
Remote Access Clients

E80.50
Upgrading from
SecureClient/SecuRemote NGX
on R71 and Higher Gateways

27 August 2013

Classification: [Protected]
© 2013 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=24854)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the E80.50 home page
(http://supportcontent.checkpoint.com/solutions?id=sk92971).

Revision History
Date Description

27 August 2013 First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients E80.50
Upgrading from SecureClient/SecuRemote NGX on R71 and Higher Gateways ).
Contents

Important Information 3
Introduction to Remote Access Clients 5
    Check Point Mobile for Windows 5
    SecuRemote client 5
    Endpoint Security VPN 6
    Why You Should Upgrade to Remote Access Clients 6
    Before Upgrading to Remote Access Clients 7
        Supported Gateways and Servers 7
        Features Overview 7
        Connectivity Features in Detail 8
        Deployment Features 10
        General Features 10
        SecureClient Features Supported in Remote Access Clients 10
        SecureClient Features Not Yet Supported 12
Configuring Security Gateways to Support Remote Access Clients 13
    Preparing the Security Gateways 13
    Configuring Endpoint Security VPN and Check Point Mobile for Windows 13
        Choose a Firewall Policy to Enforce 18
    Configuring SmartDashboard for SecuRemote client 19
    Supporting Endpoint Security VPN and SecureClient Simultaneously 20
    Troubleshooting Dual Support 21
The Configuration File 23
    Editing the TTM File 23
    Centrally Managing the Configuration File 23
    Understanding the Configuration File 24
        Configuration File Parameters 25
    Differences between SecureClient and Endpoint Security VPN CLI 26
Chapter 1
Introduction to Remote Access Clients
In This Chapter
Check Point Mobile for Windows 5
SecuRemote client 5
Endpoint Security VPN 6
Why You Should Upgrade to Remote Access Clients 6
Before Upgrading to Remote Access Clients 7

The Remote Access VPN Software Blade provides a simple and secure way for endpoints to connect
remotely to corporate resources over the Internet, through a VPN tunnel. Check Point offers multiple
enterprise-grade clients to fit a wide variety of organizational needs.
The clients offered in this release are:
 SmartEndpoint-managed Endpoint Security VPN - The Remote Access VPN blade as part of the
Endpoint Security Suite lets users connect securely from their Endpoint Security-protected computer to
corporate resources. The Compliance blade is managed from SmartEndpoint, and the Firewall can be
managed from SmartDashboard or SmartEndpoint. Other Endpoint Security Software Blades that can
be integrated include Media Encryption & Port Protection, Full Disk Encryption, Anti-Malware, and
WebCheck.
 SmartDashboard-managed clients:
 Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client.
It is recommended for managed endpoints that require a simple and transparent remote access
experience together with desktop firewall rules.
 Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to
corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the
Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-
managed machines.
 SecuRemote client - A secure, yet limited-function IPsec VPN client, primarily targeted for small
organizations that require very few remote access clients.

For a detailed feature comparison, see the Remote Access Clients E80.50 Release Notes.
http://supportcontent.checkpoint.com/documentation_download?ID=24979

Check Point Mobile for Windows


 Enterprise Grade Remote Access Client.
 Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status
of antivirus, Windows updates, and other system components.
 Requires IPsec VPN and SSL VPN Software Blades on the gateway.

SecuRemote client
 Replaces the NGX SecuRemote client.
 Basic remote access functionality.

Remote Access Clients E80.50 Upgrading from SecureClient/SecuRemote NGX on R71 and Higher Gateways | 5
Introduction to Remote Access Clients

 Unlimited number of connections for Security Gateways with the IPsec VPN blade.
 Requires an IPsec VPN Software Blade on the gateway.
 It is a free client and does not require additional licenses.

Endpoint Security VPN


 Replaces SecureClient and Endpoint Connect.
 Enterprise Grade Remote Access Client with Desktop firewall and compliance checks.
 Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status
of Anti-Virus, Windows updates, and other system components.
 Integrated desktop firewall, centrally managed from Security Management Server.
 In-place upgrade from Endpoint Security VPN R75.
 In-place upgrade from Endpoint Connect R73.
 Requires the IPsec VPN Software Blade on the gateway, and an Endpoint Container license and
Endpoint VPN Software Blade on the Security Management Server.

Why You Should Upgrade to Remote Access Clients


Check Point recommends that all customers upgrade from SecureClient or Endpoint Connect to Remote
Access Clients as soon as possible, to have these enhancements.
 Automatic and transparent upgrades, with no administrator privileges required
 Uses less memory resources than SecureClient
 Automatic disconnect/reconnect as clients move in and out of the network
 Seamless connection experience while roaming
 Supports most existing SecureClient features, including Secondary Connect, Office Mode, Desktop
Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection.
 Supports many additional new features
 Does not require a Security Management Server upgrade
Note - Check Point ended its support for SecureClient in mid-2011.


Before Upgrading to Remote Access Clients


Before upgrading, consider these issues.

Supported Gateways and Servers


See the Remote Access Clients Release Notes for information about supported Security Gateway and
Security Management Server versions.

Features Overview
The Remote Access Clients are installed on the desktop or laptop of the user and have enhanced
connectivity, security, installation, and administration capabilities.
Main Capability: Description

Full IPsec VPN - Internet Key Exchange (version 1) support for secure authentication. A Virtual Private
Network (VPN) provides a secured, encrypted connection over the Internet to your organization's network.
The VPN tunnel gives remote access users the same security that LAN users have. IPsec makes the tunnel
seem transparent because users can run any application or service that you do not block for the VPN.
(Compare to SSL VPN, which works through web applications only.)

Location Awareness - The client detects whether it is in the VPN domain (enterprise LAN) and connects or
disconnects automatically as required. If the client senses that it is in the internal network, the VPN
connection is terminated. In Always-Connect mode, the VPN connection is established whenever the client
leaves the internal network.

Proxy Detection - Proxy servers between the client and the gateway are detected automatically, and the
client authenticates to them if necessary.

Dead Gateway Detection - If the client does not receive an encrypted packet within a specified time
interval, it sends a tunnel test packet to the gateway. If the tunnel test packet is acknowledged, the
gateway is considered active. If several consecutive tunnel test packets remain unacknowledged, the
gateway is considered inactive (dead). The interval and threshold are configurable.

Multiple Entry Point (MEP) - A gateway High Availability and Load Sharing solution for VPN connections. In
an environment with MEP, more than one gateway protects and gives access to the same VPN domain, so
Remote Access Clients can connect to the VPN through any of those gateways.

Secondary Connect - Gives access to multiple VPN gateways at the same time, to transparently connect
users to distributed resources. Users log in once to a selected site and get transparent access to
resources behind different gateways.

Visitor Mode - If the firewall or network limits connections to ports 80 or 443, encrypted (IPsec) traffic
between the client and the gateway is tunneled through a regular TCP connection.

NAT-T - UDP encapsulation of IPsec traffic. Remote Access Clients can connect seamlessly through devices
that do not permit native IPsec traffic (such as firewalls and access points).

Hub Mode - Increases security. Routes all client traffic through the VPN and your gateway. At the gateway,
the traffic is inspected for malicious content before it is passed to the client, and you control client
connectivity.

VPN Tunneling - Increases connectivity performance. Encrypts only traffic destined for the VPN tunnel, so
users can go directly to sites where security is not an issue (such as public portals and search engines).

Desktop Firewall - Endpoint Security VPN enforces a Desktop Firewall on SmartDashboard-managed remote
clients. The administrator defines the Desktop Security Policy as a Rule Base. Rules can be assigned to
specific user groups or to all users, which permits flexible policies. SmartEndpoint-managed clients use
the Endpoint Security Firewall blade.

Compliance Policy - Secure Configuration Verification (SCV) - SCV monitors the configuration of remote
computers to confirm that it complies with the organization's Security Policy; the gateway blocks
connectivity for computers that do not comply. It is available in Endpoint Security VPN and Check Point
Mobile for Windows. In SmartEndpoint-managed clients, you can choose to use SCV or the Endpoint Security
Compliance blade.

Secure Domain Logon (SDL) - Establishes a VPN tunnel before the user logs in to Windows.
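The Dead Gateway Detection behaviour described above, as an added example that is not Check Point code: a small Python state machine that models the client's view of the gateway. The timer value, the failure threshold, the method names and the event sequences are assumptions chosen for illustration; the real client's configurable parameters are documented in the Release Notes, not here.

```python
"""Dead Gateway Detection modelled as a client-side state machine.

Added illustration, not Check Point code. silence_timeout and max_failures
are assumed values standing in for the client's configurable timers.
"""
from dataclasses import dataclass, field


@dataclass
class DeadGatewayDetector:
    silence_timeout: float = 10.0   # seconds with no encrypted packet before probing (assumed)
    max_failures: int = 3           # consecutive unanswered tunnel tests before "dead" (assumed)
    last_rx: float = 0.0            # time of the last encrypted packet (or test reply)
    failures: int = 0               # consecutive unanswered tunnel tests
    pending_test: bool = False      # a tunnel test was sent and not yet acknowledged
    alive: bool = True
    log: list = field(default_factory=list)

    def on_encrypted_packet(self, now: float) -> None:
        """Any encrypted packet from the gateway proves it is alive."""
        self.last_rx = now
        self.failures = 0
        self.pending_test = False
        self.alive = True

    def on_tunnel_test_reply(self, now: float) -> None:
        """An acknowledged tunnel test counts the same as data traffic."""
        self.on_encrypted_packet(now)

    def on_tick(self, now: float) -> bool:
        """Periodic timer. Returns True when a tunnel test packet is sent."""
        if not self.alive:
            return False                       # caller should fail over (for example via MEP)
        if now - self.last_rx < self.silence_timeout:
            return False                       # traffic seen recently, nothing to do
        if self.pending_test:
            # The previous test is still unanswered after a full interval.
            self.failures += 1
            self.log.append(f"t={now:g}: tunnel test #{self.failures} unanswered")
            if self.failures >= self.max_failures:
                self.alive = False
                self.log.append(f"t={now:g}: gateway declared dead")
                return False
        self.pending_test = True
        self.log.append(f"t={now:g}: tunnel test sent")
        return True


def run_scenario(events, **params):
    """Replay (time, kind) events; kind is 'rx', 'ack' or 'tick'. Returns the detector."""
    d = DeadGatewayDetector(**params)
    for t, kind in sorted(events):
        if kind == "rx":
            d.on_encrypted_packet(t)
        elif kind == "ack":
            d.on_tunnel_test_reply(t)
        elif kind == "tick":
            d.on_tick(t)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return d


if __name__ == "__main__":
    # Constructed scenario: the gateway goes silent after t=0 and never answers.
    dead = run_scenario([(0, "rx"), (10, "tick"), (20, "tick"), (30, "tick"), (40, "tick")])
    print("\n".join(dead.log), "\nalive:", dead.alive)
    # Constructed scenario: one probe is lost, the second one is acknowledged.
    ok = run_scenario([(0, "rx"), (10, "tick"), (20, "tick"), (25, "ack"), (30, "tick")])
    print("\n".join(ok.log), "\nalive:", ok.alive)
```

The point to notice is that a single lost probe does not mark the gateway dead; only max_failures consecutive unanswered tests do, and any encrypted packet or test reply in between resets the count. That is what makes the feature safe to combine with MEP failover.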

Connectivity Features in Detail


Remote Access Clients support more connectivity features.

Feature: Description

Automatic Connectivity Detection - If the IPsec VPN network connection is lost, the client reconnects
seamlessly without user intervention.

Roaming - If the IP address of the client changes (for example, a client on a wireless connection
physically connects to a LAN that is not part of the VPN domain), interface roaming maintains the logical
connection.

Multiple Sites - Remote access users can define many gateways to connect to the VPN. If you have multiple
VPN gateways, users can try another gateway if the previous one is down or overloaded.

Dialup Support - Endpoint Security VPN supports dial-up connections, useful where a network is not
detected.

Hotspot Detection and Registration - Automatically detects hotspots that prevent the client system from
establishing a VPN tunnel, and opens a mini-browser so the user can register with the hotspot and then
connect to the VPN gateway.

Office Mode - Lets a remote client appear to the local network as if it is using a local IP address. Not
supported on SecuRemote client.

Extended DHCP Parameters - When Office Mode addresses come from a DHCP server, the gateway forwards the
data it received from the client to the DHCP server in the correct format: Hostname, FQDN, Vendor Class,
and User Class.

Machine Idleness - Disconnects the VPN tunnel if the machine becomes inactive (because of lock or sleep)
for a specified duration.

Keep-alive - Sends keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel.

VPN Connectivity to VPN-1 VSX - Terminates the VPN tunnel at Check Point VSX gateways.

Split DNS - Supports multiple DNS servers.

DHCP Automatic Lease Renewal - Automatically renews IP addresses obtained from DHCP servers.

Endpoint Security VPN comprises these features:


 Desktop Security
Endpoint Security VPN enforces a Desktop Security Policy on the remote client. The administrator
defines the Desktop Security Policy as a Rule Base. Rules can be assigned to user groups or to all
users. This permits flexibility in the definition of policies.
 Full IPSec VPN
A virtual private network (VPN) is a direct link, on existing infrastructure, between a user and the party
the user is contacting, usually a computer protected by an organization firewall. When transmission
between the two parties ends, the VPN is shut down. During the transmission (of data, or voice) the
VPN is sealed from third-party intrusion. Thus, a VPN is called a tunnel. Internet Key Exchange (IKE)
support provides secure authentication.
 (Compliance Check) Secure Configuration Verification (SCV)
SCV enables the administrator to monitor the configuration of remote computers, to confirm that the
configuration complies with organization Security Policy, and to block connectivity for computers that do
not comply.
 Strong authentication schemes
Endpoint Security VPN works with different strong authentication schemes, such as:
 User names and passwords (including cached passwords)
 SecurID - Two-factor authentication that uses a token and a variable passcode.
 Challenge-Response - This is an authentication protocol in which one party provides the first string
(the challenge), and the other party verifies it with the subsequent string (the response). To be
authenticated, the response must be validated. Security systems that rely on smart cards are based
on challenge-response.
 CAPI software and hardware tokens - Cryptographic Application Program Interface enables access
to a library of functions for security and encryption.
 Certificate enrollment, renewal, and auto Renewal
Enrollment refers to the process of application for, and receipt of, a certificate from a recognized
Certificate Authority (CA), in this case Check Point's Internal CA. In the enrollment process, your system
administrator creates a certificate and sends you its registration key. The client sends this key to
Security Gateway, and in return receives the certificate.
 Tunnel idleness Detection
Idle VPN tunnels are detected and shut down.
 Smart Card Removal Detection
If the Smart Card is removed from the PC, the VPN tunnel is closed.


Deployment Features
Feature: Description

Automatic Client Upgrade from the Gateway - Clients can automatically get an upgrade package when they
connect to the gateway. For SmartDashboard-managed clients only.

Pre-configured Client Packaging - You can create a predefined client installation package for easy
provisioning.

Localization - Supported languages:
 Chinese (simplified) - SmartDashboard-managed only
 English
 French
 German
 Italian - SmartDashboard-managed only
 Japanese
 Russian
 Spanish

General Features
Feature: Description

Post Connect Scripts - Run a script on client computers after a connection to the gateway is established.

SecureClient Features Supported in Remote Access Clients


This table describes features of SecureClient that are also in Remote Access Clients. The table covers
three clients: Endpoint Security VPN, Check Point Mobile for Windows, and R75 SecuRemote client. For
which client supports which feature, see the Remote Access Clients E80.50 Release Notes.

Feature: Description

Authentication Methods - Username/Password; Certificate (CAPI/P12); SecurID (passcode, softID, key
fobs); Challenge Response; SAA

Cached Credentials - Cache credentials for user login

NAT-T and Visitor Mode - Let users connect from any location, such as a hotel, airport, or branch office

Multiple Entry Point (MEP) - Provides gateway High Availability and Load Sharing and lets the Remote
Access Clients connect to the VPN from multiple gateways

Secondary Connect - Gives access to multiple VPN gateways at the same time, to transparently connect
users to distributed resources

Pre-Configured Client Packaging - Predefined client installation package with configurations for easy
provisioning

Office Mode - Internal IP address for remote access VPN users

Extended DHCP Parameters - When using Office Mode from a DHCP server, the gateway sends data that it got
from the client to the DHCP server in the correct format: Hostname, FQDN, Vendor Class, and User Class

Compliance Policy - Secure Configuration Verification (SCV) - Verifies client system policy compliance
before allowing remote access to the internal network

Proxy Detection - Detect proxy settings in client system web browsers for seamless connectivity

Hub Mode - Send all traffic from the client system through the VPN gateway

Localization - Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian,
Japanese, Russian, Spanish

Certificate Enrollment and Renewal - Automatic enrollment and renewal of certificates issued by the Check
Point Internal CA server

CLI and API Support - Manage the client with third-party software

Tunnel Idleness Detection - Disconnect the VPN if there is no traffic for a specified duration

Dialup - Support dialup connections

Smart Card Removal Detection - Detects when the Smart Card is removed and closes the active VPN tunnel

Re-authentication - After a specified duration, the user is asked to re-authenticate

Keep-alive - Send keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel

Check Gateway Certificate in CRL - Validate the VPN gateway certificate against the CRL

Desktop Firewall - Personal firewall integrated into the client, managed with the SmartDashboard Desktop
policy. Logs are shown in SmartView Tracker.

Configuration File Corruption Recovery - Recover corrupted configuration files

Secure Domain Logon (SDL) - Establish the VPN tunnel before user login

End-user Configuration Lock - Prevent users from changing the client configuration

Update Dynamic DNS with the Office Mode IP - Register the Office Mode internal IP address assigned to the
remote access user in Dynamic DNS

SmartView Monitor - Monitor VPN tunnel and user statistics with SmartView Monitor

Post Connect Script - Execute scripts before and after the VPN tunnel is established

Secure Authentication API (SAA) - Integrate with third-party authentication providers

Split DNS - Support multiple DNS servers

VPN Connectivity to VPN-1 VSX - Terminate the VPN tunnel at Check Point VSX gateways

DHCP Automatic Lease Renewal - Automatically renew IP addresses obtained from DHCP servers

SecureClient Features Not Yet Supported


These features of SecureClient are not supported by Remote Access Clients. Many of these features are
expected to be supported in the next release.

Feature: Description

Single Sign-on (SSO) - One set of credentials to log in to both the VPN and the Windows operating system

Entrust Entelligence Support - Entrust Entelligence package providing multiple security layers, strong
authentication, digital signatures, and encryption

Diagnostic Tools - Tools for viewing logs and alerts

"No Office Mode" Connect Mode - Connect to the VPN gateway without requiring Office Mode

Pre-shared secret - Authentication method that uses a pre-shared secret

Configuring Security Gateways to Support Remote Access Clients
Preparing the Security Gateways
If you have R71.30 and higher or R75 and higher installed on a gateway, Security Management Server, or
Multi-Domain Server, it can support Remote Access Clients. It is not necessary to install a Hotfix. See the
System Requirements section of the Release Notes for exact details.
To use Secondary Connect, you might need to install the Secondary Connect Hotfix. For more about the
Secondary Connect Hotfix, see the Remote Access Clients E80.50 Release Notes.

Configuring Endpoint Security VPN and Check Point Mobile for Windows
You manage Remote Access Clients through the SmartDashboard. This task explains how to set up the
SmartDashboard to access configurations required for Endpoint Security VPN and Check Point Mobile for
Windows. Before you begin, make sure you have a network for Office Mode allocation.

Note - The procedures in this section apply to multiple versions of Security Gateways.
The screenshots might not match your version.

To configure SmartDashboard for Endpoint Security VPN or Check Point Mobile for
Windows:
1. Set the Security Gateway to be a policy server:
a) In the Network Objects Tree, right-click the Security Gateway and select Edit.
The Check Point Gateway - General Properties window opens.
b) In Software Blades > Network Security, select IPSec VPN and Policy Server.
c) On R71.x Security Gateways, open Authentication.
On R75.x Security Gateways, open Legacy Authentication.
On R77 Security Gateways, open Other > Legacy Authentication.
d) In the Users drop-down, select a user group to be assigned to the policy.


2. Configure Visitor Mode:
a) On R71.x, R75.40, and R75.40VS Security Gateways, open IPSec VPN > Remote Access.
On R76 and R77 Security Gateways, open VPN Clients > Remote Access.
b) Select Support Visitor Mode.


3. Configure Office Mode:
a) On R71.x, R75.40, and R75.40VS Security Gateways, open IPSec VPN > Office Mode.
On R76 and R77 Security Gateways, open VPN Clients > Office Mode.
b) Select Offer Office Mode to group.
c) In Office Mode Method, select Manual (using IP pool).
d) In Allocate IP addresses from network, select the network for Office Mode allocation.
4. Click OK.
5. Make sure that the Security Gateway is in the Remote Access community:
a) On R71.x and R75.40 Security Gateways, from the Manage menu select VPN Communities.
The VPN Communities window opens.
On R75.40VS, R76, and R77 Security Gateways, select IPsec VPN > Communities.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens. Open Participating Gateways.
c) If the Security Gateway is not already in the list of participating gateways: click Add, select the
Security Gateway from the list of gateways, and click OK.
d) Click OK.
e) Click Close.


6. For Endpoint Security VPN only, make sure that the desktop policy is configured correctly (Desktop
tab).

7. Install the policy (Policy menu > Install).

Choose a Firewall Policy to Enforce


In SmartDashboard-managed Endpoint Security VPN, the Firewall policy enforced is configured in the
Desktop Policy tab in SmartDashboard.
In SmartEndpoint-managed Endpoint Security VPN, the Endpoint Security Firewall Policy Rules configured
in SmartEndpoint are enforced by default. However, you can choose to use the Desktop Policy from
SmartDashboard, if, for example, your environment had Endpoint Security VPN and then was upgraded to
the complete Endpoint Security solution.
To configure which Firewall policy to enforce for SmartEndpoint-managed Endpoint
Security VPN:
1. In SmartEndpoint, go to Policy tab > Firewall Policy Rules.
2. Select a Firewall policy action:
 Enforce the above Firewall policy - Use the Endpoint Security Firewall Policy Rules
 Enforce Desktop Policy from SmartDashboard - Use the Desktop Policy from SmartDashboard
3. Install Policy.
4. Restart all computers included in the rule.


Configuring SmartDashboard for SecuRemote client


You manage SecuRemote client through the SmartDashboard. This task explains how to set up the
SmartDashboard with the configurations required for SecuRemote client.

Note - If you already configured SmartDashboard for Endpoint Security VPN and
Check Point Mobile for Windows, these procedures are not necessary.

To configure SmartDashboard for SecuRemote client:


1. In the Network Objects Tree, right-click the Security Gateway and select Edit.
The Check Point Gateway - General Properties window opens.
2. Configure Visitor Mode:
a) On R71.x, R75.40, and R75.40VS Security Gateways, open IPSec VPN > Remote Access.
On R76 and R77 Security Gateways, open VPN Clients > Remote Access.
b) Select Support Visitor Mode.
3. Make sure that Office Mode support is disabled, because SecuRemote client does not support it:
a) On R71.x, R75.40, and R75.40VS Security Gateways, open IPSec VPN > Office Mode.
On R76 and R77 Security Gateways, open VPN Clients > Office Mode.
b) Select Do not offer Office Mode.
Note - If you select a different option, it is ignored for SecuRemote client.
4. Make sure that the Security Gateway is in the Remote Access community:
a) On R71.x and R75.40 Security Gateways, from the Manage menu select VPN Communities.
The VPN Communities window opens.
On R75.40VS, R76, and R77 Security Gateways, select IPsec VPN > Communities.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens. Open Participating Gateways.
c) If the Security Gateway is not already in the list of participating gateways: click Add, select the
Security Gateway from the list of gateways, and click OK.
d) Click OK.
e) Click Close.
5. Install the policy (Policy menu > Install).

Supporting Endpoint Security VPN and SecureClient Simultaneously
To run Remote Access Clients along with SecureClient or NGX SecuRemote client on client systems, you
must configure the server and the gateways that will manage these remote access clients.
Before you start the configuration, make sure that the encryption domains of all of the gateways are the
same. Also make sure that all gateways give connectivity to the same resources.
To configure the gateways in SmartDashboard for management of Remote Access Clients
and NGX clients:
1. For Check Point Mobile for Windows and SecuRemote client, start with step 2.
For Endpoint Security VPN only, on the Desktop tab, add a rule to make sure that the Endpoint
Security VPN firewall does not block SecureClient. Allow outbound connections on:
 UDP 18231
 UDP 18233
 UDP 2746 for UDP Encapsulation
 UDP 500 for IKE
 TCP 500 for IKE over TCP
 TCP 264 for topology download
 UDP 259 for MEP configuration
 UDP 18234 for performing the tunnel test when the client is inside the network
 UDP 4500 for IKE and IPsec (NAT-T)
 TCP 18264 for ICA certificate registration
 TCP 443 for Visitor Mode
 TCP 80

2. On R71.x and R75.40 Security Gateways, from the Policy menu, select Global Properties.
On R75.40VS, R76, and R77 Security Gateways, click Edit Global Properties.
The Global Properties window opens.
3. Open Remote Access > VPN - Advanced.

4. Select Sent in clear.


5. Click OK.
6. Do Policy > Install.

Troubleshooting Dual Support


If SecureClient blocks Remote Access Clients traffic:
1. Make sure that you selected Remote Access > VPN - Advanced > Sent in clear.
2. Choose how you want to solve this issue.
• If users manage their own clients: they can delete the SecureClient site.

Note - It is not enough to disable the site. It must be deleted.

• To solve this issue for all clients, change the Desktop rule base. In the Outbound Rules, add these rules above the rule that blocks the connection:
a) Allow traffic to the Endpoint Security VPN Security Gateway.
- Desktop = All Users
- Destination = Endpoint Security VPN Security Gateway
- Service = http, https, IKE_NAT_TRAVERSAL
- Action = Accept
b) Allow users to access the encryption domain.
- Desktop = All Users
- Destination = The encryption domain. In the example this is the FTP server.
- Service = The protocol necessary to reach the encryption domain. In the example this is FTP.
- Action = Accept
c) Install the policy.
To uninstall NGX Clients:
• If you install Remote Access Clients after SecureClient or NGX SecuRemote client, and you want to uninstall the NGX client, you cannot do it from Add/Remove Programs. You must open the Uninstall SecureClient or NGX SecuRemote client program from Start > Programs.
• To remotely uninstall SecureClient with a script, run UninstallSecureClient.exe from the SecureClient installation directory.

Chapter 2
The Configuration File
In This Chapter
Editing the TTM File 23
Centrally Managing the Configuration File 23
Understanding the Configuration File 24

Policy is defined on each gateway in the trac_client_1.ttm configuration file located in the $FWDIR/conf
directory.

Editing the TTM File


When the client connects to the gateway, the updated policy is downloaded to the client and written in the
trac.config file.
If you make changes in the trac_client_1.ttm file of a gateway, you must install the policy on each
changed gateway.

Note - When you edit the configuration file, do not use a DOS editor, such as WordPad or
Microsoft Word, which change the file formatting.

The TTM file must stay in UNIX format. If you do convert the file to DOS, you must convert it back to UNIX.
You can use the dos2unix command, or open it in an editor that can save it in a UNIX format.

To activate changes in the TTM file:


1. Edit and save the file.
2. Install the policy from SmartDashboard or the CLI of each gateway:
• In SmartDashboard, select Policy > Install and install Network Security on each changed gateway.
• Run cpstop and cpstart from the CLI of each changed gateway.

Important - If you use Secondary Connect or MEP, make sure that the TTM files on all
gateways have the same settings.

Centrally Managing the Configuration File


If the configuration file on each gateway is identical, you can manage one copy of the configuration file on
the Security Management Server. This file is copied to the gateways when you install the policy.

Important - You must use the newest configuration file installed on the gateway for Remote
Access Clients. If you do not install the newest configuration file on the Security Management
Server, the server will have an outdated configuration file that does not support new features.

To centrally manage the configuration file on non-legacy gateways:


1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.
2. From the gateway, copy trac_client_1.ttm to the server.
3. Open $FWDIR/conf/fwrl.conf and find the % SEGMENT FILTERLOAD section.
4. In the NAME section, add this line:
NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;
This copies the file to the Remote Access Clients gateways each time that you install the policy on the
gateways.
5. Save the file.
6. In SmartDashboard, install the policy on all gateways.
When clients download the new policy from the gateway, configuration changes are applied.
The procedure above does not apply to the legacy gateways managed with a compatibility pack. For
example, R71 managed by R75.
To centrally manage the configuration file on legacy gateways:
1. Open fwrl.conf in the relevant compatibility pack directory:
/opt/CP###CMP-$$$/conf/, where ### is the target gateway version, and $$$ is the current SMC
version.
For example, for an R77 gateway managed by an R75.20 SMC, the directory would be
/opt/CPR77CMP-R75.20.
2. Find the % SEGMENT FILTERLOAD section.
3. In the NAME section, add this line:
NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;
This copies the file to the Remote Access Clients gateways each time that you install the policy on the
gateways.
4. Save the file.
5. Create a symbolic link to the TTM file in $FWDIR/conf/ by running this command:
ln -s $FWDIR/conf/trac_client_1.ttm trac_client_1.ttm
6. Install the policy on the gateway.

Understanding the Configuration File


The trac_client_1.ttm file contains sets that look like this (the closing parenthesis of the outer set is required):
:attribute (
    :gateway (
        :ext ()
        :map ()
        :default ()
    )
)

• attribute - The name of the attribute on the client side. This is in trac.defaults on the client.
• gateway - The name of the attribute on the gateway side. This is in objects.c on the Security Management Server. Look in the objects.c file to see what the defined behavior is on the gateway side. The name of the attribute is only written here if it is different from the name on the client side. If there is no value for gateway, the name of the attribute is the same in trac.defaults and objects.c.
• ext - If present, it is a hard-coded function that is defined and done on the gateway. Do not change it. This function can be done in addition to the function defined for the attribute on the client or gateway side.
• map - Contains the valid values this attribute can have.
• default - The value here is downloaded to the client if the gateway attribute was not found in objects.c. If the value is client_decide, the value is defined on the client computer, either in the GUI or in the trac.defaults file on each client.
The behavior for each attribute is decided in this way:
1. If the attribute is defined for the gateway in objects.c file on the Security Management Server, that
value is used.
2. If the attribute is NOT defined for a gateway in the objects.c file, the behavior for the attribute is
taken from the default value.
3. If the default value is client_decide or empty, the behavior is taken from the client.
• If the attribute is configured in the client GUI, it is taken from there.
• If the attribute is not configured in the client GUI, it is taken from the trac.defaults file on each client.
Example:
:enable_password_caching (
    :gateway ()
    :default (client_decide)
)

enable_password_caching is the name of the attribute in trac.defaults and objects.c. Search the objects.c file on the Security Management Server to see if it is defined for the gateway.
• If the attribute is defined for the gateway, that behavior is used.
• If the attribute is NOT defined for a gateway, the default value is used. Because the default value is client_decide, the setting is taken from each client.
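The resolution order described above, as an added example that is not Check Point's code: a small parser for the set syntax of trac_client_1.ttm and a resolve() function that applies the objects.c, then :default, then client order, validating the result against :map and refusing a file in DOS format as the note under Editing the TTM File requires. The example_interval attribute, its gateway-side name example_interval_gw, and the dictionaries standing in for objects.c, the client GUI and trac.defaults are all constructed for the example.

```python
import re

# Constructed sample in the set syntax shown above. enable_password_caching is the
# attribute named on the page; example_interval and example_interval_gw are made up.
SAMPLE_TTM = """:enable_password_caching (
    :gateway ()
    :default (client_decide)
)
:example_interval (
    :gateway (example_interval_gw)
    :map (10 20 30)
    :default (20)
)"""

_TOKEN = re.compile(r":(\w+)\s*\(|\)|[^\s()]+")  # ':name (', ')' or a bare value

def parse_ttm(text):
    """Parse ':name ( ... )' sets into nested dicts; bare values go under '_values'."""
    if "\r" in text:  # the TTM file must stay in UNIX format (see the note above)
        raise ValueError("CRLF found: convert the file back to UNIX format (dos2unix)")
    stack = [{}]
    for m in _TOKEN.finditer(text):
        if m.group(0) == ")":
            if len(stack) < 2: raise ValueError("unexpected ')' in TTM text")
            stack.pop()
        elif m.group(1):                                  # opening ':name ('
            stack[-1][m.group(1)] = child = {}
            stack.append(child)
        else:
            stack[-1].setdefault("_values", []).append(m.group(0))
    if len(stack) != 1: raise ValueError("unclosed set in TTM text")
    return stack[0]

def _leaf(section, key): return " ".join(section.get(key, {}).get("_values", []))

def resolve(attr, ttm, objects_c, client_gui, trac_defaults):
    """Resolution order from the text: objects.c -> :default -> client GUI -> trac.defaults."""
    entry, gw = ttm[attr], ttm[attr].get("gateway", {})   # sub-keys may also sit inside :gateway
    gw_name = _leaf(entry, "gateway") or attr             # empty :gateway () means the same name
    default = _leaf(entry, "default") or _leaf(gw, "default")
    if gw_name in objects_c:                              # 1. defined for the gateway in objects.c
        value = objects_c[gw_name]
    elif default and default != "client_decide":          # 2. otherwise the :default value
        value = default
    else:                                                 # 3. client_decide or empty: client decides
        value = client_gui.get(attr, trac_defaults.get(attr))
    allowed = (_leaf(entry, "map") or _leaf(gw, "map")).split()
    if value is not None and allowed and value not in allowed:  # :map lists the valid values
        raise ValueError(f"{attr}: {value!r} not in {allowed}")
    return value
```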

Configuration File Parameters


See sk75221 (http://supportcontent.checkpoint.com/solutions?id=sk75221) for an updated list of parameters
for the configuration file.

Chapter 3
Differences between SecureClient
and Endpoint Security VPN CLI
This table shows common tasks and how to perform them with SecureClient or Remote Access Clients
E80.50 command line. N/A indicates that the task cannot be performed with the CLI.
Asynchronous Connect
SecureClient: connectwait <profilename>
Remote Access Clients E80.50: N/A

Change P12 Certificate Password
SecureClient: N/A
Remote Access Clients E80.50: change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]

Connect to Site
SecureClient: connect [-p] <profilename>
Remote Access Clients E80.50: connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]

Create / Add Site
SecureClient: add <sitename>
Remote Access Clients E80.50: create -s <sitename> [-a <authentication method>]

Delete Site
SecureClient: delete <sitename>
Remote Access Clients E80.50: delete -s <sitename>

Disconnect from Site
SecureClient: disconnect
Remote Access Clients E80.50: disconnect

Display Connection Status
SecureClient: status
Remote Access Clients E80.50: N/A

Enable / Disable Hotspot Registration
SecureClient: sethotspotreg <on | off>
Remote Access Clients E80.50: N/A

Enable / Disable Policy
SecureClient: setpolicy [on | off]
Remote Access Clients E80.50: firewall -st [enable | disable]

Enroll ICA CAPI Certificate
SecureClient: icacertenroll <site IP/name> <registration key> <file path> <password>
Remote Access Clients E80.50: enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]

Enroll ICA P12 Certificate
SecureClient: N/A
Remote Access Clients E80.50: enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]

Get Site Name / IP
SecureClient: getsite <profilename>
Remote Access Clients E80.50: info [-s <sitename>]

List Profiles
SecureClient: listprofiles
Remote Access Clients E80.50: info

List Domain Names Stored in the CAPI
SecureClient: N/A
Remote Access Clients E80.50: list

Print Log Messages
SecureClient: N/A
Remote Access Clients E80.50: log

Renew CAPI Certificate
SecureClient: N/A
Remote Access Clients E80.50: renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection> ]

Renew P12 Certificate
SecureClient: N/A
Remote Access Clients E80.50: renew_p12 -s <sitename> -f <filename> -p <password> [ -l <keylength> ]

Restart VPN Services
SecureClient: restartsc
Remote Access Clients E80.50: N/A

Set Certificate File / Password
SecureClient: passcert <password> <certificate>
Remote Access Clients E80.50: See Connect to Site

Set Username / Password
SecureClient: userpass <username> <password>
Remote Access Clients E80.50: See Connect to Site

Show Number of Profiles
SecureClient: numprofiles
Remote Access Clients E80.50: N/A

Show VPN Client Version
SecureClient: version
Remote Access Clients E80.50: ver

Start VPN Client Services
SecureClient: startsc
Remote Access Clients E80.50: start

Stop VPN Client Services
SecureClient: stopsc
Remote Access Clients E80.50: stop

Suppress UI Dialog Messages
SecureClient: suppressdialogs [on | off]
Remote Access Clients E80.50: N/A

Unset User Credentials
SecureClient: erasecreds
Remote Access Clients E80.50: N/A

Update Topology
SecureClient: update <profilename>
Remote Access Clients E80.50: N/A