Air gapped licensing

Post your feature requests here
Gregory
Posts: 2
Joined: Sun Dec 16, 2018 2:15 pm

Sun Dec 16, 2018 2:23 pm

Hello,

I have previously seen a similar request, but I would like to re-emphasize this request.

We have some environments where we work in air-gap mode, which means, our network is totally isolated. For example, in highly-secure networks, some zones are running critical workloads but do not have the possibility to reach a resource outside of the zone.

I would be grateful if you could add a licensing exception to work fully offline, as I do have a use-case where I would be highly interested. I understand this requires modifying the licensing portion and thinking about how you protect your product IP/interests, but I also assume that many environments are subject to restrictions on reaching a license server, especially for a critical asset, such as a configuration management asset.

This would be a big plus for highly secure networks and I personally would like to see that feature, even if that means I need to do a manual exchange of the license file from my servers to yours to validate changes. I am also willing to lose some functionalities, so long as it can back up the configurations on a daily basis.

Thanks,
Gregory
Tomas
Posts: 695
Joined: Sat Jun 25, 2016 12:33 pm

Sun Dec 16, 2018 3:14 pm

Hi,

There were a few requests in this topic previously:
viewtopic.php?f=10&t=251

Considerations which made us implement licensing the way it is:
- the licensing server is used for synchronization when using Unimus in HA mode
  - all instances of Unimus using the same license key are automatically switched into HA mode, and sync through the license server
  - this is done so HA with Unimus is super simple - you just use the same licensing key and HA just works
  - this would have to be completely disabled, and we would have to implement alternative instance syncing
- the licensing module is a central part of Unimus, so it would require A LOT of work to support offline mode
  - this includes work in Unimus, on the licensing server, and on the Customer Portal
- finally the most obvious - software piracy and IP protection
  - I think this point is fairly obvious

As for why we don't currently support offline licensing at all:
Over the years, we had maybe 10 people ask (this includes the forums and emails we received) for full offline, so only a very small minority of the community is currently asking for this.
Considering the small demand and the amount of work to integrate this, I hope it is understandable why we don't support this.

What we recommend to customers with tight security:
Unimus requires licensing communication only once every 2 days (or when new devices are being added).
Licensing is a single HTTPS request to https://licensing.unimus.net, and we do support proxying the licensing communication over HTTP(S) proxies. This means that the outbound connections from Unimus can be restricted to HTTPS communication to the proxy, and the proxy can restrict the connection to only HTTPS to licensing.unimus.net.
In this way, the Unimus server does not have outbound communication at all, only to the internal HTTPS proxy, and the proxy can only allow proper licensing requests.

Of course this is still not fully airgapped, and in networks which are fully airgapped this is not possible.
Sadly, currently we do not (and are not planning to, due to the reasons described above) support fully airgapped deployments.
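
One way to check that the proxy restriction described in the reply above actually holds, as an added example that is not part of the original thread and not Unimus code: it audits proxy access-log lines and reports anything other than a CONNECT from the Unimus server to licensing.unimus.net:443. It assumes the internal proxy is Squid writing its native access.log format and that the Unimus server is 10.20.30.40; the log lines are constructed.

```python
from dataclasses import dataclass

# Assumptions, not from the thread: the proxy is Squid writing its native
# access.log format, and the Unimus server's address is 10.20.30.40.
UNIMUS_SERVER = "10.20.30.40"
ALLOWED_TARGET = "licensing.unimus.net:443"  # licensing host from the thread, HTTPS port

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = """\
1544970000.101    215 10.20.30.40 TCP_TUNNEL/200 4388 CONNECT licensing.unimus.net:443 - HIER_DIRECT/203.0.113.10 -
1544970300.552      0 10.20.30.40 TCP_DENIED/403 3820 CONNECT example.org:443 - HIER_NONE/- text/html
1544971200.007    340 10.20.30.40 TCP_MISS/200 1290 GET http://example.org/ - HIER_DIRECT/203.0.113.20 text/html
1544972000.900    198 10.20.30.77 TCP_TUNNEL/200 4100 CONNECT licensing.unimus.net:443 - HIER_DIRECT/203.0.113.10 -
"""

@dataclass
class Finding:
    line_no: int
    permitted: bool  # True: the proxy let the request through, so its ACL has a gap
    reason: str

def audit(lines):
    """Return a Finding for each request outside the licensing-only policy."""
    findings = []
    for no, raw in enumerate(lines, 1):
        fields = raw.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) < 7:
            findings.append(Finding(no, False, "unparseable line"))
            continue
        # Native format: time elapsed client code/status bytes method URL ...
        client, result, method, target = fields[2], fields[3], fields[5], fields[6]
        if client != UNIMUS_SERVER:
            reason = f"unexpected client {client}"
        elif method != "CONNECT" or target.lower() != ALLOWED_TARGET:
            reason = f"{method} {target} is not the licensing endpoint"
        else:
            continue  # expected licensing traffic
        findings.append(Finding(no, not result.startswith("TCP_DENIED"), reason))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        status = "PERMITTED (tighten proxy ACL)" if f.permitted else "blocked by proxy"
        print(f"line {f.line_no}: {status}: {f.reason}")
```

A finding marked as permitted means the proxy forwarded traffic the policy should have denied; a blocked finding means the ACL worked but something on the Unimus server attempted other egress.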