Professional Documents
Culture Documents
14 February 2012
Classification: [Public]
© 2012 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11999
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History
Date Description
26 December 2011 Updated Remote Access Clients Comparison (on page 7).
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows
32-bit/64-bit E75.10 Release Notes).
Contents
Introduction
The release of Endpoint Security VPN R75 introduced the Next Generation of SecureClient, including 64-bit
support. This release, E75.10 Remote Access Clients, adds new features and two additional VPN Clients:
Check Point Mobile for Windows and SecuRemote.
All E75.10 Remote Access Clients give remote access users seamless and secure connectivity to corporate
resources. They establish an encrypted and authenticated IPSec tunnel with Check Point Security
Gateways.
We recommend that you read this document before installing E75.10 Remote Access clients.
Note - The E75 Remote Access Clients series was previously called R75.
If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a
new Hotfix to use the new features of the E75.10 Remote Access Clients.
Related Documentation:
Remote Access Clients E75.10 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11992)
Endpoint Security VPN E75.10 User Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11993)
Check Point Mobile for Windows E75.10 User Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11994)
SecuRemote E75.10 User Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11995)
Remote Access Clients E75.10 Release Notes
(http://supportcontent.checkpoint.com/documentation_download?ID=11999)
For SecureClient features supported in Remote Access Clients, see sk56580
(http://supportcontent.checkpoint.com/solutions?id=sk56580).
Version E75.10
Editing trac_client_1.ttm
You can edit the trac_client_1.ttm configuration file for many reasons. To learn how, see the Remote
Access Clients E75.10 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11992).
When you open the TTM file, you must make sure to use an editor that does not convert files to DOS format
- it must remain in UNIX format.
If you do convert the file to DOS, you must convert it back to UNIX. You can use the dos2unix command, or
open it in an editor that can save it back in a UNIX format.
System Requirements
Read all requirements carefully.
Check Point Security Version Supported for Version Supported for Version Supported for
Gateway Endpoint Security VPN Check Point Mobile for SecuRemote
Windows
Security Gateway NGX HFA 70 + Endpoint Not Supported HFA 70 + Endpoint
R65 Security VPN Security VPN
R75/Remote Access R75/Remote Access
Clients E75.10 Hotfix Clients E75.10 Hotfix
Important Notes:
Get all Hotfixes from sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).
See the Release Notes of the specific Check Point version for the supported platforms.
More Notes -
Remote Access Clients support VPN gateway redundancy with Multiple Entry Point (MEP). You
can install the Remote Access Clients package on multiple gateways and must install it on the
server to enable Implicit MEP.
The server and gateway can be installed on open servers or appliances. On UTM-1 appliances,
you cannot use the WebUI to install Remote Access Clients.
Remote Access Clients cannot be installed on the same device as Check Point Endpoint
Security R73 or R80. If Zone Alarm is installed on a device, you can install Check Point Mobile
for Windows and SecuRemote but not Endpoint Security VPN.
Client Requirements
Remote Access Clients E75.10 can be installed on these platforms:
Microsoft Windows XP 32 bit SP2, SP3
Microsoft Windows Vista 32 bit and 64 bit, SP1
Microsoft Windows 7, all editions 32 bit and 64 bit, with and without SP1
Build Numbers
The build number of the Remote Access Clients for E75.10 is 835016656.
To check this: Right-click the Client icon and select Help > About.
The build number of the Remote Access Clients on the gateway before you install an E75.10 package is
835002205.
Note - To change the build number:
Put a trac.cab file with the E75.10 client on the gateway.
Change the build number in the trac_ver.txt file to 835016656, as described
in Upgrading Clients to This Release (on page 14).
Installation
If this is a new installation of Remote Access Clients on NGX R65.70 or R70.40, you must install the
Remote Access Clients Hotfix on the gateways that will manage the remote access client traffic.
If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a
new Hotfix to use the new features of the E75.10 Remote Access Clients.
In This Section
Important - If you download the Automatic Upgrade for ATM file, you get a file called
TRAC_ATM.cab. You must rename it to TRAC.cab before you put it on the gateway.
Uninstalling a Hotfix
If you need to uninstall a Hotfix, use this procedure.
To uninstall a Hotfix from a gateway:
1. Go to the installation directory: cd /opt/CPsuite-version/
For example, the installation directory on an R70.40 gateway is: /opt/CPsuite-R70/
2. Run: ./uninstall_<name_of_original_Hotfix_file>
The name of the Hotfix is different for gateway version and for Hotfix functionality.
Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 14
Resolved Issues
Resolved Issues
These issues from Endpoint Security VPN R75 are resolved by this build of Remote Access Clients:
ID Description
00589338 Some log files (such as trac_fwpkt.log and helpdesk.log) do not have an upper size
limit and grow as the application runs.
Workaround: Delete large log files manually as needed.
00549038 To use a pre-packaged MSI, you must create the trac.config file from a newly created
site before the first connection is attempted.
00555015 Vista / Windows 7 may not be able to connect after awake from sleep.
Workaround: Disconnect and re-connect.
00596757 The instructions to configure <any_port> in hotspot ports that is described in sk41586
(http://supportcontent.checkpoint.com/solutions?id=sk41586) works for clients in this
version.
00615533 After installing Endpoint Security VPN, the firewall blocks inbound connections to the
computer.
00639205 The path for where the Remote Access client is installed on client computers must
contain more than 14 characters. If the path contains less than 14 characters you
might experience unexpected behavior. For example:
C:\Program Files\CheckPoint\Endpoint Security = more than 14
C:\temp = less than 14
We recommend that you use the default paths.
Known Limitations
Known limitations from Endpoint Security VPN R75
(http://supportcontent.checkpoint.com/documentation_download?ID=11607) apply to this release, unless
they are listed as resolved in this document
These new limitations apply to this release:
ID Description
00628689 Split DNS does not work when the Client is disconnected.
00576066 The User text field in the Connect window of the client may become disabled on
rare occasions.
Workaround: The user should restart the client.
00574415 Windows Security Center currently does not recognize the Endpoint Security VPN
firewall. Therefore if the only enabled firewall is the Endpoint Security VPN firewall,
Windows Security Center will say that no firewall is present.
SCV does detect the Endpoint Security VPN firewall. If the Windows Security
Monitor SCV check has NetworkFirewallRequired set to true, and SCV detects the
Check Point firewall in a client, the client is considered compliant.
00639520 If a gateway with Endpoint Security VPN has the firewall disabled (the attribute
enable_firewall is set to false in the ttm configuration file):
In R75 Endpoint Security VPN GA clients, SCV is also disabled. Clients that try to
connect to a gateway that requires SCV will be considered non-compliant.
In E75.10 clients, only the firewall is disabled and the client can still be SCV
compliant.
00639204 If administrators have SecuRemote installed on their computers and they generate
a new MSI package with Endpoint Security VPN or Check Point Mobile for Windows
as the selected product, the installations created from that package have this
limitation: The Route All Traffic feature is disabled.
To create new installations without this limitation, do one of these:
Uninstall SecuRemote from the administrator's computer and then create the
MSI package.
Create the package from a different computer.
00648414 RSA SecureID software token 4.1 is not supported for authentication to the Remote
Access Clients
00627155 After a Remote Access Client is automatically updated from the gateway, the client
icon might not show in the system tray notification area. To fix this, do one of these:
Reboot again.
End the TrGui process and launch the client from the Start menu >
Programs.
00646619 Secure Authentication API (SAA) is not supported from CLI mode.
00634742 When Office Mode IP addresses are allocated from a predefined IP pool on the
Security Gateway, the lease duration period is ignored for the Remote Access
Clients. The behavior is that the lease duration period is the time set for the
authentication timeout. To change the lease duration period, change the
authentication timeout.
ID Description
00650867 Remote Access Clients cannot be installed on the same device as Check Point
Endpoint Security R73 or R80. If Zone Alarm is installed on a device, you can install
Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.
00647799 On Windows 7 computers, the DNS configuration might not function properly for
several 3G modems that use a legacy driver (not implemented as Microsoft WWAN
device). This can result in DNS queries being directed to the DNS server configured
by a 3G modem, instead of to the DNS server configured for the Remote Access.
Workarounds:
- If it exists, get a new a new driver for Windows 7 from the 3G modem provider.
- Publish important DNS records on an external DNS server.
00648996 SecuRemote E75.10 does not require a special license. However, on R65.70
gateways with the Endpoint Security VPN Hotfix, SecuRemote does not connect
unless the gateway has a license for Remote Access.
To solve this you must install a new E75.10 Hotfix for NGX R65 HFA 70. See
sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).
00654146 Problems can occur when you deploy software through a GPO. If you have issues
after installing Remote Access Clients with a GPO, a fix is available from Check
Point support.
00648485 Computers with Remote Access Clients installed might not be able to ping a
loopback interface. A fix is available from Check Point support if required