E75.20
Release Notes
15 September 2011
2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12321 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com). For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).
Revision History
Date | Description
15 September 2011 | First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows 32-bit/64-bit E75.20 Release Notes).
Contents
Important Information
Introduction
What's New
    Secondary Connect
    Third Party SCV Checks
    Customized Initial Firewall Policy
    Endpoint Security VPN for Unattended Machines
    Improved Remote Access Clients API
Remote Access Clients Comparison
Upgrading from SecureClient
System Requirements
    Client Requirements
    Management Server and Gateway Requirements
    Additional Requirements
    Build Numbers
Installation
    Installing the Remote Access Clients Hotfix
    Upgrading Clients to This Release
    Uninstalling a Hotfix
Known Limitations and Resolved Issues
Introduction
Remote Access Clients provide a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel. Check Point offers 3 enterprise-grade flavors of Remote Access to fit a wide variety of organizational needs. The clients offered in this release are:
Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.
Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed machines.
SecuRemote - A secure, yet limited-function IPsec VPN client, primarily targeted for small organizations that require very few remote access clients.
See Remote Access Clients Comparison for a detailed feature comparison.
We recommend that you read this document before installing E75.20 Remote Access clients.
Note - The E75 Remote Access Clients series was previously known as Endpoint Security VPN R75.
Related Documentation: These documents are related to this release. All are available in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209):
Remote Access Clients E75.20 Release Notes
Remote Access Clients E75.20 Administration Guide
Endpoint Security VPN E75.20 User Guide
Check Point Mobile for Windows E75.20 User Guide
SecuRemote E75.20 User Guide
What's New
This release includes the new features and functionality described below. For more about each item, see the Remote Access Clients E75.20 Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk65209).
Secondary Connect
This feature gives access to multiple VPN gateways at the same time, to transparently connect to distributed resources.
Connections to Distributed Networks - Users can connect once and get transparent access to resources, regardless of their location. Tunnels are created dynamically as needed, based on the destination of actual traffic.
Enhanced Network Performance - Traffic flows directly from the endpoint user to the gateway, without site-to-site communication.
Network Simplification - VPN tunnels and routing parameters are automatically taken from the network topology and destination server IP address.
Seamless Upgrade from SecureClient - This release is compatible with legacy SecureClient settings. This unique feature is available only with Check Point VPN.
In an environment with Secondary Connect, the gateway that the client first authenticates to is the Primary gateway. A gateway that the client connects to through a secondary VPN is a Secondary gateway. To enable Secondary Connect, see the requirements in sk65312 (http://supportcontent.checkpoint.com/solutions?id=sk65312).
Replaces Client
All traffic travels through a secure VPN tunnel.
Monitor remote computers to confirm that the configuration complies with the organization's security policy.
Integrated endpoint firewall centrally managed from a Security Management Server.
Split Tunneling - Encrypt only traffic targeted to the VPN tunnel.
Hub Mode - Pass all connections through the gateway.
When NAT-T connectivity is not possible, automatically connect over TCP port 443 (HTTPS port).
Client seamlessly connects to an alternative site when the primary site is not available.
Secondary Connect - End-users can connect once and get transparent access to resources, regardless of their location.
Office Mode IP - Each VPN client is assigned an IP from the internal office network.
Feature
SecuRemote
Description
Intelligently detect if the user is outside the internal office network, and automatically connect as required. If the client senses that it is inside the internal network, the VPN connection is terminated.
Roaming - Tunnel and connections remain active while roaming between networks.
Always Connected - VPN connection is established whenever the client exits the internal network.
VPN tunnel and domain connectivity is established as part of Windows login, allowing GPO and install scripts to execute on remote machines.
Split DNS - Resolves internal names with the SecuRemote DNS Server configuration.
Makes it easier for users to find and register with hot spots to connect to the VPN through local portals (such as in hotels or airports).
Allows third-party extensions to the standard authentication schemes. This includes 3-factor and biometrics authentication.
E75.20
On the Gateway: IPSec VPN Blade. On the Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints
IPSec VPN Blade and Mobile Access Blade (based on concurrent connections)
On the Gateway: IPSec VPN Blade for an unlimited number of connections
System Requirements
Read all requirements carefully.
Client Requirements
Remote Access Clients E75.20 can be installed on these platforms:
Microsoft Windows XP 32 bit SP3
Microsoft Windows Vista 32 bit and 64 bit, SP1
Microsoft Windows 7, all editions 32 bit and 64 bit, with and without SP1
R65.70 and the Remote Access Clients Hotfix for your platform as shown in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209). | Not Supported
R70.40 and the Remote Access Clients Hotfix for your platform as shown in sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209). | Not Supported
R70.50 (no Hotfix required)
R75 + Hotfix from sk60940 R75.10 R75.20 Not Supported Not Supported
Version Supported for Check Point Mobile for Windows firmware 8.2.33
UTM-1 Edge
Additional Requirements
To enable Secondary Connect, see the requirements in sk65312 (http://supportcontent.checkpoint.com/solutions?id=sk65312).
To enable automatic, implicit MEP (Multiple Endpoint Connections), you must install the Remote Access Clients Hotfix on the Security Management Server and on all Security Gateways. This procedure is not necessary for manual MEP.
The Security Management Server and Security Gateway can be installed on open servers or appliances.
On UTM-1 appliances, you cannot use the WebUI to install Remote Access Clients.
Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80.
If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.
All Security Gateways used as primary MEP connections must support this release, with the Remote Access Clients Hotfix installed.
NGX R65.70 Security Gateways must be managed by NGX R65.70 Security Management Servers. The servers must also have the Remote Access Clients Hotfix installed.
This release supports Windows XP SP3 and higher. Windows XP users must upgrade to SP3 or another supported Windows version before they download an automatic upgrade from the Security Gateway.
To prevent users with SP2 from getting the update automatically from the gateway, change the automatic upgrade feature mode:
a) Open Global Properties > Remote Access > Endpoint Connect.
b) Set the Client upgrade mode to Do not upgrade or Ask user.
c) If Ask User, users are asked if they want to upgrade. Tell end-users to select NO until after they upgrade their machine to SP3.
If users with SP2 try to install the upgrade, they get this message: Check Point Endpoint Security can only be installed on XP Service Pack 3 or above. After they get this message, connection to the VPN will fail.
Build Numbers
The build number of the Remote Access Clients for E75.20 is B835016825. To see the build on your computer, right-click the client and select Help > About.
Installation
Before you install this release, make sure that you have supported gateways and servers, and if necessary, required hotfixes. If Visitor mode is configured on port 443 and WebUI is enabled on the gateway, the WebUI must listen on a port other than 443. Otherwise, Remote Access Clients cannot connect.
If you have a gateway version that requires the Remote Access Clients Hotfix, make sure that the Hotfix is installed before you put an upgraded package on the gateway.
If you have R71.x with SSL VPN enabled, put the TRAC.cab file in a different directory, as shown in the instructions.
Users must have administrator privileges to install an upgrade with an MSI package. Administrative privileges are not required for automatic upgrades from the gateway.
Uninstalling a Hotfix
If you need to uninstall a Hotfix, use this procedure.