Check Point Endpoint Connect: User Guide Version NGX R66 HFA01
Preface
Who Should Use This Guide page 3
Summary of Contents page 3
More Information page 3
Documentation Feedback page 3
Terminology
IPSec page 7
IKE page 7
Remote Access VPN page 7
Remote Access Community page 7
Visitor Mode page 7
Endpoint Security On Demand page 8
Prerequisites
Platforms page 9
Supported Gateways page 9
Authentication
User Name and Password page 13
Certificates page 14
SecurID page 17
Challenge Response page 19
Changing Authentication Schemes page 19
Changing Proxy Settings page 29
Staying Connected all the Time page 30
Understanding VPN Tunneling page 30
Upgrading Endpoint Connect page 31
Collecting and Sending Log Files page 31
Hotspot Detection and Exclusion page 33
Certificate Enrollment and Renewal page 34
Dial Up Support page 38
Smart Card Removal page 39
Tunnel Idleness page 39
Preface
Summary of Contents
This guide contains the following chapters:
Title Description
“Check Point Endpoint Connect” on page 4: Covers the basic capabilities of the Endpoint Connect client
“Terminology” on page 7: Covers basic terminology
“Prerequisites” on page 9: Covers supported platforms and gateways
“Installing Endpoint Connect” on page 10: Covers basic installation
“Authentication” on page 13: Covers the various authentication schemes available on Endpoint Connect
“Site Creation and First-Time Connection” on page 20: Covers creating a site and connecting for the first time
“Connecting with Endpoint Connect” on page 25: Covers alternative methods of connecting
“Working with Endpoint Connect” on page 27: Covers Endpoint Connect features
More Information
For additional technical information about Check Point products, consult Check Point’s
SecureKnowledge at http://support.checkpoint.com.
• To view the latest version of this document in the Check Point User Center, go to
http://support.checkpoint.com.
Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by
sending your comments to:
cp_techpub_feedback@checkpoint.com
Check Point Endpoint Connect
In This Section:
Introduction page 4
Why Endpoint Connect? page 4
Capabilities page 4
Introduction
Endpoint Connect is Check Point’s new lightweight remote access client. Providing seamless,
secure (IPSec) VPN connectivity to corporate resources, the client works transparently with VPN-1
and Connectra gateways.
Note - While Endpoint Connect can reside on the same host as SecureClient or Endpoint
Security, users should avoid connecting with the two VPN clients to the same network at the same
time.
Capabilities
Resident on the user's desktop or laptop, Endpoint Connect provides various capabilities for
connectivity, security, installation and administration.
Copyright © 2008 Check Point Software Technologies, Ltd. All rights reserved
Connectivity
• Network Layer Connectivity
An IPSec VPN connection to the VPN-1 gateway for secure encrypted communication. If the
network connection is lost, the client seamlessly reconnects without user intervention.
• Intelligent Auto detect and connect
Whenever the VPN-1 gateway or client’s location changes, Endpoint Connect autodetects the
best method to establish a connection, using either NAT-T or Visitor mode, intelligently
auto-switching between the two modes as necessary.
• Smart location awareness
Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain
(Enterprise LAN), and automatically connects or disconnects as required.
• Proxy detection
Proxy servers between the client and the VPN-1 gateway are automatically detected,
authenticated to, and replaced when no longer valid.
• Transparent Network and Interface Roaming
If the IP address of the client changes, for example if the client is using a wireless connection
then physically connects to a LAN that is not part of the VPN domain, interface roaming
maintains the logical connection.
• Multiple Sites
Endpoint Connect connects to any one of a number of user defined gateways.
• Dead Gateway Detection
If the client fails to receive an encrypted packet within a specified time interval, it sends a
special “tunnel test” packet to the VPN-1 gateway. If the tunnel test packet is acknowledged,
then the gateway is active. If a number of tunnel test packets remain unacknowledged, the
gateway is considered inactive or dead.
• Hotspot Support
• Dialup Support
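The dead gateway detection rule in the list above can be modelled as a small state machine. The following is an added example written for this page, not Check Point client code: a monitor that sends a tunnel test once no encrypted packet has arrived within a silence interval, resets its count whenever any encrypted packet (including a tunnel test acknowledgement) arrives, and declares the gateway dead once the allowed number of tests have gone unanswered. The silence interval, the probe limit and the packet timelines are constructed assumptions; the client's real values are not given on this page.

```python
"""Dead gateway detection, modelled as a small state machine.

Added example for this page, not Check Point code. The silence interval,
the probe limit and the event timelines are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class GatewayMonitor:
    silence_interval: float            # seconds without an encrypted packet before a tunnel test is sent
    max_unacked: int                   # unanswered tunnel tests after which the gateway is declared dead
    last_rx: float = 0.0               # when the last encrypted packet arrived from the gateway
    last_probe: float = float("-inf")  # when the last tunnel test was sent
    unacked: int = 0                   # tunnel tests sent since the last packet from the gateway
    probes_sent: list = field(default_factory=list)
    dead: bool = False

    def on_encrypted_packet(self, now: float) -> None:
        # Any encrypted packet from the gateway (including a tunnel test
        # acknowledgement) proves it is alive and resets the probe count.
        self.last_rx = now
        self.unacked = 0

    def tick(self, now: float) -> str:
        """Run once per second. Returns 'active', 'probe' or 'dead'."""
        if self.dead:
            return "dead"
        quiet_since = max(self.last_rx, self.last_probe)
        if now - quiet_since < self.silence_interval:
            return "active"
        if self.unacked >= self.max_unacked:
            # The allowed number of tunnel tests went unanswered: the gateway is dead.
            self.dead = True
            return "dead"
        self.probes_sent.append(now)
        self.last_probe = now
        self.unacked += 1
        return "probe"


def run_timeline(events: dict, silence_interval: float, max_unacked: int, horizon: int):
    """Replay a constructed timeline at one-second ticks.

    events maps a second to 'rx' (encrypted data packet from the gateway) or
    'ack' (tunnel test acknowledgement). Returns (dead, probe_times, death_time).
    """
    mon = GatewayMonitor(silence_interval, max_unacked)
    death_time = None
    for now in range(horizon + 1):
        if events.get(now) in ("rx", "ack"):
            mon.on_encrypted_packet(now)
        if mon.tick(now) == "dead" and death_time is None:
            death_time = now
    return mon.dead, mon.probes_sent, death_time


if __name__ == "__main__":
    # Gateway goes silent after its first packet: probes at 10, 20, 30, dead at 40.
    print(run_timeline({0: "rx"}, 10, 3, 60))
    # One acknowledgement at second 12 resets the count and delays the verdict.
    print(run_timeline({0: "rx", 12: "ack"}, 10, 3, 60))
    # Steady traffic every five seconds: no tunnel test is ever needed.
    print(run_timeline({t: "rx" for t in range(0, 61, 5)}, 10, 3, 60))
```

The point of the `last_probe` timestamp is that tunnel tests are paced at the silence interval rather than sent on every tick, and the point of resetting on any received packet is that ordinary data from the gateway counts as proof of life, so a busy tunnel never pays the probe cost.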
Security
• Endpoint Security on Demand
Provides a full, effective endpoint compliance check (for required software updates, antivirus
signatures, and the presence of malware) when connecting, and repeats the scan at specified time
intervals. Clients that fail the initial scan when connecting are given access to remediation sources.
• Full IPSec VPN
Internet Key Exchange (version 1) support for secure authentication.
• Support for strong authentication schemes such as:
a. Username and passwords (including cached passwords)
b. SecurID
c. Challenge-Response
d. CAPI software and hardware tokens
• Certificate enrollment, renewal, and auto-renewal
• Tunnel idleness detection
Administration
• Unified Central Management
• Advanced User Management
• Unified updates
• Regulatory Compliance with Advanced Monitoring, Logging and Reporting
DLL version numbers are collected in a special file for troubleshooting purposes.
Terminology
In This Section:
IPSec page 7
IKE page 7
Remote Access VPN page 7
Remote Access Community page 7
Visitor Mode page 7
Endpoint Security On Demand page 8
IPSec
A security protocol for authentication and encryption over the Internet.
IKE
Internet Key Exchange, a method used in the IPSec protocol for:
• Authenticating users
• Negotiating an encryption method
• Exchanging a secret key used for data encryption
Visitor Mode
A Check Point remote access VPN solution that enables tunneling of all client-to-gateway
communication over a regular TCP connection on port 443. Visitor mode ensures secure
communication through firewalls and proxy servers configured to block IPSec packets.
Endpoint Security On Demand
Note - The Endpoint Security Compliance scan is only available when the client connects to
corporate resources through the NGX R66 Connectra remote access gateway.
Prerequisites
Platforms
Endpoint Connect can only be installed on the following platforms:
• Windows 2000 SP4
• Windows XP SP2
• Windows x86 Vista (32 bit only)
Supported Gateways
• Connectra NGX R66
• VPN-1 NGX R65
Installing Endpoint Connect
Configuring Proxy Settings
Right-clicking the icon opens the client system tray options menu:
Option Purpose
Quick Connect: Opens the main connection window with the last active site selected. If you authenticate using a certificate, the client connects immediately.
Connect to VPN: Opens the main connection window and lets you connect to a specific site from the drop-down list.
VPN Options: Opens a window for site and advanced settings.
View Compliance Report: Displays the report created after an Endpoint Security on Demand scan.
Help: Opens the online help file, or displays a window that shows the client version number (build number). Hovering the mouse over the system tray icon reveals the client’s status (idle, connected, or disconnected).
Show Client: Opens the client window.
Shutdown Client: Closes Endpoint Connect.
Note - In most cases, the settings of the remote location’s proxy server are detected automatically.
Authentication
Certificates
Your system administrator might request you to use a Check Point certificate for authentication.
Understanding Certificates
A certificate is the digital equivalent of an ID card. It is issued by a trusted third party known
as a Certification Authority (CA). While there are well known external CAs such as VeriSign and
Thawte, Endpoint Connect uses the digital certificates issued by the VPN-1 gateway, which has its
own Internal Certificate Authority (ICA). The digital certificate used by Endpoint Connect contains:
• Your name
• A serial number
• Expiration dates
• A copy of the certificate holder's public key (used for encrypting messages and digital
signatures)
• The digital signature of the certificate-issuing authority, in this instance the ICA, so that the
VPN-1 gateway can verify that the certificate is real and (if real) still valid.
Certificates can either be imported to the CAPI store or saved to a folder of your choice.
Obtaining a Certificate
Certificates are either supplied by your system administrator, or obtained through the enrollment
and renewal process. See “Certificate Enrollment and Renewal” on page 34.
2. Click Next.
The correct path to the file you wish to import is shown automatically:
3. Click Next, and enter the password for the private key.
This is the password for the key you obtained from your system administrator. If you:
• Enable strong private key protection, you will be prompted to enter the password each time
the private key is used by the client.
• Mark this key exportable, the key can be backed up or transported at a later time.
4. Click Next, and either allow the file to be automatically stored or browse to a specific storage
folder.
5. Click Connect.
Note - If you have the Always-Connect option configured, then each time the client loses
communication with the site, you will be prompted to enter the certificate’s password.
Another advantage of not having the PKCS#12 certificate in the CAPI store is that, if someone
steals your laptop, they will not be able to use the client to connect to the site without knowing the
password—even if they have the PKCS#12. For this reason, your system administrator may switch
from using the certificate stored in the CAPI store to requiring you to authenticate using the PKCS#12
certificate directly. If this happens, a message is displayed when you try to connect to the active site.
Browse to the folder where the certificate is stored.
SecurID
The RSA SecurID authentication mechanism consists of either hardware (key fob, USB token) or
software (softID) that generates an authentication code at fixed intervals (usually one minute) using
a built-in clock and an encoded random key.
The most typical form of SecurID Token is the hand-held device. The device is usually a key FOB
or slim card. The token can have a PIN pad, onto which a user enters a Personal Identification
Number (PIN) to generate a passcode. When the token has no PIN pad, a tokencode is displayed.
A tokencode is the changing number displayed on the key FOB.
The Endpoint Connect site wizard supports both methods as well as softID (See “SoftID” on
page 18).
Endpoint Connect uses both the PIN and tokencode or just the passcode to authenticate to the
VPN-1 gateway.
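To illustrate the clock-plus-seed mechanism the text describes, the following is an added example written for this page, not Check Point or RSA code. It uses the open HMAC-based TOTP construction (RFC 6238) with a one-minute step, not RSA's proprietary SecurID algorithm, and shows both token types being checked by a server: a plain token whose displayed tokencode the user types after the PIN, and a PIN-pad token that produces a passcode on the device. The server tolerates one step of clock drift and refuses to accept any code twice. The seed, the PINs, the way the PIN-pad token mixes the PIN into the key, and the timestamps are constructed assumptions.

```python
"""Time-synchronised token codes of the kind described above.

Added example for this page, not Check Point or RSA code. It uses the open
HMAC-based TOTP construction (RFC 6238) to illustrate the clock-plus-seed
idea, NOT RSA's proprietary SecurID algorithm. The PIN-pad model (PIN mixed
into the key), the seed, PINs and timestamps are constructed assumptions.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # codes change at fixed intervals, usually one minute
DIGITS = 6
DRIFT_STEPS = 1     # clock skew the server tolerates, in steps either side


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(key, counter), dynamically truncated to DIGITS digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def code_for(seed: bytes, at: int, pin=None) -> str:
    """Tokencode for a plain token; passcode for a PIN-pad token (PIN mixed into the key)."""
    key = seed if pin is None else seed + pin.encode()
    return hotp(key, at // STEP_SECONDS)


class Token:
    """A key fob or softID: an embedded random seed plus a clock."""

    def __init__(self, seed: bytes, has_pinpad: bool):
        self._seed = seed            # never leaves the device
        self.has_pinpad = has_pinpad

    def display(self, now: int, pin=None) -> str:
        if self.has_pinpad:
            if pin is None:
                raise ValueError("PIN-pad token: enter the PIN on the device")
            return code_for(self._seed, now, pin)   # passcode
        return code_for(self._seed, now)            # tokencode only


class AuthServer:
    """Gateway-side check: knows each user's seed and PIN, accepts each code once."""

    def __init__(self):
        self.users = {}    # name -> (seed, pin, has_pinpad)
        self.used = set()  # (name, counter) already accepted: codes are one-time

    def register(self, name: str, seed: bytes, pin: str, has_pinpad: bool) -> None:
        self.users[name] = (seed, pin, has_pinpad)

    def verify(self, name: str, submitted: str, now: int) -> bool:
        seed, pin, has_pinpad = self.users[name]
        counter = now // STEP_SECONDS
        for c in range(counter - DRIFT_STEPS, counter + DRIFT_STEPS + 1):
            at = c * STEP_SECONDS
            # Without a PIN pad the user types the PIN followed by the displayed tokencode.
            expected = code_for(seed, at, pin) if has_pinpad else pin + code_for(seed, at)
            if hmac.compare_digest(expected, submitted) and (name, c) not in self.used:
                self.used.add((name, c))
                return True
        return False
```

Two design points carry over to any token scheme: the drift window is what lets a code typed a few seconds after the minute boundary still work, and the `used` set is what keeps a code one-time, so an observer who captures a passcode in transit cannot submit it again within that window.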
SoftID
SoftID operates the same as a passcode device but consists only of software that sits on the
desktop.
The Advanced view displays the tokencode and passcode with COPY buttons, allowing the user to
cut and paste between softID and the client.
Key Fobs
A small hardware device with built-in authentication mechanisms that control access to network
services and information is known as a key fob. While a password can be stolen without the owner's
knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor
authentication as other SecurID devices: the user has a personal identification number (PIN),
which authenticates them as the device's owner; after the user correctly enters their PIN, the
device displays a number which allows them to log on to the network. The SecurID SID700 Key
Fob is a typical example of such a device:
When the Endpoint Connect window opens for a user who has identified SecurID as the preferred
method of authentication, a field for the PIN is displayed:
Challenge Response
Challenge-response is an authentication protocol in which one party presents a question (the
challenge) and another party provides an answer (the response). For authentication to take place, a
valid answer must be provided to the question. Security systems that rely on smart cards are based
on challenge-response. A user is given a code (the challenge) which he or she enters into the smart
card. The smart card then displays a new code (the response) that the user presents to log in.
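The exchange described above, as an added example written for this page rather than Check Point code: the server issues a fresh random challenge for each login attempt, the card computes a short HMAC-derived response from a secret that never leaves it, and the server checks the response against the one outstanding challenge and then discards that challenge, so a response captured once is useless against any later challenge. The card secret, the user name and the eight-character response length are constructed assumptions.

```python
"""Challenge-response login, as described above.

Added example for this page, not Check Point code. The card's secret,
the response length and the user name are constructed assumptions.
"""
import hashlib
import hmac
import os

RESPONSE_CHARS = 8   # short enough for a user to read off the card and type


class SmartCard:
    """The user's card: holds a secret that never leaves it; turns a challenge into a response."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: str) -> str:
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).hexdigest()
        return mac[:RESPONSE_CHARS]


class ChallengeServer:
    """Issues a fresh, single-use challenge per login attempt and checks the answer."""

    def __init__(self):
        self.secrets = {}   # user -> card secret shared at enrollment
        self.pending = {}   # user -> outstanding challenge

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def issue_challenge(self, user: str) -> str:
        challenge = os.urandom(4).hex()   # 8 hex digits the user keys into the card
        self.pending[user] = challenge
        return challenge

    def check(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)   # one challenge, one answer
        if challenge is None or user not in self.secrets:
            return False
        expected = SmartCard(self.secrets[user]).respond(challenge)
        return hmac.compare_digest(expected, response)


def login(server: ChallengeServer, card: SmartCard, user: str) -> bool:
    """The full exchange: server asks, user keys the challenge into the card, types back the answer."""
    challenge = server.issue_challenge(user)
    return server.check(user, card.respond(challenge))
```

Popping the pending challenge before comparing is deliberate: a failed attempt also consumes it, so a client cannot keep guessing responses to the same challenge.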
Site Creation and First-Time Connection
Creating a Site
This section covers how to create a new site, and connect for the first time.
To create a site:
1. From your system administrator, obtain the name or IP address of the VPN-1 gateway that
provides remote access to the corporate network.
2. Right-click the client icon in the system tray, and select Options.
5. Select an authentication method, and click Next. If Certificate is your preferred method of
authentication, when you click Next the Certificate authentication window opens:
Select whether to use a PKCS#12 certificate stored in a folder, or a PKCS#12 that has been
entered into the CAPI store.
• See “Understanding Certificates” on page 14 for more information.
• See “Certificate Enrollment and Renewal” on page 34 if you do not have a certificate and
wish to obtain one.
6. Click Next...
The digital fingerprint, a way for the site to authenticate itself to the client, appears:
This digital fingerprint is kept in the Windows registry and not displayed again — even if the
client is upgraded.
7. Click Yes, and wait until the Site created successfully message appears:
8. Click Finish.
9. When asked if you would like to connect, click Yes.
10. The main connection window opens:
The site runs the Endpoint Security on Demand scanner to determine whether the remote peer
is secured by such things as antivirus software, the presence of a firewall, and recommended and
relevant software updates:
If the remote peer (your desktop or laptop) fails the initial compliance check, a report is
displayed that contains links to online remediation sources:
Follow the links to correct the problems discovered by the endpoint security check, then try to
connect again through the main connection window:
When the “connection succeeded” message displays, click Hide. The client is now connected.
Note - The Endpoint Security on Demand report is also available by right-clicking the client icon in
the system tray, and selecting View Compliance Report.
Connecting with Endpoint Connect
Connecting to a Site
To connect to a newly created or existing site:
1. Right-click the client icon in the system tray.
2. Select Connect to VPN...
The Connection window opens:
Alternative Ways of Connecting
Password Caching
Provided that your site administrator has enabled password caching, the Endpoint Connect client
remembers any password you entered during the last successful (authenticated) connect operation,
for example the password used with the username/password authentication scheme, or the password
to your p12 certificate.
• This password is held only in memory and deleted once you explicitly disconnect from a site.
• If, for example, location awareness is enabled, then as the client automatically reconnects to
the site, the password is supplied transparently from cache.
• If you see the password field already populated when you attempt to connect to a site, this
means that the cached credentials will be used. If necessary, you can override them and enter
new credentials.
Working with Endpoint Connect
Command Line Options
Command Function
Start: Starts the Endpoint Connect service
Stop: Stops the Endpoint Connect service
Status: Prints status information and lists current connections
info [-s <site name>]: Lists all connections or prints site name information
connect -s <sitename> [-u <username> -p <password> | -d <dn> | -f <p12> | -pin <PIN> -sn <serial>]: Connects using the given connection. Optional credentials can be supplied.
disconnect: Disconnects the current connection
create -s <sitename>: Creates a new connection
delete -s <site name>: Deletes the given connection
help / h: Shows how to use the command
list: Lists user Domain Names stored in the CAPI
ver: Prints the version
log: Prints log messages
enroll_p12 -s <sitename> -f <filename> -p <password> -r <registrationkey> [ -l <keylength> ]: Enrolls a p12 certificate
enroll_capi -s <sitename> -r <registrationkey> [ -i <providerindex> -l <keylength> -sp <strongkeyprotection> ]: Enrolls a CAPI certificate
renew_capi -s <sitename> -d <dn> [ -l <keylength> -sp <strongkeyprotection> ]: Renews a CAPI certificate
change_p12_pwd -f <filename> [ -o <oldpassword> -n <newpassword> ]: Changes the p12 password
Understanding the Client Window
Staying Connected all the Time
3. Configure your proxy definition and proxy authentication credentials according to the new
settings.
Upgrading Endpoint Connect
3. In the VPN tunneling area of the window, select Encrypt all traffic and route to gateway.
• If you select Encrypt all traffic and route to gateway, all outbound traffic on the client is
encrypted and sent to the VPN-1 gateway but only traffic directed at site resources passes
through the gateway. All other traffic is dropped.
• If you do not select Encrypt all traffic and route to gateway, only traffic directed at site
resources is encrypted and sent to the gateway. All other outbound client traffic passes in
the clear.
• For the VPN-1 gateway to act as a hub for content inspection of all inbound and outbound
client traffic, regardless of destination, the gateway administrator needs to define a
network application that includes the range: 0.0.0.1 > 255.255.255.254.
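The three cases in the list above (site traffic, non-site traffic with "Encrypt all traffic and route to gateway" on or off, and the hub configuration) can be checked against a VPN domain with a few lines of Python. The following is an added example written for this page, not Check Point code: it parses a VPN domain given as CIDR blocks or as an address range, classifies each outbound destination as encrypted, sent in the clear, or dropped at the gateway, and shows that the range 0.0.0.1 to 255.255.255.254 from the text makes every routable destination a site resource. The VPN domain, the destination addresses and the function names are constructed assumptions.

```python
"""Outbound traffic handling under the two VPN tunneling settings above.

Added example for this page, not Check Point code. The VPN domain, the
destination addresses and the function names are constructed assumptions;
the hub range 0.0.0.1 to 255.255.255.254 is the one the text gives.
"""
import ipaddress


def parse_domain(entries):
    """VPN domain as a list of networks. Accepts CIDR ('10.0.0.0/8') or a range 'lo-hi'."""
    networks = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def classify(destination: str, domain, encrypt_all: bool) -> str:
    """Outcome for one outbound packet: 'encrypt', 'clear' or 'drop'."""
    addr = ipaddress.ip_address(destination)
    if any(addr in net for net in domain):
        return "encrypt"        # site resource: always goes through the tunnel
    if encrypt_all:
        return "drop"           # encrypted and sent to the gateway, which does not forward it
    return "clear"              # leaves the client unencrypted


def route_table(destinations, domain, encrypt_all: bool) -> dict:
    """Outcome per destination, for a quick side-by-side view of the two settings."""
    return {d: classify(d, domain, encrypt_all) for d in destinations}


if __name__ == "__main__":
    site = parse_domain(["10.0.0.0/8", "192.168.100.0/24"])   # constructed VPN domain
    hub = parse_domain(["0.0.0.1-255.255.255.254"])          # hub configuration from the text
    dests = ["10.1.2.3", "192.168.100.7", "8.8.8.8"]
    print(route_table(dests, site, encrypt_all=False))
    print(route_table(dests, site, encrypt_all=True))
    print(route_table(dests, hub, encrypt_all=True))
```

The hub case is worth noting from a monitoring standpoint: with that range in the domain, nothing the client sends leaves in the clear, so any unencrypted outbound traffic seen from a connected client indicates a misconfiguration rather than normal split tunneling.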
Collecting and Sending Log Files
• If your system administrator has preconfigured an email address for the logs, your default
email program opens with the address already entered and the logs attached as a single
CAB file.
• If no email address has been configured, the log files are gathered into a single folder and
the contents displayed:
Hotspot Detection and Exclusion
Hotspot Exclusion
When the connection to the hotspot server fails, the client stores the IP address of the hotspot
server. Upon connection to the site, if the client discovers that the IP address of the hotspot server
is duplicated on a gateway within the VPN domain, that gateway is removed from the topology. This
enables the client to send “stay alive” packets to the right address and keep the hotspot open for
the duration of the connection.
Certificate Enrollment and Renewal
2. Click Next.
When the Site Created Successfully Message appears, click Finish.
3. When asked if you would like to create a certificate now, click Yes.
The client’s enrollment window opens, either for CAPI:
Or PKCS#12:
4. Enter the required authentication details, such as the registration key, and click Enroll.
• If you have a PKCS#12 certificate, the SAVE AS window opens. Save the certificate to an
appropriate directory.
i. You are asked if you want to connect. Click Yes.
ii. When the main connection window opens, browse to the location of your PKCS#12
certificate.
• CAPI certificates are automatically entered into the CAPI store.
i. The RSA window opens:
v. After the Enrollment succeeded message, the connection window opens with the
certificate selected:
Certificate Renewal
A certificate can be renewed at any time. To renew a certificate:
1. In the VPN Options window:
2. Click Renew.
The authentication window opens:
Dial Up Support
Endpoint Connect supports dialup connections for a number of scenarios:
• If no network is available when you try to connect to a site, and no dialup connection has been
configured, the client displays a connection failed message:
Click the link to configure a dialup connection. The link opens the New Connection Wizard:
Tunnel Idleness
If you see the message “VPN tunnel has disconnected. Tunnel inactivity timeout reached”, this means
that no traffic has passed between you and the site during a period (set in minutes) by your system
administrator.
Your organization may have specific security requirements, such that an open VPN tunnel should
be transporting work-related traffic to the site at all times. An idle or inactive tunnel should be
shut down.
A mail program such as Outlook performing a send-receive operation every five minutes would be
considered work-related, and the tunnel is kept open.