Q: What is a Pulse Secure ICE license?
A: In an emergency situation it may be necessary to increase the number of available licenses installed on the device to allow a large number of users to connect simultaneously for several days or weeks at a time. An ICE (In Case of Emergency) license is a Pulse Connect Secure license that can be activated on a device to increase the licenses to match the number of maximum connections that the hardware supports + 10%. This allows customers to provide an immediate response to a sudden demand of concurrent users for emergencies, such as:
- Pandemic (COVID-19, Swine Flu, SARS)
- Natural disaster (hurricanes, earthquakes, snow storms)
- Terror attack
- Transportation strike
Q. What is the length of the ICE license?
An ICE license can remain enabled for 8 weeks at one time, or can be used in intervals. Once enabled, it can be disabled at any time prior to the 8 week expiration date and this will stop the timer. The timer will restart again once the license is re-enabled. The timer is calculated in 5 minute intervals. This allows the PCS admin to:
- Enable the license for users to test access features.
- Run periodic drills to test disaster preparedness.
- To support an increase in users while new hardware is being purchased, installed and tested.
Q. Which platforms support the ICE licenses?
- SA4500, SA4500 FIPS, SA6500, SA6500 FIPS
- MAG2600, MAG4610, MAG-SM160 and MAG-SM360
- PSA300 ,PSA3000, PSA5000,PSA7000 and PSA7000c (both PPS and PCS personalities)
- PSA-V Appliance.
Q. Can an ICE license be used with an EVAL license?
A. No. If any node has an EVAL license installed the ICE license cannot be enabled. The link to enable the ICE license will be disabled. To enable the ICE license, it will be necessary to remove the EVAL license from the device. (The EVAL license can be reinstalled with the license keys once the ICE license is disabled. It is recommended to save the license keys in a text file that can be used later to reinstall the license.)
Can the ICE license be combined with permanent or subscription licenses already installed on the device?
Yes. ICE licenses can be combined with permanent licenses or subscription licenses already installed on a device, without impacting the existing licenses in any way. A subscription license will continue to countdown its timer while an ICE license is enabled.
Q: Can a device or cluster operate with ICE licenses only?
A: Yes. This is a common use case where a standby cluster would be used for Disaster Recovery only and would be licensed with ICE licenses as per the example in the screenshot below:
Additional reasons to use ICE licenses on dedicated hardware include:
- When scalability needs exceed current hardware and new hardware has been purchased and shipped but permanent licenses have not yet been purchased.
- To have a dedicated environment to test new features or existing features in new software releases.
- When there is a need to have additional hardware as a backup in the case of an RMA.
- If and when the need for SSL licenses becomes permanent, you can buy new permanent SSL VPN licenses and install them on top of the ICE license to allow for a smooth transition to permanent use.
Q: When ICE licenses are enabled on an A/A cluster, why don't the number of users mentioned for each node total the maximum concurrent users allowed for the cluster?
A: Each node will display the number of available licenses for that node, however, the cluster limits will still apply, so the Maximum Concurrent User count reflects the number of concurrent connections allowed for the entire cluster.
In the example shown below, a pair of PSA7000c's are clustered in an A/A cluster running PCS OS 8.3 with ICE licenses enabled. ICE license has provided 30000 user licenses for each node and this has been added to the permanent licenses already installed on the device, however, the Maximum Concurrent User count of 45000 is the number of users supported by the cluster.
Refer to the following KB articles for details on the number of concurrent connections supported by various hardware/software models:
KB16892 - What is the maximum number of concurrent connections for Pulse Connect Secure (PCS) or Pulse Policy Secure (PPS) devices in Active/Active (A/A) cluster configurations?
KB40057 - Maximum license limit for PSA hardware platform in different software releases
(Note: There is also a 10% overage allowed once the maximum number of user licenses are consumed. When logging in, users will see a warning that the concurrent number users exceeds the allowed licenses but they will be able to authenticate. The 10% overage is implied and does not get calculated into the Maximum Concurrent Users count displayed in the Licensing page from the Admin GUI.)
Q: For A/P and A/A clusters, is it necessary to purchase an ICE license for every node?
A: Yes, it is required that all nodes in both A/P or A/A cluster have an ICE license installed. If an ICE license is installed on one device in the cluster but not the other, the user count will not increase to the device maximum capacity when the license is enabled, as per the screenshot below.
(In the above example, even though the ICE license is enabled on node 1, the user count for node 1 is '0' because there is no ICE license or permanent license installed on node-2. The cluster is, therefore, using the 100 Concurrent Sessions - Perpetual license from node 2-- bringing the the Maximum Concurrent User count for the cluster to '100'.)
Q: Is it necessary to manually enable the ICE license on every node in the cluster?
A: No. When enabling the ICE license on one node in the cluster, it will automatically be enabled on the other node(s). This also applies when disabling an ICE license in a cluster.
Q: What happens when the ICE license expires? Is there a grace period?
A. When the ICE license expires, the functionality enabled by the license will no longer be available. There is no grace period that extends an ICE license once it expires. If there are no other licenses installed on the device then users will not be able to login once the ICE license expires. If the device does have existing licenses installed then these licenses will continue to be operational without any interruption in service.
