Licensing

The EnforceGate engine requires a valid license to operate. The license is bound to the host's machine identifier and validated against the Exosys Control Server (CS) at engine boot.

Editions

EnforceGate vX is sold in three editions (Lite, Pro, and Enterprise), with an optional capacity add-on for editions that allow it (5 additional connector sessions per engine; contact sales for availability). Licensing is per engine: a high-availability pair or a horizontally scaled deployment needs one license for each engine.

Feature | Lite | Pro | Enterprise
Bundled connector sessions (per engine) | 10 | 25 | 50
Engine + URL match engine | | |
egctl / egpolicy / learning mode / test-policy-uri | | |
Captive portal (block, warn, AUP — anonymous) | | |
Operator Web UI | | |
Identity-aware portal — Active Directory | | |
Identity-aware portal — RADIUS | | |
Operator SSO / SAML federation | | |
Bundled support | Direct | Direct | Premium
Extended support | — | paid add-on | already at top

Availability today

Phase 1 of the EnforceGate vX rollout ships the Lite edition only. The Pro edition (operator Web UI + Active Directory identity in the captive portal + Extended support eligibility) is scheduled for Q4 2026. The Enterprise edition (RADIUS identity + operator SSO + bundled Premium support) is scheduled for Q2 2027. Capacity add-ons ship alongside the editions that allow them.

Customers running Lite today who outgrow it can migrate to Pro or Enterprise once those editions ship — replace the license file, no re-deploy required.

The engine reads the edition at start-up and enables the corresponding feature surface. Operators size their renewal against the connector sessions they actually use (visible in eghost status) rather than against bandwidth or per-endpoint metering. See Sizing for the workstation and server-traffic deployment patterns.

Upgrading your edition

Migrating between editions — Lite → Pro or Pro → Enterprise — is a license-replacement, not a re-deploy. Contact support to obtain the new license credentials, update the values in your bundle's .env (ENGINE_LICENSE_SERIAL, ENGINE_LICENSE_USERNAME, ENGINE_LICENSE_PASSWORD), then restart the engine container:

eghost restart enforcegate

On the next boot the engine re-activates against the Exosys Control Server with the new credentials and enables the upgraded feature surface. Operator state — engine.conf overrides, policy versions, audit logs, the captive-portal leaf cert, and the bump CA — is preserved across the upgrade because all four named volumes survive container removal. See persistence for the volume model.

Purchasing additional connector add-on bundles follows the same workflow — new license credentials, .env update, engine restart. The engine reads the new total-session ceiling on its next start and accepts neighbour sessions up to that limit. Contact sales for add-on availability against your current edition.

Laws & regulation

The software elements within our products include capabilities — such as strong cryptographic algorithms — that may fall under regional regulatory constraints. It is the purchaser's responsibility to verify that the use of such elements is permissible in their jurisdiction before completing a license purchase.

EnforceGate vX also includes SSL/TLS inspection capabilities (peek and bump modes — see SSL inspection) that intercept and, in bump mode, decrypt traffic the end user's browser treats as end-to-end private. Activating these modes can have direct legal consequences under employee-privacy law, GDPR and equivalent data-protection regimes, sector-specific obligations (telecom, banking, healthcare), and wiretap or interception statutes — all of which vary by jurisdiction and deployment context (employees vs. guests vs. customers). The Licensee is solely responsible for confirming that enabling inspection — and the user-notice or consent that may be required to accompany it — is lawful in their environment. The product ships with inspection disabled by default and requires an explicit binding acknowledgement (EULA § 3) before bump mode can be activated.

Activation flow

Valid license required

The EnforceGate engine refuses to start without all three license credentials configured (serial, username, password). The connector, captive portal, and TLS terminator do not require a license and operate without restrictions.

Strong cryptography

To protect our software against tampering, unauthorised copies, and modifications, we employ sophisticated, dynamically evolving protection mechanisms that rely on strong cryptographic algorithms.

License credentials are supplied to the engine through three environment variables in the bundle's .env file (an .env.example is shipped alongside docker-compose.yml):

.env
ENGINE_LICENSE_SERIAL=EXEGT-0000-0000-0000-0   # replace with your serial
ENGINE_LICENSE_USERNAME=acme-prod
ENGINE_LICENSE_PASSWORD=<your account password>

The container forwards these variables into the engine's [license] section of /etc/enforcegate/engine.conf before startup. The serial and username are echoed on the boot card (a [ WARN ] line) so operators can confirm the right tenant is active; the password is silenced (length-only) to keep it out of docker logs.

License files

After activation, the engine stores license-bound state under /etc/enforcegate/license/. These files are managed by the engine and the Control Server — operators do not edit them. Activation survives container removal and image upgrades because the enforcegate-config volume preserves the whole /etc/enforcegate/ tree.

If you need to migrate the deployment to different hardware (different machine ID), contact support to coordinate re-activation against the Control Server.

File-permission enforcement

For production hardening, set enforce_permissions = true in the [license] section of engine.conf. The shipped Docker bundle already does this. With the option enabled, the engine refuses to start if the license files' permissions don't match the expected secure defaults — it exits with reason = "apm.permissions.failed" in the diagnostic file. See troubleshooting for recovery.

Serial format

EnforceGate product serials are 22 visible characters in the pattern:

XXXXX-XXXX-XXXX-XXXX-X

Five hyphen-separated groups in a 5–4–4–4–1 block layout. The digits 0 and 1 and the letters I and O are excluded from the alphabet to avoid 0/O and 1/I confusion when reading the serial off a label or over the phone. The last character is a check digit that catches typos; genuine issuance is proven by the Control Server at activation time, not by the format itself.
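A pre-flight check for the three license variables in .env and for the serial format described above, as an added example that is not part of the product or its documentation. The function names, the messages, the simplified .env reading and the assumed alphabet (uppercase A-Z and 2-9, minus I and O) are assumptions; the check digit is not verified because its algorithm is not documented here.

```sh
#!/bin/sh
# Pre-flight check of the license values in the bundle's .env (added example).
# Function names and messages are hypothetical; this is not vendor tooling.

# Print KEY's value from a dotenv file ($2). Simplified reader: the last
# assignment wins, a trailing " # comment" is dropped from unquoted values,
# and one pair of surrounding quotes is removed.
env_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e "/^[\"']/!s/[[:space:]]\{1,\}#.*\$//" -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Shape only: 5-4-4-4-1 groups, assumed alphabet A-Z and 2-9 without I and O.
# The check-digit algorithm is not given on the page, so it is not verified.
serial_shape_ok() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq \
        '^[A-HJ-NP-Z2-9]{5}(-[A-HJ-NP-Z2-9]{4}){3}-[A-HJ-NP-Z2-9]$'
}

# Report problems on stdout and return non-zero if any; the password value
# itself is never printed.
check_license_env() {
    file=$1
    rc=0
    for key in ENGINE_LICENSE_SERIAL ENGINE_LICENSE_USERNAME ENGINE_LICENSE_PASSWORD; do
        if [ -z "$(env_value "$key" "$file")" ]; then
            echo "missing: $key"
            rc=1
        fi
    done
    serial=$(env_value ENGINE_LICENSE_SERIAL "$file")
    if [ -n "$serial" ] && ! serial_shape_ok "$serial"; then
        echo "serial does not match the 5-4-4-4-1 format: $serial"
        rc=1
    fi
    case $(env_value ENGINE_LICENSE_PASSWORD "$file") in
        '<'*'>') echo "ENGINE_LICENSE_PASSWORD is still a template placeholder"; rc=1 ;;
    esac
    return "$rc"
}
# Usage: check_license_env ./.env && eghost restart enforcegate
```

The template serial EXEGT-0000-0000-0000-0 fails the shape check because 0 is outside the serial alphabet, so an unreplaced placeholder is caught before the engine is restarted.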

Online activation

Activation is performed by the engine itself at startup against the Exosys licensing infrastructure. The host requires outbound HTTPS connectivity for the first boot; once the license is bound, an internet connection is not required again until the license expires and the engine needs to re-activate.

For firewall coordination (specific endpoint and port range to allow), contact customer support. For air-gapped or restricted environments, the same contact handles the offline-activation procedure.

License files corresponding to your active subscription plan can be downloaded directly from your account dashboard. For activation troubleshooting, the APM diagnostic reason table maps each failure code to a remediation step.