
Endpoint Security VPN

R75
User Guide

7 October 2010

Important Information

Latest Version
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11604
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date                Description
6 October 2010      Added Microsoft Windows Editions to supported Client Platforms ("Introduction to Endpoint Security VPN" on page 4)
28 September 2010   Updated feature lists

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security VPN R75 User Guide).

Contents

Important Information
Introduction to Endpoint Security VPN
    Client Platforms
    The Installation Process
Getting Started
    Defining a Site
    Basic Operations
    Connect Window
    Client Icon
Setting up Endpoint Security VPN
    Configuring Proxy Settings
    Configuring VPN
    Changing the Site Authentication Scheme
    Certificate Enrollment and Renewal
    Importing a Certificate in the CAPI Store
    Authenticating with Certificate File
    SecurID
    Challenge-Response
    Secure Domain Logon
    Collecting Logs

Chapter 1
Introduction to Endpoint Security VPN

Endpoint Security VPN is a lightweight remote access client for seamless, secure IPSec VPN connectivity to remote resources. It authenticates the parties and encrypts the data that passes between them. Endpoint Security VPN is intended to replace the current Check Point remote access client: SecureClient.

Client Platforms
You can install Endpoint Security VPN on several Windows platforms.
• Microsoft Windows XP 32 bit SP2, SP3
• Microsoft Windows Vista 32 bit and 64 bit SP1
• Microsoft Windows 7 Home Edition 32 bit and 64 bit
• Microsoft Windows 7 Home Premium 32 bit and 64 bit
• Microsoft Windows 7 Pro 32 bit and 64 bit
• Microsoft Windows 7 Ultimate 32 bit and 64 bit
• Microsoft Windows 7 Enterprise 32 bit and 64 bit

The Installation Process
Important - To install Endpoint Security VPN on any version of Windows, you need Administrator permissions. Consult with your system administrator.

To install the Endpoint Security VPN client:
1. Log in to Windows with a user name that has Administrator permissions.
2. Get the installation package from your system administrator, and double-click the installation package.
3. Follow the installation wizard.
   Note - On Windows Vista and Windows 7, there may be a prompt to allow access, depending on the UAC settings.
   After installation, the Endpoint Security VPN client icon appears in the system tray.
4. Double-click the Endpoint Security VPN icon. If you are prompted to define a site, make a site with the IP address that your system administrator gave you.

Chapter 2
Getting Started

Defining a Site
You need at least one site to connect to a VPN. If your system administrator pre-configured the client package, you can connect to the VPN site immediately. If not, you must define the site.

Before you begin, make sure you know how you will authenticate to the VPN and that you have the credentials (password, certificate file, or whatever the system administrator says you need). Also, you may need the gateway fingerprint, to verify that the client is connecting to the correct gateway. You should get this from your system administrator.

To define a site:
1. Right-click the client icon and select VPN Options. The Options window opens. The first time you open the window, no sites are listed.
2. On the Sites tab, click New.

   The Site Wizard opens.
3. Click Next.
4. Enter the name or IP address of the Security Gateway and click Next. It may take a few minutes for Endpoint Security VPN to identify the site name.
   After resolving the site, a security warning may open:
       The site's security certificate is not trusted! While verifying the site's certificate, the following possible security risks were discovered:
   Ask your system administrator for the fingerprint of the server. If the server fingerprint matches the fingerprint in the warning message, you can click Trust and Continue. Otherwise, consult with your system administrator.

   The Authentication Method window opens.
5. Select an authentication method according to your system administrator's instructions.
6. Click Next and follow the instructions to enter your authentication materials.
7. Click Finish. The client offers to connect you to the newly created site.
8. Click Yes to connect to the site, or No to save the site details and connect later.

Basic Operations
Right-click the client icon in the system tray to access basic operations. (Not all options appear for every client status and configuration.)

Option - Function
Connect - Opens the main connection window, with the last active site selected. If you authenticate with a certificate, the client immediately connects to the selected site.
Connect to - Opens the main connection window.
VPN Options - Opens the Options window to set a proxy server, choose interface language, enable Secure Domain Logon, and collect logs.
Register to Hotspot - Lets you bypass the firewall to register to a hotspot. After you click this option, open a browser. It will open to the hotspot registration page.
Show Compliance Report - See if your computer is compliant with the Security Policy, and if not, why not and how to fix the issue.
Shutdown Client - Closes Endpoint Security VPN and the VPN connection. If you close Endpoint Security VPN, the desktop firewall still enforces the security policy.
Show Client - Open the Endpoint Security VPN client.

To quick connect to last active site, double-click the tray icon. To access other basic operations, right-click the tray icon and select an option.

Connect Window
In the Connect window, you provide authentication to connect to the VPN.
• If you use Username and Password, enter your username and password.
• If you have a Certificate, browse to the certificate file and provide the password.
• If you use SecurID, enter your PIN or passcode.
• If you use Challenge Response, provide the first key. When the challenge comes, provide the response. If you get a key in response, copy it.

Client Icon
The client tray icon shows the status of Endpoint Security VPN. The icon indicates one of these statuses:
• Disconnected
• Connecting
• Connected
• Encryption (encrypted data is being sent or received on the VPN)
• Error

You can also hover your mouse on the icon to show the client status.

Chapter 3
Setting up Endpoint Security VPN

Configuring Proxy Settings
If you are at a remote site which has a proxy server, the Endpoint Security VPN client must be configured to pass through the proxy server. Usually Endpoint Security VPN can detect proxy settings automatically. If not, you can configure it.

Before you begin, get the IP address of the proxy server from the local system administrator. Find out if the proxy needs a user name and password.

To configure proxy settings:
1. Right-click the client icon and select VPN Options. The Options window opens.
2. Open the Advanced tab.
3. Click Proxy Settings. The Proxy Settings window opens.
4. Select an option.
   • No Proxy - Make a direct connection to the VPN.
   • Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer > Tools > Internet options > Connections > LAN Settings.
   • Manually define proxy - Enter the IP address and port number of the proxy. If required, enter a valid user name and password for the proxy.
5. Click OK.

Configuring VPN
You may have the option to go through the VPN for all your Internet traffic. This is more secure.

To configure VPN Tunneling:
1. Right-click the Endpoint Security VPN icon and select VPN Options. The Options window opens.
2. On the Sites tab, select the site to which you want to connect, and click Properties. The Properties window for the site opens.

3. Open the Settings tab.
4. In VPN tunneling, click Encrypt all traffic and route to gateway. If this option is disabled, consult your system administrator.
5. Click OK.

Changing the Site Authentication Scheme
If you have the option from your system administrator, you can change the way that you authenticate to the VPN.

To change the client authentication scheme for a specific site:
1. Right-click the client icon and select VPN Options. The Options window opens.
2. On the Site tab, select the relevant site and click Properties. The Properties window for the site opens.
3. On the Settings tab, select the appropriate Authentication Scheme drop-down menu option.
   • Username and password
   • Certificate - CAPI
   • Certificate - P12
   • SecurID - KeyFob
   • SecurID - PinPad
   • SecurID - Software Token
   • Challenge Response

Certificate Enrollment and Renewal
You can import a certificate to the CAPI store or save it to a folder of your choice. Before you enroll a certificate, make sure you have the registration key from the system administrator. Ask the system administrator whether you should use CAPI (if so, ask for the provider name) or P12.

To enroll a certificate:
1. Right-click the client icon in the system tray, and select VPN Options.
2. On the Sites tab, select the site from which you want to enroll a certificate and click Properties. The site Properties window opens.
3. Select the Settings tab.
4. Choose an Authentication Method (Certificate - CAPI or Certificate - P12), and click Enroll.
   • CAPI: In the window that opens, select the provider.
   • P12: In the window that opens, enter a new password for the certificate and confirm it.
5. Enter the Registration Key that your administrator sent you.
6. Click Enroll.

Your system administrator may tell you to renew your certificate, or you see a message that the certificate expired.

To renew a certificate:
1. In the Settings tab > Method, select either Certificate - CAPI or Certificate - P12.
2. Click Renew. In the window that opens, select your certificate type:
   • CAPI: select the certificate from the list.
   • P12: browse to the P12 file and enter the password.
   Click Renew.

3. Click Renew.

Importing a Certificate in the CAPI Store
Before you can use the certificate to authenticate your computer, you must get:
• the certificate file.
• the password for the file.
• the name of the site (each certificate is valid for one site).

If the system administrator said to save the certificate on the computer, import it to the CAPI store. (Otherwise, the administrator will give you the certificate file on a USB or other removable media. Make sure you get the password.)

To import a certificate file to the CAPI store:
1. Right-click the client tray icon, and select VPN Options.
2. On the Sites tab, select the gateway and click Properties.
3. Open the Settings tab.
4. Make sure that Certificate - CAPI is selected in the Method list.
5. Click Import.
6. Browse to the P12 file.
7. Enter the certificate password and click Import.

Authenticating with Certificate File
If Certificate - P12 is used, browse to the P12 file to authenticate.

To authenticate with a P12 file:
1. Configure the client to use Certificate - P12 for authentication.
2. Connect to the site. The connection dialog opens.
3. In the Certificate File area, browse to the P12 file.
4. Enter the certificate password.
5. Click Connect.

Note - If Always-Connect is on, Endpoint Security VPN asks for the certificate password if a secure connection is lost. You do not have to browse to the certificate file again.

SecurID
RSA SecurID authentication uses hardware (Key Fob or PINPad) or software (softID) that generates an authentication code at fixed intervals (usually one minute), with a built-in clock and an encoded random key.
• The most common form of SecurID token is the hand-held device, usually a Key Fob or PINPad.
• With PINPad, you enter a personal identification number (PIN), to generate a passcode that you can use in Endpoint Security VPN.
• When the token does not have a PINPad, a tokencode is displayed. A tokencode is the changing number displayed on the Key Fob. If Key Fob is the authentication method, you enter the PIN and the tokencode separately.
• SoftID operates the same way as a passcode device, but consists only of software that sits on the desktop. You can use it as a simple Key Fob and copy the token code. Or, you can set the authentication method to SecurID Software Token, and Endpoint Security VPN will take the token code automatically.

Endpoint Security VPN uses both the PIN and tokencode, or just the passcode, to authenticate to the Security Gateway.
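The relationship between clock, seed, tokencode and PIN described for SecurID can be seen in this added example, which is not part of the original guide and is not RSA's or Check Point's code. The real SecurID algorithm is proprietary, so the sketch substitutes the public RFC 6238 time-based scheme with a 60-second interval; the seed, PIN and the `Verifier` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

INTERVAL = 60                       # seconds per tokencode ("usually one minute")
SEED = b"12345678901234567890"      # constructed sample seed shared by token and server
PIN = "4821"                        # constructed sample PIN


def tokencode(seed: bytes, now: float, digits: int = 6) -> str:
    """Tokencode for the interval containing `now` (RFC 6238 stand-in, not SecurID)."""
    counter = int(now // INTERVAL)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F         # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: checks PIN + tokencode, tolerating one interval of drift."""

    def __init__(self, pin: str, seed: bytes):
        self.pin, self.seed = pin, seed   # a real server would not keep the PIN in clear
        self.last_counter = -1            # newest interval already accepted

    def check(self, passcode: str, now: float) -> bool:
        current = int(now // INTERVAL)
        for counter in (current - 1, current, current + 1):
            if counter <= self.last_counter:
                continue                  # code from this interval was already used
            expected = self.pin + tokencode(self.seed, counter * INTERVAL)
            if hmac.compare_digest(passcode.encode(), expected.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    server = Verifier(PIN, SEED)
    code = PIN + tokencode(SEED, 80)
    print(server.check(code, 80), server.check(code, 85))  # accepted once, then refused
```

Because each accepted interval is remembered, a passcode observed in transit cannot be replayed even while its one-minute window is still open.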

Challenge-Response
Challenge-response is an authentication protocol in which one party provides the first string (the challenge), and the other party verifies it with the next string (the response). For authentication to take place, the response is validated. Security systems that rely on smart cards are based on challenge-response.

Secure Domain Logon
If the system administrator says that you should use SDL, you can configure your client.

To enable SDL on Endpoint Security VPN:
1. Right-click the client tray icon and select VPN Options.
2. In Options > Advanced, select Enable Secure Domain Logon (SDL).
3. Click OK.
4. Restart the computer and log in.

Collecting Logs
If your system administrator or help desk asks for logs to troubleshoot issues, you can collect the logs from your client.

To collect logs:
1. Right-click the Endpoint Security VPN icon and select VPN Options.
2. Open the Advanced tab.
3. Click Enable Logging.
4. Click Collect Logs.

Note - The logs are saved to %TEMP%\trac\trlogs_timestamp.cab. It opens after the logs are collected. This folder is sometimes hidden. If you need to locate this folder, in Control panel > Folder Options > View, select Show hidden files and folders.
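For the Challenge-Response section above, the following added example (not from the original guide and not the product's implementation) shows both sides of one exchange. It assumes a shared-key HMAC-SHA256 variant; the `Gateway` class, `respond` function and key are hypothetical names and values constructed here.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-sample-shared-key"   # constructed value, known to both parties


class Gateway:
    """Verifying party: issues the challenge and validates the response."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = set()             # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh and unpredictable for every attempt
        self._pending.add(nonce)
        return nonce

    def validate(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False                  # unknown or already answered: replay
        self._pending.discard(nonce)      # single use, even when the answer is wrong
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Responding party: proves possession of the key without transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    gateway = Gateway(KEY)
    first = gateway.challenge()
    answer = respond(KEY, first)
    print(gateway.validate(first, answer))    # valid response to a live challenge
    print(gateway.validate(first, answer))    # same pair again is refused
```

The secret never crosses the wire, and a captured response is useless against any later challenge because each challenge is random and accepted only once.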