Support Center > Search Results > SecureKnowledge Details
Check Point VPN License Guide Technical Level
Solution

Check Point offers the following licenses for VPN products:

  1. IPSec VPN (CPSB-VPN)
  2. Endpoint Security Remote Access VPN (CPSB-EP-VPN)
  3. Mobile Access (CPSB-MOB)
  4. Capsule Workspace (CP-CPSL-WORK or CP-CPSL-TOTAL)

IPSec VPN (CPSB-VPN)

The IPSec VPN Software Blade enables Check Point Security Gateways to allow encrypted traffic to traverse the enforcement point in general. This encrypted traffic passes over Site-to-Site VPN tunnels, as well as, over VPN tunnels established by SecuRemote.

Note: The IPSec VPN blade enables encrypted traffic to traverse the Security Gateway; this is not limited to IPSec VPN traffic. For exmaple, SSL traffic is also enabled. Additional licensing may still be required depending on the client license requirements as well. See below for more information.

Endpoint Security Remote Access VPN (CPSB-EP-VPN)

The Remote Access VPN Software Blade enables remote clients to connect to the network and to obtain an Office Mode IP address. The VPN clients enabled by this license include:

  1. Endpoint Security E80.x
  2. Endpoint Security VPN E75
  3. Endpoint Connect R73 (this product has officially reached end of life)
  4. SecureClient NGX R60 (this product has officially reached end of life)

This license is enforced based on installed endpoint clients. Both online (actively connected via VPN) and offline (not currently actively connected via VPN) endpoint clients require a license. An Endpoint is defined as a computer instance in the Check Point secured environment.

CPEP-C-1+1000 CPSB-EP-FW+1000 CPEP-PERP CPSB-SWB

The is the Endpoint firewall license that comes with EP-ACCESS. It would not allow VPN.

Mobile Access (CPSB-MOB)

The Mobile Access Software Blade enables both client and clientless remote users to connect to the network. These users may or may not receive an Office Mode IP address, and this depends on the type of connection that the user is making. The VPN connections permitted by this license include the following:

  1. Mobile Access (also known as SSL VPN, and formerly known as Connectra; not supported for use with the IPSO operating system)
  2. SSL Network Extender (also knows as SNX; 'Network Mode' provides an Office Mode IP address; 'Application Mode' does not offer an Office Mode IP address)
  3. Check Point Mobile for Windows

This license is enforced based on concurrent connections. Users connecting with one of these solutions will consume a license for the duration of the connection only; the license will be released for use by another user upon termination of the current connection.

CPSB-SSLVPN-5/10/50/U

This is the string that the MOB-x blade generates.

CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M

This is the license that allows SSL Network Extender. It generates from the MOB blade

Capsule Workspace (CP-CPSL-WORK or CP-CPSL-TOTAL)

The Mobile Enterprise Software Blades enables remote applications installed on SmartPhones and tablets to connect to a network and access limited network resources.

This license is enforced by user; each user can register up to 3 devices (for example, iPhone and iPad). Users connecting with this solution are issued a registration key for each device, which remain valid for a period of time determined by the Security Administrator.


Which license is required to allow L2TP VPN tunnels

Question: In order to allow L2TP VPN tunnels, if the customer already has the Endpoint VPN Remote Access Blade - is this enough, or is there a Mobile Access Blade license required? Meaning, for L2TP, do we need a Endpoint VPN Client license or a Mobile Access License?

Answer: In order to allow L2TP VPN tunnels, you would just need the IPSec VPN license on the Security Gateway. There is no need for the Mobile Access License.


More information about Office Mode

Mobile Access licenses are dependent on the client being used to connect to the Remote Access Gateway. There are 3 basic clients: SecuRemote, Check Point Mobile, and the Endpoint Security VPN client.

SecuRemote requires no additional license, but does not offer an Office Mode IP. It is not designed for a large number of users.

The Check Point Mobile client offers an Office Mode IP.

This client uses the Mobile Access blade license on the gateway itself. By default, a gateway comes with a license for 5 users. Then you can attach a larger blade if more users are required. The blades come in 3 sizes. 50, 200 or Unlimited.

You can attach 1 blade only. If more users are needed you have to trade in and go to next higher blade. For the MOB blade, each gateway needs its own blade. With a 50 blade attached, 55 concurrent users are supported. With a 200 blade attached, 205 concurrent users are allowed, and with Unlimited an Unlimited number are supported. The eval for this would be the "all in one" eval.

The third client is the Endpoint Security VPN client. It offers an Office Mode IP.

In order to use the Endpoint Security VPN client, an Endpoint Security VPN license is purchased. This license is applied to the Management server that manages the Remote Access gateways, and it creates a pool of licenses the Remote Access gateways share. This license is purchased based on the total number of endpoints. It is not a concurrent use license.

As a user connects, they are given an Office Mode IP valid for 30 days. The eval for this would be "Sandblast complete" eval. It is a 100 user eval and is additive.
For more information about Check Point VPN products, refer to sk67820 (Check Point Remote Access Solutions).

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment