Professional Documents
Culture Documents
20 October 2010
© 2010 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11130
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
20 October 2010 Added procedure for restoring the TTM file with customizations
("Restoring Settings" on page 25).
14 October 2010 Added Desktop rule to allow MEP traffic ("Making a Desktop Rule for
MEP" on page 32).
The connect_timeout parameter was removed from the list of commonly
changed configuration file parameters, because it must not be used in
this installation.
10 October 2010 To reflect the easy process of moving from SecureClient to Endpoint
Security VPN, migration is changed to upgrading.
Updated Microsoft Windows 7 Editions and fixed client version number
in Supported Platforms ("System Requirements" on page 6).
28 September 2010 Updated features lists ("Before Upgrading to Endpoint Security VPN" on
page 6)
13 September 2010 Window pictures added, different versions of document released for
different versions of SmartDashboard
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Upgrading SecureClient to Endpoint
Security VPN R75 on NGX R65 SmartCenter Server ).
Contents
Note - You can install Endpoint Security VPN on several Linux/Unix-based platforms as well as
Microsoft Windows platforms. The procedures included in this document use the Linux/Unix
environment variable convention ($FWDIR).
If you are using a Windows platform, substitute %FWDIR% for the environment variable in the
applicable procedures.
In This Chapter
Page 5
Before Upgrading to Endpoint Security VPN
Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure
Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
Supports many additional new features
Does not require a SmartCenter server upgrade
Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period
Note - Check Point will end its support for SecureClient in mid-2011.
System Requirements
Management Server and Gateway:
Note - See the Release Notes of the specific Check Point version for supported versions of
different platforms.
All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in.
All supported platforms for R70.40.
Notes -
Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You
can install the Endpoint Security VPN package on multiple gateways and must install it on the
server to enable MEP.
The server and gateway can be installed on open servers or appliances. On UTM-1 appliances,
you cannot use the WebUI to install Endpoint Security VPN.
Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.
Feature Description
Hotspot Detection and Automatically detects hotspots that prevent the client system from
Registration (Exclusion for establishing a VPN tunnel
Policy) Opens a mini-browser to allow the user to register to the hotspot and
connect to the VPN gateway
Firewall support for hotspots
Feature Description
Automatic Connectivity Automatically detects whether the client is connected to the Internet or LAN
Detection
Automatic Certificate Renewal Supports automatic certificate renewal, including in CLI mode
in CLI Mode
Location Awareness Automatically determines if client is inside or outside the enterprise network
Roaming Maintains VPN tunnel if client disconnects and reconnects using different
network interfaces
Automatic and Transparent Updates the client system securely and without user intervention
Upgrade Without Administrator
Privileges
Windows Vista / Windows 7 64 Supports the latest 32-bit and 64-bit Windows operating systems
Bit Support
Automatic Site Detection During first time configuration, the client detects the VPN site automatically
Note: This requires DNS configuration and is only supported when
configuring the client within the internal network.
Geo Clusters Connect client system to the closest VPN gateway based on location
For more information on geo clusters, see sk43107
(ttp://supportcontent.checkpoint.com/solutions?id=sk43107).
Machine Idleness Disconnect VPN tunnel if the machine becomes inactive (because of lock or
sleep) for a specified duration.
Flush DNS Cache Remove previous DNS entries from the DNS cache when creating VPN
tunnel
NAT-T/Visitor Mode Let users connect from any location, such as a hotel, airport, or branch
office
Pre-Configured Client Predefined client installation package with configurations for easy
Packaging provisioning
Feature Description
Compliance Policy - Secure Verifies client system policy compliance before allowing remote access to
Configuration Verification internal network
(SCV)
Proxy Detect / Replace Detect proxy settings in client system web browsers for seamless
connectivity
Route All Traffic Send all traffic from the client system through the VPN gateway
CLI and API Support Manage client with third party software
Disconnect On Smart Card Disconnect VPN if a Smart Card is removed from the client system
Removal
Keep-alive Send keep-alive messages from client to the VPN gateway to maintain the
VPN tunnel
Check Gateway Certificate in Validate VPN gateway certificate in the CRL list
CRL
Desktop Firewall Configured Personal firewall integrated into client, managed with the SmartDashboard
from SmartDashboard desktop policy
Desktop Policy
Secure Domain Logon (SDL) Establish VPN tunnel prior to user login
Desktop Firewall Logs in Desktop firewall logs are displayed in SmartView Tracker
SmartView Tracker
End-user Configuration Lock Prevent users from changing the client configuration
Update Dynamic DNS with the Assign an internal IP address for remote access VPN users in the
Office Mode IP Dynamic DNS
Feature Description
SmartView Monitor Monitor VPN tunnel and user statistics with SmartView Monitor
Post Connect Script Execute manual scripts before and after VPN tunnel is established
Single Sign-on (SSO) One set of credentials to log in to both VPN and Windows
operating system
“Suggest Connect” Mode Create VPN tunnel when the client generates traffic to the VPN
(Auto Connect) domain resources
Entrust Entelligence Support Entrust Entelligence package providing multiple security layers,
strong authentication, digital signatures, and encryption
VPN Connectivity to VPN-1 VSX Terminate VPN tunnel at Check Point VSX gateways
"No Office Mode" Connect Mode Connect to the VPN gateway without requiring Office Mode
Secondary Connect (Including Fast Connect to multiple VPN gateways simultaneously and establish
Failover) VPN tunnels to all resources located behind each VPN gateway
DHCP Automatic Lease Renewal Automatically renew IP addresses obtained from DHCP servers
Page 10
Configuring SmartDashboard
Configuring SmartDashboard
You manage Endpoint Security VPN through the SmartDashboard. This task explains how to set up the
SmartDashboard to access Endpoint Security VPN configurations. Before you begin, make sure you have a
network for Office Mode allocation. If you do not have such a network set up, create it now.
To configure SmartDashboard for Endpoint Security VPN:
1. Set the Gateway to be a policy server:
a) In the Network Objects Tree, right click the Gateway and select Edit.
The Check Point Gateway - General Properties window opens.
c) Open Authentication.
d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the
policy.
2. Configure Visitor Mode:
a) Open Remote Access.
d) If the Gateway is not already in the list of participating gateways: click Add, select the Gateway from
the list of gateways, and click OK.
e) Click OK.
f) Click Close.
6. Make sure that the desktop policy is configured correctly (Desktop tab).
7. Install the policy (Policy menu > Install).
UDP 18233
UDP 2746 for UDP Encapsulation
UDP 500 for IKE
TCP 500 for IKE over TCP
TCP 264 for topology download
UDP 259 for MEP configuration
UDP 18234 for performing tunnel test when the client is inside the network
UDP 4500 for IKE and IPSEC (NAT-T)
TCP 18264 for ICA certificate registration
TCP 443 for Visitor Mode
TCP 80
c) Click Exceptions.
The Secure Configuration Verification Exceptions window opens.
You solve this issue for all clients: change the Desktop rule base.
a) In the Outbound Rules, add this rule above the last rule. (The last rule should be Any Any Block.)
Destination = Endpoint Security VPN Gateway
Service = http, https, IKE_NAT_TRAVERSAL
Action = Accept
Client Icon
The client tray icon shows the status of Endpoint Security VPN.
Icon Status
Disconnected
Connecting
Connected
Error
You can also hover your mouse on the icon to show the client status.
Page 18
Helping Users Create a Site
Give the users the fingerprint to compare with their client installation and site definition.
To prepare the gateway fingerprint:
1. In SmartDashboard, click Manage menu > Servers and OPSEC Applications.
2. In the Servers and OPSEC Applications window, select the Certificate Authority and click Edit.
3. Open the Local Security Management Server or OPSEC PKI tab and click View.
4. In the Certificate Authority Certificate View window, copy the SHA-1 Fingerprint.
The wizard shows the progress while the Endpoint Security VPN client resolves the site name or
address to the actual gateway. This step in the wizard notifies the user that:
This may take several minutes, depending on the speed of your network
connection.
If the user see the certificate warning, make sure they check the fingerprint of the gateway:
a) Compare the site fingerprint with the SIC fingerprint on the gateway.
b) Click Details to see additional warnings.
c) If site details are correct, click Trust and Continue. The fingerprint is stored in the Windows registry
and the security warning is not opened again for the site, even if the client is upgraded.
OR
1. Right-click the client icon and select Connect to.
Connecting to a Site
You might have to help users connect to the VPN. The Endpoint Security VPN client lets users connect to
sites - where the site is the VPN gateway.
To connect to a site:
1. Right-click the client icon and select Connect or Connect to.
A site connection window opens.
This window has authentication fields according to the selected authentication method.
If you selected Connect to, you can select the site to which you would like to connect.
2. Enter credentials, and click Connect.
A connection progress window opens. Wait until the connection is made.
If a user is at a remote site that has a proxy server, the Endpoint Security VPN client must be configured to
pass through the proxy server to reach the gateway.
If you know that this will be an issue, you can configure this option when you prepare the client MSI file.
Otherwise, you can help your user configure the proxy server when the issue comes up.
To configure proxy settings on the client:
1. In the Options > Advanced tab, click Proxy Settings.
2. Select an option.
No Proxy - Make a direct connection to the VPN.
Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer >
Tools > Internet options > Connections > LAN Settings.
Manually define proxy - Enter the IP address and port number of the proxy. If necessary, enter a
valid user name and password for the proxy.
3. Click OK.
a) Input MSI Package Path - Select the input MSI package file.
b) Replace user's configuration when upgrading - Decide whether to keep the user configuration on
upgrade (clear the checkbox) or to merge the new configuration with existing configuration, including
client authentication. If you select this checkbox, users do not have to apply for new credentials to a
site they have been using.
c) Click Generate to create the MSI package.
A window opens to prompt for a location to save the generated package.
9. Distribute this package to Endpoint Security VPN users.
Note - When editing the configuration file, do not use a DOS editor, such as Microsoft Word,
which adds formatting codes to the file.
Restoring Settings
If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the new
$FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from its default
settings - the new defaults, in the new file, are recommended for this installation.
To restore settings:
1. See the difference in parameter values between the backup and new trac_client_1.ttm file.
Important - When copying settings from the backup TTM file, make sure not to copy the
connect_timeout parameter.
If you do, the clients cannot connect.
2. Copy the values from the backup that you want to restore, to the new trac_client_1.ttm.
3. Save the file.
4. Install the policy.
Important - You must use the newest configuration file installed on the gateway for Endpoint
Security VPN. This is important, because if you do not install Endpoint Security VPN on the
SmartCenter server, the server will have an outdated configuration file that does not support
new features.
Page 25
Parameters in the Configuration File
Appendix A
Multiple Entry Point (MEP)
Multiple Entry Point (MEP) gives high availability and load sharing to VPN connections. A Gateway is one
point of entry to the internal network. If the Gateway becomes unavailable, the internal network is also
unavailable. A Check Point MEP environment has two or more Gateways for the same VPN domain to give
remote users uninterrupted access. Endpoint Security VPN automatically detects and uses MEP topology.
MEP topology gives High Availability and load sharing with these characteristics:
There is no physical restriction on the location of MEP Gateways. They can be geographically separated
and not directly connected.
MEP Gateways can be managed by different management servers.
There is no state synchronization in MEP. If a Gateway fails, the current connection falls and one of the
auxiliary Gateways picks up the next connection.
Remote clients, not the gateways, find the Gateway to use.
To enable MEP, you must install the Hotfix on the SmartCenter server and on each Gateway.
In This Appendix
MEP or Roaming 28
Configuring Entry Point Choice 28
Defining MEP Method 29
Implicit MEP 30
Manual MEP 32
Making a Desktop Rule for MEP 32
MEP or Roaming
For MEP to work with Endpoint Security VPN, you must disable or limit the Roaming feature. If a gateway
connection fails, Roaming maintains the connection to the current gateway, while MEP finds a new gateway
to connect to. If these two features were enabled at the same time, they would conflict with each other.
To limit roaming (and enable MEP):
1. Open SmartDashboard > Global Properties.
2. Open Remote Access > Endpoint Connect.
3. Set Disconnect when connectivity to network is lost to Yes.
4. Click OK.
5. Open GuiDBedit.
6. Find endpoint_vpn_implicit_disconnect_timeout and set it to 1.
7. Click Save.
8. Install the policy.
Recommendation: If you have multiple gateways that are geographically distant. For example, an
organization has three gateways: London, Sundsvall, and Paris. Usually, the London Gateway responds
first to clients in England and is their entry point to the internal network. If the London gateway goes
down, these users access the network through the Paris or Sundsvall gateway that responds first.
Primary-Backup - One or multiple auxiliary Gateways give high availability for a primary Gateway.
Endpoint Security VPN is configured to connect with the primary Gateway, but switches to a Backup
Gateway if the Primary goes down.
Recommendation: If you have multiple gateways, and one is stronger or connects faster. Set the
stronger machine as the primary. Clients use the backup if the primary is unavailable.
Load Distribution - Endpoint Security VPN randomly selects a Gateway.
Recommendation: If you have multiple gateways of equal performance. The traffic of Endpoint Security
VPN clients is shared between the gateways. Each client creates a tunnel with a random, available
gateway.
Geo-Cluster Name Resolution - By default, Endpoint Security VPN resolves Gateway DNS names for
all connections. Optionally, you can store IP addresses in a cache. This can improve performance by
preventing repetitive DNS name resolution.
To enable DNS IP address cache:
1. On the Gateway, open $FWDIR/conf/trac_client_1.ttm.
2. Change the :default attribute, located in the :enable_gw_resolving attribute, to false.
:enable_gw_resolving (
:Gateway (
:map (
:false (false)
:true (true)
:client_decide (client_decide)
)
:default (false)
)
)
3. Save the file.
4. Install the policy.
Implicit MEP
With Implicit MEP, the configurations of the gateways are used to make the VPN connections. Gateways are
configured differently for each MEP method.
Before you begin, make sure that $FWDIR/conf/trac_client_1.ttm has:
enable_gw_resolving (true)
automatic_mep_topology (true)
4. Click OK.
5. For each gateway, open the properties window > Topology.
6. In the VPN Domain section, click Manually Defined and select the same VPN Domain for all
Gateways.
7. Click OK.
8. Install the policy.
2. In the network objects tree, Groups section, create a group of Gateways to act as backup Gateways.
3. Open the VPN properties of the Primary Gateway:
NGX R65 and R70: gateway properties > VPN
R71: gateway properties >IPSec VPN
4. Select Use Backup Gateways, and select the group of backup Gateways.
Manual MEP
For SecureClient, the gateways have to belong to the same VPN domain for MEP to function. For Endpoint
Security VPN, the gateways do not have to belong to the same VPN domain. The gateways are configured
in the TTM file.
To configure the Gateways for MEP:
1. On a Gateway, open $FWDIR/conf/trac_client_1.ttm.
2. Search for the enable_gw_resolving attribute:
:enable_gw_resolving (
:gateway (
:default (true)
)
)
3. Make sure the attribute is set to its default value: true.
4. Search for the automatic_mep_topology attribute, and make sure its value is false.
5. Manually add the mep_mode attribute:
:mep_mode (
:gateway (
:default (xxx)
)
)
Where xxx is a valid value:
dns_base
first_to_respond
primary_backup
load_sharing
6. Manually add the ips_of_gws_in_mep attribute:
:ips_of_gws_in_mep (
:gateway (
:default (192.168.53.220À.168.53.133&#)
)
)
These are the IP addresses the client should try.
IP addresses are separated by an ampersand and hash symbol (&#)
The last IP address in the list has a final &#.
7. Save the file.
8. Install the policy.
Page 33
Making a Desktop Rule for MEP