Control Licenses to Apply Full Isolation to Browser Sessions
When the Full Isolation mode of browser isolation is applied, the number of licenses that enable users to apply this mode to their browser sessions is limited and controlled under Skyhigh Security Service Edge.
The licenses that are available to users for applying the Full Isolation mode are referred to as seats. When a user requests a Full Isolation browser session, the web protection functions that are implemented under SSE verify if a seat is available for this user.
Availability of seats is tracked and controlled globally by these functions using GPS and other facilities. Information about seats is distributed to the local datacenters known as Points of Presence (POPs), where instances of SSE are hosted and can be accessed by users.
When a user is no longer active on a session, the occupied seat is freed up to ensure an ever changing group of users can be supported. Some over-usage is tolerated regarding seat usage, which means that it can actually go up to 115% of the normal scope.
Seats allotted to users are entered in three buckets to record seat usage over particular periods in time. Usage occurring during the last twelve hours is recorded in the first bucket. For the twelve hours preceding the last twelve, it is recorded in the second bucket, and in the third for another twelve hours back.
When a user requests a Full Isolation browser session, former seat usage is checked for this user, beginning with the first bucket. If a user has been using a seat during the last twelve hours, the check is positive, and further usage is allowed.
Otherwise checking continues with the second and third buckets. A user who was active on a seat during one of the twelve-hour intervals recorded in these buckets is moved up to the first bucket.
A user who cannot be found in any of the three buckets is entered in the first bucket if the overall seat limit has not been reached yet. Otherwise, no free seat is available, which means the user's request to start another Full Isolation browser session is rejected.
When a bucket rollover happens, the third bucket expires. Users who were only recorded as using a seat in this bucket have their entries dropped. A new bucket is then created to serve as the first, while the other two buckets each go down by one position.
This approach ensures that a user who is active on a seat at least once a day has this seat permanently available.
Because a rollover happens only every twelve hours, it can take up to twelve hours until a seat is actually freed up after a user has ceased to be active on it.
A user can be awarded VIP user status and entered in a VIP list. VIP users have seats reserved for their requests to apply Full lsolation to their browser sessions.
Seats cannot be reserved for all VIP users on the list if their number is higher than the total number of available seats or if a user is added to the VIP list while all available seats are occupied by VIP and other users.
Using a VIP list can impact other users who might not be able to apply Full Isolation to their browser sessions even if free seats are available, but reserved for VIP users.
Access for support
To retrieve information and run support workflows, the license control system can be accessed using internal support tools.