: • The license server can lease licenses to standalone clients and clustered clients. • Each cluster member must have the –LICENSE-MBR license installed. • Only one cluster member, identified by the SA/UAC software, makes the lease requests on behalf of all cluster members. This member can query, renew, and increment licenses for other cluster members when the members are connected to the cluster. • When setting up the cluster license information, it is not necessary to enter the cluster configuration at the license server. This information is retrieved dynamically as each client reports its own cluster affiliation. • The initial communication between the cluster and the license server retrieves the reserved counts for all cluster members registered with the license server. • Incremental requests are the sum of all members in the cluster that are not at their maximum configured capacity.

  14. No Dynamic allocation of licenses • The license server does not offer dynamic allocation of licenses. • Licenses are allocated ahead of time by the administrator and are then tied to each appliance for a minimum of 24 hours. • Each member can be configured to allocate a base number of licenses and instructed to increase the number of allocated licenses from the central server in case of need. • Greatly aids in service resilience as a single license server can be deployed and scales without concern that even a basic route failure in the network might prevent users from being able to log in.

  15. Central Licensing: clustered license server • Can the license server itself be clustered? • No plans… • Here’s why: The license server is not a single point of failure such that if it goes offline the service is impacted. Even if it goes down for days at a time, the virtual appliances will continue to run. All the license server is there for is to assign the licenses to each virtual appliance. The design has enough resiliency that even a network outage at any point between the client virtual appliance and the license server will not impact any business. And if a license server goes down completely, such as an RMA, they can quickly bring a backup SA device online and restore the entire configuration from their last scheduled backup. The MTBF of a single box that will not support anything but the license server features is so low that adding all of the overhead of clustering and load balancing could actually be a loss rather than a gain, especially since the recovery procedure is as simple as bringing a backup box online and restoring the system and user configuration backup files and then working with JTAC to make the license move to the new hardware ID permanent, which is all part of a standard RMA process. Some customers that want the highest MTBF are looking to build their license server on fully configured SA6500s (redundant power supplies and hard drives with an MTBF of 98,000 hours).

  16. Central Licensing: surrendering licenses • A license member can surrender its concurrent user licenses to the license server. • Surrendered licenses can be leased to other license members • Only permanent non-subscription concurrent user licenses can be surrendered: • ADD • New MTG (7.2 onwards on MAG) • No subscription licenses can be surrendered from any appliance. • Any license that has a duration cannot be surrendered, e.g. LAB, EVAL, ACCESS subscription… • The following licenses CANNOT be surrendered: ICE, MTG, EES, PRM, RDP, IVS

  17. Virtual Appliance Licensing • License Server • Required! • SAx000/SAx500/ICx000/ICx500/MAG with an ACCESS-LICENSE-SERVER • Server maintenance: ‘-L’ version (lowest user count) • Starting software 7.0 (go to 7.1 where possible) or 4.1 • Virtual Appliance • MBR license per VA (*) • ACCESS-xxx-zYR subscription licenses on license server • only subscription licenses, no perpetual licenses for VA model • Maintenance covered by the subscription license. • * Currently there is an issue in the 7.1 code that does not allow MBR license validation. • Open a customer care case to request a –MBR license. • Starting 7.2, –MBR licenses will be available in the pricing list again.

  18. NEW SECURE MEETING LICENSING ON MAG • From 7.1r2 onwards MAG Secure Meeting will follow a concurrent user license model, as opposed to the SAx500/SAx000 Secure Meeting platform licenses • Licenses based on total number of concurrent “meeting” users • Meeting user count is separate from SSLVPN user count • User count includes all types of users (hosts, attendees, internal, external) • SKUs not tied to the platforms; limited max meeting users per platform • MAG2600: support up to 50 concurrent meeting users • MAG4610: support up to 100 concurrent meeting users • MAG-SM160 blade: up to 100 concurrent meeting users • MAG-SM360 blade: up to 250 concurrent meeting users

  19. NEW SECURE MEETING LICENSING ON MAG • Clustering is supported under the new clustering model. Total number of concurrent users supported in a cluster cannot exceed 2 * (the maximum user limit of the cluster platform). • The new licenses are additive up to the maximum limit supported on a given platform. E.g. on a single MAG2600, a customer can start with a 25 user license and then add another 25 users to support up to 50 concurrent meeting users (max limit) on that platform • Licenses are supported on the MAG series Junos Pulse Gateway platforms only. Customers on the old SA X500 platform will need to purchase the old platform based meeting licenses • The new licenses can be installed and leased from a "License Server". • A COR support license must be purchased separately for support coverage • SVC-COR-SA-MTG: Juniper Care Core Support for feature SA-MTG & MAG-MTG

  20. SECURE MEETING ON VIRTUAL APPLIANCES • Each VA includes 50 users/ 25 meetings • No license required • Platform license

  21. IN CASE OF EMERGENCY • In Case of Emergency is a platform license, cannot be leased • MAGX600-ICE: Full Capacity ICE • New 25% burst ICE option: ACCESS-ICE-25PC • Available in 7.1R2, May Pricelist • Allows ACCESS appliances to burst to 25% of installed license count • Example: ACCESSX600-ADD-5000U license would go to 6,250 users during the ICE activation period. • Supported on MAG and SA • ICE maintenance (e.g. SVC-COR-MAG4610-ICE) is only there for situations where a customer has only deployed ICE licenses on the appliances and nothing else. • The typical use case for this would be a disaster recovery site where they have installed only the hardware with some ICE licenses.

  22. MAG2600 Max Capacity: 100 Concurrent Users

  23. MAG4610 Max Capacity: 1,000 Concurrent Users

  24. MAG6610 & MAG6611 Max Capacity: 1,000 Concurrent Users (Per SM160 Blade) 10,000 Concurrent Users (Per SM360 Blade) + SSL Acceleration

  25. MAG6610 & MAG6611 (Licensing)

  26. Enterprise license server

  27. Resources • License Management Guide http://www.juniper.net/techpubs/software/ive/guides/j-sa-sslvpn-7.1-licensemgmt.pdf • Juniper Forums http://forums.juniper.net/t5/SSL-VPN/bd-p/SSL_VPN
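
The capacity rules on slides 5 to 9 can be checked with a short calculation. This is an added example, not code from the presentation or from Juniper: `Peer`, `cluster_capacity` and `views_from_node_a` are hypothetical names, the outage durations are constructed, and applying the –CL allowance to the sum of what the grace rule left uncounted across more than one unreachable node is an assumption extrapolated from the two-node slides.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    """Another cluster member, as seen from the computing node."""
    user_licenses: int                        # user count (ADD) licenses installed there
    days_unreachable: Optional[float] = None  # None means the node is reachable


def cluster_capacity(local_users, local_cl, peers, grace_days=5):
    """Licensed capacity for one feature, as computed by a single node.

    local_users -- X, user count licenses on the computing node
    local_cl    -- Y, -CL licenses on the computing node
    grace_days  -- 5 per the slides (10 starting with 7.1r2)
    """
    capacity = local_users
    uncounted = 0  # licenses on unreachable nodes not covered by the grace rule
    for peer in peers:
        if peer.days_unreachable is None:
            capacity += peer.user_licenses    # reachable: always counted
            continue
        in_grace = peer.days_unreachable <= grace_days
        counted = min(local_users, peer.user_licenses) if in_grace else 0
        capacity += counted                   # up to X per unreachable node
        uncounted += peer.user_licenses - counted
    # -CL licenses cover up to Y of the remainder, with no time limit
    return capacity + min(local_cl, uncounted)


def views_from_node_a(a_users, a_cl, b_users):
    """Two-node cluster: (connected, within grace, past grace) seen by node A."""
    return tuple(
        cluster_capacity(a_users, a_cl, [Peer(b_users, days)])
        for days in (None, 2, 6)              # constructed outage durations
    )


if __name__ == "__main__":
    # License distributions taken from slides 7, 8 and 9
    for name, args in [("even", (500, 0, 500)),
                       ("uneven", (250, 0, 750)),
                       ("uneven + CL", (250, 500, 750))]:
        print(name, views_from_node_a(*args))
```

Passing `grace_days=10` models the longer grace period that the slides give for 7.1r2 and later.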
