Domain Controller Name Resolution
If clients are configured in Connect Mode and Office Mode, clients automatically resolve the NT domain name using dynamic WINS.
Otherwise, clients resolve the NT domain name using either LMHOSTS or WINS.
LMHOSTS
Enter the relevant information (see below) in the $FWDIR/conf/dnsinfo.C file on the Security Gateway, and install the policy. When the topology is updated, the name resolution data will be automatically transferred to the dnsinfo entry of the userc.C file and then to its LMHOSTS file.
Authentication Timeout and Password Caching
The Problem
Users consider multiple authentications during the course of a single session to be a nuisance. At the same time, these multiple authentications are an effective means of ensuring that the session has not been hijacked (for example, if the user steps away from the client for a period of time). The problem is finding the correct balance between convenience and security.
The Solution
Multiple authentication can be reduced by:
- Increasing the re-authentication interval
- Caching the user's password
Re-Authentication Interval
For Connect Mode, the countdown to the timeout begins from the time that the Client is connected.
To set the length of time between re-authentications:
- From Menu, select Global Properties.
- From the navigation tree, click Remote Access > Endpoint Security VPN.
- In Re-authenticate user every, select a number of minutes between re-authentications.
- Click OK.
- Install Policy.
Password Caching
When the timeout expires, the user will be asked to authenticate again. If password-caching is enabled, clients will supply the cached password automatically and the authentication will take place transparently to the user. In other words, the user will not be aware that re-authentication has taken place.
Password caching is possible only for multiple-use passwords. If the user's authentication scheme implements one-time passwords (for example, SecurID), then passwords cannot be cached, and the user will be asked to re-authenticate when the authentication timeout expires. For these schemes, this feature should not be implemented.
To configure password caching:
- From Menu, select Global Properties.
- From the navigation tree, click Remote Access > Endpoint Security VPN.
- In Enable password caching, select an option.
- If Password caching is enabled, in Cache password for, select the number of minutes for which the password is cached.
Secure Domain Logon (SDL)
The Problem
When a Remote Access client user logs on to a domain controller, the user has not yet entered credentials and so the connection to the domain controller is not encrypted.
The Solution
When the Secure Domain Logon (SDL) feature is enabled, then after the user enters the OS user name and password (but before the connection to the domain controller is started), the User Authentication window is displayed. When the user enters the client credentials, the connection to the domain controller takes place over an encrypted tunnel.
Cached Information
When the Remote Access client computer successfully logs on to a domain controller, the user's profile is saved in cache. This cached information will be used if subsequent logons to the domain controller fail, for whatever reason.
To configure this option in the client registry, proceed as follows:
- Go to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Create a new key CachedLogonsCount with the valid range of values from 0 to 50. The value of the key is the number of previous logon attempts that a server will cache. A value of 0 disables logon caching and any value above 50 will only cache 50 logon attempts.
Configuring Secure Domain Logon
- Configure the SecuRemote client to use LMHOSTS (all platforms) or WINS (all platforms except Win 9x).
- For Win NT and Win 2000, configure the SDL timeout.
- Define the site where the domain controller resides and download/update the topology.
- If the client is not already a domain member, configure the machine as a domain member.
- For Win NT and 2000:
- Enable Auto Local Logon (optional)
- Enable Secure Domain Logon
- Reboot the computer and logon.
Using Secure Domain Logon
After you have rebooted the computer:
- When the Windows Logon window is displayed, enter the operating system credentials.
- Click OK.
The Logon window is displayed.
- Enter the client credentials in the defined time (see Configuring SDL Timeout).
If you fail to log on and no cached information is used, wait one minute and try again.
If SDL is already configured on the client, the administrator can customize the client installation packages with SDL enabled by default.
Create a self-extracting client package using the VPN Configuration Utility and select Enable Secure Domain Logon. See the Remote Access Clients for Windows Administration Guide for details.
How to Work with non-Check Point Firewalls
If a remote access client is located behind a non-Check Point firewall, the following ports must be opened on the firewall to allow VPN traffic to pass:
| Port | Description |
|---|---|
| UDP port 500 | Always, even if using IKE over TCP |
| TCP port 500 | Only if using IKE over TCP |
| IP protocol 50 (ESP) | Unless always using UDP encapsulation |
| UDP port 2746 | Only if using MEP, interface resolving or interface High Availability |
| UDP port 259 | Only if using MEP, interface resolving or interface High Availability |
Resolving Internal Names with an Internal DNS Server
Problem:
Remote Access Clients need to use an internal DNS server to resolve the names of internal hosts (behind the Security Gateway) that have non-unique IP addresses.
Solution:
Best practice is:
- For Endpoint Security VPN and Check Point Mobile for Windows, use Office mode.
- For SecuRemote, use the Split DNS feature.
Split DNS
Split DNS uses a SecuRemote DNS Server, an object that represents an internal DNS server that you can configure to resolve internal names with private IP addresses (RFC 1918). It is best to encrypt the DNS resolution of these internal names.
After you configure a SecuRemote DNS server to resolve traffic from a specified domain and install policy, it takes effect. If users try to access that domain while connected to the VPN, the request is resolved by the SecuRemote DNS server. The internal DNS server can only work when users are connected to the VPN.
You can configure multiple SecuRemote DNS servers for different domains.
Configuring Split DNS
To configure a SecuRemote DNS server for Split DNS:
- In SmartConsole, in the Objects tree, select New > More > Server > More > SecuRemote DNS.
The New SecuRemote DNS window opens.
- In the General tab, enter a name for the server and select the host on which it runs.
- In the Domains tab, click Add to add the domains that will be resolved by the server.
The Domain window opens.
- Enter the Domain Suffix for the domain that the SecuRemote DNS server will resolve, for example, checkpoint.com.
- In the Domain Match Case section, select the maximum number of labels that can be in the URL before the suffix. URLs with more labels than the maximum will not be sent to that DNS.
- Match only *.suffix - Only requests with 1 label are sent to the SecuRemote DNS. For example, 'www.checkpoint.com' and 'whatever.checkpoint.com', but not 'www.internal.checkpoint.com'.
- Match up to x labels preceding the suffix - Select the maximum number of labels. For example, if you select 3, then the SecuRemote DNS Server will be used to resolve 'www.checkpoint.com' and 'www.internal.checkpoint.com' but not 'www.internal.inside.checkpoint.com'.
- Click OK.
- Click OK.
- Install the policy.
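The label-count rule above, as an added example in Python (not code from the Check Point guide): it decides which resolver a client query goes to, counting only the labels before the configured suffix so that 'Match only *.suffix' corresponds to a maximum of 1, and it checks the label boundary so that a look-alike domain does not match. The server names and the second domain are constructed.

```python
def labels_before_suffix(name, suffix):
    """Number of labels in `name` that precede the domain `suffix`.

    Returns None when `suffix` does not apply to `name`. The comparison is
    case-insensitive, ignores a trailing dot (FQDN form) and requires a label
    boundary, so 'evil-checkpoint.com' is not under 'checkpoint.com'.
    """
    name = name.rstrip(".").lower()
    suffix = suffix.strip(".").lower()
    if name == suffix:
        return 0
    if not name.endswith("." + suffix):
        return None
    return name[: -len(suffix) - 1].count(".") + 1

def resolver_for(name, domains):
    """Decide which resolver a client query for `name` is sent to.

    `domains` maps a configured domain suffix to (server, max_labels), where
    max_labels=1 is the 'Match only *.suffix' setting. A query that matches no
    domain, or has more labels than the limit, goes to the client's ordinary
    resolver (returned as 'public'), i.e. it is not resolved through the tunnel.
    """
    for suffix, (server, max_labels) in domains.items():
        count = labels_before_suffix(name, suffix)
        # A query for the bare suffix (0 labels) is assumed not to match, since
        # the guide describes *.suffix as requiring one label.
        if count is not None and 1 <= count <= max_labels:
            return server
    return "public"

# Constructed configuration: two SecuRemote DNS servers with different match settings.
SPLIT_DNS = {
    "checkpoint.com": ("corp-dns", 1),  # Match only *.suffix
    "lab.example": ("lab-dns", 2),      # Match up to 2 labels preceding the suffix
}

if __name__ == "__main__":
    for host in ("www.checkpoint.com", "www.internal.checkpoint.com",
                 "www.internal.lab.example", "evil-checkpoint.com"):
        print(f"{host:30} -> {resolver_for(host, SPLIT_DNS)}")
```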
Enabling or Disabling Split DNS
Split DNS is automatically enabled. On Endpoint Security VPN and Check Point Mobile for Windows, you can edit a parameter in the trac_client_1.ttm configuration file to set if Split DNS is enabled, disabled, or depends on the client settings.
To change the setting for Split DNS on the gateway:
- On the gateway, open the $FWDIR/conf/trac_client_1.ttm file with a text editor.
- Add the split_dns_enabled property to the file.
- Set the value in the :default attribute:
  - true - enabled
  - false (default) - disabled
  - client_decide - Takes the value from a file on the client machine
- Save the file and install the policy.
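An added example, not from the Check Point guide, that parses a property block in the ':key ( ... )' syntax of trac_client_1.ttm and reports the split_dns_enabled value the gateway would push; the property layout with a :gateway block and a :default attribute is assumed, the sample text is constructed, and a value outside true / false / client_decide is rejected rather than silently treated as disabled.

```python
import re

# Tokens of the property syntax assumed here: parentheses, ':key' names and bare values.
_TOKEN = re.compile(r"\(|\)|:[A-Za-z0-9_]+|[^\s()]+")
VALID_SPLIT_DNS = {"true", "false", "client_decide"}  # the three values the guide lists

def _parse_block(tokens, pos):
    """Parse ':key ( ... )' entries up to the closing ')'; return (dict, next position)."""
    node = {}
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ")":
            return node, pos + 1
        if not tok.startswith(":") or pos + 1 >= len(tokens) or tokens[pos + 1] != "(":
            raise ValueError(f"expected ':key (' at token {pos}, got {tok!r}")
        key, pos = tok[1:], pos + 2
        # Leaf ':key (value)' versus nested block ':key ( :sub (...) ... )'.
        is_leaf = (pos + 1 < len(tokens) and tokens[pos] not in ("(", ")")
                   and not tokens[pos].startswith(":") and tokens[pos + 1] == ")")
        if is_leaf:
            node[key], pos = tokens[pos], pos + 2
        else:
            node[key], pos = _parse_block(tokens, pos)
    return node, pos

def parse_ttm(text):
    """Parse .ttm property text into nested dicts; leaf values are strings."""
    return _parse_block(_TOKEN.findall(text), 0)[0]

def split_dns_setting(text):
    """Return the split_dns_enabled value the gateway pushes; 'false' when the property is absent."""
    prop = parse_ttm(text).get("split_dns_enabled")
    if prop is None:
        return "false"
    value = prop.get("gateway", {}).get("default")
    if value not in VALID_SPLIT_DNS:  # reject typos instead of silently treating them as disabled
        raise ValueError(f"split_dns_enabled :default must be one of {sorted(VALID_SPLIT_DNS)}, got {value!r}")
    return value

# Constructed sample of the property as it is assumed to appear in trac_client_1.ttm.
SAMPLE_TTM = """
:split_dns_enabled (
    :gateway (
        :default (client_decide)
    )
)
"""

if __name__ == "__main__":
    print(split_dns_setting(SAMPLE_TTM))  # client_decide
```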
Important: By default, a Security Gateway comes with a license for 5 users. You can attach a larger blade, if more users are required.
The blades come in 3 sizes: 50, 200 or Unlimited. You can attach 1 blade only. If more users are needed you have to trade in, and go to the next higher blade. For the MOB blade, each Security Gateway needs its own blade.
With a 50 blade attached, 55 concurrent users are supported; with a 200 blade attached, 205 concurrent users are allowed; and with Unlimited an Unlimited number are supported.
Check Point offers the following licenses for VPN products:
- Endpoint Security Remote Access VPN (CPSB-EP-VPN)
- Capsule Workspace (CP-CPSL-WORK or CP-CPSL-TOTAL)
IPSec VPN (CPSB-VPN)
The IPSec VPN Software Blade enables Check Point Security Gateways to allow encrypted traffic to traverse the enforcement point in general. This encrypted traffic passes over Site-to-Site VPN tunnels, as well as over VPN tunnels established by SecuRemote.
Note: The IPSec VPN blade enables encrypted traffic to traverse the Security Gateway; this is not limited to IPSec VPN traffic. For example, SSL traffic is also enabled. Additional licensing may still be required depending on the client license requirements as well. See below for more information.
Endpoint Security Remote Access VPN (CPSB-EP-VPN)
The Remote Access VPN Software Blade enables remote clients to connect to the network and to obtain an Office Mode IP address. The VPN clients enabled by this license include:
- Endpoint Security E80.x
- Endpoint Security VPN E75
- Endpoint Connect R73 (this product has officially reached end of life)
- SecureClient NGX R60 (this product has officially reached end of life)
This license is enforced based on installed endpoint clients. Both online (actively connected via VPN) and offline (not currently actively connected via VPN) endpoint clients require a license. An Endpoint is defined as a computer instance in the Check Point secured environment.
CPEP-C-1+1000 CPSB-EP-FW+1000 CPEP-PERP CPSB-SWB
This is the Endpoint firewall license that comes with EP-ACCESS. It does not allow VPN.
Mobile Access (CPSB-MOB)
The Mobile Access Software Blade enables both client and clientless remote users to connect to the network. These users may or may not receive an Office Mode IP address, and this depends on the type of connection that the user is making. The VPN connections permitted by this license include the following:
- Mobile Access (also known as SSL VPN, and formerly known as Connectra; not supported for use with the IPSO operating system)
- SSL Network Extender (also known as SNX; 'Network Mode' provides an Office Mode IP address; 'Application Mode' does not offer an Office Mode IP address)
- Check Point Mobile for Windows
This license is enforced based on concurrent connections. Users connecting with one of these solutions will consume a license for the duration of the connection only; the license will be released for use by another user upon termination of the current connection.
CPSB-SSLVPN-5/10/50/U
This is the string that the MOB-x blade generates.
CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M
This is the license that allows SSL Network Extender. It is generated from the MOB blade.
Capsule Workspace (CP-CPSL-WORK or CP-CPSL-TOTAL)
The Mobile Enterprise Software Blade enables remote applications installed on smartphones and tablets to connect to a network and access limited network resources.
This license is enforced by user; each user can register up to 3 devices (for example, iPhone and iPad). Users connecting with this solution are issued a registration key for each device, which remain valid for a period of time determined by the Security Administrator.
Which license is required to allow L2TP VPN tunnels
Question: In order to allow L2TP VPN tunnels, if the customer already has the Endpoint VPN Remote Access Blade, is this enough, or is a Mobile Access Blade license required? Meaning, for L2TP, do we need an Endpoint VPN Client license or a Mobile Access License?
Answer: In order to allow L2TP VPN tunnels, you would just need the IPSec VPN license on the Security Gateway. There is no need for the Mobile Access License.
More information about Office Mode
Mobile Access licenses are dependent on the client being used to connect to the Remote Access Gateway. There are 3 basic clients: SecuRemote, Check Point Mobile, and the Endpoint Security VPN client. SecuRemote requires no additional license, but does not offer an Office Mode IP. It is not designed for a large number of users.
The Check Point Mobile client offers an Office Mode IP.
This client uses the Mobile Access blade license on the gateway itself. By default, a gateway comes with a license for 5 users. Then you can attach a larger blade if more users are required. The blades come in 3 sizes: 50, 200 or Unlimited. You can attach 1 blade only. If more users are needed you have to trade in and go to the next higher blade. For the MOB blade, each gateway needs its own blade. With a 50 blade attached, 55 concurrent users are supported. With a 200 blade attached, 205 concurrent users are allowed, and with Unlimited an Unlimited number are supported. The eval for this would be the 'all in one' eval.
The third client is the Endpoint Security VPN client. It offers an Office Mode IP.