Remote Access Clients E75.20: Upgrading From Secureclient/Securemote NGX On NGX R65 Smartcenter Server

Remote Access Clients
E75.20
Upgrading from
SecureClient/SecuRemote NGX on
NGX R65 SmartCenter Server
13 September 2011
2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12325
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center
(http://supportcontent.checkpoint.com/solutions?id=sk65209).
Revision History
Date
Description
13 September 2011
First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients E75.20
Upgrading from SecureClient/SecuRemote NGX on NGX R65 SmartCenter Server ).
Contents
Important Information .............................................................................................3
Introduction to Remote Access Clients ................................................................5
Overview of Remote Access Clients .................................................................... 5
Endpoint Security VPN ................................................................................... 5
Check Point Mobile for Windows .................................................................... 5
SecuRemote client .......................................................................................... 6
Upgrading on Different Management Servers ...................................................... 6
Why You Should Upgrade to Remote Access Clients .......................................... 6
Before Upgrading to Remote Access Clients ....................................................... 7
Supported Gateways and Servers .................................................................. 7
New Remote Access Clients Features ............................................................ 7
SecureClient Features Supported in Remote Access Clients .......................... 8
SecureClient Features Not Yet Supported .....................................................10
Configuring Gateways to Support Remote Access Clients ...............................11
Installing the Remote Access Clients Hotfix ........................................................11
Configuring for Endpoint Security VPN and Check Point Mobile for Windows ....11
Configuring SmartDashboard for SecuRemote client..........................................15
Supporting Endpoint Security VPN and SecureClient Simultaneously ................17
Troubleshooting Dual Support ............................................................................19
The Configuration File ..........................................................................................20
Editing the TTM File ...........................................................................................20
Customized Settings...........................................................................................20
Centrally Managing the Configuration File ..........................................................21
Understanding the Configuration File .................................................................21
Configuration File Parameters .......................................................................22
Migrating Secure Configuration Verification ........................................................24
Differences between SecureClient and Endpoint Security VPN CLI .................25
Chapter 1
Introduction to Remote Access
Clients
In This Chapter
Overview of Remote Access Clients
Upgrading on Different Management Servers
Why You Should Upgrade to Remote Access Clients
Before Upgrading to Remote Access Clients
5
6
6
7
Overview of Remote Access Clients

Remote Access Clients provide a simple and secure way for endpoints to connect remotely to corporate
resources over the Internet, through a VPN tunnel. Check Point offers 3 enterprise-grade flavors of Remote
Access to fit a wide variety of organizational needs.
The clients offered in this release are:
Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It
is recommended for managed endpoints that require a simple and transparent remote access
experience together with desktop firewall rules.
Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to corporate
resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point
SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed
machines.
SecuRemote client - A secure, yet limited-function IPsec VPN client, primarily targeted for small
organizations that require very few remote access clients.
For complete information about deploying and using Remote Access Clients, see the Remote Access
Clients E75.20 Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk65209).
Endpoint Security VPN
Replaces SecureClient and Endpoint Connect.
Enterprise Grade Remote Access Client with Desktop firewall and compliance checks.
Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status
of Anti-virus, Windows updates, and other system components.
Integrated desktop firewall, centrally managed from SmartCenter server.
In-place upgrade from Endpoint Security VPN R75.
In-place upgrade from Endpoint Connect R73.
Requires the IPSec VPN Software Blade on the gateway, and an Endpoint Container license and
Endpoint VPN Software Blade on the SmartCenter server.
Check Point Mobile for Windows
New Enterprise Grade Remote Access Client.

Page 5
Upgrading on Different Management Servers
Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status
of antivirus, Windows updates, and other system components.
Requires IPSec VPN and SSL VPN Software Blades on the gateway.
SecuRemote client
Replaces the NGX SecuRemote client.
Basic remote access functionality.
Unlimited number of connections for Security Gateways with the IPsec VPN blade.
Requires an IPSec VPN Software Blade on the gateway.
It is a free client and does not require additional licenses.
Upgrading on Different Management

Servers
Environments with SecureClient or NGX SecuRemote client already deployed can be easily upgraded to
Remote Access Clients. The SmartDashboard for different versions of management servers is different. Use
the documentation for the SmartDashboard that you have.
This guide is for the NGX R65 SmartCenter server, NGX R65.70 or higher. Guides for other management
servers are available at sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209).
For R70 SmartCenter server, R70.40 or higher, see Remote Access Clients E75.20 Upgrade Guide from
SecureClient/SecuRemote NGX on R70.
For R71 SmartCenter server, R71.30 or higher, or R75 SmartCenter server, see Remote Access Clients
E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R71 or R75.
Why You Should Upgrade to Remote

Access Clients
Check Point recommends that all customers upgrade from SecureClient or Endpoint Connect to Remote
Access Clients as soon as possible, to have these enhancements.
Automatic and transparent upgrades, with no administrator privileges required
Supports 32-bit and 64-bit, Windows Vista and Windows 7
Uses less memory resources than SecureClient
Automatic disconnect/reconnect as clients move in and out of the network
Seamless connection experience while roaming
Supports most existing SecureClient features, including Secondary Connect, Office Mode, Desktop
Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection.
Supports many additional new features
Does not require a SmartCenter server upgrade
Remote Access Clients can coexist with SecureClient and NGX SecuRemote client NGX on client
systems during the upgrade period.
Note - Check Point will end its support for SecureClient in mid-2011.
Introduction to Remote Access Clients
Page 6
Before Upgrading to Remote Access

Clients
Before upgrading, consider these issues.
Supported Gateways and Servers

See the Remote Access Clients Release Notes for information about supported Gateway and SmartCenter
server versions.
New Remote Access Clients Features

This table describes new features in Remote Access Clients and on which Remote Access Clients they are
available.
Feature
Hotspot Detection
and Registration
Description
Automatically detects hotspots that prevent

the client system from establishing a VPN
tunnel
Opens a mini-browser to allow the user to

register to the hotspot and connect to the
VPN gateway
Firewall support for hotspots
Endpoint
Security
VPN
Automatic
Connectivity
Detection
Automatically detects whether the client is

connected to the Internet or LAN
Automatic
Certificate
Renewal in CLI
Mode
Supports automatic certificate renewal, including in

CLI mode
Location
Awareness
Automatically determines if client is inside or outside

the enterprise network
Roaming
Maintains VPN tunnel if client disconnects and

reconnects using different network interfaces
Automatic and
Transparent
Upgrade Without
Administrator
Privileges
Updates the client system securely and without user

intervention
Windows Vista /
Windows 7 64 Bit
Support
Supports the latest 32-bit and 64-bit Windows

operating systems
Automatic Site
Detection
During first time configuration, the client detects the

VPN site automatically
Check
Point
Mobile for
Windows
SecuRemote
client
Note: This requires DNS configuration and is only

supported when configuring the client within the
internal network.
Page 7
Feature
Description
Endpoint
Security
VPN
Geo Clusters
Connect client system to the closest VPN gateway

based on location.
Machine Idleness
Disconnect VPN tunnel if the machine becomes

inactive (because of lock or sleep) for a specified
duration.
Flush DNS Cache
Remove previous DNS entries from the DNS cache

when creating VPN tunnel
Dead Gateway
Detection
Tests that the Security Gateway is active by sending

tunnel test packets.
Automatic
Connectivity
Detection
Automatically detects whether the client is

connected to the Internet or LAN. If the network
connection is lost, the client seamlessly reconnects
without user intervention.
Check
Point
Mobile for
Windows
SecuRemote
client
SecureClient Features Supported in Remote Access

Clients
This table describes features in Remote Access Clients that existed in SecureClient, and on which Remote
Access Clients they are available.
Feature
Authentication
Methods
Description
Username/Password
Certificate - CAPI/P12
SecurID (passcode, softID, key fobs)
Challenge Response
SAA
Endpoint
Security
VPN
Cached Credentials
Cache credentials for user login
NAT-T and Visitor

Mode
Let users connect from any location, such as

a hotel, airport, or branch office
Multiple Entry Point

(MEP)
Provides gateway High Availability and Load

Sharing and lets the Remote Access Clients
connect to the VPN from multiple gateways.
Secondary Connect
Gives access to multiple VPN gateways at the

same time, to transparently connect users to
distributed resources.
Pre-Configured
Client Packaging
Predefined client installation package with

configurations for easy provisioning
Office Mode
Internal IP address for remote access VPN

users
Check
R75 SecuPoint
Remote
Mobile for client
Windows
Page 8
Feature
Description
Extended DHCP
Parameters
When using Office Mode from a DHCP server,

the gateway sends data that it got from the
client to the DHCP server in the correct format
- Hostname, FQDN, Vendor Class, and User
Class.
Compliance Policy Secure

Configuration
Verification (SCV)
Verifies client system policy compliance

before allowing remote access to internal
network
Proxy Detection
Detect proxy settings in client system web

browsers for seamless connectivity
Hub Mode
Send all traffic from the client system through

the VPN gateway
Localization
Supported languages:
Certificate
Enrollment and
Renewal
Chinese (simplified)
English
French
German
Hebrew
Italian
Japanese
Russian
Spanish
Endpoint
Security
VPN
Check
R75 SecuPoint
Remote
Mobile for client
Windows
Automatic enrollment and renewal of

certificates issued by Check Point Internal CA
server
CLI and API Support Manage client with third party software
Tunnel Idleness
Detection
Disconnect VPN if there is no traffic for a

specified duration
Dialup
Support dialup connections
Smart Card
Removal Detection
Detects when the Smart Card is removed and

closes the active VPN tunnel.
Re-authentication
After specified duration, user is asked for reauthentication
Keep-alive
Send keep-alive messages from client to the

VPN gateway to maintain the VPN tunnel
Check Gateway
Certificate in CRL
Validate VPN gateway certificate in the CRL

list
Desktop Firewall
Personal firewall integrated into the client,

managed with the SmartDashboard desktop
policy. Logs are shown in SmartView Tracker.
Page 9
Feature
Description
Endpoint
Security
VPN
Check
R75 SecuPoint
Remote
Mobile for client
Windows
Configuration File
Recover corrupted configuration files
Corruption Recovery
Secure Domain
Logon (SDL)
Establish VPN tunnel prior to user login
End-user
Configuration Lock
Prevent users from changing the client

configuration
Update Dynamic
DNS with the Office
Mode IP
Assign an internal IP address for remote

access VPN users in the Dynamic DNS
SmartView Monitor
Monitor VPN tunnel and user statistics with

SmartView Monitor
Post Connect Script
Execute manual scripts before and after VPN

tunnel is established
Secure
Authentication API
(SAA)
Integrate with third party authentication

providers.
Split DNS
Support multiple DNS servers
VPN Connectivity to
VPN-1 VSX
Terminate VPN tunnel at Check Point VSX

gateways
DHCP Automatic
Lease Renewal
DHCP Automatic Lease Renewal
SecureClient Features Not Yet Supported

These features of SecureClient are not supported by Remote Access Clients. Many of these features are
expected to be supported in the next release.
Feature
Description
Single Sign-on (SSO)
One set of credentials to log in to both VPN and Windows

operating system
Entrust Entelligence Support
Entrust Entelligence package providing multiple security layers,

strong authentication, digital signatures, and encryption
Diagnostic Tools
Tools for viewing logs and alerts
"No Office Mode" Connect Mode
Connect to the VPN gateway without requiring Office Mode
Pre-shared secret
Authentication method that uses a pre-shared secret
Link Selection
Multiple interface support with redundancy
Page 10
Chapter 2
Configuring Gateways to Support
Remote Access Clients
In This Chapter
Installing the Remote Access Clients Hotfix
Configuring for Endpoint Security VPN and Check Point Mobile for Windows
Configuring SmartDashboard for SecuRemote client
Supporting Endpoint Security VPN and SecureClient Simultaneously
Troubleshooting Dual Support
11
11
15
17
19
Installing the Remote Access Clients Hotfix

To learn how to install the Remote Access Clients Hotfix on gateways, see the Remote Access Clients
E75.20 Administration Guide.
Configuring for Endpoint Security VPN and

Check Point Mobile for Windows
You manage Remote Access Clients through the SmartDashboard. This task explains how to set up the
SmartDashboard to access configurations required for Endpoint Security VPN and Check Point Mobile for
Windows. Before you begin, make sure you have a network for Office Mode allocation.
To configure SmartDashboard for Endpoint Security VPN or Check Point Mobile for
Windows:
1. Set the Gateway to be a policy server:
a) In the Network Objects Tree, right click the Gateway and select Edit.
Page 11
The Check Point Gateway - General Properties window opens.
b) In Check Point Products, select SecureClient Policy Server.

c) Open Authentication.
Configuring Gateways to Support Remote Access Clients
Page 12
d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the
policy.
2. Configure Visitor Mode:
a) Open Remote Access.
b) In Visitor Mode configuration, select Support Visitor Mode.

3. Configure Office Mode:
Note - Office Mode is not available for SecuRemote client.
Page 13
a) Open Remote Access > Office Mode.
b) In Office Mode Method, select Manual (using IP pool).

If you have a gateway cluster, allocate IP addresses for each cluster member. Do this in Gateway
Cluster Properties. For each cluster:
(i) Click Edit.
(ii) In the VPN tab, select Offer Manual Office Mode and then select IP Addresses.
c) In Allocate IP addresses from network, select the network for Office Mode allocation.
4. Click OK.
5. Make sure that the Gateway is in the Remote Access community:
a) Select Manage > VPN Communities.
The VPN Communities window opens.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens.
Page 14
c) Open Participating Gateways.
d) If the Gateway is not already in the list of participating gateways: click Add, select the Gateway from
the list of gateways, and click OK.
e) Click OK.
f)
Click Close.
6. For Endpoint Security VPN only, make sure that the desktop policy is configured correctly (Desktop
tab).
7. Install the policy (Policy menu > Install).
Configuring SmartDashboard for

SecuRemote client
You manage SecuRemote client through the SmartDashboard. This task explains how to set up the
SmartDashboard to access SecuRemote client configurations.
Note - If you already configured SmartDashboard for Endpoint Security VPN and
Check Point Mobile for Windows, these procedures are not necessary.
To configure SmartDashboard for Endpoint Security VPN:

1. On the gateway, configure Visitor Mode, if it is not already configured:
Page 15
a) In the left navigation tree, select Remote Access.

The Remote Access window opens.
b) In Visitor Mode configuration, select Support Visitor Mode.

2. Office mode is not supported in SecuRemote client. On the Remote Access > Office Mode page, you
can select Do not offer Office Mode. If you select a different option, it is ignored for SecuRemote client.
3. Make sure that the Gateway is in the Remote Access community:
a) Select Manage > VPN Communities.
The VPN Communities window opens.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens.
Page 16
In the left navigation tree, select Participating Gateways.
c) If the Gateway is not already in the list of participating gateways: click Add, select the Gateway from
the list of gateways, and click OK.
d) Click OK.
e) Click Close.
4. Install the policy.
Supporting Endpoint Security VPN and

SecureClient Simultaneously
To run Remote Access Clients along with SecureClient or NGX SecuRemote client on client systems, you
must configure the server and the gateways that will manage these remote access clients.
Before you start the configuration, make sure that the encryption domains of all of the gateways are the
same. Also make sure that all gateways give connectivity to the same resources.
To configure the gateways in SmartDashboard for management of Remote Access Clients

and NGX clients:
1. For Check Point Mobile for Windows and SecuRemote client start, with step 2.
For Endpoint Security VPN only, on the Desktop tab, add this rule to make sure that the Endpoint
Security VPN firewall does not block SecureClient. Allow outbound connections on:
Page 17
UDP 18231
UDP 18233
UDP 2746 for UDP Encapsulation
UDP 500 for IKE
TCP 500 for IKE over TCP
TCP 264 for topology download
UDP 259 for MEP configuration
UDP 18234 for performing tunnel test when the client is inside the network
UDP 4500 for IKE and IPSEC (NAT-T)
TCP 18264 for ICA certificate registration
TCP 443 for Visitor Mode
TCP 80
2. Open Policy menu > Global Properties.

The Global Properties window opens.
3. Open Remote Access > VPN - Advanced.
4. Select Sent in clear.

5. Click OK.
6. Select Policy > Install.
Page 18

If SecureClient blocks Remote Access Clients traffic:
1. Make sure that you selected Remote Access > VPN - Advanced > Sent in clear.
2. Choose how you want to solve this issue.
If users manage their own clients: they can delete the SecureClient site.
Note - It is not enough to disable the site. It must be deleted.
To solve this issue for all clients, change the Desktop rule base. In the Outbound Rules, add these
rules above the rule that blocks the connection:
a) Allow traffic to the Endpoint Security VPN Gateway.
Desktop = All Users

Destination = Endpoint Security VPN Gateway
Service = http, https, IKE_NAT_TRAVERSAL
Action = Accept
b) Allow users to access the encryption domain.
Desktop = All Users

Destination = The encryption domain. In the example this is the FTP server.
Service = The protocol necessary to reach the encryption domain. In the example this is FTP.
Action = Accept
c) Install the policy.
To uninstall NGX Clients:
If you install Remote Access Clients after SecureClient or NGX SecuRemote client, and you want to
uninstall the NGX client, you cannot do it from Add/Remove Programs. You must open the
Uninstall SecureClient or NGX SecuRemote client program from Start > Programs.
To remotely uninstall SecureClient with a script, run: UninstallSecureClient.exe from the

SecureClient installation directory.
Page 19
Chapter 3
The Configuration File
Policy is defined on each gateway in the trac_client_1.ttm configuration file located in the $FWDIR/conf
directory.
In This Chapter
Editing the TTM File
Customized Settings
Centrally Managing the Configuration File
Understanding the Configuration File
Migrating Secure Configuration Verification
20
20
21
21
24
Editing the TTM File

When the client connects to the gateway, the updated policy is downloaded to the client and written in the
trac.config file.
If you make changes in the trac_client_1.ttm file of a gateway, you must install the policy on each
changed gateway.
Note - When you edit the configuration file, do not use a DOS editor, such as WordPad or
Microsoft Word, which change the file formatting.
The TTM file must stay in UNIX format. If you do convert the file to DOS, you must convert it back to UNIX.
You can use the dos2unix command, or open it in an editor that can save it in a UNIX format.
To activate changes in the TTM file:

1. Edit and save the file.
2. Install the policy from SmartDashboard or the CLI of each gateway:
In SmartDashboard, select Policy > Install and install Network Security on each changed
gateway.
Run cpstop and cpstart from the CLI of each changed gateway.
Important - If you use Secondary Connect or MEP, make sure that the TTM files on all
gateways have the same settings.
Customized Settings
If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the
new $FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from
its default settings. The new defaults, in the new file, are recommended for this installation.
You must not overwrite the new trac_client_1.ttm with the old one. The new file has added
parameters that are necessary for Remote Access Clients operations.
To move customized settings to an upgraded gateway:

1. See the difference in parameter values between the customized file and the new trac_client_1.ttm
file.
Page 20
Important - When copying settings from the backup TTM file, make sure not to copy the
connect_timeout parameter.
If you do copy it, the clients cannot connect.
2. For parameters that are in both files, you can copy the value from the customized file, to the new
trac_client_1.ttm.
Important - Make sure that you do not copy parameters or values that you did not manually
change. The new file has changed, added, and deleted parameters that are necessary.
3. Save the file.
4. Install the policy on each changed gateway.

If the configuration file on each gateway is identical, you can manage one copy of the configuration file on
the SmartCenter server. This file is copied to the gateways when you install the policy.
Important - You must use the newest configuration file installed on the gateway for Remote
Access Clients. If you do not install the newest configuration file on the SmartCenter server,
the server will have an outdated configuration file that does not support new features.
To centrally manage the configuration file:

1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.
2. From the gateway, copy trac_client_1.ttm to the server.
3. Open $FWDIR/conf/fwrl.conf and find the % SEGMENT FILTERLOAD section.
4. In the NAME section, add this line:
NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;
This copies the file to the Remote Access Clients gateways each time that you install the Policy on the
gateways.
5. Save the file.
6. In SmartDashboard, install the policy on all gateways.
When clients download the new policy from the gateway, configuration changes are applied.

The trac_client_1.ttm file contains sets that look like this:
:attribute (
:gateway (
:ext ()
:map ()
:default ()
)
attribute - The name of the attribute on the client side. This is in trac.defaults on the client.
gateway - The name of the attribute on the gateway side. This is in objects.c on the SmartCenter
server. Look in the objects.c file to see what the defined behavior is on the gateway side. The name
of the attribute is only written here if it is different than the name on the client side. If there is no value for
gateway, the name of the attribute is the same in trac.defaults and objects.c.
ext - If present, it is a hard coded function that is defined and done on the gateway. Do not change it.
This function can be done in addition to the function defined for the attribute on the client or gateway
side.
map - Contains the valid values this attribute can have.
Page 21
default - The value here is downloaded to the client if the gateway attribute was not found in
objects.c. If the value is client_decide, the value is defined on the client computer, either in the
GUI or in the trac.defaults file on each client.
The behavior for each attribute is decided in this way:

1. If the attribute is defined for the gateway in objects.c file on the SmartCenter server, that value is
used.
2. If the attribute is NOT defined for a gateway in the objects.c file, the behavior for the attribute is
taken from the default value.
3. If the default value is client_decide or empty, the behavior is taken from the client.
If the attribute is configured in the client GUI, it is taken from there.
If the attribute is not configured in the client GUI, it is taken from the trac.defaults file on each
client.
Example:
:enable_password_caching (
:gateway ()
:default (client_decide)
)
enable_password_caching is the name of the attribute in trac.defaults and objects.c. Search
the objects.c file on the SmartCenter server to see if it is defined for the gateway.
If the attribute is defined for the gateway, that behavior is used.
If the attribute is NOT defined for a gateway, the default value is used. Because the default value is
client_decide, the setting is taken from each client.
Configuration File Parameters

This table shows some of the parameters of the TTM file.
Parameter
Description
Recommended
value for :default
()
allow_disable_firewall
Show a menu option for user to enable or disable false

the desktop firewall.
Applied only if enable_firewall is true or
client_decide.
certificate_key_length
Certificate enrollment settings.
1024
certificate_strong_protection
true
certificate_provider
"Microsoft
Enhanced
Cryptographic
Provider v1.0"
internal_ca_site
none
internal_ca_dn
none
default_authentication_method
Default authentication method. If this value

exists, users do not select an authentication
method when they create sites.
none
disconnect_on_smartcard_removal
Enable/disable client disconnection when Smart

Card with current certificate is removed.
false
Page 22
Parameter
Description
Recommended
value for :default
()
do_proxy_replacement
Enable/disable proxy replacement.
true
enable_capi
Enable/disable CAPI authentication.
true
enable_firewall
Enable/disable desktop firewall

true, false, or client_decide.
true
enable_gw_resolving
Enable/disable DNS resolution on each

connection.
true
Used for MEP.

flush_dns_cache
Enable/disable flushing the DNS cache while

connecting.
false
hotspot_detection_enabled
Enable/disable automatic hotspot detection.
true
automatic_mep_topology
Enable/disable the implicit (automatic) MEP

method.
true
False - manual MEP method.

ips_of_gws_in_mep
gateway IP addresses for clients to connect to.

Applied only if automatic_mep_topology is
false.
none
Addresses are separated by "&#", and the list is

terminated by a final "&#":
NNN.NNN.NNN.NNN&#MMM.MMM.MMM.MMM&#
mep_mode
MEP mode, priority of gateways defined in

ips_of_gws_in_mep. Applied only if
automatic_mep_topology is false.
Valid values:
dns_based
first_to_respond
primary_backup
load_sharing
dns_based
predefined_sites_only
Enable/disable user ability to create or modify

sites.
false
send_client_logs
Email addresses to which debug logs are sent.
none
suspend_tunnel_while_locked
Enable/disable traffic suspension if the machine

becomes inactive (due to lock or sleep) for a
specified duration.
false
tunnel_idleness_ignore_icmp
Enable/disable monitor of ICMP packets to see if true

a tunnel is active.
tunnel_idleness_ignored_tcp_ports
TCP ports that are not monitored to determine if

a tunnel is active.
tunnel_idleness_ignored_udp_ports UDP ports that are not monitored to determine if

a tunnel is active.
none
53&#137&#138&#
Page 23
Parameter
Description
Recommended
value for :default
()
tunnel_idleness_timeout
Time, in minutes, after which a client will close an 0

inactive tunnel.
Zero (0) - the feature is disabled. The VPN tunnel
will never close due to inactivity.

SecureClient uses SCV compliance checks, as do Endpoint Security VPN and Check Point Mobile for
Windows. These features of SecureClient compliance are ignored by the Endpoint Security VPN client and
Check Point Mobile for Windows:
user_policy_scv - This SCV Check tests if SecureClient is logged in to a Policy Server. Endpoint
Security VPN and Check Point Mobile for Windows do not log in to policy server, so this check is not
necessary.
sc_ver_scv - This SCV Check tests for the version of SecureClient. Currently, there is no SCV check
for the version of Endpoint Security VPN or Check Point Mobile for Windows.
ckp_scv - This SCV Check is not supported for Endpoint Security VPN or Check Point Mobile for
Windows.
Page 24
Chapter 4
Differences between SecureClient
and Endpoint Security VPN CLI
This table shows common tasks and how to perform them with SecureClient or Remote Access Clients
E75.20 command line. N/A indicates that the task cannot be performed with the CLI.
Task
SecureClient
Remote Access Clients E75.20
Asynchronous Connect
connectwait <profilename>
N/A
Change P12 Certificate

Password
N/A
change_p12_pwd -f <filename> [ -o
<oldpassword> -n <newpassword> ]
Connect to Site
connect [-p] <profilename>
connect -s <sitename> [-u <username>

-p <password> | -d <dn> | -f <p12> | pin <PIN> -sn <serial>]
Create / Add Site
add <sitename>
create -s <sitename> [-a

<authentication method>]
Delete Site
delete <sitename>
delete -s <sitename>
Disconnect from Site
disconnect
disconnect
Display Connection Status
status
N/A
Enable / Disable Hotspot

Registration
sethotspotreg <on | off>
N/A
Enable / Disable Policy
setpolicy [on | off]
N/A
Enroll ICA CAPI Certificate
icacertenroll <site IP/name>

<registration key> <file path>
<password>
enroll_capi -s <sitename> -r
<registrationkey> [ -i <providerindex> -l
<keylength> -sp <strongkeyprotection>
]
Enroll ICA P12 Certificate
N/A
enroll_p12 -s <sitename> -f <filename>

-p <password> -r <registrationkey> [ -l
<keylength> ]
Get Site Name / IP
getsite <profilename>
info [-s <sitename>]
List Profiles
listprofiles
N/A
List Domain Names Stored in

the CAPI
N/A
list
Print Log Messages
N/A
log
Renew CAPI Certificate
N/A
renew_capi -s <sitename> -d <dn> [ -l

<keylength> -sp <strongkeyprotection>
]
Page 25
Task
SecureClient
Remote Access Clients E75.20
Renew P12 Certificate
N/A
renew_p12 -s <sitename> -f <filename>

-p <password> [ -l <keylength>]
Restart VPN Services
restartsc
N/A
Set Certificate File / Password
passcert <password>
<certificate>
See Connect to Site
Set Username / Password
userpass <username>
<password>
See Connect to Site
Show Number of Profiles
numprofiles
N/A
Show VPN Client Version
version
ver
Start VPN Client Services
startsc
start
Stop VPN Client Services
stopsc
stop
Suppress UI Dialog Messages suppressdialogs [on | off]
N/A
Unset User Credentials
erasecreds
N/A
Update Topology
update <profilename>
N/A
Differences between SecureClient and Endpoint Security VPN CLI
Page 26

Remote Access Clients E75.20: Upgrading From Secureclient/Securemote NGX On NGX R65 Smartcenter Server

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Remote Access Clients E75.20: Upgrading From Secureclient/Securemote NGX On NGX R65 Smartcenter Server

Încărcat de

Drepturi de autor:

Formate disponibile

Remote Access Clients

2011 Check Point Software Technologies Ltd.

First release of this document

Overview of Remote Access Clients

Endpoint Security VPN

Replaces SecureClient and Endpoint Connect.

Integrated desktop firewall, centrally managed from SmartCenter server.

In-place upgrade from Endpoint Security VPN R75.

In-place upgrade from Endpoint Connect R73.

Check Point Mobile for Windows

New Enterprise Grade Remote Access Client.

Upgrading on Different Management Servers

Replaces the NGX SecuRemote client.

Basic remote access functionality.

Requires an IPSec VPN Software Blade on the gateway.

It is a free client and does not require additional licenses.

Upgrading on Different Management

Why You Should Upgrade to Remote

Automatic and transparent upgrades, with no administrator privileges required

Supports 32-bit and 64-bit, Windows Vista and Windows 7

Uses less memory resources than SecureClient

Automatic disconnect/reconnect as clients move in and out of the network

Seamless connection experience while roaming

Supports many additional new features

Does not require a SmartCenter server upgrade

Introduction to Remote Access Clients

Before Upgrading to Remote Access Clients

Before Upgrading to Remote Access

Supported Gateways and Servers

New Remote Access Clients Features

Automatically detects hotspots that prevent

Opens a mini-browser to allow the user to

Firewall support for hotspots

Automatically detects whether the client is

Supports automatic certificate renewal, including in

Automatically determines if client is inside or outside

Maintains VPN tunnel if client disconnects and

Updates the client system securely and without user

Supports the latest 32-bit and 64-bit Windows

During first time configuration, the client detects the

Note: This requires DNS configuration and is only

Introduction to Remote Access Clients

Before Upgrading to Remote Access Clients

Connect client system to the closest VPN gateway

Disconnect VPN tunnel if the machine becomes

Flush DNS Cache

Remove previous DNS entries from the DNS cache

Tests that the Security Gateway is active by sending

Automatically detects whether the client is

SecureClient Features Supported in Remote Access

SecurID (passcode, softID, key fobs)

Cache credentials for user login

NAT-T and Visitor

Let users connect from any location, such as

Multiple Entry Point

Provides gateway High Availability and Load

Gives access to multiple VPN gateways at the

Predefined client installation package with

Internal IP address for remote access VPN

Introduction to Remote Access Clients

Before Upgrading to Remote Access Clients

When using Office Mode from a DHCP server,