14 July 2015

Remote Access Clients for Windows
E80.61

Release Notes
Classification: [Protected]
© 2015 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Check Point E80.61


For more about this release, see the E80.61 home page
(http://supportcontent.checkpoint.com/solutions?id=sk105123).

Latest Version of this Document
Download the latest version of this document
http://supportcontent.checkpoint.com/documentation_download?ID=40524.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:[email protected]?subject=Feedback on Remote Access
Clients for Windows E80.61 Release Notes).

Revision History
Date             Description
14 July 2015     Updated build number for the release ("Build Numbers" on page 9)
31 March 2015    First release of this document


Contents
Important Information
Introduction
What's New
Remote Access Clients Comparison
Remote Access Client Upgrades
Build Numbers
Remote Access VPN Requirements
    Security Management Server and Security Gateway Requirements
    Client Requirements
    ATM Client Hardware Requirements
    Additional Requirements
Configuring Password Complexity Requirements
Remote Access Client Installation for Windows
Upgrading SmartDashboard-Managed Clients
Installing the Remote Access Clients Hotfix
    Uninstalling this Hotfix
Known Limitations and Resolved Issues

Introduction
Check Point offers multiple enterprise-grade VPN clients to fit a wide variety of organizational
needs. The Remote Access VPN stand-alone clients provide a simple and secure way for
endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel,
and are all SmartDashboard-managed.
These are the stand-alone clients offered in this release:
• Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single
  client. It is recommended for managed endpoints that require a simple and transparent
  remote access experience together with desktop firewall rules.
• Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to
  corporate resources. Together with the Capsule Workspace clients for iPhone and Android,
  and the Check Point SSL VPN portal, this client offers a simple experience that is primarily
  targeted for non-managed machines.
• SecuRemote - A secure, yet limited-function IPsec VPN client, primarily targeted for small
  organizations that require very few remote access clients.
See Remote Access Clients Comparison (on page 6) for a detailed feature comparison.
Endpoint Security VPN is also the Remote Access VPN client in the Endpoint Security Suite.

We recommend that you read this document before installing E80.61 Remote Access clients.

What's New
New in this release:
• Improved stability, and bug fixes.
• Configure password complexity requirements in the VPN Configuration Utility.

Remote Access Clients for Windows Release Notes E80.61 | 5


Remote Access Clients Comparison

Table columns: Feature; Endpoint Security VPN for Windows; Check Point Mobile for Windows;
SecuRemote; Endpoint Security VPN for Mac; Description.

Feature: Client Purpose
  Endpoint Security VPN for Windows: Secure connectivity with desktop firewall & compliance checks
  Check Point Mobile for Windows:    Secure connectivity & compliance checks
  SecuRemote:                        Basic secure connectivity
  Endpoint Security VPN for Mac:     Secure connectivity with desktop firewall

Feature: Replaces Client
  Endpoint Security VPN for Windows: SecureClient NGX R60, Endpoint Connect R73
  Check Point Mobile for Windows:    Endpoint Connect R73
  SecuRemote:                        SecuRemote NGX R60
  Endpoint Security VPN for Mac:     SecureClient for Mac

Feature: IPSEC VPN Tunnel
  Description: All traffic travels through a secure VPN tunnel.

Feature: Security Compliance Check (SCV)
  Description: Monitor remote computers to confirm that the configuration complies with
  the organization's security policy.

Feature: Integrated Desktop Firewall
  Description: Integrated endpoint firewall centrally managed from a Security Management Server.

Feature: Split Tunneling
  Description: Encrypt only traffic targeted to the VPN tunnel.

Feature: Hub Mode
  Description: Pass all connections through the gateway.

Feature: Dynamic Optimization of Connection Method
  Description: When NAT-T connectivity is not possible, automatically connect over TCP port 443
  (HTTPS port).

Feature: Multi Entry Point (MEP)
  Client cell text: Manual only
  Description: Client seamlessly connects to an alternative site when the primary site is
  not available.

Feature: Secondary Connect
  Description: End-users can connect once and get transparent access to resources, regardless
  of their location.

Feature: Office Mode IP
  Description: Each VPN client is assigned an IP from the internal office network.

Feature: Back Connection Protocols
  Description: Support protocols where the client sends its IP to the server and the server
  initiates a connection back to the client using the IP it receives. These protocols include:
  Active FTP, X11, some VoIP protocols.

Feature: Auto Connect and Location Awareness
  Description: Intelligently detect if the user is outside the internal office network, and
  automatically connect as required. If the client senses that it is inside the internal
  network, the VPN connection is terminated.

Feature: Roaming
  Description: Tunnel and connections remain active while roaming between networks.

Feature: Always Connected
  Description: VPN connection is established whenever the client exits the internal network.

Feature: Secure Domain Logon (SDL)
  Description: VPN tunnel and domain connectivity is established as part of Windows login,
  allowing GPO and install scripts to execute on remote machines.

Feature: Split DNS
  Description: Resolves internal names with the SecuRemote DNS Server configuration.

Feature: Hotspot Detection and Registration
  Client cell text: Detection only
  Description: Makes it easier for users to find and register with hot spots to connect to
  the VPN through local portals (such as in hotels or airports).

Feature: Secure Authentication API (SAA)
  Description: Allows third-party extensions to the standard authentication schemes. This
  includes 3-factor and biometrics authentication.

Feature: Required Licenses
  Endpoint Security VPN for Windows: On Gateway: IPsec VPN Blade. On Management: Endpoint
                                     Container & Endpoint VPN Blade for all installed endpoints
  Check Point Mobile for Windows:    IPsec VPN Blade and Mobile Access Blade (based on
                                     concurrent connections)
  SecuRemote:                        On Gateway: IPsec VPN Blade for an unlimited number of
                                     connections
  Endpoint Security VPN for Mac:     On Gateway: IPsec VPN Blade. On Management: Endpoint
                                     Container & Endpoint VPN Blade for all installed endpoints

Remote Access Client Upgrades


These upgrade paths are available for Remote Access VPN clients:

From: Endpoint Connect R73.x, E75.x, or E80.x Remote Access Clients, SmartDashboard-managed
To:   E80.61 SmartEndpoint-managed Remote Access VPN
See:  Upgrading Endpoint Security Clients in Endpoint Security E80.61 Administration Guide
      (http://supportcontent.checkpoint.com/solutions?id=sk105123)

From: Endpoint Connect R73.x, E75.x, or E80.x Remote Access Clients, SmartDashboard-managed
      clients
To:   E80.61 SmartDashboard-managed Remote Access VPN
See:  See Upgrading SmartDashboard-Managed Clients (on page 11)

From: E80.4x or higher Endpoint Security suite with or without Remote Access VPN
To:   E80.61 SmartEndpoint-managed Remote Access VPN
See:  Upgrading Endpoint Security Clients in Endpoint Security E80.61 Administration Guide
      (http://supportcontent.checkpoint.com/solutions?id=sk105123)

• SmartEndpoint-managed Remote Access VPN clients are part of the Endpoint Security Suite.
• SmartDashboard-managed Remote Access VPN clients are standalone, without the Endpoint
  Security Suite.
For upgrades from SecureClient see the Upgrading to Remote Access VPN Clients from
SecureClient Guide http://supportcontent.checkpoint.com/documentation_download?ID=24854.

Build Numbers
The build number for this release is: 986000320

Remote Access VPN Requirements


Security Management Server and Security Gateway Requirements
For the most up-to-date list of supported operating systems, server and gateway requirements,
see sk67820 http://supportcontent.checkpoint.com/solutions?id=sk67820.
Remote Access VPN requires a supported gateway version. If you use Automatic MEP, the Security
Management Server or Multi-Domain Server must also be supported, with the required hotfixes.
For Security Management Servers and gateways of versions earlier than R70.50, R71.50, or
R75.40, you must install the Remote Access Hotfix.

Client Requirements
Remote Access Clients E80.61 can be installed on these Windows platforms:

Windows Version                 Editions                                                   Architecture
8.1 with or without Update 1    Enterprise, Pro                                            32/64 bit BIOS/UEFI
8                               Enterprise, Pro                                            32/64 bit BIOS/UEFI
7                               Enterprise, Professional, Ultimate, with or without SP1    32/64 bit
Vista                           Enterprise, Professional, SP1 or higher                    32/64 bit
XP                              Professional, SP3                                          32-bit
ATM Client Hardware Requirements


These are the minimum hardware requirements for client computers that run the
SmartDashboard-based Endpoint Security VPN ATM package.

Component          Minimum Requirement
Memory             256 MB RAM
Free disk space    500 MB
CPU                Intel® Pentium® 4 CPU 3.20 GHz or equivalent

Additional Requirements
• To enable Secondary Connect, see the requirements in sk65312
  http://supportcontent.checkpoint.com/solutions?id=sk65312.
• To enable automatic, implicit MEP (Multiple Entry Points), you must install the Remote Access
  Clients Hotfix on the Security Management Server and on all Security Gateways. This
  procedure is not necessary for manual MEP.
• The Security Management Server and Security Gateway can be installed on open servers or
  appliances. On UTM-1 appliances, you cannot use the WebUI to install Remote Access Clients.
• Remote Access Clients cannot be installed on the same device as Check Point Endpoint
  Security R73 or R80. If ZoneAlarm is installed on a device, you can install Check Point Mobile
  for Windows and SecuRemote but not Endpoint Security VPN.
• All Security Gateways used as primary MEP connections must support this release, with the
  Remote Access Clients Hotfix installed. NGX R65.70 Security Gateways must be managed by
  NGX R65.70 Security Management Servers. The servers must also have the Remote Access
  Clients Hotfix installed.

Configuring Password Complexity Requirements
Configure password complexity requirements in the trac.defaults file and add it to a package
with the VPN Configuration Utility.
The parameters below are in the trac.defaults file. To require one or more of the parameters,
change the value from 0 to the number of instances required in the password.

Parameter                              Description
min_P12_password_lower_case            Minimum number of lower case letters in the password
min_P12_password_upper_case            Minimum number of upper case letters in the password
min_P12_password_numbers               Minimum number of digits in the password
min_P12_password_special_characters    Minimum number of special characters in the password
                                       Characters can be: !, ", $, &, \ ,, #, +, ,-, ., /, :, ;, <, =, >, ?,
                                       @, [ , \\, ], ^, _, `, {, |, }, ~

See the E80.60 Remote Access Clients Administration Guide for more information on the VPN
Configuration Utility.

Remote Access Client Installation for Windows
You can create packages of the Remote Access Clients with pre-defined settings, such as which
client to install, a VPN site and authentication methods. When you deploy the package to users, it
is easier for them to connect quickly.
See the Remote Access Clients E80.60 Administration Guide for how to create deployment
packages.

To install a Remote Access client:


1. Download the Windows Remote Access Clients E80.61 MSI file
(http://supportcontent.checkpoint.com/solutions?id=sk105123).
2. Double-click the MSI and follow the on-screen instructions.

Upgrading SmartDashboard-Managed Clients
Get all files from the Endpoint Security Client E80.61 homepage
(http://supportcontent.checkpoint.com/solutions?id=sk105123).
To automatically update clients to this release of Remote Access Clients or a future release,
upgrade the client package on the gateway. Then all clients receive the new package when they
next connect.
If you have a gateway version that requires the Remote Access Clients Hotfix, make sure that the
Hotfix is installed before you put an upgraded package on the gateway.
There are two packages: one for ATM installation and one for non-ATM installation.
Each package has:
• TRAC_ATM.cab or TRAC.cab
• ver.ini
• CheckPointEndpointSecurityForATM.msi (packaged in the cab file)
• CheckPointVPN.msi

If you have R71.x with SSL VPN enabled, put the TRAC.cab file in a different directory, as shown in
the instructions.
Users must have administrator privileges to install an upgrade with an MSI package.
Administrative privileges are not required for automatic upgrades from the gateway.

Unattended (ATM) Clients


You cannot upgrade regular Remote Access Clients and unattended (ATM) Endpoint Security VPN
clients from the same gateway.

Important - If you download the Automatic Upgrade for ATM file, you get a file called
TRAC_ATM.cab. You must rename it to TRAC.cab before you put it on the gateway.

To distribute the Remote Access Clients from the gateway:


1. On the gateway, in the $FWDIR/conf/extender/CSHELL directory, back up the TRAC.cab
and trac_ver.txt files.
For R71.x, back up the TRAC.cab file in:
$CVPNDIR/htdocs/SNX/CSHELL
2. Download the Remote Access Clients E80.61 Automatic Upgrade file from the sk homepage.
3. Put the new TRAC.cab and ver.ini files in the same directory on the gateway:
$FWDIR/conf/extender/CSHELL
For R71.x, put the TRAC.cab file also in:
$CVPNDIR/htdocs/SNX/CSHELL
4. On a non-Windows gateway, run: chmod 750 TRAC.cab
5. Edit the trac_ver.txt file in the directory and change the version number to the number in
the new ver.ini.
6. Make sure the client upgrade mode is set:
a) Open the SmartDashboard.
b) Open Policy > Global Properties > Remote Access > Endpoint Connect.
c) Set the Client upgrade mode to Ask user (to let user confirm upgrade) or Always upgrade
(automatic upgrade).
d) Click OK.
7. Install the policy.
When the client connects to the gateway, the user is prompted for an automatic upgrade of the
newer version.
• If users had Endpoint Security VPN R75, it keeps the existing settings.
• If users had Endpoint Connect R73, it automatically upgrades to Endpoint Security VPN.
8. When the ATM client is installed with No Office Mode, those attributes will not change during
upgrade. If the client is automatically upgraded, it is an ATM client with No Office Mode.
In this release you can distribute a customized package from the gateway. See Upgrading with a
Customized Package in the E80.61 Remote Access Clients Administration Guide.
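
The file-handling steps of the procedure above (1, 3 and 4), as an added example that is not part of the release notes and is not Check Point code. The function names and the BACKUP_ROOT argument are assumptions made for the example; the digest is logged so it can be compared with a value recorded at download time before the policy is installed.

```sh
#!/bin/sh
# Added example, not Check Point code. Covers steps 1, 3 and 4 of the
# procedure; steps 5-7 (trac_ver.txt, upgrade mode, policy install) stay manual.

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# stage_trac_package SRC_DIR CSHELL_DIR BACKUP_ROOT
#   SRC_DIR     holds the downloaded TRAC.cab (or TRAC_ATM.cab) and ver.ini
#   CSHELL_DIR  $FWDIR/conf/extender/CSHELL on the gateway
#   BACKUP_ROOT hypothetical parameter: where backups go, kept outside
#               CSHELL_DIR so old packages do not sit beside the new one
# Prints the backup directory on stdout; returns non-zero on any failure.
stage_trac_package() {
    stp_src=$1; stp_dest=$2; stp_root=$3
    [ -d "$stp_src" ] && [ -d "$stp_dest" ] && [ -d "$stp_root" ] || {
        echo "stage_trac_package: missing directory" >&2; return 1; }

    # The ATM download is named TRAC_ATM.cab and must land as TRAC.cab.
    if [ -f "$stp_src/TRAC.cab" ]; then
        stp_cab="$stp_src/TRAC.cab"
    elif [ -f "$stp_src/TRAC_ATM.cab" ]; then
        stp_cab="$stp_src/TRAC_ATM.cab"
    else
        echo "stage_trac_package: no TRAC.cab or TRAC_ATM.cab" >&2; return 1
    fi
    [ -f "$stp_src/ver.ini" ] || {
        echo "stage_trac_package: no ver.ini" >&2; return 1; }

    # Step 1: back up the current package and version file before overwriting.
    stp_bak="$stp_root/CSHELL.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$stp_bak" || return 1
    for stp_f in TRAC.cab trac_ver.txt; do
        if [ -f "$stp_dest/$stp_f" ]; then
            cp -p "$stp_dest/$stp_f" "$stp_bak/$stp_f" || return 1
        fi
    done

    # Step 3: put the new TRAC.cab and ver.ini in the CSHELL directory.
    cp "$stp_cab" "$stp_dest/TRAC.cab" || return 1
    cp "$stp_src/ver.ini" "$stp_dest/ver.ini" || return 1

    # Confirm the staged file is byte-identical to the download and log the
    # digest; every connecting client will receive this file.
    stp_sum=$(sha256_of "$stp_cab")
    [ "$stp_sum" = "$(sha256_of "$stp_dest/TRAC.cab")" ] || {
        echo "stage_trac_package: digest mismatch after copy" >&2; return 1; }
    echo "TRAC.cab sha256: $stp_sum" >&2

    # Step 4: permissions required on a non-Windows gateway.
    chmod 750 "$stp_dest/TRAC.cab" || return 1

    echo "$stp_bak"
}

# Usage on the gateway (paths other than $FWDIR/... are placeholders):
#   stage_trac_package /var/tmp/e80.61 "$FWDIR/conf/extender/CSHELL" /var/backups
```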

Installing the Remote Access Clients Hotfix
If you have R71.30 and higher or R75 and higher installed on a gateway, Security Management
Server, or Multi-Domain Server, it can support Remote Access Clients. It is not necessary to
install a Hotfix. See the System Requirements section of the Release Notes for exact details.
For earlier supported gateway versions, install the Hotfix
http://supportcontent.checkpoint.com/solutions?id=sk67820.
Install the Remote Access Clients E80.61 Hotfix on gateways or standalone, self-managed gateway
deployments. In a Multi-Domain Security Management environment install the Hotfix on the
Multi-Domain Server.

Before you install the Hotfix:


This Hotfix has possible conflicts with other installed Hotfixes. If you can, it is safest to uninstall all
Hotfixes installed on the Security Management Server or gateways. See Uninstalling a Hotfix
("Uninstalling this Hotfix" on page 14). If you cannot uninstall a Hotfix, contact Check Point
Technical Support.

To install the Hotfix on a Security Gateway or Security Management Server:


1. Download the Hotfix.
2. Copy the Hotfix package to the Security Gateway or Security Management Server.
3. Run the Hotfix:
On SecurePlatform, Disk-based IPSO, and Solaris:
a) tar -zxvf <name_of_file>.tgz
b) ./UnixInstallScript
On Windows platforms: double-click the installation file and follow the instructions.
4. Reboot the Security Gateway or Security Management Server.

To install the Hotfix on a Multi-Domain Server:


1. On the Multi-Domain Server, run: mdsenv.
2. Download the Remote Access Clients Hotfix to the Multi-Domain Server.
3. Run the Hotfix on SecurePlatform and Solaris:
a) tar -zxvf <name_of_file>.tgz
b) ./UnixInstallScript
4. Follow the on-screen instructions.
5. Reboot the Multi-Domain Server.

Uninstalling this Hotfix


If you need to uninstall a Hotfix, use this procedure.

To uninstall a Hotfix from a gateway:


1. Go to the installation directory: cd /opt/CPsuite-version/
For example, the installation directory on an R70.40 gateway is: /opt/CPsuite-R70/
2. Run: ./uninstall_<name_of_original_Hotfix_file>
The name of the Hotfix is different for gateway version and for Hotfix functionality.
3. Enter y at the prompt.
4. Reboot the Security Gateway.

Known Limitations and Resolved Issues


For known limitations that apply to this release, see sk105124
http://supportcontent.checkpoint.com/solutions?id=sk105124.
For issues resolved in this release, see sk105125
http://supportcontent.checkpoint.com/solutions?id=sk105125.
