
Check Point Endpoint Connect

User Guide
Version NGX R66 HFA01

November 12, 2008


Contents

Preface
Who Should Use This Guide ..........................................................................................................................................3
Summary of Contents....................................................................................................................................................3
More Information..........................................................................................................................................................3
Documentation Feedback ..............................................................................................................................................3

Check Point Endpoint Connect


Introduction .................................................................................................................................................................4
Why Endpoint Connect? ................................................................................................................................................4
Capabilities..................................................................................................................................................................4

Terminology
IPSec ..........................................................................................................................................................................7
IKE .............................................................................................................................................................................7
Remote Access VPN......................................................................................................................................................7
Remote Access Community............................................................................................................................................7
Visitor Mode.................................................................................................................................................................7
Endpoint Security On Demand .......................................................................................................................................8

Prerequisites
Platforms .....................................................................................................................................................................9
Supported Gateways .....................................................................................................................................................9

Installing Endpoint Connect


Obtaining Endpoint Connect ........................................................................................................................................10
Installing Endpoint Connect.........................................................................................................................................10
Understanding the System Tray Options........................................................................................................................10
Configuring Proxy Settings...........................................................................................................................................11

Authentication
User Name and Password ............................................................................................................................................13
Certificates ................................................................................................................................................................14
SecurID .....................................................................................................................................................................17
Challenge Response....................................................................................................................................................19
Changing Authentication Schemes ...............................................................................................................................19

Site Creation and First-Time Connection


Creating a Site ...........................................................................................................................................................20

Connecting with Endpoint Connect


Connecting to a Site ...................................................................................................................................................25
Alternative Ways of Connecting ....................................................................................................................................26
Disconnecting from a Site ...........................................................................................................................................26
Password Caching.......................................................................................................................................................26

Working with Endpoint Connect


Stopping and Starting Endpoint Connect.......................................................................................................................27
Command Line Options ...............................................................................................................................................27
Understanding the Client Window ................................................................................................................................29

Changing Proxy Settings ..............................................................................................................................................29
Staying Connected all the Time....................................................................................................................................30
Understanding VPN Tunneling .....................................................................................................................................30
Upgrading Endpoint Connect .......................................................................................................................................31
Collecting and Sending Log Files .................................................................................................................................31
Hotspot Detection and Exclusion..................................................................................................................................33
Certificate Enrollment and Renewal..............................................................................................................................34
Dial Up Support .........................................................................................................................................................38
Smart Card Removal ...................................................................................................................................................39
Tunnel Idleness..........................................................................................................................................................39

Preface

Who Should Use This Guide


This guide is intended for users of the Check Point Endpoint Connect remote access client, version
NGX R66 HFA01.

Summary of Contents
This guide contains the following chapters:

Title: Description
“Check Point Endpoint Connect” on page 4: Covers the basic capabilities of the Endpoint Connect client
“Terminology” on page 7: Covers basic terminology
“Prerequisites” on page 9: Covers supported platforms and gateways
“Installing Endpoint Connect” on page 10: Covers basic installation
“Authentication” on page 13: Covers the various authentication schemes available on Endpoint Connect
“Site Creation and First-Time Connection” on page 20: Covers creating a site and connecting for the first time
“Connecting with Endpoint Connect” on page 25: Covers alternative methods of connecting
“Working with Endpoint Connect” on page 27: Covers Endpoint Connect features

More Information
For additional technical information about Check Point products, consult Check Point’s
SecureKnowledge at http://support.checkpoint.com.
• To view the latest version of this document in the Check Point User Center, go to
http://support.checkpoint.com.

Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by
sending your comments to:
cp_techpub_feedback@checkpoint.com

Check Point Endpoint Connect

In This Section:

Introduction page 4
Why Endpoint Connect? page 4
Capabilities page 4

Introduction
Endpoint Connect is Check Point’s new lightweight remote access client. Providing seamless,
secure (IPSec) VPN connectivity to corporate resources, the client works transparently with VPN-1
and Connectra gateways.

Why Endpoint Connect?


Traditional IPSec clients, with their requirement to repeatedly reconnect and authenticate to the
corporate gateway, can be slow and cumbersome. Even SSL VPNs, with their explicit login
requirements through a browser, are a less than optimal solution for highly mobile laptop users.
Providing a highly secured, low-footprint VPN technology with advanced security scanning
capabilities, Endpoint Connect uses intelligent Auto-Connect and roaming technologies to facilitate
seamless and transparent interaction with VPN-1 and Connectra gateways at the perimeter of the
corporate network.
Endpoint Connect is designed for corporate users who prefer to launch business applications from
their native desktop rather than from the Connectra SSL portal; its users do not have to authenticate
each time they connect. Through interface roaming technologies, client users are always connected to
the resources available behind the VPN-1 or Connectra gateway. As corporate users move around,
the Auto-Connect mode discovers whether they are outside of a secure environment and
implements the best way to connect, using either NAT-T or Visitor Mode. In practical terms, if
client users outside the internal network open their mail programs, a connection is transparently
established to the mail server behind the VPN-1 or Connectra gateway. If client users have mapped
drives to servers on the internal network, those mapped drives remain functional even as users
roam in and out of the network.

Note - While Endpoint Connect can reside on the same host as SecureClient or Endpoint
Security, users should avoid connecting with both VPN clients to the same network at the same
time.

Capabilities
Resident on the user's desktop or laptop, Endpoint Connect provides various capabilities for
connectivity, security, installation and administration.

Copyright © 2008 Check Point Software Technologies, Ltd. All rights reserved 4
Connectivity
• Network Layer Connectivity
An IPSec VPN connection to the VPN-1 gateway for secure encrypted communication. If the
network connection is lost, the client seamlessly reconnects without user intervention.
• Intelligent Auto detect and connect
Whenever the VPN-1 gateway or client’s location changes, Endpoint Connect autodetects the
best method to establish a connection, using either NAT-T or Visitor mode, intelligently
auto-switching between the two modes as necessary.
• Smart location awareness
Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain
(Enterprise LAN), and automatically connects or disconnects as required.
• Proxy detection
Proxy servers between the client and the VPN-1 gateway are automatically detected,
authenticated to, and replaced when no longer valid.
• Transparent Network and Interface Roaming
If the IP address of the client changes, for example if the client is using a wireless connection
and then physically connects to a LAN that is not part of the VPN domain, interface roaming
maintains the logical connection.
• Multiple Sites
Endpoint Connect connects to any one of a number of user defined gateways.
• Dead Gateway Detection
If the client fails to receive an encrypted packet within a specified time interval, it sends a
special “tunnel test” packet to the VPN-1 gateway. If the tunnel test packet is acknowledged,
the gateway is active. If a number of tunnel test packets remain unacknowledged, the
gateway is considered inactive or dead.
• Hotspot Support
• Dialup Support
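The Dead Gateway Detection behaviour in the list above, modelled as a small state machine so the timing is explicit: silence for a full interval triggers a tunnel test, a reply resets the count, and a run of unanswered tests marks the gateway dead. This is an added example, not Check Point's implementation; the 10-second idle interval and the threshold of three unanswered probes are assumed values, since the guide does not state the client's actual parameters, and the two timelines are constructed.

```python
"""Dead gateway detection as the Connectivity list describes it: when no
encrypted packet has arrived for a full interval, send a "tunnel test"
probe; an acknowledged probe proves the gateway is alive, while several
unanswered probes in a row mark it dead.

Added example, not Check Point's implementation. IDLE_INTERVAL_S and
DEAD_THRESHOLD are assumed values; the guide does not state the real ones.
"""

IDLE_INTERVAL_S = 10.0  # assumed: seconds of silence before a tunnel test is sent
DEAD_THRESHOLD = 3      # assumed: consecutive unanswered probes before "dead"


class TunnelMonitor:
    def __init__(self, now: float) -> None:
        self.last_rx = now          # time of the last encrypted packet from the gateway
        self.last_probe = None      # time of the most recent tunnel test sent
        self.unanswered = 0         # consecutive probes without a reply
        self.sent_probes = []       # record of probe send times (for inspection)
        self.state = "active"

    def on_packet_received(self, now: float) -> None:
        """Any encrypted packet from the gateway, a probe reply included, resets the count."""
        self.last_rx = now
        self.unanswered = 0
        self.state = "active"

    def tick(self, now: float) -> str:
        """Periodic timer: decide whether the tunnel has been silent long enough to probe."""
        if self.state == "dead":
            return self.state
        if self.last_probe is None:
            last_activity = self.last_rx
        else:
            last_activity = max(self.last_rx, self.last_probe)
        if now - last_activity >= IDLE_INTERVAL_S:
            self.sent_probes.append(now)
            self.last_probe = now
            self.unanswered += 1
            if self.unanswered >= DEAD_THRESHOLD:
                self.state = "dead"  # time to reconnect or fail over, not to keep waiting
        return self.state


def run_scenario(events):
    """events: (time, kind) pairs, kind being "rx" (packet or ack received) or "tick"."""
    monitor = TunnelMonitor(now=0.0)
    for when, kind in events:
        if kind == "rx":
            monitor.on_packet_received(when)
        else:
            monitor.tick(when)
    return monitor


def responsive_gateway():
    """Constructed timeline: user traffic stops at t=5; each probe is answered a second later."""
    return run_scenario([(5, "rx"), (15, "tick"), (16, "rx"), (26, "tick"), (27, "rx")])


def silent_gateway():
    """Constructed timeline: traffic stops at t=5 and nothing ever comes back."""
    return run_scenario([(5, "rx"), (15, "tick"), (25, "tick"), (35, "tick"), (45, "tick")])


if __name__ == "__main__":
    for name, mon in (("responsive", responsive_gateway()), ("silent", silent_gateway())):
        print(f"{name}: state={mon.state} probes_sent={len(mon.sent_probes)}")
```

The point a defender should take from the model is that a probe reply counts as received traffic, so a healthy but quiet gateway is probed once per interval and never accumulates unanswered probes, whereas a dead one is declared so after exactly DEAD_THRESHOLD intervals of silence.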

Security
• Endpoint Security on Demand
Provides a full, effective endpoint compliance check (for required software updates, anti-virus
signatures, presence of malware) when connecting, and repeat scans at specified time
intervals. Clients that fail the initial scan when connecting gain access to remediation sources.
• Full IPSec VPN
Internet Key Exchange (version 1) support for secure authentication.
• Support for strong authentication schemes such as:
a. Username and password (including cached passwords)
b. SecurID
c. Challenge-Response
d. CAPI software and hardware tokens
• Certificate enrollment, renewal, and auto-renewal
• Tunnel idleness detection

• Smartcard Removal Detection


• Hub Mode
Increases security by routing all traffic, such as traffic to and from the Internet, through the
VPN-1 gateway, where the traffic can be inspected for malicious content before being passed
to the client.
• Visitor Mode
When the client needs to connect through a gateway that limits connections to port 80 or 443,
encrypted (IPSec) traffic between the client and the gateway is tunneled inside a regular TCP
connection.

Installation and Use


• Small footprint
• Offline and Web deployment
Endpoint Connect is easily distributed through the NGX R66 Connectra portal.
• Automatic upgrades
Endpoint Connect upgrades are automatic, transparent to the user, and do not require
administrator privileges or a client reboot.
• Site and Create New Site connection wizards
For quickly configuring connections to corporate resources.
• CLI Scripting
For automation and internal testing, and use as an embedded “headless” client.
• OPSEC API
Available for embedded applications, Endpoint Connect is also designed to be part of
specialized customer integrations and deployments, for example, organizations that build their
own corporate presence applications that require VPN components. The client’s intelligent
auto-detect and disconnect features make it ideal for remote unmanned devices that need
multiple High Availability options, such as embedded Windows ATMs. For such scenarios,
Endpoint Connect offers a native Command Line Interface and OPSEC API for configuration
and monitoring, as well as the ability to be installed and run as a service.

Administration
• Unified Central Management
• Advanced User Management
• Unified updates
• Regulatory Compliance with Advanced Monitoring, Logging and Reporting
DLL version numbers are collected in a special file for troubleshooting purposes.

Terminology

In This Section:

IPSec page 7
IKE page 7
Remote Access VPN page 7
Remote Access Community page 7
Visitor Mode page 7
Endpoint Security On Demand page 8

IPSec
A security protocol for authentication and encryption over the Internet.

IKE
Internet Key Exchange, a method used in the IPSec protocol for:
• Authenticating users
• Negotiating an encryption method
• Exchanging a secret key used for data encryption

Remote Access VPN


Refers to remote users accessing the network with client software, for example Endpoint Connect.
The Connectra Gateway provides a Remote Access Service for remote clients.

Remote Access Community


Remote Access Community is a Check Point VPN-1 concept. It is a type of VPN community created
specifically for users that usually work from remote locations outside of the corporate LAN.

Visitor Mode
A Check Point remote access VPN solution that enables tunneling of all client-to-gateway
communication over a regular TCP connection on port 443. Visitor mode ensures secure
communication through firewalls and proxy servers configured to block IPSec packets.

Endpoint Security On Demand


In addition to providing an effective endpoint compliance check (for required software updates,
anti-virus signatures, and so on) when connecting, the Endpoint Security On Demand scanner also
screens endpoint computers for potentially harmful software before allowing access to the internal
network. Access is granted or denied to the end user based on the compliance options set by the
VPN-1 gateway administrator.
The Endpoint Security On Demand scanner screens endpoints for:

Table 1 Screened Software Types

Software Type: Description
Worms: Programs that replicate over a computer network for the purpose of disrupting network communications or damaging software or data.
Trojan horses: Malicious programs that masquerade as harmless applications.
Hacker tools: Tools that facilitate a hacker’s access to a computer and/or the extraction of data from that computer.
Keystroke loggers: Programs that record user input activity (that is, mouse or keyboard use) with or without the user’s consent. Some keystroke loggers transmit the recorded information to third parties.
Adware: Programs that display advertisements, or record information about Web use habits and forward it to marketers or advertisers without the user’s knowledge.
Browser plug-ins: Programs that change the user's browser settings or add additional functionality. Some browser plug-ins change the default search page to a pay-per-search site, change the user's home page, or transmit browser history to a third party.
Dialers: Programs that change the user’s dialup connection settings so that instead of connecting to a local Internet Service Provider, the user connects to a different network, usually a toll number or international phone number.
Third party cookies: Cookies that are used to deliver information about the user’s Internet activity to marketers.
Other undesirable software: Any unsolicited software that secretly performs undesirable actions on a user's computer.

Note - The Endpoint Security Compliance scan is only available when the client connects to
corporate resources through the NGX R66 Connectra remote access gateway.

Prerequisites

This section covers the current prerequisites.

Platforms
Endpoint Connect can only be installed on the following platforms:
• Windows 2000 SP4
• Windows XP SP2
• Windows x86 Vista (32 bit only)

Supported Gateways
• Connectra NGX R66
• VPN-1 NGX R65

Installing Endpoint Connect

In This Section:

Obtaining Endpoint Connect page 10


Installing Endpoint Connect page 10
Understanding the System Tray Options page 10
Configuring Proxy Settings page 11

Obtaining Endpoint Connect


Endpoint Connect is delivered as a single self-installing executable. The client can be obtained
either from the Check Point Download Center or by downloading it from a Connectra NGX R66
gateway.

From a Connectra Gateway


To obtain the client:
1. Contact your system administrator for the URL of the Connectra user portal.
2. Using a browser, connect to the NGX R66 Connectra user portal.
3. Click Settings.
The Native Application Settings window opens.
4. Click the Endpoint Connect link to manually download the client.

From the Download Center


Visit the Check Point Download Center at:
https://supportcenter.checkpoint.com

Installing Endpoint Connect


Double-click the setup.msi file and follow the installation wizard.

Understanding the System Tray Options


Once Endpoint Connect is installed, the client icon appears in the system tray:

Figure 1 System Tray icon

Right-clicking the icon opens the client system tray options menu:

Table 2 System Tray Menu Options

Option: Purpose
Quick Connect: Opens the main connection window with the last active site selected. If you authenticate using a certificate, the client connects immediately.
Connect to VPN: Opens the main connection window and lets you connect to a specific site from the drop-down list.
VPN Options: Opens a window for site and advanced settings.
View Compliance Report: Displays the report created after an Endpoint Security on Demand scan.
Help: Opens the online help file, or displays a window that shows the client version number (build number). Hovering the mouse over the system tray icon reveals the client’s status (idle, connected, or disconnected).
Show Client: Opens the client window.
Shutdown Client: Closes Endpoint Connect.

Configuring Proxy Settings


Before you create a site and connect for the first time, you need to configure the client’s proxy
server settings. A proxy server is a computer system or an application that forwards requests to
other servers. A client connects to the proxy server and requests a resource (such as a file, web
page or service) available from a different server. The proxy provides the resource by connecting to
the specified server and requesting the service on behalf of the client, in this case Endpoint
Connect.

Note - In most cases, the settings of the remote location’s proxy server are detected automatically.

To configure proxy settings:
1. Right-click the client icon in the system tray.
2. Select Options.
The Options window opens.
3. On the Advanced tab, click Proxy Settings.
The Proxy Settings window opens.
4. In consultation with your system administrator, select one of the following:
• No proxy
Select this setting if you are certain there are no proxy servers on the network.
• Detect proxy from Internet Explorer settings
If this option is selected, proxy settings are taken from Internet Explorer, on condition that
the settings in Internet Explorer are manually defined. In Internet Explorer, under Tools >
Internet options... > Connections tab > LAN Settings, verify that the “Use a proxy server for your
LAN...” option is selected, and that the correct IP address and port number are entered.


If Automatically detect settings or Use automatic configuration script is selected, the
client will not be able to detect the proxy settings from Internet Explorer.
• Manually define proxy
In situations where the proxy’s settings cannot be automatically detected from Internet
Explorer, enter the IP address and port number of the proxy as supplied by your system
administrator.
• Proxy Authentication
Obtain a valid user name and password from your system administrator. This user name
and password let you authenticate to the proxy server.
Now that the proxy settings are configured, you need to:
1. Authenticate.
See “Authentication” on page 13.
2. Create a site.
See “Site Creation and First-Time Connection” on page 20.
3. Connect for the first time.
See “Connecting with Endpoint Connect” on page 25.

Authentication

In This Section:

User Name and Password page 13


Certificates page 14
SecurID page 17
Challenge Response page 19
Changing Authentication Schemes page 19

This section covers the various ways to authenticate to the VPN-1 gateway.

User Name and Password


User name and password is the simplest form of authentication. Together with your system
administrator, decide on an appropriate user name and password. Strong passwords:
• Are lengthy
A 15-character password composed of random letters and numbers is much more secure than
an 8-character password composed of characters taken from the entire keyboard. Each
character that you add to the password increases the protection that the password provides.
• Combine letters, numbers, and symbols
A mixture of upper and lower case letters, numbers, and symbols (including punctuation marks
not on the upper row of the keyboard).
• Avoid sequences or repeated characters
For example 12345, or aaaaa.
• Avoid look-alike substitutions of numbers or characters
For example replacing the letter “i” with the number “1”, or zero with the letter “o”.
• Avoid your login name
• Avoid dictionary words in any language
These authentication credentials are stored either in the SmartCenter server database or on an
LDAP or RADIUS server.
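The password rules listed above, turned into a checker so that each rule becomes an explicit test that a help desk or self-service tool could run before a password is accepted. This is an added example, not a Check Point tool; the 15-character minimum (taken from the guide's own illustration), the "three of four character classes" rule, the run length of five, the look-alike substitution table and the tiny DICTIONARY set are assumptions made for the example, and a real checker would load a full word list.

```python
"""Checks a candidate password against the rules in "User Name and Password":
length, character mix, repeated or sequential runs, look-alike substitutions,
the login name, and dictionary words.

Added example, not part of the guide or the client. MIN_LENGTH, MIN_CLASSES,
RUN_LENGTH, LOOKALIKES and DICTIONARY are assumptions for the example.
"""
import re
from typing import List, Optional

MIN_LENGTH = 15   # assumed threshold, from the guide's 15-character illustration
MIN_CLASSES = 3   # assumed: at least three of lower, upper, digit, symbol
RUN_LENGTH = 5    # assumed: length of "aaaaa" / "12345" that is flagged

# Constructed stand-in for a real dictionary.
DICTIONARY = {"password", "welcome", "summer", "checkpoint", "secret", "letmein"}

# Look-alike substitutions the guide warns about, undone before the dictionary check.
LOOKALIKES = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e",
                            "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def has_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """n or more identical consecutive characters, e.g. aaaaa."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw: str, n: int = RUN_LENGTH) -> bool:
    """n consecutive characters stepping by +1 or -1, e.g. 12345, abcde, 54321."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def dictionary_word_in(pw: str) -> Optional[str]:
    """First dictionary word found in pw or in pw with look-alike substitutions undone."""
    forms = {pw.lower(), pw.lower().translate(LOOKALIKES)}
    for word in sorted(DICTIONARY):
        if any(word in form for form in forms):
            return word
    return None


def check_password(pw: str, login: str) -> List[str]:
    """Returns the rules the password breaks; an empty list means it passes all of them."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < MIN_CLASSES:
        problems.append("mixes fewer than three character classes")
    if has_run(pw):
        problems.append("contains a run of repeated characters")
    if has_sequence(pw):
        problems.append("contains a sequence such as 12345 or abcde")
    if login and login.lower() in pw.lower():
        problems.append("contains the login name")
    word = dictionary_word_in(pw)
    if word is not None:
        problems.append(f"contains the dictionary word '{word}' (look-alike substitutions undone)")
    return problems


if __name__ == "__main__":
    # Constructed candidates for the login "alice".
    for candidate in ("P@ssw0rd", "alice12345ABC!!", "Tq7#mV2$rLx9!pW"):
        print(candidate, "->", check_password(candidate, "alice") or "ok")
```

The de-substitution step is what catches "P@ssw0rd": after the look-alike map is applied it reads "password", so the dictionary rule fires even though the raw string contains no dictionary word.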

Certificates
Your system administrator might ask you to use a Check Point certificate for authentication.

Understanding Certificates
A certificate is the digital equivalent of an ID card. It is issued by a trusted third party known
as a Certification Authority (CA). While there are well known external CAs such as VeriSign and
Thawte, Endpoint Connect uses the digital certificates issued by the VPN-1 gateway, which has its
own Internal Certificate Authority (ICA). The digital certificate used by Endpoint Connect contains:
• Your name
• A serial number
• Expiration dates
• A copy of the certificate holder's public key (used for encrypting messages and digital
signatures)
• The digital signature of the certificate-issuing authority, in this instance the ICA, so that the
VPN-1 gateway can verify that the certificate is real and (if real) still valid.
Certificates can either be imported to the CAPI store or saved to a folder of your choice.

Obtaining a Certificate
Certificates are either supplied by your system administrator, or obtained through the enrollment
and renewal process. See “Certificate Enrollment and Renewal” on page 34.

Storing a Certificate in the CAPI Store


By means of a Windows software library that implements the Microsoft Cryptographic Application
Programming Interface (CAPI), Check Point certificates for Endpoint Connect are stored as either
hardware or software tokens. A token is a complex string of numbers used for authentication and
encryption. CAPI enables Windows-based applications such as Endpoint Connect to perform
secure, cryptographic operations.
Controlled by the Windows operating system, the CAPI store is a repository of digital certificates
associated with a given Cryptographic Service Provider (CSP). CAPI oversees the certificates, while
each CSP controls the cryptographic keys belonging to the certificates. For Endpoint Connect, the
CSP is the Internal Certificate Authority (ICA) of the VPN-1 gateway.
If you are using certificates for authentication, your system administrator will supply (out of band)
a file with a P12 extension. This is a PKCS#12 file, a format commonly used to store private
encryption keys. The PKCS#12 file is password protected. The password will have been set by your
system administrator. Once you have this password from your system administrator, you can enter
your certificate into the CAPI store.
To enter the PKCS#12 file into the CAPI store:
1. Double-click the file with the p12 extension.

The certificate import wizard opens:

2. Click Next.
The correct path to the file you wish to import is automatically shown:

3. Click Next, and enter the password for the private key.
This is the password you obtained from your system administrator. If you:
• Enable strong private key protection, you will be prompted to enter the password each time
the private key is used by the client.
• Mark this key as exportable, the key can be backed up or transported at a later time.

4. Click Next, and either allow the file to be automatically stored or browse to a specific storage
folder.

5. Click Finish to complete the certificate import wizard.

Saving the Certificate to a Folder of your Choice


If you do not wish to save your certificate to the CAPI store (for example, you use several desktop
workstations and laptops and for security reasons do not wish to leave your certificate on different
machines), save the PKCS#12 certificate to a floppy or USB disk and:
1. Configure the client to use certificates for authentication. (See “Changing Authentication
Schemes” on page 19 for more information.)
2. From the drop-down Certificate box, select From File.
3. In the From File area, browse to the certificates stored on a floppy or USB disk.
4. Enter the certificate’s password.

5. Click Connect.

Note - If you have the Always-Connect option configured, then each time the client loses
communication with the site, you will be prompted to enter the certificate’s password.

Another advantage of not having the PKCS#12 certificate in the CAPI store is that, if someone
steals your laptop, they will not be able to use the client to connect to the site without knowing the
password—even if they have the PKCS#12 file. For this reason, your system administrator may switch
from using the certificate stored in the CAPI store to requiring you to authenticate using the PKCS#12
certificate directly. If this happens, a message displays when you try to connect to the active site.
Browse to the folder where the certificate is stored.

SecurID
The RSA SecurID authentication mechanism consists of either hardware (key fob, USB token) or
software (softID) that generates an authentication code at fixed intervals (usually one minute) using
a built-in clock and an encoded random key.
The most typical form of SecurID token is the hand-held device, usually a key fob or slim card.
The token can have a PIN pad, on which a user enters a Personal Identification Number (PIN) to
generate a passcode. When the token has no PIN pad, a tokencode is displayed. A tokencode is the
changing number displayed on the key fob.
The Endpoint Connect site wizard supports both methods as well as softID (see “SoftID” on
page 18).

Endpoint Connect uses both the PIN and tokencode or just the passcode to authenticate to the
VPN-1 gateway.

SecurID Authentication Devices


Several versions of SecurID devices are available. The older format is a small device that displays
a numeric code (tokencode) and time bars. The token code changes every sixty seconds, and
provides the basis for authentication. To authenticate, the user must add to the beginning of the
tokencode a special PIN (Personal Identification Number). The time bar indicates how much time
is left before the next tokencode is generated. The remote user is requested to enter both the PIN
number and tokencode into the Client’s main connection window.
The newer format resembles a credit card, and displays the tokencode, time bars and a numeric
pad for typing in the PIN. This type of device mixes the tokencode with the entered PIN to create
a passcode. SecureClient requests only the passcode.

SoftID
SoftID operates the same as a passcode device but consists only of software that sits on the
desktop.

The Advanced view displays the tokencode and passcode with COPY buttons, allowing the user to
cut and paste between softID and the client.

Key Fobs
A small hardware device with built-in authentication mechanisms that control access to network
services and information is known as a key fob. While a password can be stolen without the owner's
knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor
authentication as other SecurID devices: the user has a personal identification number (PIN),
which authenticates them as the device's owner; after the user correctly enters their PIN, the
device displays a number which allows them to log on to the network. The SecurID SID700 Key
Fob is a typical example of such a device:

When the Endpoint Connect window opens for a user who has selected SecurID as the preferred
method of authentication, a field for the PIN is displayed:

Challenge Response
Challenge-response is an authentication protocol in which one party presents a question (the
challenge) and another party provides an answer (the response). For authentication to take place, a
valid answer must be provided to the question. Security systems that rely on smart cards are based
on challenge-response. A user is given a code (the challenge) which he or she enters into the smart
card. The smart card then displays a new code (the response) that the user presents to log in.
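The two token-based schemes described in the SecurID and Challenge Response sections, modelled from both sides so that the gateway-side checks are visible: a time-based tokencode (entered either as PIN followed by tokencode, or as a PIN-pad passcode) verified within a clock-drift window, and a single-use challenge whose response cannot be replayed. This is an added example, not Check Point or RSA code; the HMAC-based constructions, the 6- and 8-digit code lengths, the digit-wise PIN mixing rule and the one-window drift tolerance are assumptions, and the seed and card key are constructed values.

```python
"""Two one-time-code schemes from the Authentication chapter, modelled end to
end. Added example, not Check Point or RSA code: real SecurID tokens use RSA's
proprietary algorithm, and a real gateway defers to an authentication server.
Constants marked "assumed" are choices made for the example.
"""
import hashlib
import hmac
import secrets

STEP_SECONDS = 60     # the guide: the tokencode changes every sixty seconds
CODE_DIGITS = 6       # assumed tokencode length
DRIFT_STEPS = 1       # assumed: accept one 60-second window of clock drift either side
RESPONSE_DIGITS = 8   # assumed challenge/response length


def digits_from_mac(key: bytes, message: bytes, digits: int) -> str:
    """HMAC-SHA256 truncated to a fixed number of decimal digits."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    num = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)


# --- SecurID-style time-based token ----------------------------------------

def tokencode(seed: bytes, now: int, offset: int = 0) -> str:
    """What a token without a PIN pad displays for the current 60-second window."""
    counter = now // STEP_SECONDS + offset
    return digits_from_mac(seed, counter.to_bytes(8, "big"), CODE_DIGITS)


def pinpad_passcode(seed: bytes, pin: str, now: int, offset: int = 0) -> str:
    """What a PIN-pad token displays: the PIN mixed into the tokencode
    (digit-wise modular addition is an assumed mixing rule)."""
    code = tokencode(seed, now, offset)
    pin_digits = (pin * CODE_DIGITS)[:CODE_DIGITS]
    return "".join(str((int(c) + int(p)) % 10) for c, p in zip(code, pin_digits))


def verify_securid(seed: bytes, pin: str, submitted: str, now: int, pinpad: bool) -> bool:
    """Gateway side: rebuild the expected value for each window inside the drift
    tolerance and compare in constant time. Without a PIN pad the user types
    PIN + tokencode; with one, only the passcode."""
    for offset in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        if pinpad:
            expected = pinpad_passcode(seed, pin, now, offset)
        else:
            expected = pin + tokencode(seed, now, offset)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# --- Challenge-response (smart-card style) ---------------------------------

def card_response(card_key: bytes, challenge: str) -> str:
    """Card side: the user keys in the challenge; the card displays the response."""
    return digits_from_mac(card_key, challenge.encode(), RESPONSE_DIGITS)


class ChallengeVerifier:
    """Gateway side. Each challenge is random and consumed on first use, so a
    response captured from one login is useless for the next."""

    def __init__(self, keys_by_user: dict) -> None:
        self._keys = keys_by_user
        self._pending = {}

    def issue_challenge(self, user: str) -> str:
        challenge = f"{secrets.randbelow(10 ** RESPONSE_DIGITS):0{RESPONSE_DIGITS}d}"
        self._pending[user] = challenge
        return challenge

    def check(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)  # consumed whether or not it matches
        if challenge is None or user not in self._keys:
            return False
        return hmac.compare_digest(card_response(self._keys[user], challenge), response)


if __name__ == "__main__":
    seed, pin, now = b"constructed-token-seed", "1234", 1_700_000_000
    print("PIN + tokencode:", pin + tokencode(seed, now))
    print("PIN-pad passcode:", pinpad_passcode(seed, pin, now))
    verifier = ChallengeVerifier({"alice": b"constructed-card-key"})
    challenge = verifier.issue_challenge("alice")
    print("challenge:", challenge, "response:", card_response(b"constructed-card-key", challenge))
```

A production verifier would also remember each accepted tokencode and refuse it a second time within the same window, and would keep token seeds on the authentication server rather than on the gateway; both are outside what the guide describes and are left out here.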

Changing Authentication Schemes


To change the authentication scheme used by the client for a specific site:
1. Right-click the client’s icon in the system tray, and select VPN Options.
The Options window opens.
2. On the Sites tab, select the relevant site and click Properties.
The Properties window for that site opens.
3. On the Settings tab, use the Authentication Scheme drop-down box to select one of:
a. Username and password
b. Certificate - CAPI
c. Certificate - P12
d. SecurID - Keyfob
e. SecurID - PinPad
f. SoftID
g. Challenge Response

Site Creation and First-Time Connection

Creating a Site
This section covers how to create a new site, and connect for the first time.
To create a site:
1. From your system administrator, obtain the name or IP address of the VPN-1 gateway that
provides remote access to the corporate network.
2. Right-click the client icon in the system tray, and select Options.

The Options window opens:

3. On the Sites tab, click New.

The Site Wizard opens:

4. Enter name or IP address of the VPN-1 gateway, and click Next.


The Authentication Method window opens.

5. Select an authentication method, and click Next. If Certificate is your preferred method of
authentication, when you click Next the Certificate authentication window opens:

Select whether to use a PKCS#12 certificate stored in a file, or a certificate that has been
imported into the CAPI store.
• See “Understanding Certificates” on page 14 for more information.
• See “Certificate Enrollment and Renewal” on page 34 if you do not have a certificate and
wish to obtain one.
6. Click Next.

The digital fingerprint, a way for the site to authenticate itself to the client, appears:


This digital fingerprint is kept in the Windows registry and not displayed again — even if the
client is upgraded.
7. Click Yes, and wait until the Site created successfully message appears:

8. Click Finish.
9. When asked if you would like to connect, click Yes.
10. The main connection window opens:

11. Enter your authentication credentials, and click Connect.

The client connection window opens:



The site runs the Endpoint Security on Demand Scanner to determine whether the remote peer
is secured by such things as anti-virus software, the presence of a firewall, and recommended and
relevant software updates:

If the remote peer (your desktop or laptop) fails the initial compliance check, a report is
displayed that contains links to online remediation sources:

Follow the links to correct the problems discovered by the endpoint security check, then try to
connect again through the main connection window:

12. Enter your authentication credentials again, and click Connect.

The connection status window appears:


When the “connection succeeded” message displays, click Hide. The client is now connected.

Note - The Endpoint Security on Demand report is also available by right-clicking the client icon in
the system tray, and selecting View Compliance Report.
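Step 6 of the procedure above shows the gateway's digital fingerprint once, and the client keeps it in the registry and compares it silently on every later connection. That is a trust-on-first-use pin, and the part worth getting right is what happens on a mismatch. The following is an added illustration, not the client's own code: the registry is modelled as a dict, SHA-256 is an assumed digest (the page does not name one), and the certificate bytes are constructed, not a real gateway certificate.

```python
"""Trust-on-first-use pinning of a gateway certificate fingerprint. Added example."""
import hashlib
import hmac
from typing import Callable, Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated uppercase hex digest over the whole DER-encoded certificate."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintMismatch(Exception):
    """The gateway presented a certificate other than the one pinned for this site."""


class FingerprintStore:
    """Stand-in for the per-site registry values the client keeps."""

    def __init__(self):
        self._pins: Dict[str, str] = {}

    def get(self, site: str) -> Optional[str]:
        return self._pins.get(site)

    def set(self, site: str, fp: str) -> None:
        self._pins[site] = fp


def authenticate_site(store: FingerprintStore, site: str, cert_der: bytes,
                      user_accepts: Callable[[str], bool]) -> str:
    """
    First connection: show the fingerprint and pin it only if the user clicks Yes.
    Later connections: compare silently. A mismatch aborts instead of re-prompting,
    because a changed fingerprint is exactly what a man-in-the-middle looks like.
    Returns "pinned", "ok" or "rejected"; raises FingerprintMismatch.
    """
    presented = fingerprint(cert_der)
    pinned = store.get(site)
    if pinned is None:
        if not user_accepts(presented):
            return "rejected"
        store.set(site, presented)
        return "pinned"
    if hmac.compare_digest(pinned, presented):
        return "ok"
    raise FingerprintMismatch(f"{site}: pinned {pinned} but gateway presented {presented}")


# Constructed stand-in for the DER certificate bytes the gateway sends; not a real certificate.
DEMO_GATEWAY_CERT = b"\x30\x82\x01\x00demo-gateway-certificate"


if __name__ == "__main__":
    store = FingerprintStore()
    ask = lambda fp: input(f"Accept fingerprint {fp}? [y/N] ").lower() == "y"
    print(authenticate_site(store, "corporate-vpn", DEMO_GATEWAY_CERT, ask))
    print(authenticate_site(store, "corporate-vpn", DEMO_GATEWAY_CERT, ask))   # "ok", no prompt
```

Because the pin survives client upgrades (the page says the fingerprint is not displayed again even then), a legitimate gateway certificate change has to be accompanied by an out-of-band fingerprint for users to compare, otherwise every user sees a mismatch and has no way to tell it from an attack.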

Connecting with Endpoint Connect

In This Section:

Connecting to a Site page 25


Alternative Ways of Connecting page 26
Disconnecting from a Site page 26
Password Caching page 26

Connecting to a Site
To connect to a newly created or existing site:
1. Right-click the client icon in the system tray.
2. Select Connect to VPN...
The Connection window opens:

3. Enter your authentication credentials.


If you are using a certificate, the certificate used last time is automatically selected.
4. Click Connect.
The Connection Status window displays:

During this time:


• You are authenticated using your chosen method
• Network topology information is downloaded from the gateway to your local client


• Virtual network adapters are loaded


• If configured by the site administrator, an Endpoint Compliance check is run

Alternative Ways of Connecting


Endpoint Connect offers three alternative ways of connecting.
• Double-click the client icon in the system tray. If the site and authentication scheme are
already defined, Endpoint Connect connects transparently to that site.
• Right-click the client icon in the system tray, and select Quick Connect. Endpoint Connect
connects directly to the last active site. A tooltip appears when the connection is established.
• Right-click the client icon in the system tray, and select Connect to VPN. A list of all
available sites is shown in the Site drop-down box. When the connection succeeded message
displays, click Hide.

Disconnecting from a Site


To disconnect from a site:
1. Right-click the client icon in the system tray.
2. Click Disconnect.
A tooltip appears above the system tray informing you that the client is disconnected.

Password Caching
Provided that your site administrator has enabled password caching, the Endpoint Connect client
remembers the password you entered during the last successful connect operation, for example
the password you use with the username/password authentication scheme, or the password that
protects your P12 certificate.
• This password is held only in memory and deleted once you explicitly disconnect from a site.
• If, for example, location awareness is enabled, then as the client automatically reconnects to
the site, the password is supplied transparently from cache.
• If you see the password field already populated when you attempt to connect to a site, this
means that the cached credentials will be used. If necessary, you can override them and enter
new credentials.

Working with Endpoint Connect

In This Section:

Stopping and Starting Endpoint Connect page 27


Command Line Options page 27
Understanding the Client Window page 29
Changing Proxy Settings page 29
Staying Connected all the Time page 30
Understanding VPN Tunneling page 30
Upgrading Endpoint Connect page 31
Collecting and Sending Log Files page 31
Hotspot Detection and Exclusion page 33
Certificate Enrollment and Renewal page 34
Dial Up Support page 38
Smart Card Removal page 39
Tunnel Idleness page 39

Stopping and Starting Endpoint Connect


Endpoint Connect can be manually stopped and started.
To stop Endpoint Connect:
1. Right-click the client icon in the system tray.
2. Click Shutdown Client.
The client icon is removed from the system tray.
To start Endpoint Connect:
1. On the start menu > Programs > Check Point Endpoint VPN.
2. Click Check Point Endpoint VPN.

Command Line Options


Endpoint Connect can also be run from the command line. The client has a number of
command line options of the form: command_line <command> [<args>].
To use the command line:
1. Open a command prompt.
Start > Run > type: cmd
2. Browse to the Endpoint Connect directory:
C:\Program Files\CheckPoint\TRAC
3. Enter command_line <command> [<args>]:


Where <command> is one of the following:

Table 1 Command line options for Endpoint Connect

Command                                                          Function
Start                                                            Starts the Endpoint Connect service
Stop                                                             Stops the Endpoint Connect service
Status                                                           Prints status information and lists current
                                                                 connections
info [-s <site name>]                                            Lists all connections, or prints information
                                                                 about the named site
connect -s <sitename> [-u <username> -p <password> |             Connects using the given connection. Optional
        -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]            credentials can be supplied.
disconnect                                                       Disconnects the current connection
create -s <sitename>                                             Creates a new connection
delete -s <site name>                                            Deletes the given connection
help / h                                                         Shows how to use the command
list                                                             Lists user Domain Names stored in the CAPI
ver                                                              Prints the version
log                                                              Prints log messages
enroll_p12 -s <sitename> -f <filename> -p <password>             Enrolls a P12 certificate
        -r <registrationkey> [-l <keylength>]
enroll_capi -s <sitename> -r <registrationkey>                   Enrolls a CAPI certificate
        [-i <providerindex> -l <keylength> -sp <strongkeyprotection>]
renew_capi -s <sitename> -d <dn>                                 Renews a CAPI certificate
        [-l <keylength> -sp <strongkeyprotection>]
change_p12_pwd -f <filename>                                     Changes the P12 password
        [-o <oldpassword> -n <newpassword>]

Note - Credentials passed as command line arguments (-p, -pin, -o, -n) are visible to other
processes on the machine and may be retained in command history. Where possible, omit them and
enter credentials interactively when prompted.


Understanding the Client Window


Right-clicking the client icon in the system tray, and selecting Show Client displays the main client
window:

The left-hand navigation tree displays information regarding:


• Overview. Displays version information and whether or not a VPN connection exists.
• Firewall. Information about Endpoint security
• VPN
• Program Control
• Anti Virus / Spyware
• Email protection
• Privacy

Changing Proxy Settings


From time to time you may need to change your proxy server settings.
To change the proxy settings for Endpoint Connect:
1. Right-click the client icon in the system tray and select VPN Options.
The Options window opens.
2. Click the Advanced tab and select Proxy Settings.


The Proxy Settings window opens.

3. Configure your proxy definition and proxy authentication credentials according to the new
settings.

Staying Connected all the Time


To ensure that you remain connected to the active site:
1. Right-click the client icon in the system tray and select VPN Options.
The Options window opens.
2. On the Sites tab, select the site to which you wish to remain connected, and click Properties.
The Properties window for the site opens.

3. In the Always-Connect area of the window, select Enable Always-Connect.

Understanding VPN Tunneling


A VPN tunnel is an encrypted channel that provides secure access to the active site. To configure
VPN Tunnel settings:
1. Right-click the client icon in the system tray and select VPN Options.
The Options window opens.
2. On the Sites tab, select the relevant site, and click Properties.


The Properties window for the site opens.

3. In the VPN tunneling area of the window, select or clear Encrypt all traffic and route to gateway.
• If you select Encrypt all traffic and route to gateway, all outbound traffic on the client is
encrypted and sent to the VPN-1 gateway but only traffic directed at site resources passes
through the gateway. All other traffic is dropped.
• If you do not select Encrypt all traffic and route to gateway, only traffic directed at site
resources is encrypted and sent to the gateway. All other outbound client traffic passes in
the clear.
• For the VPN-1 gateway to act as a hub for content inspection of all inbound and outbound
client traffic, regardless of destination, the gateway administrator needs to define a
network application that includes the range: 0.0.0.1 > 255.255.255.254.

Upgrading Endpoint Connect


Three upgrade modes are available to your system administrator:
• Do not upgrade
The client does not upgrade even when a new version is available.
• Ask User
You must give permission for the upgrade to take place. If you choose not to upgrade, you are
reminded (through a tooltip) to upgrade each time you attempt to connect to the site.
• Always upgrade
Endpoint Connect is transparently upgraded without the need for your intervention. When the
process is complete, an upgrade notification appears as a tooltip above the client icon in the
system tray.
Unless they are specifically overridden by the upgrade package, existing client settings and
authentication credentials are preserved during the upgrade process.

Collecting and Sending Log Files


To troubleshoot unforeseen issues with the Endpoint Connect, your system administrator may ask
you to send log files. Before you can collect and send log files, logging must be enabled.
To enable Logging:
1. Right-click the client icon in the system tray and select VPN Options.
The Options window opens.


2. On the Advanced tab, select Enable logging.

To send log files:


1. Right-click the client icon in the system tray and select VPN Options.
The Options window opens.
2. On the Advanced tab, click Collect Logs.

• If your system administrator has preconfigured an email address for the logs, your default
email program opens with the address already entered and the logs attached as a single
CAB file.


• If no email address has been configured, the log files are gathered into a single folder and
the contents displayed:

3. Send the contents of the folder to your site administrator.

Hotspot Detection and Exclusion


For wireless connections, Endpoint Connect automatically detects the presence of a hotspot. When
connecting for the first time through the hotspot server, the connection fails and the following
client window appears:

1. Click on the link to register.


2. If required on the hotspot server registration page, enter your authentication and credit card
details.
3. Once your authentication and payment credentials have been accepted, connect to a defined
site.

Hotspot Exclusion
When the connection through the hotspot server fails, the client stores the IP address of the
hotspot server. Upon connection to the site, if the client discovers that this IP address is
duplicated on a gateway within the VPN domain, that gateway is removed from the topology. This
enables the client to send “stay alive” packets to the right address and keep the hotspot open for
the duration of the connection.
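The two topology decisions described on this page, the split-tunnel versus full-tunnel choice under "Understanding VPN Tunneling" and the hotspot exclusion just above, both come down to matching a destination address against a list of networks. The following is an added worked example, not Check Point code: it models the client-side effect of Encrypt all traffic and route to gateway, the gateway-side effect of the 0.0.0.1 to 255.255.255.254 network application that turns the gateway into a hub, and the removal of a gateway whose address duplicates the hotspot's. The encryption domain, gateway and hotspot addresses are constructed sample data.

```python
"""Split versus full tunnelling, gateway hub range, and hotspot exclusion. Added example."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network, summarize_address_range
from typing import Iterable, List

# Constructed sample encryption domain, as downloaded from the gateway when the tunnel comes up.
SITE_TOPOLOGY: List[IPv4Network] = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]

# The range the page tells the administrator to define so the gateway inspects all client traffic.
HUB_NETWORK_APPLICATION: List[IPv4Network] = list(
    summarize_address_range(ip_address("0.0.0.1"), ip_address("255.255.255.254")))


def in_any(addr: IPv4Address, networks: Iterable[IPv4Network]) -> bool:
    return any(addr in net for net in networks)


def client_decision(dest: IPv4Address, topology: Iterable[IPv4Network], encrypt_all: bool) -> str:
    """With the option selected everything enters the tunnel; cleared, only site traffic does."""
    if encrypt_all or in_any(dest, topology):
        return "encrypt"
    return "clear"


def gateway_decision(dest: IPv4Address, network_application: Iterable[IPv4Network]) -> str:
    """The gateway forwards decrypted client traffic only to destinations it is configured for."""
    return "forward" if in_any(dest, network_application) else "drop"


def route(dest: str, encrypt_all: bool, network_application: Iterable[IPv4Network],
          topology: Iterable[IPv4Network] = SITE_TOPOLOGY) -> str:
    """End-to-end fate of one outbound packet: 'clear', 'tunnelled' or 'dropped at gateway'."""
    addr = ip_address(dest)
    if client_decision(addr, topology, encrypt_all) == "clear":
        return "clear"
    if gateway_decision(addr, network_application) == "forward":
        return "tunnelled"
    return "dropped at gateway"


def exclude_hotspot(vpn_domain_gateways: Iterable[str], hotspot_ip: str) -> List[str]:
    """Hotspot exclusion: a gateway whose address duplicates the hotspot's is removed from the
    topology so keep-alives reach the hotspot and it stays open for the whole session."""
    return [gw for gw in vpn_domain_gateways if ip_address(gw) != ip_address(hotspot_ip)]


if __name__ == "__main__":
    # Internet destination (TEST-NET-2 address, constructed) under each configuration.
    for encrypt_all, app, label in [
        (False, SITE_TOPOLOGY, "split tunnel"),
        (True, SITE_TOPOLOGY, "encrypt all, gateway not a hub"),
        (True, HUB_NETWORK_APPLICATION, "encrypt all, gateway is a hub"),
    ]:
        print(f"{label:32s} -> {route('198.51.100.7', encrypt_all, app)}")
    print(exclude_hotspot(["203.0.113.10", "198.51.100.1"], hotspot_ip="198.51.100.1"))
```

The middle case is the one users trip over: selecting Encrypt all traffic and route to gateway without the hub network application on the gateway means Internet traffic is encrypted, arrives at the gateway, and is dropped there, so the laptop appears to lose Internet access rather than gaining inspection.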


Certificate Enrollment and Renewal


Enrollment refers to the process of applying for and receiving a certificate from a recognized
Certificate Authority (CA), in this case Check Point’s Internal CA. In the enrollment process, your
system administrator creates a certificate and sends you the certificate’s registration key. The client
sends this key to the gateway, and in return receives the certificate, either CAPI or PKCS#12, which is
saved or stored. (See “Storing a Certificate in the CAPI Store” on page 14).
You can enroll either when creating a site or after a site is created.

Enrolling During Site Creation.


When you reach the Certificate Authentication window of the site wizard:
1. Select Check this if you don’t have a certificate yet (only works with ICA certificates).

2. Click Next.
When the Site Created Successfully Message appears, click Finish.
3. When asked if you would like to create a certificate now, click Yes.
The client’s enrollment window opens, either for CAPI:


Or PKCS#12:

4. Enter the required authentication details, such as the registration key, and click Enroll.
• If you have a PKCS#12 certificate, the SAVE AS window opens. Save the certificate to an
appropriate directory.
i. You are asked if you want to connect. Click Yes.
ii. When the main connection window opens, browse to the location of your PKCS#12
certificate.
• CAPI certificates are automatically entered into the CAPI store.
i. The RSA window opens:

ii. Click OK.


The certificate will be a protected item. Each time the client uses the certificate, you
will be required to manually grant permission.
iii. The enrollment window opens:

iv. When prompted, add the certificate to the root store:


v. After the Enrollment succeeded message, the connection window opens with the
certificate selected:

vi. Click Connect.

Enrolling After A Site is Created


When using certificates for authentication, each time you connect to the site, the client checks to
see how close the certificate is to its expiration date. If necessary, and simultaneously with the
connect process, the certificate is renewed. A message balloon appears in the system tray:
Certificate renewal in progress.

Certificate Renewal
A certificate can be renewed at any time. To renew a certificate:
1. In the VPN Options window:


Open the properties for a site:

2. Click Renew.
The authentication window opens:

3. Using the drop-down box, select your certificate.


4. When prompted, grant access to the protected item (your certificate):


5. Wait while the certificate is renewed:

A Renewal Succeeded message appears, followed by the connection window:

Dial Up Support
Endpoint Connect supports dialup connections for a number of scenarios:
• If no network is available when you try to connect to a site, and no dialup connection has been
configured, the client displays a connection failed message:


Click the link to configure a dialup connection. The link opens the New Connection Wizard:

Complete the wizard to configure a dialup connection.


• If a single dialup connection is already defined, then clicking the “activate dialup” link
instructs the client to dial it.
• If more than one dialup connection is configured, choose the connection to use from the
displayed list.
• If Transparent Network and Interface Roaming is enabled, and the client is in a state of
“reconnecting”, the option to configure a dialup connection displays:

Smart Card Removal


If you are authenticating using a smart card, and the smart card or smart card reader is removed from
the USB port, the client detects that the certificate is no longer available and disconnects from the
site. A “VPN tunnel has disconnected. Smart card was removed” message is displayed.

Tunnel Idleness
If you see a “VPN tunnel has disconnected. Tunnel inactivity timeout reached” message, no traffic
has passed between you and the site for a period (set in minutes) configured by your system
administrator.
Your organization may have specific security requirements, such that an open VPN tunnel should
be transporting work-related traffic to the site at all times. An idle or inactive tunnel should be
shut down.
A mail program such as Outlook performing a send-receive operation every five minutes would be
considered work-related, and the tunnel would be kept open.
