Presentation is loading. Please wait.

Presentation is loading. Please wait.

ACCESS LICENSING OVERVIEW sept 2011. 2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net AGENDA New cluster licensing SSLVPN Licensing review UAC.

Similar presentations


Presentation on theme: "ACCESS LICENSING OVERVIEW sept 2011. 2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net AGENDA New cluster licensing SSLVPN Licensing review UAC."— Presentation transcript:

1 ACCESS LICENSING OVERVIEW sept 2011

2 2 Copyright © 2009 Juniper Networks, Inc. AGENDA New cluster licensing SSLVPN Licensing review UAC Licensing review Central Licensing Leasing Licenses Surrendering Licenses Virtual Appliance Licensing New Secure Meeting Licensing Secure Meeting on Virtual Appliances ICE license, ICE maintenance and new 25% burst ICE license

3 3 Copyright © 2009 Juniper Networks, Inc. OLD CLUSTER LICENSING N-node cluster with concurrent users needs ADD-10000U licenses at one node – the license primary CL-10000U licenses at other N-1 nodes CL license at other N-1 nodes for IC Any feature licenses at primary node Cluster licensed for at least users under all circumstances Up to N-1 node failures cluster partitions Each partition licenses to support users If cluster is broken into standalone units One node with licenses to support users Rest of the nodes with no licensed capacity

4 4 Copyright © 2009 Juniper Networks, Inc. NEW CLUSTER LICENSING Introduced with SSLVPN 7.0 and UAC 4.1 No CL licenses needed If already present, used in a backward compatible way Any license can be installed at any node Total concurrent user capacity = sum total of all user count licenses Licenses on unreachable nodes stop contributing towards total cluster capacity if they stay unreachable for longer than the cluster grace period (5 days) Unless sufficient CL licenses are present Starting 7.1r2 grace period increased to 10 days Customers encouraged to distribute ADD user count licenses evenly across the cluster A node removed from a cluster takes its licenses with it Feature licenses need be present at only one node No change from current behavior ICE Licenses need be present on all nodes you want to use in case of emergency 2 ICE licenses required for a 2-node cluster

5 5 Copyright © 2009 Juniper Networks, Inc. CLUSTER LICENSED CAPACITY Each node computes cluster licensed capacity independently Session capacity computed separately for each feature Base Concurrent Users, EES, RDP Licenses installed on all reachable nodes are always counted towards the total cluster capacity If the computing node has X user count licenses installed, it can count up to X licenses from each unreachable nodes towards total cluster capacity for a cluster grace period of 5 days System keeps track of which has been unreachable for how long Cluster grace period expiry information displayed at the Admin UI Licensing page If the computing node has Y –CL licenses, it can count up to a sum total of Y licenses from the unreachable nodes towards total cluster capacity for an indefinite period

6 6 Copyright © 2009 Juniper Networks, Inc. CLUSTER UPGRADED FROM A PERVIOUS RELEASE Two node cluster Node A with 1000 user count licenses Node B with 1000 CL licenses Cluster capacity as seen by node A 1000 A = 1000 Cluster capacity as seen by node B Min(1000 B-CL, 1000 A ) = 1000 CL licenses are not bound by cluster grace period No change in effective cluster capacity in most cases No upgraded cluster will ever see a drop in licensed capacity No unqualified nodes

7 7 Copyright © 2009 Juniper Networks, Inc. CLUSTER CAPACITY EXAMPLE – GOOD Two node cluster Node A with 500 user count licenses Node B with 500 user count licenses Cluster capacity as seen by node A Connected cluster 500 A B = 1000 Disconnected Cluster Within grace period of 5 days: 500 A + min(500 A, 500 B ) = 1000 Past grace period: 500 A = 500 Customer has 5 days to diagnose/remedy the problem Even license distribution Desirable system behavior during cluster disconnects

8 8 Copyright © 2009 Juniper Networks, Inc. CLUSTER CAPACITY EXAMPLE – NOT RECOMMENDED Two node cluster Node A with 250 user count licenses Node B with 750 user count licenses Cluster capacity as seen by node A Connected cluster 250 A B = 1000 Disconnected Cluster Within grace period of 5 days: 250 A + min(250 A, 750 B ) = 500 Past grace period: 250 A = 250 Uneven license distribution Undesirable drop in licensed capacity during cluster disconnects

9 9 Copyright © 2009 Juniper Networks, Inc. CLUSTER CAPACITY EXAMPLE – CONVOLUTED Two node cluster Node A with 250 user count and 500 CL licenses Node B with 750 user count licenses Cluster capacity as seen by node A Connected cluster 250 A B = 1000 Disconnected Cluster Within grace period of 5 days –250 A + min(250 A, 750 B ) + min(500 A-CL, 750 B – 250) = 1000 Past grace period –250 A + min(500 A-CL, 750 B ) = 750

10 10 Copyright © 2009 Juniper Networks, Inc. SA2000/4000/6000 Old cluster licensing SAx000-ADD-xxU and –CL still valid. New cluster licensing SAx000-ADD-xxU on both nodes starting software 7.0. Remarl: 7.1 is last release to be supported on SAx000 SA2500/4500/6500 Old cluster licensing SAx500-ADD-xxU and -CL still valid. New cluster licensing SAx500-ADD-xxU on both nodes starting software 7.0. MAG Requires ACCESS-X600 licenses. Licenses have dual personality, SA/IC depending on MAG deployment. Licensing based on new cluster licensing, no –CL licenses available. Minimale software release voor MAG is 7.1 voor SSL en 4.1 voor UAC. SSLVPN Licensing Review

11 11 Copyright © 2009 Juniper Networks, Inc. IC4000/6000 Old cluster licensing ICx000-ADD-xxE and ICx000–CL still valid. New cluster licensing ICx000-ADD-xxE on both nodes starting software 4.1. IC4500/6500 Old cluster Iicensing ICx500-ADD-xxE and ICx500–CL / ICx500-CL-250E still valid. New cluster licensing ICx500-ADD-xxE on nodes starting software 4.1. MAG Requires ACCESS-X600 licenses. Licenses have dual personality, SA/IC depending on MAG deployment. Licensing based on new cluster licensing, no –CL licenses available. Minimale software release voor MAG is 7.1 voor SSL en 4.1 voor UAC. UAC Licensing Review

12 12 Copyright © 2009 Juniper Networks, Inc. Central Licensing Server SAx000/SAx500/ICx000/ICx500/MAG with a ACCESS-LICENSE-SERVER Server maintenance: -L version (lowest user count) Starting software 7.0 (go to 7.1 where possible) or 4.1 Appliance(s) leasing from the server MBR license on the appliance SAx000-LICENSE-MBR ; SAx500-LICENSE-MBR ICx000-LICENSE-MBR ; ICx500-LICENSE-MBR MAG2600-LICENSE-MBR ; MAG4610-LICENSE-MBR SM160-LICENSE-MBR ; SM360-LICENSE-MBR ACCESS-X500 licenses on the server for SAx500/ICx500 appliance ACCESS-X600 licenses on the server for MAG appliance Maintenance: choose maintenance corresponding to the expected user count on the appliances Example: A license server is deployed with 50K licenses along with 10 SA6500s. Since the average count across each of the SA6500s is 5K concurrent users, that places each appliance in the –H pricing range: SVC-ND-SA6.5K-H, Juniper Care NextDay Support for SA6.5K-H (5000U+) Central Licensing / Leasing licenses

13 13 Copyright © 2009 Juniper Networks, Inc. A client cluster retrieving his licenses from a license server: The license server can lease licenses to standalone client and clustered client. Each cluster member must have the –LICENSE-MBR license installed. Only one cluster member, identified by the SA/UAC software, makes the lease requests on behalf of all cluster members. This member can query, renew, and increment licenses for other cluster members when the members are connected to the cluster. When setting up the cluster license information, it is not necessary to enter the cluster configuration at the license server. This information is retrieved dynamically as each client reports its own cluster affiliation. The initial communication between the cluster to the license server retrieves the reserved counts for all cluster members registered with the license server. Incremental requests are the sum of all members in the cluster that are not at their maximum configured capacity. Central Licensing – cluster licensing

14 14 Copyright © 2009 Juniper Networks, Inc. NO DYNAMIC ALLOCATION OF LICENSES The license server does not offer dynamic allocation of licenses. Licenses are allocated ahead of time by the administrator and are then tied to each appliance for a minimum of 24 hours. Each member can be configured to allocate a base number of licenses and instructed to increase the number of allocated licenses from the central server in case of need. Greatly aids in service resilience as a single license server can be deployed and scales without concern that even a basic route failure in the network might prevent users from being able to log in.

15 15 Copyright © 2009 Juniper Networks, Inc. Can the license server itself be clustered ? No plans… heres why: The license server is not a single point of failure such that if it goes offline the service is impacted. Even if it goes down for days at a time, the virtual appliances will continue to run. All the license server is there for is to assign the licenses to each virtual appliance. The design has enough resiliency that even a network outage at any point between the client virtual appliance and the license server will not impact any business. And if a license server goes down completely, such as an RMA, they can quickly bring a backup SA device online and restore the entire configuration from their last scheduled backup. The MTBF of a single box that will not support anything but the license server features is so low that adding all of the overhead of clustering and load balancing could actually be a loss rather than a gain, especially since the recovery procedure is as simple as bringing a backup box online and restoring the system and user configuration backup files and then working with JTAC to make the license move to the new hardware ID permanent, which is all part of a standard RMA process. Some customers that want the highest MTBF are looking to build their license server on fully configured SA6500s (redundant power supplies and hard drives with an MTBF of 98,000 hours). Central Licensing: clustered license server

16 16 Copyright © 2009 Juniper Networks, Inc. Central Licensing: surrendering licenses A license member can surrender his concurrent user licenses to the license server. Surrendered licenses can be leased to other license members Only permanent non-subscription concurrent user licenses can be surrendered: ADD New MTG (7.2 onwards on MAG) No subscription licenses can be surrendered from any appliance. Any license that has a duration cannot be surrendered, e.g. LAB, EVAL, ACCESS subscription… The following licenses CANNOT be surrendered: ICE, MTG, EES, PRM, RDP, IVS

17 17 Copyright © 2009 Juniper Networks, Inc. License Server Required ! SAx000/SAx500/ICx000/ICx500/MAG with a ACCESS-LICENSE-SERVER Server maintenance: -L version (lowest user count) Starting software 7.0 (go to 7.1 where possible) or 4.1 Virtual Appliance MBR license per VA (*) ACCESS-xxx-zYR subscription licenses on license server only subscription licenses, no perpetual licenses for VA model Maintenance covered by the subscription license. * Currently issue in the 7.1 code that does not allow MBR license validation. Open customer care case to request–MBR license. Starting 7.2 –MBR licenses will be available in the pricing list again. Virtual Appliance Licensing

18 18 Copyright © 2009 Juniper Networks, Inc. NEW SECURE MEETING LICENSING ON MAG From 7.1r2 onwards MAG Secure Meeting will follow a concurrent user model license ; opposed to SAx500/SAx000 Secure Meeting platform licenses Licenses based on total number of concurrent meeting users Meeting user count is separate from SSLVPN user count User count includes all types of users (hosts, attendees, internal, external) SKUs not tied to the platforms ; limited max meeting users per platform MAG2600 : support up to 50 concurrent meeting users MAG4610 : support up to 100 concurrent meeting users MAG-SM160 blade : up to 100 concurrent meeting users MAG-SM360 blade : up to 250 concurrent meeting users ACCESSX600-MTG-25UAdd 25 simultaneous Secure Meeting users to X600 Series Appliances ACCESSX600-MTG-50UAdd 50 simultaneous Secure Meeting users to X600 Series Appliances ACCESSX600-MTG-100UAdd 100 simultaneous Secure Meeting users to X600 Series Appliances ACCESSX600-MTG-250UAdd 250 simultaneous Secure Meeting users to X600 Series Appliances

19 19 Copyright © 2009 Juniper Networks, Inc. NEW SECURE MEETING LICENSING ON MAG Clustering is supported under the new clustering model Total number of concurrent user support in a cluster cannot exceed 2 * (the maximum user limit of the cluster platform). The new licenses are additive up to the maximum limit supported on a given platform. For e.g. on a single MAG2600, customer can startwith a 25 user license and then add another 25 users to support up to 50 concurrent meeting users (max limit) on that platform Licenses are supported on the MAG series Junos Pulse Gateway platforms only. Customers on old SA X500 platform will need to purchase the old platform based meeting licenses The new licenses can be installed and leased from a "License Server". A COR support license must be purchased separately for support coverage SVC-COR-SA-MTG Juniper Care Core Support for feature SA-MTG & MAG-MTG

20 20 Copyright © 2009 Juniper Networks, Inc. SECURE MEETING ON VIRTUAL APPLIANCES Each VA includes 50 users/ 25 meetings No license required Platform license

21 21 Copyright © 2009 Juniper Networks, Inc. IN CASE OF EMERGENCY In Case of Emergency is a platform license, cannot be leased MAGX600-ICE: Full Capacity ICE New 25% burst ICE option: ACCESS-ICE-25PC Available in 7.1R2, May Pricelist Allows ACCESS appliances to burst to 25% of installed license count Example: ACCESSX600-ADD-5000U license would go to 6,250 users during the ICE activation period. Supported on MAG and SA ICE maintenance (eg SVC-COR-MAG4610-ICE) are only there for situations where a customer has only deployed ICE licenses on the appliances and nothing else. The typical use case for this would be a disaster recovery site where they have installed only the hardware with some ICE licenses.

22 22 Copyright © 2009 Juniper Networks, Inc. MAG2600 Max Capacity: 100 Concurrent Users License SKUs Description ACCESSX600-ADD-10UAdd 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-25UAdd 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-50UAdd 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-100UAdd 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances MAG2600-LICENSE-MBRAllows Junos Pulse Gateway 2600 appliance to participate in leased licensing Hardware SKUs Description MAG2600Junos Pulse Gateway 2600 Base System, Fixed Config, Secure Access/Access Control Services

23 23 Copyright © 2009 Juniper Networks, Inc. MAG4610 License SKUs Description ACCESSX600-ADD-10UAdd 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-25UAdd 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-50UAdd 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-100UAdd 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-250UAdd 250 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-500UAdd 500 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-1000UAdd 1000 simultaneous users to Junos Pulse Gateway X600 Series Appliances MAG4610-LICENSE-MBRAllows Junos Pulse Gateway 4610 appliance-blade to participate in leased licensing Hardware SKUs Description MAG4610Junos Pulse Gateway 4610 Base System, Fixed Config, Secure Access/Access Control Services Max Capacity: 1,000 Concurrent Users

24 24 Copyright © 2009 Juniper Networks, Inc. MAG6610 & MAG6611 Hardware SKUs Description MAG6610Junos Pulse Gateway 6610 Base System, Chassis + AC PS MAG6611Junos Pulse Gateway 6611 Base System, Chassis + AC PS MAG-SM160Junos Pulse Gateway Application Blade 160, Secure Access/Access Control Service MAG-SM360Junos Pulse Gateway Application Blade 360, Secure Access/Access Control Service Max Capacity: 1,000 Concurrent Users (Per SM160 Blade) 10,000 Concurrent Users (Per SM360 Blade)

25 25 Copyright © 2009 Juniper Networks, Inc. MAG6610 & MAG6611 (LICENSING) License SKUs Description ACCESSX600-ADD-10UAdd 10 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-25UAdd 25 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-50UAdd 50 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-100UAdd 100 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-250UAdd 250 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-500UAdd 500 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-1000UAdd 1000 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-2000UAdd 2000 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-2500UAdd 2500 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-5000UAdd 5000 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-7500UAdd 7500 simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-10KUAdd simultaneous users to Junos Pulse Gateway X600 Series Appliances SM160-LICENSE-MBRAllows Junos Pulse Gateway SM160 appliance-blade to participate in leased licensing SM360-LICENSE-MBRAllows Junos Pulse Gateway SM360 SA/IC appliance-blade to participate in leased licensing

26 26 Copyright © 2009 Juniper Networks, Inc. ENTERPRISE LICENSE SERVER Server License SKU Description ACCESS-LICENSE-SVREnables enterprise access appliance as a license server Lease Enablement SKUs Description MAG2600-LICENSE-MBRAllows Junos Pulse Gateway 2600 appliance to participate in leased licensing MAG4610-LICENSE-MBRAllows Junos Pulse Gateway 4610 appliance-blade to participate in leased licensing SM160-LICENSE-MBRAllows Junos Pulse Gateway SM160 appliance-blade to participate in leased licensing SM360-LICENSE-MBRAllows Junos Pulse Gateway SM360 SA/IC appliance-blade to participate in leased licensing High Scale License SKUs Description Stackable licenses above and beyond what a single Junos Pulse Gateway can achieve on its own ACCESSX600-ADD-15KUAdd simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-20KUAdd simultaneous users to Junos Pulse Gateway X600 Series Appliances ACCESSX600-ADD-25KUAdd simultaneous users to Junos Pulse Gateway X600 Series Appliances

27 27 Copyright © 2009 Juniper Networks, Inc. RESOURCES License Management Guide 7.1-licensemgmt.pdf Juniper Forums


Download ppt "ACCESS LICENSING OVERVIEW sept 2011. 2 Copyright © 2009 Juniper Networks, Inc. www.juniper.net AGENDA New cluster licensing SSLVPN Licensing review UAC."

Similar presentations


Ads by Google