nSA Licensing/Subscription
Licenses/subscriptions are added to your nSA by Ivanti.
The Subscriptions page displays the licenses/subscriptions that are active on your nSA. To access this page, click Administration > Subscriptions.
The Summary tab displays for each subscription/license:
- License/Subscription high-level details, including dates and usage metrics.
- One or more descriptions of the features in the license/subscription. Where there are multiple features, use Previous / Next to navigate.
When any defined limit on the license/subscription is met, a message appears:
- At 75% utilization of seats, an information message appears at the bottom of the screen. You can optionally click Close.
- At 90% utilization of seats, a modal message appears at login. Click Dismiss to clear the message.
- When 25% of the duration of the license/subscription remains, a modal message appears at login. Click Dismiss to clear the message.
The Users page lists users and their devices registered on nSA.
Named User Licensing Normalization
The nSA named user licensing normalization feature allows a user to log in with different login formats (Domain\username, Common Name (CN), and User Principal Name (UPN)) from different devices while consuming only one seat. A single license is consumed instead of two by associating devices with users for Machine Cert Authentication and subsequent User Authentication. This feature is supported only for ICS 22.6R2 Gateway with ISAC 22.6R1 Client and later versions.
Device to User Normalization
When a device logs into an ICS Gateway, the gateway checks whether a device entry exists in the local gateway cache.
- If the device entry exists in the gateway cache, the device login is successful. The request does not go through nSA; it is handled in the ICS Gateway.
- If the device entry does not exist in the gateway cache, the gateway sends a request to nSA to reserve a valid license.
- If this is the first login for the device, the Device name and Device serial number are sent to nSA. This map is updated in nSA to reserve the license for the device first.
- If the user login is from the registered device, nSA verifies the Device serial number entry mapping and recognizes an existing map for that serial number with the device.
- The Device serial number mapping is done irrespective of the gateway that the user tries to log in to.
- The user to device mapping from the gateway is updated in nSA as part of normalization.
Summary information for the nSA licenses/subscriptions is displayed at the top of the page:
- Total number of seats.
- Total number of issued named user license seats. Each of these is listed in the table below the summary.
- The percentage of seats consumed.
For each named user, the following information is displayed:
- The name of the user.
- The gateways enrolled for that user.
- The Updated time. This shows N/A for ICS gateways.
- The status of the named user license seat of that user.
Login type | Authentication type | Subscription page User details |
---|---|---|
L3 Login | Machine Auth enabled with latest client 22.7R3-30227 | Device details updated |
L3 Login | Machine Auth not enabled | Device details is blank |
L3 Login | User Auth enabled | Device details is blank |
L7 Login | Machine Auth enabled with latest client 22.7R3-30227 | Device details is blank |
L7 Login | User Auth enabled | Device details is blank |
You may need to remove users when there are changes in the organization. To delete one or more named users, select the corresponding check boxes and click Delete.
You may want to automatically remove the license of users who have not logged in during the last 30 days. To delete those users automatically, select the Auto Delete check box.
The counts on the Users page and the information on the Summary page are updated accordingly.
Grace Period Functionality for ICS Gateway
Grace period allows gateways to maintain connectivity for end users even when the nSA is temporarily unavailable. A grace period of 5 days is provided, during which new user logins can continue without interruption.
How it Works
New User Logins: Only new user license seat reservation requests are sent to the nSA.
Existing Users: Existing user sessions are managed using the local gateway cache, ensuring that they remain unaffected by nSA availability.
ICS Gateway versions prior to 22.7R2.2
The grace period is triggered based on the notification channel status:
Notification channel is Green: When the channel is reachable, the user license seat reservation request is sent to the nSA.
Notification channel is Red: When the channel is not reachable, the grace period is triggered to enable new user logins. During this time, no requests are sent to the nSA.
ICS Gateway versions 22.7R2.2 onwards
The grace period will now also be triggered if the user license seat reservation API fails. This ensures seamless operation even during temporary service disruptions, providing more robust support for user logins during such periods.
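The rules above, combined into one decision function for reasoning about outage scenarios. This is an added example, not Ivanti code. The function names, outcome labels, the `outage_days` parameter and the version-string parsing are assumptions made for this model. The page does not state what a login sees after the 5 days elapse, or on an older gateway when the API fails, so those two outcomes are labelled rather than resolved.

```python
import re

GRACE_DAYS = 5                        # grace period length stated on the page
API_FAIL_GRACE_FROM = (22, 7, 2, 2)   # 22.7R2.2: API failure also triggers grace

# Assumed version format: major.minor"R"release[.patch][-build]
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-\d+)?$")


def parse_ics_version(text):
    """Turn '22.7R2.2' or '22.6R2' into a comparable tuple (build suffix ignored)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def login_path(version, in_gateway_cache, channel_green, api_ok, outage_days=0.0):
    """Return the path a login takes under the rules described on this page.

    Outcome labels (hypothetical names for this model):
      local_cache        entry already in the gateway cache, nSA not contacted
      reserved_via_nsa   new login, seat reserved through nSA
      grace_period       new login continues while nSA cannot reserve a seat
      grace_expired      outage has outlasted the 5-day grace period
      reservation_failed API failed on a version where that does not trigger grace
    """
    if in_gateway_cache:
        return "local_cache"
    if channel_green and api_ok:
        return "reserved_via_nsa"
    # nSA could not reserve a seat: channel is Red, or the reservation API failed.
    api_failure_only = channel_green and not api_ok
    if api_failure_only and parse_ics_version(version) < API_FAIL_GRACE_FROM:
        return "reservation_failed"
    return "grace_period" if outage_days <= GRACE_DAYS else "grace_expired"


if __name__ == "__main__":
    # Constructed scenarios: same API failure, gateways on either side of 22.7R2.2.
    for v in ("22.7R2", "22.7R2.2", "22.7R3"):
        print(v, login_path(v, False, True, False, outage_days=1))
```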