
Remote Access Clients

for Windows 32-bit/64-bit

E75.20
Release Notes

15 September 2011

2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12321 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com). For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Revision History
Date                 Description
15 September 2011    First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows 32-bit/64-bit E75.20 Release Notes).

Contents
Important Information
Introduction
What's New
  Secondary Connect
  Third Party SCV Checks
  Customized Initial Firewall Policy
  Endpoint Security VPN for Unattended Machines
  Improved Remote Access Clients API
Remote Access Clients Comparison
Upgrading from SecureClient
System Requirements
  Client Requirements
  Management Server and Gateway Requirements
  Additional Requirements
  Build Numbers
Installation
  Installing the Remote Access Clients Hotfix
  Upgrading Clients to This Release
  Uninstalling a Hotfix
Known Limitations and Resolved Issues


Introduction
Remote Access Clients provide a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel. Check Point offers 3 enterprise-grade flavors of Remote Access to fit a wide variety of organizational needs. The clients offered in this release are:

Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.
Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed machines.
SecuRemote - A secure, yet limited-function IPsec VPN client, primarily targeted for small organizations that require very few remote access clients.

See Remote Access Clients Comparison for a detailed feature comparison. We recommend that you read this document before installing E75.20 Remote Access clients.

Note - The E75 Remote Access Clients series was previously known as Endpoint Security VPN R75.

Related Documentation: These documents are related to this release. All are available in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209):
Remote Access Clients E75.20 Release Notes
Remote Access Clients E75.20 Administration Guide
Endpoint Security VPN E75.20 User Guide
Check Point Mobile for Windows E75.20 User Guide
SecuRemote E75.20 User Guide

What's New
This release includes the new features and functionality described below. For more about each item, see the Remote Access Clients E75.20 Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Secondary Connect
This feature gives access to multiple VPN gateways at the same time, to transparently connect to distributed resources.
Connections to Distributed Networks - Users can connect once and get transparent access to resources, regardless of their location. Tunnels are created dynamically as needed, based on the destination of actual traffic.
Enhanced Network Performance - Traffic flows directly from the endpoint user to the gateway, without site-to-site communication.
Network Simplification - VPN tunnels and routing parameters are automatically taken from the network topology and destination server IP address.


Seamless Upgrade from SecureClient - This release is compatible with legacy SecureClient settings. This unique feature is available only with Check Point VPN.

In an environment with Secondary Connect, the gateway that the client first authenticates to is the Primary gateway. A gateway that the client connects to through a secondary VPN, is a Secondary gateway. To enable Secondary Connect, see the requirements in sk65312 (http://supportcontent.checkpoint.com/solutions?id=sk65312).

Third Party SCV Checks


This release supports SCV checks created by third party vendors using the Check Point OPSEC SCV API Specifications. After installation, you can use these SCV checks in your SCV policies. Before you download the SDK, we recommend that you read the Remote Access Client SCV SDK Guide (http://www.opsec.com/cp_products/90.htm).

Customized Initial Firewall Policy


A predefined desktop firewall policy can be attached to a client installation package. This policy is enforced when the client is installed.

Endpoint Security VPN for Unattended Machines


Endpoint Security VPN can be installed and managed locally on unattended machines, such as ATMs. Unattended clients are managed with CLI and API and do not have a user interface.

Improved Remote Access Clients API


The Remote Access Clients Public API was changed in this version. It includes many improvements and backward compatibility support for future releases. For more information, see Desktop OPSEC SDK Remote Access Clients E75 (http://www.opsec.com/cp_products/90.htm).


Remote Access Clients Comparison


Client Purpose
  Endpoint Security VPN: Secure connectivity with centrally managed desktop firewall & compliance checks
  Check Point Mobile for Windows: Secure connectivity & compliance checks
  SecuRemote: Basic secure connectivity

Replaces Client
  Endpoint Security VPN: SecureClient NGX R60, Endpoint Connect R73
  Check Point Mobile for Windows: Endpoint Connect R73
  SecuRemote: SecuRemote NGX R60

Feature - Description

IPSEC VPN Tunnel - All traffic travels through a secure VPN tunnel.
Security Compliance Check (SCV) - Monitor remote computers to confirm that the configuration complies with organization's security policy.
Integrated Desktop Firewall - Integrated endpoint firewall centrally managed from a Security Management Server.
Split Tunneling - Encrypt only traffic targeted to the VPN tunnel.
Hub Mode - Pass all connections through the gateway.
Dynamic Optimization of Connection Method - When NAT-T connectivity is not possible, automatically connect over TCP port 443 (HTTPS port).
Multi Entry Point (MEP) - Client seamlessly connects to an alternative site when the primary site is not available.
Secondary Connect - End-users can connect once and get transparent access to resources, regardless of their location.
Office Mode IP - Each VPN client is assigned an IP from the internal office network.
Auto Connect and Location Awareness - Intelligently detect if the user is outside the internal office network, and automatically connect as required. If the client senses that it is inside the internal network, the VPN connection is terminated.
Roaming - Tunnel and connections remain active while roaming between networks.
Always Connected - VPN connection is established whenever the client exits the internal network.
Secure Domain Logon (SDL) - VPN tunnel and domain connectivity is established as part of Windows login allowing GPO and install scripts to execute on remote machines.
Split DNS - Resolves internal names with the SecuRemote DNS Server configuration.
Hotspot Detection and Registration - Makes it easier for users to find and register with hot spots to connect to the VPN through local portals (such as in hotels or airports).
Secure Authentication API (SAA) - Allows third party-extensions to the standard authentication schemes. This includes 3-factor and biometrics authentication.

Version
  E75.20

Required Licenses
  Endpoint Security VPN: On the Gateway: IPSec VPN Blade. On the Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints
  Check Point Mobile for Windows: IPSec VPN Blade and Mobile Access Blade (based on concurrent connections)
  SecuRemote: On the Gateway: IPSec VPN Blade for an unlimited number of connections


Upgrading from SecureClient


Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN or Check Point Mobile for Windows. Clients who had SecuRemote client can use the same steps to upgrade to SecuRemote E75.20.

The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have. All guides are in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209).

For NGX R65 SmartCenter Server, NGX R65.70 or higher, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on NGX R65.
For R70 Security Management Server, R70.40 or higher, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R70.
For R71 Security Management Server, R71.30 or higher, or R75 Security Management Server, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R71 or R75.


System Requirements
Read all requirements carefully.

Client Requirements
Remote Access Clients E75.20 can be installed on these platforms:
Microsoft Windows XP 32 bit SP3
Microsoft Windows Vista 32 bit and 64 bit, SP1
Microsoft Windows 7, all editions 32 bit and 64 bit, with and without SP1

Management Server and Gateway Requirements


Remote Access Clients requires a supported gateway version. If you use Automatic MEP, the Security Management Server or Multi-Domain Server must also be supported, with required hotfixes as needed.

These Check Point versions support E75.20 Remote Access Clients:

Security Gateway NGX R65
  Version Supported for Endpoint Security VPN: R65.70 and the Remote Access Clients Hotfix for your platform as shown in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209)
  Version Supported for Check Point Mobile for Windows: Not Supported
  Version Supported for SecuRemote: R65.70 and the Remote Access Clients Hotfix for your platform as shown in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209)

Security Gateway R70
  Version Supported for Endpoint Security VPN: R70.40 and the Remote Access Clients Hotfix for your platform as shown in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209); R70.50 (no Hotfix required)
  Version Supported for Check Point Mobile for Windows: Not Supported
  Version Supported for SecuRemote: R70.40 and the Remote Access Clients Hotfix for your platform as shown in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209); R70.50 (no Hotfix required)

Security Gateway R71
  Version Supported for Endpoint Security VPN: R71.30, R71.40
  Version Supported for Check Point Mobile for Windows: R71.40
  Version Supported for SecuRemote: R71.30, R71.40

Security Gateway R75
  Version Supported for Endpoint Security VPN: R75, R75.10, R75.20
  Version Supported for Check Point Mobile for Windows: R75 + Hotfix from sk60940, R75.10, R75.20
  Version Supported for SecuRemote: R75.10, R75.20

VSX R65
  Version Supported for Endpoint Security VPN: Not Supported
  Version Supported for Check Point Mobile for Windows: Not Supported
  Version Supported for SecuRemote: Not Supported

VSX R67
  Version Supported for Endpoint Security VPN: R67.10
  Version Supported for Check Point Mobile for Windows: Not Supported
  Version Supported for SecuRemote: R67.10

UTM-1 Edge
  Version Supported for Endpoint Security VPN: firmware 8.2.33
  Version Supported for Check Point Mobile for Windows: firmware 8.2.33
  Version Supported for SecuRemote: To be supported on firmware 8.3

Additional Requirements
To enable Secondary Connect, see the requirements in sk65312 (http://supportcontent.checkpoint.com/solutions?id=sk65312).

To enable automatic, implicit MEP (Multiple Endpoint Connections), you must install the Remote Access Clients Hotfix on the Security Management Server and on all Security Gateways. This procedure is not necessary for manual MEP.

The Security Management Server and Security Gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Remote Access Clients.

Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80.

If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.

All Security Gateways used as primary MEP connections must support this release, with the Remote Access Clients Hotfix installed.

NGX R65.70 Security Gateways must be managed by NGX R65.70 Security Management Servers. The servers must also have the Remote Access Clients Hotfix installed.

This release supports Windows XP SP3 and higher. Windows XP users must upgrade to SP3 or another supported Windows version before they download an automatic upgrade from the Security Gateway. To prevent users with SP2 from getting the update automatically from the gateway, change the automatic upgrade feature mode:
  a) Open Global Properties > Remote Access > Endpoint Connect.
  b) Set the Client upgrade mode to Do not upgrade or Ask user.
  c) If Ask User, users are asked if they want to upgrade. Tell end-users to select NO until after they upgrade their machine to SP3.
If users with SP2 try to install the upgrade, they get this message: Check Point Endpoint Security can only be installed on XP Service Pack 3 or above. After they get this message, connection to the VPN will fail.

Build Numbers
The build number of the Remote Access Clients for E75.20 is B835016825. To see the build on your computer, right-click the client and select Help > About.


Installation
Before you install this release, make sure that you have supported gateways and servers, and if necessary, required hotfixes. If Visitor mode is configured on port 443 and WebUI is enabled on the gateway, the WebUI must listen on a port other than 443. Otherwise, Remote Access Clients cannot connect.

Installing the Remote Access Clients Hotfix


The Remote Access Clients Hotfix enables NGX R65.70 and R70.40 gateways to support E75.20 Remote Access Clients. To use Implicit MEP, install this hotfix also on the NGX R65.70 and R70.40 Security Management Server.

Note - In environments that require Implicit MEP functionality, the Security Gateways must be the same Check Point version as the Security Management Server, and they must all have the Remote Access Clients Hotfix installed.

To use Implicit MEP in a Multi-Domain Security Management environment, install this hotfix also on the NGX R65.70 and R70.40 Multi-Domain Server.

Before you install the Hotfix:


This Hotfix has possible conflicts with other installed Hotfixes. If you can, it is safest to uninstall all Hotfixes installed on the Security Management Server or gateways. See Uninstalling a Hotfix (on page 13). If you cannot uninstall a Hotfix, contact Check Point Technical Support.

To install the Hotfix on a Security Gateway or Security Management Server:


1. Download the Remote Access Clients Hotfix from sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209).
2. Copy the Hotfix package to the Security Gateway or Security Management Server.
3. Run the Hotfix:
   On SecurePlatform, Disk-based IPSO, and Solaris:
     a) tar -zxvf <name_of_file>.tgz
     b) ./UnixInstallScript
   On Windows platforms: double-click the installation file and follow the instructions.
4. Reboot the Security Gateway or Security Management Server.

To install the Hotfix on a Multi-Domain Server:


1. On the Multi-Domain Server, run: mdsenv
2. Download the Remote Access Clients Hotfix from sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209) to the Multi-Domain Server.
3. Run the Hotfix on SecurePlatform and Solaris:
     a) tar -zxvf <name_of_file>.tgz
     b) ./UnixInstallScript
4. Follow the on-screen instructions.
5. Reboot the Multi-Domain Server.

Upgrading Clients to This Release


To automatically update clients to this release of Remote Access Clients or a future release, upgrade the client package on the gateway. Then all clients receive the new package when they next connect.

If you have a gateway version that requires the Remote Access Clients Hotfix, make sure that the Hotfix is installed before you put an upgraded package on the gateway. If you have R71.x with SSL VPN enabled, put the TRAC.cab file in a different directory, as shown in the instructions. Users must have administrator privileges to install an upgrade with an MSI package. Administrative privileges are not required for automatic upgrades from the gateway.

Unattended (ATM) Clients


You cannot upgrade regular Remote Access Clients and unattended (ATM) Endpoint Security VPN clients from the same gateway. Important - If you download the Automatic Upgrade for ATM file, you get a file called TRAC_ATM.cab. You must rename it to TRAC.cab before you put it on the gateway.

To distribute the Remote Access Clients from the gateway:


1. On the gateway, in the $FWDIR/conf/extender/CSHELL directory, back up the TRAC.cab and trac_ver.txt files.
   For R71.x, back up the TRAC.cab file in: $CVPNDIR/htdocs/SNX/CSHELL
2. Download the Remote Access Clients E75.20 Automatic Upgrade file (http://supportcontent.checkpoint.com/solutions?id=sk65209).
3. Put the new TRAC.cab and ver.ini files in the same directory on the gateway: $FWDIR/conf/extender/CSHELL
   For R71.x, put the TRAC.cab file also in: $CVPNDIR/htdocs/SNX/CSHELL
4. On a non-Windows gateway, run: chmod 750 TRAC.cab
5. Edit the trac_ver.txt file in the directory and change the version number to the number in the new ver.ini.
6. Make sure the client upgrade mode is set:
   a) Open the SmartDashboard.
   b) Open Policy > Global Properties > Remote Access > Endpoint Connect.
   c) Set the Client upgrade mode to Ask user (to let user confirm upgrade) or Always upgrade (automatic upgrade).
   d) Click OK.
7. Install the policy.

When the client connects to the gateway, the user is prompted for an automatic upgrade of the newer version. If users had Endpoint Security VPN R75, it keeps the existing settings. If users had Endpoint Connect R73, it automatically upgrades to Endpoint Security VPN.
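
Steps 1, 3 and 4 of the procedure above, written as a repeatable shell function with a check of the result. This is an added example, not Check Point code or part of the original release notes; the function name stage_trac_cab and the .bak.<stamp> backup naming are assumptions, and steps 5 to 7 (editing trac_ver.txt, setting the upgrade mode, installing the policy) remain manual.

```shell
#!/bin/sh
# Added example (not Check Point code). stage_trac_cab is a hypothetical helper.
# Usage: stage_trac_cab SRC_DIR TARGET_DIR STAMP
#   SRC_DIR     holds the downloaded TRAC.cab (or TRAC_ATM.cab) and ver.ini
#   TARGET_DIR  e.g. "$FWDIR/conf/extender/CSHELL"
#               (for R71.x, run again with "$CVPNDIR/htdocs/SNX/CSHELL")
#   STAMP       suffix for backup copies (constructed naming, e.g. a date)
stage_trac_cab() {
    src_dir=$1
    target=$2
    stamp=$3

    if [ -z "$src_dir" ] || [ -z "$target" ] || [ -z "$stamp" ]; then
        echo "usage: stage_trac_cab SRC_DIR TARGET_DIR STAMP" >&2
        return 2
    fi
    if [ ! -d "$target" ]; then
        echo "target directory not found: $target" >&2
        return 1
    fi

    # The ATM download is named TRAC_ATM.cab and must be served as TRAC.cab.
    # Regular and ATM clients cannot be upgraded from the same gateway,
    # so a source directory that holds both packages is rejected.
    if [ -f "$src_dir/TRAC.cab" ] && [ -f "$src_dir/TRAC_ATM.cab" ]; then
        echo "both TRAC.cab and TRAC_ATM.cab found; use one per gateway" >&2
        return 1
    elif [ -f "$src_dir/TRAC.cab" ]; then
        src_cab=$src_dir/TRAC.cab
    elif [ -f "$src_dir/TRAC_ATM.cab" ]; then
        src_cab=$src_dir/TRAC_ATM.cab
    else
        echo "no TRAC.cab or TRAC_ATM.cab in $src_dir" >&2
        return 1
    fi

    # Step 1: back up the files that are currently served to clients.
    for f in TRAC.cab trac_ver.txt; do
        if [ -f "$target/$f" ]; then
            cp -p "$target/$f" "$target/$f.bak.$stamp" || return 1
        fi
    done

    # Step 3: put the new package (and ver.ini, when supplied) in place.
    cp "$src_cab" "$target/TRAC.cab" || return 1
    if [ -f "$src_dir/ver.ini" ]; then
        cp "$src_dir/ver.ini" "$target/ver.ini" || return 1
    fi

    # Step 4: set the documented mode, then confirm mode and content.
    chmod 750 "$target/TRAC.cab" || return 1
    mode=$(ls -l "$target/TRAC.cab" | cut -c1-10)
    if [ "$mode" != "-rwxr-x---" ]; then
        echo "unexpected mode on TRAC.cab: $mode" >&2
        return 1
    fi
    cmp -s "$src_cab" "$target/TRAC.cab" || return 1
    return 0
}
```

The backup copies give a rollback path if clients fail to upgrade: restore TRAC.cab and trac_ver.txt from the .bak files and install the policy again.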

Uninstalling a Hotfix
If you need to uninstall a Hotfix, use this procedure.

To uninstall a Hotfix from a gateway:


1. Go to the installation directory: cd /opt/CPsuite-version/
   For example, the installation directory on an R70.40 gateway is: /opt/CPsuite-R70/
2. Run: ./uninstall_<name_of_original_Hotfix_file>
   The name of the Hotfix is different for gateway version and for Hotfix functionality.
3. Enter y at the prompt.
4. Reboot the Security Gateway.


Known Limitations and Resolved Issues


Known limitations for this release are in sk65315 http://supportcontent.checkpoint.com/solutions?id=sk65315. Resolved issues for this release are in sk65317 http://supportcontent.checkpoint.com/solutions?id=sk65317.
