License Management Overview
License Management
Ivanti Connect Secure software and Ivanti Policy Secure software include an Ivanti Licensing and Software Download Center at https://my.pulsesecure.net, which lets you configure an Ivanti Connect Secure device as a license server so that administrators can view all configured systems and move licenses between them as needed. Other devices on the network lease licenses from the central license server.
Alternatively, you can install and manage licenses directly on each device and eliminate the license server entirely. Your company’s needs and requirements dictate which configuration is best for you.
The various types of licenses are listed in a table in the original guide (table not reproduced in this text).
End User License Agreement (EULA) acceptance is mandatory and you are entitled to use the features of the software that you have licensed within the limits of your Proof of Entitlement. Contact your sales representative for more information.
From the 9.1Rx release, the Pulse MAG Series Appliances that support Ivanti Connect Secure and Ivanti Policy Secure have all been announced as End of Life (EOL). Existing users can refer to the 8.3R3 ICS and 5.4R3 IPS License Management Guide for MAG appliance and licensing information.
License Servers
If you choose to use license servers, the license server software can be run on the Ivanti Hardware Platforms and all Hardware Appliances-V Platforms models running the Ivanti Connect Secure personality. Once you configure a device to be a license server, that appliance ceases to be anything except a license server; it will no longer accept end-user client connections. You can configure more than one license server, but each client can be associated with only one license server. A device cannot be both a license server and a license client at the same time.
Note the following about license servers:
•Only administrators can log in to a license server.
•ICS 8.3R1 has added VMWare-based Virtual License Server (VLS) capability. Ivanti extended the support for other Virtual Platforms from 9.0R1 onwards.
•A license server cannot lease licenses from another license server.
•The license server manages and leases licenses associated with a user count, such as basic concurrent user licenses, RDP (remote desktop) licenses, Cloud Secure licenses from the 9.0R2 release and Core licenses from the 9.0R3 release. It also leases concurrent meeting user licenses and Advanced Mobile Licenses – Onboarding.
•Hardware license servers must have either an ACCESS-LICENSE-SVR or an ACCESS-SUB-SVR-ZYR license (for example, ACCESS-SUB-SVR-1YR) in order to be recognized as a license server.
The following figure shows a List of Configured Clients and Licenses Leased by Them.
Disabled Features
Only administrators can log in to the device configured as a license server. An error message is displayed to non-administrator users attempting to log in to the license server. All existing end-user sessions are terminated when a device is configured as a license server.
Some Ivanti Connect Secure features and windows are disabled on the license server’s administration console.
License Server High Availability Cluster Functionality
A high availability (HA) deployment of two hardware appliances can provide uninterrupted operation.
A license can be installed on a standalone ICS appliance and a node that is part of an active/passive cluster or an active/active cluster. Installing a license will fail if any node in the cluster has an MBR license, or if any node in the cluster is registered with a server.
The cluster can switch from active/passive to active/active and vice versa.
Unlike other licenses, which need to be installed on both nodes, this license is required on only one node in the cluster.
License Server High Availability in Active/Passive Cluster
With one appliance configured as the active node and the other as the passive node, the active node accepts connections and manages servers while the passive node monitors the primary. If, for any reason, the active node is unable to accept connections, the passive node takes over.
The passive node monitors the primary by sending periodic messages (often called heartbeat messages or health checks) to determine whether the active node is accepting connections. If a health check fails, the passive node retries the connection for a specified period, after which it determines that the active node is not functioning normally. The passive node then takes over for the active (a process called failover).
After a failover, the virtual IP is transferred to the passive node and all clients begin to re-establish their connections to the managed servers, but the session persistence rules are maintained as they were before the failover. When the passive node becomes active, it will be able to use all of the licenses for a 20-day grace period until the failed node rejoins the cluster.
Configuring a High Availability Cluster
After you download or receive your license keys by using email:
1.In the admin console of the license server, choose System > Configuration > Licensing > Licensing Summary.
2.Click on the license agreement link. Read the license agreement and, if you agree to the terms, continue to the next step.
3.Enter your license key(s) and click Add.
4.Click the Configure Clients tab.
5.Select the Enable Licensing server check box.
6.Click Save Changes.
7.Under System > Clustering, create a cluster. For details, refer to the Clustering section in the ICS Administration Guide.
8.Under the System > Clustering > Cluster Properties page, select Active/Passive configuration.
9.Configure another appliance into the cluster.
While configuring the license client, the server's virtual IP is used as the license server IP/Host name.
License Server High Availability in Active/Active Cluster and Over WAN
The license server works in active/active mode, in which every node serves clients individually and at the same time. An active/active cluster across the WAN mitigates disaster and provides high availability of the licensing server to its clients.
The active/active cluster is connected through the internal port. If the cluster is deployed across sites, the internal ports must be reachable for the active/active cluster to work. If the nodes are not reachable, a cluster split occurs. In case of a cluster split, until the failed node rejoins the cluster, the cluster license is available on both nodes for 20 days. After the 20-day grace period, the cluster license falls back to the individual node's license capacity.
- An active/active cluster does not support named user Remote Repository mode.
- Latency between the two nodes should be less than 100 milliseconds.
- In active/active mode, you have the option of using an external load balancer with a cluster. If you do use a load balancer, all the nodes actively handle user requests sent by the load balancer or round-robin DNS.
Configuring a High Availability Cluster
After you download or receive your license keys by using email:
1.In the admin console of the license server, choose System > Configuration > Licensing > Licensing Summary.
2.Click on the license agreement link. Read the license agreement and, if you agree to the terms, continue to the next step.
3.Enter your license key(s) and click Add.
4.Click the Configure Clients tab.
5.Select the Enable Licensing server check box.
6.Click Save Changes.
7.Under System > Clustering, create a cluster. For details, refer to the Clustering section in the ICS Administration Guide.
8.Under the System > Clustering > Cluster Properties page, select Active/Active configuration.
9.Configure another appliance into the cluster.
An active/active cluster supports only two nodes.
Supported Platforms
The following platforms support the license server high availability cluster functionality:
Virtual Platforms: Active/passive clustering of license servers is supported on all virtual platforms that support VLS from the 9.0 release onwards:
•ESXi
•Hyper-V
•KVM
•Cloud Platforms (MS Azure, AWS, OpenStack, AliCloud) – only for Active/Active Cluster.
Physical Platforms: Active/passive clustering of license servers is supported on the following physical platforms from the 9.0 release onwards:
•PSA3000, PSA5000 and PSA 7000 for HLS
License Clients
License clients (ICS or IPS) are configured to communicate with a particular license server. The client then requests the licenses (over HTTPS) that are allocated to it.
A License Member license (for example, PSA/ISA-LICENSE-MBR) must be installed when an administrator wants to surrender a client's perpetual licenses to the license server.
Leasing Licenses from a License Server
If the concurrent user count is greater than its leased license limit, a license client asks the license server to increase its capacity, in quanta of the incremental count, until the maximum user count (MUC) is reached.
When the license server receives license lease requests, it first verifies that the client has been allocated the licenses it is requesting. The license server then checks that it has sufficient licenses before granting the request.
Reserved licenses are leased for 10 days at a time. Clients renew their licenses according to the lease renewal interval configured on the license server. The reply sent by the license server includes a new lease expiration date, which is the earlier of the current time plus the incremental lease time and the license allocation expiration date. If a client does not renew a license before the lease expires, the license server reclaims the license. The renewal interval can be anything from one hour up to a maximum of IncrementalLeaseDuration/2.
A minimum lease interval of 24 hours is built-in. Once a client acquires an incremental license lease, it is kept for at least 24 hours even if the load diminishes on the client.
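The lease arithmetic described above, as an added example that is not part of the original guide and not Ivanti's code: a license server that verifies the requesting client has an allocation, grants increases in quanta of the client's incremental count up to its MUC and the server's free capacity, computes the new lease expiry as the earlier of now plus the incremental lease time and the allocation expiry, and reclaims leases that were not renewed. The names ClientConfig, LeaseServer and valid_renewal_interval are illustrative, and the 10-day incremental lease duration is an assumed default.

```python
from datetime import datetime, timedelta

# Constructed model of the lease rules in this section (not Ivanti code).
# The 10-day incremental lease duration is an assumption for this example.
INCREMENTAL_LEASE_DURATION = timedelta(days=10)


class ClientConfig:
    """Allocation the administrator configured for one client on the server."""

    def __init__(self, name, reserved, incremental, maximum, allocation_expiry):
        self.name = name
        self.reserved = reserved            # reserved user count (RUC)
        self.incremental = incremental      # quantum of each lease increase
        self.maximum = maximum              # maximum user count (MUC)
        self.allocation_expiry = allocation_expiry
        self.leased = reserved              # reserved licenses are leased up front
        self.lease_expiry = None            # set once an increment is granted


class LeaseServer:
    def __init__(self, pool, clients):
        self.clients = {c.name: c for c in clients}
        # Reserved counts are committed to their clients immediately.
        self.available = pool - sum(c.reserved for c in clients)

    def request_increase(self, client_name, concurrent_users, now):
        """Handle a client's request to cover `concurrent_users`.

        The server first verifies that the client was allocated licenses here,
        then grants increments of the client's incremental count while it has
        capacity, never exceeding the MUC. Returns (leased_count, lease_expiry).
        """
        client = self.clients.get(client_name)
        if client is None:
            raise PermissionError(f"{client_name} has no allocation on this server")
        while client.leased < min(concurrent_users, client.maximum):
            step = min(client.incremental, client.maximum - client.leased)
            if step > self.available:
                break                       # insufficient licenses: partial grant
            self.available -= step
            client.leased += step
        # New expiry: the earlier of now + incremental lease time and the
        # allocation's own expiration date.
        client.lease_expiry = min(now + INCREMENTAL_LEASE_DURATION,
                                  client.allocation_expiry)
        return client.leased, client.lease_expiry

    def reclaim_expired(self, now):
        """Leases not renewed before expiry are reclaimed by the server; the
        client drops back to its reserved count. Returns the client names reclaimed."""
        reclaimed = []
        for client in self.clients.values():
            if client.lease_expiry is not None and now > client.lease_expiry:
                self.available += client.leased - client.reserved
                client.leased = client.reserved
                client.lease_expiry = None
                reclaimed.append(client.name)
        return reclaimed


def valid_renewal_interval(hours, incremental_lease_hours=240):
    """The renewal interval must be at least 1 hour and at most
    IncrementalLeaseDuration/2 (240 h here, from the assumed 10-day lease)."""
    return 1 <= hours <= incremental_lease_hours / 2


if __name__ == "__main__":
    now = datetime(2024, 1, 1)
    c1 = ClientConfig("c1", reserved=50, incremental=10, maximum=100,
                      allocation_expiry=datetime(2024, 1, 5))
    server = LeaseServer(pool=200, clients=[c1])
    print(server.request_increase("c1", 75, now))   # 80 leased, expires Jan 5
    print(server.request_increase("c1", 500, now))  # capped at the MUC of 100
```

The partial-grant branch is the case an operator sees when the server's pool is nearly exhausted: the client receives whatever whole quanta were available and keeps asking at its next renewal.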
The following figure depicts the Flow Diagram for Leasing Licenses from a License Server
(Figure not reproduced in this text. Its labels show the lease targets for each license type: leasable to ISA (ICS), ISA-V (ICS) and *VA-SPE (ICS); leasable to ISA (IPS), ISA-V (IPS) and *VA-SPE (IPS); leasable to ISA (ICS) and ISA-V (ICS); leasable to ISA (IPS) and ISA-V (IPS); leasable to ISA (ICS/IPS), ISA-V (ICS/IPS) and *VA-SPE (ICS/IPS).)
Ivanti still supports leasing of licenses from 9.0Rx license servers to pre-9.0Rx license clients (VA-SPE).
Auto-Leasing
If a license client is unable to contact the license server because of network interruptions or license server maintenance, the license client can still increase its user count lease with the auto-leasing feature.
The auto-leasing feature is enabled automatically on a license server based on the number of extra licenses available and the current allocation of those licenses among the license server’s clients.
Auto-leasing applies only to subscription or user capacity licenses, and not to licenses tied to a specific platform or platform family. For example, auto-leasing can be enabled for the CONSEC-1000U-1YR license because the CONSEC-1000U-1YR license is not platform or platform family specific.
Even though the ACCESS-RDP licenses are applicable only to the Ivanti Connect Secure, auto-leasing is enabled for RDP users because this license is applicable to all platforms within the Ivanti Connect Secure system.
Auto-leasing is automatically enabled for a user capacity feature when the average available count over 24 hours for that feature is greater than 30% of the unallocated maximum capacity.
For example, assume the following scenario:
•A license server has a CONSEC-1000U-1YR concurrent user license installed.
•The server has 10 clients each configured with a reserved count of 50, an incremental count of 10 and a maximum count of 100.
•Each client has currently leased 60 user counts.
•The average available count over the past 24 hours is 400.
The unallocated maximum capacity is 10 clients * (100 maximum count - 60 leased) or 400. 30% of 400 is 120. Since the average available count over the past 24 hours is 400 and is greater than 30% of the unallocated maximum capacity (120), auto-leasing is enabled.
If, however, the maximum count on each client is 200, then the unallocated maximum capacity changes to 10 clients * (200 maximum count - 60 leased) or 1400. 30% of 1400 is 420. Since the average available count over the past 24 hours is 400 and is now less than 30% of the unallocated maximum count (420), auto-leasing is now disabled.
For clusters, the cluster lease leader performs the auto-increments for all connected cluster nodes.
During any one continuous disconnected state, auto-leasing can be used until the reserved leases expire or for 10 days.
The auto-leasing feature is disabled automatically if the client is unable to communicate with the license server for more than 10 days.
When a disconnected client re-establishes its connection to the license server, information is passed to the license server to reconcile capacity allocations for the duration of the automated lease increments, and “normal” leasing rules are in effect again. If the license server is unable to reconcile the client’s auto-lease usage, the license server turns off auto-leasing for all features for the next 5 days. All clients that connect to that license server during these 5 days cannot auto-lease until the 5-day penalty period expires. If a new user count subscription license (such as RDP or concurrent users) is added to the license server, the penalty period expires immediately.
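The auto-leasing rules of this section, as an added example that is not part of the original guide and not Ivanti's code: the 30% threshold from the worked scenario above, the 10-day disconnected limit, the reserved-lease expiry, and the 5-day reconciliation penalty that a new user count license cancels. The function and class names are assumptions; the numbers are the ones the section states.

```python
from datetime import datetime, timedelta

# Constructed illustration of the auto-leasing rules (not Ivanti code).
DISCONNECT_LIMIT = timedelta(days=10)   # auto-leasing stops after 10 days offline
PENALTY_PERIOD = timedelta(days=5)      # imposed when usage cannot be reconciled


def unallocated_max_capacity(clients):
    """Sum over clients of (maximum count - currently leased count).
    `clients` is a list of (maximum_count, leased_count) tuples."""
    return sum(maximum - leased for maximum, leased in clients)


def auto_leasing_enabled(clients, avg_available_24h):
    """A user capacity feature auto-leases when the 24-hour average available
    count exceeds 30% of the unallocated maximum capacity."""
    return avg_available_24h > 0.3 * unallocated_max_capacity(clients)


class AutoLeaseServerState:
    """Server-side bookkeeping for the reconciliation penalty."""

    def __init__(self):
        self.penalty_until = None

    def reconcile(self, now, usage_reconciled):
        """Called when a reconnecting client reports its automated lease
        increments. Failure to reconcile disables auto-leasing for all
        features for the next 5 days."""
        if not usage_reconciled:
            self.penalty_until = now + PENALTY_PERIOD

    def add_user_count_license(self):
        """A new user count subscription license (RDP, concurrent users)
        ends the penalty period immediately."""
        self.penalty_until = None

    def in_penalty(self, now):
        return self.penalty_until is not None and now < self.penalty_until


def server_auto_lease_allowed(state, now, feature_enabled):
    """Evaluated when a client connects: a client arriving during the penalty
    window may not auto-lease even if the feature threshold is met."""
    return feature_enabled and not state.in_penalty(now)


def client_may_continue_auto_lease(now, disconnected_since, reserved_lease_expiry):
    """Evaluated by a client that is cut off from the server: automated
    increments stop after 10 days offline or when its reserved leases expire."""
    if now - disconnected_since > DISCONNECT_LIMIT:
        return False
    if now >= reserved_lease_expiry:
        return False
    return True


if __name__ == "__main__":
    # The two scenarios from the guide: 10 clients, 60 leased each.
    print(auto_leasing_enabled([(100, 60)] * 10, 400))   # True  (400 > 120)
    print(auto_leasing_enabled([(200, 60)] * 10, 400))   # False (400 < 420)
```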
Updating Client Configuration
Administrators can change a client configuration (at the license server) at any time. This change is communicated to the client the next time it contacts the license server for the next renewal. You can also click the Pull State from Server button in the client’s admin console to register any changes immediately.
If you reduce the maximum user count (MUC) value for a feature at a client, the current leased count is reduced immediately without waiting for the client to contact the server. An increase to the reserved user count (RUC) or MUC value does not impact the current leased count until after the client contacts the license server. Once the client connects to the license server, licenses are relinquished. Optionally, you can delete the client configuration from the license server for the license capacity to become available.
Surrendering Licenses
An administrator can surrender perpetual user count licenses installed on a client to a license server so that they can be shared by other appliances of the same family. When surrendering licenses, the entire license is removed; you cannot surrender portions of a license. You surrender a license only to the license server to which the client is registered. Once a license is surrendered, the license server will treat the licenses as if they were installed directly on the server.
The following figure depicts the Flow Diagram for Surrendering Licenses to a License Server
(Figure not reproduced in this text. Its labels show, for each license type, which platform can surrender it and which platforms it is then leasable to: can be surrendered by ISA (ICS), leasable to ISA (ICS), ISA-V (ICS) and *VA-SPE (ICS); can be surrendered by ISA (IPS), leasable to ISA (IPS), ISA-V (IPS) and *VA-SPE (IPS); can be surrendered by ISA (ICS), leasable to ISA (ICS) and ISA-V (ICS); can be surrendered by ISA (IPS), leasable to ISA (IPS) and ISA-V (IPS).)
- Ivanti Connect Secure still supports leasing of licenses from 9.0Rx license servers to pre-9.0Rx license clients (VA-SPE).
- You can surrender only perpetual concurrent user licenses (for example, CONSEC-ADD-xU) and perpetual meeting user licenses (for example, PSA-MTG-xU). You cannot surrender feature licenses (for example, IPS-RADIUS-SERVER) or duration-based licenses (for example, CONSEC-1000U-1YR).
When licenses are surrendered to the license server, they are given an expiration date 10 days out. The client automatically contacts the license server every 4 hours to extend the transfer by resetting the expiration date. If the client loses communication with the server for more than 10 days, the server can no longer lease these licenses. However, these licenses are not automatically returned to the client; they are returned only with the recall function.
In a cluster, each node surrenders and recalls its licenses independently of the other nodes. There is no concept of a surrender leader. However, an administrator can log in to a cluster node and surrender or recall licenses for that node or any node within that cluster.
For the license surrendering procedure, see “Surrendering and Recalling Licenses”.
Recalling Licenses
An administrator can recall licenses surrendered to a license server at any time. The recall operation can be done only at the client where the licenses were surrendered. Recalled licenses are available immediately at the client regardless of whether the client can communicate with the license server.
If the license server/client communication is down at the time of the recall, the client continues to contact the license server. When communication is again established, the server stops leasing those licenses.
If the license server had already leased those licenses at the time of the recall operation, those leased licenses are valid until the client renews its leases. If licenses are unavailable, the client is not assigned any capacity. The license server does not recall the licenses it already granted.
For the license recalling procedure, see “Surrendering and Recalling Licenses”.
Downloading License Keys Automatically
Administrators are given the option to automatically download license keys from the Ivanti Connect Secure Licensing and Software Download Center at https://my.pulsesecure.net. This feature applies to all license keys (subscription-based, capacity-based, and so forth). Communication is over HTTPS.
The automated download process uses the following schedule for contacting the Ivanti Licensing and Software Download Center at https://my.pulsesecure.net.
•Once every 3 months if there are no expiring licenses.
•Once a month if a license is expiring within the next 3 months.
•Once a week if a license is expiring within the next 2 weeks.
•Once a day if a license grace period is expiring within the next week.
For the automatic downloading procedure, see “Configuring the Automated Downloading of License Keys”.
Licensing Virtual Appliances
ICS 8.3R1 has added VMWare-based Virtual License Server (VLS) capability. Ivanti extended the support for other Virtual Platforms from 9.0R1 onwards.
Named User Licenses
While a concurrent user license allows a group of people to share a license, a named user license is individualized. Named user licensing (NUL) gives administrators the option to license ICS and IPS individually using named users. Administrators can also lease named user licenses across ICS and IPS from a license server, so that they are accounted centrally on the licensing server rather than on individual point products or clusters.
The named users feature behaves as follows:
Installation of a named user license freezes all other licenses: When a new named user license is installed on an appliance, all other licenses are “frozen”; they cease to have effect until the named user license is removed. Concurrent user licenses, whether perpetual or subscription, CONSEC or POLSEC, are frozen when named user licenses are enforced. All concurrent user licenses are marked inactive and shown as such (greyed out) in the UI. After a named user license is installed, the system shows the maximum concurrent users as the platform limit.
Named user licenses work on unique user identities: When a user logs in, the login code uses the login name to determine whether the user is licensed to log in. If a unique user identity cannot be established (for example, with device certificates), a single user license is consumed.
Consumed on a first-come, first-served basis: A standalone or cluster-wide queue of unique users is maintained.
Maximum of 5 sessions per user identity: With named user licenses, the products allow a maximum of 5 sessions for any single user identity. When the same user logs in to two different realms simultaneously, the named user consumes only one license.
Appliances continue to have a maximum number of sessions: Appliances still have a maximum number of sessions they can support. A warning is raised when the appliance is close to its thresholds for sessions and for named users. Warnings in the user access logs indicate that the maximum concurrent user limit is near or has been reached. The named user limit has a 10% overage.
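The named-user accounting rules just listed, as an added example that is not part of the original guide and not Ivanti's code: one license per unique identity, a login without an identity consuming one license, at most 5 sessions per identity, the same user in two realms counted once, and the 10% overage. NamedUserPool and its method names are invented; the 90% point at which the "approaching limit" warning is raised is an assumption, since the section only says a warning is raised near the threshold.

```python
# Constructed illustration of the named-user rules above (not Ivanti code).
MAX_SESSIONS_PER_IDENTITY = 5   # stated in the section
OVERAGE = 0.10                  # 10% overage on the named user limit
WARN_FRACTION = 0.9             # assumption: warn at 90% of licensed users


class NamedUserPool:
    def __init__(self, licensed_users):
        self.licensed_users = licensed_users
        self.sessions = {}      # login name -> list of realms with an active session
        self.unidentified = 0   # logins with no unique identity; one license each

    def hard_limit(self):
        """Licensed count plus the 10% overage, beyond which logins are denied."""
        return int(self.licensed_users * (1 + OVERAGE))

    def consumed(self):
        """Licenses in use: one per unique identity plus one per unidentified login."""
        return len(self.sessions) + self.unidentified

    def login(self, username, realm):
        """Return (allowed, warning). `username` is None when no unique user
        identity can be established (for example, device certificate logins)."""
        if username is None:
            if self.consumed() >= self.hard_limit():
                return False, "named user limit reached"
            self.unidentified += 1
            return True, self._warning()
        realms = self.sessions.get(username, [])
        if len(realms) >= MAX_SESSIONS_PER_IDENTITY:
            return False, "max sessions per user identity reached"
        # A new identity needs a license; an existing identity already holds
        # one, even when the new session is in a different realm.
        if not realms and self.consumed() >= self.hard_limit():
            return False, "named user limit reached"
        self.sessions[username] = realms + [realm]
        return True, self._warning()

    def logout(self, username, realm):
        """Release one session; the identity's license is freed when its last
        session ends."""
        if username is None:
            self.unidentified = max(0, self.unidentified - 1)
            return
        realms = list(self.sessions.get(username, []))
        if realm in realms:
            realms.remove(realm)
        if realms:
            self.sessions[username] = realms
        else:
            self.sessions.pop(username, None)

    def _warning(self):
        """Warning text mirroring the access-log warnings the section describes."""
        used = self.consumed()
        if used >= self.licensed_users:
            return "maximum named user limit reached; overage in use"
        if used >= WARN_FRACTION * self.licensed_users:
            return "approaching named user limit"
        return None


if __name__ == "__main__":
    pool = NamedUserPool(10)
    print(pool.login("alice", "Users"), pool.login("alice", "Admins"))
    print(pool.consumed())   # 1: the same identity in two realms uses one license
```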
CONSEC and POLSEC named user licenses can be installed on the license server. Administrators can install named user licenses on each of their appliances and point them to a license server. Administrators can also install named user licenses on the license server and lease them to any of the following deployments:
•Hardware ICS on-premise – standalone or cluster
•Virtual ICS on-premise – standalone or cluster
•Hardware IPS on-premise – standalone or cluster
•Virtual IPS on-premise – standalone or cluster
•Cloud ICS and IPS deployments with a route to an on-premise license server
The ISA license server/VLS can act as the central coordinator and aggregator for all named user related operations. For detailed steps to enable named user Remote Repository mode on the license server, see Enabling Remote Repository Mode for Central Management of Named Users.
Enabling Remote Repository Mode for Central Management of Named Users
To configure named user settings, do the following on the license server:
1.Select System > Configuration > Licensing > Configure Clients.
2.In the Named User settings, select the Enable Named User Remote Repository Mode for ICS or Enable Named User Remote Repository Mode for IPS check boxes. This will allow the PCS or PPS client to operate in named user remote repository mode.
The following figure depicts the Named User Remote Repository Mode
3.Click Save Changes.
4.To view the number of registered users and the total number of licenses, select System > Status > Named Users ICS.
The following figure depicts Number of Registered Users and Licenses
5.An administrator can delete a named user entry from this table. This operation is permitted only from the license server.
Information about the deleted user will be propagated to the license clients through a periodic poll, initiated by the client.
- When an end user logs in from a license client that is configured to lease named user licenses from a license server cluster in named user Remote Repository mode, all fields in the named user database on the license server are populated on the active node only. Only the User field is synced to the passive node of the license server cluster. If the active node goes down and the VIP fails over, none of the fields in the named user records are retained except the User field.
- When a unique end user logs in for the first time from a license client that is configured to lease from a license server in Remote Repository mode, only the User field is populated in the named user database on the license client. All other fields start to be populated from subsequent logins.
Importing/Exporting Named User from/to an XML File
To import/export named users from/to an XML file from a license server:
Select System > Status > Named User Repository > Import/Export. The active license server node will be the only node that allows import/export.
The following figure depicts Import/Export Named Users
When the administrator is in the named user remote repository mode:
•Administrator can delete named users from the license server only.
•Administrator can import named users into the license server using XML.
- In case of a license server cluster, the above two operations are allowed from the Active node only.
- Deletion of named users is not allowed from client deployments.
- XML import of named users should not be done from a client deployment when operating in named user Remote Repository mode.
- XML Import of named users overwrites the existing named users.