Upgrading SecureClient to Endpoint Security VPN R75 on NGX R65 SmartCenter Server potx
20 October 2010

© 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11130
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
20 October 2010: Added procedure for restoring the TTM file with customizations ("Restoring Settings" on page 25).
14 October 2010: Added Desktop rule to allow MEP traffic ("Making a Desktop Rule for MEP" on page 32). The connect_timeout parameter was removed from the list of commonly changed configuration file parameters, because it must not be used in this installation.
10 October 2010: To reflect the easy process of moving from SecureClient to Endpoint Security VPN, migration is changed to upgrading. Updated Microsoft Windows 7 Editions and fixed client version number in Supported Platforms ("System Requirements" on page 6).
28 September 2010: Updated features lists ("Before Upgrading to Endpoint Security VPN" on page 6).
13 September 2010: Window pictures added; different versions of the document released for different versions of SmartDashboard.
June 2010: Initial version.

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Upgrading SecureClient to Endpoint Security VPN R75 on NGX R65 SmartCenter Server).

Contents
Important Information 3
Introduction to Endpoint Security VPN 5
  Using Different Management Servers 5
  Why You Should Upgrade to Endpoint Security VPN 5
  Before Upgrading to Endpoint Security VPN 6
    System Requirements 6
    New Endpoint Security VPN Features 6
    SecureClient Features Supported in Endpoint Security VPN 7
    SecureClient Features Not Yet Supported 9
Configuring Gateways to Support Endpoint Security VPN 10
  Installing Hotfix on Gateways 10
  Configuring SmartDashboard 11
  Supporting Endpoint Security VPN and SecureClient Simultaneously 14
  Troubleshooting Dual Support 17
Installing and Configuring Endpoint Security VPN on Client Systems 18
  Installing Endpoint Security VPN on Client Systems 18
  Client Icon 18
  Helping Users Create a Site 18
    Preparing the Gateway Fingerprint 19
    Using the Site Wizard 20
    Opening the Site Wizard Again 21
  Connecting to a Site 22
  Pre-Configuring Proxy Settings 22
  Pre-Configuring Always Connect 23
  Using the Packaging Tool 23
The Configuration File 25
  Configuration File Overview 25
  Restoring Settings 25
  Centrally Managing the Configuration File 25
  Parameters in the Configuration File 26
  Migrating Secure Configuration Verification 27
Multiple Entry Point (MEP) 28
  MEP or Roaming 28
  Configuring Entry Point Choice 28
  Defining MEP Method 29
  Implicit MEP 30
    Configuring Implicit First to Respond 30
    Configuring Implicit Primary-Backup 30
    Configuring Implicit Load Distribution 31
  Manual MEP 32
  Making a Desktop Rule for MEP 32
Differences between SecureClient and Endpoint Security VPN CLI 33

Page 5
Chapter 1: Introduction to Endpoint Security VPN

Endpoint Security VPN is a lightweight remote access client for seamless, secure IPSec VPN connectivity to remote resources. It authenticates the parties and encrypts the data that passes between them. Endpoint Security VPN is intended to replace the current Check Point remote access client: SecureClient.

Note - You can install Endpoint Security VPN on several Linux/Unix-based platforms as well as Microsoft Windows platforms. The procedures included in this document use the Linux/Unix environment variable convention ($FWDIR). If you are using a Windows platform, substitute %FWDIR% for the environment variable in the applicable procedures.

In This Chapter
Using Different Management Servers 5
Why You Should Upgrade to Endpoint Security VPN 5
Before Upgrading to Endpoint Security VPN 6

Using Different Management Servers
Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN. The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have. This guide is for the NGX R65 SmartCenter server.
• If you have the R70.40 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11131).
• If you have the R71 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75 on R71 Security Management (http://supportcontent.checkpoint.com/documentation_download?ID=11132).
Why You Should Upgrade to Endpoint Security VPN
Check Point recommends that all customers upgrade from SecureClient to Endpoint Security VPN as soon as possible, to have these enhancements.
• Automatic and transparent upgrades, with no administrator privileges required
• Supports 32-bit and 64-bit, Windows Vista and Windows 7
• Uses less memory resources than SecureClient
• Automatic disconnect/reconnect as clients move in and out of the network
• Seamless connection experience while roaming
• Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
• Supports many additional new features
• Does not require a SmartCenter server upgrade
• Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period

Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Endpoint Security VPN
Before upgrading, consider these issues.

System Requirements
Management Server and Gateway:
Note - See the Release Notes of the specific Check Point version for supported versions of different platforms.
• All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in.
• All supported platforms for R70.40.
Notes - Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You can install the Endpoint Security VPN package on multiple gateways and must install it on the server to enable MEP. The server and gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Endpoint Security VPN. Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.

Clients:
Endpoint Security VPN R75 can be installed on these platforms:
• Microsoft Windows XP 32 bit SP2, SP3
• Microsoft Windows Vista 32 bit and 64 bit SP1
• Microsoft Windows 7 Home Edition 32 bit and 64 bit
• Microsoft Windows 7 Home Premium 32 bit and 64 bit
• Microsoft Windows 7 Pro 32 bit and 64 bit
• Microsoft Windows 7 Ultimate 32 bit and 64 bit
• Microsoft Windows 7 Enterprise 32 bit and 64 bit

New Endpoint Security VPN Features
Feature: Description
• Hotspot Detection and Registration (Exclusion for Policy): Automatically detects hotspots that prevent the client system from establishing a VPN tunnel; opens a mini-browser to allow the user to register to the hotspot and connect to the VPN gateway; firewall support for hotspots
• Automatic Connectivity Detection: Automatically detects whether the client is connected to the Internet or LAN
• Automatic Certificate Renewal in CLI Mode: Supports automatic certificate renewal, including in CLI mode
• Location Awareness: Automatically determines if the client is inside or outside the enterprise network
• Roaming: Maintains the VPN tunnel if the client disconnects and reconnects using different network interfaces
• Automatic and Transparent Upgrade Without Administrator Privileges: Updates the client system securely and without user intervention
• Windows Vista / Windows 7 64 Bit Support: Supports the latest 32-bit and 64-bit Windows operating systems
• Automatic Site Detection: During first time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.
• Geo Clusters: Connect the client system to the closest VPN gateway based on location. For more information on geo clusters, see sk43107 (http://supportcontent.checkpoint.com/solutions?id=sk43107).
• Machine Idleness: Disconnect the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.
• Flush DNS Cache: Remove previous DNS entries from the DNS cache when creating the VPN tunnel

SecureClient Features Supported in Endpoint Security VPN
Feature: Description
• Authentication Methods: Username/Password; Certificate; SecurID (passcode, softID, key fobs); Challenge Response
• Cached Credentials: Cache credentials for user login
• NAT-T/Visitor Mode: Let users connect from any location, such as a hotel, airport, or branch office
• Multiple Entry Point (MEP): VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A).
• Pre-Configured Client Packaging: Predefined client installation package with configurations for easy provisioning
• Office Mode: Internal IP address for remote access VPN users
• Compliance Policy - Secure Configuration Verification (SCV): Verifies client system policy compliance before allowing remote access to the internal network
• Proxy Detect / Replace: Detect proxy settings in client system web browsers for seamless connectivity
• Route All Traffic: Send all traffic from the client system through the VPN gateway
• Localization: Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, Spanish
• Certificate Enrollment / Renewal: Automatic enrollment and renewal of certificates issued by the Check Point Internal CA server
• CLI and API Support: Manage the client with third party software
• Tunnel Idleness: Disconnect the VPN if there is no traffic for a specified duration
• Dialup: Support dialup connections
• Disconnect On Smart Card Removal: Disconnect the VPN if a Smart Card is removed from the client system
• Re-authentication: After a specified duration, the user is asked for re-authentication
• Keep-alive: Send keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel
• Check Gateway Certificate in CRL: Validate the VPN gateway certificate in the CRL list
• Desktop Firewall Configured from SmartDashboard Desktop Policy: Personal firewall integrated into the client, managed with the SmartDashboard desktop policy
• Configuration File Corruption Recovery: Recover corrupted configuration files
• Secure Domain Logon (SDL): Establish the VPN tunnel prior to user login
• Desktop Firewall Logs in SmartView Tracker: Desktop firewall logs are displayed in SmartView Tracker
• End-user Configuration Lock: Prevent users from changing the client configuration
• Update Dynamic DNS with the Office Mode IP: Assign an internal IP address for remote access VPN users in the Dynamic DNS
• Secure Authentication API (SAA): Integrate with third party authentication providers
• SmartView Monitor: Monitor VPN tunnel and user statistics with SmartView Monitor
• Post Connect Script: Execute manual scripts before and after the VPN tunnel is established

SecureClient Features Not Yet Supported
Currently, these features of SecureClient are not supported by Endpoint Security VPN. Many of these features are expected to be supported in the next release.
Feature: Description
• Single Sign-on (SSO): One set of credentials to log in to both the VPN and the Windows operating system
• "Suggest Connect" Mode (Auto Connect): Create the VPN tunnel when the client generates traffic to the VPN domain resources
• Entrust Entelligence Support: Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption
• Diagnostic Tools: Tools for viewing logs and alerts
• Compression: Compress IPSec traffic
• VPN Connectivity to VPN-1 VSX: Terminate the VPN tunnel at Check Point VSX gateways
• DNS Splitting: Support multiple DNS servers
• "No Office Mode" Connect Mode: Connect to the VPN gateway without requiring Office Mode
• Pre-shared secret: Authentication method that uses a pre-shared secret
• Link Selection: Multiple interface support with redundancy
• Secondary Connect (Including Fast Failover): Connect to multiple VPN gateways simultaneously and establish VPN tunnels to all resources located behind each VPN gateway
• DHCP Automatic Lease Renewal: Automatically renew IP addresses obtained from DHCP servers

Page 10
Chapter 2: Configuring Gateways to Support Endpoint Security VPN

In This Chapter
Installing Hotfix on Gateways 10
Configuring SmartDashboard 11
Supporting Endpoint Security VPN and SecureClient Simultaneously 14
Troubleshooting Dual Support 17

Installing Hotfix on Gateways
To run Endpoint Security VPN and SecureClient simultaneously on client systems, install the hotfix on production gateways or on a standalone, self-managed gateway. To use the Implicit MEP feature, you must install the hotfix on the SmartCenter server. If you do not need this feature, the hotfix does not have to be installed on the server (only on the gateways).

Important: Before You Begin -
• If you choose to install the hotfix on a new dedicated gateway in the production environment, managed by the same management server as the rest of the RA gateways, this gateway will also be added to the topology used by SecureClient clients. This may cause them to connect to the new gateway. Thus, you must make sure the configuration is valid and that resources set by the encryption domain on this gateway are indeed accessible.
• If you have clients that use a pre-shared secret to authenticate, you must give the users a different authentication method, one that is supported by Endpoint Security VPN.

To install the hotfix on a Gateway:
1. Download the hotfix from the Check Point Support Center (http://supportcenter.checkpoint.com).
2. Copy the hotfix package to the gateway.
3. Run the hotfix:
   • On SecurePlatform:

     [admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz
     [admin@gateway ~/hf]$ ./fw1_HOTFIX_ENFI_HFA_EVE2_620631013_1
     Do you want to proceed with installation of Check Point fw1 NGX R65 Support ENFI_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on this computer?
     If you choose to proceed, installation will perform CPSTOP.
     (y-yes, else no):y

   • On Windows, double-click the installation file and follow the instructions.
4. If WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint Security VPN will not be able to connect.
5. Reboot the Gateway.

[...]

... encryption domains of all other gateways and that all gateways provide connectivity to the same resources.

To configure gateways to manage both clients:
1. On the Desktop tab, add this rule to ensure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:
   • UDP 18231

[...]

Supporting Endpoint Security VPN and SecureClient Simultaneously
... Access > VPN - Advanced.
4. Select Sent in clear.
5. If secure configuration verification (SCV) is configured, add an exception for Endpoint Security VPN:
   a) Open Remote Access > Secure Configuration Verification (SCV).
   b) Select Apply Secure Configuration Verification on Simplified ...
[...]

... Connect to.
2. In the Site drop-down, select New Site. The Site Wizard opens.

Connecting to a Site
You might have to help users connect to the VPN. The Endpoint Security VPN client lets users connect to sites, where the site is the VPN gateway.

To connect to a site:
1. Right-click the client icon and select Connect or Connect to. A site connection window opens.
   • This window has authentication fields according to ...

[...]

• Uninstall the SecureClient program from Start > Programs.
• To remotely uninstall SecureClient with a script, run UninstallSecureClient.exe from the SecureClient installation directory.

Chapter 3: Installing and Configuring Endpoint Security VPN on Client Systems

In This Chapter
Installing Endpoint Security VPN on Client Systems
Client Icon
Helping ...

[...]

... configuration file installed on the gateway for Endpoint Security VPN. This is important, because if you do not install Endpoint Security VPN on the SmartCenter server, the server will have an outdated configuration file that does not support new features.

To centrally manage the configuration file:
1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.

[...]

Parameters in the Configuration ...
• automatic_mep_topology (true)

Configuring Implicit First to Respond
When more than one Gateway leads to the same (overlapping) VPN domain, they are in a MEP configuration. The first Gateway to respond is chosen. To configure first to respond, define that part of the network that is shared by all the Gateways into a single group and assign that group as the VPN domain.

To configure First to Respond MEP: ...

[...]

... Simplified mode.
   c) Click Exceptions. The Secure Configuration Verification Exceptions window opens.
   d) Select Do not apply Secure Configuration Verification on SSL clients connections.
   e) Click OK.
6. Click OK.
7. Do Policy > Install.

Troubleshooting Dual Support
Suggest Connect Mode: Users can disable the Suggest Connect option in SecureClient clients. If ...

[...]

... the topology and configuration of gateways that are in fully overlapping encryption domains or that have Primary-Backup gateways.
• Manual - You can edit the list of MEP Gateways in the Endpoint Security VPN TTM file.
Whichever you choose, you must set the Endpoint Security VPN configuration file to identify the configuration.

To define MEP topology:
1. Open the $FWDIR/conf/trac_client_1.ttm configuration ...

[...]

... not have to apply for new credentials to a site they have been using.
   c) Click Generate to create the MSI package. A window opens to prompt for a location to save the generated package.
9. Distribute this package to Endpoint Security VPN users.

Chapter 4: The Configuration File

In This Chapter
Configuration File Overview
Restoring Settings ...

[...]

... authentication method.
   • If you selected Connect to, you can select the site to which you would like to connect.
2. Enter credentials, and click Connect. A connection progress window opens. Wait until the connection is made.

Pre-Configuring Proxy Settings
Note - Remote-location proxy-server settings are usually detected automatically. If a user is at a remote site that has a proxy server, the Endpoint Security VPN ...

Posted: 08/08/2014, 06:20