These examples are from an PSA -MAG 360-node A/A cluster (running 8.x).
What is Pulse Secure ICE license?
ICE (In Case of Emergency) is a Pulse Connect Secure VPN-based solution that allows customers to achieve immediate response for any potential dramatic increase for secure remote employee and partner access. Examples include Pandemic (Swine Flu, SARS), natural disasters (hurricanes, earthquakes, snow storms), terror attacks, and transportation strikes.
The common theme to all of these is the increase in the need for secure remote access. PCS provides secure remote access for large user communities that originate from managed and unmanaged devices and require various levels of granular access. ICE license allows customers to achieve that in a cost-effective manner; ICE provides licenses for a large number of additional users on a PCS device for a limited time.
Can you create and operate a cluster with only ICE licenses?
Yes; this scenario is for the Disaster Recovery scenario. Licenses in the cluster nodes will be at the maximum device capacity.
Ref Image :PSA 7000
Are ICE licenses required on all nodes in the cluster?
Starting with 7.2, it is required to install an ICE license on all nodes. If ICE license is only installed on one device, the user count will not increase when enabled.
Do you enable and disable ICE on the secondary node from Primary?
Yes. Provided both node should have ICE licenses installed . Starting with 7.2, when enabling ICE on the primary node, it will automatically be enabled on the secondary node.When only ICE license is installed on one node in a cluster , and other node doesn't have ICE license , Effectively enabling on one node will not come to effect ( number of license) displaing status as enabled.
What happens if I have a cluster and the Primary node has a permanent user license, ICE license, and the secondary node has only a user license; can I use the secondary node, without enabling the ICE in the primary node?
Yes, The effective number of user count will be user license used in secondary node. The cluster status of the secondary node will be enabled state.
In the above example for a PSA 7000 , when ICE is disabled, the number of users for the primary is only 1000
( 1000 user concurrent license) with the secondary having 100 ( 100 user concurrent license )
. When ICE is enabled, on both primary and secondary node ICE will be enalbed and the number is changed to the maximum for the device (45000
); along with the main license of 500, whereas the secondary receives only the maximum. Refer to the following image:
When the ICE license is disabled , then node specific user license will be effective of the customer. There is no way to disable ICE on one node only. In the below example , the effective user license number is 100 from the secondary node.
If there are 1000 user license on primary node and no user license on Secodary node and both having ICE license disabled , the effective user license will be 1000 user only.
Additional behavior with regards to having an EVAL license in the main node:
- If the node has an EVAL license, ICE will not display it with enable/disable links and it will be in the Inactive status.
- Removing the EVAL license will then display ICE enable/disable links and you can enable/disable it on demand.
Which platforms are supported by the ICE licenses?
SA4500, SA4500 FIPS, SA6500, SA6500 FIPS, MAG 2600, MAG 4610, MAG-SM160 and MAG-SM360,
PSA 300 ,PSA3000, PSA 5000,PSA 7000.
How can I activate or deactivate the additional capacity? And what can it be used for?
After the ICE license is installed on the PCS device, you can activate (or deactivate) the additional capacity on the licensing page of the Admin UI (in total, you can activate the additional capacity for up to 8 weeks. Each time you deactivate ICE, the timer will freeze and start from the same point, the next time you activate it; which is counted in 5 minute increments).
This feature allows you to have the device in the warm backup status; where all you need to do is to to logon to the device and enable the additional capacity, without any configuration changes. This also allows you to test the device in the following cases:
- When you first deploy it
- When you want to test a new software release
- When you go through a periodic drill to test disaster preparedness
Can the ICE license work on dedicated hardware?
Yes; there is no need to have permanent licenses on the same device as the ICE license. Using a dedicated device for the ICE license is recommended in the following cases:
- When you have a different configuration (more groups of users, more resources, different policies) in case of emergency.
- Scaling - when desired scalability cannot be achieved with the same hardware.
- When you want a dedicated environment for ease of management, changes, and testing.
- When there is a need for a separate physical location.
- If existing HW is at or near the maximum user count license already, it makes more sense to place ICE licenses on new or unloaded HW. This way you maximize your return on the ICE investment.
- If and when the need for SSL licenses becomes permanent, you can buy new permanent SSL VPN licenses and install them on top of the ICE license to allow for a smooth transition to permanent use.
Can the ICE license work on the same platform as other permanent licenses?
Yes; there are two scenarios, in which this is useful:
You can use the ICE license on top of the permanent licenses that are used for everyday remote access (existing PCS customers can install the ICE license on top of their existing licenses).
- If and when the need for SSL licenses becomes permanent, you can buy new permanent PCS licenses and install them on top of the ICE license to allow for a smooth transition to permanent use.
- Using the same device for the ICE license and for everyday use is recommended in the following cases:
- When the two use cases have similar configuration and requirements (similar groups, users, and resources).
- When you want the emergency device to be always up and running with limited number of users.
- When scalability needs for both cases can be achieved with the same device.
What is the length of the ICE license?
The ICE license can be activated for up to 8 weeks. Most companies state that they require 2-4 weeks of immediate support, before they will know whether the need becomes permanent.
The ICE license goes beyond customer requirements and provides a total of 8 weeks to allow for testing and processing of a new purchase order for permanent licenses, if and when the need becomes real.
What happens when the ICE license expires? Can I buy a permanent license or another ICE license?
When the ICE license expires, you will no longer be able to use the functionality that is enabled by the license (as a best practice, like any other deployment, it is recommended to backup your configuration). If you already have permanent licenses on the same device, they will continue to be operational, after the ICE license expires.
The ICE license was designed to have 8 weeks. A deactivation option, which stops the timer, is available to provide enough time for customers to understand whether the need becomes permanent and to process a new purchase order for additional licenses. You can either buy new permanent licenses (same as you would do for a new device; no special discount) or a new ICE license to extend the time (the ICE licenses are additive in time).
What else should I consider when planning for an emergency?
Every scenario is different; but keep in mind that ICE is applicable to the PCS deployment and acts as an enabler for more concurrent users. ICE planning is a general concept and should include complete network evaluation to determine proper ICE planning.