20 October 2010

Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=1131
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
20 October 2010: Added procedure for restoring the TTM file with customizations ("Restoring Settings" on page 22).
14 October 2010: Added Desktop rule to allow MEP traffic ("Making a Desktop Rule for MEP" on page 29). The connect_timeout parameter was removed from the list of commonly changed configuration file parameters, because it must not be used in this installation.
10 October 2010: To reflect the easy process of moving from SecureClient to Endpoint Security VPN, "migration" was changed to "upgrading". Updated Microsoft Windows 7 editions and fixed the client version number in Supported Platforms ("System Requirements" on page 6).
28 September 2010: Updated feature lists ("Before Upgrading to Endpoint Security VPN" on page 6).
13 September 2010: Window pictures added; different versions of the document released for different versions of SmartDashboard.
June 2010: Initial version.

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management).

Contents
Important Information 3
Introduction to Endpoint Security VPN 5
  Using Different Management Servers 5
  Why You Should Upgrade to Endpoint Security VPN 5
  Before Upgrading to Endpoint Security VPN 6
    System Requirements 6
    New Endpoint Security VPN Features 6
    SecureClient Features Supported in Endpoint Security VPN 7
    SecureClient Features Not Yet Supported 9
Configuring Security Gateways to Support Endpoint Security VPN 10
  Installing Hotfix on Gateways 10
  Configuring SmartDashboard 11
  Supporting Endpoint Security VPN and SecureClient Simultaneously 14
  Troubleshooting Dual Support 17
Installing and Configuring Endpoint Security VPN on Client Systems 18
  Installing Endpoint Security VPN on Client Systems 18
  Client Icon 18
  Helping Users Create a Site 18
  Connecting to a Site 19
  Pre-Configuring Proxy Settings 19
  Pre-Configuring Always Connect 20
  Using the Packaging Tool 20
The Configuration File 22
  Configuration File Overview 22
  Restoring Settings 22
  Centrally Managing the Configuration File 22
  Parameters in the Configuration File 23
  Migrating Secure Configuration Verification 24
Multiple Entry Point (MEP) 25
  Configuring Entry Point Choice 25
  Defining MEP Method 26
  Implicit MEP 26
    Configuring Implicit First to Respond 26
    Configuring Implicit Primary-Backup 27
    Configuring Implicit Load Distribution 28
  Manual MEP 29
  Making a Desktop Rule for MEP 29
Differences between SecureClient and Endpoint Security VPN CLI 30

Page 5
Chapter 1
Introduction to Endpoint Security VPN

Endpoint Security VPN is a lightweight remote access client for seamless, secure IPSec VPN connectivity to remote resources. It authenticates the parties and encrypts the data that passes between them. Endpoint Security VPN is intended to replace the current Check Point remote access client, SecureClient.

Note - The gateway and management server components of Endpoint Security VPN run on several Linux/Unix-based platforms as well as on Microsoft Windows (the client itself runs on Windows; see "System Requirements"). The procedures in this document use the Linux/Unix environment variable convention ($FWDIR). If you are using a Windows platform, substitute %FWDIR% for the environment variable in the applicable procedures.

In This Chapter
- Using Different Management Servers 5
- Why You Should Upgrade to Endpoint Security VPN 5
- Before Upgrading to Endpoint Security VPN 6

Using Different Management Servers
Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN. The SmartDashboard differs between versions of the management server, so use the documentation for the SmartDashboard that you have. This guide is for the R70.40 Security Management server.
- If you have an NGX R65 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75 on NGX R65 SmartCenter server (http://supportcontent.checkpoint.com/documentation_download?ID=11130).
- If you have an R71 Security Management server, see Upgrading SecureClient to Endpoint Security VPN R75 on R71 Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11132).

Why You Should Upgrade to Endpoint Security VPN
Check Point recommends that all customers upgrade from SecureClient to Endpoint Security VPN as soon as possible, to have these enhancements:
- Automatic and transparent upgrades, with no administrator privileges required
- Supports 32-bit and 64-bit Windows Vista and Windows 7
- Uses less memory than SecureClient
- Automatic disconnect/reconnect as clients move in and out of the network
- Seamless connection experience while roaming
- Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
- Supports many additional new features
- Does not require a Security Management server upgrade
- Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period

Introduction to Endpoint Security VPN Page 6

Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Endpoint Security VPN
Before upgrading, consider these issues.

System Requirements

Management Server and Gateway:
Note - See the Release Notes of the specific Check Point version for supported versions of different platforms.
- All supported platforms for NGX R65 HFA 70 (R65.70) with the NGX R66 Management plug-in
- All supported platforms for R70.40

Notes:
- Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You can install the Endpoint Security VPN package on multiple gateways; to enable MEP (the Implicit MEP method, see "Installing Hotfix on Gateways") you must also install it on the Security Management server.
- The server and gateway can be installed on open servers or appliances.
- On UTM-1 appliances, you cannot use the WebUI to install Endpoint Security VPN.
- Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.
Clients:
Endpoint Security VPN R75 can be installed on these platforms:
- Microsoft Windows XP 32-bit, SP2 and SP3
- Microsoft Windows Vista 32-bit and 64-bit, SP1
- Microsoft Windows 7 Home Edition 32-bit and 64-bit
- Microsoft Windows 7 Home Premium 32-bit and 64-bit
- Microsoft Windows 7 Pro 32-bit and 64-bit
- Microsoft Windows 7 Ultimate 32-bit and 64-bit
- Microsoft Windows 7 Enterprise 32-bit and 64-bit

New Endpoint Security VPN Features
(Feature: Description)
- Hotspot Detection and Registration (Exclusion for Policy): Automatically detects hotspots that prevent the client system from establishing a VPN tunnel. Opens a mini-browser to allow the user to register with the hotspot and then connect to the VPN gateway. Includes firewall support for hotspots.
- Automatic Connectivity Detection: Automatically detects whether the client is connected to the Internet or to the LAN.
- Automatic Certificate Renewal in CLI Mode: Supports automatic certificate renewal, including in CLI mode.
- Location Awareness: Automatically determines whether the client is inside or outside the enterprise network.
- Roaming: Maintains the VPN tunnel if the client disconnects and reconnects using different network interfaces.
- Automatic and Transparent Upgrade Without Administrator Privileges: Updates the client system securely and without user intervention.
- Windows Vista / Windows 7 64-Bit Support: Supports the latest 32-bit and 64-bit Windows operating systems.
- Automatic Site Detection: During first-time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.
- Geo Clusters: Connects the client system to the closest VPN gateway based on location. For more information on geo clusters, see sk43107 (http://supportcontent.checkpoint.com/solutions?id=sk43107).
- Machine Idleness: Disconnects the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.
- Flush DNS Cache: Removes previous DNS entries from the DNS cache when creating the VPN tunnel.

SecureClient Features Supported in Endpoint Security VPN
(Feature: Description)
- Authentication Methods: Username/Password; Certificate; SecurID (passcode, softID, key fobs); Challenge Response.
- Cached Credentials: Caches credentials for user login.
- NAT-T/Visitor Mode: Lets users connect from any location, such as a hotel, airport, or branch office.
- Multiple Entry Point (MEP): VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A).
- Pre-Configured Client Packaging: Predefined client installation package with configurations for easy provisioning.
- Office Mode: Internal IP address for remote access VPN users.
- Compliance Policy - Secure Configuration Verification (SCV): Verifies client system policy compliance before allowing remote access to the internal network.
- Proxy Detect / Replace: Detects proxy settings in client system web browsers for seamless connectivity.
- Route All Traffic: Sends all traffic from the client system through the VPN gateway.
- Localization: Supported languages are Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, and Spanish.
- Certificate Enrollment / Renewal: Automatic enrollment and renewal of certificates issued by the Check Point Internal CA server.
- CLI and API Support: Manage the client with third-party software.
- Tunnel Idleness: Disconnects the VPN if there is no traffic for a specified duration.
- Dialup: Supports dialup connections.
- Disconnect On Smart Card Removal: Disconnects the VPN if a Smart Card is removed from the client system.
- Re-authentication: After a specified duration, the user is asked to re-authenticate.
- Keep-alive: Sends keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel.
- Check Gateway Certificate in CRL: Validates the VPN gateway certificate against the CRL.
- Desktop Firewall Configured from SmartDashboard Desktop Policy: Personal firewall integrated into the client, managed with the SmartDashboard desktop policy.
- Configuration File Corruption Recovery: Recovers corrupted configuration files.
- Secure Domain Logon (SDL): Establishes the VPN tunnel prior to user login.
- Desktop Firewall Logs in SmartView Tracker: Desktop firewall logs are displayed in SmartView Tracker.
- End-user Configuration Lock: Prevents users from changing the client configuration.
- Update Dynamic DNS with the Office Mode IP: Registers the internal (Office Mode) IP address assigned to the remote access VPN user in Dynamic DNS.
- Secure Authentication API (SAA): Integrates with third-party authentication providers.
- SmartView Monitor: Monitors VPN tunnel and user statistics with SmartView Monitor.
- Post Connect Script: Executes manual scripts before and after the VPN tunnel is established.

SecureClient Features Not Yet Supported
Currently, these SecureClient features are not supported by Endpoint Security VPN. Many of them are expected to be supported in the next release.
(Feature: Description)
- Single Sign-on (SSO): One set of credentials to log in to both the VPN and the Windows operating system.
- "Suggest Connect" Mode (Auto Connect): Creates the VPN tunnel when the client generates traffic to VPN domain resources.
- Entrust Entelligence Support: Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption.
- Diagnostic Tools: Tools for viewing logs and alerts.
- Compression: Compresses IPSec traffic.
- VPN Connectivity to VPN-1 VSX: Terminates the VPN tunnel at Check Point VSX gateways.
- DNS Splitting: Supports multiple DNS servers.
- "No Office Mode" Connect Mode: Connects to the VPN gateway without requiring Office Mode.
- Pre-shared secret: Authentication method that uses a pre-shared secret.
- Link Selection: Multiple interface support with redundancy.
- Secondary Connect (Including Fast Failover): Connects to multiple VPN gateways simultaneously and establishes VPN tunnels to all resources located behind each VPN gateway.
- DHCP Automatic Lease Renewal: Automatically renews IP addresses obtained from DHCP servers.

Page 10
Chapter 2
Configuring Security Gateways to Support Endpoint Security VPN

In This Chapter
- Installing Hotfix on Gateways 10
- Configuring SmartDashboard 11
- Supporting Endpoint Security VPN and SecureClient Simultaneously 14
- Troubleshooting Dual Support 17

Installing Hotfix on Gateways
To run Endpoint Security VPN and SecureClient simultaneously on client systems, install the hotfix on the production gateways or on a standalone, self-managed gateway. To use the Implicit MEP feature, you must also install the hotfix on the Security Management server. If you do not need this feature, the hotfix does not have to be installed on the server (only on the gateways).

Important - If you install the hotfix on a new dedicated gateway in a production environment, with the same management server as the other Remote Access gateways, this gateway is also added to the topology used by SecureClient clients.
This may cause SecureClient clients to connect to the new Endpoint Security VPN gateway. Make sure that the resources in the encryption domain of the Endpoint Security VPN gateway are accessible to the SecureClient clients. If you have clients that use a pre-shared secret to authenticate, give those users a different authentication method, one that Endpoint Security VPN supports.

To install the hotfix on a Security Gateway:
1. Download the hotfix from the Check Point Support Center (http://supportcenter.checkpoint.com).
2. Copy the hotfix package to the gateway.
3. Run the hotfix.
   On SecurePlatform, disk-based IPSO, and Solaris:
   [admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz
   [admin@gateway ~/hf]$ ./fw1_HOTFIX_FLO_HFA_EVE2_HF_553_
   Do you want to proceed with installation of Check Point fw1 R70 Support FLO_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on this computer?
   If you choose to proceed, installation will perform CPSTOP.
   (y-yes, else no):y
   On Windows platforms, double-click the installation file and follow the instructions.
   If the WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint Security VPN will not be able to connect.
4. Reboot the Security Gateway.

Note - The installer runs cpstop and step 4 reboots the gateway, so traffic through the gateway, including existing SecureClient tunnels, is interrupted until the gateway is back up. Do this in a maintenance window.

[...]

... configured, add an exception for Endpoint Security VPN:
a) Open Remote Access > Secure Configuration Verification (SCV).
b) Select Apply Secure Configuration Verification on Simplified mode.
c) Click Exceptions. The Secure Configuration Verification Exceptions window opens.
d) ...
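The WebUI warning in step 3 is easy to miss until clients fail to connect, so here is a pre-install check to run on the gateway before step 3. It is an added example, not part of the Check Point guide: it reads `netstat -tlnp` style output and reports what holds TCP 443, the port Endpoint Security VPN needs on the gateway. The daemon name vpnd, assumed here to be the Check Point process that legitimately serves 443, and the sample netstat lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): pre-install check for
# "To install the hotfix on a Security Gateway", step 3. Reads netstat -tlnp
# style listener lines from stdin and tells you whether something other than
# the VPN daemon (assumed name: vpnd) already owns TCP 443.

# Print the PID/program listening on TCP port $1, from lines such as
#   tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1234/httpd
# Prints "none" when nothing listens on that port. Works for tcp6 lines too,
# because only the last ":"-separated part of the local address is compared.
listener_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { print $7; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# Return 0 when TCP 443 is free for Endpoint Security VPN (no listener, or the
# assumed VPN daemon vpnd). Return 1 and name the offending process otherwise,
# for example the WebUI, which must be moved to a port other than 443 first.
port_443_is_free() {
    proc=$(listener_on_port 443)
    case "$proc" in
        none|*/vpnd) return 0 ;;
        *) echo "TCP 443 is held by $proc; move the WebUI to another port before installing" >&2
           return 1 ;;
    esac
}

# Constructed netstat output for the demo (not captured from a real gateway).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1234/httpd
tcp 0 0 0.0.0.0:264 0.0.0.0:* LISTEN 2222/fwd'

# Demo: the sample has the WebUI httpd on 443, so this reports the conflict.
if printf '%s\n' "$SAMPLE_NETSTAT" | port_443_is_free; then
    echo "TCP 443 is available for Endpoint Security VPN"
fi
```

On a real gateway, run `netstat -tlnp | port_443_is_free` as root before starting the hotfix installer, and only proceed when it returns 0.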
... UninstallSecureClient.exe from the SecureClient installation directory.

Page 17
Chapter 3
Installing and Configuring Endpoint Security VPN on Client Systems

In This Chapter
- Installing Endpoint Security VPN on Client Systems
- Client Icon
- Helping Users Create a Site
- Connecting to a Site
- Pre-Configuring Proxy Settings
- Pre-Configuring Always Connect
...

[...] MEP Security Gateways in the Endpoint Security VPN TTM file. Whichever you choose, you must set the Endpoint Security VPN configuration file to identify the configuration.

To define MEP topology:
1. Open the $FWDIR/conf/trac_client_1.ttm configuration file.
2. Make sure that enable_gw_resolving is true.
3. Set the value of automatic_mep_topology:
   true - implicit configuration
   false - manual configuration
...

[...] authentication method you want them to use
- Authentication materials (username, password, certificate file, RSA SecurID, or access to the HelpDesk for challenge/response authentication)

Connecting to a Site
You might have to help users connect to the VPN. The Endpoint Security VPN client lets users connect to sites, where a site is a VPN gateway.

To connect to a site:
1. Right-click the client icon and select ...
[...] the Desktop tab, add this rule to ensure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:
- UDP 18231
- UDP 18233
- UDP 2746, for UDP encapsulation
- UDP 500, for IKE
- TCP 500, for IKE over TCP
- TCP 264, for topology ...

[...] not have to apply for new credentials to a site they have been using.
c) Click Generate to create the MSI package. A window opens to prompt for a location to save the generated package.
9. Distribute this package to Endpoint Security VPN users.

Page 21
Chapter 4
The Configuration File

In This Chapter
- Configuration File Overview
- Restoring Settings
...

[...] copied to the Security Gateways when you install the policy.

Important - For Endpoint Security VPN you must use the newest configuration file, the one installed on the gateway. This matters because, if you do not install Endpoint Security VPN on the Security Management server, the server still has an outdated configuration file that does not support the new features, and that is the file it would push to the gateways.

To centrally manage the configuration file:
1. On ...

[...] select Connect or Connect to. A site connection window opens. This window has authentication fields according to the selected authentication method. If you selected Connect to, you can select the site to which you would like to connect.
2. Enter credentials, and click Connect. A connection progress window opens. Wait until the connection is made.

Pre-Configuring Proxy Settings
Note - Remote-location proxy-server ...
[...] configurations of the gateways are used to make the VPN connections. Gateways are configured differently for each MEP method.

Before you begin, make sure that $FWDIR/conf/trac_client_1.ttm has:
- enable_gw_resolving (true)
- automatic_mep_topology (true)

Configuring Implicit First to Respond
When more than one Security Gateway leads to the same (overlapping) VPN domain, they are in a MEP configuration.
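Both "To define MEP topology" and the "Before you begin" check above come down to reading two flags out of trac_client_1.ttm, and a policy install will silently push whatever the file says. The following is an added example, not code from the Check Point guide, that extracts a parameter's value from the file and verifies the two flags for the chosen MEP method before you install policy. The nested `:name ( ... )` set-file layout, with each parameter's value sitting under `:gateway (:default (...))`, is an assumption about the file's structure; the sample file is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): verify the trac_client_1.ttm
# flags that the MEP procedures require. The ':param (:gateway (:default (value)))'
# layout is ASSUMED; check it against your own file before relying on this.

# Print the value of parameter $1 from set-file text on stdin. The value is the
# first scalar found under a ':default' node inside the parameter's block, or a
# scalar written directly as ':param (value)'. Prints nothing if the parameter
# is absent. Quoted single-word values lose their quotes; multi-word quoted
# values are not handled.
ttm_value() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            gsub(/\(/, " ( "); gsub(/\)/, " ) ") # make parentheses separate tokens
            n = split($0, tok)
            for (i = 1; i <= n; i++) {
                t = tok[i]
                if (t == "(") { depth++; name[depth] = pending; pending = ""; continue }
                if (t == ")") { depth--; continue }
                if (substr(t, 1, 1) == ":") { pending = substr(t, 2); continue }
                # t is a scalar: report it only if we are inside the wanted block
                inside = 0
                for (d = 1; d <= depth; d++) if (name[d] == want) inside = 1
                if (inside && (name[depth] == want || name[depth] == "default")) {
                    gsub(/"/, "", t); print t; exit
                }
            }
        }'
}

# Exit 0 if file $1 is ready for MEP mode $2 ("implicit" or "manual"):
# enable_gw_resolving must be true, and automatic_mep_topology must be true for
# implicit MEP or false for manual MEP, as the "To define MEP topology" step says.
check_mep_prereqs() {
    file=$1; mode=$2
    case "$mode" in
        implicit) want_topo=true ;;
        manual)   want_topo=false ;;
        *) echo "mode must be implicit or manual" >&2; return 2 ;;
    esac
    rc=0
    gw=$(ttm_value enable_gw_resolving < "$file")
    topo=$(ttm_value automatic_mep_topology < "$file")
    if [ "$gw" != true ]; then
        echo "enable_gw_resolving is '${gw:-missing}', expected true" >&2; rc=1
    fi
    if [ "$topo" != "$want_topo" ]; then
        echo "automatic_mep_topology is '${topo:-missing}', expected $want_topo for $mode MEP" >&2; rc=1
    fi
    return $rc
}

# Constructed sample in the assumed layout; not a real trac_client_1.ttm.
sample_ttm() {
    cat <<'EOF'
# constructed sample (assumed layout)
(
    :gateway (
        :default (
            :enable_gw_resolving (
                :gateway (
                    :default (true)
                )
            )
            :automatic_mep_topology (
                :gateway (
                    :default (false)
                )
            )
            :connect_mode (
                :gateway (
                    :default ("Manual")
                )
            )
        )
    )
)
EOF
}

# Demo: the sample is ready for manual MEP only, because automatic_mep_topology is false.
sample=$(mktemp)
sample_ttm > "$sample"
check_mep_prereqs "$sample" manual && echo "ready for manual MEP"
check_mep_prereqs "$sample" implicit || echo "not ready for implicit MEP"
rm -f "$sample"
```

On the management server, run `check_mep_prereqs $FWDIR/conf/trac_client_1.ttm implicit` (or `manual`) before Policy > Install; a non-zero exit names the flag that still needs editing.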