Remote Access Clients

for Windows 32-bit/64-bit

E75.10
Release Notes

14 February 2012

Classification: [Public]
© 2012 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11999
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).

Revision History
Date Description

14 February 2012 Updated Management Server and Gateway Requirements (on

page 11) for UTM-1 Edge support.

26 December 2011 Updated Remote Access Clients Comparison (on page 7).

27 September 2011 Change to Management Server and Gateway Requirements (on

page 11). UTM-1 Edge is not supported.

5 July 2011 R71.40 and R75.10 were released. Changed System

Requirements ("Management Server and Gateway
Requirements" on page 11) to show this.

30 June 2011 Clarified license requirements ("Remote Access Clients

Comparison" on page 7).

14 March 2011 Initial version.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows
32-bit/64-bit E75.10 Release Notes).
 Contents

Important Information .............................................................................................3

Introduction .............................................................................................................5
What's New in this Release ................................................................................. 6
New Remote Access Clients ........................................................................... 6
Remote Access Clients Comparison ............................................................... 7
New SCV Features ......................................................................................... 9
Testing the Windows Security Monitor Check ................................................. 9
Secure Authentication API (SAA) .................................................................... 9
Office Mode IP Address Lease Auto Renewal ................................................ 9
Editing trac_client_1.ttm .....................................................................................10
Upgrading from SecureClient .............................................................................10
System Requirements ..........................................................................................11
Management Server and Gateway Requirements ..............................................11
Client Requirements ...........................................................................................12
Build Numbers ....................................................................................................12
Installation .............................................................................................................13
Installing the Hotfix .............................................................................................13
Upgrading Clients to This Release .....................................................................14
Uninstalling a Hotfix ............................................................................................14
Resolved Issues ....................................................................................................15
Known Limitations ................................................................................................16
 Introduction

Introduction
The release of Endpoint Security VPN R75 introduced the Next Generation of SecureClient, including 64-bit
support. This release, E75.10 Remote Access Clients, adds new features and two additional VPN Clients:
Check Point Mobile for Windows and SecuRemote.
All E75.10 Remote Access Clients give remote access users seamless and secure connectivity to corporate
resources. They establish an encrypted and authenticated IPSec tunnel with Check Point Security
Gateways.
We recommend that you read this document before installing E75.10 Remote Access clients.

Note - The E75 Remote Access Clients series was previously called R75.

If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a
new Hotfix to use the new features of the E75.10 Remote Access Clients.
Related Documentation:
 Remote Access Clients E75.10 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11992)
 Endpoint Security VPN E75.10 User Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11993)
 Check Point Mobile for Windows E75.10 User Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11994)
 SecuRemote E75.10 User Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11995)
 Remote Access Clients E75.10 Release Notes
(http://supportcontent.checkpoint.com/documentation_download?ID=11999)
For SecureClient features supported in Remote Access Clients, see sk56580
(http://supportcontent.checkpoint.com/solutions?id=sk56580).

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 5

 Introduction

What's New in this Release

Here is a summary of what is new in this release. More details are in the next sections.
 New and improved Remote Access Clients:
 Endpoint Security VPN
 Check Point Mobile for Windows
 SecuRemote
 New SCV Features:
 Verifies the compliance of virtually all anti-virus programs and other components that are monitored
by Windows Security Center.
 Verifies compliance by running a specified executable on the client machine.
 Support for Secure Authentication API (SAA)
 Office Mode IP address lease auto renewal.
 General improvements

New Remote Access Clients

 Endpoint Security VPN - Enterprise Grade Remote Access Client with Desktop firewall and compliance
checks.
 Check Point Mobile for Windows - New Enterprise Grade Remote Access Client with compliance
checks.
 SecuRemote - Basic Remote Access Client.

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 6

 Introduction

Remote Access Clients Comparison

Feature Endpoint Check Point SecuRemote Description
Security VPN Mobile for
Windows
Client Purpose Secure Secure Basic secure
connectivity with connectivity & connectivity
centrally managed compliance
desktop firewall & checks
compliance
checks

Replaces Client SecureClient NGX Endpoint SecuRemote

R60 Connect R73 NGX R60
Endpoint Connect
R73

IPSEC VPN All traffic travels through a

Tunnel secure VPN tunnel.

Security Monitor remote computers to

Compliance confirm that the configuration
Check (SCV) complies with organization's
security policy.

Integrated Integrated endpoint firewall

Desktop Firewall centrally managed from a
Security Management Server

Split Tunneling Encrypt only traffic targeted to

the VPN tunnel.

Hub Mode Pass all connections through

the gateway.

Dynamic When IPSEC connectivity is

Detection of not possible, automatically
Connection connect over TCP port 443
Method (HTTPS port).

Multi Entry Point Client seamlessly connects to

(MEP) an alternative site when the
primary site is not available.

Office Mode IP Each VPN client is assigned

an IP from the internal office
network.

Back Connection Support protocols where the

Protocols client sends its IP to the server
and the server initiates a
connection back to the client
using the IP it receives. These
protocols include: Active FTP,
X11, some VoIP protocols.

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 7

 Introduction

Feature Endpoint Check Point SecuRemote Description

Security VPN Mobile for
Windows
Auto Connect Intelligently detect if the user is
and Location outside the internal office
Awareness network, and automatically
connect as required. If the
client senses that it is inside
the internal network, the VPN
connection is terminated.

Roaming Tunnel and connections

remain active while roaming
between networks.

Always VPN connection is established

Connected whenever the client exits the
internal network.

Secure Domain VPN tunnel and domain

Logon (SDL) connectivity is established as
part of Windows login allowing
GPO and install scripts to
execute on remote machines.

Split DNS Resolves internal names with

the SecuRemote DNS Server
configuration.

Hotspot Makes it easier for users to

Detection and find and register with hotspots
Registration to connect to the VPN through
local portals (such as in hotels
or airports).

Secure Allows third party-extensions

Authentication to the standard authentication
API (SAA) schemes. This includes 3-
factor and biometrics
authentication.

Version E75.10

Required On the Gateway: IPSec VPN Blade On the Gateway:

Licenses IPSec VPN Blade and Mobile IPSec VPN Blade
Access Blade for an unlimited
On the
(based on number of
Management:
concurrent connections
Endpoint
connections)
Container &
Endpoint VPN
Blade for all
installed endpoints

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 8

 Introduction

New SCV Features

This release includes these new SCV (Secure Configuration Verification) compliance checks:
 Windows Security Monitor - Verifies that components monitored by Window Security Center are
installed and enforced (for example, check if there is Anti-virus installed and running). You can define
which components you want to check.
To configure Windows Security Monitor check, see the Secure Configuration Verification section of the
Remote Access Clients E75.10 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11992).
To try it, see Testing the Windows Security Monitor Check (on page 9).
 ScriptRun - Runs a specified executable on the client machine and checks the return code of the
executable. For example, a script can check if a certain file is present on the client machine. It can
perform additional configuration checks that you choose.
This release includes these new SCV Global Parameters:
 scv_checks_intervals - Lets you change the default interval after which the SCV checks run.
 allow_non_scv_clients - Lets you allow gateway connection from clients that do not have SCV, such
as SecuRemote.
 skip_firewall_enforcement_check - Lets you allow gateway connection from clients that do not have a
desktop firewall enforced, such as SecuRemote or Check Point Mobile for Windows.

Testing the Windows Security Monitor Check

If you have used SCV in the past and want to try out this new SCV check, you can test it with an example
file.
To test the Windows Security Monitor check:
1. Download the Windows Security Monitor Example local.scv file
(http://supportcontent.checkpoint.com/documentation_download?ID=11923).
2. On your Security Management Server, go to $FWDIR/conf directory.
3. Back up the local.scv file.
4. Replace the current local.scv file with the file that you downloaded.
5. Install policy on the gateways from the SmartDashboard
6. Test the Windows Security Monitor check.
7. When you finish testing it, replace the example local.scv file with your previous local.scv file.
8. Configure the Windows Security Monitor check according to the instructions in the Administration Guide.
For more about the new SCV checks and parameters see the Remote Access Clients E75.10 Administration
Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11992).

Secure Authentication API (SAA)

For more about SAA, see the Remote Access Clients E75.10 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11992).

Office Mode IP Address Lease Auto Renewal

For more about this ,see IP Address Lease Duration in the Remote Access Clients E75.10 Administration
Guide. (http://supportcontent.checkpoint.com/documentation_download?ID=11992)

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 9

 Introduction

Editing trac_client_1.ttm
You can edit the trac_client_1.ttm configuration file for many reasons. To learn how, see the Remote
Access Clients E75.10 Administration Guide
(http://supportcontent.checkpoint.com/documentation_download?ID=11992).
When you open the TTM file, you must make sure to use an editor that does not convert files to DOS format
- it must remain in UNIX format.
If you do convert the file to DOS, you must convert it back to UNIX. You can use the dos2unix command, or
open it in an editor that can save it back in a UNIX format.

Upgrading from SecureClient

Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN or
Check Point Mobile for Windows. Clients who had SecuRemote client can use the same steps to upgrade to
SecuRemote E75.10. The SmartDashboard for different versions of management servers is different. Use
the documentation for the SmartDashboard that you have.
 If you have NGX R65 SmartCenter Server, see Upgrading to Remote Access Clients on NGX R65
SmartCenter server (http://supportcontent.checkpoint.com/documentation_download?ID=11998).
 If you have the R70.40 Security Management Server, see Upgrading to Remote Access Clients on
R70.40 Security Management
(http://supportcontent.checkpoint.com/documentation_download?ID=11997).
 If you have the R71.30 Security Management Server, see Upgrading to Remote Access Clients on
R71.x or R75.x Security Management
(http://supportcontent.checkpoint.com/documentation_download?ID=11996).
For SecureClient features supported in Remote Access Clients, see sk56580
(http://supportcontent.checkpoint.com/solutions?id=sk56580).

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 10

 System Requirements

System Requirements
Read all requirements carefully.

Management Server and Gateway Requirements

Remote Access Clients requires a supported gateway version. These Check Point versions support these
E75.10 Remote Access Clients:

Check Point Security Version Supported for Version Supported for Version Supported for
Gateway Endpoint Security VPN Check Point Mobile for SecuRemote
Windows
Security Gateway NGX HFA 70 + Endpoint Not Supported HFA 70 + Endpoint
R65 Security VPN Security VPN
R75/Remote Access R75/Remote Access
Clients E75.10 Hotfix Clients E75.10 Hotfix

Security Gateway R70 R70.40 + Endpoint Not Supported R70.40 + Endpoint

Security VPN Security VPN
R75/Remote Access R75/Remote Access
Clients E75.10 Hotfix Clients E75.10 Hotfix
To be supported on To be supported on
R70.50* (no Hotfix) R70.50* (no Hotfix)

Security Gateway R71 R71.30 R71.40 R71.30

Security Gateway R75 R75 R75 + Hotfix from R75.10

sk60940
R75.10

VSX R67 To be supported on Not Supported To be supported on

R67.10* R67.10*

UTM-1 Edge firmware 8.2.33 firmware 8.2.33 Not Supported

Important Notes:
 Get all Hotfixes from sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).
 See the Release Notes of the specific Check Point version for the supported platforms.

More Notes -
 Remote Access Clients support VPN gateway redundancy with Multiple Entry Point (MEP). You
can install the Remote Access Clients package on multiple gateways and must install it on the
server to enable Implicit MEP.
 The server and gateway can be installed on open servers or appliances. On UTM-1 appliances,
you cannot use the WebUI to install Remote Access Clients.
 Remote Access Clients cannot be installed on the same device as Check Point Endpoint
Security R73 or R80. If Zone Alarm is installed on a device, you can install Check Point Mobile
for Windows and SecuRemote but not Endpoint Security VPN.

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 11

 System Requirements

Client Requirements
Remote Access Clients E75.10 can be installed on these platforms:
 Microsoft Windows XP 32 bit SP2, SP3
 Microsoft Windows Vista 32 bit and 64 bit, SP1
 Microsoft Windows 7, all editions 32 bit and 64 bit, with and without SP1

Build Numbers
 The build number of the Remote Access Clients for E75.10 is 835016656.
To check this: Right-click the Client icon and select Help > About.
 The build number of the Remote Access Clients on the gateway before you install an E75.10 package is
835002205.
Note - To change the build number:
 Put a trac.cab file with the E75.10 client on the gateway.
 Change the build number in the trac_ver.txt file to 835016656, as described
in Upgrading Clients to This Release (on page 14).

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 12

 Installation

Installation
If this is a new installation of Remote Access Clients on NGX R65.70 or R70.40, you must install the
Remote Access Clients Hotfix on the gateways that will manage the remote access client traffic.
If you already installed the Endpoint Security VPN R75 Hotfix on gateways, you are not required to install a
new Hotfix to use the new features of the E75.10 Remote Access Clients.

In This Section

Installing the Hotfix 13

Upgrading Clients to This Release 14
Uninstalling a Hotfix 14

Installing the Hotfix

If you have R71.30 and higher or R75 and higher installed on a gateway, Security Management Server, or
Multi-Domain Server, it can support Remote Access Clients. It is not necessary to install a Hotfix. See the
System Requirements section of the Release Notes for exact details.
For other supported gateway versions, install the Hotfix. Find the Hotfix for your gateway version and
operating system in sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).
The Remote Access Clients Hotfix enables NGX R65.70 and R70.40 gateways to support E75.10 Remote
Access Clients.
Before you install the Hotfix:
This Hotfix has possible conflicts with other installed Hotfixes. If you can, it is safest to uninstall all Hotfixes
installed on the Security Management Server or gateways. See Uninstalling a Hotfix (on page 14). If you
cannot uninstall a Hotfix, contact Check Point Technical Support.
To install the Hotfix on a Security Gateway or Security Management Server:
1. Download the Remote Access Clients Hotfix.
2. Copy the Hotfix package to the Security Gateway or Security Management Server.
3. Run the Hotfix:
On SecurePlatform, Disk-based IPSO, and Solaris:
a) tar -zxvf <name_of_file>.tgz
b) ./UnixInstallScript
On Windows platforms: double-click the installation file and follow the instructions.
4. Reboot the Security Gateway or Security Management Server.

To install the Hotfix on a Multi-Domain Server:

1. On the Multi-Domain Server, run: mdsenv.
2. Download the Remote Access Clients Hotfix from sk65209
(http://supportcontent.checkpoint.com/solutions?id=sk65209) to the Multi-Domain Server.
3. Run the Hotfix on SecurePlatform and Solaris:
a) tar -zxvf <name_of_file>.tgz
b) ./UnixInstallScript
4. Follow the on-screen instructions.
5. Reboot the Multi-Domain Server.

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 13

 Installation

Upgrading Clients to This Release

To automatically update clients to this release of Remote Access Clients or a future release, upgrade the
client package on the gateway. Then all clients receive the new package when they next connect.
If you have a gateway version that requires the Remote Access Clients Hotfix, make sure that the Hotfix is
installed before you put an upgraded package on the gateway.
If you have R71.x with SSL VPN enabled, put the TRAC.cab file in a different directory, as shown in the
instructions.
Users must have administrator privileges to install an upgrade with an MSI package. Administrative
privileges are not required for automatic upgrades from the gateway.
Unattended (ATM) Clients
You cannot upgrade regular Remote Access Clients and unattended (ATM) Endpoint Security VPN clients
from the same gateway.

Important - If you download the Automatic Upgrade for ATM file, you get a file called
TRAC_ATM.cab. You must rename it to TRAC.cab before you put it on the gateway.

To distribute the Remote Access Clients from the gateway:

1. On the gateway, in the $FWDIR/conf/extender/CSHELL directory, back up the TRAC.cab and
trac_ver.txt files.
For R71.x, back up the TRAC.cab file in:
$CVPNDIR/htdocs/SNX/CSHELL
2. Download the Remote Access Clients E75.10 Automatic Upgrade file
(http://supportcontent.checkpoint.com/solutions?id=sk65209).
3. Put the new TRAC.cab and ver.ini files in the same directory on the gateway:
$FWDIR/conf/extender/CSHELL
For R71.x, put the TRAC.cab file also in:
$CVPNDIR/htdocs/SNX/CSHELL
4. On a non-Windows gateway, run: chmod 750 TRAC.cab
5. Edit the trac_ver.txt file in the directory and change the version number to the number in the new
ver.ini.
6. Make sure the client upgrade mode is set:
a) Open the SmartDashboard.
b) Open Policy > Global Properties > Remote Access > Endpoint Connect.
c) Set the Client upgrade mode to Ask user (to let user confirm upgrade) or Always upgrade
(automatic upgrade).
d) Click OK.
7. Install the policy.
When the client connects to the gateway, the user is prompted for an automatic upgrade of the newer
version.
 If users had Endpoint Security VPN R75, it keeps the existing settings.
 If users had Endpoint Connect R73, it automatically upgrades to Endpoint Security VPN.

Uninstalling a Hotfix
If you need to uninstall a Hotfix, use this procedure.
To uninstall a Hotfix from a gateway:
1. Go to the installation directory: cd /opt/CPsuite-version/
For example, the installation directory on an R70.40 gateway is: /opt/CPsuite-R70/
2. Run: ./uninstall_<name_of_original_Hotfix_file>
The name of the Hotfix is different for gateway version and for Hotfix functionality.
Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 14
 Resolved Issues

3. Enter y at the prompt.

4. Reboot the Security Gateway.

Resolved Issues
These issues from Endpoint Security VPN R75 are resolved by this build of Remote Access Clients:
ID Description

00572712 Manual proxy settings in the client are not applied.

Workaround: Users set up the proxy in Internet Explorer and select the option in the
Proxy window that uses Internet Explorer settings.

00589338 Some log files (such as trac_fwpkt.log and helpdesk.log) do not have an upper size
limit and grow as the application runs.
Workaround: Delete large log files manually as needed.

00549038 To use a pre-packaged MSI, you must create the trac.config file from a newly created
site before the first connection is attempted.

00555015 Vista / Windows 7 may not be able to connect after awake from sleep.
Workaround: Disconnect and re-connect.

00544682 SDL messages may be displayed for too short a time.

00571075 Connection sessions may close after 15 minutes.

Workaround: Extend the IP lease duration (Gateway Properties > Remote Access >
Office Mode > Optional Parameters > IP lease Duration).

00596757 The instructions to configure <any_port> in hotspot ports that is described in sk41586
(http://supportcontent.checkpoint.com/solutions?id=sk41586) works for clients in this
version.

00615533 After installing Endpoint Security VPN, the firewall blocks inbound connections to the
computer.

00639205 The path for where the Remote Access client is installed on client computers must
contain more than 14 characters. If the path contains less than 14 characters you
might experience unexpected behavior. For example:
 C:\Program Files\CheckPoint\Endpoint Security = more than 14
 C:\temp = less than 14
We recommend that you use the default paths.

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 15

 Known Limitations

Known Limitations
Known limitations from Endpoint Security VPN R75
(http://supportcontent.checkpoint.com/documentation_download?ID=11607) apply to this release, unless
they are listed as resolved in this document
These new limitations apply to this release:

ID Description

00564959 Pre-shared secret authentication method is not supported.

This will be resolved in upcoming Security Gateway versions.

00628689 Split DNS does not work when the Client is disconnected.

00576066 The User text field in the Connect window of the client may become disabled on
rare occasions.
Workaround: The user should restart the client.

00574415 Windows Security Center currently does not recognize the Endpoint Security VPN
firewall. Therefore if the only enabled firewall is the Endpoint Security VPN firewall,
Windows Security Center will say that no firewall is present.
SCV does detect the Endpoint Security VPN firewall. If the Windows Security
Monitor SCV check has NetworkFirewallRequired set to true, and SCV detects the
Check Point firewall in a client, the client is considered compliant.

00639520 If a gateway with Endpoint Security VPN has the firewall disabled (the attribute
enable_firewall is set to false in the ttm configuration file):
 In R75 Endpoint Security VPN GA clients, SCV is also disabled. Clients that try to
connect to a gateway that requires SCV will be considered non-compliant.
 In E75.10 clients, only the firewall is disabled and the client can still be SCV
compliant.
00639204 If administrators have SecuRemote installed on their computers and they generate
a new MSI package with Endpoint Security VPN or Check Point Mobile for Windows
as the selected product, the installations created from that package have this
limitation: The Route All Traffic feature is disabled.
To create new installations without this limitation, do one of these:
 Uninstall SecuRemote from the administrator's computer and then create the
MSI package.
 Create the package from a different computer.
00648414 RSA SecureID software token 4.1 is not supported for authentication to the Remote
Access Clients

00627155 After a Remote Access Client is automatically updated from the gateway, the client
icon might not show in the system tray notification area. To fix this, do one of these:
 Reboot again.
 End the TrGui process and launch the client from the Start menu >
Programs.
00646619 Secure Authentication API (SAA) is not supported from CLI mode.

00634742 When Office Mode IP addresses are allocated from a predefined IP pool on the
Security Gateway, the lease duration period is ignored for the Remote Access
Clients. The behavior is that the lease duration period is the time set for the
authentication timeout. To change the lease duration period, change the
authentication timeout.

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 16

 Known Limitations

ID Description

00650867 Remote Access Clients cannot be installed on the same device as Check Point
Endpoint Security R73 or R80. If Zone Alarm is installed on a device, you can install
Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.

00647799 On Windows 7 computers, the DNS configuration might not function properly for
several 3G modems that use a legacy driver (not implemented as Microsoft WWAN
device). This can result in DNS queries being directed to the DNS server configured
by a 3G modem, instead of to the DNS server configured for the Remote Access.
Workarounds:
- If it exists, get a new a new driver for Windows 7 from the 3G modem provider.
- Publish important DNS records on an external DNS server.

00648996 SecuRemote E75.10 does not require a special license. However, on R65.70
gateways with the Endpoint Security VPN Hotfix, SecuRemote does not connect
unless the gateway has a license for Remote Access.
To solve this you must install a new E75.10 Hotfix for NGX R65 HFA 70. See
sk61286 (http://supportcontent.checkpoint.com/solutions?id=sk61286).

00654146 Problems can occur when you deploy software through a GPO. If you have issues
after installing Remote Access Clients with a GPO, a fix is available from Check
Point support.

00648485 Computers with Remote Access Clients installed might not be able to ping a
loopback interface. A fix is available from Check Point support if required

Remote Access Clients for Windows 32-bit/64-bit Release Notes E75.10 | 17