Upgrading SecureClient to Endpoint Security VPN R75 on R71 Security Management

20 October 2010

Upgrading SecureClient to Endpoint Security VPN R75

on R71 Security Management


© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


- 10 October 2010: To reflect the easy process of moving from SecureClient to Endpoint Security VPN, "migration" is changed to "upgrading". Updated Microsoft Windows 7 Editions and fixed client version number in Supported Platforms ("System Requirements" on page 6).
- 28 September 2010: Updated feature lists ("Before Upgrading to Endpoint Security VPN" on page 6).
- 13 September 2010: Window pictures added; different versions of the document released for different versions of SmartDashboard.
- June 2010: Initial version.

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Upgrading SecureClient to Endpoint Security VPN R75 on R71 Security Management).


Contents

Important Information 3

Introduction to Endpoint Security VPN 5

Using Different Management Servers 5

Why You Should Upgrade to Endpoint Security VPN 5

Before Upgrading to Endpoint Security VPN 6

System Requirements 6

New Endpoint Security VPN Features 6

SecureClient Features Supported in Endpoint Security VPN 7

SecureClient Features Not Yet Supported 9

Configuring Security Gateways to Support Endpoint Security VPN 10

Installing Hotfix on Security Gateways 10

Configuring SmartDashboard 11

Supporting Endpoint Security VPN and SecureClient Simultaneously 15

Troubleshooting Dual Support 17

Installing and Configuring Endpoint Security VPN on Client Systems 18

Installing Endpoint Security VPN on Client Systems 18

Client Icon 18

Helping Users Create a Site 18

Connecting to a Site 19

Pre-Configuring Proxy Settings 19

Pre-Configuring Always Connect 20

Using the Packaging Tool 20

The Configuration File 22

Configuration File Overview 22

Restoring Settings 22

Centrally Managing the Configuration File 22

Parameters in the Configuration File 23

Migrating Secure Configuration Verification 24

Multiple Entry Point (MEP) 25

Configuring Entry Point Choice 25

Defining MEP Method 26

Implicit MEP 26

Configuring Implicit First to Respond 26

Configuring Implicit Primary-Backup 27

Configuring Implicit Load Distribution 28

Manual MEP 29

Making a Desktop Rule for MEP 29

Differences between SecureClient and Endpoint Security VPN CLI 30


Endpoint Security VPN is intended to replace the current Check Point remote access client: SecureClient.

Note - You can install Endpoint Security VPN on several Linux/Unix-based platforms as well as Microsoft Windows platforms. The procedures included in this document use the Linux/Unix environment variable convention ($FWDIR). If you are using a Windows platform, substitute %FWDIR% for the environment variable in the applicable procedures.

In This Chapter

Why You Should Upgrade to Endpoint Security VPN 5

Using Different Management Servers

Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN. The SmartDashboard differs between versions of the management server, so use the documentation for the SmartDashboard that you have.

This guide is for the R71 Security Management Server.

If you have an NGX R65 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75.

Check Point recommends that all customers upgrade from SecureClient to Endpoint Security VPN as soon as possible, to have these enhancements:

- Automatic and transparent upgrades, with no administrator privileges required
- Supports 32-bit and 64-bit, Windows Vista and Windows 7
- Uses less memory resources than SecureClient
- Automatic disconnect/reconnect as clients move in and out of the network
- Seamless connection experience while roaming


Before Upgrading to Endpoint Security VPN

Introduction to Endpoint Security VPN Page 6

- Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
- Supports many additional new features
- Does not require a Security Management Server upgrade
- Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period

Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Endpoint Security VPN

Before upgrading, consider these issues.

System Requirements

Management Server and Gateway:

Note - See the Release Notes of the specific Check Point version for supported versions of different platforms.

- All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in
- All supported platforms for R70.40

Notes -

- Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You can install the Endpoint Security VPN package on multiple gateways and must install it on the server to enable MEP.
- The server and gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Endpoint Security VPN.
- Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.

Clients: Endpoint Security VPN R75 can be installed on these platforms:

- Microsoft Windows XP 32 bit SP2, SP3
- Microsoft Windows Vista 32 bit and 64 bit SP1
- Microsoft Windows 7 Home Edition 32 bit and 64 bit
- Microsoft Windows 7 Home Premium 32 bit and 64 bit
- Microsoft Windows 7 Pro 32 bit and 64 bit
- Microsoft Windows 7 Ultimate 32 bit and 64 bit
- Microsoft Windows 7 Enterprise 32 bit and 64 bit

New Endpoint Security VPN Features

Feature: Description

- Hotspot Detection and Registration (Exclusion for
- Automatic Connectivity Detection: Automatically detects whether the client is connected to the Internet or LAN.
- Automatic Certificate Renewal in CLI Mode: Supports automatic certificate renewal, including in CLI mode.
- Location Awareness: Automatically determines if the client is inside or outside the enterprise network.
- Roaming: Maintains the VPN tunnel if the client disconnects and reconnects using different network interfaces.
- Automatic and Transparent Upgrade Without Administrator Privileges: Updates the client system securely and without user intervention.
- Windows Vista / Windows 7 64 Bit Support: Supports the latest 32-bit and 64-bit Windows operating systems.
- Automatic Site Detection: During first time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.
- Geo Clusters: Connect the client system to the closest VPN gateway based on location. For more information on geo clusters, see sk43107 (http://supportcontent.checkpoint.com/solutions?id=sk43107).
- Machine Idleness: Disconnect the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.
- Flush DNS Cache: Remove previous DNS entries from the DNS cache when creating the VPN.
- NAT-T/Visitor Mode: Let users connect from any location, such as a hotel, airport, or branch office.
- Multiple Entry Point (MEP): VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A).


- Renewal: Automatic enrollment and renewal of certificates issued by the Check Point Internal CA server.
- CLI and API Support: Manage the client with third party software.
- Tunnel Idleness: Disconnect the VPN if there is no traffic for a specified duration.
- Disconnect On Smart Card Removal: Disconnect the VPN if a Smart Card is removed from the client system.
- Re-authentication: After a specified duration, the user is asked for re-authentication.
- Keep-alive: Send keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel.
- Check Gateway Certificate in CRL: Validate the VPN gateway certificate in the CRL list.
- Desktop Firewall Configured: Recover corrupted configuration files.
- Secure Domain Logon (SDL): Establish the VPN tunnel prior to user login.
- Desktop Firewall Logs in SmartView Tracker: Desktop firewall logs are displayed in SmartView Tracker.
- End-user Configuration Lock: Prevent users from changing the client configuration.
- Update Dynamic DNS with the


- SmartView Monitor: Monitor VPN tunnel and user statistics with SmartView Monitor.
- Post Connect Script: Execute manual scripts before and after the VPN tunnel is established.

SecureClient Features Not Yet Supported

Currently, these features of SecureClient are not supported by Endpoint Security VPN. Many of these features are expected to be supported in the next release.

- Entrust Entelligence Support: Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption.
- Diagnostic Tools: Tools for viewing logs and alerts.
- VPN Connectivity to VPN-1 VSX: Terminate the VPN tunnel at Check Point VSX gateways.
- "No Office Mode" Connect Mode: Connect to the VPN gateway without requiring Office Mode.
- Pre-shared secret: Authentication method that uses a pre-shared secret.
- Link Selection: Multiple interface support with redundancy.
- Secondary Connect (Including Fast Failover): Connect to multiple VPN gateways simultaneously and establish VPN tunnels to all resources located behind each VPN gateway.
- DHCP Automatic Lease Renewal: Automatically renew IP addresses obtained from DHCP servers.


Installing Hotfix on Security Gateways

To run Endpoint Security VPN and SecureClient simultaneously on client systems, install the hotfix on production gateways or on a standalone, self-managed gateway.

To use the Implicit MEP feature, you must install the hotfix on the Security Management Server. If you do not need this feature, the hotfix does not have to be installed on the server (only on the gateways).

Important: Before You Begin

- If you choose to install the hotfix on a new dedicated gateway in the production environment, managed by the same management server as the rest of the Remote Access gateways, this gateway will also be added to the topology used by SecureClient clients. This causes them to connect to the new gateway. Thus, you must make sure the configuration is valid and that resources set by the encryption domain on this gateway are accessible.
- If you have clients that use a pre-shared secret to authenticate, you must give the users a different authentication method, one that is supported by Endpoint Security VPN.

To install the hotfix on a Security Gateway:

1. Download the hotfix from the Check Point Support Center (http://supportcenter.checkpoint.com).
2. Copy the hotfix package to the gateway.
3. Run the hotfix. The installer prompts before stopping Check Point services:

   If you choose to proceed, installation will perform CPSTOP
   (y-yes, else no):y

   - On Windows, double-click the installation file and follow the instructions.

   If WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint Security VPN will not be able to connect.

4. Reboot the Security Gateway.


Configuring SmartDashboard

To configure SmartDashboard for Endpoint Security VPN:

1. Set the Security Gateway to be a policy server:
   a) In the Network Objects Tree, right-click the Security Gateway and select Edit. The Check Point Gateway - General Properties window opens.
   b) In Software Blades > Network Security, click IPSec VPN and Policy Server.
   c) Open Authentication.
   d) In the Users drop-down, select a user group to be assigned to the policy.
2. Configure Visitor Mode:
   a) Open IPSec VPN > Remote Access.
   b) Select Support Visitor Mode.
3. Configure Office Mode:
   a) Open IPSec VPN > Office Mode.
   b) In Office Mode Method, select Manual (using IP pool).
   c) In Allocate IP addresses from network, select the network for Office Mode allocation.
4. Click OK.
5. Make sure that the Security Gateway is in the Remote Access community:
   a) Select Manage > VPN Communities. The VPN Communities window opens.
   b) Double-click RemoteAccess. The Remote Access Community Properties window opens. Open Participating Gateways.
   c) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
   d) Click OK.
   e) Click Close.
6. Make sure that the desktop policy is configured correctly (Desktop tab).
7. Install the policy (Policy menu > Install).

Supporting Endpoint Security VPN and SecureClient Simultaneously

To run both Endpoint Security VPN and SecureClient on client systems, you must configure the server and the gateways that will handle these remote access clients.

Before you begin, make sure that the encryption domains on these gateways fully overlap with the encryption domains of all other gateways and that all gateways provide connectivity to the same resources.

To configure the gateways in SmartDashboard for management of both clients:

1. On the Desktop tab, add this rule to ensure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:

   - UDP 18231
   - UDP 18233
   - UDP 2746 for UDP Encapsulation
   - UDP 500 for IKE
   - TCP 500 for IKE over TCP
   - TCP 264 for topology download
   - UDP 259 for MEP configuration
   - UDP 18234 for performing tunnel test when the client is inside the network
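A quick way to verify that a desktop policy actually lets SecureClient reach the services listed above is to evaluate each required outbound service against the rule base in order, as the desktop firewall would. The following is an added example, not part of the Check Point guide: the `DesktopRule` model, the top-down first-match evaluation and the sample policy are constructed assumptions, not Check Point's API or policy format, and the example flags the two common mistakes of a missing allow and an allow shadowed by an earlier catch-all drop.

```python
"""Check a desktop policy against the outbound services SecureClient needs
(UDP 18231, 18233, 2746, 500, 259, 18234; TCP 500, 264). Constructed model:
rule objects and first-match evaluation are assumptions, not Check Point's API."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (protocol, destination port, purpose as given in the guide; "" where none is given)
REQUIRED_OUTBOUND = (
    ("udp", 18231, ""),
    ("udp", 18233, ""),
    ("udp", 2746, "UDP Encapsulation"),
    ("udp", 500, "IKE"),
    ("tcp", 500, "IKE over TCP"),
    ("tcp", 264, "topology download"),
    ("udp", 259, "MEP configuration"),
    ("udp", 18234, "tunnel test when the client is inside the network"),
)


@dataclass(frozen=True)
class DesktopRule:
    direction: str         # "outbound" or "inbound"
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    port: Optional[int]    # destination port, or None for any port
    action: str            # "accept" or "drop"

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction == direction
                and self.proto in (None, proto)
                and self.port in (None, port))


def first_match(rules: List[DesktopRule], direction: str, proto: str, port: int) -> str:
    """Top-down evaluation: the first matching rule decides; no match means drop."""
    for rule in rules:
        if rule.matches(direction, proto, port):
            return rule.action
    return "drop"


def blocked_services(rules: List[DesktopRule]) -> List[Tuple[str, int, str]]:
    """Required services that this rule base would not let SecureClient send."""
    return [svc for svc in REQUIRED_OUTBOUND
            if first_match(rules, "outbound", svc[0], svc[1]) != "accept"]


# Constructed sample policy: every UDP service is allowed, but a catch-all TCP drop
# sits above the IKE-over-TCP allow (shadowing it) and TCP 264 was never added.
SAMPLE_POLICY = [DesktopRule("outbound", "udp", p, "accept")
                 for p in (18231, 18233, 2746, 500, 259, 18234)]
SAMPLE_POLICY += [DesktopRule("outbound", "tcp", None, "drop"),
                  DesktopRule("outbound", "tcp", 500, "accept")]
```

Running `blocked_services(SAMPLE_POLICY)` reports TCP 500 and TCP 264 as blocked; moving the TCP 264 and TCP 500 allows above the catch-all drop clears the report.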
