
13 September 2011

User Guide

Endpoint Security VPN

for Windows 32-bit/64-bit

E75.20


© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12322

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65209).

Revision History

Date                Description
13 September 2011   First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security VPN for Windows 32-bit/64-bit E75.20 User Guide).


Contents

Important Information
Introduction to Endpoint Security VPN
  The Installation Process
  Receiving an Automatic Upgrade
Getting Started
  Defining a Site
  Basic Operations
    Connect Window
    Client Icon
  Understanding the Firewall
    Disabling the Firewall
  Compliance
Setting up the Client
  Configuring Proxy Settings
  Secure Domain Logon
  Configuring VPN
  Changing the Site Authentication Scheme
    Certificate Enrollment and Renewal
    Importing a Certificate into the CAPI Store
    Authenticating with PKCS#12 Certificate File
    SecurID
    Challenge-Response
    Secure Authentication API (SAA)
Collecting Logs


Chapter 1

Introduction to Endpoint Security VPN

Endpoint Security VPN is a remote access client for easy, secure connectivity to corporate resources over the internet, through a VPN tunnel.


The Installation Process

Important - To install a Remote Access client on any version of Windows, you need Administrator permissions. Consult with your system administrator.

To install a Remote Access client:

1. Log in to Windows with a user name that has Administrator permissions.
2. Get the installation package from your system administrator, and double-click the installation package.
3. Follow the installation wizard.
   Note - On Windows Vista and Windows 7, there may be a prompt to allow access, depending on the UAC settings.
4. If your administrator did not include a specified Remote Access client in the installation package, you are prompted to choose a product to install. Your administrator might have instructed you which client to install. The options are:
   • Endpoint Security VPN
   • Check Point Mobile for Windows
   • SecuRemote
   After installation, the Client icon appears in the system tray notification area.
5. Double-click the Client icon.
   If you are prompted to define a site, make a site with the IP address that your system administrator gave you.

Receiving an Automatic Upgrade

If you have a Check Point VPN Client, when you connect to a site you might receive an automatic upgrade to the latest version of Remote Access Clients.

Follow instructions to complete the upgrade. Depending on the settings set by your administrator, you might not need to do anything.

When you open your client from the client icon, you will see that it has a new name and looks different.


Chapter 2

Getting Started


Defining a Site

You must have at least one site to connect to a VPN. If your system administrator pre-configured the client package, you can connect to the VPN site immediately. If not, you must define the site.

Before you start, make sure you know how you will authenticate to the VPN and that you have the credentials (for example, password or certificate file). You might also require the gateway fingerprint, to make sure that the client is connecting to the correct gateway. Get this from your system administrator.

To define a site:

1. Right-click the client icon and select VPN Options.
   The Options window opens.
   The first time you open the window, no sites are listed.
2. On the Sites tab, click New.


   The Site Wizard opens.
3. Click Next.
4. Enter the name or IP address of the Security Gateway and click Next.
   Wait for the Client to identify the site name.
5. After the client resolves the site, a security warning might open:
   The site's security certificate is not trusted!
   While verifying the site's certificate, the following possible security risks were discovered:
   Ask your system administrator for the fingerprint of the server. If the server fingerprint matches the fingerprint in the warning message, you can click Trust and Continue. If there is no match, consult with your system administrator.
6. The Authentication Method window opens. Select an authentication method according to your system administrator's instructions.
7. Click Next and follow the instructions to enter your authentication materials.


   If you selected Secure Authentication API (SAA), an SAA window opens to select the type of SAA and a DLL file to use. See Secure Authentication API (SAA) (on page 14).
8. Click Finish.
   The client opens a prompt to connect you to the newly created site.
9. Click Yes to connect to the site, or No to save the site details and connect at a different time.

Basic Operations

Right-click the Client icon in the system tray to use basic operations. (Not all options appear for every client status and configuration.)

To quickly connect to the last active site, double-click the Client icon.

To use other basic operations, right-click the Client icon and select an option.

Option - Function

Connect - Opens the main connection window, with the last active site selected. If you authenticate with a certificate, the client immediately connects to the selected site.

Connect to - Opens the main connection window.

VPN Options - Opens the Options window to set a proxy server, choose interface language, enable Secure Domain Logon, collect logs, and select a DLL file for SAA Authentication.

Register to Hotspot - Lets you bypass the firewall to register to a hotspot. After you click this option, open a browser. It will open to the hotspot registration page.

Show Compliance Report - See if your computer is compliant with the Security Policy, and if not, why not and how to fix the issue.

Show Client - Open the Client overview.

Shutdown Client - Closes the Client and the VPN connection.

You can also see most of these options from the Client Overview.

Connect Window

In the Connect window you authenticate to the VPN. Based on the settings that your administrator configures, you might have options to choose a Site and Gateway, or only a Site.


In the Connect Window:

1. In Site, select the site to connect to.
   If you were not instructed differently by your administrator, connect to the default site.
2. You might have a Gateway field. If necessary, select a gateway.
   If you were not instructed differently by your administrator, connect to the default gateway.
3. Enter authentication to connect to the VPN:
   • If you have a Certificate, browse to the certificate file and enter the password.
   • If you use SecurID, enter your PIN or passcode. If you get a key in response, copy it.
   • If you use Username and Password, enter your username and password.
   • If you use Challenge Response, enter the first key. When the challenge comes, enter the response.
   • If you use SAA, click Connect and a new window opens for authentication.

While you use the VPN resources, you might have to enter your authentication credentials again. This can occur if you try to access a resource that is on a different gateway and your credentials are not cached.

Client Icon

The Client icon in the system tray notification area shows the status of Remote Access Clients.

Icon Status

• Disconnected
• Connecting
• Connected
• Encryption (encrypted data is being sent or received on the VPN)
• There is an issue that requires users to take action

You can also hover your mouse on the icon to show the client status.

Understanding the Firewall

When Endpoint Security VPN is installed on your computer, it includes a firewall. The firewall examines all network traffic that comes to your computer and asks:

• Where did the traffic come from and where is it addressed to?
• Do the firewall rules allow traffic to that address?
• Does the traffic violate global rules?

Based on the answers to these questions, traffic is allowed or blocked.

The administrator sets the policies and rules that control what traffic the firewall allows.

Disabling the Firewall

Your administrator can give you the option to disable the firewall on your computer. If you do have this option, when you right-click the Endpoint Security VPN icon in the system tray, one of the choices is Disable Security Policy.

If you select this, the firewall is disabled. Depending on the compliance settings, you might not be able to connect to the VPN if your firewall is disabled.

If the firewall is disabled, the option Enable Security Policy shows in the right-click menu of the Client icon. Select this to enable the firewall.


Compliance

Your administrator can configure checks for your computer or device to make sure it is compliant before you connect to the VPN site. Some examples of what these checks can include are:

• If your Operating System is supported
• If you are logged in correctly
• If you have an updated Anti-virus client

Your computer must be compliant with all checks to access the VPN.

If your computer is not compliant, the Client icon looks like this:

If your computer is found to be non-compliant based on one check, you cannot access the VPN. In the Client Overview window, it shows that you are not compliant and a message opens. If your computer does not comply based on multiple factors, you can see multiple messages.

Follow the instructions in the message to make your computer compliant. If you have questions, contact your administrator.

You can see a compliance report that shows if your computer is compliant with the Security Policy, and if not, how to fix the issue. To get a compliance report, right-click the Client icon in the system tray and select Show Compliance Report.

The compliance check always works in the background, whether or not you are connected to the VPN. At any time it can report that your computer has failed a check and is not compliant.


Chapter 3

Setting up the Client


Configuring Proxy Settings

If you are at a remote site which has a proxy server, the client must be configured to go through the proxy server. Usually the client can find proxy settings automatically. If not, you can configure it.

Before you begin, get the IP address of the proxy server from the local system administrator. Find out if the proxy needs a user name and password.

To configure proxy settings:

1. Right-click the Client icon and select VPN Options.
   The Options window opens.
2. Open the Advanced tab.
3. Click Proxy Settings.
   The Proxy Settings window opens.
4. Select an option:
   • No Proxy - Make a direct connection to the VPN.
   • Detect proxy from Internet Explorer settings - Get the proxy settings from Internet Explorer > Tools > Internet options > Connections > LAN Settings.
   • Manually define proxy - Enter the IP address and port number of the proxy. If required, enter a user name and password for the proxy.
5. Click OK.

Secure Domain Logon

If the system administrator says that you must use SDL, enable Secure Domain Logon (SDL).

To enable SDL on a client:

1. Right-click the Client icon and select VPN Options.
2. In Options > Advanced, select Enable Secure Domain Logon (SDL).
3. Click OK.
4. Restart the computer and log in.

Configuring VPN

You might have the option to go through the VPN for all your Internet traffic. This is more secure.


To configure VPN Tunneling:

1. Right-click the Client icon and select VPN Options.
   The Options window opens.
2. On the Sites tab, select the site to which you want to connect, and click Properties.
   The Properties window for the site opens.
3. Open the Settings tab.
4. In VPN tunneling, click Encrypt all traffic and route to gateway.
   Note - In SecuRemote, this option is disabled. If this option is disabled in Endpoint Security VPN or Check Point Mobile for Windows, consult your system administrator.
5. Click OK.

Changing the Site Authentication Scheme

If you have the option from your system administrator, you can change the method that you use to authenticate to the VPN.

To change the client authentication method for a specific site:

1. Right-click the Client icon and select VPN Options.
   The Options window opens.
2. On the Sites tab, select the site and click Properties.
   The Properties window for the site opens.
3. On the Settings tab, select an option from the Authentication Scheme drop-down menu:
   • Username and password
   • Certificate - CAPI
   • Certificate - P12
   • SecurID - KeyFob
   • SecurID - PinPad
   • SecurID Software Token
   • Challenge Response
   • SAA - Username and Password
   • SAA - Challenge Response


Certificate Enrollment and Renewal

A. To enroll a certificate:

1. Right-click the client icon in the system tray, and select VPN Options.
2. On the Sites tab, select the site from which you will enroll a certificate and click Properties.
   The site Properties window opens.
3. Select the Settings tab.
4. Choose the setting type you want, CAPI or P12, and click Enroll.
   The CAPI or P12 window opens.
5. For CAPI, choose the provider to which you will enroll the certificate.
6. For P12, choose a new password for the certificate and confirm it.
7. Enter the Registration Key that your administrator sent you.
8. Click Enroll.
   The certificate is enrolled and ready for use.

B. To renew a certificate:

1. Right-click the client icon in the system tray, and select VPN Options.
2. On the Sites tab, select the site from which you will renew a certificate and click Properties.
   The site Properties window opens.
   The authentication method you chose is set and the certificate will be renewed accordingly.
3. Select the Settings tab.
4. Click the Renew button.
   The CAPI or P12 window opens.
5. For CAPI, choose the certificate you want to renew from the drop-down list. For P12, choose a P12 file and enter its password.
6. Click Renew.
   The certificate is renewed and ready for use.

Importing a Certificate into the CAPI Store

Before you can use the certificate to authenticate your computer, you must get:

• The certificate file
• The password for the file
• The name of the site (each certificate is valid for one site)

If the system administrator instructed you to save the certificate on the computer, import it to the CAPI store. If not, the administrator will give you the certificate file on a USB or other removable media. Make sure you get the password.

To import a certificate file to the CAPI store:

1. Right-click the client tray icon, and select VPN Options.
2. On the Sites tab, select the site and click Properties.
3. Open the Settings tab.
4. Make sure that Certificate - CAPI is selected in the Method list.
5. Click Import.
6. Browse to the P12 file.
7. Enter the certificate password and click Import.

Authenticating with PKCS#12 Certificate File

For security reasons, your system administrator might require you to authenticate directly with the PKCS#12 certificate and not from the certificate stored in the CAPI. For example, if you use several desktop workstations and laptops, you might not want to leave your certificate on different computers. If the PKCS#12 certificate is in the CAPI store and someone steals your laptop, they can use the client to connect
