Gateway Licensing

The ICS Gateway supports the following sample SKUs:

| SKU | Sample SKUs |
|---|---|
| ICS Perpetual | ICS-ADD-1000U |
| ICS Subscription | ICS-SVC-GLD-1000U-1YR, ICS-SVC-PLN-1000U-1YR, ICS-PAR-GLD-1000U-1YR, ICS-PAR-PLN-1000U-1YR |
| Eval License | ICS-EVAL-1W, ICS-EVAL-2W, ICS-EVAL-4W, ICS-EVAL-8W |
| Lab license | ISA-LAB |
| Member License | ISA-LICENSE-MBR |
| ICE License | ISA4K-ICE-GLD-1YR, ISA6K-ICE-GLD-1YR, ISA4K-ICE-PLN-1YR, ISA6K-ICE-PLN-1YR |
| ICS Core License | ISA4000V-1YR, ISA6000-VAZ-1YR, ISA8000-VAWS-1YR, ISA4000V-GCP-1YR, ISA4000V-GCP-3YR, ISA4000V-GCP-5YR |

Obtaining and Installing License Keys

You can install licenses directly on the ICS Gateway by obtaining an authentication code via email and then downloading and installing the licenses. You can also lease licenses from the ICS 9.1R13.1 License Server or a 22.2R1 and later license server.

Installing licenses on a Standalone Gateway

Leasing license through License server

Installing License on a Standalone Gateway

An admin obtains an authentication code for his entitlement externally via e-mail. The admin must enter the authentication code in the license server download page to validate and fetch license keys. If validation is successful, the admin receives the license keys in return.

To obtain license keys:

1. Go to System > Configuration > Download Licenses.

2. Under On demand license downloads, enter the authentication code in the text box.

3. Click Download and Install.

4. Go to the License Summary tab to view a list of the licenses installed.

5. To delete one or more licenses, select the corresponding check box(es) and click Delete.

Leasing license through License Server

About License Servers

If you choose to use license servers, the license server software can be run on any ISA/ISA-V devices and gateways running the Connect Secure personality. Once you configure a device to be a license server, that appliance/VA ceases to be anything except a license server; it will no longer accept end-user client connections.

You can configure more than one license server, but each client can be associated with only one license server. A device cannot be both a license server and a license client at the same time.

Note the following about license servers:

Only administrators can log in to a license server.

A license server cannot lease licenses from another license server.

The license server manages and leases licenses associated with a user count, such as basic concurrent user licenses, and RDP (remote desktop) licenses.

License servers must have either an ACCESS-LICENSE-SVR or an ACCESS-SUB-SVR license installed for managing license members.

To lease licenses from a license server:

Configure and add a 22.x or 9.x license client on the license server:

Configuring ICS/IPS 22.x VM as a License Client on License Server

Configuring ICS/IPS 9.x VM as a License Client on License Server

Configure the License Client to lease the licenses from the License Server.

About License Clients

Clients are configured to communicate with a particular license server. The client then requests the licenses (over HTTPS) that are allocated to it. An optional LICENSE-MBR license must be installed when clients need to access capacity from non-subscription licenses or if an administrator wants to surrender a client's licenses to the license server. If you are not using a license server, all your devices are still configured as license clients. However, the steps to set up communication with the license server are not needed.

Configuring ICS/IPS 22.x VM as a License Client on License Server

You can configure an ICS/IPS VM as a license client. As a prerequisite, you need a License Server running ICS 9.1R13.1 or a later release. You can also use 22.x and later releases for leasing licenses to clients.

Prerequisite

Install ICS-SVC or IPS-SVC and the ISA-CORE license to lease licenses to 22.x clients.

The following are sample SKUs:

ICS-SVC-GLD-1000U-1YR - Ivanti Connect Secure License (VPN remote access) 1000 Concurrent Sessions

IPS-SVC-GLD-1000U-1YR - Ivanti Policy Secure License 1000 Concurrent Sessions

ISA-CORE-100C-1YR - Enables leasing of 100 core licenses on an Ivanti (ISA or ISA-V) licensing server

Install License on License Server

1. In the admin console of the license server, choose System > Configuration > Licensing > Licensing Summary.

2. Click the license agreement link. Read the license agreement and, if you agree to the terms, continue to the next step.

3. Enter your license key(s) and click Add.

4. Click the Configure Clients tab.

The following figure depicts the Configured License Server with no core licenses installed.

The following figure depicts the Platform page on License server with no core licenses

The following figure depicts the License Summary Page - Core Leased Information for ISA-8000V

After successful leasing of cores, Platform Model is updated.

The following figure depicts the Platform page on License Client after leasing Cores for ISA8000-V.

To configure an ICS/IPS VM as a License Client on License Server:

1. In the admin console of the license server, choose System > Configuration > Licensing > Configure Clients.

2. Click New Client.

3. Enter the Client ID. The ID is defined on the client Gateway under System > Configuration > Licensing > Configure Server.

4. Enter the client password and confirm it. The password is defined on the client Gateway under System > Configuration > Licensing > Configure Server.

5. (Optional) Enter the client configuration Expiration date.

6. Select the client’s platform as ISA Virtual Platform.

7. Select Connect Secure as the product type to be configured.

8. Select the Virtual Platform from the drop-down list, for example, ISA-V. The Virtual Platform can be one of ISA4000-V, ISA6000-V, or ISA8000-V, based on requirement.

9. For each feature you want to lease to this client, enter:

Reserved Count: the number of licenses to reserve for this client. The reserved count must be less than the available amount displayed.

Incremental Count: the incremental number of licenses to grant when the client requests more licenses. If the number of licenses on the client plus this incremental value is greater than the maximum count, no additional licenses are granted.

Maximum Count: the maximum number of licenses a client can receive for this feature. This value must be equal to or greater than the reserved count.

Available counts are updated as you configure the client.

10. Click Save Changes.

The License clients table displays the client information you entered.

Configuring ICS/IPS 9.x VM as a License Client on License Server

You can configure an ICS/IPS VM as a license client. As a prerequisite, you need a License Server running ICS 9.1R13.1 or a later release. You can also use 22.x and later releases for leasing licenses to clients.

Prerequisite:

Install CONSEC or POLSEC and the PS-CORE license to lease licenses to 9.x clients.

The following are sample SKUs:

CONSEC-PLN-7500U-5YR - Pulse Connect Secure License (VPN remote access) 7500 Concurrent Sessions

POLSEC-1000NU-1YR - Pulse Policy Secure License 1000 Named Users

PS-CORE-100C-1YR - Enables leasing of 100 core licenses on a Pulse Secure (PSA or VA) licensing server

To configure an ICS/IPS VM as a license client:

1. In the admin console of the license server, choose System > Configuration > Licensing > Configure Clients.

2. Click New Client.

3. Enter the Client ID. The ID is defined on the client Gateway under System > Configuration > Licensing > Configure Server.

4. Enter the client password and confirm it. The password is defined on the client Gateway under System > Configuration > Licensing > Configure Server.

5. (Optional) Enter the client configuration Expiration date.

6. Select the client’s platform as Virtual Platform.

7. Select Connect Secure as the product type to be configured.

8. Select the Virtual Platform from the drop-down list, for example, PSA-V. The Virtual Platform can be one of PSA3000-V, PSA5000-V, or PSA7000-V, based on requirement.

9. For each feature you want to lease to this client, enter:

Reserved Count: the number of licenses to reserve for this client. The reserved count must be less than the available amount displayed.

Incremental Count: the incremental number of licenses to grant when the client requests more licenses. If the number of licenses on the client plus this incremental value is greater than the maximum count, no additional licenses are granted.

Maximum Count: the maximum number of licenses a client can receive for this feature. This value must be equal to or greater than the reserved count.

Available counts are updated as you configure the client.

10. Click Save Changes.

The License clients table displays the client information you entered.
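
The Reserved, Incremental and Maximum Count rules from step 9 of both client procedures above, modeled as an added example (not Ivanti code and not part of the original page). The class and function names are hypothetical, the values are constructed, and the client is assumed to start out holding its reserved count. It shows that when the maximum is not the reserved count plus a whole number of increments, the rule as stated leaves licenses the client can never obtain.

```python
"""Model of the lease-count rules as this page states them (not Ivanti code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class FeatureLease:
    reserved: int      # Reserved Count
    incremental: int   # Incremental Count
    maximum: int       # Maximum Count

    def config_errors(self, available: int) -> list[str]:
        """Check the two constraints the page places on the counts."""
        errors = []
        if not self.reserved < available:
            errors.append("reserved count must be less than the available amount")
        if not self.maximum >= self.reserved:
            errors.append("maximum count must be >= reserved count")
        return errors

    def grant(self, held: int) -> int:
        """Licenses granted when a client holding `held` asks for more.

        Page rule: if held + incremental > maximum, nothing is granted,
        so there is no partial top-up to the maximum.
        """
        if held + self.incremental > self.maximum:
            return 0
        return self.incremental


def simulate(lease: FeatureLease, requests: int) -> list[int]:
    """Held count after each of `requests` successive requests for more."""
    held = lease.reserved  # assumption: the reserved count is held from the start
    history = [held]
    for _ in range(requests):
        held += lease.grant(held)
        history.append(held)
    return history


# Constructed sample values, not taken from a real deployment.
aligned = FeatureLease(reserved=100, incremental=50, maximum=250)
stranded = FeatureLease(reserved=100, incremental=60, maximum=250)

if __name__ == "__main__":
    print(aligned.config_errors(available=1000), simulate(aligned, 4))
    print(stranded.config_errors(available=1000), simulate(stranded, 4))
    print(FeatureLease(500, 50, 400).config_errors(available=500))
```

With an increment of 60 the client stops at 220 of its 250 maximum, so a capacity plan based on the Maximum Count alone overstates what that client can serve.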

Configuring a License Client to lease the licenses from License Server

Release 22.x and later supports leasing licenses through a license server to 22.x and 9.x clients.

To configure this device as a license server client:

1. In the admin console, choose System > Configuration > Licensing > Configure Server.

2. Enter the name of the license server. You can specify the IP address (IPv4/IPv6) or hostname.

3. Enter a unique ID for this client. This ID is used to communicate and verify this client with the license server.

IDs can contain alphanumeric characters. There is no restriction on the number of characters.

You will need to enter this ID on the license server when adding clients.

4. Enter and confirm a password for this client.

You will need to enter this password on the license server when adding clients.

5. Select the network to communicate with the license server from the Preferred Network menu.

If the preferred network is configured correctly and enabled, it is used. Otherwise, the internal network is used.

6. Select the Verify SSL Certificate checkbox if you want the client to verify the server’s SSL certificate when establishing communication with it.

7. Click Save Changes.

If this client is part of a cluster, you can change configuration information for this node or any node within the same cluster by selecting the node name from the pull-down menu. You can also select Enter cluster to update general cluster configuration information.

Licensing Details

ISA hardware or ISA-V running 22.1 and above can act as a licensing server. Release 22.x and later supports leasing licenses through the License Server to 22.x and 9.x clients.

For a virtual license server deployment, a platform / core license is not required. Only a “license server” license is required. If the licensing server is deployed as part of a cluster, then only a single node requires the “license server” license.

A licensing server running software version 22.x or above supports leasing licenses through the License Server to 22.x and 9.x clients.

Only a single node on the Licensing Server requires the concurrent user or feature licenses. If a node in the Licensing Server cluster fails, there is a grace period of 20 days during which the other node can lease both concurrent user and feature licenses.

Grace period duration

| Platform | Pulse Cloud Licensing Service (PCLS) | Licensing Server (LS) | Neurons Secure Access licensing mode | Grace period duration |
|---|---|---|---|---|
| ISA-V / PSA-V with subscription licenses | Lost connectivity to PCLS | NA | NA | 24 |
| ISA-V / PSA-V / ISA / PSA | NA | Lost connectivity to LS | NA | 10 |
| ISA / ISA-V | NA | NA | Lost connectivity to Neurons Secure Access platform | Existing users continue to log in. New users cannot log in. No grace period. |

Heartbeat duration to Cloud / SaaS services

| Platform | Heartbeat to Licensing server | Heartbeat duration to PCLS | Heartbeat duration to Neurons for Secure Access |
|---|---|---|---|
| ISA-V / PSA-V with subscription licenses | NA | Every 8 hours | NA |
| ISA / ISA-V | License clients renew their leased license counts every 60 minutes. | NA | NA |

Cluster grace period duration

Ivanti recommends using standalone nodes or clusters of a maximum of 2 nodes behind a load balancer.

Ivanti Security Appliance (ISA)/ISA-V does not support clusters containing more than two nodes for ICS.

| Platform | Cluster grace period | Feature license | Grace period |
|---|---|---|---|
| ISA / PSA / ISA-V / PSA-V | When a node fails what is the grace period for Concurrent Users | When a node fails what is the grace period for Concurrent Users | 10 days |
| ISA / ISA-V | NA | NA | 10 days |

Secure Access platform grace period

| Platform - SaaS Secure Access Platform | License expired / Grace period |
|---|---|
| ZTA subscription license | No grace period |
| PCS / ICS add-on license | 31 days for ICS concurrent users |