Licensing flaw...


Not Ranked
3 Posts
EMelloul posted on 3 Nov 2010 2:13 PM

Websense,

I am running into an issue that I have been trying to get resolved with support as well as our sales team, to no avail. Here is the issue.... I bought 150 licenses for our ~130-135 nodes on our network. About 30% of our users are laptop users.

Following best practices, our wired network, private WiFi and public WiFi are all on separate VLANs - thus, separate IP ranges. Here is where I run into a problem with Websense due to a design flaw in the licensing (which makes absolutely no sense at all...).

Let's say I am plugged into our wired network and I get the IP 192.168.1.10. Then I get on the WiFi and I get 192.168.2.10. I have two IP addresses, but it is still a single user with a single "seat" or piece of hardware. So effectively, I have doubled the amount of licenses that I would consume, which is a little ridiculous.

This poses a problem for us with users who take their laptops to meetings and still need to be able to access the Internet. Is there a solution to this?

Thanks,
Ethan

All Replies

Top 10 Contributor
986 Posts
Trusted Users (MVP)

EMelloul:

While all of this is great... Websense doesn't take into account how easy it is to completely defeat their licensing model. Any junior level network admin would be able to create a NAT with a policy map that allows your network to function properly, then NAT all outside traffic behind a virtual interface before it hits your edge device (thus double NATing) and essentially funnel all traffic down to one IP with a single MAC - nothing a few commands on EIGRP/OSPF couldn't alleviate.

Wouldn't that be nice?

No it wouldn't be nice, unless you're in such a homogeneous environment that you can filter every person and machine in your environment with the same Websense policy and you don't need internet usage logs of any of them. At that point you might as well have used OpenDNS for free...

EMelloul:

I could do it on a 6500 in about 5 minutes... and it would also keep all reporting fully intact with AD authentication, etc. While I'm sure that would be in violation of the license guideline, requiring me to buy a "subscription" because I designed a network properly is completely absurd.

No it wouldn't. Websense is not designed for multiple users on a single IP (except if you're using the Citrix plugin), so it will filter them all by the same policy and constantly require reauthentication.

EMelloul:

The way to fix this is as suggested, with either a client on the desktop, or to actually query machines out of AD with an LDAP query - very simple fix. For Mac/Linux there are other solutions out there; but, given that my background is Cisco/Microsoft, maybe a client wouldn't be half bad. You could even do a simple WMI query and gather GUID information with aging that expires if you're using DC Agents - which I assume most people are.

Clients are a big no-no in many environments, including mine. There are already enough other clients on a corporate desktop that kill performance (AV, firewall, encryption, inventory management, etc. etc.).

Also, just because it's possible to license based on username instead of IP doesn't mean every vendor wants to. Look around at most other security vendors -- a large percentage charge you per device secured, not per user. In the end you're paying to protect your network and the devices on it, so why wouldn't it be licensed that way? Laptops that roam between different networks and eat multiple licenses are one issue, but as I and others have said, that can be discussed with your Sales rep to be addressed.
