Sunteți pe pagina 1din 34
Upgrading SecureClient to Endpoint Security VPN R75 on NGX R65 SmartCenter Server 20 October 2010

Upgrading SecureClient to Endpoint Security VPN R75

on NGX R65 SmartCenter Server

20 October 2010

Upgrading SecureClient to Endpoint Security VPN R75 on NGX R65 SmartCenter Server 20 October 2010

© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR

52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation

The latest version of this document is at:

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date

Description

20

October 2010

Added procedure for restoring the TTM file with customizations ("Restoring Settings" on page 25).

14

October 2010

Added Desktop rule to allow MEP traffic ("Making a Desktop Rule for MEP" on page 32).

 

The connect_timeout parameter was removed from the list of commonly changed configuration file parameters, because it must not be used in this installation.

10

October 2010

To reflect the easy process of moving from SecureClient to Endpoint Security VPN, migration is changed to upgrading.

 

Updated Microsoft Windows 7 Editions and fixed client version number in Supported Platforms ("System Requirements" on page 6).

28

September 2010

Updated features lists ("Before Upgrading to Endpoint Security VPN" on page 6)

13

September 2010

Window pictures added, different versions of document released for different versions of SmartDashboard

June, 2010

Initial version

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Contents

Important Information

3

Introduction to Endpoint Security VPN

5

Using Different Management Servers

5

Why You Should Upgrade to Endpoint Security VPN

5

Before Upgrading to Endpoint Security VPN

6

System Requirements

6

New Endpoint Security VPN Features

6

SecureClient Features Supported in Endpoint Security VPN

7

SecureClient Features Not Yet Supported

9

Configuring Gateways to Support Endpoint Security VPN

10

Installing Hotfix on Gateways

10

Configuring SmartDashboard

11

Supporting Endpoint Security VPN and SecureClient Simultaneously

14

Troubleshooting Dual Support

17

Installing and Configuring Endpoint Security VPN on Client Systems

18

Installing Endpoint Security VPN on Client Systems

18

Client Icon

18

Helping Users Create a Site

18

Preparing the Gateway Fingerprint

19

Using the Site Wizard

20

Opening the Site Wizard Again

21

Connecting to a Site

22

Pre-Configuring Proxy Settings

22

Pre-Configuring Always Connect

23

Using the Packaging Tool

23

The Configuration File

25

Configuration File Overview

25

Restoring Settings

25

Centrally Managing the Configuration File

25

Parameters in the Configuration File

26

Migrating Secure Configuration Verification

27

Multiple Entry Point (MEP)

28

MEP or Roaming

28

Configuring Entry Point Choice

28

Defining MEP Method

29

Implicit MEP

30

Configuring Implicit First to Respond

30

Configuring Implicit Primary-Backup

30

Configuring Implicit

Load Distribution

31

Manual MEP

32

Making a Desktop Rule for MEP

32

Differences between SecureClient and Endpoint Security VPN CLI

33

Chapter 1

Introduction to Endpoint Security VPN

Endpoint Security VPN is a lightweight remote access client for seamless, secure IPSec VPN connectivity to remote resources. It authenticates the parties and encrypts the data that passes between them.

Endpoint Security VPN is intended to replace the current Check Point remote access client: SecureClient.

the current Check Point remote access client: SecureClient. Note - You can install Endpoint Security VPN

Note - You can install Endpoint Security VPN on several Linux/Unix-based platforms as well as Microsoft Windows platforms. The procedures included in this document use the Linux/Unix environment variable convention ($FWDIR).

If you are using a Windows platform, substitute %FWDIR% for the environment variable in the applicable procedures.

In This Chapter

Using Different Management Servers

5

Why You Should Upgrade to Endpoint Security VPN

5

Before Upgrading to Endpoint Security VPN

6

Using Different Management Servers

Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN. The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have.

This guide is for the NGX R65 SmartCenter server.

If you have the R70.40 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management

If you have the R71 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75 on R71 Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11132).

Why You Should Upgrade to Endpoint Security VPN

Check Point recommends that all customers upgrade from SecureClient to Endpoint Security VPN as soon as possible, to have these enhancements.

Automatic and transparent upgrades, with no administrator privileges required

Supports 32-bit and 64-bit, Windows Vista and Windows 7

Uses less memory resources than SecureClient

Automatic disconnect/reconnect as clients move in and out of the network

Seamless connection experience while roaming

Before Upgrading to Endpoint Security VPN

Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection

Supports many additional new features

Does not require a SmartCenter server upgrade

Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period

Note - Check Point will end its support for SecureClient in mid-2011. - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Endpoint Security VPN

Before upgrading, consider these issues.

System Requirements

Management Server and Gateway:

Note - See the Release Notes of the specific Check Point version for supported versions of - See the Release Notes of the specific Check Point version for supported versions of different platforms.

All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in.

All supported platforms for R70.40.

Notes - Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You can - Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You can install the Endpoint Security VPN package on multiple gateways and must install it on the server to enable MEP.

The server and gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Endpoint Security VPN.

Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.

Clients: Endpoint Security VPN R75 can be installed on these platforms:

Microsoft Windows XP 32 bit SP2, SP3

Microsoft Windows Vista 32 bit and 64 bit SP1

Microsoft Windows 7 Home Edition 32 bit and 64 bit

Microsoft Windows 7 Home Premium 32 bit and 64 bit

Microsoft Windows 7 Pro 32 bit and 64 bit

Microsoft Windows 7 Ultimate 32 bit and 64 bit

Microsoft Windows 7 Enterprise 32 bit and 64 bit

New Endpoint Security VPN Features

Feature

Description

Hotspot Detection and Registration (Exclusion for Policy)

Automatically detects hotspots that prevent the client system from establishing a VPN tunnel

Opens a mini-browser to allow the user to register to the hotspot and connect to the VPN gateway

 

Firewall support for hotspots

Before Upgrading to Endpoint Security VPN

Feature

Description

Automatic Connectivity Detection

Automatically detects whether the client is connected to the Internet or LAN

Automatic Certificate Renewal in CLI Mode

Supports automatic certificate renewal, including in CLI mode

Location Awareness

Automatically determines if client is inside or outside the enterprise network

Roaming

Maintains VPN tunnel if client disconnects and reconnects using different network interfaces

Automatic and Transparent Upgrade Without Administrator Privileges

Updates the client system securely and without user intervention

Windows Vista / Windows 7 64 Bit Support

Supports the latest 32-bit and 64-bit Windows operating systems

Automatic Site Detection

During first time configuration, the client detects the VPN site automatically

Note: This requires DNS configuration and is only supported when configuring the client within the internal network.

Geo Clusters

Connect client system to the closest VPN gateway based on location

For more information on geo clusters, see sk43107

Machine Idleness

Disconnect VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.

Flush DNS Cache

Remove previous DNS entries from the DNS cache when creating VPN tunnel

SecureClient Features Supported in Endpoint Security VPN

Feature

Description

Authentication Methods

Username/Password

Certificate

 

SecurID (passcode, softID, key fobs)

Challenge Response

Cached Credentials

Cache credentials for user login

NAT-T/Visitor Mode

Let users connect from any location, such as a hotel, airport, or branch office

Multiple Entry Point (MEP)

VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A).

Pre-Configured Client Packaging

Predefined client installation package with configurations for easy provisioning

Office Mode

Internal IP address for remote access VPN users

Before Upgrading to Endpoint Security VPN

Feature

Description

Compliance Policy - Secure Configuration Verification (SCV)

Verifies client system policy compliance before allowing remote access to internal network

Proxy Detect / Replace

Detect proxy settings in client system web browsers for seamless connectivity

Route All Traffic

Send all traffic from the client system through the VPN gateway

Localization

Supported languages:

Chinese (simplified)

English

French

German

Hebrew

Italian

Japanese

Russian

Spanish

Certificate Enrollment / Renewal

Automatic enrollment and renewal of certificates issued by Check Point Internal CA server

CLI and API Support

Manage client with third party software

Tunnel Idleness

Disconnect VPN if there is no traffic for a specified duration

Dialup

Support dialup connections

Disconnect On Smart Card Removal

Disconnect VPN if a Smart Card is removed from the client system

Re-authentication

After specified duration, user is asked for re-authentication

Keep-alive

Send keep-alive messages from client to the VPN gateway to maintain the VPN tunnel

Check Gateway Certificate in CRL

Validate VPN gateway certificate in the CRL list

Desktop Firewall Configured from SmartDashboard Desktop Policy

Personal firewall integrated into client, managed with the SmartDashboard desktop policy

Configuration File Corruption Recovery

Recover corrupted configuration files

Secure Domain Logon (SDL)

Establish VPN tunnel prior to user login

Desktop Firewall Logs in SmartView Tracker

Desktop firewall logs are displayed in SmartView Tracker

End-user Configuration Lock

Prevent users from changing the client configuration

Update Dynamic DNS with the Office Mode IP

Assign an internal IP address for remote access VPN users in the Dynamic DNS

Secure Authentication API (SAA)

Integrate with third party authentication providers

Before Upgrading to Endpoint Security VPN

Feature

Description

SmartView Monitor

Monitor VPN tunnel and user statistics with SmartView Monitor

Post Connect Script

Execute manual scripts before and after VPN tunnel is established

SecureClient Features Not Yet Supported

Currently, these features of SecureClient are not supported by Endpoint Security VPN. Many of these features are expected to be supported in the next release.

Feature

Description

Single Sign-on (SSO)

One set of credentials to log in to both VPN and Windows operating system

“Suggest Connect” Mode (Auto Connect)

Create VPN tunnel when the client generates traffic to the VPN domain resources

Entrust Entelligence Support

Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption

Diagnostic Tools

Tools for viewing logs and alerts

Compression

Compress IPSec traffic

VPN Connectivity to VPN-1 VSX

Terminate VPN tunnel at Check Point VSX gateways

DNS Splitting

Support multiple DNS servers

"No Office Mode" Connect Mode

Connect to the VPN gateway without requiring Office Mode

Pre-shared secret

Authentication method that uses a pre-shared secret

Link Selection

Multiple interface support with redundancy

Secondary Connect (Including Fast Failover)

Connect to multiple VPN gateways simultaneously and establish VPN tunnels to all resources located behind each VPN gateway

DHCP Automatic Lease Renewal

Automatically renew IP addresses obtained from DHCP servers

Chapter 2

Configuring Gateways to Support Endpoint Security VPN

In This Chapter

Installing Hotfix on Gateways

10

Configuring SmartDashboard

11

Supporting Endpoint Security VPN and SecureClient Simultaneously

14

Troubleshooting Dual Support

17

Installing Hotfix on Gateways

To run Endpoint Security VPN and SecureClient simultaneously on client systems, install the hotfix on production gateways or on a standalone, self-managed gateway.

To use the Implicit MEP feature, you must install the hotfix on the SmartCenter server. If you do not need this feature, the hotfix does not have to be installed on the server (only on the gateways).

have to be installed on the server (only on the gateways). Important: Before You Begin -

Important: Before You Begin -

If you choose to install the hotfix on a new dedicated gateway in the production environment, managed by the same management server as the rest of the RA gateways, this gateway will also be added to the topology used by SecureClient clients. This may cause them to connect to the new gateway. Thus, you must make sure the configuration is valid and that resources set by the encryption domain on this gateway are indeed accessible.

If you have clients that use a pre-shared secret to authenticate, you must give the users a different authentication - one that is supported by Endpoint Security VPN.

To install the hotfix on a Gateway:

1. Download the hotfix from the Check Point Support Center (http://supportcenter.checkpoint.com).

2. Copy the hotfix package to the gateway.

3. Run the hotfix:

On SecurePlatform:

[admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz

[admin@gateway ~/hf]$ ./fw1_HOTFIX_ENFI_HFA_EVE2_620631013_1

Do you want to proceed with installation of Check Point fw1 NGX R65 Support ENFI_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on this computer?

If you choose to proceed, installation will perform CPSTOP.

(y-yes, else no):y

On Windows, double-click the installation file and follow the instructions.

4. If WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint Security VPN will not be able to connect.

5. Reboot the Gateway.

Configuring SmartDashboard

Configuring SmartDashboard

You manage Endpoint Security VPN through the SmartDashboard. This task explains how to set up the SmartDashboard to access Endpoint Security VPN configurations. Before you begin, make sure you have a network for Office Mode allocation. If you do not have such a network set up, create it now.

To configure SmartDashboard for Endpoint Security VPN:

1. Set the Gateway to be a policy server:

a) In the Network Objects Tree, right click the Gateway and select Edit.

The Check Point Gateway - General Properties window opens.

The Check Point Gateway - General Properties window opens. b) In Check Point Products , select

b) In Check Point Products, select SecureClient Policy Server.

Configuring SmartDashboard

c) Open Authentication.

Configuring SmartDashboard c) Open Authentication . d) In Policy Server , select an existing user group,

d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the policy.

2. Configure Visitor Mode:

a) Open Remote Access.

policy. 2. Configure Visitor Mode: a) Open Remote Access . b) In Visitor Mode configuration ,

b) In Visitor Mode configuration, select Support Visitor Mode.

3. Configure Office Mode:

Configuring SmartDashboard

a) Open Remote Access > Office Mode.

SmartDashboard a) Open Remote Access > Office Mode . b) In Office Mode Method , select

b) In Office Mode Method, select Manual (using IP pool).

c) In Allocate IP addresses from network, select the network for Office Mode allocation.

4. Click OK.

5. Make sure that the Gateway is in the Remote Access community:

a) Select Manage > VPN Communities.

The VPN Communities window opens.

b) Double-click RemoteAccess.

The Remote Access Community Properties window opens.

Supporting Endpoint Security VPN and SecureClient Simultaneously

c) Open Participating Gateways.

Simultaneously c) Open Participating Gateways . d) If the Gateway is not already in the list

d) If the Gateway is not already in the list of participating gateways: click Add, select the Gateway from the list of gateways, and click OK.

e) Click OK.

f) Click Close.

6. Make sure that the desktop policy is configured correctly (Desktop tab).

7. Install the policy (Policy menu > Install).

Supporting Endpoint Security VPN and SecureClient Simultaneously

To run both Endpoint Security VPN and SecureClient on client systems, you must configure the server and the gateways that will handle these remote access clients.

Before you begin, make sure that the encryption domains on these gateways fully overlap with the encryption domains of all other gateways and that all gateways provide connectivity to the same resources.

To configure gateways to manage both clients:

1. On the Desktop tab, add this rule to ensure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:

UDP 18231

Supporting Endpoint Security VPN and SecureClient Simultaneously

UDP 18233

UDP 2746 for UDP Encapsulation

UDP 500 for IKE

TCP 500 for IKE over TCP

TCP 264 for topology download

UDP 259 for MEP configuration

UDP 18234 for performing tunnel test when the client is inside the network

UDP 4500 for IKE and IPSEC (NAT-T)

TCP 18264 for ICA certificate registration

TCP 443 for Visitor Mode

TCP 80

registration  TCP 443 for Visitor Mode  TCP 80 2. Open Policy menu > Global

2. Open Policy menu > Global Properties. The Global Properties window opens.

3. Open Remote Access > VPN - Advanced.

opens. 3. Open Remote Access > VPN - Advanced . 4. Select Sent in clear .

4. Select Sent in clear.

5. If secure configuration verification (SCV) is configured, add an exception for Endpoint Security VPN.

a) Open Remote Access > Secure Configuration Verification (SCV).

Supporting Endpoint Security VPN and SecureClient Simultaneously

b) Select Apply Secure Configuration Verification on Simplified mode.

Apply Secure Configuration Verification on Simplified mode . c) Click Exceptions . The Secure Configuration

c) Click Exceptions.

The Secure Configuration Verification Exceptions window opens.

Secure Configuration Verification Exceptions window opens. d) Select Do not apply Secure Configuration Verification on

d) Select Do not apply Secure Configuration Verification on SSL clients connections.

e) Click OK.

6. Click OK.

7. Do Policy > Install.

Troubleshooting Dual Support

Suggest Connect Mode:

Users can disable the Suggest Connect option in SecureClient clients. If enabled, it might interfere with Endpoint Security VPN connectivity.

Troubleshooting Dual Support

If SecureClient blocks Endpoint Security VPN traffic:

1. Make sure that you selected Remote Access > VPN - Advanced > Sent in clear.

2. Choose how you want to solve this issue. Users manage their own clients: users delete the SecureClient site.

their own clients : users delete the SecureClient site. Note - It is not enough to

Note - It is not enough to disable the site. It must be deleted.

You solve this issue for all clients: change the Desktop rule base.

a) In the Outbound Rules, add this rule above the last rule. (The last rule should be Any Any Block.)

Destination = Endpoint Security VPN Gateway

Service = http, https, IKE_NAT_TRAVERSAL

Action = Accept

= http, https, IKE_NAT_TRAVERSAL  Action = Accept b) Install the policy. To uninstall SecureClient: 

b) Install the policy.

To uninstall SecureClient:

If you install Endpoint Security VPN after SecureClient, and you want to uninstall SecureClient, you cannot do it from Add/Remove Programs. You must open the Uninstall SecureClient program from Start > Programs.

To remotely uninstall SecureClient with a script, run: UninstallSecureClient.exe from the SecureClient installation directory.

Chapter 3

Installing and Configuring Endpoint Security VPN on Client Systems

In This Chapter

Installing Endpoint Security VPN on Client Systems

18

Client Icon

18

Helping Users Create a Site

18

Connecting to a Site

22

Pre-Configuring Proxy Settings

22

Pre-Configuring Always Connect

23

Using the Packaging Tool

23

Installing Endpoint Security VPN on Client Systems

The Endpoint Security VPN installation package is a self-installing executable that you can download from the Check Point Download Center.

If you uninstall a client to install or upgrade Endpoint Security VPN, you must restart the client when prompted.

Client Icon

The client tray icon shows the status of Endpoint Security VPN.

Icon

Status

Disconnected

Disconnected

Connecting

Connecting

Connected

Connected

Encryption (encrypted data is being sent or received on the VPN)

Encryption (encrypted data is being sent or received on the VPN)

Error

Error

You can also hover your mouse on the icon to show the client status.

Helping Users Create a Site

Each client must have at least one site defined. The site is the VPN gateway. If you did not pre-configure the client for a default site, make sure your users have:

Helping Users Create a Site

The gateway fingerprint.

The gateway IP address or domain name.

The authentication method you want them to use.

Authentication materials (username, password, certificate file, RSA SecurID, or access to HelpDesk for challenge/response authentication).

Preparing the Gateway Fingerprint

Before users define a site leading to the gateway, prepare the fingerprint of the gateway. Users may get a warning that the client cannot identify the gateway and that they should verify the fingerprint.

the gateway and that they should verify the fingerprint. Give the users the fingerprint to compare

Give the users the fingerprint to compare with their client installation and site definition.

To prepare the gateway fingerprint:

1. In SmartDashboard, click Manage menu > Servers and OPSEC Applications.

2. In the Servers and OPSEC Applications window, select the Certificate Authority and click Edit.

3. Open the Local Security Management Server or OPSEC PKI tab and click View.

4. In the Certificate Authority Certificate View window, copy the SHA-1 Fingerprint.

Certificate View window, copy the SHA-1 Fingerprint. Installing and Configuring Endpoint Security VPN on Client

Helping Users Create a Site

5. Send the fingerprint to users before they install the client.

Using the Site Wizard

When the user first double-clicks the Endpoint Security VPN icon, a message appears:

No site is configured. Would you like to configure a new site?

If the user clicks No, the message closes. The user cannot connect to a VPN until a site is defined.

If the user clicks Yes, the Site Wizard opens.

 If the user clicks Yes , the Site Wizard opens. To configure the first site

To configure the first site of a client:

1. The user clicks Next.

2. The user enters the IP address or name of the VPN gateway.

The user enters the IP address or name of the VPN gateway. The wizard shows the

The wizard shows the progress while the Endpoint Security VPN client resolves the site name or address to the actual gateway. This step in the wizard notifies the user that:

This may take several minutes, depending on the speed of your network connection.

If the user see the certificate warning, make sure they check the fingerprint of the gateway:

a) Compare the site fingerprint with the SIC fingerprint on the gateway.

b) Click Details to see additional warnings.

c) If site details are correct, click Trust and Continue. The fingerprint is stored in the Windows registry and the security warning is not opened again for the site, even if the client is upgraded.

Helping Users Create a Site

The wizard displays the authentication method step.

a Site The wizard displays the authentication method step. 3. Give your users the authentication materials

3. Give your users the authentication materials they need.

4. The user selects the correct method and clicks Next.

If Certificate, the user selects PKCS#12 or CAPI (make sure the user knows which to select), and clicks Next.

If SecurID, the user selects the type, and clicks Next.

5. The user clicks Finish, and a message appears: Would you like to connect? If the user clicks Yes, the client connects to the gateway and a VPN tunnel is created.

Opening the Site Wizard Again

Although the Site wizard opens automatically the first time a client is opened, you can also open it at any time.

To create a new site on the client at any time:

1. Right-click the client icon and select VPN Options. The Options window opens.

icon and select VPN Options. The Options window opens. 2. On the Sites tab, click New

2. On the Sites tab, click New. The Site Wizard opens.

Connecting to a Site

OR

1.

Right-click the client icon and select Connect to.

1. Right-click the client icon and select Connect to . 2. In the Site drop-down, select

2.

In the Site drop-down, select New Site.

The Site Wizard opens.

Connecting to a Site

You might have to help users connect to the VPN. The Endpoint Security VPN client lets users connect to sites - where the site is the VPN gateway.

To connect to a site:

1. Right-click the client icon and select Connect or Connect to.

A site connection window opens.

This window has authentication fields according to the selected authentication method.

If you selected Connect to, you can select the site to which you would like to connect.

2. Enter credentials, and click Connect.

A connection progress window opens. Wait until the connection is made.

Pre-Configuring Proxy Settings

until the connection is made. Pre-Configuring Proxy Settings Note - Remote-location proxy-server settings are usually

Note - Remote-location proxy-server settings are usually detected automatically.

If a user is at a remote site that has a proxy server, the Endpoint Security VPN client must be configured to pass through the proxy server to reach the gateway.

If you know that this will be an issue, you can configure this option when you prepare the client MSI file. Otherwise, you can help your user configure the proxy server when the issue comes up.

To configure proxy settings on the client:

1.

In the Options > Advanced tab, click Proxy Settings.

Pre-Configuring Always Connect

The Proxy Settings window opens.

Always Connect The Proxy Settings window opens. 2. Select an option.  No Proxy - Make

2. Select an option.

No Proxy - Make a direct connection to the VPN.

Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer > Tools > Internet options > Connections > LAN Settings.

Manually define proxy - Enter the IP address and port number of the proxy. If necessary, enter a valid user name and password for the proxy.

3. Click OK.

Pre-Configuring Always Connect

You can help users set the Always Connect option. This lets the client connect automatically to the active site. In a default package, this option is available for users to change.

To configure Always Connect in the client:

1. Right-click the client icon and select VPN Options. The Options window opens.

2. On the Sites tab, select the VPN gateway, and click Properties. The Properties window for the site opens.

3. Open the Settings tab.

4. Click Enable Always-Connect.

5. Click OK.

Using the Packaging Tool

You can create a package of the Endpoint Security VPN client with pre-defined settings, such as a VPN site and authentication methods. When you deploy the package to users, it is easier for them to connect quickly.

Endpoint Security VPN Administration mode lets you create pre-configured packages. You open one instance of the client, configure all settings, and save the client MSI.

If any of these features are disabled on the client in Administration mode, change the configuration of the gateways.

Using the Packaging Tool

To create a pre-configured package:

1. Open the client in Administration mode:

32-bit systems - C:\Program Files\CheckPoint\Endpoint Connect\AdminMode.bat

64-bit systems - C:\Program Files(x86)\CheckPoint\Endpoint Connect\AdminMode.bat

2. Right-click the client icon and select VPN Options. The Options window opens, with the Administration tab.

3. On the Sites tab, define the site you want clients.

4. Select the site and click Properties > Settings.

4. Select the site and click Properties > Settings . 5. Select VPN options:  Always-Connect

5. Select VPN options:

Always-Connect - Let the client connect automatically to the active site.

VPN tunneling - Make sure the client connects to the VPN for all outbound traffic. Enable Hub Mode for the gateway.

Authentication

6. Click OK.

7. Open the Advanced tab and select relevant settings.

8. Open the Administration tab.

select relevant settings. 8. Open the Administration tab. a) Input MSI Package Path - Select the

a) Input MSI Package Path - Select the input MSI package file.

b) Replace user's configuration when upgrading - Decide whether to keep the user configuration on upgrade (clear the checkbox) or to merge the new configuration with existing configuration, including client authentication. If you select this checkbox, users do not have to apply for new credentials to a site they have been using.

c) Click Generate to create the MSI package.

A window opens to prompt for a location to save the generated package.

9. Distribute this package to Endpoint Security VPN users.

Chapter 4

The Configuration File

In This Chapter

Configuration File Overview

25

Restoring Settings

25

Centrally Managing the Configuration File

25

Parameters in the Configuration File

26

Migrating Secure Configuration Verification

27

Configuration File Overview

The gateways save configuration parameters in the $FWDIR/conf/trac_client_1.ttm configuration file.

After you edit and save the file, install the policy.

Note - When editing the configuration file, do not use a DOS editor, such as Microsoft - When editing the configuration file, do not use a DOS editor, such as Microsoft Word, which adds formatting codes to the file.

Restoring Settings

If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the new $FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from its default settings - the new defaults, in the new file, are recommended for this installation.

To restore settings:

1. See the difference in parameter values between the backup and new trac_client_1.ttm file.

values between the backup and new trac_client_1.ttm file. Important - When copying settings from the backup

Important - When copying settings from the backup TTM file, make sure not to copy the connect_timeout parameter.

If you do, the clients cannot connect.

2. Copy the values from the backup that you want to restore, to the new trac_client_1.ttm.

3. Save the file.

4. Install the policy.

Centrally Managing the Configuration File

If the configuration file on each gateway is identical, you can manage one copy of the configuration file on the SmartCenter server. This file is copied to the Gateways when you install the policy.

Important - You must use the newest configuration file installed on the gateway for Endpoint Security - You must use the newest configuration file installed on the gateway for Endpoint Security VPN. This is important, because if you do not install Endpoint Security VPN on the SmartCenter server, the server will have an outdated configuration file that does not support new features.

To centrally manage the configuration file:

1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.

Parameters in the Configuration File

2. From the gateway, copy trac_client_1.ttm to the server.

3. Open $FWDIR/conf/fwrl.conf and find the % SEGMENT FILTERLOAD section.

4. Within this section, add this line:

NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;

This copies the file to the Endpoint Security VPN gateways whenever you run Install Policy.

5. Save the file and install the policy. When clients download the new policy from the gateway, configuration changes are applied.

Parameters in the Configuration File

This table shows some of the parameters of the TTM file. The default value is the recommended value.

Parameter

Description

Default

allow_disable_firewall

Enable/disable menu option for user to disable desktop firewall.

false

Applied only if enable_firewall is true or client_decide.

certificate_key_length

Certificate enrollment settings.

1024

certificate_strong_protection

true

certificate_provider

"Microsoft

Enhanced

internal_ca_site

Cryptographic

internal_ca_dn

Provider v1.0"

none

none

default_authentication_method

Default authentication method.

none

disconnect_on_smartcard_removal

Enable/disable client disconnection when Smart Card with current certificate is removed.

false

do_proxy_replacement

Enable/disable proxy replacement.

true

enable_capi

Enable/disable CAPI authentication.

true

enable_firewall

Enable/disable desktop firewall true, false, or client_decide.

true

enable_gw_resolving

Enable/disable DNS resolution on each connection.

true

Used for MEP.

flush_dns_cache

Enable/disable flushing the DNS cache while connecting.

false

hotspot_detection_enabled

Enable/disable automatic hotspot detection.

true

automatic_mep_topology

Enable/disable the implicit (automatic) MEP method.

true

False - manual MEP method.

Migrating Secure Configuration Verification

Parameter

Description

Default

ips_of_gws_in_mep

Gateway IP addresses for clients to connect to. Applied only if automatic_mep_topology is false.

none

Addresses are separated by "&#", and the list is terminated by a final "&#":

NNN.NNN.NNN.NNN&#MMM.MMM.MMM.MMM&#

mep_mode

MEP mode, priority of Gateways defined in ips_of_gws_in_mep. Applied only if automatic_mep_topology is false. Valid values:

dns_based

dns_based

first_to_respond

primary_backup

load_sharing

predefined_sites_only

Enable/disable user ability to create or modify sites.

false

send_client_logs

Email addresses to which debug logs are sent.

none

suspend_tunnel_while_locked

Enable/disable traffic suspension if the machine becomes inactive (due to lock or sleep) for a specified duration.

false

tunnel_idleness_ignore_icmp

Enable/disable monitor of ICMP packets to see if

true

a

tunnel is active.

tunnel_idleness_ignored_tcp_ports

TCP ports that are not monitored to determine if

none

a

tunnel is active.

tunnel_idleness_ignored_udp_ports

UDP ports that are not monitored to determine if

53&#137&#138&#

a

tunnel is active.

tunnel_idleness_timeout

Time, in minutes, after which a client will close an inactive tunnel.

0

Zero (0) - the feature is disabled. The VPN tunnel will never close due to inactivity.

disabled. The VPN tunnel will never close due to inactivity. Note - sk42850 (

Note - sk42850 (http://supportcontent.checkpoint.com/solutions?id=sk42850) explains the complete file contents and syntax.

Migrating Secure Configuration Verification

SecureClient uses SCV compliance checks, and so does Endpoint Security VPN. Some features of SecureClient compliance are ignored by the Endpoint Security VPN client.

user_policy_scv - This SCV check sets the compliance status of a client after a user disables the Desktop security policy. (SecureClient users can disable the firewall.) If the value of this check in local.scv is true, the SecureClient client is still compliant, if the SecureClient user disables the firewall. If the value is false and the user disables the firewall, the SecureClient client is not compliant. To let Endpoint Security VPN users disable the Desktop security policy and keep compliance for the client, configure the $FWDIR/conf/trac_client_1.ttm file: find allow_disable_firewall and set :default(true).

sc_ver_scv - This SCV check tests for the version of SecureClient. Currently, there is no SCV check for the version of Endpoint Security VPN.

ckp_scv - This SCV check is obsolete.

MEP or Roaming

Appendix A

Multiple Entry Point (MEP)

Multiple Entry Point (MEP) gives high availability and load sharing to VPN connections. A Gateway is one point of entry to the internal network. If the Gateway becomes unavailable, the internal network is also unavailable. A Check Point MEP environment has two or more Gateways for the same VPN domain to give remote users uninterrupted access. Endpoint Security VPN automatically detects and uses MEP topology.

MEP topology gives High Availability and load sharing with these characteristics:

There is no physical restriction on the location of MEP Gateways. They can be geographically separated and not directly connected.

MEP Gateways can be managed by different management servers.

There is no state synchronization in MEP. If a Gateway fails, the current connection falls and one of the auxiliary Gateways picks up the next connection.

Remote clients, not the gateways, find the Gateway to use.

To enable MEP, you must install the Hotfix on the SmartCenter server and on each Gateway.

In This Appendix

MEP or Roaming

28

Configuring Entry Point Choice

28

Defining MEP Method

29

Implicit MEP

30

Manual MEP

32

Making a Desktop Rule for MEP

32

MEP or Roaming

For MEP to work with Endpoint Security VPN, you must disable or limit the Roaming feature. If a gateway connection fails, Roaming maintains the connection to the current gateway, while MEP finds a new gateway to connect to. If these two features were enabled at the same time, they would conflict with each other.

To limit roaming (and enable MEP):

1. Open SmartDashboard > Global Properties.

2. Open Remote Access > Endpoint Connect.

3. Set Disconnect when connectivity to network is lost to Yes.

4. Click OK.

5. Open GuiDBedit.

6. Find endpoint_vpn_implicit_disconnect_timeout and set it to 1.

7. Click Save.

8. Install the policy.

Configuring Entry Point Choice

Configure how the client will choose a gateway from the multiple list of entry points.

First to Respond - The first Gateway to reply is chosen and the VPN tunnel is between that gateway and the client. The client asks for a response for each connection.

Defining MEP Method

Recommendation: If you have multiple gateways that are geographically distant. For example, an organization has three gateways: London, Sundsvall, and Paris. Usually, the London Gateway responds first to clients in England and is their entry point to the internal network. If the London gateway goes down, these users access the network through the Paris or Sundsvall gateway that responds first.

Primary-Backup - One or multiple auxiliary Gateways give high availability for a primary Gateway. Endpoint Security VPN is configured to connect with the primary Gateway, but switches to a Backup Gateway if the Primary goes down. Recommendation: If you have multiple gateways, and one is stronger or connects faster. Set the stronger machine as the primary. Clients use the backup if the primary is unavailable.

Load Distribution - Endpoint Security VPN randomly selects a Gateway. Recommendation: If you have multiple gateways of equal performance. The traffic of Endpoint Security VPN clients is shared between the gateways. Each client creates a tunnel with a random, available gateway.

Geo-Cluster Name Resolution - By default, Endpoint Security VPN resolves Gateway DNS names for all connections. Optionally, you can store IP addresses in a cache. This can improve performance by preventing repetitive DNS name resolution.

To enable DNS IP address cache:

1. On the Gateway, open $FWDIR/conf/trac_client_1.ttm.

2. Change the :default attribute, located in the :enable_gw_resolving attribute, to false.

:enable_gw_resolving ( :Gateway ( :map ( :false (false) :true (true) :client_decide (client_decide)

)

:default (false)

)

)

3. Save the file.

4. Install the policy.

Defining MEP Method

MEP configuration can be implicit or manual.

Implicit - MEP methods and gateway identities are taken from the topology and configuration of gateways that are in fully overlapping encryption domains or that have Primary-Backup gateways.

Manual - You can edit the list of MEP Gateways in the Endpoint Security VPN TTM file.

Whichever you choose, you must set the Endpoint Security VPN configuration file to identify the configuration.

To define MEP topology:

1. Open the $FWDIR/conf/trac_client_1.ttm configuration file.

2. Make sure that enable_gw_resolving is true.

3. Set the value of automatic_mep_topology

true - implicit configuration

false - manual configuration

4. Save the file.

5. Install the policy.

Implicit MEP

Implicit MEP

With Implicit MEP, the configurations of the gateways are used to make the VPN connections. Gateways are configured differently for each MEP method.

Before you begin, make sure that $FWDIR/conf/trac_client_1.ttm has:

enable_gw_resolving (true)

automatic_mep_topology (true)

Configuring Implicit First to Respond

When more than one Gateway leads to the same (overlapping) VPN domain, they are in a MEP configuration. The first Gateway to respond is chosen. To configure first to respond, define that part of the network that is shared by all the Gateways into a single group and assign that group as the VPN domain.

To configure First to Respond MEP:

1. Open SmartDashboard > Global Properties.

2. Open Remote Access > VPN Basic.

3. Make sure that Load Distribution is not selected.

. 3. Make sure that Load Distribution is not selected. 4. Click OK . 5. For

4. Click OK.

5. For each gateway, open the properties window > Topology.

6. In the VPN Domain section, click Manually Defined and select the same VPN Domain for all Gateways.

7. Click OK.

8. Install the policy.

Configuring Implicit Primary-Backup

Configure the VPN Domain that includes the Primary Gateway and another domain that includes only the backup gateways. Configure each gateway as either the Primary gateway or a backup gateway.

To configure the primary gateway:

1. Open Global Properties window > VPN > Advanced, select Enable Backup Gateway.

> VPN > Advanced , select Enable Backup Gateway . 2. In the network objects tree,

2. In the network objects tree, Groups section, create a group of Gateways to act as backup Gateways.

3. Open the VPN properties of the Primary Gateway:

NGX R65 and R70: gateway properties > VPN

R71: gateway properties >IPSec VPN

Implicit MEP

4. Select Use Backup Gateways, and select the group of backup Gateways.

Backup Gateways , and select the group of backup Gateways. This Gateway is the primary Gateway

This Gateway is the primary Gateway for this VPN domain.

5. For each backup Gateway, make a VPN domain that does not include IP addresses that are in the Primary VPN domain or the other backup domains. If the backup gateway already has a VPN domain, you must make sure that its IP addresses do not overlap with the other VPN domains.

a) Create a group of IP addresses not in the other domains, or a group that consists of only the backup gateway.

b) On the Properties window of the backup network object > Topology > VPN Domain section, select Manually defined.

c) Select the group.

6. Click OK.

7. Install the policy.

Configuring Implicit Load Distribution

To configure implicit MEP for random gateway selection:

1. Open SmartDashboard > Global Properties.

2. Open Remote Access > VPN Basic.

3. Select Enable load distribution for Multiple Entry Point configurations.

4. Click OK.

5. For each gateway, open the properties window > Topology.

6. In the VPN Domain section, click Manually Defined and select the same VPN Domain for all Gateways.

7. Click OK.

8. Install the policy.

Manual MEP

Manual MEP

For SecureClient, the gateways have to belong to the same VPN domain for MEP to function. For Endpoint Security VPN, the gateways do not have to belong to the same VPN domain. The gateways are configured in the TTM file.

To configure the Gateways for MEP:

1. On a Gateway, open $FWDIR/conf/trac_client_1.ttm.

2. Search for the enable_gw_resolving attribute:

:enable_gw_resolving ( :gateway ( :default (true)

)

)

3. Make sure the attribute is set to its default value: true.

4. Search for the automatic_mep_topology attribute, and make sure its value is false.

5. Manually add the mep_mode attribute:

:mep_mode (

:gateway ( :default (xxx)

)

)

Where xxx is a valid value:

dns_base

first_to_respond

primary_backup

load_sharing

6. Manually add the ips_of_gws_in_mep attribute:

:ips_of_gws_in_mep ( :gateway ( :default (192.168.53.220&#192.168.53.133&#)

)

)

These are the IP addresses the client should try.

IP addresses are separated by an ampersand and hash symbol (&#)

The last IP address in the list has a final &#.

7. Save the file.

8. Install the policy.

Making a Desktop Rule for MEP

To use MEP, traffic to multiple sites in the encryption domain must be allowed. But the Desktop Policy sets the main site as the default Destination for outbound traffic. You must make sure that your policy allows traffic to the gateways in the encryption domain.

To add the MEP Rule:

1. In SmartDashboard, open the Desktop tab.

2. In Outbound rules, add a new rule:

Destination - a Group network object that contains all gateways in the encryption domain.

Service - the Visitor Mode service (default is 443), the NAT-T port (default is 4500 UDP), and HTTP.

Action - Allow.

Appendix B

Differences between SecureClient and Endpoint Security VPN CLI

This table shows common tasks and how to perform them with SecureClient or Endpoint Security VPN command line. N/A indicates that the task cannot be performed with the CLI.

Task

SecureClient

Endpoint Security VPN

Asynchronous Connect

connectwait <profilename>

N/A

Change P12 Certificate Password

N/A

change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]

Connect to Site

connect [-p] <profilename>

connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | - pin <PIN> -sn <serial>]

Create / Add Site

add <sitename>

create -s <sitename> [-a <authentication method>]

Delete Site

delete <sitename>

delete -s <sitename>

Disconnect from Site

disconnect

disconnect

Display Connection Status

status

N/A

Enable / Disable Hotspot Registration

sethotspotreg <on | off>

N/A

Enable / Disable Policy

setpolicy [on | off]

N/A

Enroll ICA CAPI Certificate

icacertenroll <site IP/name> <registration key> <file path> <password>

enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection>

]

Enroll ICA P12 Certificate

N/A

enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]

Get Site Name / IP

getsite <profilename>

info [-s <sitename>]

List Profiles

listprofiles

N/A

List Domain Names Stored in the CAPI

N/A

list

Print Log Messages

N/A

log

Renew CAPI Certificate

N/A

renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection>

]

Making a Desktop Rule for MEP

Task

SecureClient

Endpoint Security VPN

Renew P12 Certificate

N/A

renew_p12 -s <sitename> -f <filename> -p <password> [ -l <keylength>]

Restart VPN Services

restartsc

N/A

Set Certificate File / Password

passcert <password> <certificate>

See Connect to Site

Set Username / Password

userpass <username> <password>

See Connect to Site

Show Number of Profiles

numprofiles

N/A

Show VPN Client Version

version

ver

Start VPN Client Services

startsc

start

Stop VPN Client Services

stopsc

stop

Suppress UI Dialog Messages

suppressdialogs [on | off]

N/A

Unset User Credentials

erasecreds

N/A

Update Topology

update <profilename>

N/A