The Endpoint Security VPN for Mac E75.01 file is a disk image containing the client installation. To access the lab: 1) Download the Check Point Endpoint Security VPN Client. Download Endpoint Security VPN E75.01 for Mac: EPS_VPN_Mac_E75.dmg.

Endpoint Security VPN for Windows 32-bit/64-bit E75.10 User Guide
14 March 2011
© 2011 Check Point Software Technologies Ltd. All rights reserved.

Chapter 1 Introduction to Remote Access Clients

Remote Access Clients E75.10 are lightweight remote access clients for seamless, secure IPSec VPN connectivity to remote resources. They authenticate the parties and encrypt the data that passes between them.

Remote Access Clients E75.10 are intended to replace the current Check Point remote access clients: SecureClient NGX, Endpoint Connect NGX, and SecuRemote client NGX.

The clients offered in this release are:
Endpoint Security VPN - Replaces SecureClient and Endpoint Connect.
Check Point Mobile for Windows - New Remote Access Client.
SecuRemote - Replaces SecuRemote client NGX.

In This Chapter: Client Platforms; The Installation Process; Receiving an Automatic Upgrade

Client Platforms

You can install this version of Remote Access Clients on several Windows platforms:
Microsoft Windows XP 32 bit SP2, SP3
Microsoft Windows Vista 32 bit and 64 bit SP1
Microsoft Windows 7, all editions 32 bit and 64 bit

The Installation Process

Important - To install a Remote Access client on any version of Windows, you need Administrator permissions. Consult with your system administrator.

To install a Remote Access client:
1. Log in to Windows with a user name that has Administrator permissions.
2. Get the installation package from your system administrator, and double-click the installation package.
3. Follow the installation wizard.
Note - On Windows Vista and Windows 7, there may be a prompt to allow access, depending on the UAC settings.
If your administrator did not include a specified Remote Access client in the installation package, you are prompted to choose a product to install. Your administrator might have instructed you which client to install. The options are:
Endpoint Security VPN
Check Point Mobile for Windows
SecuRemote
After installation, the Client icon appears in the system tray notification area.
4. Double-click the Client icon. If you are prompted to define a site, make a site with the IP address that your system administrator gave you.

Receiving an Automatic Upgrade

If you have a Check Point VPN Client, when you connect to a site you might receive an automatic upgrade to the latest version of Remote Access Clients. Follow instructions to complete the upgrade. Depending on the settings set by your administrator, you might not need to do anything. When you open your client from the client icon, you will see that it has a new name and looks different.

Chapter 2 Getting Started

In This Chapter: Defining a Site; Basic Operations; Connect Window; Client Icon; Understanding the Firewall; Compliance

Defining a Site

You need at least one site to connect to a VPN. If your system administrator pre-configured the client package, you can connect to the VPN site immediately. If not, you must define the site.
Before you begin, make sure you know how you will authenticate to the VPN and that you have the credentials (password, certificate file, or whatever the system administrator says you need). Also, you may need the gateway fingerprint, to verify that the client is connecting to the correct gateway. You should get this from your system administrator.

To define a site:
1. Right-click the client icon and select VPN Options. The Options window opens. The first time you open the window, no sites are listed.
2. On the Sites tab, click New. The Site Wizard opens.
3. Enter the name or IP address of the Security Gateway and click Next. It may take a few minutes for the Client to identify the site name.
After resolving the site, a security warning may open: "The site's security certificate is not trusted! While verifying the site's certificate, the following possible security risks were discovered:"
4. Ask your system administrator for the fingerprint of the server. If the server fingerprint matches the fingerprint in the warning message, you can click Trust and Continue. Otherwise, consult with your system administrator. The Authentication Method window opens.
5. Select an authentication method according to your system administrator's instructions.
6. Click Next and follow the instructions to enter your authentication materials. If you selected Secure Authentication API (SAA), an SAA window opens to select the type of SAA and a DLL file to use. See Secure Authentication API (SAA).
7. Click Finish. The client offers to connect you to the newly created site.
8. Click Yes to connect to the site, or No to save the site details and connect later.

Basic Operations

Right-click the Client icon in the system tray to access basic operations. (Not all options appear for every client status and configuration.)

To quick connect to last active site, double-click the Client icon.
To access other basic operations, right-click the Client icon and select an option.

Option - Function
Connect - Opens the main connection window, with the last active site selected. If you authenticate with a certificate, the client immediately connects to the selected site.
Connect to - Opens the main connection window.
VPN Options - Opens the Options window to set a proxy server, choose interface language, enable Secure Domain Logon, collect logs, and select a DLL file for SAA Authentication.
Register to Hotspot - Lets you bypass the firewall to register to a hotspot. After you click this option, open a browser. It will open to the hotspot registration page.
Show Compliance Report - See if your computer is compliant with the Security Policy, and if not, why not and how to fix the issue.
Show Client - Open the Client overview.
Shutdown Client - Closes the Client and the VPN connection.

You can also access most of these options from the Client Overview.

Connect Window

In the Connect window, you provide authentication to connect to the VPN.
If you have a Certificate, browse to the certificate file and provide the password.
If you use SecurID, enter your PIN or passcode. If you get a key in response, copy it.
If you use Username and Password, enter your username and password.
If you use Challenge Response, provide the first key. When the challenge comes, provide the response.
If you use SAA, click Connect and a new window opens for authentication.

Client Icon

The Client icon in the system tray notification area shows the status of Remote Access Clients. The icon shows one of these statuses:
Disconnected
Connecting
Connected
Encryption (encrypted data is being sent or received on the VPN)
There is an issue that requires users to take action.
You can also hover your mouse on the icon to show the client status.

Understanding the Firewall

When Endpoint Security VPN is installed on your computer, it includes a firewall. The firewall examines all network traffic that comes to your computer and asks:
Where did the traffic come from and where is it addressed to?
Do the firewall rules allow traffic to that address?
Does the traffic violate global rules?
Based on the answers to these questions, traffic is allowed or blocked. The administrator sets the policies and rules that control what traffic the firewall allows.

Disabling the Firewall

Your administrator can give you the option to disable the firewall on your computer. If you do have this option, when you right-click the Endpoint Security VPN icon in the system tray, one of the choices is Disable Security Policy. If you select this, the firewall is disabled. Depending on the compliance settings, you might not be able to connect to the VPN if your firewall is disabled.

If the firewall is disabled, the option Enable Security Policy shows in the right-click menu of the Client icon. Select this to enable the firewall.

Compliance

Your administrator can configure checks for your computer or device to make sure it is compliant before you connect to the VPN site. Some examples of what these checks can include are:
If your Operating System is supported.
If you are logged in correctly.
If you have an updated Anti-virus client.

Your computer must be compliant with all checks to access the VPN. If your computer is not compliant, the Client icon changes to show it. If your computer is found to be non-compliant based on one check, you cannot access the VPN. In the Client Overview window, it shows that you are not compliant and a message opens. If your computer does not comply based on multiple factors, you can see multiple messages. Follow the instructions in the message to make your computer compliant. If you have questions, contact your administrator.

You can see a compliance report that shows if your computer is compliant with the Security Policy, and if not, how to fix the issue. To get a compliance report, right-click the Client icon in the system tray and select Show Compliance Report.

The compliance check always works in the background, if you are connected to the VPN or not.
At any time it can report that your computer has failed a check and is not compliant.

Chapter 3 Setting up a Remote Access Client

In This Chapter: Configuring Proxy Settings; Configuring VPN; Changing the Site Authentication Scheme

Configuring Proxy Settings

If you are at a remote site which has a proxy server, the client must be configured to pass through the proxy server. Usually the client can detect proxy settings automatically. If not, you can configure it.

Before you begin, get the IP address of the proxy server from the local system administrator. Find out if the proxy needs a user name and password.

To configure proxy settings:
1. Right-click the Client icon and select VPN Options. The Options window opens.
2. Open the Advanced tab.
3. Click Proxy Settings. The Proxy Settings window opens.
4. Select an option.
No Proxy - Make a direct connection to the VPN.
Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer Tools > Internet options > Connections > LAN Settings.
Manually define proxy - Enter the IP address and port number of the proxy. If required, enter a valid user name and password for the proxy.

Configuring VPN

You may have the option to go through the VPN for all your Internet traffic.
This is more secure.

To configure VPN Tunneling:
1. Right-click the Client icon and select VPN Options. The Options window opens.
2. On the Sites tab, select the site to which you want to connect, and click Properties. The Properties window for the site opens.
3. Open the Settings tab.
4. In VPN tunneling, click Encrypt all traffic and route to gateway.
Note - In SecuRemote, this option is disabled. If this option is disabled in Endpoint Security VPN or Check Point Mobile for Windows, consult your system administrator.

Changing the Site Authentication Scheme

If you have the option from your system administrator, you can change the way that you authenticate to the VPN.

To change the client authentication scheme for a specific site:
1. Right-click the Client icon and select VPN Options. The Options window opens.
2. On the Sites tab, select the relevant site and click Properties. The Properties window for the site opens.
3. On the Settings tab, select the appropriate Authentication Scheme drop-down menu option:
Username and password
Certificate - CAPI
Certificate - P12
SecurID - KeyFob
SecurID - PinPad
SecurID Software Token
Challenge Response
SAA - Username and Password
SAA - Challenge Response

Certificate Enrollment and Renewal

You can import a certificate to the CAPI store or save it to a folder of your choice.
Before you enroll a certificate, make sure you have the registration key from the system administrator. Ask the system administrator whether you should use CAPI (if so, ask for the provider name) or P12.

To enroll a certificate:
1. Right-click the Client icon in the system tray, and select VPN Options.
2. On the Sites tab, select the site from which you want to enroll a certificate and click Properties. The site Properties window opens.
3. Select the Settings tab.
4. Choose an Authentication Method (Certificate - CAPI or Certificate - P12), and click Enroll.
CAPI: In the window that opens, select the provider.
P12: In the window that opens, enter a new password for the certificate and confirm it.
5. Enter the Registration Key that your administrator sent you.
6. Click Enroll.

Your system administrator may tell you to renew your certificate, or you see a message that the certificate expired.

To renew a certificate:
1. In the Settings tab > Method, select either Certificate - CAPI or Certificate - P12.
2. Click Renew.
3. In the window that opens, select your certificate type:
CAPI: select the certificate from the list.
P12: browse to the P12 file and enter the password.

Importing a Certificate into the CAPI Store

Before you can use the certificate to authenticate your computer, you must get:
The certificate file.
The password for the file.
The name of the site (each certificate is valid for one site).

If the system administrator said to save the certificate on the computer, import it to the CAPI store. (Otherwise, the administrator will give you the certificate file on a USB or other removable media. Make sure you get the password.)

To import a certificate file to the CAPI store:
1. Right-click the client tray icon, and select VPN Options.
2. On the Sites tab, select the site and click Properties.
3. Open the Settings tab.
4. Make sure that Certificate - CAPI is selected in the Method list.
5. Click Import.
6. Browse to the P12 file.
7. Enter the certificate password and click Import.

Authenticating with Certificate File

If Certificate P12 is used, browse to the P12 file to authenticate.

To authenticate with a P12 file:
1. Configure the client to use Certificate P12 for authentication.
2. Connect to the site. The connection dialog opens.
3. In the Certificate File area, browse to the P12 file.
4. Enter the certificate password.
5. Click Connect.
Note - If Always-Connect is on, the Client asks for the certificate password if a secure connection is lost. You do not have to browse to the certificate file again.

SecurID

RSA SecurID authentication uses hardware (Key Fob or PINPad) or software (softid) that generates an authentication code at fixed intervals (usually one minute), with a built-in clock and an encoded random key. The Client uses both the PIN and tokencode, or just the passcode, to authenticate to the Security Gateway.

The most common form of SecurID token is the hand-held device, usually a Key Fob or PINPad. With PINPad, you enter a personal identification number (PIN), to generate a passcode that you can use for the client. When the token does not have a PINPad, a tokencode is displayed. A tokencode is the changing number displayed on the Key Fob. If Key Fob is the authentication method, you enter the PIN and the tokencode separately.

SoftID operates the same way as a passcode device, but consists only of software that sits on the desktop. You can use it as a simple Key Fob and copy the token code. Or, you can set the authentication method to SecurID Software Token, and the client will take the token code automatically.
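
Added example, not part of the Check Point guide and not RSA's algorithm: the guide does not describe how SecurID derives its codes, so this code substitutes the public HMAC construction from RFC 4226/6238 to show a tokencode computed from a clock and a seed at one-minute intervals, the PIN plus tokencode forming the passcode, and a verifier that tolerates clock drift and refuses a replayed code. The names tokencode, passcode and Verifier, the six-digit length, and the sample seed, PIN and timestamp are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the guide's "fixed intervals (usually one minute)"
DIGITS = 6         # assumed tokencode length


def tokencode(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Code shown by the token for the interval that contains `now`."""
    counter = int(now // step)  # built-in clock, quantised to one interval
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def passcode(pin: str, seed: bytes, now: float) -> str:
    """Key Fob case: the user's PIN followed by the displayed tokencode."""
    return pin + tokencode(seed, now)


class Verifier:
    """Server side: shares the seed, knows the PIN, tolerates clock drift."""

    def __init__(self, seed: bytes, pin: str, drift_steps: int = 1):
        self.seed = seed
        self.pin = pin
        self.drift_steps = drift_steps
        self.last_counter = -1  # newest interval already accepted

    def check(self, submitted: str, now: float) -> bool:
        current = int(now // STEP_SECONDS)
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # each interval's code is accepted once: no replay
            expected = self.pin + tokencode(self.seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed seed (RFC 4226 test key)
    pin = "4821"                    # constructed PIN
    now = 1_300_000_000             # constructed timestamp
    server = Verifier(seed, pin)
    code = passcode(pin, seed, now)
    print("first use:", server.check(code, now))
    print("replayed :", server.check(code, now + 5))
    print("stale    :", server.check(passcode(pin, seed, now - 600), now + 60))
```

The drift window is why a code copied from a token is still accepted shortly after the display changes, and the replay check is why the same code cannot be submitted twice.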

Challenge-Response

Challenge-response is an authentication protocol in which one party provides the first string (the challenge), and the other party verifies it with the next string (the response). For authentication to take place, the response is validated.

Secure Authentication API (SAA)

Secure Authentication API (SAA) lets you use third-party authentication technologies with your Remote Access client. To work, it requires a DLL file that is installed on your client.

If your administrator instructs you to select Secure Authentication API (SAA) as the authentication method when you create a site, you need this information:
The type of SAA authentication that you must select - one of these:
Username and Password - Users enter a username and password.
Challenge Response - Users enter a response to a challenge.
You might need a DLL file. If your administrator already configured this, then you do not need it.
Note - Only users with administrator permissions can replace the DLL.

If you select SAA as the authentication in the site wizard, a new page opens where you select the type of SAA authentication and a DLL file, if required.

Replacing the SAA DLL File

Your administrator might instruct you to replace the DLL file on your client.
Note - Only users with administrator permissions can replace the DLL.

To replace the local DLL file:
1. Right-click the client icon and select Options.
2. In the Advanced tab, next to Use a Secure Authentication API File, browse to select the new DLL file. This file is used for SAA authentication.

Connecting to a Site with SAA

Usually, when you connect to a site, a login window opens and you enter your authentication information directly in that window. If SAA is the authentication method for the site, there are no fields for authentication information in the login window. You must click the Connect button in the window and a new window opens for authentication information.

Collecting Logs

If your system administrator or help desk asks for logs to troubleshoot issues, you can collect the logs from your client.

To collect logs:
1. Right-click the Client icon and select VPN Options.
2. Open the Advanced tab.
3. Click Enable Logging.
4. Reproduce the problem.
5. Click Collect Logs.
Note - The logs are saved to %TEMP%\trac\trlogs_timestamp.cab. It opens after the logs are collected. This folder is sometimes hidden. If you need to locate this folder, in Control Panel > Folder Options > View, select Show hidden files and folders.

Secure Domain Logon

If the system administrator says that you should use SDL, you can configure your client in this way.

To enable SDL on a client:
1. Right-click the Client icon and select VPN Options.
2. In Options > Advanced, select Enable Secure Domain Logon (SDL).
3. Restart the computer and log in.