
Keyword: VPN

CHECK POINT MOBILE USER GUIDE

9/28/2012

Table of Contents
Introduction
Getting a VPN Account
Installing Check Point Mobile
Authentication
Compliance & System Requirements
System Tray
Connecting with Check Point Mobile
Stopping and Starting Check Point Mobile
Compliance Window
VPN Options
Advanced VPN Options
Deleting and Creating Sites
Collecting and Sending Log Files
Troubleshooting
Technical Support
Appendix
   Client Icon
   Software Downloads


Introduction
Virtual Private Networks (VPNs) allow FedEx employees and vendors to work away from the office. VPNs create secure tunnels over the Internet, ensuring confidentiality, integrity, and authenticity. This form of remote access makes services such as internal web sites, email, and departmental servers available from places such as a home office or hotel.


Getting a VPN Account


A VPN account must first be requested. Both FedEx employees and vendors must:
1. Log in to IdM using your FedEx ID and enterprise password.
2. Click the System Access tab at the top of the page.
3. Click the Application/Data Access link in the left-hand menu.
4. Select VPN using the keyword search and complete the request form. The request will automatically be sent to your manager for approval.

The next step is getting an IdentityGuard eGrid account. After your VPN request has been fully approved in IdM, you must:
1. Log in to the FedEx IdentityGuard self-service web site to complete a short enrollment process.
2. You'll receive an IdentityGuard eGrid sheet (JPEG image format) that will be used for VPN login.
3. Keep your eGrid secure and do not share it with others.

Installing Check Point Mobile


1. Sign in to https://idguard.fedex.com. This link works from both inside and outside the FedEx network. You will be required to authenticate using your FedEx ID, enterprise password and eGrid card.
2. Select 'I'd like to download the Remote Access Software'.
3. Download Check Point Mobile.
   a. Internet Explorer 8 or older
      i. Click the Check Point Mobile VPN Client link.
      ii. Click Save on the File Download window.
      iii. Select desktop to save the file to your desktop.
      iv. Click Save.
      v. After the download completes, close the browser.
   b. Internet Explorer 9
      i. Click the Check Point Mobile VPN Client link.
      ii. Click the drop down arrow next to Save, then select Save As.
      iii. Select desktop to save the file to your desktop.
      iv. Click Save.
      v. After the download completes, disregard the unsafe message and close the browser.
4. Perform the installation using the evpn-installer file on your desktop.
5. Double-click the installer to open it. It may be in your Downloads folder or on your Desktop.


6. Click Next

7. Accept the license agreement

8. Click Next

9. Click Next


10. Installation in progress [no interaction required]

11. Click Finished

12. Test the connection by following the normal procedures used to establish VPN connectivity.


Authentication
FedEx requires two-factor authentication to log in to VPN. Your employee number and enterprise password are the first factor, and the security grid card is the second. The security grid card is called an eGrid.

New/replacement eGrids can be acquired at the IdentityGuard web site, Keyword eGrid. The eGrid web site is externally accessible (i.e. from home or hotel) at https://idguard.fedex.com. If you've lost your eGrid you can access the site using your challenge questions. If you've forgotten your challenge questions you can contact your regional/OpCo help desk for a one-time PIN. The temporary PIN will allow you to download a new eGrid. Always be sure to cancel lost/compromised eGrids at the IdentityGuard site.

eGrid provides secure and cost-effective two-factor authentication. The eGrid contains a series of numbers and letters in clearly marked rows and columns. After entering the user name and enterprise password, the user will be prompted for the eGrid coordinates. The user then cross-references each letter and number combination, similar to using a Bingo card. For example, if Mobile VPN prompted the user for [C5] [D4] [H4], the user would match [C5] with J, [D4] with E, and [H4] with E.

Check the expiration date on your eGrid before logging in


Compliance & System Requirements


Check Point Mobile VPN requires a working personal firewall and anti-virus agent in order to use FedEx Remote Access. This requirement is enforced by Mobile VPN using a Compliance Policy. Almost any anti-virus and personal firewall software that gives a green light in Windows Security Center (XP/Vista) or Action Center (Windows 7) satisfies the Compliance Policy. Anti-virus software that has not received updates for 14 days will fail the compliance check.

McAfee anti-virus is available to FedEx employees at no cost for the personal computer they use for VPN. Both Check Point Mobile and McAfee can be downloaded at Keyword VPN and the Internet-accessible IdentityGuard eGrid web site.

The Compliance Policy is updated during every connection attempt. Enabling Automatic Updates (Windows Update) is not required but recommended. The user can check their compliance status at the Compliance Window. Systems that are not compliant cannot use VPN until they are.

Supported Operating Systems
- Windows XP Home and Professional 32-bit, with or without Service Packs 1, 2, or 3
- Windows Vista 32-bit and 64-bit, with or without Service Packs 1 or 2
- Windows 7 32-bit and 64-bit, Premium or Enterprise, with or without Service Pack 1

Windows Firewall will satisfy the Personal Firewall requirement.


System Tray
The VPN client can be accessed from an area on your PC known as the System Tray, or Systray. It is in the bottom right-hand corner, immediately left of the clock. You may already see some icons there such as WiFi, volume control, and Outlook. The icon you're looking for is a gold padlock. It may be hidden from view, in which case you can expand the System Tray by clicking on the double up arrows.

1. This is a screenshot of the System Tray.
   1.2 The VPN client icon is currently visible.
   1.3 Right-click on the icon to display the VPN client's menu.
2. This is a screenshot of the System Tray.
   2.1 The VPN client icon is currently hidden from view.
   2.2 Left-click on the up arrows to expand the System Tray.
3. The System Tray has been expanded.
   3.1 The VPN client icon, a gold padlock, is now visible.

4. You can right-click on the icon to show the menu for the VPN client. From here you can connect to VPN, create a new site, and more.


Connecting with Check Point Mobile


You will be able to connect after installing Check Point Mobile and acquiring your eGrid.

1. Right-click the icon in the Systray

2. Click Connect to...


3. Input your login credentials.
   Username = FedEx ID
   Password = Enterprise password (8 characters)

4. Click Connect


5. You are presented with the eGrid challenge-response.

6. Look up the coordinates on your eGrid card and input the results.


7. [No interaction required] Check Point Mobile will now connect.

8. You should receive a successful connection. You can click Close or wait for the window to close automatically. From here you can use Outlook and access internal FedEx web sites.


Quick Connect
Quick Connect re-connects to the user's last VPN gateway. Open the Systray (gold padlock), right-click on the icon, and click Connect.

Disconnecting from a Site


1. Open the Systray (gold padlock), right-click on the icon, and click Disconnect.
2. Click Yes to confirm disconnecting.
3. A tooltip appears above the system tray informing the user that the client is disconnected.

Changing Sites
You may experience better network performance by choosing a VPN gateway geographically closer to you.


Stopping and Starting Check Point Mobile


To stop Check Point Mobile: Open the Systray (gold padlock), right-click on the icon, and click Shutdown Client.

To start Check Point Mobile:
1. From the Start Menu click Programs
2. Select Check Point
3. Click Check Point Mobile

Compliance Window
Right-clicking the client icon in the system tray and selecting Show Client displays the main client window.

The left-hand navigation tree displays information regarding:


Status: Displays the details of the VPN connection, Firewall, and Compliance.
Tools: Gives the option of Connect or Disconnect depending on the status of VPN.


Advanced VPN Options (normally not needed)


1. Right-click the client icon in the system tray and select VPN Options.

2. The Options window opens. Select Advanced Options.

- Enable Logging: Collects information useful for troubleshooting
- Collect Logs: Exports logs to a CAB file. Reproduce the problem before sending your logs to support.
- Proxy Settings: Open and set to No Proxy
- Use Secure Authentication API File: do not check
- Enable Secure Domain Logon: Log into VPN upon logging into Windows


Deleting and Creating Sites


For troubleshooting purposes a site may need to be deleted and re-created. For example, if you have trouble connecting to wtce but not the other three employee VPN gateways, deleting and re-creating the wtce site would be a good first step towards solving the issue.

1. Go to VPN Options from the Systray.
2. Delete the previous site at the VPN Options screen.
3. At the VPN Options screen click New.
4. At the Welcome screen, click Next.
5. Input the site name you are creating. Then click Next.
6. For Authentication Method, pick Username and Password. Then click Next.
7. Click Finish.
8. You will be prompted to test your new connection. It is highly recommended that you do so.

VPN Sites

Location   Employees                 Vendors
Memphis    wtce.fw.fedex.com         wtcy.fw.fedex.com
Memphis    ctce.fw.fedex.com         memy.fw.fedex.com
EMEA       nose.fw.fedex.com         nosy.fw.fedex.com
APAC       singapore.vpn.fedex.com   siny.fw.fedex.com


Collecting and Sending Log Files


To troubleshoot unforeseen issues with Check Point Mobile VPN, the user's support person may ask them to send log files. Logging must be enabled in Advanced Options before the user can collect logs. The user must then reproduce the problem with logging enabled. The logs can then be sent to support.

Click Collect Logs under Advanced Options. After a few seconds a Computer Folder window opens. Go up one directory to Check Point Endpoint Security.

Go up one directory. Then right-click on the highlighted file and choose Send to >> Documents. The file is now in the Documents folder, ready to be attached to an email. Its name has the format trlogs_dd-mm-yyyy_hh.mm.ss.

From file name   Meaning
dd               Day, as in 21
mm               Month, as in 05
yyyy             Year, as in 2012
hh               24 Hour format, as in 14
mm               Minute, as in 02
ss               Second, as in 31
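For support staff receiving these archives, the following added example (not part of the original guide) parses the trlogs name format and keeps only archives collected after the problem was reproduced. The function names, the `.cab` extension on the sample names, and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the guide). Function names are hypothetical.

function ConvertFrom-TrlogsName {
    param([Parameter(Mandatory = $true)][string]$Name)
    # trlogs_dd-mm-yyyy_hh.mm.ss, optionally followed by a file extension.
    if ($Name -match '^trlogs_(\d{2}-\d{2}-\d{4}_\d{2}\.\d{2}\.\d{2})(\.\w+)?$') {
        $culture = [Globalization.CultureInfo]::InvariantCulture
        $style   = [Globalization.DateTimeStyles]::None
        $parsed  = [datetime]::MinValue
        # TryParseExact also rejects impossible values such as day 32 or hour 25.
        if ([datetime]::TryParseExact($Matches[1], 'dd-MM-yyyy_HH.mm.ss', $culture, $style, [ref]$parsed)) {
            return $parsed
        }
    }
    return $null
}

function Select-TrlogsAfter {
    # Keep only archives collected after the problem was reproduced, newest first.
    param([string[]]$Names, [datetime]$ReproducedAt)
    $Names |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_; Collected = (ConvertFrom-TrlogsName $_) } } |
        Where-Object { $null -ne $_.Collected -and $_.Collected -gt $ReproducedAt } |
        Sort-Object Collected -Descending
}

# Constructed sample names; the first uses the field values from the table above.
$names = @(
    'trlogs_21-05-2012_14.02.31.cab',   # 21 May 2012, 14:02:31
    'trlogs_05-12-2012_09.15.00.cab',   # 5 December 2012, not May 12
    'trlogs_31-02-2012_10.00.00.cab',   # impossible date, rejected
    'notes.txt'                         # not a log archive
)
$reproduced = Get-Date -Year 2012 -Month 5 -Day 21 -Hour 13 -Minute 45 -Second 0
Select-TrlogsAfter -Names $names -ReproducedAt $reproduced | Format-Table Name, Collected -AutoSize
```

Because the day comes before the month in the name, sorting the raw file names alphabetically does not give chronological order; sort on the parsed time instead.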


Troubleshooting
Wrong username/password when trying to connect

- Check the expiration date on your eGrid. It's in the bottom right-hand corner. If it's expired you need to get a new one at the eGrid site using your challenge questions. If you've forgotten your challenge questions you can get a temporary PIN from your regional/OpCo help desk.
- Vendors: Make sure you are using the vendor package with the vendor sites and not attempting to connect to the employee sites.
- Verify your eGrid is not locked out by logging into the eGrid web site.
- Make sure your caps lock is off.
- Verify your enterprise password hasn't expired by logging into the eGrid web site.
- Verify the date and time on your computer are correct.

Missing Systray Icon


By default all icons in the Systray do show. To un-hide the Systray icon in Windows 7, go to Control Panel >> Notification Area Icons. Set the drop down menu beside Check Point Endpoint Connect GUI to Show icon and Notifications, or select Always show all icons and notifications on the taskbar.

For Windows XP, right-click on the task bar (the bar at the bottom of the screen). Select Properties, then uncheck Hide Inactive Icons.


Not Compliant

Check Point Mobile VPN will tell you how to become compliant. The above graphic informs the user that they need to update their Anti-Virus software.

Compliance Policy is corrupt

This occurs because the client has not connected and downloaded the Compliance Policy.

Cannot Connect
Connection errors are the second most commonly reported error with Check Point Mobile. This section will provide step-by-step troubleshooting instructions.

Try pinging at least two major web sites.
- Go to Start >> All Programs >> Command Prompt
- Use the ping command:
     ping google.com
     ping twitter.com
     ping facebook.com
     ping yahoo.com


If you get a "reply from (IP address here)", you have basic Internet connectivity. If there is packet loss during several ping attempts, it is an indicator that connectivity at your location is having issues, such as interference with WiFi, faulty home network equipment, or Internet Service Provider issues.

Try accessing at least two major web sites with a web browser:
- http://www.google.com
- http://www.twitter.com
- http://www.facebook.com
- http://www.yahoo.com

Are you attempting to connect over a connection with some kind of web filtering or VPN blocking?
- VPN will not work at a FedEx location unless you are using a mobile broadband connection such as a MiFi or AirCard.
- Some hotels block VPN connections. Contact the IT support staff for the hotel and verify VPN (IPSec protocol) is not blocked.
- Some hotspots such as those at public libraries, coffee shops, universities, or airports block VPN connections. Contact the IT support staff for that hotspot and verify VPN (IPSec protocol) is not blocked.
- Some mobile broadband/cellular/3G/4G providers such as Verizon, AT&T, Sprint, or T-Mobile may require proprietary drivers/applications to connect with a MiFi or AirCard (USB, ExpressCard, or PC Card). Contact your provider and verify they don't block VPN (IPSec protocol) and that the proprietary drivers/applications are configured properly for VPN (IPSec protocol).

Disable Proxy usage in Check Point VPN Client (see Check Point Mobile Technical Guide)
1. Open the Internet Options menu
2. From Internet Explorer: go to Tools >> Internet Options
3. From the Control Panel: go to Internet Options
4. Go to the Connections tab at the top of the menu
5. Go to LAN Settings near the bottom of the menu
6. Check Automatically Detect Settings
7. Uncheck everything else


Make sure the system is using an automatically assigned (DHCP) IP address and not a static IP address (frequently used at FedEx locations).

Windows 7
- Go to: Start >> Control Panel >> Network >> Sharing
- Click Change View (top right corner of Control Panel)
- Set to Small Icons.
- Click Network >> Sharing
- On the left side, click Change Adapter Settings
- Right-click on the network adapter being used for Internet Access and select Properties
   - For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."
   - For WiFi, it will usually be named "Wireless Network Connection"
   - For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"
- In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties
- Set both radio buttons to Obtain IP address/DNS server address automatically
- Click Ok, then click Close

Windows XP
- Go to: Start >> Control Panel >> Network Connections
   - For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."
   - For WiFi, it will usually be named "Wireless Network Connection"
   - For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"
- In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties
- Set both radio buttons to Obtain IP address/DNS server address automatically
- Click Ok, then click Close
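The checks in this section (ping at least two sites, look for packet loss, confirm DHCP, confirm no proxy) can be run in one pass with the script below. It is an added example, not part of the original guide: the function names are hypothetical, the ping targets are the four sites listed above, and it assumes Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the guide). Function names are hypothetical.
# Windows PowerShell: Test-Connection emits one object per echo reply, none on timeout.
function Test-InternetReachability {
    param(
        [string[]]$Sites = @('google.com', 'twitter.com', 'facebook.com', 'yahoo.com'),
        [int]$Count = 4
    )
    foreach ($site in $Sites) {
        $replies = @(Test-Connection -ComputerName $site -Count $Count -ErrorAction SilentlyContinue)
        New-Object PSObject -Property @{
            Site        = $site
            Replies     = $replies.Count
            LossPercent = [int](100 * ($Count - $replies.Count) / $Count)
        }
    }
}

function Get-StaticAdapter {
    # IP-enabled adapters that are NOT using DHCP (the guide requires DHCP).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { -not $_.DHCPEnabled } |
        Select-Object Description, IPAddress
}

function Get-ProxySetting {
    # Per-user Internet Options values behind the LAN Settings dialog.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnabled  = [bool]$s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        AutoConfigUrl = $s.AutoConfigURL
    }
}

$ping = @(Test-InternetReachability)
$ping | Format-Table Site, Replies, LossPercent -AutoSize
$up = @($ping | Where-Object { $_.Replies -gt 0 })
if ($up.Count -lt 2) { Write-Warning 'Fewer than two sites replied: fix basic Internet connectivity first.' }
$lossy = @($up | Where-Object { $_.LossPercent -gt 0 })
if ($lossy.Count -gt 0) { Write-Warning 'Packet loss seen: suspect WiFi interference, home network equipment, or the ISP.' }

$static = @(Get-StaticAdapter)
if ($static.Count -gt 0) {
    Write-Warning 'Adapter(s) with a static IP address; switch to DHCP:'
    $static | Format-Table -AutoSize
}

$proxy = Get-ProxySetting
if ($proxy.ProxyEnabled -or $proxy.AutoConfigUrl) {
    Write-Warning "Proxy configured (server: $($proxy.ProxyServer); script: $($proxy.AutoConfigUrl)). Clear it in LAN Settings."
}
```

A clean run with no warnings means the local checks pass; a network that blocks VPN (IPSec protocol) still has to be confirmed with the hotel, hotspot, or provider as described above.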


Technical Support

Check the expiration date on your eGrid before calling


Argentina: 4630-3456
Asian Pacific (APAC): http://iserv.apac.fedex.com/aboutus/contact.php
Canada: 1-888-783-33339
Chile: 361-6099
Colombia: 414-8854
Corporate Executives: 1-901-818-7326
Europe/Middle East/Africa (EMEA): 011-32-2-752-6666
FedEx Custom Critical: 1-234-310-4140 x 2302
FedEx Express Domestic / Pilots: 1-888-339-8324
FedEx Freight: 1-870-391-7708
FedEx Ground (including Sales): 1-800-435-7647
FedEx Office: 1-800-546-5674
FedEx Services: 1-888-339-8324
FedEx Services Sales: 1-877-852-4322
FedEx Supply Chain Services: 1-800-432-7657
FedEx Trade Networks: 1-716-879-1278
GSP Tech Support: 32-2-752-6666
Internal Audit: 1-888-339-8324
LAC Keyword: LAC Help
Latin America and the Caribbean (LAC): http://lac-miaweb01.prod.fedex.com:8888/NexusJump/
Mexico: 55-5228-8025
Miami/PRC: 1-786-388-2855
Uruguay: 623-1878
Venezuela: 1-212-205-3128
Verizon Help Desk: 1-877-852-4322


Appendix
Client Icon

Software Downloads
Check Point Mobile and McAfee anti-virus are available at the following sites:
- http://www.infosec.fedex.com/vpn (Keyword: VPN)
- https://idguard.fedex.com/ (Externally accessible from Internet, i.e. from home or hotel. Requires eGrid to log in.)
