E75.10
Release Notes
27 September 2011
2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11999
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date - Description
27 September 2011 - Change to Management Server and Gateway Requirements (on page 11). UTM-1 Edge is not supported.
5 July 2011 - R71.40 and R75.10 were released. Changed System Requirements ("Management Server and Gateway Requirements" on page 11) to show this.
30 June 2011 - Clarified license requirements ("Remote Access Clients Comparison" on page 7).
14 March 2011 - Initial version.
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows 32-bit/64-bit E75.10 Release Notes).
Contents
Important Information 3
Introduction 5
  What's New in this Release 6
    New Remote Access Clients 6
    Remote Access Clients Comparison 7
    New SCV Features 9
    Testing the Windows Security Monitor Check 9
    Secure Authentication API (SAA) 9
    Office Mode IP Address Lease Auto Renewal 9
  Editing trac_client_1.ttm 10
  Upgrading from SecureClient 10
System Requirements 11
  Management Server and Gateway Requirements 11
  Client Requirements 12
  Build Numbers 12
Installation 13
  Installing the Hotfix 13
  Upgrading Clients to This Release 14
  Uninstalling a Hotfix 15
Resolved Issues 15
Known Limitations 16
Introduction
The release of Endpoint Security VPN R75 introduced the Next Generation of SecureClient, including 64-bit support. This release, E75.10 Remote Access Clients, adds new features and two additional VPN Clients: Check Point Mobile for Windows and SecuRemote.
All E75.10 Remote Access Clients give remote access users seamless and secure connectivity to corporate resources. They establish an encrypted and authenticated IPSec tunnel with Check Point Security Gateways.
We recommend that you read this document before installing E75.10 Remote Access clients.
Note - The E75 Remote Access Clients series was previously called R75. If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a new Hotfix to use the new features of the E75.10 Remote Access Clients.
Related Documentation:
- Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992)
- Endpoint Security VPN E75.10 User Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11993)
- Check Point Mobile for Windows E75.10 User Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11994)
- SecuRemote E75.10 User Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11995)
- Remote Access Clients E75.10 Release Notes (http://supportcontent.checkpoint.com/documentation_download?ID=11999)
For SecureClient features supported in Remote Access Clients, see sk56580 (http://supportcontent.checkpoint.com/solutions?id=sk56580).
What's New in this Release
- Support for Secure Authentication API (SAA)
- Office Mode IP address lease auto renewal
- General improvements
Remote Access Clients Comparison
The comparison covers these features:
- All traffic travels through a secure VPN tunnel.
- Monitor remote computers to confirm that the configuration complies with the organization's security policy.
- Integrated endpoint firewall, centrally managed from a Security Management Server.
- Split Tunneling - Encrypt only traffic targeted to the VPN tunnel.
- Hub Mode - Pass all connections through the gateway.
- When IPSec connectivity is not possible, automatically connect over TCP port 443 (HTTPS port).
- Client seamlessly connects to an alternative site when the primary site is not available.
- Office Mode IP - Each VPN client is assigned an IP from the internal office network.
- Intelligently detect if the user is outside the internal office network, and automatically connect as required. If the client senses that it is inside the internal network, the VPN connection is terminated.
- Roaming - Tunnel and connections remain active while roaming between networks.
- Always Connected - VPN connection is established whenever the client exits the internal network.
- VPN tunnel and domain connectivity is established as part of Windows login, allowing GPO and install scripts to execute on remote machines.
- Split DNS - Resolves internal names with the SecuRemote DNS Server configuration.
- Makes it easier for users to find and register with hotspots to connect to the VPN through local portals (such as in hotels or airports).
- Allows third-party extensions to the standard authentication schemes. This includes 3-factor and biometrics authentication.
License (E75.10):
- Endpoint Security VPN: On the Gateway: IPSec VPN Blade. On the Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints.
- Check Point Mobile for Windows: IPSec VPN Blade and Mobile Access Blade (based on concurrent connections).
- SecuRemote: On the Gateway: IPSec VPN Blade for an unlimited number of connections.
New SCV Features
This release includes these new SCV Global Parameters:
- scv_checks_intervals - Lets you change the default interval after which the SCV checks run.
- allow_non_scv_clients - Lets you allow gateway connection from clients that do not have SCV, such as SecuRemote.
- skip_firewall_enforcement_check - Lets you allow gateway connection from clients that do not have a desktop firewall enforced, such as SecuRemote or Check Point Mobile for Windows.
Editing trac_client_1.ttm
You can edit the trac_client_1.ttm configuration file for many reasons. To learn how, see the Remote Access Clients E75.10 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992).
When you open the TTM file, make sure to use an editor that does not convert files to DOS format: the file must remain in UNIX format. If you do convert the file to DOS, you must convert it back to UNIX. You can use the dos2unix command, or open it in an editor that can save it back in UNIX format.
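As an added example (not from the Check Point documentation), this POSIX shell script checks whether a TTM file was saved with DOS (CRLF) line endings and converts it back to UNIX (LF) format with a backup, for hosts where dos2unix is not installed. The sample file content it writes is constructed and is not real TTM syntax.

```shell
#!/bin/sh
# Added example, not part of the Check Point documentation.
# Checks a trac_client_1.ttm-style file for DOS (CRLF) line endings and
# converts it back to UNIX (LF) format, keeping a backup. Uses only POSIX
# tools (grep, tr, cp), so it also works where dos2unix is not available.

CR=$(printf '\r')

# Returns 0 if the file contains at least one carriage return (DOS format),
# 1 if it is already in UNIX format.
has_crlf() {
    grep -q "$CR" "$1"
}

# Converts the file to UNIX line endings in place. A copy is kept as
# <file>.bak so the original can be restored. Returns 1 if the copy,
# the conversion, or the verification fails.
to_unix() {
    file=$1
    cp -p "$file" "$file.bak" || return 1
    tr -d '\r' < "$file.bak" > "$file" || return 1
    # Verify that no carriage return survived the conversion.
    if has_crlf "$file"; then
        echo "conversion of $file failed" >&2
        return 1
    fi
    return 0
}

# Writes a constructed sample file with DOS line endings. The content is a
# placeholder only; it is not real TTM syntax.
make_dos_sample() {
    printf 'sample_key (sample_value)\r\nanother_key (true)\r\n' > "$1"
}

# Stand-alone usage: check the named file and convert it only if needed.
if [ -n "$1" ]; then
    if has_crlf "$1"; then
        echo "$1 is in DOS format, converting"
        to_unix "$1"
    else
        echo "$1 is already in UNIX format"
    fi
fi
```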
System Requirements
Read all requirements carefully.
Management Server and Gateway Requirements
UTM-1 Edge - Not supported
Important Notes:
- * shows that the version was not yet released.
- Get all Hotfixes from sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).
- See the Release Notes of the specific Check Point version for the supported platforms.
Additional Notes
- Remote Access Clients support VPN gateway redundancy with Multiple Entry Point (MEP). You can install the Remote Access Clients package on multiple gateways, and must install it on the server to enable Implicit MEP.
- The server and gateway can be installed on open servers or appliances.
- On UTM-1 appliances, you cannot use the WebUI to install Remote Access Clients.
- Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80.
- If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.
Client Requirements
Remote Access Clients E75.10 can be installed on these platforms:
- Microsoft Windows XP 32 bit, SP2 and SP3
- Microsoft Windows Vista 32 bit and 64 bit, SP1
- Microsoft Windows 7, all editions, 32 bit and 64 bit, with and without SP1
Build Numbers
The build number of the Remote Access Clients for E75.10 is 835016656. To check this: right-click the Client icon and select Help > About.
The build number of the Remote Access Clients on the gateway before you install an E75.10 package is 835002205.
Note - To change the build number:
1. Put a trac.cab file with the E75.10 client on the gateway.
2. Change the build number in the trac_ver.txt file to 835016656, as described in Upgrading Clients to This Release (on page 14).
Installation
If this is a new installation of Remote Access Clients on NGX R65.70 or R70.40, you must install the Remote Access Clients Hotfix on the gateways that will manage the remote access client traffic. If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a new Hotfix to use the new features of the E75.10 Remote Access Clients.
In This Section
Installing the Hotfix 13
Upgrading Clients to This Release 14
Uninstalling a Hotfix 15
Installing the Hotfix
3. Run the Hotfix on SecurePlatform and Solaris:
   a) tar -zxvf <name_of_file>.tgz
   b) ./UnixInstallScript
4. Follow the on-screen instructions.
5. Reboot the Multi-Domain Server.
Uninstalling a Hotfix
If you need to uninstall a Hotfix, use this procedure.
Resolved Issues
These issues from Endpoint Security VPN R75 are resolved by this build of Remote Access Clients:
ID - Description
00572712 - Manual proxy settings in the client are not applied. Workaround: Users set up the proxy in Internet Explorer and select the option in the Proxy window that uses Internet Explorer settings.
00589338 - Some log files (such as trac_fwpkt.log and helpdesk.log) do not have an upper size limit and grow as the application runs. Workaround: Delete large log files manually as needed.
00549038 - To use a pre-packaged MSI, you must create the trac.config file from a newly created site before the first connection is attempted.
00544682 - Vista / Windows 7 may not be able to connect after waking from sleep. Workaround: Disconnect and re-connect.
00571075 - SDL messages may be displayed for too short a time.
00596757 - Connection sessions may close after 15 minutes. Workaround: Extend the IP lease duration (Gateway Properties > Remote Access > Office Mode > Optional Parameters > IP lease Duration).
00555015 - The instructions to configure <any_port> in hotspot ports, described in sk41586 (http://supportcontent.checkpoint.com/solutions?id=sk41586), work for clients in this version.
00615533 - After installing Endpoint Security VPN, the firewall blocks inbound connections to the computer.
00639205 - The path where the Remote Access client is installed on client computers must contain more than 14 characters. If the path contains fewer than 14 characters you might experience unexpected behavior. For example:
C:\Program Files\CheckPoint\Endpoint Security = more than 14
C:\temp = less than 14
Known Limitations
Known limitations from Endpoint Security VPN R75 (http://supportcontent.checkpoint.com/documentation_download?ID=11607) apply to this release, unless they are listed as resolved in this document. These new limitations apply to this release:
ID - Description
00564959 - Pre-shared secret authentication method is not supported. This will be resolved in upcoming Security Gateway versions.
00628689 - Split DNS does not work when the Client is disconnected.
00576066 - The User text field in the Connect window of the client may become disabled on rare occasions. Workaround: The user should restart the client.
00574415 - Windows Security Center currently does not recognize the Endpoint Security VPN firewall. Therefore, if the only enabled firewall is the Endpoint Security VPN firewall, Windows Security Center will say that no firewall is present. SCV does detect the Endpoint Security VPN firewall. If the Windows Security Monitor SCV check has NetworkFirewallRequired set to true, and SCV detects the Check Point firewall in a client, the client is considered compliant.
00639520 - If a gateway with Endpoint Security VPN has the firewall disabled (the attribute enable_firewall is set to false in the ttm configuration file):
- In R75 Endpoint Security VPN GA clients, SCV is also disabled. Clients that try to connect to a gateway that requires SCV will be considered non-compliant.
- In E75.10 clients, only the firewall is disabled and the client can still be SCV compliant.
00639204 - If administrators have SecuRemote installed on their computers and they generate a new MSI package with Endpoint Security VPN or Check Point Mobile for Windows as the selected product, the installations created from that package have this limitation: the Route All Traffic feature is disabled. To create new installations without this limitation, do one of these:
- Uninstall SecuRemote from the administrator's computer and then create the MSI package.
- Create the package from a different computer.
00648414 - RSA SecurID software token 4.1 is not supported for authentication to the Remote Access Clients.
00627155 - After a Remote Access Client is automatically updated from the gateway, the client icon might not show in the system tray notification area. To fix this, do one of these:
- Reboot again.
- End the TrGui process and launch the client from the Start menu > Programs.
00646619 - Secure Authentication API (SAA) is not supported from CLI mode.
00634742 - When Office Mode IP addresses are allocated from a predefined IP pool on the Security Gateway, the lease duration period is ignored for the Remote Access Clients. The behavior is that the lease duration period is the time set for the authentication timeout. To change the lease duration period, change the authentication timeout.
00650867 - Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80. If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.
00647799 - On Windows 7 computers, the DNS configuration might not function properly for several 3G modems that use a legacy driver (not implemented as a Microsoft WWAN device). This can result in DNS queries being directed to the DNS server configured by the 3G modem, instead of to the DNS server configured for the Remote Access. Workarounds:
- If it exists, get a new driver for Windows 7 from the 3G modem provider.
- Publish important DNS records on an external DNS server.
00648996 - SecuRemote E75.10 does not require a special license. However, on R65.70 gateways with the Endpoint Security VPN Hotfix, SecuRemote does not connect unless the gateway has a license for Remote Access. To solve this you must install a new E75.10 Hotfix for NGX R65 HFA 70. See sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).
00654146 - Problems can occur when you deploy software through a GPO. If you have issues after installing Remote Access Clients with a GPO, a fix is available from Check Point support.
00648485 - Computers with Remote Access Clients installed might not be able to ping a loopback interface. A fix is available from Check Point support if required.