VPN SSL licenses and limitations
Hello,
We currently use the WatchGuard VPN IPSec client for VPN connections and I have a VPN server to manage licenses for each user. They are tied to the user's computer, and I must unbind them on the VPN license server if the license needs to be assigned to another user.
I am wondering, do I need to purchase licenses for each user and activate them if we switch to SSL VPN? Are they tied to each user the same way? I am wondering whether, if we have a certain number of licenses and users start to connect, the licenses are used, and if we run out of licenses, users will not be allowed to connect unless another user disconnects to free up a license.
Can someone explain how licenses are handled when using SSL VPN? Are there any limitations when using SSL VPN over IPSEC? We have users connecting to a terminal server and using DFS shares.
Thank you.
Beau
Best Answer
@Beau said:
I am wondering, do I need to purchase licenses for each user and activate them if we switch to SSL VPN? Are they tied to each user the same way?
My understanding is that SSL VPN does not have specific licensing other than the (licensed) capacity limit of your firewall, which is number of concurrent (VPN) connections.
i.e. no separate licensing applies to the SSL VPN client. To find the limit(s) applicable to your Firebox, look at the feature key installed (see https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/vpn_licensing_c.html for detail).
Can someone explain how licenses are handled when using SSL VPN? Are there any limitations when using SSL VPN over IPSEC? We have users connecting to a terminal server and using DFS shares.
SSL VPN doesn't use IPsec but actually uses the OpenVPN setup - which in turn uses SSL/TLS (hence the name).
One main thing if you have multiple IPsec profiles is that you would need to migrate these to individual policies, which can take a bit of planning. See https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_about_c.html for more detail.
Answers
No.
The client VPN limit is for concurrent access, not per user.
Thank you for clarifying and the references.
There are two different licenses here.
The IPSec Client is licensed separately, and is per machine. Other IPSec clients may work, but the only one we specifically support for IPSec/IKE is the one provided by NCP.
The firewall also has licensing that dictates how many users can concurrently connect. You'll see that in your feature key like:
Feature: L2TP_USER#75
Feature: MUVPN_USER#75
Feature: SSLVPN_USER#75
This means that the following number of users can concurrently be connected:
- 75 users can connect via L2TP
- 75 users can connect via IPSec/IKEv1/IKEv2
- 75 users can connect via SSLVPN

- IPSec/IKEv1/IKEv2 are generally more performant. The IPSec/IKEv1 VPN can allow multiple connection profiles, which some businesses find important.
- L2TP is generally used for clients that can't support IKEv2.
- SSLVPN is generally the easiest VPN for people to use, but can be slower for some tasks (SMB file shares and database access being the two I hear about the most).
If you're interested in trying one of the other VPNs, the firewall can handle multiple running at once. I'd suggest setting one up and trying it.
-James Carson
WatchGuard Customer Support
Hi James,
Thank you for the explanation. This helps.
Beau