
Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management


DOCUMENT INFORMATION

Basic information

Title: Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management
Institution: Check Point Software Technologies Ltd.
Subject: Cybersecurity / Network Security
Type: Technical Document
Year of publication: 2010
Pages: 31
Size: 637.02 KB



20 October 2010

Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management


© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


20 October 2010: Added procedure for restoring the TTM file with customizations ("Restoring Settings" on page 22).

14 October 2010: Added Desktop rule to allow MEP traffic ("Making a Desktop Rule for MEP" on page 29). The connect_timeout parameter was removed from the list of commonly changed configuration file parameters, because it must not be used in this installation.

10 October 2010: To reflect the easy process of moving from SecureClient to Endpoint Security VPN, migration is changed to upgrading. Updated Microsoft Windows 7 Editions and fixed client version number in Supported Platforms ("System Requirements" on page 6).

28 September 2010: Updated feature lists ("Before Upgrading to Endpoint Security VPN" on page 6).

13 September 2010: Window pictures added, different versions of document released for different versions of SmartDashboard.

June 2010: Initial version.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management ).


Contents

Important Information 3

Introduction to Endpoint Security VPN 5

Using Different Management Servers 5

Why You Should Upgrade to Endpoint Security VPN 5

Before Upgrading to Endpoint Security VPN 6

System Requirements 6

New Endpoint Security VPN Features 6

SecureClient Features Supported in Endpoint Security VPN 7

SecureClient Features Not Yet Supported 9

Configuring Security Gateways to Support Endpoint Security VPN 10

Installing Hotfix on Gateways 10

Configuring SmartDashboard 11

Supporting Endpoint Security VPN and SecureClient Simultaneously 14

Troubleshooting Dual Support 17

Installing and Configuring Endpoint Security VPN on Client Systems 18

Installing Endpoint Security VPN on Client Systems 18

Client Icon 18

Helping Users Create a Site 18

Connecting to a Site 19

Pre-Configuring Proxy Settings 19

Pre-Configuring Always Connect 20

Using the Packaging Tool 20

The Configuration File 22

Configuration File Overview 22

Restoring Settings 22

Centrally Managing the Configuration File 22

Parameters in the Configuration File 23

Migrating Secure Configuration Verification 24

Multiple Entry Point (MEP) 25

Configuring Entry Point Choice 25

Defining MEP Method 26

Implicit MEP 26

Configuring Implicit First to Respond 26

Configuring Implicit Primary-Backup 27

Configuring Implicit Load Distribution 28

Manual MEP 29

Making a Desktop Rule for MEP 29

Differences between SecureClient and Endpoint Security VPN CLI 30


Endpoint Security VPN is intended to replace the current Check Point remote access client: SecureClient.

Note - You can install Endpoint Security VPN on several Linux/Unix-based platforms as well as Microsoft Windows platforms. The procedures included in this document use the Linux/Unix environment variable convention ($FWDIR). If you are using a Windows platform, substitute %FWDIR% for the environment variable in the applicable procedures.

In This Chapter

Why You Should Upgrade to Endpoint Security VPN 5

Using Different Management Servers

Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN. The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have.

This guide is for the R70.40 Security Management server.

If you have NGX R65 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75.

Check Point recommends that all customers upgrade from SecureClient to Endpoint Security VPN as soon as possible, to have these enhancements:

• Automatic and transparent upgrades, with no administrator privileges required

• Supports 32-bit and 64-bit, Windows Vista and Windows 7

• Uses less memory resources than SecureClient

• Automatic disconnect/reconnect as clients move in and out of the network

• Seamless connection experience while roaming


Before Upgrading to Endpoint Security VPN

Introduction to Endpoint Security VPN Page 6

• Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection

• Supports many additional new features

• Does not require a Security Management server upgrade

• Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period

Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Endpoint Security VPN

Before upgrading, consider these issues.

System Requirements

Management Server and Gateway:

Note - See the Release Notes of the specific Check Point version for supported versions of different platforms.

• All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in

• All supported platforms for R70.40

Notes -

Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You can install the Endpoint Security VPN package on multiple gateways and must install it on the server to enable MEP.

The server and gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Endpoint Security VPN.

Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.

Clients: Endpoint Security VPN R75 can be installed on these platforms:

• Microsoft Windows XP 32 bit SP2, SP3

• Microsoft Windows Vista 32 bit and 64 bit SP1

• Microsoft Windows 7 Home Edition 32 bit and 64 bit

• Microsoft Windows 7 Home Premium 32 bit and 64 bit

• Microsoft Windows 7 Pro 32 bit and 64 bit

• Microsoft Windows 7 Ultimate 32 bit and 64 bit

• Microsoft Windows 7 Enterprise 32 bit and 64 bit

New Endpoint Security VPN Features

Hotspot Detection and Registration (Exclusion for

Automatic Connectivity Detection: Automatically detects whether the client is connected to the Internet or LAN.

Automatic Certificate Renewal in CLI Mode: Supports automatic certificate renewal, including in CLI mode.

Location Awareness: Automatically determines if client is inside or outside the enterprise network.

Roaming: Maintains VPN tunnel if client disconnects and reconnects using different network interfaces.

Automatic and Transparent Upgrade Without Administrator Privileges: Updates the client system securely and without user intervention.

Windows Vista / Windows 7 64 Bit Support: Supports the latest 32-bit and 64-bit Windows operating systems.

Automatic Site Detection: During first time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.

Geo Clusters: Connect client system to the closest VPN gateway based on location. For more information on geo clusters, see sk43107 (http://supportcontent.checkpoint.com/solutions?id=sk43107).

Machine Idleness: Disconnect VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.

Flush DNS Cache: Remove previous DNS entries from the DNS cache when creating VPN.

NAT-T/Visitor Mode: Let users connect from any location, such as a hotel, airport, or branch office.

Multiple Entry Point (MEP): VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A).


Renewal: Automatic enrollment and renewal of certificates issued by Check Point Internal CA server.

CLI and API Support: Manage client with third party software.

Tunnel Idleness: Disconnect VPN if there is no traffic for a specified duration.

Disconnect On Smart Card Removal: Disconnect VPN if a Smart Card is removed from the client system.

Re-authentication: After specified duration, user is asked for re-authentication.

Keep-alive: Send keep-alive messages from client to the VPN gateway to maintain the VPN tunnel.

Check Gateway Certificate in CRL: Validate VPN gateway certificate in the CRL list.

Desktop Firewall Configured

Recover corrupted configuration files.

Secure Domain Logon (SDL): Establish VPN tunnel prior to user login.

Desktop Firewall Logs in SmartView Tracker: Desktop firewall logs are displayed in SmartView Tracker.

End-user Configuration Lock: Prevent users from changing the client configuration.

Update Dynamic DNS with the

SmartView Monitor: Monitor VPN tunnel and user statistics with SmartView Monitor.

Post Connect Script: Execute manual scripts before and after VPN tunnel is established.

SecureClient Features Not Yet Supported

Currently, these features of SecureClient are not supported by Endpoint Security VPN. Many of these features are expected to be supported in the next release.

Entrust Entelligence Support: Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption.

Diagnostic Tools: Tools for viewing logs and alerts.

VPN Connectivity to VPN-1 VSX: Terminate VPN tunnel at Check Point VSX gateways.

"No Office Mode" Connect Mode: Connect to the VPN gateway without requiring Office Mode.

Pre-shared secret: Authentication method that uses a pre-shared secret.

Link Selection: Multiple interface support with redundancy.

Secondary Connect (Including Fast Failover): Connect to multiple VPN gateways simultaneously and establish VPN tunnels to all resources located behind each VPN gateway.

DHCP Automatic Lease Renewal: Automatically renew IP addresses obtained from DHCP servers.


Chapter 2

Configuring Security Gateways to Support Endpoint Security VPN

In This Chapter

Supporting Endpoint Security VPN and SecureClient Simultaneously 14

Installing Hotfix on Gateways

To run Endpoint Security VPN and SecureClient simultaneously on client systems, install the hotfix on production gateways or on a standalone, self-managed gateway.

To use the Implicit MEP feature, you must install the hotfix on the Security Management server. If you do not need this feature, the hotfix does not have to be installed on the server (only on the gateways).

Important -

• If you install the hotfix on a new dedicated gateway in a production environment, with the same management server as other Remote Access gateways, this gateway will also be added to the topology used by SecureClient clients. This may cause SecureClient clients to connect to the new Endpoint Security VPN gateway. You must make sure that resources set by the encryption domain on the Endpoint Security VPN gateway are accessible to the SecureClient clients.

• If you have clients that use a pre-shared secret to authenticate, you must give the users a different authentication - one that is supported by Endpoint Security VPN.

To install the hotfix on a Security Gateway:

1. Download the hotfix from the Check Point Support Center (http://supportcenter.checkpoint.com).

2. Copy the hotfix package to the gateway.

3. Run the hotfix:

• On SecurePlatform, Disk-based IPSO, and Solaris:

    [admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz
    [admin@gateway ~/hf]$ /fw1_HOTFIX_FLO_HFA_EVE2_HF_553_
    Do you want to proceed with installation of Check Point fw1 R70
    Support FLO_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on
    this computer?
    If you choose to proceed, installation will perform CPSTOP
    (y-yes, else no):y

• On Windows platforms, double-click the installation file and follow the instructions.

If WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint Security VPN will not be able to connect.

4. Reboot the Security Gateway.
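The note above requires WebUI to leave TCP 443 free, because Visitor Mode needs that port. The following Python script is an added example, not Check Point code and not part of the original document: it parses the output of `netstat -tln` (a standard tool on Linux-based gateways) and reports every TCP listener bound to 443, so the collision is caught before the gateway is rebooted in step 4. The function names and the sample netstat output are this example's own constructions.

```python
"""Pre-flight check for the WebUI / Visitor Mode collision on TCP 443.

Added example, not Check Point code. It parses `netstat -tln` output and
reports any TCP socket listening on 443. Meant to run before the hotfix is
installed and Visitor Mode is enabled, when nothing legitimate should hold
443 on the gateway yet. SAMPLE_NETSTAT is constructed output.
"""
from __future__ import annotations

import re

VISITOR_MODE_PORT = 443  # TCP port Visitor Mode uses, per the document

# Constructed `netstat -tln` output from a gateway whose WebUI still sits on 443.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:264             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:18264           0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Columns: Proto  Recv-Q  Send-Q  Local Address  Foreign Address  State
_LISTEN_LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN", re.MULTILINE)


def tcp_listeners(netstat_output: str) -> dict[int, list[str]]:
    """Map each listening TCP port to the local addresses bound to it."""
    listeners: dict[int, list[str]] = {}
    for _proto, local in _LISTEN_LINE.findall(netstat_output):
        # rpartition handles both "0.0.0.0:443" and the IPv6 form ":::443".
        addr, _, port = local.rpartition(":")
        listeners.setdefault(int(port), []).append(addr)
    return listeners


def port_443_holders(netstat_output: str) -> list[str]:
    """Local addresses already bound to TCP 443; a non-empty list is a collision."""
    return tcp_listeners(netstat_output).get(VISITOR_MODE_PORT, [])


def preflight(netstat_output: str) -> str:
    """Human-readable verdict for the administrator running the hotfix procedure."""
    holders = port_443_holders(netstat_output)
    if holders:
        return ("FAIL: TCP 443 is in use on " + ", ".join(holders)
                + "; move WebUI to another port before enabling Visitor Mode")
    return "OK: TCP 443 is free for Visitor Mode"


if __name__ == "__main__":
    # On a real gateway, feed the live output of `netstat -tln` instead of the sample.
    print(preflight(SAMPLE_NETSTAT))
```

Once Visitor Mode is enabled, the VPN daemon itself legitimately binds 443, so after that point the check should confirm WebUI's configured port rather than look for any listener on 443; this example does not read the WebUI configuration.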

To configure SmartDashboard for Endpoint Security VPN:

1. Set the Security Gateway to be a policy server:

a) In the Network Objects Tree, right-click the Security Gateway and select Edit. The Check Point Gateway - General Properties window opens.

b) In Software Blades > Network Security, select IPSec VPN > Policy Server.

2. Configure Visitor Mode:

a) Open Remote Access.

b) In Visitor Mode configuration, select Support Visitor Mode.

3. Configure Office Mode:

4. Open Remote Access > Office Mode.

a) In Office Mode Method, select Manual (using IP pool).

b) In Allocate IP addresses from network, select the network for Office Mode allocation.

5. Click OK.

6. Make sure that the Security Gateway is in the Remote Access community:

a) Select Manage > VPN Communities. The VPN Communities window opens.

b) Double-click RemoteAccess. The Remote Access Community Properties window opens.

c) Open Participating Gateways.

d) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.

e) Click OK.

f) Click Close.

7. Make sure that the desktop policy is configured correctly (Desktop tab).

8. Install the policy: Policy menu > Install.

Supporting Endpoint Security VPN and SecureClient Simultaneously

To run both Endpoint Security VPN and SecureClient on client systems, you must configure the server and the gateways that will handle these remote access clients.

Before you begin, make sure that the encryption domains on these gateways fully overlap with the encryption domains of all other gateways and that all gateways provide connectivity to the same resources.

To configure the gateways in SmartDashboard for management of both clients:

1. On the Desktop tab, add this rule to ensure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:

• UDP 18231

• UDP 18233

• UDP 2746 for UDP Encapsulation

• UDP 500 for IKE

• TCP 500 for IKE over TCP

• TCP 264 for topology download

• UDP 259 for MEP configuration

• UDP 18234 for performing tunnel test when the client is inside the network

• UDP 4500 for IKE and IPSEC (NAT-T)

• TCP 18264 for ICA certificate registration

• TCP 443 for Visitor Mode

• TCP 80

2. Open Policy menu > Global Properties. The Global Properties window opens.

3. Open Remote Access > VPN - Advanced.

4. Select Sent in clear.

5. If secure configuration verification (SCV) is configured, add an exception for Endpoint Security VPN:

a) Open Remote Access > Secure Configuration Verification (SCV)
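Step 1 of the procedure above lists the outbound services that the Desktop policy must accept so SecureClient keeps working beside Endpoint Security VPN. The following Python audit is an added example, not Check Point code, and it does not read the real Desktop policy format: it models rules as (protocol, port range, action) entries evaluated top-down, checks a constructed rule set against that port list, and also flags an accept-all rule that would pass the check for the wrong reason. Service, Rule, SAMPLE_RULES and the function names are this example's own assumptions; REQUIRED_OUTBOUND is taken from the list in step 1.

```python
"""Audit a Desktop policy against the outbound services SecureClient needs.

Added example, not Check Point code, and not the real Desktop policy format.
REQUIRED_OUTBOUND is the port list from step 1 of the procedure above. Rule is
this example's own simplified model of a Desktop rule (protocol, port range,
action); SAMPLE_RULES is a constructed rule set with two ports missing.
"""
from __future__ import annotations

from typing import NamedTuple


class Service(NamedTuple):
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str    # as given in the document ("" where none is stated)


class Rule(NamedTuple):
    proto: str      # "tcp", "udp" or "any"
    first_port: int
    last_port: int
    action: str     # "accept" or "drop"


# Outbound services SecureClient must be allowed, from step 1 of the procedure above.
REQUIRED_OUTBOUND = [
    Service("udp", 18231, ""),
    Service("udp", 18233, ""),
    Service("udp", 2746, "UDP Encapsulation"),
    Service("udp", 500, "IKE"),
    Service("tcp", 500, "IKE over TCP"),
    Service("tcp", 264, "topology download"),
    Service("udp", 259, "MEP configuration"),
    Service("udp", 18234, "tunnel test when the client is inside the network"),
    Service("udp", 4500, "IKE and IPSEC (NAT-T)"),
    Service("tcp", 18264, "ICA certificate registration"),
    Service("tcp", 443, "Visitor Mode"),
    Service("tcp", 80, ""),
]

# Constructed Desktop rule set in top-down order, ending with a cleanup drop.
# It forgets UDP 259 (MEP configuration) and TCP 18264 (ICA registration).
SAMPLE_RULES = [
    Rule("udp", 18231, 18234, "accept"),
    Rule("udp", 2746, 2746, "accept"),
    Rule("udp", 500, 500, "accept"),
    Rule("udp", 4500, 4500, "accept"),
    Rule("tcp", 500, 500, "accept"),
    Rule("tcp", 264, 264, "accept"),
    Rule("tcp", 443, 443, "accept"),
    Rule("tcp", 80, 80, "accept"),
    Rule("any", 1, 65535, "drop"),   # cleanup rule
]


def matches(rule: Rule, svc: Service) -> bool:
    """True if the rule's protocol and port range cover the service."""
    return rule.proto in ("any", svc.proto) and rule.first_port <= svc.port <= rule.last_port


def first_match(rules: list[Rule], svc: Service) -> Rule | None:
    """Desktop rules apply top-down; the first matching rule decides."""
    for rule in rules:
        if matches(rule, svc):
            return rule
    return None


def blocked_services(rules: list[Rule]) -> list[Service]:
    """Required services the rule set would drop, or that no rule matches at all."""
    blocked = []
    for svc in REQUIRED_OUTBOUND:
        hit = first_match(rules, svc)
        if hit is None or hit.action != "accept":
            blocked.append(svc)
    return blocked


def wide_open_rules(rules: list[Rule]) -> list[Rule]:
    """Accept rules spanning every port: they satisfy the check for the wrong reason."""
    return [r for r in rules
            if r.action == "accept" and r.first_port <= 1 and r.last_port >= 65535]


def report(rules: list[Rule]) -> str:
    """One finding per line, or an OK line when nothing is blocked or wide open."""
    lines = [f"BLOCKED {s.proto.upper()} {s.port} {s.purpose}".rstrip()
             for s in blocked_services(rules)]
    lines += [f"WIDE-OPEN {r.proto} {r.first_port}-{r.last_port} accept"
              for r in wide_open_rules(rules)]
    return "\n".join(lines) if lines else "OK: all required SecureClient services are accepted"


if __name__ == "__main__":
    print(report(SAMPLE_RULES))
```

Rule order is part of the check: a drop placed above the accept rules blocks every service even though the accepts are present, which is how a misordered Desktop policy silently breaks SecureClient while the rule base looks complete.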

Posted: 08/08/2014, 06:20