
Remote Access Clients

for Windows 32-bit/64-bit

E75.10
Release Notes

27 September 2011

2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11999 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date - Description
27 September 2011 - Change to Management Server and Gateway Requirements (on page 11). UTM-1 Edge is not supported.
5 July 2011 - R71.40 and R75.10 were released. Changed System Requirements ("Management Server and Gateway Requirements" on page 11) to show this.
30 June 2011 - Clarified license requirements ("Remote Access Clients Comparison" on page 7).
14 March 2011 - Initial version.

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows 32-bit/64-bit E75.10 Release Notes).

Contents
Important Information
Introduction
  What's New in this Release
    New Remote Access Clients
    Remote Access Clients Comparison
    New SCV Features
    Testing the Windows Security Monitor Check
    Secure Authentication API (SAA)
    Office Mode IP Address Lease Auto Renewal
  Editing trac_client_1.ttm
  Upgrading from SecureClient
System Requirements
  Management Server and Gateway Requirements
  Client Requirements
  Build Numbers
Installation
  Installing the Hotfix
  Upgrading Clients to This Release
  Uninstalling a Hotfix
Resolved Issues
Known Limitations


Introduction
The release of Endpoint Security VPN R75 introduced the Next Generation of SecureClient, including 64-bit support. This release, E75.10 Remote Access Clients, adds new features and two additional VPN Clients: Check Point Mobile for Windows and SecuRemote.

All E75.10 Remote Access Clients give remote access users seamless and secure connectivity to corporate resources. They establish an encrypted and authenticated IPSec tunnel with Check Point Security Gateways.

We recommend that you read this document before installing E75.10 Remote Access clients.

Note - The E75 Remote Access Clients series was previously called R75. If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a new Hotfix to use the new features of the E75.10 Remote Access Clients.

Related Documentation:
- Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992)
- Endpoint Security VPN E75.10 User Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11993)
- Check Point Mobile for Windows E75.10 User Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11994)
- SecuRemote E75.10 User Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11995)
- Remote Access Clients E75.10 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11999)

For SecureClient features supported in Remote Access Clients, see sk56580 (http://supportcontent.checkpoint.com/solutions?id=sk56580).


What's New in this Release


Here is a summary of what is new in this release. More details are in the next sections.

New and improved Remote Access Clients:
- Endpoint Security VPN
- Check Point Mobile for Windows
- SecuRemote

New SCV Features:
- Verifies the compliance of virtually all anti-virus programs and other components that are monitored by Windows Security Center.
- Verifies compliance by running a specified executable on the client machine.

Support for Secure Authentication API (SAA)

Office Mode IP address lease auto renewal

General improvements

New Remote Access Clients


Endpoint Security VPN - Enterprise Grade Remote Access Client with Desktop firewall and compliance checks.
Check Point Mobile for Windows - New Enterprise Grade Remote Access Client with compliance checks.
SecuRemote - Basic Remote Access Client.


Remote Access Clients Comparison


Client Purpose
- Endpoint Security VPN - Secure connectivity with centrally managed desktop firewall & compliance checks
- Check Point Mobile for Windows - Secure connectivity & compliance checks
- SecuRemote - Basic secure connectivity

Replaces Client
- Endpoint Security VPN - SecureClient NGX R60, Endpoint Connect R73
- Check Point Mobile for Windows - Endpoint Connect R73
- SecuRemote - SecuRemote NGX R60

Feature - Description
IPSEC VPN Tunnel - All traffic travels through a secure VPN tunnel.
Security Compliance Check (SCV) - Monitor remote computers to confirm that the configuration complies with organization's security policy.
Integrated Desktop Firewall - Integrated endpoint firewall centrally managed from a Security Management Server.
Split Tunneling - Encrypt only traffic targeted to the VPN tunnel.
Hub Mode - Pass all connections through the gateway.
Dynamic Detection of Connection Method - When IPSEC connectivity is not possible, automatically connect over TCP port 443 (HTTPS port).
Multi Entry Point (MEP) - Client seamlessly connects to an alternative site when the primary site is not available.
Office Mode IP - Each VPN client is assigned an IP from the internal office network.
Auto Connect and Location Awareness - Intelligently detect if the user is outside the internal office network, and automatically connect as required. If the client senses that it is inside the internal network, the VPN connection is terminated.
Roaming - Tunnel and connections remain active while roaming between networks.
Always Connected - VPN connection is established whenever the client exits the internal network.
Secure Domain Logon (SDL) - VPN tunnel and domain connectivity is established as part of Windows login allowing GPO and install scripts to execute on remote machines.
Split DNS - Resolves internal names with the SecuRemote DNS Server configuration.
Hotspot Detection and Registration - Makes it easier for users to find and register with hotspots to connect to the VPN through local portals (such as in hotels or airports).
Secure Authentication API (SAA) - Allows third party-extensions to the standard authentication schemes. This includes 3factor and biometrics authentication.

Version - E75.10

Required Licenses
- Endpoint Security VPN - On the Gateway: IPSec VPN Blade. On the Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints.
- Check Point Mobile for Windows - IPSec VPN Blade and Mobile Access Blade (based on concurrent connections).
- SecuRemote - On the Gateway: IPSec VPN Blade for an unlimited number of connections.


New SCV Features


This release includes these new SCV (Secure Configuration Verification) compliance checks:
- Windows Security Monitor - Verifies that components monitored by Windows Security Center are installed and enforced (for example, check if there is Anti-virus installed and running). You can define which components you want to check. To configure the Windows Security Monitor check, see the Secure Configuration Verification section of the Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992). To try it, see Testing the Windows Security Monitor Check (on page 9).
- ScriptRun - Runs a specified executable on the client machine and checks the return code of the executable. For example, a script can check if a certain file is present on the client machine. It can perform additional configuration checks that you choose.

This release includes these new SCV Global Parameters:
- scv_checks_intervals - Lets you change the default interval after which the SCV checks run.
- allow_non_scv_clients - Lets you allow gateway connection from clients that do not have SCV, such as SecuRemote.
- skip_firewall_enforcement_check - Lets you allow gateway connection from clients that do not have a desktop firewall enforced, such as SecuRemote or Check Point Mobile for Windows.

Testing the Windows Security Monitor Check


If you have used SCV in the past and want to try out this new SCV check, you can test it with an example file.

To test the Windows Security Monitor check:


1. Download the Windows Security Monitor Example local.scv file (http://supportcontent.checkpoint.com/documentation_download?ID=11923).
2. On your Security Management Server, go to $FWDIR/conf directory.
3. Back up the local.scv file.
4. Replace the current local.scv file with the file that you downloaded.
5. Install policy on the gateways from the SmartDashboard.
6. Test the Windows Security Monitor check.
7. When you finish testing it, replace the example local.scv file with your previous local.scv file.
8. Configure the Windows Security Monitor check according to the instructions in the Administration Guide.

For more about the new SCV checks and parameters see the Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992).

Secure Authentication API (SAA)


For more about SAA, see the Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992).

Office Mode IP Address Lease Auto Renewal


For more about this, see IP Address Lease Duration in the Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992).


Editing trac_client_1.ttm
You can edit the trac_client_1.ttm configuration file for many reasons. To learn how, see the Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992). When you open the TTM file, you must make sure to use an editor that does not convert files to DOS format - it must remain in UNIX format. If you do convert the file to DOS, you must convert it back to UNIX. You can use the dos2unix command, or open it in an editor that can save it back in a UNIX format.
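
A check for the line-ending requirement above, as an added example (not Check Point code): it detects DOS line endings in an edited TTM file, keeps a backup, and converts the file back to UNIX format when dos2unix is not at hand. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code: keep an edited TTM file in UNIX (LF) format.

CR=$(printf '\r')   # a literal carriage return, used in the patterns below

# has_dos_endings FILE: succeed if any line ends in CR (DOS/CRLF format).
has_dos_endings() {
    grep -q "${CR}\$" "$1"
}

# ensure_unix_format FILE: convert CRLF to LF in place, keeping FILE.dos.bak.
ensure_unix_format() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if ! has_dos_endings "$f"; then
        echo "$f: already in UNIX format"
        return 0
    fi
    cp -p "$f" "$f.dos.bak" || return 1
    tmp=$(mktemp) || return 1
    if ! sed "s/${CR}\$//" "$f" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Write through the existing file so its owner and mode are unchanged.
    cat "$tmp" > "$f"
    rm -f "$tmp"
    if has_dos_endings "$f"; then
        echo "$f: conversion failed, restore from $f.dos.bak" >&2
        return 1
    fi
    echo "$f: converted to UNIX format (backup in $f.dos.bak)"
}

# Demonstration on a constructed file (placeholder text, not real TTM content).
demo_dir=$(mktemp -d)
printf 'placeholder line 1\r\nplaceholder line 2\r\n' > "$demo_dir/trac_client_1.ttm"
ensure_unix_format "$demo_dir/trac_client_1.ttm"
rm -rf "$demo_dir"
```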

Upgrading from SecureClient


Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN or Check Point Mobile for Windows. Clients who had SecuRemote client can use the same steps to upgrade to SecuRemote E75.10.

The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have.
- If you have NGX R65 SmartCenter Server, see Upgrading to Remote Access Clients on NGX R65 SmartCenter server (http://supportcontent.checkpoint.com/documentation_download?ID=11998).
- If you have the R70.40 Security Management Server, see Upgrading to Remote Access Clients on R70.40 Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11997).
- If you have the R71.30 Security Management Server, see Upgrading to Remote Access Clients on R71.x or R75.x Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11996).

For SecureClient features supported in Remote Access Clients, see sk56580 (http://supportcontent.checkpoint.com/solutions?id=sk56580).


System Requirements
Read all requirements carefully.

Management Server and Gateway Requirements


Remote Access Clients requires a supported gateway version. These Check Point versions support these E75.10 Remote Access Clients: Check Point Security Gateway Security Gateway NGX R65 Version Supported for Endpoint Security VPN HFA 70 + Endpoint Security VPN R75/Remote Access Clients E75.10 Hotfix R70.40 + Endpoint Security VPN R75/Remote Access Clients E75.10 Hotfix To be supported on R70.50* (no Hotfix) Security Gateway R71 Security Gateway R75 R71.30 R75 R71.40 R75 + Hotfix from sk60940 R75.10 VSX R67 To be supported on R67.10* Not supported Not Supported To be supported on R67.10* Not supported Version Supported for Check Point Mobile for Windows Not Supported Version Supported for SecuRemote HFA 70 + Endpoint Security VPN R75/Remote Access Clients E75.10 Hotfix R70.40 + Endpoint Security VPN R75/Remote Access Clients E75.10 Hotfix To be supported on R70.50* (no Hotfix) R71.30 R75.10

Security Gateway R70

Not Supported

UTM-1 Edge

Not supported

Important Notes:
* shows that the version was not yet released. Get all Hotfixes from sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286). See the Release Notes of the specific Check Point version for the supported platforms.


Additional Notes
- Remote Access Clients support VPN gateway redundancy with Multiple Entry Point (MEP).
- You can install the Remote Access Clients package on multiple gateways and must install it on the server to enable Implicit MEP.
- The server and gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Remote Access Clients.
- Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80.
- If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.

Client Requirements
Remote Access Clients E75.10 can be installed on these platforms:
- Microsoft Windows XP 32 bit SP2, SP3
- Microsoft Windows Vista 32 bit and 64 bit, SP1
- Microsoft Windows 7, all editions 32 bit and 64 bit, with and without SP1

Build Numbers
The build number of the Remote Access Clients for E75.10 is 835016656. To check this: Right-click the Client icon and select Help > About.

The build number of the Remote Access Clients on the gateway before you install an E75.10 package is 835002205.

Note - To change the build number:
- Put a trac.cab file with the E75.10 client on the gateway.
- Change the build number in the trac_ver.txt file to 835016656, as described in Upgrading Clients to This Release (on page 14).


Installation
If this is a new installation of Remote Access Clients on NGX R65.70 or R70.40, you must install the Remote Access Clients Hotfix on the gateways that will manage the remote access client traffic.

If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a new Hotfix to use the new features of the E75.10 Remote Access Clients.

In This Section
- Installing the Hotfix
- Upgrading Clients to This Release
- Uninstalling a Hotfix

Installing the Hotfix


If you have R71.30 and higher or R75 and higher installed on a gateway, Security Management Server, or Multi-Domain Server, it can support Remote Access Clients. It is not necessary to install a Hotfix. See the System Requirements section of the Release Notes for exact details.

For other supported gateway versions, install the Hotfix. Find the Hotfix for your gateway version and operating system in sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).

The Remote Access Clients Hotfix enables NGX R65.70 and R70.40 gateways to support E75.10 Remote Access Clients.

To use Implicit MEP, install this hotfix also on the NGX R65.70 and R70.40 Security Management Server.

Note - In environments that require Implicit MEP functionality, the Security Gateways must be the same Check Point version as the Security Management Server, and they must all have the Remote Access Clients Hotfix installed.

To use Implicit MEP in a Multi-Domain Security Management environment, install this hotfix also on the NGX R65.70 and R70.40 Multi-Domain Server.

Before you install the Hotfix:


This Hotfix has possible conflicts with other installed Hotfixes. If you can, it is safest to uninstall all Hotfixes installed on the Security Management Server or gateways. See Uninstalling a Hotfix (on page 15). If you cannot uninstall a Hotfix, contact Check Point Technical Support.

To install the Hotfix on a Security Gateway or Security Management Server:


1. Download the Remote Access Clients Hotfix from sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209).
2. Copy the Hotfix package to the Security Gateway or Security Management Server.
3. Run the Hotfix:
   On SecurePlatform, Disk-based IPSO, and Solaris:
   a) tar -zxvf <name_of_file>.tgz
   b) ./UnixInstallScript
   On Windows platforms: double-click the installation file and follow the instructions.
4. Reboot the Security Gateway or Security Management Server.

To install the Hotfix on a Multi-Domain Server:


1. On the Multi-Domain Server, run: mdsenv.
2. Download the Remote Access Clients Hotfix from sk65209 (http://supportcontent.checkpoint.com/solutions?id=sk65209) to the Multi-Domain Server.
3. Run the Hotfix on SecurePlatform and Solaris:
   a) tar -zxvf <name_of_file>.tgz
   b) ./UnixInstallScript
4. Follow the on-screen instructions.
5. Reboot the Multi-Domain Server.

Upgrading Clients to This Release


To automatically update clients to this release of Remote Access Clients or a future release, upgrade the client package on the gateway. Then all clients receive the new package when they next connect.

If you have a gateway version that requires the Remote Access Clients Hotfix, make sure that the Hotfix is installed before you put an upgraded package on the gateway.

If you have R71.x with SSL VPN enabled, put the TRAC.cab file in a different directory, as shown in the instructions.

Users must have administrator privileges to install an upgrade with an MSI package. Administrative privileges are not required for automatic upgrades from the gateway.

Unattended (ATM) Clients


You cannot upgrade regular Remote Access Clients and unattended (ATM) Endpoint Security VPN clients from the same gateway. Important - If you download the Automatic Upgrade for ATM file, you get a file called TRAC_ATM.cab. You must rename it to TRAC.cab before you put it on the gateway.

To distribute the Remote Access Clients from the gateway:


1. On the gateway, in the $FWDIR/conf/extender/CSHELL directory, back up the TRAC.cab and trac_ver.txt files.
   For R71.x, back up the TRAC.cab file in: $CVPNDIR/htdocs/SNX/CSHELL
2. Download the Remote Access Clients E75.10 Automatic Upgrade file (http://supportcontent.checkpoint.com/solutions?id=sk65209).
3. Put the new TRAC.cab and ver.ini files in the same directory on the gateway: $FWDIR/conf/extender/CSHELL
   For R71.x, put the TRAC.cab file also in: $CVPNDIR/htdocs/SNX/CSHELL
4. On a non-Windows gateway, run: chmod 750 TRAC.cab
5. Edit the trac_ver.txt file in the directory and change the version number to the number in the new ver.ini.
6. Make sure the client upgrade mode is set:
   a) Open the SmartDashboard.
   b) Open Policy > Global Properties > Remote Access > Endpoint Connect.
   c) Set the Client upgrade mode to Ask user (to let user confirm upgrade) or Always upgrade (automatic upgrade).
   d) Click OK.
7. Install the policy.

When the client connects to the gateway, the user is prompted for an automatic upgrade of the newer version.
- If users had Endpoint Security VPN R75, it keeps the existing settings.
- If users had Endpoint Connect R73, it automatically upgrades to Endpoint Security VPN.
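
Steps 1, 3, 4 and 5 of the procedure above as one script, added here as an example (not Check Point code). It assumes the build numbers given under Build Numbers appear as plain decimal text in trac_ver.txt and in the new ver.ini, and it covers only the $FWDIR/conf/extender/CSHELL directory; the function name is hypothetical.

```shell
#!/bin/sh
# Added example, not Check Point code: stage a new client package on a gateway.
# Assumption: the build number appears as plain decimal text in trac_ver.txt
# and in the new ver.ini; the exact layout of both files is not assumed.

# stage_client_package NEW_DIR CSHELL_DIR OLD_BUILD NEW_BUILD
#   NEW_DIR     directory holding the downloaded TRAC.cab and ver.ini
#   CSHELL_DIR  on the gateway: $FWDIR/conf/extender/CSHELL
stage_client_package() {
    new_dir=$1; cshell=$2; old_build=$3; new_build=$4
    stamp=$(date +%Y%m%d%H%M%S)

    # Change nothing unless every input file is present.
    for f in "$new_dir/TRAC.cab" "$new_dir/ver.ini" \
             "$cshell/TRAC.cab" "$cshell/trac_ver.txt"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    # The number written to trac_ver.txt must be the one in the new ver.ini.
    grep -qF "$new_build" "$new_dir/ver.ini" || {
        echo "build $new_build is not in the new ver.ini" >&2; return 3; }
    grep -qF "$old_build" "$cshell/trac_ver.txt" || {
        echo "build $old_build is not in trac_ver.txt" >&2; return 3; }

    # Step 1: back up the current package and version file.
    cp -p "$cshell/TRAC.cab" "$cshell/TRAC.cab.bak-$stamp" || return 1
    cp -p "$cshell/trac_ver.txt" "$cshell/trac_ver.txt.bak-$stamp" || return 1

    # Step 3: put the new TRAC.cab and ver.ini in the directory.
    cp "$new_dir/TRAC.cab" "$new_dir/ver.ini" "$cshell/" || return 1

    # Step 4: permissions for a non-Windows gateway.
    chmod 750 "$cshell/TRAC.cab" || return 1

    # Step 5: change the version number in trac_ver.txt, then verify it.
    sed "s/$old_build/$new_build/g" "$cshell/trac_ver.txt.bak-$stamp" \
        > "$cshell/trac_ver.txt" || return 1
    grep -qF "$new_build" "$cshell/trac_ver.txt" || return 1
    echo "staged build $new_build in $cshell (backups end in .bak-$stamp)"
}

# Demonstration in a scratch directory with constructed placeholder files.
demo=$(mktemp -d)
mkdir "$demo/download" "$demo/CSHELL"
printf 'old package placeholder\n' > "$demo/CSHELL/TRAC.cab"
printf '835002205\n' > "$demo/CSHELL/trac_ver.txt"
printf 'new package placeholder\n' > "$demo/download/TRAC.cab"
printf '835016656\n' > "$demo/download/ver.ini"
stage_client_package "$demo/download" "$demo/CSHELL" 835002205 835016656
rm -rf "$demo"
```

Steps 6 and 7 (client upgrade mode and policy installation) are still done in the SmartDashboard.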


Uninstalling a Hotfix
If you need to uninstall a Hotfix, use this procedure.

To uninstall a Hotfix from a gateway:


1. Go to the installation directory: cd /opt/CPsuite-version/
   For example, the installation directory on an R70.40 gateway is: /opt/CPsuite-R70/
2. Run: ./uninstall_<name_of_original_Hotfix_file>
   The name of the Hotfix is different for gateway version and for Hotfix functionality.
3. Enter y at the prompt.
4. Reboot the Security Gateway.

Resolved Issues
These issues from Endpoint Security VPN R75 are resolved by this build of Remote Access Clients:

ID Description
00572712 Manual proxy settings in the client are not applied. Workaround: Users set up the proxy in Internet Explorer and select the option in the Proxy window that uses Internet Explorer settings.
00589338 Some log files (such as trac_fwpkt.log and helpdesk.log) do not have an upper size limit and grow as the application runs. Workaround: Delete large log files manually as needed.
00549038 To use a pre-packaged MSI, you must create the trac.config file from a newly created site before the first connection is attempted.
Vista / Windows 7 may not be able to connect after awake from sleep. Workaround: Disconnect and re-connect.
00544682 00571075 SDL messages may be displayed for too short a time.
Connection sessions may close after 15 minutes. Workaround: Extend the IP lease duration (Gateway Properties > Remote Access > Office Mode > Optional Parameters > IP lease Duration).
00596757 The instructions to configure <any_port> in hotspot ports that are described in sk41586 (http://supportcontent.checkpoint.com/solutions?id=sk41586) work for clients in this version.
After installing Endpoint Security VPN, the firewall blocks inbound connections to the computer.
The path for where the Remote Access client is installed on client computers must contain more than 14 characters. If the path contains less than 14 characters you might experience unexpected behavior. For example:
C:\Program Files\CheckPoint\Endpoint Security = more than 14
C:\temp = less than 14

00555015

00615533

00639205

We recommend that you use the default paths.


Known Limitations
Known limitations from Endpoint Security VPN R75 (http://supportcontent.checkpoint.com/documentation_download?ID=11607) apply to this release, unless they are listed as resolved in this document.

These new limitations apply to this release:

ID Description
00564959 Pre-shared secret authentication method is not supported. This will be resolved in upcoming Security Gateway versions.
Split DNS does not work when the Client is disconnected.
The User text field in the Connect window of the client may become disabled on rare occasions. Workaround: The user should restart the client.
00574415 Windows Security Center currently does not recognize the Endpoint Security VPN firewall. Therefore if the only enabled firewall is the Endpoint Security VPN firewall, Windows Security Center will say that no firewall is present. SCV does detect the Endpoint Security VPN firewall. If the Windows Security Monitor SCV check has NetworkFirewallRequired set to true, and SCV detects the Check Point firewall in a client, the client is considered compliant.
00639520 If a gateway with Endpoint Security VPN has the firewall disabled (the attribute enable_firewall is set to false in the ttm configuration file):
- In R75 Endpoint Security VPN GA clients, SCV is also disabled. Clients that try to connect to a gateway that requires SCV will be considered non-compliant.
- In E75.10 clients, only the firewall is disabled and the client can still be SCV compliant.

00628689 00576066

00639204

If administrators have SecuRemote installed on their computers and they generate a new MSI package with Endpoint Security VPN or Check Point Mobile for Windows as the selected product, the installations created from that package have this limitation: The Route All Traffic feature is disabled. To create new installations without this limitation, do one of these:
- Uninstall SecuRemote from the administrator's computer and then create the MSI package.
- Create the package from a different computer.

00648414

RSA SecureID software token 4.1 is not supported for authentication to the Remote Access Clients.
After a Remote Access Client is automatically updated from the gateway, the client icon might not show in the system tray notification area. To fix this, do one of these:
- Reboot again.
- End the TrGui process and launch the client from the Start menu > Programs.

00627155

00646619 00634742

Secure Authentication API (SAA) is not supported from CLI mode. When Office Mode IP addresses are allocated from a predefined IP pool on the Security Gateway, the lease duration period is ignored for the Remote Access Clients. The behavior is that the lease duration period is the time set for the authentication timeout. To change the lease duration period, change the authentication timeout.


00650867

Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80. If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.
On Windows 7 computers, the DNS configuration might not function properly for several 3G modems that use a legacy driver (not implemented as Microsoft WWAN device). This can result in DNS queries being directed to the DNS server configured by a 3G modem, instead of to the DNS server configured for the Remote Access. Workarounds:
- If it exists, get a new driver for Windows 7 from the 3G modem provider.
- Publish important DNS records on an external DNS server.

00647799

00648996

SecuRemote E75.10 does not require a special license. However, on R65.70 gateways with the Endpoint Security VPN Hotfix, SecuRemote does not connect unless the gateway has a license for Remote Access. To solve this you must install a new E75.10 Hotfix for NGX R65 HFA 70. See sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).

00654146

Problems can occur when you deploy software through a GPO. If you have issues after installing Remote Access Clients with a GPO, a fix is available from Check Point support.
Computers with Remote Access Clients installed might not be able to ping a loopback interface. A fix is available from Check Point support if required.

00648485
