User Guide
Endpoint Security VPN for Windows 32-bit/64-bit
E75.20
13 September 2011

© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12322
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Revision History
Date | Description
13 September 2011 | First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security VPN for Windows 32-bit/64-bit E75.20 User Guide).

Contents
Important Information 3
Introduction to Endpoint Security VPN 5
    The Installation Process 5
    Receiving an Automatic Upgrade 5
Getting Started 6
    Defining a Site 6
    Basic Operations 8
    Connect Window 8
    Client Icon 9
    Understanding the Firewall 9
        Disabling the Firewall 9
    Compliance 10
Setting up the Client 11
    Configuring Proxy Settings 11
    Secure Domain Logon 11
    Configuring VPN 11
    Changing the Site Authentication Scheme 12
    Certificate Enrollment and Renewal 13
    Importing a Certificate into the CAPI Store 13
    Authenticating with PKCS#12 Certificate File 13
    SecurID 14
    Challenge-Response 14
    Secure Authentication API (SAA) 14
    Collecting Logs 16

Chapter 1
Introduction to Endpoint Security VPN

Endpoint Security VPN is a remote access client for easy, secure connectivity to corporate resources over the internet, through a VPN tunnel.

In This Chapter
The Installation Process 5
Receiving an Automatic Upgrade 5

The Installation Process

Important - To install a Remote Access client on any version of Windows, you need Administrator permissions. Consult with your system administrator.

To install a Remote Access client:
1. Log in to Windows with a user name that has Administrator permissions.
2. Get the installation package from your system administrator, and double-click the installation package.
3. Follow the installation wizard.
   Note - On Windows Vista and Windows 7, there may be a prompt to allow access, depending on the UAC settings.
4. If your administrator did not include a specified Remote Access client in the installation package, you are prompted to choose a product to install. Your administrator might have instructed you which client to install. The options are:
   - Endpoint Security VPN
   - Check Point Mobile for Windows
   - SecuRemote
   After installation, the Client icon appears in the system tray notification area.
5. Double-click the Client icon. If you are prompted to define a site, make a site with the IP address that your system administrator gave you.

Receiving an Automatic Upgrade

If you have a Check Point VPN Client, when you connect to a site you might receive an automatic upgrade to the latest version of Remote Access Clients. Follow the instructions to complete the upgrade. Depending on the settings set by your administrator, you might not need to do anything. When you open your client from the client icon, you will see that it has a new name and looks different.

Chapter 2
Getting Started

In This Chapter
Defining a Site 6
Basic Operations 8
Connect Window 8
Client Icon 9
Understanding the Firewall 9
Compliance 10

Defining a Site

You must have at least one site to connect to a VPN. If your system administrator pre-configured the client package, you can connect to the VPN site immediately. If not, you must define the site.

Before you start, make sure you know how you will authenticate to the VPN and that you have the credentials (for example, password or certificate file). You might also require the gateway fingerprint, to make sure that the client is connecting to the correct gateway. Get this from your system administrator.

To define a site:
1. Right-click the client icon and select VPN Options. The Options window opens. The first time you open the window, no sites are listed.
2. On the Sites tab, click New. The Site Wizard opens.
3. Click Next.
4. Enter the name or IP address of the Security Gateway and click Next. Wait for the Client to identify the site name.
5. After the client resolves the site, a security warning might open:
   The site's security certificate is not trusted! While verifying the site's certificate, the following possible security risks were discovered:
   Ask your system administrator for the fingerprint of the server. If the server fingerprint matches the fingerprint in the warning message, you can click Trust and Continue. If there is no match, consult with your system administrator.
6. The Authentication Method window opens. Select an authentication method according to your system administrator's instructions.
7. Click Next and follow the instructions to enter your authentication materials. If you selected Secure Authentication API (SAA), an SAA window opens to select the type of SAA and a DLL file to use. See Secure Authentication API (SAA) (on page 14).
8. Click Finish. The client opens a prompt to connect you to the newly created site.
9. Click Yes to connect to the site, or No to save the site details and connect at a different time.

Basic Operations

Right-click the Client icon in the system tray to use basic operations. (Not all options appear for every client status and configuration.)

To quickly connect to the last active site, double-click the Client icon. To use other basic operations, right-click the Client icon and select an option.

Option | Function
Connect | Opens the main connection window, with the last active site selected. If you authenticate with a certificate, the client immediately connects to the selected site.
Connect to | Opens the main connection window.
VPN Options | Opens the Options window to set a proxy server, choose the interface language, enable Secure Domain Logon, collect logs, and select a DLL file for SAA Authentication.
Register to Hotspot | Lets you bypass the firewall to register to a hotspot. After you click this option, open a browser. It will open to the hotspot registration page.
Show Compliance Report | See if your computer is compliant with the Security Policy, and if not, why not and how to fix the issue.
Show Client | Opens the Client overview.
Shutdown Client | Closes the Client and the VPN connection.

You can also see most of these options from the Client Overview.

Connect Window

In the Connect window you authenticate to the VPN. Based on the settings that your administrator configures, you might have options to choose a Site and Gateway, or only a Site.

In the Connect Window:
1. In Site, select the site to connect to. If you were not instructed differently by your administrator, connect to the default site.
2. You might have a Gateway field. If necessary, select a gateway. If you were not instructed differently by your administrator, connect to the default gateway.
3. Enter authentication to connect to the VPN:
   - If you have a Certificate, browse to the certificate file and enter the password.
   - If you use SecurID, enter your PIN or passcode. If you get a key in response, copy it.
   - If you use Username and Password, enter your username and password.
   - If you use Challenge Response, enter the first key. When the challenge comes, enter the response.
   - If you use SAA, click Connect and a new window opens for authentication.

While you use the VPN resources, you might have to enter your authentication credentials again. This can occur if you try to access a resource that is on a different gateway and your credentials are not cached.

Client Icon

The Client icon in the system tray notification area shows the status of Remote Access Clients. The icon shows one of these statuses:
- Disconnected
- Connecting
- Connected
- Encryption (encrypted data is being sent or received on the VPN)
- There is an issue that requires users to take action.

You can also hover your mouse on the icon to show the client status.

Understanding the Firewall

When Endpoint Security VPN is installed on your computer, it includes a firewall. The firewall examines all network traffic that comes to your computer and asks:
- Where did the traffic come from and where is it addressed to?
- Do the firewall rules allow traffic to that address?
- Does the traffic violate global rules?
Based on the answers to these questions, traffic is allowed or blocked. The administrator sets the policies and rules that control what traffic the firewall allows.

Disabling the Firewall

Your administrator can give you the option to disable the firewall on your computer. If you do have this option, when you right-click the Endpoint Security VPN icon in the system tray, one of the choices is Disable Security Policy. If you select this, the firewall is disabled. Depending on the compliance settings, you might not be able to connect to the VPN if your firewall is disabled.

If the firewall is disabled, the option Enable Security Policy shows in the right-click menu of the Client icon. Select this to enable the firewall.

Compliance

Your administrator can configure checks for your computer or device to make sure it is compliant before you connect to the VPN site. Some examples of what these checks can include are:
- If your Operating System is supported.
- If you are logged in correctly.
- If you have an updated Anti-virus client.

Your computer must be compliant with all checks to access the VPN. If your computer is not compliant, the Client icon looks like this: [icon]

If your computer is found to be non-compliant based on one check, you cannot access the VPN. In the Client Overview window, it shows that you are not compliant and a message opens. If your computer does not comply based on multiple factors, you can see multiple messages. Follow the instructions in the message to make your computer compliant. If you have questions, contact your administrator.

You can see a compliance report that shows if your computer is compliant with the Security Policy, and if not, how to fix the issue. To get a compliance report, right-click the Client icon in the system tray and select Show Compliance Report.

The compliance check always works in the background, whether you are connected to the VPN or not.
At any time it can report that your computer has failed a check and is not compliant.

[...]

... option is disabled in Endpoint Security VPN or Check Point Mobile for Windows, consult your system administrator.
5. Click OK.

Changing the Site Authentication Scheme

If you have the option from your system administrator, you can change the method that you use to authenticate to the VPN.

To change the client authentication method for a specific site:
1. Right-click the Client icon and select VPN Options. The Options...

... authentication information directly in that window. If SAA is the authentication method for the site, there are no fields for authentication information in the login window. You must click the Connect button in the window, and a new window opens for authentication information.

Collecting Logs

If your system administrator or help desk asks for logs...

... method when you create a site, you need this information:
- The type of SAA authentication that you must select - one of these:
  - Username and Password - Users enter a username and password.
  - Challenge Response - Users enter a response to a challenge.
- You might need a DLL file. If your administrator already configured this, then you do not need it.
Note - Only users with administrator permissions can replace...

... to go through the VPN for all your Internet traffic. This is more secure.

To configure VPN Tunneling:
1. Right-click the Client icon and select VPN Options. The Options window opens.
2. On the Sites tab, select the site to which you want to connect, and click Properties. The Properties window for the site opens.
3. Open the Settings tab.
4. In VPN tunneling, click...

... CAPI or P12 window opens.
5. For CAPI, choose the certificate you want to renew from the drop-down list. For P12, choose a P12 file and enter its password.
6. Click Renew. The certificate is renewed and ready for use.

Importing a Certificate into the CAPI Store

Before you can use the certificate to authenticate your computer, you must get:
- The certificate file
- The password for the file
- The name of the...

... tray, and select VPN Options.
2. On the Sites tab, select the site from which you will enroll a certificate and click Properties. The site Properties window opens.
3. Select the Settings tab.
4. Choose the setting type you want, CAPI or P12, and click Enroll. The CAPI or P12 window opens.
5. For CAPI, choose the provider to which you will enroll the certificate.
6. For P12, choose a new password for the certificate...

... If required, enter a user name and password for the proxy.
5. Click OK.

Secure Domain Logon

If the system administrator says that you must use SDL, enable Secure Domain Logon (SDL).

To enable SDL on a client:
1. Right-click the Client icon and select VPN Options.
2. In Options > Advanced, select Enable Secure Domain Logon (SDL).
3. Click OK.
4. Restart the computer and log in.

Configuring VPN

You might have the...

... Browse to the P12 file. Enter the certificate password and click Import.

Authenticating with PKCS#12 Certificate File

For security reasons, your system administrator might require you to authenticate directly with the PKCS#12 certificate and not from the certificate stored in the CAPI. For example, if you use several desktop workstations and laptops, you might not want to leave your certificate on different...

... connect to the site. For increased security, your administrator might instruct you to save the PKCS#12 certificate to a USB stick or other storage device.

To authenticate with a PKCS#12 certificate file:
1. Configure the site to use "Certificate – P12" for authentication.
2. Connect to the site. The Connect window opens.
3. In the Certificate...

... from the local system administrator. Find out if the proxy needs a user name and password.

To configure proxy settings:
1. Right-click the Client icon and select VPN Options. The Options window opens.
2. Open the Advanced tab.
3. Click Proxy Settings. The Proxy Settings window opens.
4. Select an option:
   - No Proxy - Make a direct connection to the VPN.
   - Detect proxy from Internet Explorer settings - Get the proxy ...