27 January 2011
Upgrading to R75 Remote Access Clients
for Windows 32-bit/64-bit
On R70.40 Security Management
R75 HFA1 EA
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11814
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date Description
27 January 2011 Initial version
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments by email, with the subject "Feedback on Upgrading to R75 Remote Access Clients for Windows 32-bit/64-bit R75 HFA1 EA".
Contents
Important Information
Introduction to R75 Remote Access Clients
    Overview of R75 Remote Access Clients
        Endpoint Security VPN
        Check Point Mobile for Windows
        R75 SecuRemote client
    Using Different Management Servers
    Why You Should Upgrade to R75 Remote Access Clients
    Before Upgrading to R75 Remote Access Clients
        System Requirements
        New R75 Remote Access Clients Features
        SecureClient Features Supported in Endpoint Security VPN
        SecureClient Features Not Yet Supported
Configuring Security Gateways to Support R75 Remote Access Clients
    Installing Hotfix on Gateways
    Configuring SmartDashboard for Endpoint Security VPN and Check Point Mobile for Windows
    Configuring SmartDashboard for R75 SecuRemote client
    Supporting Endpoint Security VPN and SecureClient Simultaneously
    Troubleshooting Dual Support
Installing and Configuring R75 Remote Access Clients on Client Systems
    Installing R75 Remote Access Clients on Client Systems
    Using the Packaging Tool
        Preparing the Client Installation Package
    Client Icon
    Helping Users Create a Site
    Connecting to a Site
    Pre-Configuring Proxy Settings
    Pre-Configuring Always Connect
The Configuration File
    Configuration File Overview
    Customized Settings
    Centrally Managing the Configuration File
    Parameters in the Configuration File
    Migrating Secure Configuration Verification
Multiple Entry Point (MEP)
    Configuring Entry Point Choice
    Defining MEP Method
    Implicit MEP
        Configuring Implicit First to Respond
        Configuring Implicit Primary-Backup
        Configuring Implicit Load Distribution
    Manual MEP
    Making a Desktop Rule for MEP
Differences Between SecureClient and Endpoint Security VPN CLI
Chapter 1
Introduction to R75 Remote Access Clients
In This Chapter
Overview of R75 Remote Access Clients
Using Different Management Servers
Why You Should Upgrade to R75 Remote Access Clients
Before Upgrading to R75 Remote Access Clients
Overview of R75 Remote Access Clients
R75 Remote Access Clients are lightweight remote access clients for seamless, secure IPSec VPN connectivity to remote resources. They authenticate the parties and encrypt the data that passes between them.
R75 Remote Access Clients are intended to replace the current Check Point remote access clients: SecureClient, Endpoint Connect, and NGX SecuRemote client.
The clients offered in this release are:
Endpoint Security VPN - Replaces SecureClient and Endpoint Connect.
Check Point Mobile for Windows - New Remote Access Client.
R75 SecuRemote client - Replaces NGX SecuRemote client.
Endpoint Security VPN
Replaces SecureClient and Endpoint Connect.
Enterprise-grade remote access client with desktop firewall and compliance checks.
Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of antivirus, Windows updates, and other system components.
Integrated desktop firewall, centrally managed from the Security Management server.
In-place upgrade from Endpoint Security VPN R75.
Requires the Endpoint Container and Endpoint VPN Software Blades.
Check Point Mobile for Windows
New enterprise-grade remote access client.
Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of antivirus, Windows updates, and other system components.
In-place upgrade from Endpoint Connect.
Requires the SSL VPN Software Blade on the Security Gateway.
R75 SecuRemote client
Replaces NGX SecuRemote client.
Basic remote access functionality.
Unlimited number of connections for Security Gateways with the IPsec VPN blade.
Does not require a license.
Using Different Management Servers
Environments with SecureClient or NGX SecuRemote client already deployed can be easily upgraded to Endpoint Security VPN. SmartDashboard differs between management server versions, so use the guide that matches the SmartDashboard you have.
This guide is for the R70.40 Security Management server.
If you have an NGX R65 SmartCenter server, see Upgrading to R75 Remote Access Clients on an NGX R65 SmartCenter server (http://supportcontent.checkpoint.com/documentation_download?ID=11813).
If you have an R71 Security Management server, see Upgrading to R75 Remote Access Clients on R71 Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11815).
Why You Should Upgrade to R75 Remote Access Clients
Check Point recommends that all customers upgrade from SecureClient or Endpoint Connect to R75 Remote Access Clients as soon as possible, to have these enhancements.
Automatic and transparent upgrades, with no administrator privileges required
Supports 32-bit and 64-bit, Windows Vista and Windows 7
Uses less memory resources than SecureClient
Automatic disconnect/reconnect as clients move in and out of the network
Seamless connection experience while roaming
Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
Supports many additional new features
Does not require a Security Management server upgrade
Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period.
Check Point Mobile for Windows and SecureClient can coexist on client systems during the upgrade period.
Check Point Mobile for Windows and Endpoint Connect can coexist on client systems during the upgrade period.
R75 SecuRemote client and NGX SecuRemote client can coexist on client systems during the upgrade period.
Note - Check Point will end its support for SecureClient in mid-2011.
Before Upgrading to R75 Remote Access Clients
Before upgrading, consider these issues.
System Requirements
R75 Remote Access Clients require a supported gateway version.
Management Server and Gateway:
These Check Point versions support R75 Remote Access Clients:
All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in - Requires R75 Remote Access Clients gateway hotfix.
All supported platforms for R70.40 - Requires R75 Remote Access Clients gateway hotfix.
All supported platforms for R71.30 - Does not require R75 Remote Access Clients gateway hotfix.
See the Release Notes of the specific Check Point version for the supported platforms.
Notes -
R75 Remote Access Clients support VPN gateway redundancy with Multiple Entry Point (MEP).
You can install the R75 Remote Access Clients hotfix on multiple gateways. To enable Implicit MEP, you must also install it on the Security Management server (see Installing Hotfix on Gateways).
The server and gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Endpoint Security VPN.
Clients:
R75 Remote Access Clients can be installed on these platforms:
Microsoft Windows XP 32 bit SP2, SP3
Microsoft Windows Vista 32 bit and 64 bit SP1
Microsoft Windows 7, all editions 32 bit and 64 bit
New R75 Remote Access Clients Features
This table describes the new features in R75 Remote Access Clients and on which R75 Remote Access Clients each is available.
Feature | Description | Endpoint Security VPN | Check Point Mobile for Windows | R75 SecuRemote client
Hotspot Detection and Registration (Exclusion for Policy) | Automatically detects hotspots that prevent the client system from establishing a VPN tunnel; opens a mini-browser so the user can register with the hotspot and then connect to the VPN gateway; firewall support for hotspots | Yes | Yes | No
Automatic Connectivity Detection | Automatically detects whether the client is connected to the Internet or the LAN | Yes | Yes | No
Automatic Certificate Renewal in CLI Mode | Supports automatic certificate renewal, including in CLI mode | Yes | Yes | Yes
Location Awareness | Automatically determines whether the client is inside or outside the enterprise network | Yes | Yes | No
Roaming | Maintains the VPN tunnel if the client disconnects and reconnects using different network interfaces | Yes | Yes | No
Automatic and Transparent Upgrade Without Administrator Privileges | Updates the client system securely and without user intervention | Yes | Yes | Yes
Windows Vista / Windows 7 64-Bit Support | Supports the latest 32-bit and 64-bit Windows operating systems | Yes | Yes | Yes
Automatic Site Detection | During first-time configuration, the client detects the VPN site automatically. Note: this requires DNS configuration and is only supported when the client is configured from inside the internal network | Yes | Yes | Yes
Geo Clusters | Connects the client system to the closest VPN gateway based on location. For more information on geo clusters, see sk43107 (http://supportcontent.checkpoint.com/solutions?id=sk43107) | Yes | Yes | Yes
Machine Idleness | Disconnects the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration | Yes | Yes | Yes
Flush DNS Cache | Removes previous DNS entries from the DNS cache when creating the VPN tunnel | Yes | Yes | Yes
SecureClient Features Supported in Endpoint Security VPN
This table describes the SecureClient features that are supported in R75 Remote Access Clients and on which R75 Remote Access Clients each is available.
Feature | Description | Endpoint Security VPN | Check Point Mobile for Windows | R75 SecuRemote client
Authentication Methods | Username/Password; Certificate; SecurID (passcode, softID, key fobs); Challenge Response | Yes | Yes | Yes
Cached Credentials | Cache credentials for user login | Yes | Yes | Yes
NAT-T/Visitor Mode | Let users connect from any location, such as a hotel, airport, or branch office | Yes | Yes | Yes
Multiple Entry Point (MEP) | VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A) | Yes | Yes | Yes
Pre-Configured Client Packaging | Predefined client installation package with configurations for easy provisioning | Yes | Yes | Yes
Office Mode | Internal IP address for remote access VPN users | Yes | Yes | No
Compliance Policy - Secure Configuration Verification (SCV) | Verifies client system policy compliance before allowing remote access to the internal network | Yes | Yes | No
Proxy Detect / Replace | Detect proxy settings in client system web browsers for seamless connectivity | Yes | Yes | Yes
Hub Mode (Route All Traffic) | Send all traffic from the client system through the VPN gateway | Yes | Yes | No
Localization | Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, Spanish | Yes | Yes | Yes
Certificate Enrollment / Renewal | Automatic enrollment and renewal of certificates issued by the Check Point Internal CA | Yes | Yes | Yes
CLI and API Support | Manage the client with third-party software | Yes | Yes | Yes
Tunnel Idleness | Disconnect the VPN if there is no traffic for a specified duration | Yes | Yes | Yes
Dialup | Support dialup connections | Yes | Yes | Yes
Disconnect On Smart Card Removal | Disconnect the VPN if a Smart Card is removed from the client system | Yes | Yes | Yes
Re-authentication | After a specified duration, the user is asked to re-authenticate | Yes | Yes | Yes
Keep-alive | Send keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel | Yes | Yes | Yes
Check Gateway Certificate in CRL | Validate the VPN gateway certificate against the CRL | Yes | Yes | Yes
Desktop Firewall Configured from SmartDashboard Desktop Policy | Personal firewall integrated into the client, managed with the SmartDashboard desktop policy | Yes | No | No
Configuration File Corruption Recovery | Recover corrupted configuration files | Yes | Yes | Yes
Secure Domain Logon (SDL) | Establish the VPN tunnel before user login | Yes | Yes | Yes
Desktop Firewall Logs in SmartView Tracker | Desktop firewall logs are displayed in SmartView Tracker | Yes | No | No
End-user Configuration Lock | Prevent users from changing the client configuration | Yes | Yes | Yes
Update Dynamic DNS with the Office Mode IP | Register the internal (Office Mode) IP address assigned to remote access VPN users in Dynamic DNS | Yes | Yes | No
SmartView Monitor | Monitor VPN tunnel and user statistics with SmartView Monitor | Yes | Yes | Yes
Post Connect Script | Execute manual scripts before and after the VPN tunnel is established | Yes | Yes | Yes
Secure Authentication API (SAA) | Integrate with third-party authentication providers | Yes | Yes | Yes
SecureClient Features Not Yet Supported
Currently, these SecureClient features are not supported by Endpoint Security VPN. Many of them are expected to be supported in the next release.
Feature | Description
Single Sign-on (SSO) | One set of credentials to log in to both the VPN and the Windows operating system
Entrust Entelligence Support | Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption
Diagnostic Tools | Tools for viewing logs and alerts
VPN Connectivity to VPN-1 VSX | Terminate the VPN tunnel at Check Point VSX gateways
DNS Splitting | Support multiple DNS servers
"No Office Mode" Connect Mode | Connect to the VPN gateway without requiring Office Mode
Pre-shared secret | Authentication method that uses a pre-shared secret
Link Selection | Multiple interface support with redundancy
Secondary Connect (Including Fast Failover) | Connect to multiple VPN gateways simultaneously and establish VPN tunnels to all resources located behind each VPN gateway
DHCP Automatic Lease Renewal | Automatically renew IP addresses obtained from DHCP servers
Chapter 2
Configuring Security Gateways to Support R75 Remote Access Clients
In This Chapter
Installing Hotfix on Gateways
Configuring SmartDashboard for Endpoint Security VPN and Check Point Mobile for Windows
Configuring SmartDashboard for R75 SecuRemote client
Supporting Endpoint Security VPN and SecureClient Simultaneously
Troubleshooting Dual Support
Installing Hotfix on Gateways
To upgrade from SecureClient or NGX SecuRemote client, install the hotfix on the production gateways or on a standalone, self-managed gateway. During the upgrade you can run R75 Remote Access Clients on client systems alongside SecureClient or NGX SecuRemote client.
If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you do not have to install a new hotfix to use the new features of the R75 Remote Access Clients.
To use the Implicit MEP feature, you must install the hotfix on the Security Management server. If you do not require this feature, the hotfix does not have to be installed on the server (only on the gateways).
Important: Before You Begin
If you choose to install the hotfix on a new dedicated gateway in the production environment, managed by the same management server as the rest of the Remote Access gateways, this gateway will also be added to the topology used by SecureClient clients. This causes them to connect to the new gateway. Thus, you must make sure the configuration is valid and that resources set by the encryption domain on this gateway are accessible.
If you have clients that use a pre-shared secret to authenticate, you must give the users a different authentication - one that is supported by R75 Remote Access Clients.
To install the hotfix on a Security Gateway:
1. Download the hotfix from the Check Point Support Center (http://supportcenter.checkpoint.com).
2. Copy the hotfix package to the gateway.
3. Run the hotfix:
On SecurePlatform, Disk-based IPSO, and Solaris:
[admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz
[admin@gateway ~/hf]$ ./fw1_HOTFIX_FLO_HFA_EVE2_HF_553_
Do you want to proceed with installation of Check Point fw1 R70
Support FLO_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on
this computer?
If you choose to proceed, installation will perform CPSTOP.
(y-yes, else no):y
On Windows platforms, double-click the installation file and follow the instructions.
If the WebUI is enabled on the gateway, it must listen on a port other than 443, because Endpoint Security VPN uses TCP 443 for Visitor Mode. If the WebUI stays on port 443, Endpoint Security VPN cannot connect.
4. Reboot the Security Gateway.
Configuring SmartDashboard for Endpoint Security VPN and Check Point Mobile for Windows
You manage R75 Remote Access Clients through the SmartDashboard. This task explains how to set up the SmartDashboard to access configurations required for Endpoint Security VPN and Check Point Mobile for Windows. Before you begin, make sure you have a network for Office Mode allocation.
To configure SmartDashboard for Endpoint Security VPN or Check Point Mobile for Windows:
1. Set the Security Gateway to be a policy server:
a) In the Network Objects Tree, right-click the Security Gateway and select Edit.
The Check Point Gateway - General Properties window opens.
b) In Software Blades > Network Security, select IPSec VPN > Policy Server.
c) Open Authentication.
d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the policy.
2. Configure Visitor Mode:
a) Open Remote Access.
b) In Visitor Mode configuration, select Support Visitor Mode.
3. Configure Office Mode:
Note - Office Mode is not available for R75 SecuRemote client.
a) Open Remote Access > Office Mode.
b) In Office Mode Method, select Manual (using IP pool).
c) In Allocate IP addresses from network, select the network for Office Mode allocation.
4. Click OK.
5. Make sure that the Security Gateway is in the Remote Access community:
a) Select Manage > VPN Communities.
The VPN Communities window opens.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens.
c) Open Participating Gateways.
d) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
e) Click OK.
f) Click Close.
6. For Endpoint Security VPN only, make sure that the desktop policy is configured correctly (Desktop tab).
7. Install the policy: Policy menu > Install.
Configuring SmartDashboard for R75 SecuRemote client
You manage R75 SecuRemote client through the SmartDashboard. This task explains how to set up the SmartDashboard to access R75 SecuRemote client configurations.
To configure SmartDashboard for R75 SecuRemote client:
1. On the gateway, configure Visitor Mode:
a) Open Remote Access.
b) In Visitor Mode configuration, select Support Visitor Mode.
2. Office mode is not supported in R75 SecuRemote client. On the Remote Access > Office Mode page, you can select Do not offer Office Mode. If you select a different option, it is ignored for R75 SecuRemote client.
3. Make sure that the Security Gateway is in the Remote Access community:
a) Select Manage > VPN Communities.
The VPN Communities window opens.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens.
c) Open Participating Gateways.
d) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
e) Click OK.
f) Click Close.
4. Install the policy: Policy menu > Install.
Supporting Endpoint Security VPN and SecureClient Simultaneously
To run R75 Remote Access Clients along with SecureClient or NGX SecuRemote client on client systems, you must configure the server and the gateways that will manage these remote access clients.
Before you begin, make sure that the encryption domains on these gateways fully match the encryption domains of all other gateways. Make sure that all gateways give connectivity to the same resources.
To configure the gateways in SmartDashboard for management of R75 Remote Access Clients and NGX clients:
1. For Check Point Mobile for Windows and R75 SecuRemote client, skip to step 2.
For Endpoint Security VPN only, on the Desktop tab, add a rule so that the Endpoint Security VPN desktop firewall does not block SecureClient. Allow outbound connections on:
UDP 18231
UDP 18233
UDP 2746 for UDP encapsulation
UDP 500 for IKE
TCP 500 for IKE over TCP
TCP 264 for topology download
UDP 259 for MEP configuration
UDP 18234 for the tunnel test when the client is inside the network
UDP 4500 for IKE and IPsec (NAT-T)
TCP 18264 for ICA certificate registration
TCP 443 for Visitor Mode
TCP 80
2. Open Policy menu > Global Properties.
The Global Properties window opens.
3. Open Remote Access > VPN - Advanced.
4. Select Sent in clear.
5. If secure configuration verification (SCV) is configured, add an exception for Endpoint Security VPN.
a) Open Remote Access > Secure Configuration Verification (SCV).
b) Select Apply Secure Configuration Verification on Simplified mode.
c) Click Exceptions.
The Secure Configuration Verification Exceptions window opens.
d) Select Do not apply Secure Configuration Verification on SSL clients connections.
e) Click OK.
6. Click OK.
7. Do Policy > Install.
Troubleshooting Dual Support
If SecureClient blocks R75 Remote Access Clients traffic:
1. Make sure that you selected Remote Access > VPN - Advanced > Sent in clear.
2. Choose how you want to solve this issue.
Users manage their own clients: users delete the SecureClient site.
Note - It is not enough to disable the site. It must be deleted.
You solve this issue for all clients: change the Desktop rule base.
a) In the Outbound Rules, add this rule above the last rule. (The last rule should be Any Any Block.)
Destination = Endpoint Security VPN Security Gateway
Service = http, https, IKE_NAT_TRAVERSAL
Action = Accept
b) Install the policy.
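Both Desktop rules above (the coexistence rule that allows SecureClient's outbound services, and the troubleshooting rule that allows http, https and IKE_NAT_TRAVERSAL to the Endpoint Security VPN gateway) share one failure mode: a rule that is placed below the final "Any Any Block" rule never matches, and a rule that misses one service silently breaks one client function. The following Python script is an added example, not Check Point code and not something that reads SmartDashboard policy. It models a Desktop rule base as an ordered list (first match wins) and checks, before Policy > Install, that every service in the port list is accepted towards the SecureClient gateway and that no allow rule is shadowed by the cleanup rule. The gateway addresses, rule names and sample connections are constructed; the mapping of IKE_NAT_TRAVERSAL to UDP 4500 is assumed from the port list.

```python
"""
Desktop-policy check for the SecureClient / Endpoint Security VPN coexistence rule.

Added example; not Check Point code. Models the Desktop rule base as an ordered
list of rules (first match wins, last rule "Any Any Block") so an administrator
can confirm that (1) every service SecureClient needs is accepted and (2) the
troubleshooting rule for the Endpoint Security VPN gateway sits above the final
Block rule. Gateway addresses, rule names and sample connections are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Outbound services SecureClient / NGX SecuRemote use, from the coexistence
# procedure. Three entries are listed there without a description.
SECURECLIENT_SERVICES = {
    ("udp", 18231): "listed without description",
    ("udp", 18233): "listed without description",
    ("udp", 2746): "UDP encapsulation",
    ("udp", 500): "IKE",
    ("tcp", 500): "IKE over TCP",
    ("tcp", 264): "topology download",
    ("udp", 259): "MEP configuration",
    ("udp", 18234): "tunnel test when the client is inside the network",
    ("udp", 4500): "IKE and IPsec (NAT-T)",
    ("tcp", 18264): "ICA certificate registration",
    ("tcp", 443): "Visitor Mode",
    ("tcp", 80): "listed without description",
}

# Services named in the troubleshooting rule (http, https, IKE_NAT_TRAVERSAL);
# IKE_NAT_TRAVERSAL as UDP 4500 is an assumption taken from the port list.
HTTP_HTTPS_NAT_T = frozenset({("tcp", 80), ("tcp", 443), ("udp", 4500)})

ESV_GATEWAY = "203.0.113.10"   # constructed: Endpoint Security VPN gateway
SC_GATEWAY = "203.0.113.20"    # constructed: gateway SecureClient still uses


@dataclass(frozen=True)
class Rule:
    name: str
    destination: str       # "Any", a host address, or a CIDR network
    services: frozenset    # set of (proto, port); empty means any service
    action: str            # "Accept" or "Block"

    def matches(self, proto, port, dst):
        dst_ok = (self.destination == "Any"
                  or ip_address(dst) in ip_network(self.destination, strict=False))
        svc_ok = not self.services or (proto, port) in self.services
        return dst_ok and svc_ok


def evaluate(rules, proto, port, dst):
    """Action of the first matching rule, as the desktop firewall applies it."""
    for rule in rules:
        if rule.matches(proto, port, dst):
            return rule.action
    raise ValueError("rule base lacks a final Any Any rule")


def blocked_services(rules, gateway):
    """SecureClient services the rule base would block towards `gateway`."""
    return sorted(svc for svc in SECURECLIENT_SERVICES
                  if evaluate(rules, svc[0], svc[1], gateway) != "Accept")


def shadowed_rules(rules):
    """Names of rules placed below an Any/Any rule; they can never match."""
    for i, rule in enumerate(rules):
        if rule.destination == "Any" and not rule.services:
            return [r.name for r in rules[i + 1:]]
    return []


COEXISTENCE_RULE = Rule("Allow SecureClient services", "Any",
                        frozenset(SECURECLIENT_SERVICES), "Accept")
TROUBLESHOOTING_RULE = Rule("Allow R75 clients to ESV gateway", ESV_GATEWAY,
                            HTTP_HTTPS_NAT_T, "Accept")
CLEANUP_RULE = Rule("Any Any Block", "Any", frozenset(), "Block")

GOOD_RULE_BASE = [COEXISTENCE_RULE, TROUBLESHOOTING_RULE, CLEANUP_RULE]
# Common mistake: the allow rule was added below the cleanup rule.
BAD_RULE_BASE = [CLEANUP_RULE, TROUBLESHOOTING_RULE]


if __name__ == "__main__":
    # Constructed sample of outbound connections a coexisting client makes.
    for proto, port, dst in [("udp", 4500, SC_GATEWAY), ("tcp", 264, SC_GATEWAY),
                             ("tcp", 22, SC_GATEWAY), ("tcp", 443, ESV_GATEWAY)]:
        print(f"{proto}/{port} -> {dst}: {evaluate(GOOD_RULE_BASE, proto, port, dst)}")
    print("blocked SecureClient services:", blocked_services(GOOD_RULE_BASE, SC_GATEWAY))
    print("shadowed rules in bad rule base:", shadowed_rules(BAD_RULE_BASE))
```

Run it after editing the Desktop rule base but before installing policy; an empty `blocked_services` list and an empty `shadowed_rules` list mean the coexistence rule covers the full port list and nothing sits below the cleanup rule. A non-empty `blocked_services` result names the exact protocol/port to add, which is faster than waiting for SecureClient users to report that topology download or the tunnel test fails.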
To uninstall NGX Clients:
If you install R75 Remote Access Clients after SecureClient or NGX SecuRemote client, and you want to uninstall the NGX client, you cannot do it from Add/Remove Programs. You must open the Uninstall SecureClient or NGX SecuRemote client program from Start > Programs.
To remotely uninstall SecureClient with a script, run: UninstallSecureClient.exe from the SecureClient installation directory.
Chapter 3
Installing and Configuring R75 Remote Access Clients on Client Systems
In This Chapter
Installing R75 Remote Access Clients on Client Systems
Using the Packaging Tool
Client Icon
Helping Users Create a Site
Connecting to a Site
Pre-Configuring Proxy Settings
Pre-Configuring Always Connect
Installing R75 Remote Access Clients on Client Systems
The R75 Remote Access Clients installation package is a self-installing executable that you can download from the Check Point Download Center.
If you uninstall a client to install or upgrade R75 Remote Access Clients, you must restart the client when prompted.
If you set up an upgrade from the gateway (see Upgrading Clients from the Gateway in the R75 Remote Access Clients Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11816)):
If users had Endpoint Security VPN R75, it keeps the existing settings.
If users had Endpoint Connect R73, it automatically upgrades to Check Point Mobile for Windows.
When you use the packaging tool to give users an MSI for a manual upgrade, you can select which VPN client is in the package.
If you do not select a VPN client as part of the MSI:
If users already had Endpoint Security VPN R75, it keeps the existing settings.
If users do not already have Endpoint Security VPN R75, they can select a VPN client when they install the MSI.
If users had the Endpoint Connect R73 client, they can select a VPN client when they install the MSI.
Using the Packaging Tool
You can create packages of the R75 Remote Access Clients with pre-defined settings, such as which client to install, a VPN site and authentication methods. When you deploy such a package to users, it is easier for them to connect quickly.
R75 Remote Access Clients Administration mode lets you create pre-configured packages. You open one instance of the client, configure all settings, and save the client MSI.
Decide if you want to pre-configure the client package, and with which features. Then deploy the MSI package.
Some examples of client deployment options are:
Give each user a link to the default MSI file. Make sure that users have the gateway IP address.
Give each user a pre-defined MSI. The user runs the MSI and can connect as soon as installation is done.
For all installation types, make sure users have whatever is needed for authentication. For example, if users authenticate with certificates, make sure they have the certificate file before connection. Make sure they know that they must not delete this file.
You can distribute MSI files to users in different ways:
You can send an MSI file with GPO updates.
You can email a URL link to the client installation file on the gateway.
If any of the required features are disabled on the client in Administration mode, change the configuration of the gateways.
Preparing the Client Installation Package
To create a pre-configured package:
1. Download the R75 HFA1 Remote Access Client Package MSI
2. Use the MSI to install a client on your computer.
3. Open the client in Administration mode:
32-bit systems - C:\Program Files\CheckPoint\Endpoint Connect\AdminMode.bat
64-bit systems - C:\Program Files (x86)\CheckPoint\Endpoint Connect\AdminMode.bat
4. Right-click the client icon and select VPN Options.
The Options window opens, with the Administration tab.
5. On the Sites tab, define the site you want clients to connect to.
6. Select the site and click Properties > Settings.
7. Select VPN options:
Always-Connect - Let the client connect automatically to the active site.
VPN tunneling - Make sure the client connects to the VPN for all outbound traffic. Enable Hub Mode for the gateway.
Authentication
8. Click OK.
9. Open the Advanced tab and select relevant settings.
10. Open the Administration tab.
a) Input MSI Package Path - Select the input MSI package file.
b) Replace user's configuration when upgrading - If you clear this, users keep their configuration after the upgrade. If you select this, the new configuration is merged with the old configuration. Users do not have to apply for new credentials to a site that they have been using.
c) Select a product that users will install: Endpoint Security VPN, Check Point Mobile for Windows, or R75 SecuRemote client.
If you do not select a product, users can choose.
d) Click Generate to create the MSI package.
A window opens to select a location to save the generated package.
11. Distribute this package to R75 Remote Access Clients users.
12. Users will double-click the MSI file and follow the on-screen instructions.
Note - On Windows Vista and Windows 7, there may be a prompt to allow access, depending on the UAC settings.
Client Icon
The Client icon in the system tray notification area shows the status of R75 Remote Access Clients. Icon statuses (the icon images are not reproduced here):
Disconnected
Connecting
Connected
Encryption (encrypted data is being sent or received on the VPN)
Error. The error might be that a computer is not compliant based on compliance checks.
You can also hover your mouse on the icon to show the client status.
Helping Users Create a Site
Each client must have at least one site defined. The site is the VPN gateway. If you did not pre-configure the client for a default site, make sure your users have:
The gateway fingerprint.
The gateway IP address or domain name.
The authentication method you want them to use.
Authentication materials (username, password, certificate file, RSA SecurID, or access to HelpDesk for challenge/response authentication).
Connecting to a Site
You might have to help users connect to the VPN. The R75 Remote Access Clients let users connect to sites, where the site is the VPN gateway.
To connect to a site:
1. Right-click the client icon and select Connect or Connect to.
A site connection window opens.
This window has authentication fields according to the selected authentication method.
If you selected Connect to, you can select the site to which you would like to connect.
2. Enter credentials, and click Connect.
A connection progress window opens. Wait until the connection is made.
Pre-Configuring Proxy Settings
Note - Remote-location proxy-server settings are usually detected automatically.
If a user is at a remote site that has a proxy server, the R75 Remote Access Clients must be configured to pass through the proxy server to reach the gateway.
If you know that this will be an issue, you can configure this option when you prepare the client MSI file. Otherwise, you can help your user configure the proxy server when the issue comes up.
To configure proxy settings on the client:
1. In the Options > Advanced tab, click Proxy Settings.
The Proxy Settings window opens.
2. Select an option.
No Proxy - Make a direct connection to the VPN.
Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer > Tools > Internet options > Connections > LAN Settings.
Manually define proxy - Enter the IP address and port number of the proxy. If necessary, enter a valid user name and password for the proxy.
3. Click OK.
Pre-Configuring Always Connect
You can help users set the Always Connect option. This lets the client connect automatically to the active site. In a default package, this option is available for users to change.
To configure Always Connect in the client:
1. Right-click the client icon and select VPN Options.
The Options window opens.
2. On the Sites tab, select the VPN gateway, and click Properties.
The Properties window for the site opens.
3. Open the Settings tab.
4. Click Enable Always-Connect.
5. Click OK.
Chapter 4
The Configuration File
In This Chapter
Configuration File Overview 28
Customized Settings 28
Centrally Managing the Configuration File 28
Parameters in the Configuration File 30
Migrating Secure Configuration Verification 31
Configuration File Overview
The gateways save configuration parameters in the $FWDIR/conf/trac_client_1.ttm configuration file.
After you edit and save the file, install the policy.
Note - When editing the configuration file, do not use a DOS editor, such as Microsoft Word, which adds formatting codes to the file.
Customized Settings
If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the new $FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from its default settings: the new defaults, in the new file, are recommended for this installation.
You must not overwrite the new trac_client_1.ttm with the old one. The new file has added parameters that are necessary for R75 Remote Access Clients operations.
To bring over customized settings:
1. See the difference in parameter values between the customized file and the new trac_client_1.ttm file.
Important - When copying settings from the backup TTM file, make sure not to copy the connect_timeout parameter.
If you do, the clients cannot connect.
2. For parameters that are common to the two files, you can copy the value from the customized file, to the new trac_client_1.ttm.
Important - Beware that you do not copy parameters or values that you did not manually change. The new file has changed, added, and deleted parameters that are necessary.
3. Save the file.
4. Install the policy.
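The comparison in step 1 and the selective copy in step 2 can be scripted. This is an added example, not Check Point code: a Python helper that reads the :default value of every parameter in both TTM files, lists the ones that differ, and copies only the parameters you name, refusing connect_timeout. The file fragments and their values are constructed for the example, and the parser assumes the :name ( :gateway ( :default (value) ) ) layout shown in this guide.

```python
import re
from typing import Dict, Tuple

# Constructed fragments of an old, customized trac_client_1.ttm and of the new
# file shipped with R75 Remote Access Clients (the real files are far longer).
OLD_TTM = """(
  :connect_timeout (:gateway (:default (60)))
  :enable_gw_resolving (:gateway (:map (:true (true) :false (false)) :default (false)))
  :predefined_sites_only (:gateway (:default (true)))
)"""
NEW_TTM = """(
  :connect_timeout (:gateway (:default (20)))
  :enable_gw_resolving (:gateway (:map (:true (true) :false (false)) :default (true)))
  :predefined_sites_only (:gateway (:default (false)))
  :hotspot_detection_enabled (:gateway (:default (true)))
)"""

STRUCTURAL = {"gateway", "map", "default"}  # nesting keywords, not parameters
NEVER_COPY = {"connect_timeout"}  # carrying this value over stops clients connecting


def _group_end(text: str, start: int) -> int:
    """Index just past the parenthesised group that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced parentheses in TTM text")


def default_values(text: str) -> Dict[str, str]:
    """Map every parameter name to the value of its :default (...) entry."""
    values = {}
    for m in re.finditer(r":(\w+)\s*\(", text):
        if m.group(1) in STRUCTURAL:
            continue
        body = text[m.end() - 1:_group_end(text, m.end() - 1)]
        d = re.search(r":default\s*\(([^()]*)\)", body)
        if d:  # entries inside :map ( ... ) have no :default and are skipped
            values[m.group(1)] = d.group(1).strip()
    return values


def set_default(text: str, name: str, value: str) -> str:
    """Return text with the :default of the named parameter replaced."""
    m = re.search(r":%s\b\s*\(" % re.escape(name), text)
    if not m:
        raise KeyError(name)
    start, end = m.end() - 1, _group_end(text, m.end() - 1)
    body = re.sub(r"(:default\s*\()[^()]*(\))",
                  lambda d: d.group(1) + value + d.group(2), text[start:end], count=1)
    return text[:start] + body + text[end:]


def changed_defaults(old_text: str, new_text: str) -> Dict[str, Tuple[str, str]]:
    """Step 1: parameters in both files whose defaults differ, as name -> (old, new)."""
    old, new = default_values(old_text), default_values(new_text)
    return {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}


def merge_customized(old_text: str, new_text: str, customized) -> str:
    """Step 2: copy the old :default of the parameters the administrator really changed.
    Parameters the new file dropped are left alone; connect_timeout is refused."""
    old = default_values(old_text)
    for name in customized:
        if name in NEVER_COPY:
            raise ValueError(name + " must not be copied from the backup TTM file")
        if name in default_values(new_text):
            new_text = set_default(new_text, name, old[name])
    return new_text
```

Review the output of changed_defaults before passing names to merge_customized; a difference alone does not prove you changed the value by hand.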
Centrally Managing the Configuration File
If the configuration file on each gateway is identical, you can manage one copy of the configuration file on the Security Management server. This file is copied to the Security Gateways when you install the policy.
Important - You must use the newest configuration file installed on the gateway for R75 Remote Access Clients. This is important, because if you do not install R75 Remote Access Clients on the Security Management server, the server will have an outdated configuration file that does not support new features.
To centrally manage the configuration file:
1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.
2. From the gateway, copy trac_client_1.ttm to the server.
3. Open $FWDIR/conf/fwrl.conf and find the % SEGMENT FILTERLOAD section.
4. Within this section, add this line:
NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;
This copies the file to the Endpoint Security VPN gateways whenever you run Install Policy.
5. Save the file and install the policy.
When clients download the new policy from the gateway, configuration changes are applied.
Parameters in the Configuration File
This table shows some of the parameters of the TTM file. The default value is the recommended value.
Parameter: allow_disable_firewall
Description: Enable/disable menu option for user to disable desktop firewall. Applied only if enable_firewall is true or client_decide.
Default: false

Parameter: certificate_key_length
Description: Certificate enrollment settings.
Default: 1024

Parameter: certificate_strong_protection
Description: Certificate enrollment settings.
Default: true

Parameter: certificate_provider
Description: Certificate enrollment settings.
Default: "Microsoft Enhanced Cryptographic Provider v1.0"

Parameter: internal_ca_site
Description: Certificate enrollment settings.
Default: none

Parameter: internal_ca_dn
Description: Certificate enrollment settings.
Default: none

Parameter: default_authentication_method
Description: Default authentication method.
Default: none

Parameter: disconnect_on_smartcard_removal
Description: Enable/disable client disconnection when Smart Card with current certificate is removed.
Default: false

Parameter: do_proxy_replacement
Description: Enable/disable proxy replacement.
Default: true

Parameter: enable_capi
Description: Enable/disable CAPI authentication.
Default: true

Parameter: enable_firewall
Description: Enable/disable desktop firewall: true, false, or client_decide.
Default: true

Parameter: enable_gw_resolving
Description: Enable/disable DNS resolution on each connection. Used for MEP.
Default: true

Parameter: flush_dns_cache
Description: Enable/disable flushing the DNS cache while connecting.
Default: false

Parameter: hotspot_detection_enabled
Description: Enable/disable automatic hotspot detection.
Default: true

Parameter: automatic_mep_topology
Description: Enable/disable the implicit (automatic) MEP method. False - manual MEP method.
Default: true

Parameter: ips_of_gws_in_mep
Description: Security Gateway IP addresses for clients to connect to. Applied only if automatic_mep_topology is false. Addresses are separated by "&#", and the list is terminated by a final "&#": NNN.NNN.NNN.NNN&#MMM.MMM.MMM.MMM&#
Default: none

Parameter: mep_mode
Description: MEP mode, priority of Security Gateways defined in ips_of_gws_in_mep. Applied only if automatic_mep_topology is false. Valid values: dns_based, first_to_respond, primary_backup, load_sharing.
Default: dns_based

Parameter: predefined_sites_only
Description: Enable/disable user ability to create or modify sites.
Default: false

Parameter: send_client_logs
Description: Email addresses to which debug logs are sent.
Default: none

Parameter: suspend_tunnel_while_locked
Description: Enable/disable traffic suspension if the machine becomes inactive (due to lock or sleep) for a specified duration.
Default: false

Parameter: tunnel_idleness_ignore_icmp
Description: Enable/disable monitor of ICMP packets to see if a tunnel is active.
Default: true

Parameter: tunnel_idleness_ignored_tcp_ports
Description: TCP ports that are not monitored to determine if a tunnel is active.
Default: none

Parameter: tunnel_idleness_ignored_udp_ports
Description: UDP ports that are not monitored to determine if a tunnel is active.
Default: 53&#137&#138&#

Parameter: tunnel_idleness_timeout
Description: Time, in minutes, after which a client will close an inactive tunnel. Zero (0) - the feature is disabled. The VPN tunnel will never close due to inactivity.
Default: 0
Note - sk42850 (http://supportcontent.checkpoint.com/solutions?id=sk42850) explains the complete file contents and syntax.
Migrating Secure Configuration Verification
SecureClient uses SCV compliance checks, and so do Endpoint Security VPN and Check Point Mobile for Windows. Some features of SecureClient compliance are ignored by the Endpoint Security VPN client and Check Point Mobile for Windows.
user_policy_scv - This SCV check sets the compliance status of a client after a user disables the Desktop security policy. (SecureClient users can disable the firewall.) If the value of this check in local.scv is true, the SecureClient client is still compliant, if the SecureClient user disables the firewall. If the value is false and the user disables the firewall, the SecureClient client is not compliant.
To let Endpoint Security VPN or Check Point Mobile for Windows users disable the Desktop security policy and keep compliance for the client, configure the $FWDIR/conf/trac_client_1.ttm file: find allow_disable_firewall and set :default (true).
sc_ver_scv - This SCV check tests for the version of SecureClient. Currently, there is no SCV check for the version of Endpoint Security VPN or Check Point Mobile for Windows.
ckp_scv - This SCV check is obsolete.
Appendix A
Multiple Entry Point (MEP)
Multiple Entry Point (MEP) gives high availability and load sharing to VPN connections. A Security Gateway is one point of entry to the internal network. If the Security Gateway becomes unavailable, the internal network is also unavailable. A Check Point MEP environment has two or more Security Gateways for the same VPN domain to give remote users uninterrupted access. R75 Remote Access Clients automatically detect and use MEP topology.
MEP topology gives High Availability and load sharing with these characteristics:
There is no physical restriction on the location of MEP Security Gateways. They can be geographically separated and not directly connected.
MEP Security Gateways can be managed by different management servers.
There is no state synchronization in MEP. If a Security Gateway fails, the current connection falls and one of the auxiliary Security Gateways picks up the next connection.
Remote clients, not the gateways, find the Security Gateway to use.
To enable MEP, you must install the Hotfix on the Security Management server and on each Security Gateway.
In This Appendix
Configuring Entry Point Choice 32
Defining MEP Method 33
Implicit MEP 33
Manual MEP 36
Making a Desktop Rule for MEP 36
Configuring Entry Point Choice
Configure how the client will choose a gateway from the list of multiple entry points.
First to Respond - The first Security Gateway to reply is chosen and the VPN tunnel is between that gateway and the client. The client asks for a response for each connection.
Recommendation: If you have multiple gateways that are geographically distant. For example, an organization has three gateways: London, Sundsvall, and Paris. Usually, the London Security Gateway responds first to clients in England and is their entry point to the internal network. If the London gateway goes down, these users access the network through the Paris or Sundsvall gateway that responds first.
Primary-Backup - One or multiple auxiliary Security Gateways give high availability for a primary Security Gateway. R75 Remote Access Clients are configured to connect with the primary Security Gateway, but switch to a Backup Security Gateway if the Primary goes down.
Recommendation: If you have multiple gateways, and one is stronger or connects faster. Set the stronger machine as the primary. Clients use the backup if the primary is unavailable.
Load Distribution - R75 Remote Access Clients randomly select a Security Gateway.
Recommendation: If you have multiple gateways of equal performance. The traffic of R75 Remote Access Clients is shared between the gateways. Each client creates a tunnel with a random, available gateway.
Geo-Cluster Name Resolution - By default, R75 Remote Access Clients resolve Security Gateway DNS names for all connections. Optionally, you can keep IP addresses in a cache. This prevents repetitive DNS name resolution and can improve performance.
To enable DNS IP address cache:
1. On the Security Gateway, open $FWDIR/conf/trac_client_1.ttm.
2. Change the :default attribute, located in the :enable_gw_resolving attribute, to false.
:enable_gw_resolving (
    :gateway (
        :map (
            :false (false)
            :true (true)
            :client_decide (client_decide)
        )
        :default (false)
    )
)
3. Save the file.
4. Install the policy.
Defining MEP Method
MEP configuration can be implicit or manual.
Implicit - MEP methods and gateway identities are taken from the topology and configuration of gateways that are in fully overlapping encryption domains or that have Primary-Backup gateways.
Manual - You can edit the list of MEP Security Gateways in the R75 Remote Access Clients TTM file.
Whichever you choose, you must set the R75 Remote Access Clients configuration file to identify the configuration.
To define MEP topology:
1. Open the $FWDIR/conf/trac_client_1.ttm configuration file.
2. Make sure that enable_gw_resolving is true.
3. Set the value of automatic_mep_topology
true - implicit configuration
false - manual configuration
4. Save the file.
5. Install the policy.
Implicit MEP
With Implicit MEP, the configurations of the gateways are used to make the VPN connections. Gateways are configured differently for each MEP method.
Before you begin, make sure that $FWDIR/conf/trac_client_1.ttm has:
enable_gw_resolving (true)
automatic_mep_topology (true)
Configuring Implicit First to Respond
When more than one Security Gateway leads to the same (overlapping) VPN domain, they are in a MEP configuration. The first Security Gateway to respond is chosen. To configure first to respond, define that part of the network that is shared by all the Security Gateways into a single group and assign that group as the VPN domain.
To configure First to Respond MEP:
1. Open SmartDashboard > Global Properties.
2. Open Remote Access > VPN Basic.
3. Make sure that Load Distribution is not selected.
4. Click OK.
5. For each gateway, open the properties window > Topology.
6. In the VPN Domain section, click Manually Defined and select the same VPN Domain for all Security Gateways.
7. Click OK.
8. Install the policy.
Configuring Implicit Primary-Backup
Configure the VPN Domain that includes the Primary Security Gateway and another domain that includes only the backup gateways. Configure each gateway as either the Primary gateway or a backup gateway.
To configure the primary gateway:
1. Open Global Properties window > VPN > Advanced, select Enable Backup Gateway.
2. In the network objects tree, Groups section, create a group of Security Gateways to act as backup Security Gateways.
3. Open the VPN properties of the Primary Security Gateway:
NGX R65 and R70: gateway properties > VPN
R71 and higher: gateway properties > IPSec VPN
4. Select Use Backup Gateways, and select the group of backup Security Gateways.
This Security Gateway is the primary Security Gateway for this VPN domain.
5. For each backup Security Gateway, make a VPN domain that does not include IP addresses that are in the Primary VPN domain or the other backup domains.
If the backup gateway already has a VPN domain, you must make sure that its IP addresses do not overlap with the other VPN domains.
a) Create a group of IP addresses not in the other domains, or a group that consists of only the backup gateway.
b) On the Properties window of the backup network object > Topology > VPN Domain section, select Manually defined.
c) Select the group.
6. Click OK.
7. Install the policy.
Configuring Implicit Load Distribution
To configure implicit MEP for random gateway selection:
1. Open SmartDashboard > Global Properties.
2. Open Remote Access > VPN Basic.
3. Select Enable load distribution for Multiple Entry Point configurations.
4. Click OK.
5. For each gateway, open the properties window > Topology.
6. In the VPN Domain section, click Manually Defined and select the same VPN Domain for all Security Gateways.
7. Click OK.
8. Install the policy.
Manual MEP
For SecureClient, the gateways have to belong to the same VPN domain for MEP to function. For R75 Remote Access Clients, the gateways do not have to belong to the same VPN domain. The gateways are configured in the TTM file.
To configure the Security Gateways for MEP:
1. On a Security Gateway, open $FWDIR/conf/trac_client_1.ttm.
2. Search for the enable_gw_resolving attribute:
:enable_gw_resolving (
    :gateway (
        :default (true)
    )
)
3. Make sure the attribute is set to its default value: true.
4. Search for the automatic_mep_topology attribute, and make sure its value is false.
5. Manually add the mep_mode attribute:
:mep_mode (
    :gateway (
        :default (xxx)
    )
)
Where xxx is a valid value:
dns_based
first_to_respond
primary_backup
load_sharing
6. Manually add the ips_of_gws_in_mep attribute:
:ips_of_gws_in_mep (
    :gateway (
        :default (192.168.53.220&#192.168.53.133&#)
    )
)
These are the IP addresses the client should try.
IP addresses are separated by an ampersand and hash symbol (&#)
The last IP address in the list has a final &#.
7. Save the file.
8. Install the policy.
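As an added example (not Check Point code) covering steps 5 and 6 above and the ips_of_gws_in_mep format described in the parameter table: Python helpers that render the two attributes, encode and decode the "&#"-separated address list, and check that the file also has enable_gw_resolving set to true and automatic_mep_topology set to false. The TTM fragment and the addresses are constructed for the example, and the lookup assumes the :name ( :gateway ( :default (value) ) ) layout shown above.

```python
import ipaddress
import re
from typing import List, Optional

MEP_MODES = ("dns_based", "first_to_respond", "primary_backup", "load_sharing")
SEP = "&#"  # separator and terminator of the ips_of_gws_in_mep list


def encode_gateway_list(ips: List[str]) -> str:
    """Return 'A&#B&#': every address is followed by the separator, including the last."""
    if not ips:
        raise ValueError("at least one gateway address is required")
    for ip in ips:
        ipaddress.IPv4Address(ip)  # raises AddressValueError on a malformed address
    return "".join(ip + SEP for ip in ips)


def decode_gateway_list(value: str) -> List[str]:
    """Parse a TTM value back into addresses, enforcing the final '&#'."""
    if not value.endswith(SEP):
        raise ValueError("ips_of_gws_in_mep must end with " + SEP)
    ips = value[:-len(SEP)].split(SEP)
    for ip in ips:
        ipaddress.IPv4Address(ip)  # an empty entry ('&#&#') is rejected here too
    return ips


def attribute_block(name: str, value: str) -> str:
    """Render one attribute in the layout used by trac_client_1.ttm."""
    return ":%s (\n:gateway (\n:default (%s)\n)\n)\n" % (name, value)


def render_manual_mep(mep_mode: str, ips: List[str]) -> str:
    """The two attributes that steps 5 and 6 add to the file."""
    if mep_mode not in MEP_MODES:
        raise ValueError("invalid mep_mode %r; valid values: %s" % (mep_mode, ", ".join(MEP_MODES)))
    return attribute_block("mep_mode", mep_mode) + attribute_block(
        "ips_of_gws_in_mep", encode_gateway_list(ips))


def default_of(text: str, name: str) -> Optional[str]:
    """Value of the first :default (...) entry after the named attribute, or None."""
    m = re.search(r":%s\b\s*\(.*?:default\s*\(([^()]*)\)" % re.escape(name), text, re.S)
    return m.group(1).strip() if m else None


def check_manual_mep(text: str) -> List[str]:
    """List every condition of the procedure above that the file text violates."""
    problems = []
    if default_of(text, "enable_gw_resolving") != "true":
        problems.append("enable_gw_resolving must be true")
    if default_of(text, "automatic_mep_topology") != "false":
        problems.append("automatic_mep_topology must be false for manual MEP")
    if default_of(text, "mep_mode") not in MEP_MODES:
        problems.append("mep_mode missing or not one of " + ", ".join(MEP_MODES))
    try:
        decode_gateway_list(default_of(text, "ips_of_gws_in_mep") or "")
    except ValueError as e:
        problems.append("ips_of_gws_in_mep: " + str(e))
    return problems


# Constructed fragment of a gateway's trac_client_1.ttm with the two prerequisites set.
BASE_TTM = attribute_block("enable_gw_resolving", "true") + attribute_block(
    "automatic_mep_topology", "false")

if __name__ == "__main__":
    ttm = BASE_TTM + render_manual_mep("primary_backup", ["192.168.53.220", "192.168.53.133"])
    print(ttm)
    print("problems:", check_manual_mep(ttm))
```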
Making a Desktop Rule for MEP
To use MEP, traffic to multiple sites in the encryption domain must be allowed. But the Desktop Policy sets the main site as the default Destination for outbound traffic. You must make sure that your policy allows traffic to the gateways in the encryption domain.
To add the MEP Rule:
1. In SmartDashboard, open the Desktop tab.
2. In Outbound rules, add a new rule:
Destination - a Group network object that contains all gateways in the encryption domain.
Service - the Visitor Mode service (default is 443), the NAT-T port (default is 4500 UDP), and HTTP.
Action - Allow.
Appendix B
Differences Between SecureClient and Endpoint Security VPN CLI
This table shows common tasks and how to perform them with the SecureClient or the R75 Endpoint Security VPN command line. N/A indicates that the task cannot be performed with the CLI.
Task: Asynchronous Connect
SecureClient: connectwait <profilename>
Endpoint Security VPN: N/A

Task: Change P12 Certificate Password
SecureClient: N/A
Endpoint Security VPN: change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]

Task: Connect to Site
SecureClient: connect [-p] <profilename>
Endpoint Security VPN: connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]

Task: Create / Add Site
SecureClient: add <sitename>
Endpoint Security VPN: create -s <sitename> [-a <authentication method>]

Task: Delete Site
SecureClient: delete <sitename>
Endpoint Security VPN: delete -s <sitename>

Task: Disconnect from Site
SecureClient: disconnect
Endpoint Security VPN: disconnect

Task: Display Connection Status
SecureClient: status
Endpoint Security VPN: N/A

Task: Enable / Disable Hotspot Registration
SecureClient: sethotspotreg <on | off>
Endpoint Security VPN: N/A

Task: Enable / Disable Policy
SecureClient: setpolicy [on | off]
Endpoint Security VPN: N/A

Task: Enroll ICA CAPI Certificate
SecureClient: icacertenroll <site IP/name> <registration key> <file path> <password>
Endpoint Security VPN: enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]

Task: Enroll ICA P12 Certificate
SecureClient: N/A
Endpoint Security VPN: enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]

Task: Get Site Name / IP
SecureClient: getsite <profilename>
Endpoint Security VPN: info [-s <sitename>]

Task: List Profiles
SecureClient: listprofiles
Endpoint Security VPN: N/A

Task: List Domain Names Stored in the CAPI
SecureClient: N/A
Endpoint Security VPN: list

Task: Print Log Messages
SecureClient: N/A
Endpoint Security VPN: log

Task: Renew CAPI Certificate
SecureClient: N/A
Endpoint Security VPN: renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection> ]

Task: Renew P12 Certificate
SecureClient: N/A
Endpoint Security VPN: renew_p12 -s <sitename> -f <filename> -p <password> [ -l <keylength> ]

Task: Restart VPN Services
SecureClient: restartsc
Endpoint Security VPN: N/A

Task: Set Certificate File / Password
SecureClient: passcert <password> <certificate>
Endpoint Security VPN: See Connect to Site

Task: Set Username / Password
SecureClient: userpass <username> <password>
Endpoint Security VPN: See Connect to Site

Task: Show Number of Profiles
SecureClient: numprofiles
Endpoint Security VPN: N/A

Task: Show VPN Client Version
SecureClient: version
Endpoint Security VPN: ver

Task: Start VPN Client Services
SecureClient: startsc
Endpoint Security VPN: start

Task: Stop VPN Client Services
SecureClient: stopsc
Endpoint Security VPN: stop

Task: Suppress UI Dialog Messages
SecureClient: suppressdialogs [on | off]
Endpoint Security VPN: N/A

Task: Unset User Credentials
SecureClient: erasecreds
Endpoint Security VPN: N/A

Task: Update Topology
SecureClient: update <profilename>
Endpoint Security VPN: N/A