[Implemented] Air gapped licensing

Posted: Sun Dec 16, 2018 2:23 pm
by Gregory
Hello,

I have previously seen a similar request, but I would like to re-emphasize this request.

We have some environments where we work in air-gap mode, which means our network is totally isolated. For example, in highly-secure networks, some zones are running critical workloads but do not have the possibility to reach a resource outside of the zone.

I would be grateful if you could add a licensing exception to work fully offline, as I do have a use-case where I would be highly interested. I understand this requires modifying the licensing portion and thinking about how you protect your product IP/interests, but I also assume that many environments are subject to restrictions on reaching a license server, especially for a critical asset, such as a configuration management asset.

This would be a big plus for highly secure networks and I personally would like to see that feature, even if that means I need to do a manual exchange of the license file from my servers to yours to validate changes. I am also willing to lose some functionalities, so long as it can back up the configurations on a daily basis.

Thanks,
Gregory

Re: Air gapped licensing

Posted: Sun Dec 16, 2018 3:14 pm
by Tomas
Hi,

There were a few requests in this topic previously:
viewtopic.php?f=10&t=251

Considerations which made us implement licensing the way it is:
1) the licensing server is used for synchronization when using Unimus in HA mode
All instances of Unimus using the same license key are automatically switched into HA mode, and sync through the license server. This is done so HA with Unimus is super simple - you just use the same licensing key and HA just works. This would have to be completely disabled, and we would have to implement alternative instance syncing.

2) the licensing module is a central part of Unimus, so it would require A LOT of work to support offline mode
This includes work in Unimus, on the licensing server, and on the Customer Portal. We would basically have to completely rewrite the existing license handling, as well as integrate the new "offline" handling. As you can imagine, this is a large code change, and it would require a rewrite of all associated tests and QA procedures, as well as requiring new tests and QA (acceptance testing) scenarios.

3) finally the most obvious - software piracy and IP protection
I hope this point is fairly obvious.

As for why we don't currently support offline licensing at all:
Over the years, we had maybe 10 people ask (this includes the forums and emails we received) for full offline, so only a very small minority of the community is currently asking for this. Considering the small demand and the large amount of work (as described above) to integrate this, we hope it is understandable why we don't support this.

What we recommend to customers with tight security:
Unimus requires licensing communication only once every 2 days (or when new devices are being added). Licensing is a single HTTPS request to https://licensing.unimus.net, and we do support proxying the licensing communication over HTTP(S) proxies. This means that the outbound connections from Unimus can be restricted to HTTPS communication to the proxy, and the proxy can restrict the connection to only HTTPS to licensing.unimus.net. In this way, the Unimus server does not have outbound communication at all, only to the internal HTTPS proxy, and the proxy can only allow proper licensing requests.

Of course this is still not fully airgapped, and in networks which are fully airgapped this is not possible.
Sadly, currently we do not (and are not planning to due to reasons described above) support fully airgapped deployments.
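
The following is an added example, not part of the post above and not Unimus code: a small audit that checks a proxy access log against the licensing-only egress policy Tomas describes. It assumes a Squid-style native access log, port 443 for the HTTPS request, and a constructed Unimus server address; only the hostname licensing.unimus.net comes from the thread.

```python
"""Audit proxy access logs against a licensing-only egress policy (added example)."""
import re

# Assumptions, not from the thread: Squid native access.log layout,
# port 443, and the Unimus server address below (constructed).
UNIMUS_SERVER = "10.0.10.5"
ALLOWED_TARGET = "licensing.unimus.net:443"

# Fields: time elapsed client result/status bytes method url ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>[A-Z_]+)/\d{3}"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
1544970000.101    250 10.0.10.5 TCP_TUNNEL/200 4512 CONNECT licensing.unimus.net:443 - HIER_DIRECT/203.0.113.10 -
1544970100.202      0 10.0.10.5 TCP_DENIED/403 3900 CONNECT example.org:443 - HIER_NONE/- text/html
1544970200.303    120 10.0.10.5 TCP_MISS/200 1200 GET http://licensing.unimus.net/ - HIER_DIRECT/203.0.113.10 text/html
1544970300.404     90 10.0.10.9 TCP_TUNNEL/200 800 CONNECT example.org:443 - HIER_DIRECT/203.0.113.20 -
""".splitlines()


def audit(lines, server=UNIMUS_SERVER):
    """Return (violations, unparsed) for requests made by `server`.

    A violation is any request other than CONNECT to ALLOWED_TARGET.
    "blocked by proxy" means the ACL held but the host tried something
    unexpected; "allowed by proxy" means the proxy ACL is too loose.
    """
    violations, unparsed = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(raw)  # never silently drop unreadable entries
            continue
        if m["client"] != server:
            continue  # other hosts are out of scope for this policy
        on_policy = m["method"] == "CONNECT" and m["url"].lower() == ALLOWED_TARGET
        if not on_policy:
            verdict = "blocked by proxy" if m["result"].endswith("DENIED") else "allowed by proxy"
            violations.append((float(m["ts"]), m["method"], m["url"], verdict))
    return violations, unparsed
```

Any "allowed by proxy" result means the proxy rule set permits more than the single licensing destination and should be tightened.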

Re: Air gapped licensing

Posted: Fri Dec 09, 2022 2:07 pm
by Vik@Unimus
We have a new Unimus version 2.3.0-Beta1 live now, which features new Offline Mode licensing. You can find more information in our Beta branch thread

viewtopic.php?f=4&t=1599

If you are interested in the testing of this feature, please reach out to us to get you started.

Note, as mentioned in our recent post

viewtopic.php?p=3869#p3869

offline licensing will be available only to customers with the unlimited license.