
13 September 2011

Remote Access Clients E75.20

Upgrading from SecureClient/SecuRemote NGX on NGX R65 SmartCenter Server

© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12325

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Revision History

Date Description

13 September 2011 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Remote Access Clients E75.20 Upgrading from SecureClient/SecuRemote NGX on NGX R65 SmartCenter Server ).

Contents

Important Information 3
Introduction to Remote Access Clients 5
    Overview of Remote Access Clients 5
        Endpoint Security VPN 5
        Check Point Mobile for Windows 5
        SecuRemote client 6
    Upgrading on Different Management Servers 6
    Why You Should Upgrade to Remote Access Clients 6
    Before Upgrading to Remote Access Clients 7
        Supported Gateways and Servers 7
        New Remote Access Clients Features 7
        SecureClient Features Supported in Remote Access Clients 8
        SecureClient Features Not Yet Supported 10
Configuring Gateways to Support Remote Access Clients 11
    Installing the Remote Access Clients Hotfix 11
    Configuring for Endpoint Security VPN and Check Point Mobile for Windows 11
    Configuring SmartDashboard for SecuRemote client 15
    Supporting Endpoint Security VPN and SecureClient Simultaneously 17
    Troubleshooting Dual Support 19
The Configuration File 20
    Editing the TTM File 20
    Customized Settings 20
    Centrally Managing the Configuration File 21
    Understanding the Configuration File 21
        Configuration File Parameters 22
    Migrating Secure Configuration Verification 24
Differences between SecureClient and Endpoint Security VPN CLI 25

Chapter 1

Introduction to Remote Access Clients

In This Chapter

Overview of Remote Access Clients 5

Upgrading on Different Management Servers 6

Why You Should Upgrade to Remote Access Clients 6

Before Upgrading to Remote Access Clients 7

Overview of Remote Access Clients

Remote Access Clients provide a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel. Check Point offers 3 enterprise-grade flavors of Remote Access to fit a wide variety of organizational needs.

The clients offered in this release are:

Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.

Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed machines.

SecuRemote client - A secure, yet limited-function IPsec VPN client, primarily targeted for small organizations that require very few remote access clients.

For complete information about deploying and using Remote Access Clients, see the Remote Access Clients E75.20 Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Endpoint Security VPN

Replaces SecureClient and Endpoint Connect.

Enterprise Grade Remote Access Client with Desktop firewall and compliance checks.

Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of Anti-virus, Windows updates, and other system components.

Integrated desktop firewall, centrally managed from SmartCenter server.

In-place upgrade from Endpoint Security VPN R75.

In-place upgrade from Endpoint Connect R73.

Requires the IPSec VPN Software Blade on the gateway, and an Endpoint Container license and Endpoint VPN Software Blade on the SmartCenter server.

Check Point Mobile for Windows

New Enterprise Grade Remote Access Client.

Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of antivirus, Windows updates, and other system components.

Requires IPSec VPN and SSL VPN Software Blades on the gateway.

SecuRemote client

Replaces the NGX SecuRemote client.

Basic remote access functionality.

Unlimited number of connections for Security Gateways with the IPsec VPN blade.

Requires an IPSec VPN Software Blade on the gateway.

It is a free client and does not require additional licenses.

Upgrading on Different Management Servers

Environments with SecureClient or NGX SecuRemote client already deployed can be easily upgraded to Remote Access Clients. The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have.

This guide is for the NGX R65 SmartCenter server, NGX R65.70 or higher. Guides for other management servers are available at sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209).

For R70 SmartCenter server, R70.40 or higher, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R70.

For R71 SmartCenter server, R71.30 or higher, or R75 SmartCenter server, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R71 or R75.

Why You Should Upgrade to Remote Access Clients

Check Point recommends that all customers upgrade from SecureClient or Endpoint Connect to Remote Access Clients as soon as possible, to have these enhancements.

Automatic and transparent upgrades, with no administrator privileges required

Supports 32-bit and 64-bit, Windows Vista and Windows 7

Uses less memory resources than SecureClient

Automatic disconnect/reconnect as clients move in and out of the network

Seamless connection experience while roaming

Supports most existing SecureClient features, including Secondary Connect, Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection.

Supports many additional new features

Does not require a SmartCenter server upgrade

Remote Access Clients can coexist with SecureClient and NGX SecuRemote client on client systems during the upgrade period.

Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Remote Access Clients

Before upgrading, consider these issues.

Supported Gateways and Servers

See the Remote Access Clients Release Notes for information about supported Gateway and SmartCenter server versions.

New Remote Access Clients Features

This table describes new features in Remote Access Clients and on which Remote Access Clients they are available.

Columns: Feature, Description, Endpoint Security VPN, Check Point Mobile for Windows, SecuRemote client

Hotspot Detection and Registration: Automatically detects hotspots that prevent the client system from establishing a VPN tunnel. Opens a mini-browser to allow the user to register to the hotspot and connect to the VPN gateway. Firewall support for hotspots.

Automatic Connectivity Detection: Automatically detects whether the client is connected to the Internet or LAN.

Automatic Certificate Renewal in CLI Mode: Supports automatic certificate renewal, including in CLI mode.

Location Awareness: Automatically determines if client is inside or outside the enterprise network.

Roaming: Maintains VPN tunnel if client disconnects and reconnects using different network interfaces.

Automatic and Transparent Upgrade Without Administrator Privileges: Updates the client system securely and without user intervention.

Windows Vista / Windows 7 64 Bit Support: Supports the latest 32-bit and 64-bit Windows operating systems.

Automatic Site Detection: During first time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.


Geo Clusters: Connect client system to the closest VPN gateway based on location.

Machine Idleness: Disconnect VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.

Flush DNS Cache: Remove previous DNS entries from the DNS cache when creating VPN tunnel.

Dead Gateway Detection: Tests that the Security Gateway is active by sending tunnel test packets.

Automatic Connectivity Detection: Automatically detects whether the client is connected to the Internet or LAN. If the network connection is lost, the client seamlessly reconnects without user intervention.

SecureClient Features Supported in Remote Access Clients

This table describes features in Remote Access Clients that existed in SecureClient, and on which Remote Access Clients they are available.

Columns: Feature, Description, Endpoint Security VPN, Check Point Mobile for Windows, R75 SecuRemote client

Authentication Methods: Username/Password; Certificate - CAPI/P12; SecurID (passcode, softID, key fobs); Challenge Response; SAA.

Cached Credentials: Cache credentials for user login.

NAT-T and Visitor Mode: Let users connect from any location, such as a hotel, airport, or branch office.

Multiple Entry Point (MEP): Provides gateway High Availability and Load Sharing and lets the Remote Access Clients connect to the VPN from multiple gateways.

Secondary Connect: Gives access to multiple VPN gateways at the same time, to transparently connect users to distributed resources.

Pre-Configured Client Packaging: Predefined client installation package with configurations for easy provisioning.

Office Mode: Internal IP address for remote access VPN users.


Extended DHCP Parameters: When using Office Mode from a DHCP server, the gateway sends data that it got from the client to the DHCP server in the correct format - Hostname, FQDN, Vendor Class, and User Class.

Compliance Policy - Secure Configuration Verification (SCV): Verifies client system policy compliance before allowing remote access to internal network.

Proxy Detection: Detect proxy settings in client system web browsers for seamless connectivity.

Hub Mode: Send all traffic from the client system through the VPN gateway.

Localization: Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, Spanish.

Certificate Enrollment and Renewal: Automatic enrollment and renewal of certificates issued by Check Point Internal CA server.

CLI and API Support: Manage client with third party software.

Tunnel Idleness Detection: Disconnect VPN if there is no traffic for a specified duration.

Dialup: Support dialup connections.

Smart Card Removal Detection: Detects when the Smart Card is removed and closes the active VPN tunnel.

Re-authentication: After specified duration, user is asked for re-authentication.

Keep-alive: Send keep-alive messages from client to the VPN gateway to maintain the VPN tunnel.

Check Gateway Certificate in CRL: Validate VPN gateway certificate in the CRL list.

Desktop Firewall: Personal firewall integrated into the client, managed with the SmartDashboard desktop policy. Logs are shown in SmartView Tracker.


Configuration File Corruption Recovery: Recover corrupted configuration files.

Secure Domain Logon (SDL): Establish VPN tunnel prior to user login.

End-user Configuration Lock: Prevent users from changing the client configuration.

Update Dynamic DNS with the Office Mode IP: Assign an internal IP address for remote access VPN users in the Dynamic DNS.

SmartView Monitor: Monitor VPN tunnel and user statistics with SmartView Monitor.

Post Connect Script: Execute manual scripts before and after VPN tunnel is established.

Secure Authentication API (SAA): Integrate with third party authentication providers.

Split DNS: Support multiple DNS servers.

VPN Connectivity to VPN-1 VSX: Terminate VPN tunnel at Check Point VSX gateways.

DHCP Automatic Lease Renewal

SecureClient Features Not Yet Supported

These features of SecureClient are not supported by Remote Access Clients. Many of these features are expected to be supported in the next release.

Columns: Feature, Description

Single Sign-on (SSO): One set of credentials to log in to both VPN and Windows operating system.

Entrust Entelligence Support: Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption.

Diagnostic Tools: Tools for viewing logs and alerts.

"No Office Mode" Connect Mode: Connect to the VPN gateway without requiring Office Mode.

Pre-shared secret: Authentication method that uses a pre-shared secret.

Link Selection: Multiple interface support with redundancy.


Chapter 2

Configuring Gateways to Support Remote Access Clients

In This Chapter

Installing the Remote Access Clients Hotfix 11

Configuring for Endpoint Security VPN and Check Point Mobile for Windows 11

Configuring SmartDashboard for SecuRemote client 15

Supporting Endpoint Security VPN and SecureClient Simultaneously 17

Troubleshooting Dual Support 19

Installing the Remote Access Clients Hotfix

To learn how to install the Remote Access Clients Hotfix on gateways, see the Remote Access Clients E75.20 Administration Guide.

Configuring for Endpoint Security VPN and Check Point Mobile for Windows

You manage Remote Access Clients through the SmartDashboard. This task explains how to set up the SmartDashboard to access configurations required for Endpoint Security VPN and Check Point Mobile for Windows. Before you begin, make sure you have a network for Office Mode allocation.

To configure SmartDashboard for Endpoint Security VPN or Check Point Mobile for Windows:

1. Set the Gateway to be a policy server:

a) In the Network Objects Tree, right click the Gateway and select Edit.


The Check Point Gateway - General Properties window opens.

b) In Check Point Products, select SecureClient Policy Server.

c) Open Authentication.


d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the policy.

2. Configure Visitor Mode:

a) Open Remote Access.

b) In Visitor Mode configuration, select Support Visitor Mode.

3. Configure Office Mode:

Note - Office Mode is not available for SecuRemote client.


a) Open Remote Access > Office Mode.

b) In Office Mode Method, select Manual (using IP pool).

If you have a gateway cluster, allocate IP addresses for each cluster member. Do this in Gateway Cluster Properties. For each cluster:

(i) Click Edit.

(ii) In the VPN tab, select Offer Manual Office Mode and then select IP Addresses.

c) In Allocate IP addresses from network, select the network for Office Mode allocation.

4. Click OK.

5. Make sure that the Gateway is in the Remote Access community:

a) Select Manage > VPN Communities.

The VPN Communities window opens.

b) Double-click RemoteAccess.

The Remote Access Community Properties window opens.


c) Open Participating Gateways.

d) If the Gateway is not already in the list of participating gateways: click Add, select the Gateway from the list of gateways, and click OK.

e) Click OK.

f) Click Close.

6. For Endpoint Security VPN only, make sure that the desktop policy is configured correctly (Desktop tab).

7. Install the policy (Policy menu > Install).

Configuring SmartDashboard for SecuRemote client

You manage SecuRemote client through the SmartDashboard. This task explains how to set up the SmartDashboard to access SecuRemote client configurations.

Note - If you already configured SmartDashboard for Endpoint Security VPN and Check Point Mobile for Windows, these procedures are not necessary.

To configure SmartDashboard for Endpoint Security VPN:

1. On the gateway, configure Visitor Mode, if it is not already configured:


a) In the left navigation tree, select Remote Access.

The Remote Access window opens.

b) In Visitor Mode configuration, select Support Visitor Mode.

2. Office mode is not supported in SecuRemote client. On the Remote Access > Office Mode page, you can select Do not offer Office Mode. If you select a different option, it is ignored for SecuRemote client.

3. Make sure that the Gateway is in the Remote Access community:

a) Select Manage > VPN Communities.

The VPN Communities window opens.

b) Double-click RemoteAccess.

The Remote Access Community Properties window opens.


In the left navigation tree, select Participating Gateways.

c) If the Gateway is not already in the list of participating gateways: click Add, select the Gateway from the list of gateways, and click OK.

d) Click OK.

e) Click Close.

4. Install the policy.

Supporting Endpoint Security VPN and SecureClient Simultaneously

To run Remote Access Clients along with SecureClient or NGX SecuRemote client on client systems, you must configure the server and the gateways that will manage these remote access clients.

Before you start the configuration, make sure that the encryption domains of all of the gateways are the same. Also make sure that all gateways give connectivity to the same resources.

To configure the gateways in SmartDashboard for management of Remote Access Clients and NGX clients:

1. For Check Point Mobile for Windows and SecuRemote client, start with step 2.

For Endpoint Security VPN only, on the Desktop tab, add this rule to make sure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:


UDP 18231

UDP 18233

UDP 2746 for UDP Encapsulation

UDP 500 for IKE

TCP 500 for IKE over TCP

TCP 264 for topology download

UDP 259 for MEP configuration

UDP 18234 for performing tunnel test when the client is inside the network

UDP 4500 for IKE and IPSEC (NAT-T)

TCP 18264 for ICA certificate registration

TCP 443 for Visitor Mode

TCP 80

2. Open Policy menu > Global Properties.

The Global Properties window opens.

3. Open Remote Access > VPN - Advanced.

4. Select Sent in clear.

5. Click OK.

6. Select Policy > Install.


Troubleshooting Dual Support

If SecureClient blocks Remote Access Clients traffic:

1. Make sure that you selected Remote Access > VPN - Advanced > Sent in clear.

2. Choose how you want to solve this issue.

If users manage their own clients: they can delete the SecureClient site.

Note - It is not enough to disable the site. It must be deleted.

To solve this issue for all clients, change the Desktop rule base. In the Outbound Rules, add these rules above the rule that blocks the connection:

a) Allow traffic to the Endpoint Security VPN Gateway.

Desktop = All Users

Destination = Endpoint Security VPN Gateway

Service = http, https, IKE_NAT_TRAVERSAL

Action = Accept

b) Allow users to access the encryption domain.

Desktop = All Users

Destination = The encryption domain. In the example this is the FTP server.

Service = The protocol necessary to reach the encryption domain. In the example this is FTP.

Action = Accept

c) Install the policy.

To uninstall NGX Clients:

If you install Remote Access Clients after SecureClient or NGX SecuRemote client, and you want to uninstall the NGX client, you cannot do it from Add/Remove Programs. You must open the Uninstall SecureClient or NGX SecuRemote client program from Start > Programs.

To remotely uninstall SecureClient with a script, run: UninstallSecureClient.exe from the SecureClient installation directory.


Chapter 3

The Configuration File

Policy is defined on each gateway in the trac_client_1.ttm configuration file located in the $FWDIR/conf directory.

In This Chapter

Editing the TTM File 20

Customized Settings 20

Centrally Managing the Configuration File 21

Understanding the Configuration File 21

Migrating Secure Configuration Verification 24

Editing the TTM File

When the client connects to the gateway, the updated policy is downloaded to the client and written in the trac.config file.

If you make changes in the trac_client_1.ttm file of a gateway, you must install the policy on each changed gateway.

Note - When you edit the configuration file, do not use a DOS editor, such as WordPad or Microsoft Word, which change the file formatting.

The TTM file must stay in UNIX format. If you do convert the file to DOS, you must convert it back to UNIX. You can use the dos2unix command, or open it in an editor that can save it in a UNIX format.

To activate changes in the TTM file:

1. Edit and save the file.

2. Install the policy from SmartDashboard or the CLI of each gateway:

In SmartDashboard, select Policy > Install and install Network Security on each changed gateway.

Run cpstop and cpstart from the CLI of each changed gateway.

Important - If you use Secondary Connect or MEP, make sure that the TTM files on all gateways have the same settings.

Customized Settings

If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the new $FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from its default settings. The new defaults, in the new file, are recommended for this installation.

You must not overwrite the new trac_client_1.ttm with the old one. The new file has added parameters that are necessary for Remote Access Clients operations.

To move customized settings to an upgraded gateway:

1. See the difference in parameter values between the customized file and the new trac_client_1.ttm file.


Important - When copying settings from the backup TTM file, make sure not to copy the connect_timeout parameter. If you do copy it, the clients cannot connect.

2. For parameters that are in both files, you can copy the value from the customized file to the new trac_client_1.ttm.

Important - Make sure that you do not copy parameters or values that you did not manually change. The new file has changed, added, and deleted parameters that are necessary.

3. Save the file.

4. Install the policy on each changed gateway.

Centrally Managing the Configuration File

If the configuration file on each gateway is identical, you can manage one copy of the configuration file on the SmartCenter server. This file is copied to the gateways when you install the policy.

Important - You must use the newest configuration file installed on the gateway for Remote Access Clients. If you do not install the newest configuration file on the SmartCenter server, the server will have an outdated configuration file that does not support new features.

To centrally manage the configuration file:

1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.

2. From the gateway, copy trac_client_1.ttm to the server.

3. Open $FWDIR/conf/fwrl.conf and find the % SEGMENT FILTERLOAD section.

4. In the NAME section, add this line:

NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;

This copies the file to the Remote Access Clients gateways each time that you install the Policy on the gateways.

5. Save the file.

6. In SmartDashboard, install the policy on all gateways.

When clients download the new policy from the gateway, configuration changes are applied.

Understanding the Configuration File

The trac_client_1.ttm file contains sets that look like this:

    :attribute (
        :gateway ()
        :ext ()
        :map ()
        :default ()
    )

attribute - The name of the attribute on the client side. This is in trac.defaults on the client.

gateway - The name of the attribute on the gateway side. This is in objects.c on the SmartCenter server. Look in the objects.c file to see what the defined behavior is on the gateway side. The name of the attribute is only written here if it is different than the name on the client side. If there is no value for gateway, the name of the attribute is the same in trac.defaults and objects.c.

ext - If present, it is a hard coded function that is defined and done on the gateway. Do not change it. This function can be done in addition to the function defined for the attribute on the client or gateway side.

map - Contains the valid values this attribute can have.


default - The value here is downloaded to the client if the gateway attribute was not found in objects.c. If the value is client_decide, the value is defined on the client computer, either in the GUI or in the trac.defaults file on each client.

The behavior for each attribute is decided in this way:

1. If the attribute is defined for the gateway in the objects.c file on the SmartCenter server, that value is used.

2. If the attribute is NOT defined for a gateway in the objects.c file, the behavior for the attribute is taken from the default value.

3. If the default value is client_decide or empty, the behavior is taken from the client.

If the attribute is configured in the client GUI, it is taken from there.

If the attribute is not configured in the client GUI, it is taken from the trac.defaults file on each client.

Example:

    :enable_password_caching (
        :gateway ()
        :default (client_decide)
    )

enable_password_caching is the name of the attribute in trac.defaults and objects.c. Search the objects.c file on the SmartCenter server to see if it is defined for the gateway.

If the attribute is defined for the gateway, that behavior is used.

If the attribute is NOT defined for a gateway, the default value is used. Because the default value is client_decide, the setting is taken from each client.
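The set layout and the three resolution rules above, together with the Customized Settings procedure earlier in this chapter (copying :default values from a backup TTM file while never copying connect_timeout), as an added worked example in Python. This is not Check Point code: the two TTM files are constructed samples in the flat layout shown in this guide, flush_dns_cache_gw is a placeholder gateway-side name, and objects.c, the client GUI settings and trac.defaults are represented as plain dictionaries rather than parsed from the real files. The parser also refuses a file with DOS line endings, matching the UNIX-format note in Editing the TTM File.

```python
import re

# Constructed sample of a new $FWDIR/conf/trac_client_1.ttm (not the shipped file);
# flush_dns_cache_gw is a placeholder gateway-side name.
NEW_TTM = """\
:enable_password_caching (
    :gateway ()
    :default (client_decide)
)
:enable_firewall (
    :gateway ()
    :default (true)
)
:connect_timeout (
    :gateway ()
    :default (10)
)
:flush_dns_cache (
    :gateway (flush_dns_cache_gw)
    :default (false)
)
"""

# Constructed backup of a customized TTM file from the previous installation.
OLD_TTM = """\
:enable_password_caching (
    :gateway ()
    :default (false)
)
:enable_firewall (
    :gateway ()
    :default (client_decide)
)
:connect_timeout (
    :gateway ()
    :default (5)
)
"""

SET_START = re.compile(r":(\w+)\s*\(\s*$")     # ":name ("  opens a set
FIELD = re.compile(r":(\w+)\s*\((.*)\)\s*$")    # ":default (client_decide)"
NEVER_COPY = {"connect_timeout"}                # copying it from the backup stops clients connecting

def parse_ttm(text):
    """Return {attribute: {field: value}} for the flat sets shown in this guide."""
    if "\r" in text:   # the file must stay in UNIX format
        raise ValueError("DOS line endings found; convert the file back with dos2unix")
    sets, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        field, start = FIELD.match(line), SET_START.match(line)
        if field and current is not None:
            sets[current][field.group(1)] = field.group(2).strip()
        elif start:
            current = start.group(1)
            sets[current] = {}
        elif line == ")":
            current = None
        else:
            raise ValueError(f"unexpected line in TTM file: {line!r}")
    return sets

def dump_ttm(sets):
    """Write the sets back in the same layout with UNIX line endings."""
    lines = []
    for name, spec in sets.items():
        lines.append(f":{name} (")
        lines.extend(f"    :{field} ({value})" for field, value in spec.items())
        lines.append(")")
    return "\n".join(lines) + "\n"

def merge_customized(old, new):
    """Copy :default values from the customized backup into the new sets, only for parameters
    in both files and never connect_timeout; also return the names copied for review."""
    merged = {name: dict(spec) for name, spec in new.items()}
    copied = []
    for name, spec in old.items():
        if name in NEVER_COPY or name not in merged:
            continue
        if spec.get("default") != merged[name].get("default"):
            merged[name]["default"] = spec.get("default", "")
            copied.append(name)
    return merged, copied

def resolve(attr, sets, objects_c, client_gui, trac_defaults):
    """Effective value and its source, following the three rules above (dicts stand in for the files)."""
    spec = sets[attr]
    gw_name = spec.get("gateway") or attr        # gateway-side name differs only if :gateway is set
    if gw_name in objects_c:                     # 1. defined for the gateway in objects.c
        return objects_c[gw_name], "objects.c"
    default = spec.get("default", "")
    if default and default != "client_decide":   # 2. the :default value in the TTM file
        return default, "default"
    if attr in client_gui:                       # 3. client_decide or empty: client GUI first,
        return client_gui[attr], "client GUI"
    return trac_defaults.get(attr), "trac.defaults"   #    then trac.defaults on each client

if __name__ == "__main__":
    merged, copied = merge_customized(parse_ttm(OLD_TTM), parse_ttm(NEW_TTM))
    print("review before installing the policy:", copied, dump_ttm(merged), sep="\n")
```

Run it as a script to print the merged file and the list of parameters whose :default was taken from the backup. Review that list against what you actually changed before installing the policy: the script cannot tell a deliberate customization from an old default that the new file has since changed, which is exactly the case the Important note in Customized Settings warns about.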

Configuration File Parameters

This table shows some of the parameters of the TTM file.

Columns: Parameter, Description, Recommended value for :default ()

allow_disable_firewall: Show a menu option for user to enable or disable the desktop firewall. Applied only if enable_firewall is true or client_decide. Recommended: false

certificate_key_length: Certificate enrollment settings. Recommended: 1024

certificate_strong_protection: Certificate enrollment settings. Recommended: true

certificate_provider: Certificate enrollment settings. Recommended: "Microsoft Enhanced Cryptographic Provider v1.0"

internal_ca_site: Certificate enrollment settings. Recommended: none

internal_ca_dn: Certificate enrollment settings. Recommended: none

default_authentication_method: Default authentication method. If this value exists, users do not select an authentication method when they create sites. Recommended: none

disconnect_on_smartcard_removal: Enable/disable client disconnection when Smart Card with current certificate is removed. Recommended: false


do_proxy_replacement - Enable/disable proxy replacement. Recommended: true

enable_capi - Enable/disable CAPI authentication. Recommended: true

enable_firewall - Enable/disable the desktop firewall: true, false, or client_decide. Recommended: true

enable_gw_resolving - Enable/disable DNS resolution on each connection. Used for MEP. Recommended: true

flush_dns_cache - Enable/disable flushing the DNS cache while connecting. Recommended: false

hotspot_detection_enabled - Enable/disable automatic hotspot detection. Recommended: true

automatic_mep_topology - Enable/disable the implicit (automatic) MEP method. False - manual MEP method. Recommended: true

ips_of_gws_in_mep - Gateway IP addresses for clients to connect to. Applied only if automatic_mep_topology is false. Addresses are separated by "&#", and the list is terminated by a final "&#": NNN.NNN.NNN.NNN&#MMM.MMM.MMM.MMM&# Recommended: none

mep_mode - MEP mode, the priority of the gateways defined in ips_of_gws_in_mep. Applied only if automatic_mep_topology is false. Valid values: dns_based, first_to_respond, primary_backup, load_sharing. Recommended: dns_based

predefined_sites_only - Enable/disable the user's ability to create or modify sites. Recommended: false

send_client_logs - Email addresses to which debug logs are sent. Recommended: none

suspend_tunnel_while_locked - Enable/disable traffic suspension if the machine becomes inactive (due to lock or sleep) for a specified duration. Recommended: false

tunnel_idleness_ignore_icmp - Enable/disable monitoring of ICMP packets to see if a tunnel is active. Recommended: true

tunnel_idleness_ignored_tcp_ports - TCP ports that are not monitored to determine if a tunnel is active. Recommended: none

tunnel_idleness_ignored_udp_ports - UDP ports that are not monitored to determine if a tunnel is active. Recommended: 53&#137&#138&#


tunnel_idleness_timeout - Time, in minutes, after which a client closes an inactive tunnel. Zero (0) - the feature is disabled; the VPN tunnel never closes due to inactivity. Recommended: 0
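The three-step precedence described under the default attribute, and the "&#"-separated list format used by ips_of_gws_in_mep and tunnel_idleness_ignored_udp_ports in the table, as an added Python example (not Check Point's code; the TTM sample text and the 192.0.2.x addresses are constructed, and the parser assumes the ":name ( ... )" block syntax shown in this guide):

```python
import re

# Constructed sample of TTM attribute blocks in the ":name ( ... )" syntax
# shown in this guide (example data, not the file shipped with the client).
TTM_SAMPLE = """
:enable_password_caching (
    :gateway ()
    :default (client_decide)
)
:ips_of_gws_in_mep (
    :gateway ()
    :default (192.0.2.10&#192.0.2.11&#)
)
"""

def parse_ttm_defaults(text):
    """Map each top-level attribute to the value inside its :default ( ) section.
    Depth is the count of unbalanced '(' before the token, so nested sections
    such as :gateway ( :map (...) ) do not confuse the attribute name."""
    defaults, current = {}, None
    for m in re.finditer(r":(\w+)\s*\(([^():]*)", text):
        depth = text[:m.start()].count("(") - text[:m.start()].count(")")
        if depth == 0:
            current = m.group(1)
        elif depth == 1 and m.group(1) == "default" and current:
            defaults[current] = m.group(2).strip()
    return defaults

def split_amp_list(value):
    """Split a '&#'-separated, '&#'-terminated list such as ips_of_gws_in_mep;
    'none' or an empty value means no entries."""
    if value in ("", "none"):
        return []
    return [item for item in value.split("&#") if item]

def resolve(attr, gateway_values, ttm_defaults, client_gui, trac_defaults):
    """Apply the guide's precedence and return (value, source). gateway_values
    stands for what objects.c defines for the gateway; client_gui and
    trac_defaults stand for the two client-side sources."""
    if attr in gateway_values:                       # 1. objects.c wins
        return gateway_values[attr], "objects.c"
    default = ttm_defaults.get(attr, "")
    if default not in ("client_decide", ""):         # 2. TTM :default ( ) value
        return default, "ttm default"
    if attr in client_gui:                           # 3a. client GUI setting
        return client_gui[attr], "client GUI"
    return trac_defaults.get(attr), "trac.defaults"  # 3b. trac.defaults file
```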

Migrating Secure Configuration Verification

SecureClient uses SCV compliance checks, as do Endpoint Security VPN and Check Point Mobile for Windows. These SecureClient compliance checks are ignored by the Endpoint Security VPN client and Check Point Mobile for Windows:

user_policy_scv - This SCV check tests if SecureClient is logged in to a Policy Server. Endpoint Security VPN and Check Point Mobile for Windows do not log in to a Policy Server, so this check is not necessary.

sc_ver_scv - This SCV Check tests for the version of SecureClient. Currently, there is no SCV check for the version of Endpoint Security VPN or Check Point Mobile for Windows.

ckp_scv - This SCV Check is not supported for Endpoint Security VPN or Check Point Mobile for Windows.


Chapter 4

Differences between SecureClient and Endpoint Security VPN CLI

This table shows common tasks and how to perform them with the SecureClient or Remote Access Clients E75.20 command line. N/A indicates that the task cannot be performed with the CLI.

Each task lists the SecureClient command and the Remote Access Clients E75.20 command.

Asynchronous Connect
  SecureClient: connectwait <profilename>
  E75.20: N/A

Change P12 Certificate Password
  SecureClient: N/A
  E75.20: change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]

Connect to Site
  SecureClient: connect [-p] <profilename>
  E75.20: connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]

Create / Add Site
  SecureClient: add <sitename>
  E75.20: create -s <sitename> [-a <authentication method>]

Delete Site
  SecureClient: delete <sitename>
  E75.20: delete -s <sitename>

Disconnect from Site
  SecureClient: disconnect
  E75.20: disconnect

Display Connection Status
  SecureClient: status
  E75.20: N/A

Enable / Disable Hotspot Registration
  SecureClient: sethotspotreg <on | off>
  E75.20: N/A

Enable / Disable Policy
  SecureClient: setpolicy [on | off]
  E75.20: N/A

Enroll ICA CAPI Certificate
  SecureClient: icacertenroll <site IP/name> <registration key> <file path> <password>
  E75.20: enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]

Enroll ICA P12 Certificate
  SecureClient: N/A
  E75.20: enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]

Get Site Name / IP
  SecureClient: getsite <profilename>
  E75.20: info [-s <sitename>]

List Profiles
  SecureClient: listprofiles
  E75.20: N/A

List Domain Names Stored in the CAPI
  SecureClient: N/A
  E75.20: list

Print Log Messages
  SecureClient: N/A
  E75.20: log

Renew CAPI Certificate
  SecureClient: N/A
  E75.20: renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection> ]


Renew P12 Certificate
  SecureClient: N/A
  E75.20: renew_p12 -s <sitename> -f <filename> -p <password> [ -l <keylength> ]

Restart VPN Services
  SecureClient: restartsc
  E75.20: N/A

Set Certificate File / Password
  SecureClient: passcert <password> <certificate>
  E75.20: See Connect to Site

Set Username / Password
  SecureClient: userpass <username> <password>
  E75.20: See Connect to Site

Show Number of Profiles
  SecureClient: numprofiles
  E75.20: N/A

Show VPN Client Version
  SecureClient: version
  E75.20: ver

Start VPN Client Services
  SecureClient: startsc
  E75.20: start

Stop VPN Client Services
  SecureClient: stopsc
  E75.20: stop

Suppress UI Dialog Messages
  SecureClient: suppressdialogs [on | off]
  E75.20: N/A

Unset User Credentials
  SecureClient: erasecreds
  E75.20: N/A

Update Topology
  SecureClient: update <profilename>
  E75.20: N/A