20 October 2010


Upgrading SecureClient to Endpoint Security VPN R75 on R70.40 Security Management






© 2010 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page ( for a list of our trademarks.
Refer to the Third Party copyright notices ( for a list of
relevant copyrights and third-party licenses.




Important Information
Latest Documentation
The latest version of this document is at:

For additional technical information, visit the Check Point Support Center
().
Revision History
20 October 2010 - Added procedure for restoring the TTM file with customizations ("Restoring Settings" on page 22).
14 October 2010 - Added Desktop rule to allow MEP traffic ("Making a Desktop Rule for MEP" on page 29). The connect_timeout parameter was removed from the list of commonly changed configuration file parameters, because it must not be used in this installation.
10 October 2010 - To reflect the easy process of moving from SecureClient to Endpoint Security VPN, migration is changed to upgrading. Updated Microsoft Windows 7 Editions and fixed client version number in Supported Platforms ("System Requirements" on page 6).
28 September 2010 - Updated feature lists ("Before Upgrading to Endpoint Security VPN" on page 6).
13 September 2010 - Window pictures added, different versions of document released for different versions of SmartDashboard.
June, 2010 - Initial version.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:?subject=Feedback on Upgrading SecureClient to Endpoint
Security VPN R75 on R70.40 Security Management ).



Contents
Important Information 3
Introduction to Endpoint Security VPN 5
Using Different Management Servers 5
Why You Should Upgrade to Endpoint Security VPN 5
Before Upgrading to Endpoint Security VPN 6
System Requirements 6
New Endpoint Security VPN Features 6
SecureClient Features Supported in Endpoint Security VPN 7
SecureClient Features Not Yet Supported 9
Configuring Security Gateways to Support Endpoint Security VPN 10
Installing Hotfix on Gateways 10
Configuring SmartDashboard 11
Supporting Endpoint Security VPN and SecureClient Simultaneously 14
Troubleshooting Dual Support 17
Installing and Configuring Endpoint Security VPN on Client Systems 18
Installing Endpoint Security VPN on Client Systems 18

Client Icon 18
Helping Users Create a Site 18
Connecting to a Site 19
Pre-Configuring Proxy Settings 19
Pre-Configuring Always Connect 20
Using the Packaging Tool 20
The Configuration File 22
Configuration File Overview 22
Restoring Settings 22
Centrally Managing the Configuration File 22
Parameters in the Configuration File 23
Migrating Secure Configuration Verification 24
Multiple Entry Point (MEP) 25
Configuring Entry Point Choice 25
Defining MEP Method 26
Implicit MEP 26
Configuring Implicit First to Respond 26
Configuring Implicit Primary-Backup 27
Configuring Implicit Load Distribution 28
Manual MEP 29
Making a Desktop Rule for MEP 29
Differences between SecureClient and Endpoint Security VPN CLI 30


Page 5

Chapter 1
Introduction to Endpoint Security VPN
Endpoint Security VPN is a lightweight remote access client for seamless, secure IPSec VPN connectivity to remote resources. It authenticates the parties and encrypts the data that passes between them.
Endpoint Security VPN is intended to replace the current Check Point remote access client: SecureClient.

Note - You can install Endpoint Security VPN on several Linux/Unix-based platforms as well as
Microsoft Windows platforms. The procedures included in this document use the Linux/Unix
environment variable convention ($FWDIR).
If you are using a Windows platform, substitute %FWDIR% for the environment variable in the
applicable procedures.
In This Chapter
Using Different Management Servers 5
Why You Should Upgrade to Endpoint Security VPN 5
Before Upgrading to Endpoint Security VPN 6


Using Different Management Servers
Environments with SecureClient already deployed can be easily upgraded to Endpoint Security VPN. The SmartDashboard for different versions of management servers is different. Use the documentation for the SmartDashboard that you have.
This guide is for the R70.40 Security Management server.
 If you have NGX R65 SmartCenter server, see Upgrading SecureClient to Endpoint Security VPN R75 on NGX R65 SmartCenter server.
 If you have the R71 Security Management server, see Upgrading SecureClient to Endpoint Security VPN R75 on R71 Security Management.

Why You Should Upgrade to Endpoint Security VPN
Check Point recommends that all customers upgrade from SecureClient to Endpoint Security VPN as soon as possible, to have these enhancements.

 Automatic and transparent upgrades, with no administrator privileges required
 Supports 32-bit and 64-bit, Windows Vista and Windows 7
 Uses less memory resources than SecureClient
 Automatic disconnect/reconnect as clients move in and out of the network
 Seamless connection experience while roaming

 Supports most existing SecureClient features, including Office Mode, Desktop Firewall, Secure
Configuration Verification (SCV), Secure Domain Logon (SDL), and Proxy Detection
 Supports many additional new features
 Does not require a Security Management server upgrade
 Endpoint Security VPN and SecureClient can coexist on client systems during the upgrade period


Note - Check Point will end its support for SecureClient in mid-2011.

Before Upgrading to Endpoint Security VPN
Before upgrading, consider these issues.

System Requirements
Management Server and Gateway:

Note - See the Release Notes of the specific Check Point version for supported versions of
different platforms.
 All supported platforms NGX R65 HFA 70 (R65.70) with NGX R66 Management plug-in.
 All supported platforms for R70.40.



Notes -
Endpoint Security VPN supports VPN gateway redundancy with Multiple Entry Point (MEP). You
can install the Endpoint Security VPN package on multiple gateways and must install it on the
server to enable MEP.
The server and gateway can be installed on open servers or appliances. On UTM-1 appliances,
you cannot use the WebUI to install Endpoint Security VPN.
Support for R71 gateways will be released in a future HFA for Endpoint Security VPN.

Clients: Endpoint Security VPN R75 can be installed on these platforms:
 Microsoft Windows XP 32 bit SP2, SP3
 Microsoft Windows Vista 32 bit and 64 bit SP1
 Microsoft Windows 7 Home Edition 32 bit and 64 bit
 Microsoft Windows 7 Home Premium 32 bit and 64 bit
 Microsoft Windows 7 Pro 32 bit and 64 bit
 Microsoft Windows 7 Ultimate 32 bit and 64 bit
 Microsoft Windows 7 Enterprise 32 bit and 64 bit

New Endpoint Security VPN Features

Hotspot Detection and Registration (Exclusion for Policy):
 Automatically detects hotspots that prevent the client system from establishing a VPN tunnel
 Opens a mini-browser to allow the user to register to the hotspot and connect to the VPN gateway
 Firewall support for hotspots
Automatic Connectivity Detection - Automatically detects whether the client is connected to the Internet or LAN
Automatic Certificate Renewal in CLI Mode - Supports automatic certificate renewal, including in CLI mode
Location Awareness - Automatically determines if the client is inside or outside the enterprise network
Roaming - Maintains the VPN tunnel if the client disconnects and reconnects using different network interfaces
Automatic and Transparent Upgrade Without Administrator Privileges - Updates the client system securely and without user intervention
Windows Vista / Windows 7 64 Bit Support - Supports the latest 32-bit and 64-bit Windows operating systems
Automatic Site Detection - During first time configuration, the client detects the VPN site automatically. Note: This requires DNS configuration and is only supported when configuring the client within the internal network.
Geo Clusters - Connect the client system to the closest VPN gateway based on location. For more information on geo clusters, see sk43107 (http://supportcontent.checkpoint.com/solutions?id=sk43107).
Machine Idleness - Disconnect the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.
Flush DNS Cache - Remove previous DNS entries from the DNS cache when creating the VPN tunnel


SecureClient Features Supported in Endpoint Security VPN

Authentication Methods:
 Username/Password
 Certificate
 SecurID (passcode, softID, key fobs)
 Challenge Response
Cached Credentials - Cache credentials for user login
NAT-T/Visitor Mode - Let users connect from any location, such as a hotel, airport, or branch office
Multiple Entry Point (MEP) - VPN gateway redundancy. Endpoint Security VPN MEP gateways can be in different VPN domains (see Appendix A).
Pre-Configured Client Packaging - Predefined client installation package with configurations for easy provisioning
Office Mode - Internal IP address for remote access VPN users
Compliance Policy (Secure Configuration Verification, SCV) - Verifies client system policy compliance before allowing remote access to the internal network
Proxy Detect / Replace - Detect proxy settings in client system web browsers for seamless connectivity
Route All Traffic - Send all traffic from the client system through the VPN gateway
Localization - Supported languages: Chinese (simplified), English, French, German, Hebrew, Italian, Japanese, Russian, Spanish
Certificate Enrollment / Renewal - Automatic enrollment and renewal of certificates issued by the Check Point Internal CA server
CLI and API Support - Manage the client with third party software
Tunnel Idleness - Disconnect the VPN if there is no traffic for a specified duration
Dialup - Support dialup connections
Disconnect On Smart Card Removal - Disconnect the VPN if a Smart Card is removed from the client system
Re-authentication - After a specified duration, the user is asked for re-authentication
Keep-alive - Send keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel
Check Gateway Certificate in CRL - Validate the VPN gateway certificate in the CRL list
Desktop Firewall Configured from SmartDashboard Desktop Policy - Personal firewall integrated into the client, managed with the SmartDashboard desktop policy
Configuration File Corruption Recovery - Recover corrupted configuration files
Secure Domain Logon (SDL) - Establish the VPN tunnel prior to user login
Desktop Firewall Logs in SmartView Tracker - Desktop firewall logs are displayed in SmartView Tracker
End-user Configuration Lock - Prevent users from changing the client configuration
Update Dynamic DNS with the Office Mode IP - Assign an internal IP address for remote access VPN users in the Dynamic DNS
Secure Authentication API (SAA) - Integrate with third party authentication providers
SmartView Monitor - Monitor VPN tunnel and user statistics with SmartView Monitor
Post Connect Script - Execute manual scripts before and after the VPN tunnel is established


SecureClient Features Not Yet Supported
Currently, these features of SecureClient are not supported by Endpoint Security VPN. Many of these features are expected to be supported in the next release.

Single Sign-on (SSO) - One set of credentials to log in to both the VPN and the Windows operating system
"Suggest Connect" Mode (Auto Connect) - Create the VPN tunnel when the client generates traffic to the VPN domain resources
Entrust Entelligence Support - Entrust Entelligence package providing multiple security layers, strong authentication, digital signatures, and encryption
Diagnostic Tools - Tools for viewing logs and alerts
Compression - Compress IPSec traffic
VPN Connectivity to VPN-1 VSX - Terminate the VPN tunnel at Check Point VSX gateways
DNS Splitting - Support multiple DNS servers
"No Office Mode" Connect Mode - Connect to the VPN gateway without requiring Office Mode
Pre-shared secret - Authentication method that uses a pre-shared secret
Link Selection - Multiple interface support with redundancy
Secondary Connect (Including Fast Failover) - Connect to multiple VPN gateways simultaneously and establish VPN tunnels to all resources located behind each VPN gateway
DHCP Automatic Lease Renewal - Automatically renew IP addresses obtained from DHCP servers



Chapter 2
Configuring Security Gateways to Support Endpoint Security VPN
In This Chapter
Installing Hotfix on Gateways 10
Configuring SmartDashboard 11
Supporting Endpoint Security VPN and SecureClient Simultaneously 14
Troubleshooting Dual Support 17


Installing Hotfix on Gateways
To run Endpoint Security VPN and SecureClient simultaneously on client systems, install the hotfix on
production gateways or on a standalone, self-managed gateway.
To use the Implicit MEP feature, you must install the hotfix on the Security Management server. If you do not
need this feature, the hotfix does not have to be installed on the server (only on the gateways).

Important -
 If you install the hotfix on a new dedicated gateway in a production environment, with the same management server as other Remote Access gateways, this gateway will also be added to the topology used by SecureClient clients. This may cause SecureClient clients to connect to the new Endpoint Security VPN gateway. You must make sure that resources set by the encryption domain on the Endpoint Security VPN gateway are accessible to the SecureClient clients.
 If you have clients that use a pre-shared secret to authenticate, you must give the users a different authentication - one that is supported by Endpoint Security VPN.
To install the hotfix on a Security Gateway:
1. Download the hotfix from the Check Point Support Center ().
2. Copy the hotfix package to the gateway.
3. Run the hotfix:
 On SecurePlatform, Disk-based IPSO, and Solaris:
[admin@gateway ~/hf]$ tar -zxvf hotfix_file.tgz
[admin@gateway ~/hf]$ ./fw1_HOTFIX_FLO_HFA_EVE2_HF_553_
Do you want to proceed with installation of Check Point fw1 R70
Support FLO_HFA_EVE2 for Check Point VPN-1 Power/UTM NGX R65 on
this computer?
If you choose to proceed, installation will perform CPSTOP.
(y-yes, else no):y
 On Windows platforms, double-click the installation file and follow the instructions.
If WebUI is enabled on the gateway, it must listen on a port other than 443. Otherwise, Endpoint
Security VPN will not be able to connect.
4. Reboot the Security Gateway.

Configuring SmartDashboard
You manage Endpoint Security VPN through the SmartDashboard. This task explains how to set up the
SmartDashboard to access Endpoint Security VPN configurations. Before you begin, make sure you have a
network for Office Mode allocation. If you do not have such a network set up, create it now.
To configure SmartDashboard for Endpoint Security VPN:
1. Set the Security Gateway to be a policy server:
a) In the Network Objects Tree, right click the Security Gateway and select Edit.
The Check Point Gateway - General Properties window opens.


b) In Software Blades > Network Security, select IPSec VPN > Policy Server.
c) Open Authentication.

d) In Policy Server, select an existing user group, or create a new user group, to be assigned to the
policy.
2. Configure Visitor Mode:
a) Open Remote Access.

b) In Visitor Mode configuration, select Support Visitor Mode.
3. Configure Office Mode:
a) Open Remote Access > Office Mode.
b) In Office Mode Method, select Manual (using IP pool).
c) In Allocate IP addresses from network, select the network for Office Mode allocation.
4. Click OK.
5. Make sure that the Security Gateway is in the Remote Access community:
a) Select Manage > VPN Communities.
The VPN Communities window opens.
b) Double-click RemoteAccess.
The Remote Access Community Properties window opens.
c) Open Participating Gateways.
d) If the Security Gateway is not already in the list of participating gateways: click Add, select the Security Gateway from the list of gateways, and click OK.
e) Click OK.
f) Click Close.
6. Make sure that the desktop policy is configured correctly (Desktop tab).
7. Install the policy: Policy menu > Install.

Supporting Endpoint Security VPN and SecureClient Simultaneously
To run both Endpoint Security VPN and SecureClient on client systems, you must configure the server and the gateways that will handle these remote access clients.
Before you begin, make sure that the encryption domains on these gateways fully overlap with the encryption domains of all other gateways and that all gateways provide connectivity to the same resources.
To configure the gateways in SmartDashboard for management of both clients:
1. On the Desktop tab, add this rule to ensure that the Endpoint Security VPN firewall does not block SecureClient. Allow outbound connections on:
 UDP 18231
 UDP 18233
 UDP 2746 for UDP Encapsulation
 UDP 500 for IKE
 TCP 500 for IKE over TCP
 TCP 264 for topology download
 UDP 259 for MEP configuration
 UDP 18234 for performing the tunnel test when the client is inside the network
 UDP 4500 for IKE and IPSEC (NAT-T)
 TCP 18264 for ICA certificate registration
 TCP 443 for Visitor Mode
 TCP 80

2. Open Policy menu > Global Properties.
The Global Properties window opens.
3. Open Remote Access > VPN - Advanced.

4. Select Sent in clear.
5. If secure configuration verification (SCV) is configured, add an exception for Endpoint Security VPN.
a) Open Remote Access > Secure Configuration Verification (SCV).
Supporting Endpoint Security VPN and SecureClient Simultaneously

Configuring Security Gateways to Support Endpoint Security VPN Page 16

b) Select Apply Secure Configuration Verification on Simplified mode.

c) Click Exceptions.
The Secure Configuration Verification Exceptions window opens.

d) Select Do not apply Secure Configuration Verification on SSL clients connections.
e) Click OK.
6. Click OK.
7. Do Policy > Install.

Suggest Connect Mode:
Users can disable the Suggest Connect option in SecureClient clients. If enabled, it might interfere with
Endpoint Security VPN connectivity.

Troubleshooting Dual Support
If SecureClient blocks Endpoint Security VPN traffic:
1. Make sure that you selected Remote Access > VPN - Advanced > Sent in clear.
2. Choose how you want to solve this issue:
 If users manage their own clients: users delete the SecureClient site.
Note - It is not enough to disable the site. It must be deleted.
 If you solve this issue for all clients: change the Desktop rule base.
a) In the Outbound Rules, add this rule above the last rule. (The last rule should be Any Any Block.)
 Destination = Endpoint Security VPN Security Gateway
 Service = http, https, IKE_NAT_TRAVERSAL
 Action = Accept
b) Install the policy.
To uninstall SecureClient:
 If you install Endpoint Security VPN after SecureClient, and you want to uninstall SecureClient, you
cannot do it from Add/Remove Programs. You must open the Uninstall SecureClient program
from Start > Programs.
 To remotely uninstall SecureClient with a script, run: UninstallSecureClient.exe from the
SecureClient installation directory.


Chapter 3
Installing and Configuring Endpoint Security VPN on Client Systems
In This Chapter
Installing Endpoint Security VPN on Client Systems 18
Client Icon 18
Helping Users Create a Site 18
Connecting to a Site 19
Pre-Configuring Proxy Settings 19
Pre-Configuring Always Connect 20
Using the Packaging Tool 20


Installing Endpoint Security VPN on Client Systems
The Endpoint Security VPN installation package is a self-installing executable that you can download from
the Check Point Download Center.
If you uninstall a client to install or upgrade Endpoint Security VPN, you must restart the client when
prompted.

Client Icon
The client tray icon shows the status of Endpoint Security VPN. The icon shows one of these states:
 Disconnected
 Connecting
 Connected
 Encryption (encrypted data is being sent or received on the VPN)
 Error
You can also hover your mouse on the icon to show the client status.

Helping Users Create a Site
Each client must have at least one site defined. The site is the VPN gateway. If you did not pre-configure the client for a default site, make sure your users have:
 The gateway fingerprint.
 The gateway IP address or domain name.
 The authentication method you want them to use.
 Authentication materials (username, password, certificate file, RSA SecurID, or access to HelpDesk for challenge/response authentication).

Connecting to a Site
You might have to help users connect to the VPN. The Endpoint Security VPN client lets users connect to
sites - where the site is the VPN gateway.
To connect to a site:
1. Right-click the client icon and select Connect or Connect to.
A site connection window opens.
 This window has authentication fields according to the selected authentication method.
 If you selected Connect to, you can select the site to which you would like to connect.
2. Enter credentials, and click Connect.
A connection progress window opens. Wait until the connection is made.


Pre-Configuring Proxy Settings

Note - Remote-location proxy-server settings are usually detected automatically.
If a user is at a remote site that has a proxy server, the Endpoint Security VPN client must be configured to
pass through the proxy server to reach the gateway.
If you know that this will be an issue, you can configure this option when you prepare the client MSI file.
Otherwise, you can help your user configure the proxy server when the issue comes up.
To configure proxy settings on the client:
1. In the Options > Advanced tab, click Proxy Settings.
The Proxy Settings window opens.

2. Select an option.
 No Proxy - Make a direct connection to the VPN.
 Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer >
Tools > Internet options > Connections > LAN Settings.
 Manually define proxy - Enter the IP address and port number of the proxy. If necessary, enter a
valid user name and password for the proxy.
3. Click OK.

Pre-Configuring Always Connect
You can help users set the Always Connect option. This lets the client connect automatically to the active
site. In a default package, this option is available for users to change.
To configure Always Connect in the client:
1. Right-click the client icon and select VPN Options.
The Options window opens.

2. On the Sites tab, select the VPN gateway, and click Properties.
The Properties window for the site opens.
3. Open the Settings tab.
4. Click Enable Always-Connect.
5. Click OK.

Using the Packaging Tool
You can create a package of the Endpoint Security VPN client with pre-defined settings, such as a VPN site
and authentication methods. When you deploy the package to users, it is easier for them to connect quickly.
Endpoint Security VPN Administration mode lets you create pre-configured packages. You open one
instance of the client, configure all settings, and save the client MSI.
If any of these features are disabled on the client in Administration mode, change the configuration of the
gateways.
To create a pre-configured package:
1. Open the client in Administration mode:
 32-bit systems - C:\Program Files\CheckPoint\Endpoint Connect\AdminMode.bat
 64-bit systems - C:\Program Files(x86)\CheckPoint\Endpoint Connect\AdminMode.bat
2. Right-click the client icon and select VPN Options.
The Options window opens, with the Administration tab.
3. On the Sites tab, define the site you want clients to use.
4. Select the site and click Properties > Settings.

5. Select VPN options:
 Always-Connect - Let the client connect automatically to the active site.
 VPN tunneling - Make sure the client connects to the VPN for all outbound traffic. Enable Hub Mode for the gateway.
 Authentication
6. Click OK.
7. Open the Advanced tab and select relevant settings.
8. Open the Administration tab.

a) Input MSI Package Path - Select the input MSI package file.
b) Replace user's configuration when upgrading - Decide whether to keep the user configuration on
upgrade (clear the checkbox) or to merge the new configuration with existing configuration, including
client authentication. If you select this checkbox, users do not have to apply for new credentials to a
site they have been using.
c) Click Generate to create the MSI package.
A window opens to prompt for a location to save the generated package.
9. Distribute this package to Endpoint Security VPN users.



Chapter 4
The Configuration File
In This Chapter
Configuration File Overview 22
Restoring Settings 22
Centrally Managing the Configuration File 22
Parameters in the Configuration File 23
Migrating Secure Configuration Verification 24


Configuration File Overview
The gateways save configuration parameters in the $FWDIR/conf/trac_client_1.ttm configuration file.
After you edit and save the file, install the policy.


Note - When editing the configuration file, do not use a word processor, such as Microsoft Word, which adds formatting codes to the file. Use a plain-text editor.

Restoring Settings
If you customized the trac_client_1.ttm in a previous installation, you can restore your settings to the new
$FWDIR/conf/trac_client_1.ttm file. Do not do this procedure if you did not change this file from its default
settings - the new defaults, in the new file, are recommended for this installation.
To restore settings:
1. See the difference in parameter values between the backup and new trac_client_1.ttm file.

Important - When copying settings from the backup TTM file, make sure not to copy the
connect_timeout parameter.
If you do, the clients cannot connect.
2. Copy the values from the backup that you want to restore, to the new trac_client_1.ttm.
3. Save the file.
4. Install the policy.

Centrally Managing the Configuration File
If the configuration file on each gateway is identical, you can manage one copy of the configuration file on
the Security Management server. This file is copied to the Security Gateways when you install the policy.

Important - You must use the newest configuration file installed on the gateway for Endpoint
Security VPN. This is important, because if you do not install Endpoint Security VPN on the
Security Management server, the server will have an outdated configuration file that does not
support new features.
To centrally manage the configuration file:
1. On the gateway, save a backup of $FWDIR/conf/trac_client_1.ttm.
2. From the gateway, copy trac_client_1.ttm to the server.
3. Open $FWDIR/conf/fwrl.conf and find the % SEGMENT FILTERLOAD section.
4. Within this section, add this line:
NAME = conf/trac_client_1.ttm;DST = conf/trac_client_1.ttm;
This copies the file to the Endpoint Security VPN gateways whenever you run Install Policy.
5. Save the file and install the policy.
When clients download the new policy from the gateway, configuration changes are applied.
Parameters in the Configuration File
This table shows some of the parameters of the TTM file. The default value is the recommended value.

allow_disable_firewall
Enable/disable the menu option for the user to disable the desktop firewall. Applied only if enable_firewall is true or client_decide.
Default: false

certificate_key_length, certificate_strong_protection, certificate_provider, internal_ca_site, internal_ca_dn
Certificate enrollment settings.
Defaults: 1024; true; "Microsoft Enhanced Cryptographic Provider v1.0"; none; none

default_authentication_method
Default authentication method.
Default: none

disconnect_on_smartcard_removal
Enable/disable client disconnection when the Smart Card with the current certificate is removed.
Default: false

do_proxy_replacement
Enable/disable proxy replacement.
Default: true

enable_capi
Enable/disable CAPI authentication.
Default: true

enable_firewall
Enable/disable the desktop firewall: true, false, or client_decide.
Default: true

enable_gw_resolving
Enable/disable DNS resolution on each connection. Used for MEP.
Default: true

flush_dns_cache
Enable/disable flushing the DNS cache while connecting.
Default: false

hotspot_detection_enabled
Enable/disable automatic hotspot detection.
Default: true

automatic_mep_topology
Enable/disable the implicit (automatic) MEP method. False - manual MEP method.
Default: true

ips_of_gws_in_mep
Security Gateway IP addresses for clients to connect to. Applied only if automatic_mep_topology is false. Addresses are separated by "&#", and the list is terminated by a final "&#": NNN.NNN.NNN.NNN&#MMM.MMM.MMM.MMM&#
Default: none

mep_mode
MEP mode, priority of Security Gateways defined in ips_of_gws_in_mep. Applied only if automatic_mep_topology is false. Valid values: dns_based, first_to_respond, primary_backup, load_sharing.
Default: dns_based

predefined_sites_only
Enable/disable the user's ability to create or modify sites.
Default: false

send_client_logs
Email addresses to which debug logs are sent.
Default: none

suspend_tunnel_while_locked
Enable/disable traffic suspension if the machine becomes inactive (due to lock or sleep) for a specified duration.
Default: false

tunnel_idleness_ignore_icmp
Enable/disable monitoring of ICMP packets to see if a tunnel is active.
Default: true

tunnel_idleness_ignored_tcp_ports
TCP ports that are not monitored to determine if a tunnel is active.
Default: none

tunnel_idleness_ignored_udp_ports
UDP ports that are not monitored to determine if a tunnel is active.
Default: 53&#137&#138&#

tunnel_idleness_timeout
Time, in minutes, after which a client will close an inactive tunnel. Zero (0) - the feature is disabled. The VPN tunnel will never close due to inactivity.
Default: 0

Note - sk42850 explains the complete file contents and syntax.
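A worked example of the "Restoring Settings" procedure above, applied to the parameters in this table; it is added here and is not Check Point tooling. It reads a backed-up and a new trac_client_1.ttm, lists the :default values that differ, and copies chosen values into the new file while refusing connect_timeout. The nested block shape (:name ( ... :default (value) ... )) is assumed from the :default(true) fragment in the text, and both sample files are constructed.

```python
"""Compare a backed-up trac_client_1.ttm with the new one and restore chosen
:default values, refusing connect_timeout as the guide requires.

Added example, not Check Point tooling.  The ':name ( ... :default (v) )'
block shape is assumed; both sample files below are constructed.
"""
import re

# A line that opens a block, e.g. ":allow_disable_firewall (".
_OPEN = re.compile(r"^\s*:(\w+)\s*\($")
# A ":default (value)" line, split into prefix / value / suffix.
_DEFAULT = re.compile(r"^(\s*:default\s*\()([^()]*)(\).*)$")
# Never carried over from a backup: the guide says a restored
# connect_timeout stops clients from connecting in this installation.
DO_NOT_RESTORE = {"connect_timeout"}

# Constructed sample: backup of the customised previous file ...
BACKUP_TTM = """\
:allow_disable_firewall (
        :gateway (
                :default (true)
        )
)
:connect_timeout (
        :gateway (
                :default (20)
        )
)
:tunnel_idleness_timeout (
        :gateway (
                :default (30)
        )
)
"""
# ... and the new file (table defaults; the connect_timeout value is made up).
NEW_TTM = """\
:allow_disable_firewall (
        :gateway (
                :default (false)
        )
)
:connect_timeout (
        :gateway (
                :default (60)
        )
)
:tunnel_idleness_timeout (
        :gateway (
                :default (0)
        )
)
"""


def parse_defaults(text):
    """Return {parameter: (default_value, line_index)}.

    Parentheses are counted per line to track nesting.  A ':name (' line at
    the outermost depth starts a parameter block; the first ':default' line
    inside that block is taken as the parameter's value.
    """
    found, depth, base, current = {}, 0, None, None
    for idx, line in enumerate(text.splitlines()):
        opener = _OPEN.match(line)
        if opener and base is None:
            base = depth
        if opener and depth == base:
            current = opener.group(1)
        elif current and current not in found:
            value = _DEFAULT.match(line)
            if value:
                found[current] = (value.group(2).strip(), idx)
        depth += line.count("(") - line.count(")")
        if base is not None and depth <= base:
            current = None  # block closed
    return found


def diff_defaults(backup_text, new_text):
    """Parameters present in both files whose :default values differ."""
    old, new = parse_defaults(backup_text), parse_defaults(new_text)
    return {p: (old[p][0], new[p][0])
            for p in old if p in new and old[p][0] != new[p][0]}


def restore_defaults(backup_text, new_text, params):
    """Copy the backup :default of each chosen parameter into the new file.

    Returns (merged_text, skipped); skipped lists parameters refused because
    they are on DO_NOT_RESTORE or absent from either file.
    """
    old, new = parse_defaults(backup_text), parse_defaults(new_text)
    lines, skipped = new_text.splitlines(), []
    for p in params:
        if p in DO_NOT_RESTORE or p not in old or p not in new:
            skipped.append(p)
            continue
        value, idx = old[p][0], new[p][1]
        lines[idx] = _DEFAULT.sub(lambda m: m.group(1) + value + m.group(3),
                                  lines[idx])
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    for name, (was, now) in sorted(diff_defaults(BACKUP_TTM, NEW_TTM).items()):
        print("%-26s backup=%-5s new=%s" % (name, was, now))
    merged, refused = restore_defaults(
        BACKUP_TTM, NEW_TTM, ["allow_disable_firewall", "connect_timeout"])
    print("refused:", refused)
    print(merged)
```

Review the printed differences first; the script only changes the parameters you name, and the merged text still has to be saved and followed by Install Policy as step 4 describes.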

Migrating Secure Configuration Verification
SecureClient uses SCV compliance checks, and so does Endpoint Security VPN. Some features of
SecureClient compliance are ignored by the Endpoint Security VPN client.
 user_policy_scv - This SCV check sets the compliance status of a client after a user disables the
Desktop security policy. (SecureClient users can disable the firewall.) If the value of this check in
local.scv is true, the SecureClient client is still compliant, if the SecureClient user disables the firewall.
If the value is false and the user disables the firewall, the SecureClient client is not compliant.
To let Endpoint Security VPN users disable the Desktop security policy and keep compliance for the
client, configure the $FWDIR/conf/trac_client_1.ttm file: find allow_disable_firewall and
set :default(true).
 sc_ver_scv - This SCV check tests for the version of SecureClient. Currently, there is no SCV check for
the version of Endpoint Security VPN.
 ckp_scv - This SCV check is obsolete.
Appendix A
Multiple Entry Point (MEP)
Multiple Entry Point (MEP) gives high availability and load sharing to VPN connections. A Security Gateway is one point of entry to the internal network. If the Security Gateway becomes unavailable, the internal network is also unavailable. A Check Point MEP environment has two or more Security Gateways for the same VPN domain to give remote users uninterrupted access. Endpoint Security VPN automatically detects and uses MEP topology.
MEP topology gives High Availability and load sharing with these characteristics:
 There is no physical restriction on the location of MEP Security Gateways. They can be geographically
separated and not directly connected.
 MEP Security Gateways can be managed by different management servers.
 There is no state synchronization in MEP. If a Security Gateway fails, the current connection falls and
one of the auxiliary Security Gateways picks up the next connection.
 Remote clients, not the gateways, find the Security Gateway to use.
To enable MEP, you must install the Hotfix on the Security Management server and on each Security
Gateway.
In This Appendix
Configuring Entry Point Choice 25
Defining MEP Method 26
Implicit MEP 26
Manual MEP 29
Making a Desktop Rule for MEP 29


Configuring Entry Point Choice
Configure how the client will choose a gateway from the list of multiple entry points.
 First to Respond - The first Security Gateway to reply is chosen and the VPN tunnel is between that gateway and the client. The client asks for a response for each connection.
Recommendation: Use this if you have multiple gateways that are geographically distant. For example, an organization has three gateways: London, Sundsvall, and Paris. Usually, the London Security Gateway responds first to clients in England and is their entry point to the internal network. If the London gateway goes down, these users access the network through the Paris or Sundsvall gateway that responds first.
 Primary-Backup - One or multiple auxiliary Security Gateways give high availability for a primary Security Gateway. Endpoint Security VPN is configured to connect with the primary Security Gateway, but switches to a Backup Security Gateway if the Primary goes down.
Recommendation: Use this if you have multiple gateways, and one is stronger or connects faster. Set the stronger machine as the primary. Clients use the backup if the primary is unavailable.
 Load Distribution - Endpoint Security VPN randomly selects a Security Gateway.
Recommendation: Use this if you have multiple gateways of equal performance. The traffic of Endpoint Security VPN clients is shared between the gateways. Each client creates a tunnel with a random, available gateway.
 Geo-Cluster Name Resolution - By default, Endpoint Security VPN resolves Security Gateway DNS names for all connections. Optionally, you can store IP addresses in a cache. This can improve performance by preventing repetitive DNS name resolution.
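The three choice methods above can be modelled directly. This added example (not Check Point client code) parses the ips_of_gws_in_mep list format from the parameter table and shows which gateway a client would pick under first_to_respond, primary_backup and load_sharing before and after the primary stops answering; the gateway addresses and response times are constructed, and the dns_based mode is not modelled.

```python
"""Model of how an Endpoint Security VPN client picks a MEP entry point.

Added example for this guide, not Check Point client code.  It covers the
first_to_respond, primary_backup and load_sharing values of mep_mode and
the '&#'-separated ips_of_gws_in_mep format; dns_based is not modelled.
Gateway addresses and probe times below are constructed sample data.
"""
import random

SEP = "&#"


def parse_gw_list(value):
    """Split an ips_of_gws_in_mep value such as 'A&#B&#' into addresses.

    The list is terminated by a trailing separator, so the final empty
    element is dropped; an empty or 'none' value yields no gateways.
    """
    if not value or value == "none":
        return []
    if not value.endswith(SEP):
        raise ValueError("ips_of_gws_in_mep must end with %r" % SEP)
    return [gw for gw in value.split(SEP) if gw]


def format_gw_list(addresses):
    """Inverse of parse_gw_list: join and add the terminating separator."""
    return "".join(addr + SEP for addr in addresses)


def choose_gateway(mep_mode, gateways, probe, rng=random):
    """Return the gateway a client would use, or None if none responds.

    gateways: ordered list from ips_of_gws_in_mep (first entry = primary).
    probe:    dict gateway -> response time in ms, or None when the
              gateway does not answer (i.e. it is down).
    """
    alive = [gw for gw in gateways if probe.get(gw) is not None]
    if not alive:
        return None
    if mep_mode == "first_to_respond":
        # Every connection re-probes; the quickest answer wins.
        return min(alive, key=lambda gw: probe[gw])
    if mep_mode == "primary_backup":
        # Walk the configured order: primary first, then each backup.
        return alive[0]
    if mep_mode == "load_sharing":
        # A random pick among the available gateways spreads tunnels.
        return rng.choice(alive)
    raise ValueError("unsupported mep_mode: %s" % mep_mode)


# Constructed example: London is primary, Paris and Sundsvall are backups.
GATEWAYS_TTM = "192.0.2.10&#192.0.2.20&#192.0.2.30&#"
HEALTHY = {"192.0.2.10": 12, "192.0.2.20": 40, "192.0.2.30": 25}
LONDON_DOWN = dict(HEALTHY, **{"192.0.2.10": None})


def demo_failover(mep_mode):
    """Choice with all gateways up, and again after the primary stops."""
    gws = parse_gw_list(GATEWAYS_TTM)
    rng = random.Random(7)  # fixed seed keeps load_sharing reproducible
    return (choose_gateway(mep_mode, gws, HEALTHY, rng),
            choose_gateway(mep_mode, gws, LONDON_DOWN, rng))


def load_sharing_spread(gateways, probe, trials=50, seed=1):
    """Set of gateways chosen over several load_sharing connections."""
    rng = random.Random(seed)
    return {choose_gateway("load_sharing", gateways, probe, rng)
            for _ in range(trials)}


if __name__ == "__main__":
    for mode in ("first_to_respond", "primary_backup", "load_sharing"):
        print("%-17s all up -> %s, London down -> %s"
              % ((mode,) + demo_failover(mode)))
```

Note that first_to_respond and primary_backup agree while the primary is up but diverge once it fails: one follows the fastest remaining responder, the other the configured backup order.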
