NSA Named User Licensing
The NSA Named User Licensing mode was introduced in the 21.x release as part of the larger suite user-licensing effort.
Supports different platforms and SKUs: The software supports the following platforms: ISA4000-V, ISA6000-V, and ISA8000-V, with different vCPUs, memory, and license capacity. The software also supports ICS SKUs and NSA Named User SKUs, which enable a certain number of named users on NSA.
Unified Access License (UAL): The Unified Access License offers benefits such as no need for core or MBR licenses, global license sharing, and built-in disaster recovery. It operates on a Named User basis, allowing connection from up to five devices with no limit on the number of gateways. It is a subscription model that includes software support and offers a good alternative to suites, providing dynamic elasticity, and aligning with SaaS transformation goals for VPN deployments.
Includes
• VPN
• ZTA
• NSA
• Virtual Appliances
• Connect from up to 5 Devices
Not needed in this model
• License Server
• ICE licenses
• MBR license
New User Login Case
When a new user tries to log in to a VPN gateway:
1. The gateway queries NSA to check whether this user has a valid license.
2. If this user already has an assigned license in NSA, NSA responds to the gateway to allow the user to log in.
3. If this user is also new to NSA, NSA checks whether there are free licenses, assigns a free license to this user, and responds to the gateway to allow the user to log in.
4. If this user is also new to NSA and NSA has no free licenses, the user is not allowed to log in.
Existing User Login Case
- If this user has already signed in to this gateway, the user is allowed, because the gateway caches the user from the previous login.
- The gateway reconciles with NSA to get the full list of valid users.
The benefits of Named User Licenses include:
• Promotes seamless ZTNA migration/adoption.
• Investment protection.
• No sizing challenges with respect to users.
• Reduces the number of appliances to manage (removes the License Server cluster).
• Improves operational efficiency with a single SKU vs. many SKUs in a PO.
• A good alternative to Suites.
• Dynamic elasticity.
• Aligns with SaaS transformation goals for VPN deployments.
In UAL for VPN deployments, every user gets a reserved license seat in NSA, managed by Neurons. User licenses are not directly installed on Gateways, removing the need for an additional License server or Platform/Core licenses for Virtual Appliances. It supports both PSA (9.X) and ISA (22.X) gateways. Connect Secure gateways check with Neurons for licenses before allowing a user to connect, with gateway-side caching for all subsequent logins.
To handle user logins at scale, license seat reservation is made asynchronous to allow a seamless user login experience. If a new user logs in and NSA has no free licenses, the login is allowed but the over-usage is tracked. The NSA Named User model supports asynchronous license seat reservation.
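The login flow and the asynchronous seat reservation described above, as an added simulation that is not Ivanti's code: the classes NsaSeatPool and Gateway, their methods, and the sample users are invented for this example. The synchronous branch follows steps 1 to 4 of the new-user case (deny when the pool is exhausted); the asynchronous branch allows the login and counts the over-usage, as the paragraph above states. The gateway cache and reconciliation follow the existing-user case.

```python
"""Simulation of the gateway/NSA seat-reservation flow.

Added illustration, not Ivanti code: NsaSeatPool, Gateway and the sample
users are invented names for the example.
"""
from dataclasses import dataclass, field


@dataclass
class NsaSeatPool:
    """Stands in for NSA: a fixed number of named-user seats plus an over-usage counter."""
    capacity: int
    assigned: set = field(default_factory=set)   # users currently holding a seat
    over_usage: int = 0                          # seats granted beyond capacity (async mode)

    def reserve_seat(self, user: str, asynchronous: bool) -> bool:
        """Return True if the user may log in.

        - user already holds a seat          -> allow (step 2)
        - free seat available                -> assign it and allow (step 3)
        - pool exhausted, synchronous mode   -> deny (step 4)
        - pool exhausted, asynchronous mode  -> allow but record the over-usage
        """
        if user in self.assigned:
            return True
        if len(self.assigned) < self.capacity:
            self.assigned.add(user)
            return True
        if asynchronous:
            self.assigned.add(user)
            self.over_usage += 1
            return True
        return False

    def valid_users(self) -> frozenset:
        """Snapshot of every user NSA considers licensed (used for reconciliation)."""
        return frozenset(self.assigned)


@dataclass
class Gateway:
    """Stands in for a Connect Secure gateway with its local user cache."""
    nsa: NsaSeatPool
    asynchronous: bool = False
    cache: set = field(default_factory=set)
    nsa_queries: int = 0                         # round trips made to NSA

    def login(self, user: str) -> bool:
        # Existing-user case: a cached user is allowed without contacting NSA.
        if user in self.cache:
            return True
        # New-user case: ask NSA for a seat and cache the user on success.
        self.nsa_queries += 1
        allowed = self.nsa.reserve_seat(user, self.asynchronous)
        if allowed:
            self.cache.add(user)
        return allowed

    def reconcile(self) -> None:
        """Replace the local cache with NSA's current list of valid users."""
        self.cache = set(self.nsa.valid_users())


def run_scenario(capacity: int, logins: list, asynchronous: bool) -> dict:
    """Drive one gateway through a list of login attempts and summarise the outcome."""
    gw = Gateway(NsaSeatPool(capacity), asynchronous)
    results = [(u, gw.login(u)) for u in logins]
    return {
        "allowed": [u for u, ok in results if ok],
        "denied": [u for u, ok in results if not ok],
        "nsa_queries": gw.nsa_queries,
        "over_usage": gw.nsa.over_usage,
    }


if __name__ == "__main__":
    # Constructed sample: two seats, three distinct users, alice logs in twice.
    print(run_scenario(2, ["alice", "bob", "alice", "carol"], asynchronous=False))
    print(run_scenario(2, ["alice", "bob", "alice", "carol"], asynchronous=True))
```

With two seats and the logins alice, bob, alice, carol, the synchronous run denies carol and makes three NSA queries (the second alice login is served from the cache); the asynchronous run allows carol and reports one over-used seat. A second gateway sharing the same pool can reconcile and then admit alice without querying NSA at all.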
UAL Licensing also offers the following features:
• Allows automatic deletion of users if they have not logged in during the last 30 days.
• Optimizes license usage.
• Normalizes different user formats: Domain\Username, UPN, CN-User, etc.
Named User Licensing Normalization
The NSA named user licensing normalization feature allows a user to log in with different formats (Domain\username, Common Name (CN), and User Principal Name (UPN)) from different devices while consuming only one seat. A single license is consumed instead of two by associating devices with users during Machine Cert Authentication and the subsequent User Authentication. This feature is supported only for ICS 22.6R2 Gateway with ISAC 22.6R1 Client and later versions.
Device to User Normalization
When a device logs in to an ICS Gateway, the gateway checks whether a device entry exists in its local cache.
• If the device entry exists in the gateway cache, the device login succeeds. The request does not go to NSA but is handled in the ICS Gateway.
• If the device entry does not exist in the gateway cache, the gateway sends a request to NSA to reserve a valid license.
• If this is the device's first login, the device name and device serial number are sent to NSA. NSA records this mapping so that the license is reserved for the device first.
• If a user logs in from a registered device, NSA verifies the device serial number mapping and recognizes the existing map between that serial number and the device.
- The device serial number mapping applies regardless of which gateway the user logs in to.
- The user-to-device mapping from the gateway is updated in NSA as part of normalization.
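An added simulation (not Ivanti's code) of the normalization and device-to-user mapping in the two sections above. The canonical identity form (lower-cased user@domain), the regular expressions, the class SeatRegistry, its methods and all sample values are assumptions. It further assumes that the account name is the same across Domain\username, UPN and CN, and that a clearly different user logging in from a registered device gets their own seat rather than riding on the device owner's seat.

```python
"""Simulation of NSA named-user normalization: Domain\\username, UPN and
CN login formats, plus a registered device, resolve to one user and one seat.

Added illustration, not Ivanti code. The canonical form ('user@domain',
lower-cased), the helper names and all sample values are assumptions.
"""
from __future__ import annotations
import re

# Patterns for the three login formats named in the text.
_DOMAIN_USER = re.compile(r"^(?P<domain>[^\\@]+)\\(?P<user>[^\\@]+)$")
_UPN = re.compile(r"^(?P<user>[^@\\]+)@(?P<domain>[^@\\]+)$")
_CN = re.compile(r"^CN=(?P<user>[^,]+)(?:,.*?DC=(?P<dc>.+))?$", re.IGNORECASE)


def normalize_login(login: str, default_domain: str) -> tuple[str, bool]:
    """Return (canonical 'user@domain', domain_was_explicit).

    Assumes the account name is the same across formats (sAMAccountName,
    UPN prefix and CN); a directory where they differ needs a lookup instead.
    """
    login = login.strip()
    if m := _DOMAIN_USER.match(login):
        return f"{m['user']}@{m['domain']}".lower(), True
    if m := _UPN.match(login):
        return f"{m['user']}@{m['domain']}".lower(), True
    if m := _CN.match(login):
        if m["dc"]:
            # CN=alice,OU=Staff,DC=corp,DC=example -> alice@corp.example
            domain = ".".join(re.split(r",\s*DC=", m["dc"], flags=re.IGNORECASE))
            return f"{m['user']}@{domain}".lower(), True
        return f"{m['user']}@{default_domain}".lower(), False
    # Bare username: the domain is only assumed.
    return f"{login}@{default_domain}".lower(), False


class SeatRegistry:
    """Stands in for NSA's user and device maps: one seat per canonical user."""

    def __init__(self, default_domain: str):
        self.default_domain = default_domain
        self.seats: dict[str, set[str]] = {}     # canonical user -> login strings seen
        self.devices: dict[str, dict] = {}       # device serial -> {"name", "user"}

    def device_login(self, device_name: str, serial: str) -> bool:
        """Machine-cert authentication: record the device by serial number first.

        Returns True when the serial was not yet known (first device login).
        """
        if serial in self.devices:
            return False
        self.devices[serial] = {"name": device_name, "user": None}
        return True

    def user_login(self, login: str, serial: str | None = None) -> str:
        """User authentication, optionally from a registered device.

        Returns the canonical user whose seat is charged.
        """
        canonical, explicit = normalize_login(login, self.default_domain)
        device = self.devices.get(serial) if serial else None
        if device is not None:
            if device["user"] is None:
                device["user"] = canonical      # associate the device with its first user
            elif not explicit:
                canonical = device["user"]      # ambiguous login on a known device: reuse owner
            # A clearly different user on the same device keeps its own seat;
            # merging here would let one seat cover two people (assumption).
        self.seats.setdefault(canonical, set()).add(login)
        return canonical

    def seats_in_use(self) -> int:
        return len(self.seats)


def demo() -> dict:
    """Constructed walk-through: one person, three formats, one registered laptop."""
    nsa = SeatRegistry(default_domain="corp.example")
    nsa.device_login("ALICE-LAPTOP", "SN-0001")
    nsa.user_login("CORP.EXAMPLE\\alice", serial="SN-0001")  # associates SN-0001 with alice
    nsa.user_login("alice@corp.example")                      # UPN from another device
    nsa.user_login("CN=Alice", serial="SN-0001")              # CN without domain, known device
    nsa.user_login("bob@corp.example", serial="SN-0001")      # different user, same laptop
    return {"seats": nsa.seats_in_use(), "users": sorted(nsa.seats)}


if __name__ == "__main__":
    print(demo())
```

In the walk-through, alice's three login formats collapse to one seat; the CN login without a domain is resolved through the laptop's serial number rather than by guessing a domain. Bob, logging in explicitly as a different account from the same laptop, takes a second seat: the device association is used to reunite one person's identities, not to let one seat serve two people.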
Differences Between Unified Access License and License Server
Unified Access License and License Server have several differences.
For example:
| Unified Access License | License Server |
|---|---|
| Any number of virtual appliances can be deployed without the need for core licenses. | Additional core licenses are required per device. |
| MBR licenses are not required. | MBR licenses are required with License Server. |
| Licenses are shared globally across all devices. | Licenses must be allocated/leased per device. |
| UAL offers consolidated analytical data to reduce risks and implement actions based on risk scores. | License Server does not offer consolidated analytical data. |