Remote Access Clients E75.20
Upgrading from SecureClient/SecuRemote NGX on R70.40 Security Management
13 September 2011
Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12326
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).
Revision History
Date: 13 September 2011
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients E75.20 Upgrading from SecureClient/SecuRemote NGX on R70.40 Security Management).
Contents
Important Information
Introduction to Remote Access Clients
    Overview of Remote Access Clients
        Endpoint Security VPN
        Check Point Mobile for Windows
        SecuRemote client
    Upgrading on Different Management Servers R70
    Why You Should Upgrade to Remote Access Clients
    Before Upgrading to Remote Access Clients
        Supported Gateways and Servers
        New Remote Access Clients Features
        SecureClient Features Supported in Remote Access Clients
        SecureClient Features Not Yet Supported
Configuring Security Gateways to Support Remote Access Clients
    Installing the Remote Access Clients Hotfix
    Configuring Endpoint Security VPN and Check Point Mobile for Windows
    Configuring SmartDashboard for SecuRemote client
    Supporting Endpoint Security VPN and SecureClient Simultaneously
    Troubleshooting Dual Support
The Configuration File
    Editing the TTM File
    Customized Settings
    Centrally Managing the Configuration File
    Understanding the Configuration File
        Configuration File Parameters
    Migrating Secure Configuration Verification
Differences between SecureClient and Endpoint Security VPN CLI
Chapter 1
Introduction to Remote Access Clients

In This Chapter
Overview of Remote Access Clients
Upgrading on Different Management Servers R70
Why You Should Upgrade to Remote Access Clients
Before Upgrading to Remote Access Clients
Overview of Remote Access Clients
Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.
Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed machines.
SecuRemote client - A secure, yet limited-function IPsec VPN client, primarily targeted for small organizations that require very few remote access clients.
For complete information about deploying and using Remote Access Clients, see the Remote Access Clients E75.20 Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk65209).
Endpoint Security VPN
Enterprise Grade Remote Access Client with Desktop firewall and compliance checks.
Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of Anti-virus, Windows updates, and other system components.
Requires the IPSec VPN Software Blade on the gateway, and an Endpoint Container license and Endpoint VPN Software Blade on the Security Management server.

Check Point Mobile for Windows
Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of antivirus, Windows updates, and other system components.
Requires IPSec VPN and SSL VPN Software Blades on the gateway.

SecuRemote client
Unlimited number of connections for Security Gateways with the IPsec VPN blade.
Upgrading on Different Management Servers R70
For R71 Security Management server, R71.30 or higher, or R75 Security Management server, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R71 or R75.
For NGX R65 SmartCenter Server, NGX R65.70 or higher, see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on NGX R65.
Why You Should Upgrade to Remote Access Clients
Supports most existing SecureClient features, including Secondary Connect, Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection.
Remote Access Clients can coexist with SecureClient and NGX SecuRemote client on client systems during the upgrade period.
Note - Check Point will end its support for SecureClient in mid-2011.
Before Upgrading to Remote Access Clients

New Remote Access Clients Features
The original table gives a description for each feature and marks which clients support it (Endpoint Security VPN, Check Point Mobile for Windows, SecuRemote client). Features:
- Hotspot Detection and Registration
- Automatic Connectivity Detection
- Automatic Certificate Renewal in CLI Mode
- Location Awareness
- Roaming
- Automatic and Transparent Upgrade Without Administrator Privileges
- Windows Vista / Windows 7 64 Bit Support
- Automatic Site Detection
- Geo Clusters
- Machine Idleness
- Dead Gateway Detection

SecureClient Features Supported in Remote Access Clients
The original table gives a description for each feature and marks support in Endpoint Security VPN, Check Point Mobile for Windows and R75 SecuRemote client. Features:
- Authentication Methods: Username/Password, Certificate - CAPI/P12, Challenge Response, SAA
- Cached Credentials
- Secondary Connect
- Pre-Configured Client Packaging
- Office Mode
- Extended DHCP Parameters
- Proxy Detection
- Hub Mode
- Localization. Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, Spanish
- Certificate Enrollment and Renewal
- CLI and API Support: Manage client with third party software
- Tunnel Idleness Detection
- Dialup
- Smart Card Removal Detection
- Re-authentication
- Keep-alive
- Check Gateway Certificate in CRL
- Desktop Firewall
- Configuration File Corruption Recovery: Recover corrupted configuration files
- Secure Domain Logon (SDL)
- End-user Configuration Lock
- Update Dynamic DNS with the Office Mode IP
- SmartView Monitor
- Secure Authentication API (SAA)
- Split DNS
- VPN Connectivity to VPN-1 VSX
- DHCP Automatic Lease Renewal

SecureClient Features Not Yet Supported
- Diagnostic Tools
- Pre-shared secret
- Link Selection
Chapter 2
Configuring Security Gateways to Support Remote Access Clients

In This Chapter
Installing the Remote Access Clients Hotfix
Configuring Endpoint Security VPN and Check Point Mobile for Windows
Configuring SmartDashboard for SecuRemote client
Supporting Endpoint Security VPN and SecureClient Simultaneously
Troubleshooting Dual Support
Configuring Endpoint Security VPN and Check Point Mobile for Windows

To configure SmartDashboard for Endpoint Security VPN or Check Point Mobile for Windows:
1. Set the Security Gateway to be a policy server:
   a) In the Network Objects Tree, right click the Security Gateway and select Edit.
   b) In Software Blades > Network Security, select IPSec VPN > Policy Server.
   c) Open Authentication.
   d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the policy.
2. Configure Visitor Mode:
   a) Open Remote Access.

   d) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
   e) Click OK.
   f) Click Close.
6. For Endpoint Security VPN only, make sure that the desktop policy is configured correctly (Desktop tab).
7. Install the policy: Policy menu > Install.
Configuring SmartDashboard for SecuRemote client

   d) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
   e) Click OK.
   f) Click Close.
Supporting Endpoint Security VPN and SecureClient Simultaneously

Ports:
- UDP 18231
- UDP 18233
- UDP 18234 for performing tunnel test when the client is inside the network
- TCP 80
Troubleshooting Dual Support

If users manage their own clients: they can delete the SecureClient site.
Note - It is not enough to disable the site. It must be deleted.
To solve this issue for all clients, change the Desktop rule base. In the Outbound Rules, add these rules above the rule that blocks the connection:

If you install Remote Access Clients after SecureClient or NGX SecuRemote client, and you want to uninstall the NGX client, you cannot do it from Add/Remove Programs. You must open the Uninstall SecureClient or NGX SecuRemote client program from Start > Programs.
Chapter 3
The Configuration File

Policy is defined on each gateway in the trac_client_1.ttm configuration file located in the $FWDIR/conf directory.

In This Chapter
Editing the TTM File
Customized Settings
Centrally Managing the Configuration File
Understanding the Configuration File
Migrating Secure Configuration Verification
Editing the TTM File

In SmartDashboard, select Policy > Install and install Network Security on each changed gateway.
Run cpstop and cpstart from the CLI of each changed gateway.
Important - If you use Secondary Connect or MEP, make sure that the TTM files on all gateways have the same settings.
Customized Settings

If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the new $FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from its default settings. The new defaults, in the new file, are recommended for this installation.
You must not overwrite the new trac_client_1.ttm with the old one. The new file has added parameters that are necessary for Remote Access Clients operations.

Important - When copying settings from the backup TTM file, make sure not to copy the connect_timeout parameter. If you do copy it, the clients cannot connect.
2. For parameters that are in both files, you can copy the value from the customized file to the new trac_client_1.ttm.
Important - Make sure that you do not copy parameters or values that you did not manually change. The new file has changed, added, and deleted parameters that are necessary.
3. Save the file.
4. Install the policy on each changed gateway.
Understanding the Configuration File

attribute - The name of the attribute on the client side. This is in trac.defaults on the client.
gateway - The name of the attribute on the gateway side. This is in objects.c on the Security Management server. Look in the objects.c file to see what the defined behavior is on the gateway side. The name of the attribute is only written here if it is different than the name on the client side. If there is no value for gateway, the name of the attribute is the same in trac.defaults and objects.c.
ext - If present, it is a hard coded function that is defined and done on the gateway. Do not change it. This function can be done in addition to the function defined for the attribute on the client or gateway side.
default - The value here is downloaded to the client if the gateway attribute was not found in objects.c. If the value is client_decide, the value is defined on the client computer, either in the GUI or in the trac.defaults file on each client. If the attribute is not configured in the client GUI, it is taken from the trac.defaults file on each client.

Example:
    :enable_password_caching (
        :gateway ()
        :default (client_decide)
    )

enable_password_caching is the name of the attribute in trac.defaults and objects.c. Search the objects.c file on the Security Management server to see if it is defined for the gateway. If the attribute is NOT defined for a gateway, the default value is used. Because the default value is client_decide, the setting is taken from each client.
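Added example (not Check Point's code) serving both the Customized Settings procedure above and the attribute structure just described: a parser for the ':key ( ... )' notation, the value-resolution order for :gateway / :default / client_decide, and a merge that applies the copy rules (only parameters present in both files, only values you actually changed, never connect_timeout). It assumes the unmodified old default TTM is still available to detect which values were changed, stands in for the gateway's objects.c lookup with a dict, and uses constructed sample files with made-up values.

```python
import re
TOKEN = re.compile(r'"[^"]*"|[()]|:[\w.-]+|[^\s()":]+')  # ':key ( ... )' notation of trac_client_1.ttm and objects.c
def parse_ttm(text):
    """Parse ':key (...)' blocks into nested dicts; '()' -> None, a scalar -> str."""
    toks, pos = TOKEN.findall(text) + [")"], 0  # sentinel closes the implicit top level
    def body():  # entered just after a '(' and returns once its matching ')' is consumed
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == ")":
            return None
        if not tok.startswith(":"):  # scalar value followed by its ')'
            pos += 1
            return tok.strip('"')
        node = {}
        while tok != ")":
            if toks[pos] != "(":
                raise ValueError(f"expected '(' after {tok}")
            pos += 1
            node[tok[1:]] = body()
            tok, pos = toks[pos], pos + 1
        return node
    return body()

def resolve(param, ttm, objects_c, client_gui, trac_defaults):
    """(value, source): objects.c on the gateway wins, else :default; client_decide -> client GUI, then trac.defaults."""
    entry = ttm[param]
    gw_name = entry.get("gateway") or param  # empty :gateway () means the same name on both sides
    if gw_name in objects_c:
        return objects_c[gw_name], "objects.c"
    if entry.get("default") != "client_decide":
        return entry.get("default"), "ttm default"
    if param in client_gui:
        return client_gui[param], "client GUI"
    return trac_defaults.get(param), "trac.defaults"

def merge_custom(old_default, old_custom, new_default, skip=("connect_timeout",)):
    """Copy only values you changed, only for parameters present in both files, and never connect_timeout."""
    merged = {name: dict(entry) for name, entry in new_default.items()}  # leave the new file's dict untouched
    for name, entry in old_custom.items():
        if name not in skip and name in merged and entry != old_default.get(name):
            merged[name]["default"] = entry["default"]
    return merged

# Constructed sample files with made-up values; the real files carry many more parameters.
OLD_DEFAULT = parse_ttm(""":enable_password_caching ( :gateway () :default (client_decide) )
:connect_timeout ( :gateway () :default (30) )""")
OLD_CUSTOM = parse_ttm(""":enable_password_caching ( :gateway () :default (false) )
:connect_timeout ( :gateway () :default (900) )""")
NEW_DEFAULT = parse_ttm(""":enable_password_caching ( :gateway () :default (client_decide) )
:connect_timeout ( :gateway () :default (60) )""")
```

merge_custom(OLD_DEFAULT, OLD_CUSTOM, NEW_DEFAULT) carries the changed enable_password_caching value into the new file while keeping the new file's connect_timeout.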
Configuration File Parameters

Recommended value for :default () of each parameter (the original table also gives a description for each one):
allow_disable_firewall
certificate_key_length: 1024
certificate_strong_protection: true
certificate_provider: "Microsoft Enhanced Cryptographic Provider v1.0"
internal_ca_site: none
internal_ca_dn: none
default_authentication_method: none
disconnect_on_smartcard_removal: false
do_proxy_replacement: true
enable_capi: true
enable_firewall: true
enable_gw_resolving: true
hotspot_detection_enabled: true
automatic_mep_topology: true
(parameter name not preserved; listed values none, dns_based, first_to_respond, primary_backup, load_sharing): dns_based
predefined_sites_only: false
send_client_logs: none
suspend_tunnel_while_locked: false
tunnel_idleness_ignore_icmp
tunnel_idleness_ignored_tcp_ports: none
tunnel_idleness_timeout
Migrating Secure Configuration Verification

user_policy_scv - This SCV Check tests if SecureClient is logged in to a Policy Server. Endpoint Security VPN and Check Point Mobile for Windows do not log in to policy server, so this check is not necessary.
sc_ver_scv - This SCV Check tests for the version of SecureClient. Currently, there is no SCV check for the version of Endpoint Security VPN or Check Point Mobile for Windows.
ckp_scv - This SCV Check is not supported for Endpoint Security VPN or Check Point Mobile for Windows.
Chapter 4
Differences between SecureClient and Endpoint Security VPN CLI

This table shows common tasks and how to perform them with SecureClient or Remote Access Clients E75.20 command line. N/A indicates that the task cannot be performed with the CLI.
Task
SecureClient
Asynchronous Connect
connectwait <profilename>
N/A
N/A
change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]
Connect to Site
add <sitename>
Delete Site
delete <sitename>
delete -s <sitename>
disconnect
disconnect
status
N/A
N/A
N/A
enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]
N/A
getsite <profilename>
List Profiles
listprofiles
N/A
N/A
list
N/A
log
N/A
N/A
restartsc
N/A
passcert <password> <certificate>
userpass <username> <password>
numprofiles
N/A
version
ver
startsc
start
stopsc
stop
N/A
erasecreds
N/A
Update Topology
update <profilename>
N/A