Remote Access Clients E75.20
Upgrading from SecureClient/SecuRemote NGX on R71 or R75 Security Management
13 September 2011

© 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12327
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).
Revision History
13 September 2011 - First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients E75.20 Upgrading from SecureClient/SecuRemote NGX on R71 or R75 Security Management).

Contents
- Important Information
- Introduction to Remote Access Clients
  - Overview of Remote Access Clients
    - Endpoint Security VPN
    - Check Point Mobile for Windows
    - SecuRemote client
  - Upgrading on Different Management Servers
  - Why You Should Upgrade to Remote Access Clients
  - Before Upgrading to Remote Access Clients
    - Supported Gateways and Servers
    - New Remote Access Clients Features
    - SecureClient Features Supported in Remote Access Clients
    - SecureClient Features Not Yet Supported
- Configuring Security Gateways to Support Remote Access Clients
  - Preparing the Security Gateways
  - Configuring Endpoint Security VPN and Check Point Mobile for Windows
  - Configuring SmartDashboard for SecuRemote client
  - Supporting Remote Access Clients and NGX Clients Simultaneously
  - Troubleshooting Dual Support
- The Configuration File
  - Editing the TTM File
  - Customized Settings
  - Centrally Managing the Configuration File
  - Understanding the Configuration File
  - Configuration File Parameters
  - Migrating Secure Configuration Verification
  - Differences between SecureClient and Endpoint Security VPN CLI

Chapter 1: Introduction to Remote Access Clients

In This Chapter
- Overview of Remote Access Clients
- Upgrading on Different Management Servers
- Why You Should Upgrade to Remote Access Clients
- Before Upgrading to Remote Access Clients

Overview of Remote Access Clients
Remote Access Clients provide a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel.
Check Point offers three enterprise-grade flavors of Remote Access to fit a wide variety of organizational needs. The clients offered in this release are:

Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.

Check Point Mobile for Windows - An easy-to-use IPsec VPN client to connect securely to corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed machines.

SecuRemote client - A secure, yet limited-function IPsec VPN client, primarily targeted for small organizations that require very few remote access clients.

For complete information about deploying and using Remote Access Clients, see the Remote Access Clients E75.20 Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Endpoint Security VPN
- Replaces SecureClient and Endpoint Connect.
- Enterprise-grade remote access client with desktop firewall and compliance checks.
- Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of anti-virus, Windows updates, and other system components.
- Integrated desktop firewall, centrally managed from the Security Management Server.
- In-place upgrade from Endpoint Security VPN R75.
- In-place upgrade from Endpoint Connect R73.
- Requires the IPSec VPN Software Blade on the gateway, and an Endpoint Container license and Endpoint VPN Software Blade on the Security Management Server.

Check Point Mobile for Windows
- New enterprise-grade remote access client.
- Secure Configuration Verification (SCV) is integrated with Windows Security Center to query the status of antivirus, Windows updates, and other system components.
- Requires the IPSec VPN and SSL VPN Software Blades on the gateway.

SecuRemote client
- Replaces the NGX SecuRemote client.
- Basic remote access functionality.
- Unlimited number of connections for Security Gateways with the IPsec VPN blade.
- Requires an IPSec VPN Software Blade on the gateway. It is a free client and does not require additional licenses.

Upgrading on Different Management Servers
Environments with SecureClient or the NGX SecuRemote client already deployed can be easily upgraded to Remote Access Clients. The SmartDashboard differs between management server versions, so use the documentation for the SmartDashboard that you have. This guide is for an R71 Security Management Server (R71.30 or higher) or an R75 Security Management Server. Guides for other management servers are available at sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209):
- For an R70 Security Management Server (R70.40 or higher), see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on R70.
- For an NGX R65 SmartCenter Server (NGX R65.70 or higher), see Remote Access Clients E75.20 Upgrade Guide from SecureClient/SecuRemote NGX on NGX R65.

Why You Should Upgrade to Remote Access Clients
Check Point recommends that all customers upgrade from SecureClient or Endpoint Connect to Remote Access Clients as soon as possible, to have these enhancements:
- Automatic and transparent upgrades, with no administrator privileges required
- Supports 32-bit and 64-bit Windows Vista and Windows 7
- Uses less memory than SecureClient
- Automatic disconnect/reconnect as clients move in and out of the network
- Seamless connection experience while roaming
- Supports most existing SecureClient features, including Secondary Connect, Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
- Supports many additional new features
- Does not require a Security Management Server upgrade
- Remote Access Clients can coexist with SecureClient and the NGX SecuRemote client on client systems during the upgrade period

Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Remote Access Clients
Before upgrading, consider these issues.

Supported Gateways and Servers
See the Remote Access Clients Release Notes for information about supported Security Gateway and Security Management Server versions.

New Remote Access Clients Features
This table describes new features in Remote Access Clients and on which Remote Access Clients they are available.
Hotspot Detection and Registration - Automatically detects hotspots that prevent the client system from establishing a VPN tunnel. Opens a mini-browser to allow the user to register to the hotspot and connect to the VPN gateway. Includes firewall support for hotspots.

Automatic Connectivity Detection - Automatically detects whether the client is connected to the Internet or the LAN. If the network connection is lost, the client seamlessly reconnects without user intervention.

Automatic Certificate Renewal in CLI Mode - Supports automatic certificate renewal, including in CLI mode.

Location Awareness - Automatically determines whether the client is inside or outside the enterprise network.

Roaming - Maintains the VPN tunnel if the client disconnects and reconnects using different network interfaces.

Automatic and Transparent Upgrade Without Administrator Privileges - Updates the client system securely and without user intervention.

Windows Vista / Windows 7 64-Bit Support - Supports the latest 32-bit and 64-bit Windows operating systems.

Automatic Site Detection - During first-time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.

Geo Clusters - Connects the client system to the closest VPN gateway based on location.

Machine Idleness - Disconnects the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.

Flush DNS Cache - Removes previous DNS entries from the DNS cache when creating the VPN tunnel.

Dead Gateway Detection - Tests that the Security Gateway is active by sending tunnel test packets.
SecureClient Features Supported in Remote Access Clients
This table describes features in Remote Access Clients that existed in SecureClient, and on which Remote Access Clients (Endpoint Security VPN, Check Point Mobile for Windows, R75 SecuRemote client) they are available.

Authentication Methods - Username/Password; Certificate (CAPI/P12); SecurID (passcode, softID, key fobs); Challenge Response; SAA.

Cached Credentials - Caches credentials for user login.

NAT-T and Visitor Mode - Let users connect from any location, such as a hotel, airport, or branch office.

Multiple Entry Point (MEP) - Provides gateway High Availability and Load Sharing and lets the Remote Access Clients connect to the VPN from multiple gateways.

Secondary Connect - Gives access to multiple VPN gateways at the same time, to transparently connect users to distributed resources.

Pre-Configured Client Packaging - Predefined client installation package with configurations for easy provisioning.

Office Mode - Internal IP address for remote access VPN users.

Extended DHCP Parameters - When using Office Mode from a DHCP server, the gateway sends data that it got from the client to the DHCP server in the correct format: Hostname, FQDN, Vendor Class, and User Class.

Compliance Policy - Secure Configuration Verification (SCV) - Verifies client system policy compliance before allowing remote access to the internal network.

Proxy Detection - Detects proxy settings in client system web browsers for seamless connectivity.

Hub Mode - Sends all traffic from the client system through the VPN gateway.

Localization - Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, Spanish.

Certificate Enrollment and Renewal - Automatic enrollment and renewal of certificates issued by the Check Point Internal CA server.

CLI and API Support - Manage the client with third-party software.

Tunnel Idleness Detection - Disconnects the VPN if there is no traffic for a specified duration.

Dialup - Supports dialup connections.

Smart Card Removal Detection - Detects when the Smart Card is removed and closes the active VPN tunnel.

Re-authentication - After a specified duration, the user is asked to re-authenticate.

Keep-alive - Sends keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel.

Check Gateway Certificate in CRL - Validates the VPN gateway certificate against the CRL.

Desktop Firewall - Personal firewall integrated into the client, managed with the SmartDashboard desktop policy. Logs are shown in SmartView Tracker.

Configuration File Corruption Recovery - Recovers corrupted configuration files.

Secure Domain Logon (SDL) - Establishes the VPN tunnel before user login.

End-user Configuration Lock - Prevents users from changing the client configuration.

Update Dynamic DNS with the Office Mode IP - Registers the internal (Office Mode) IP address assigned to remote access VPN users in Dynamic DNS.

SmartView Monitor - Monitor VPN tunnel and user statistics with SmartView Monitor.

Post Connect Script - Executes manual scripts before and after the VPN tunnel is established.

Secure Authentication API (SAA) - Integrates with third-party authentication providers.

Split DNS - Supports multiple DNS servers.

VPN Connectivity to VPN-1 VSX - Terminates the VPN tunnel at Check Point VSX gateways.

DHCP Automatic Lease Renewal - Automatically renews the client's DHCP lease.

SecureClient Features Not Yet Supported
These features of SecureClient are not supported by Remote Access Clients. Many of these features are expected to be supported in the next release.

Single Sign-on (SSO) - One set of credentials to log in to both the VPN and the Windows operating system.

Entrust Entelligence Support - Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption.

Diagnostic Tools - Tools for viewing logs and alerts.

"No Office Mode" Connect Mode - Connect to the VPN gateway without requiring Office Mode.

Pre-shared secret - Authentication method that uses a pre-shared secret.

Link Selection - Multiple interface support with redundancy.

[...]
Chapter 2: Configuring Security Gateways to Support Remote Access Clients

In This Chapter
- Preparing the Security Gateways
- Configuring Endpoint Security VPN and Check Point Mobile for Windows
- Configuring SmartDashboard for SecuRemote client
- Supporting Remote Access Clients and NGX Clients Simultaneously
- Troubleshooting Dual Support

Preparing the Security Gateways
If you have R71.30 and higher or R75 and higher installed on a gateway, Security Management Server, or Multi-Domain Server, it can support Remote Access Clients. It is not necessary to install a Hotfix. See the System Requirements section of the Release Notes for exact details. To use Secondary Connect, you might need to install the Secondary Connect Hotfix. For more about the Secondary Connect Hotfix, see the Remote Access Clients E75.20 Release Notes.

Configuring Endpoint Security VPN and Check Point Mobile for Windows
You manage Remote Access Clients through the SmartDashboard. This task explains how to set up the SmartDashboard to access the configurations required for Endpoint Security VPN and Check Point Mobile for Windows. Before you begin, make sure you have a network for Office Mode allocation.

To configure SmartDashboard for Endpoint Security [...]
1. [...]
   [...] Authentication. On R75.x Security Gateways, open Legacy Authentication.
   d) In the Users drop-down, select a user group to be assigned to the policy.
2. Configure Visitor Mode:
   a) Open IPSec VPN > Remote Access.
   b) Select Support Visitor Mode.
3. Configure Office Mode:
   [...]

Configuring SmartDashboard for SecuRemote client
[...] SmartDashboard to access Endpoint Security VPN configurations.

Note - If you already configured SmartDashboard for Endpoint Security VPN and Check Point Mobile for Windows, these procedures are not necessary.

To configure SmartDashboard for SecuRemote client:
1. On the gateway, configure Visitor Mode:
   [...]
   c) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
   d) Click OK.
   e) Click Close.
4. Install the policy (Policy menu > Install).

Supporting Remote Access Clients and NGX Clients Simultaneously
To run Remote Access Clients along with SecureClient or the NGX SecuRemote client on client systems, you must configure the server and the gateways that will manage these remote access clients. Before you start the configuration, make sure that the encryption domains of all of the gateways are the same. Also make sure that all gateways give connectivity to the [...] resources.

To configure the gateways in SmartDashboard for management of Remote Access Clients and NGX clients:
1. For Check Point Mobile for Windows and SecuRemote client, start with step 2. For Endpoint Security VPN only, on the Desktop tab, add this rule to make sure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:
   - UDP 18231
   - UDP 18233
   - UDP 2746 for UDP [...]
[...]

Chapter 3: The Configuration File
Policy is defined on each gateway in the trac_client_1.ttm configuration file, located in the $FWDIR/conf directory.

In This Chapter
- Editing the TTM File
- Customized Settings
- Centrally Managing the Configuration File
- Understanding the Configuration File
- Migrating Secure Configuration Verification
[...]

[...] Install the policy on each changed gateway.

Centrally Managing the Configuration File
If the configuration file on each gateway is identical, you can manage one copy of the configuration file on the Security Management Server. This file is copied to the gateways when you install the policy.

Important - You must use the newest configuration file installed on the gateway for Remote Access Clients. If you do [...]
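The dual-support procedure in "Supporting Remote Access Clients and NGX Clients Simultaneously" states two prerequisites that are easy to get wrong across a fleet of gateways: every participating gateway must have the same encryption domain, and an Endpoint Security VPN desktop policy must allow outbound UDP 18231, 18233 and 2746 so the desktop firewall does not block SecureClient. The Python below is an added example, not code from Check Point or from this guide. It normalizes each gateway's encryption domain so that equivalent network lists written differently still compare equal, and evaluates a simplified top-down desktop rule base against the three ports. The gateway names, networks, rule layout and the per-port service labels are constructed for illustration; the model assumes first-match evaluation and treats a port with no accepting rule as blocked.

```python
"""Pre-flight checks for running Remote Access Clients alongside SecureClient.

Added example, not Check Point code. It models two prerequisites from the
"Supporting Remote Access Clients and NGX Clients Simultaneously" procedure:
  1. every participating gateway publishes the same encryption domain;
  2. the Endpoint Security VPN desktop policy allows outbound UDP 18231,
     18233 and 2746, so the desktop firewall does not block SecureClient.
Gateway names, networks, rule layout and port labels are constructed.
"""
from dataclasses import dataclass
from ipaddress import collapse_addresses, ip_network
from typing import Dict, List, Optional, Tuple

# Ports the guide requires outbound. The labels are this example's assumption,
# not the guide's wording (the guide only says "UDP 2746 for UDP ...").
REQUIRED_OUTBOUND_UDP: Dict[int, str] = {
    18231: "policy server logon (assumed label)",
    18233: "SCV keep-alive (assumed label)",
    2746: "UDP encapsulation (assumed label)",
}


def normalize_domain(networks: List[str]) -> Tuple:
    """Parse CIDR strings and collapse adjacent/overlapping networks so that
    two gateways whose domains are written differently still compare equal
    (e.g. 10.0.0.0/24 plus 10.0.1.0/24 equals 10.0.0.0/23)."""
    parsed = [ip_network(n, strict=False) for n in networks]
    v4 = collapse_addresses([n for n in parsed if n.version == 4])
    v6 = collapse_addresses([n for n in parsed if n.version == 6])
    return tuple(sorted(v4)) + tuple(sorted(v6))


def encryption_domain_mismatches(gateways: Dict[str, List[str]]) -> Dict[str, Tuple]:
    """gateways maps gateway name -> CIDR list (its encryption domain).
    Returns {name: normalized_domain} for each gateway whose domain differs
    from the first gateway listed; an empty dict means they all match."""
    names = list(gateways)
    if not names:
        return {}
    reference = normalize_domain(gateways[names[0]])
    return {
        name: normalize_domain(gateways[name])
        for name in names[1:]
        if normalize_domain(gateways[name]) != reference
    }


@dataclass(frozen=True)
class DesktopRule:
    action: str            # "accept" or "drop"
    direction: str         # "outbound" or "inbound"
    proto: str             # "udp", "tcp" or "any"
    dport: Optional[int]   # None matches any destination port


def first_match(rules: List[DesktopRule], direction: str, proto: str, dport: int) -> Optional[DesktopRule]:
    """Top-down first-match evaluation of a rule base (assumed model)."""
    for rule in rules:
        if rule.direction != direction:
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule
    return None


def blocked_secureclient_ports(rules: List[DesktopRule]) -> List[int]:
    """Required ports this desktop policy would not accept outbound. A port
    with no matching rule is reported as blocked (conservative assumption)."""
    blocked = []
    for port in REQUIRED_OUTBOUND_UDP:
        match = first_match(rules, "outbound", "udp", port)
        if match is None or match.action != "accept":
            blocked.append(port)
    return sorted(blocked)


def preflight(gateways: Dict[str, List[str]], desktop_rules: List[DesktopRule]) -> List[str]:
    """Human-readable findings for both prerequisites; empty means ready."""
    findings = []
    for name, domain in encryption_domain_mismatches(gateways).items():
        findings.append(f"{name}: encryption domain differs: {[str(n) for n in domain]}")
    for port in blocked_secureclient_ports(desktop_rules):
        findings.append(f"desktop policy blocks outbound UDP {port} ({REQUIRED_OUTBOUND_UDP[port]})")
    return findings


# Constructed sample data (not taken from the guide).
GATEWAYS_OK = {
    "gw-hq": ["10.0.0.0/24", "10.0.1.0/24", "192.168.50.0/24"],
    "gw-branch": ["10.0.0.0/23", "192.168.50.0/24"],   # same domain, written differently
}
GATEWAYS_BAD = {**GATEWAYS_OK, "gw-dr": ["10.0.0.0/23"]}  # missing 192.168.50.0/24

CLEANUP = DesktopRule("drop", "outbound", "any", None)
DESKTOP_POLICY_BEFORE = [DesktopRule("accept", "outbound", "tcp", 443), CLEANUP]
DESKTOP_POLICY_AFTER = [
    DesktopRule("accept", "outbound", "udp", 18231),
    DesktopRule("accept", "outbound", "udp", 18233),
    DesktopRule("accept", "outbound", "udp", 2746),
    DesktopRule("accept", "outbound", "tcp", 443),
    CLEANUP,
]

if __name__ == "__main__":
    for finding in preflight(GATEWAYS_BAD, DESKTOP_POLICY_BEFORE):
        print("FAIL:", finding)
    print("after fix:", preflight(GATEWAYS_OK, DESKTOP_POLICY_AFTER) or "ready")
```

Run it directly to print the findings for the constructed data; an empty list from preflight() means both prerequisites hold. Feeding it real data means exporting each gateway's encryption domain and the Desktop tab rules from SmartDashboard yourself; the script does not talk to the Security Management Server.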