10 April 2012

How To Upgrade SecureClient to E75 Remote Access Clients for Windows


© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=15008

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date Description

4/10/2012 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Upgrade SecureClient to E75 Remote Access Clients for Windows ).


Contents

Important Information
How To Upgrade SecureClient to E75 Remote Access Clients for Windows
Objective
    Supported Versions
    Supported Operating Systems
    Supported Appliances
Before You Start
    Related Documents and Assumed Knowledge
Upgrading SecureClient to E75 Remote Access Clients for Windows
Completing the Process
Verifying
Index


How To Upgrade SecureClient to E75 Remote Access Clients for Windows

Objective

This document explains how to upgrade, or migrate, SecureClient to E75 Remote Access Client.

Supported Versions

These Check Point versions support E75 Remote Access Clients:

All supported platforms for Check Point NGX R65 HFA 70 (R65.70), with NGX R66 Management plug-in, require R75 Remote Access Clients gateway hotfix.

All supported platforms for Check Point R70.40 require R75 Remote Access Clients gateway hotfix.

All supported platforms for Check Point R71.30.

All supported platforms for Check Point R75.

Supported Operating Systems

Management Server and Gateways:

SecurePlatform 2.4 and 2.6

IPSO 4.2 and 6.2

Windows

Clients:

Microsoft Windows XP 32 bit SP2, SP3

Microsoft Windows Vista 32 bit and 64 bit SP1

Microsoft Windows 7 Home Edition 32 bit and 64 bit

Microsoft Windows 7 Home Premium 32 bit and 64 bit

Microsoft Windows 7 Pro 32 bit and 64 bit

Microsoft Windows 7 Ultimate 32 bit and 64 bit

Microsoft Windows 7 Enterprise 32 bit and 64 bit

Supported Appliances

Any


Before You Start

Related Documents and Assumed Knowledge

Before you start any migration, you must understand the environment and the features previously used.

Refer to R75 (http://dl3.checkpoint.com/paid/aa/CP_R75_ReleaseNotes.pdf?HashKey=1332933762_daced514b208dc644b585ac0fd8170be&xtn=.pdf) and E75.10 (http://dl3.checkpoint.com/paid/de/CP_E75.10_Remote_Access_Clients_ReleaseNotes.pdf?HashKey=1332933932_504cdb7717191323ccf5c1a5c1363d1e&xtn=.pdf) Release Notes to see Known limitations

Endpoint Security VPN R75 HFA1 Administration Guide (http://dl3.checkpoint.com/paid/80/CP_R75_HFA1_EPS_VPN_Admin_Guide.pdf?HashKey=1332932332_4d73a783998ab664fea47aa5d789c970&xtn=.pdf)

Endpoint Security VPN R75 HFA 1 User Guide for Windows 32-bit/64-bit

R75 (http://dl3.checkpoint.com/paid/e3/CP_R75_VPN_AdminGuide.pdf?HashKey=1332933076_83759987121de6ca776d322185315c97&xtn=.pdf)/R71 (http://dl3.checkpoint.com/paid/c0/CP_R71_VPN_AdminGuide.pdf?HashKey=1332933256_468173de4b1d528e374a5d9211f6081c&xtn=.pdf)/R70 (http://dl3.checkpoint.com/paid/9d/CP_R70_VPN_AdminGuide.pdf?HashKey=1332933339_169590013de7ea94e84551ebc08f75fa&xtn=.pdf)/NGX R65 (http://dl3.checkpoint.com/paid/17/CheckPoint_R65_VPN_AdminGuide.pdf?HashKey=1332933411_e9fa0c00c02a13da6833553261e1b998&xtn=.pdf) VPN Administration Guide

Upgrading to Remote Access Clients R75 HFA1 on R71 Upgrade Guide (http://dl3.checkpoint.com/paid/4f/CP_R75_HFA1_EPSVPN_R71_UpgradeGuide.pdf?HashKey=1332932625_aa663b454a8a00aad1bb1974448146e5&xtn=.pdf)

Upgrading to Remote Access Clients R75 HFA1 on R70 Upgrade Guide (http://dl3.checkpoint.com/paid/9a/CP_R75_HFA1_EPSVPN_R70_UpgradeGuide.pdf?HashKey=1332932791_5aa8da656eb68baa2bb4d1d8ab987292&xtn=.pdf)

Upgrading to Remote Access Clients R75 HFA1 on NGX R65 Upgrade Guide (http://dl3.checkpoint.com/paid/20/CP_R75_HFA1_EPSVPN_NGX_R65_UpgradeGuide.pdf?HashKey=1332932857_b5b0f95ebb4d37afb9b38b2b5ff18be1&xtn=.pdf)

SecureClient Feature Support in Endpoint Security VPN R75 (SecureClient Next Generation) - sk56580 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk56580&js_peid=P-114a7bc3b09-10006&partition=General&product=Endpoint).

After migrating SecureClient to Endpoint Security VPN, Endpoint Security VPN stays in no compliant state - sk61825.

After migrating SecureClient to Endpoint Security VPN, Office Mode assignment does not work as expected - sk61866 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk61866&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=Endpoint).

Upgrading SecureClient to E75 Remote Access Clients for Windows

List the Actual Features You Use

This is one of the most important tasks to do before you start the migration. R75 and E75.10 have several limitations which you need to deal with during the migration.

Some current limitations can require environment modifications or a new technical approach:


Secondary Connect: Not supported yet by E75 and E75.10 client. To work around this limitation:

a) Define multiple sites. Connect to the desired site and access the resource, as required.

b) Define site to site VPN.

c) Combine the site encryption domains so that you can access the same resources through different sites.

SCV checks:

Third party dll is not supported.

The SCV HotfixMonitor check is not supported on Windows Vista and Windows 7.

The SCV RegMonitor check only checks keys under HKEY_LOCAL_MACHINE.

The SCV user_policy_scv check is not supported. We recommend that you disable user_policy_scv in $FWDIR/conf/local.scv.

R75 client requires Office Mode whereas SecureClient can run without this feature.

To Activate Connectra plugin on Management Server (for R65 HFA70):

1. Download the Connectra_NGX_R66_Management_CD2 from the Check Point Support Center (https://supportcenter.checkpoint.com).

2. Mount the CDROM.

3. Browse to /mnt/cdrom/linux/connectra_plugin.

4. Run the rpm installation.

5. In a Provider-1 environment, you also need to activate the PlconR66-R65 plugin on the relevant CMAs.

To Install Hotfix (if your gateway version requires it):

1. Download the hotfix from the Check Point Support Center (https://supportcenter.checkpoint.com).

2. Copy the hotfix package to the gateway.

3. Run the hotfix on SecurePlatform and IPSO with:

[admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz

and

[admin@gateway ~/hf]$ ./fw1_HOTFIX_ENFI_HFA_EVE2_620631013_1

This message appears:

Do you want to proceed with installation of Check Point fw1 NGX R65 Support ENFI_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on this computer?

(y-yes, else no):y

If you choose to proceed, the installation performs CPSTOP.


On Windows, double click the installation file and follow the instructions.

4. Reboot the gateway.

Note - As E75 Remote Access Client uses Visitor Mode as a connection method, if the WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint Security VPN cannot connect.

To Configure the Policy Server:

1. From the SmartDashboard tree view, double click the Policy Server gateway. The Check Point Gateway-General Properties window opens (in the Network Security tab of this window, you can check that the Policy check box is selected to make sure the gateway is a Policy Server).

2. In the tree view, click Authentication. The Authentication window opens.

3. Below Policy Server, make sure a specific group is selected from the Users drop down list. That is the group to which the Policy Server is available.

To Enable Visitor Mode:

By default visitor mode uses HTTPS (port 443) for encapsulation. However, it is possible to use any other port.

1. In the tree view, click Remote Access. The Remote Access window opens.

2. Below Visitor Mode Configuration, check what is selected from the Service drop down list. If it is http (port 80, in which clients can encapsulate NAT-T), disable Hotspot Detection.


To disable Hotspot Detection, in the trac_client_1.ttm file on the relevant gateway(s), find hotspot_detection_enabled, and change the default setting to false.

If you modify the default port for visitor mode, use the @IP:port_number syntax when you create a site.
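
A check for the Hotspot Detection change described above, as an added example that is not part of the original document or Check Point's own code: the shell function reads a trac_client_1.ttm-style file and reports the default value of one attribute. The nested block layout, the constructed sample file and the function names (ttm_default, hotspot_disabled, write_sample) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code). Assumes attributes are written as
# nested ":name ( ... )" blocks that contain a ":default (value)" line.

# ttm_default FILE ATTRIBUTE
# Prints the default value of ATTRIBUTE; returns 1 if it is not found.
ttm_default() {
    awk -v attr=":$2" '
        # Enter the block when a line opens the requested attribute
        !inside && $1 == attr && $2 == "(" { inside = 1; depth = 0 }
        inside {
            if ($1 == ":default") {
                v = $2; gsub(/[()]/, "", v); print v; found = 1; exit
            }
            # Track parenthesis depth to stop at the end of this block
            depth += gsub(/\(/, "(") - gsub(/\)/, ")")
            if (depth <= 0) inside = 0
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# hotspot_disabled FILE: succeeds only when the default is "false"
hotspot_disabled() {
    [ "$(ttm_default "$1" hotspot_detection_enabled)" = "false" ]
}

# Constructed sample file, not copied from a real gateway
write_sample() {
    cat > "$1" <<'EOF'
:enable_password_caching (
    :gateway (
        :default (client_decide)
    )
)
:hotspot_detection_enabled (
    :gateway (
        :map (
            :true (true)
            :false (false)
            :client_decide (client_decide)
        )
        :default (true)
    )
)
EOF
}

sample="${TMPDIR:-/tmp}/trac_client_1.sample.$$"
write_sample "$sample"
if hotspot_disabled "$sample"; then
    echo "Hotspot Detection default: false"
else
    echo "Hotspot Detection default is still enabled in $sample"
fi
rm -f "$sample"
```

Run the same function against a copy of each gateway's file after editing it, so that a gateway that was missed shows up before clients connect over port 80.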

To Enable Office Mode (if not enabled on SecureClient):

1. In the gateway window tree view, click Office Mode. The Office Mode window opens.

2. Select the Using one of the following methods check box, and select Manual (using IP pool), or Automatic (using DHCP).

A predefined Office Mode pool exists in the CP_default_Office_Mode_addresses_pool (IP address: 172.16.10.0/24).


3. Below Office Mode, select either Offer Office Mode to group, or Allow Office Mode to all Users.

4. You can assign a dedicated IP address to a specific client:

In the VPN-1 gateway: in the \FWDIR\conf directory, edit the ipassignment.conf text file. The gateway uses these Office Mode settings and not those defined for the object in SmartCenter server.

ipassignment.conf file

In a DHCP server: in the Office Mode window, select Automatic (using DHCP), and from the MAC address for DHCP allocation drop down list, select Unique per user or Unique per machine, and click OK.

Note - regarding DHCP allocation unique per machine:

In E75, the MAC address that is sent to the gateway differs from the MAC address of the VNA. This improvement is due to VNA MAC address collisions in SecureClient.

The new mechanism randomly generates a VPN MAC address on every reboot.

To link between the VPN client installation and the OM IP with a DHCP server, use cpmsi_tool to generate a new installation which defines a permanent MAC address for OM configuration (separate from the VNA MAC address).


To Configure Global Policy:

1. To force SecureClient to not encrypt packets originated from client side while disconnected, from the SmartDashboard menu bar, click Policy, and select Global Properties. The Global Properties window opens.

2. In the tree view, collapse Remote Access, click VPN-Advanced, and below When disconnected, traffic to the encryption domain, will be, select Sent in clear.

3. Click OK.

To Add Desktop FireWall Policy:

1. To allow client connectivity, in the SmartDashboard Desktop tab, below Outbound Rules, right click a rule line number, and select Add Rule > Above. A new rule line opens.

2. To select a value, move the cursor to each box; a + icon appears. Click the +, and select from the drop down list.

In Destination, select the gateway configured during this process.

In Service, select the SecureClient services.

This rule is used by both clients during dual support.

When a customer has a Clean-Up rule, there can be a problem accessing the encryption domain.

Example for a Clean-Up rule

The problem arises because one client drops all packets sent to the encryption domain by the other client.

Drops seen in SecureClient Diagnostic Tool:

Drops seen in Endpoint Security VPN fwpktlog file:

To resolve this problem, two options are available:

Disable the Security Policy on the client side:


To disable Desktop FireWall policy on SecureClient, right click the SecureClient icon, select Tools > Disable Security Policy.

Add a rule in Desktop FireWall Policy:

If the client needs to access the encryption domain with http, ssh, and ping (rule 4), you need to add another rule, one for All_Users, to allow the same services to reach the same networks (rule 5).

Each client needs to reconnect to the gateway to download the new Desktop FireWall Policy.

3. Install the policy on the relevant gateway.

Completing the Process

To Download the Modified Policy:

1. Connect with SecureClient to download the modified Desktop FireWall Policy. Once the FireWall policy is updated, disconnect from the gateway.

2. Connect with Endpoint Security VPN E75 client to the gateway.

3. Try to access the resources located in the encryption domain.

When Endpoint Security VPN R75 client is operational in the customer environment, you can uninstall SecureClient.

To uninstall SecureClient:

If you install Endpoint Security VPN after SecureClient, and you want to uninstall SecureClient, you cannot do it with Add/Remove Programs. You must open the Uninstall SecureClient program. Go to Start > Programs.

To remotely uninstall SecureClient with a script, from the SecureClient installation directory run: UninstallSecureClient.exe


Verifying

To display the OM IP address assigned to the client when connected, from the Start menu command shell, run: ipconfig /all

See if the client can reach the resources inside the encryption domain.

When you access the internal resources and the traffic is encrypted, the endpoint icon looks like:

Fw monitor output shows visitor mode or NAT-T traffic that reaches the gateway.

In this output, port 80 is the port used by visitor mode.


Index

B

Before You Start

C

Completing the Process

H

How To Upgrade SecureClient to E75 Remote Access Clients for Windows

I

Important Information

O

Objective

R

Related Documents and Assumed Knowledge

S

Supported Appliances
Supported Operating Systems
Supported Versions

U

Upgrading SecureClient to E75 Remote Access Clients for Windows

V

Verifying

