SSL Network Extender
Introduction to the SSL Network Extender
Whenever users access the organization from remote locations, it is essential that not only the usual requirements of secure connectivity be met but also the special demands of remote clients. These requirements include:
- Connectivity: The remote client must be able to access the organization from various locations, even if behind a NATing device, Proxy or Firewall. The range of applications available must include web applications, mail, file shares, and other more specialized applications required to meet corporate needs.
- Secure connectivity: Guaranteed by the combination of authentication, confidentiality and data integrity for every connection.
- Usability: Installation must be easy. No configuration should be required as a result of network modification. The given solution should be seamless for the connecting user.
To resolve these issues, a secure connectivity framework is needed to ensure that remote access to the corporate network is securely enabled.
The SSL (Secure Socket Layer) Network Extender is a simple-to-implement remote access solution. A thin client is installed on the user's machine. (The SSL Network Extender client has a much smaller size than other clients.) It is connected to an SSL enabled web server that is part of the Enforcement Module. By default, the SSL enabled web server is disabled. It is activated by using the SmartDashboard, thus enabling full secure IP connectivity over SSL. The SSL Network Extender requires a server side configuration only, unlike other remote access clients. Once the end user has connected to a server, the thin client is downloaded as an ActiveX component, installed, and then used to connect to the corporate network using the SSL protocol.
It is much easier to deploy a new version of the SSL Network Extender client than it is to deploy a new version of other conventional clients.
Note - If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPsec VPN. In this case, SSL Network Extender must be configured through the Mobile Access blade. If you already had SSL Network Extender configured on an IPsec VPN Security Gateway and then you enable the Mobile Access blade, you must reconfigure SSL Network Extender for the Mobile Access blade.
How the SSL Network Extender Works
The SSL Network Extender is a thin client installed on the user's computer and an SSL enabled web server component, integrated into the Security Gateway.
To enable connectivity for clients using the SSL Network Extender, a Security Gateway must be configured to support Remote Access Clients, in addition to a minor configuration specific to SSL Network Extender.
Users download SSL Network Extender from a Security Gateway portal.
Commonly Used Concepts
This section briefly describes commonly used concepts that you will encounter when dealing with the SSL Network Extender. It is strongly recommended that you review the 'Remote Access VPN' section of this book before reading this guide.
Remote Access VPN
Refers to remote users accessing the network with client software such as Endpoint VPN clients, SSL clients, or third party IPsec clients. The Security Gateway provides a Remote Access Service to the remote clients.
Remote Access Community
A Remote Access Community, a Check Point concept, is a type of VPN community created specifically for users that usually work from remote locations, outside of the corporate LAN.
Office Mode
Office Mode is a Check Point remote access VPN solution feature. It enables a Security Gateway to assign a remote client an IP address. This IP address is used only internally for secure encapsulated communication with the home network, and therefore is not visible in the public network. The assignment takes place once the user connects and authenticates. The assignment lease is renewed as long as the user is connected. The address may be taken either from a general IP address pool, or from an IP address pool specified per user group, using a configuration file.
Visitor Mode
Visitor Mode is a Check Point remote access VPN solution feature. It enables tunneling of all client-to-Security Gateway communication through a regular TCP connection on port 443. Visitor mode is designed as a solution for firewalls and Proxy servers that are configured to block IPsec connectivity.
Endpoint Security on Demand
Endpoint Security on Demand (ESOD) may be used to scan endpoint computers for potentially harmful software before allowing them to access the internal application. When end users access the SSL Network Extender for the first time, they are prompted to download an ActiveX component that scans the end user machine for Malware. The scan results are presented both to the Security Gateway and to the end user. SSL Network Extender access is granted/denied to the end user based on the compliance options set by the administrator.
ESOD Policy per User Group
Since there are many different kinds of threats to your network's security, different users may require different configurations in order to guard against the increasing number and variety of threats. The ability to configure a variety of ESOD policies enables the administrator to customize the software screening process between different user groups.
Screened Software Types
ESOD can screen for the Malware software types listed in the following table:
Software Type | Description |
---|---|
Worms | Programs that replicate over a computer network for the purpose of disrupting network communications or damaging software or data. |
Trojan horses | Malicious programs that masquerade as harmless applications. |
Hacker tools | Tools that facilitate a hacker's access to a computer and/or the extraction of data from that computer. |
Keystroke loggers | Programs that record user input activity (that is, mouse or keyboard use) with or without the user's consent. Some keystroke loggers transmit the recorded information to third parties. |
Adware | Programs that display advertisements, or record information about Web use habits and store it or forward it to marketers or advertisers without the user's authorization or knowledge. |
Browser plug-ins | Programs that change settings in the user's browser or add functionality to the browser. Some browser plug-ins change the default search page to a pay-per-search site, change the user's home page, or transmit the browser history to a third party. |
Dialers | Programs that change the user's dialup connection settings so that instead of connecting to a local Internet Service Provider, the user connects to a different network, usually a toll number or international phone number. |
3rd party cookies | Cookies that are used to deliver information about the user's Internet activity to marketers. |
Other undesirable software | Any unsolicited software that secretly performs undesirable actions on a user's computer and does not fit any of the above descriptions. |
Special Considerations for the SSL Network Extender
This section lists SSL Network Extender special considerations, such as pre-requisites, features and limitations:
Pre-Requisites
The SSL Network Extender pre-requisites are listed below:
Client-side Pre-Requisites
The SSL Network Extender client-side pre-requisites for remote clients are:
- A supported Windows or Mac operating system.
- ActiveX controls or Java Applets must be allowed in the browser.
- A supported browser.
- First time client installation, uninstallation, and upgrade require administrator privileges on the client computer.
Server-Side Pre-Requisites
The SSL Network Extender server-side pre-requisites are listed below:
- The SSL Network Extender is a server side component that is part of the specific Enforcement Module with which it is associated. It may be enabled on a Security Gateway that is already configured to serve as a Remote Access SecureClient Security Gateway.
- The specific Security Gateway must be configured as a member of the Remote Access Community, and configured to work with Visitor Mode. This will not interfere with SecureClient functionality, but will allow SecureClient users to utilize Visitor Mode.
- The same access rules are configured for both SecureClient and SSL Network Extender users.
Features
The SSL Network Extender features are listed below:
- Easy installation and deployment.
- Intuitive and easy interface for configuration and use.
- The SSL Network Extender mechanism is based on Visitor Mode and Office Mode.
- Automatic proxy detection is implemented.
- Small size client: Download size of SSL Network Extender < 400K; after installation, size of SSL Network Extender on disk is approximately 650K.
- All Security Gateway authentication schemes are supported: Authentication can be performed using a certificate, Check Point password or external user databases, such as SecurID, LDAP, RADIUS and so forth.
- At the end of the session, no information about the user or Security Gateway remains on the client machine.
- Extensive logging capability, on the Security Gateway, identical to that in VPN-1 SecuRemote / SecureClient.
- High Availability Clusters and Failover are supported.
- SSL Network Extender Upgrade is supported.
- The SSL Network Extender supports the RC4 encryption method.
- Users can authenticate using certificates issued by any trusted CA that is defined as such by the system administrator in SmartDashboard.
- SSL Network Extender is now supported on IPSO.
- Endpoint Security on Demand prevents threats posed by Malware types, such as Worms, Trojan horses, Hacker's tools, Key loggers, Browser plug-ins, Adware, Third party cookies, and so forth.
- SSL Network Extender can be configured to work in Hub Mode. VPN routing for remote access clients is enabled via Hub Mode. In Hub mode, all traffic is directed through a central Hub.
Configuring SSL Network Extender
The following sections describe how to configure the server. Load Sharing Cluster Support, customizing the Web GUI, upgrading the SSL Network Extender client and Installation for Users without Administrator privileges are also discussed.
Configuring the Server
Before configuring the server, verify that you have a valid license for the SSL Network Extender.
Use cpconfig to verify that you have a valid license for the SSL Network Extender. Check Point software is activated with a License Key. You can obtain this License Key by registering the Certificate Key that appears on the back of the software media pack, in the Check Point Support Center.
Server-Side Configuration
The SSL Network Extender requires only server side configuration.
Configuring the Security Gateway as a Member of the Remote Access Community
- Open SmartDashboard, select the Security Gateway object on the Network Object tab of the Objects Tree.
The General Properties window is displayed.
- Verify that the IPsec VPN blade is selected and click OK.
- Select VPN in the objects tree on the left hand side.
- Verify that the module participates in the Remote Access Community. If not, add the module to the Remote Access Community.
- In the Topology Tab of the Security Gateway Properties page, configure the VPN Domain for SSL Network Extender, in the same way that you configure it for SecureClient.
Note - You can use the VPN Domain to configure SSL Network Extender to work in Hub Mode. All traffic is then directed through a central Hub. You can also use the 'Set domain for Remote Access Community' button on the same tab to create a different encryption domain for Remote Access clients that connect to the Security Gateway (see Configuring Selective Routing).
- Configure Visitor Mode, as described in the 'Resolving Connectivity Issues' chapter. Configuring Visitor Mode doesn't interfere with regular SecureClient users' functionality. It merely allows SecureClient users to enable Visitor Mode. (For a description of Visitor Mode, refer to Visitor Mode.)
Note - The SSL Network Extender uses TCP 443 (SSL) to establish a secure connection with VPN. The IPSO platform uses TCP 443 (SSL) for remote administration purposes. Another port may be assigned to the SSL Network Extender, however, this is not recommended, as most proxies do not allow ports other than 80 and 443. Instead, it is strongly recommended that you assign the IPSO platform web user interface to a port other than 443.
- To change a Voyager port on an IPSO platform, run:
voyager -e x -S <port number>
(x represents the encryption level.) For more information, run:
voyager -h
- Select IPSec VPN > Office Mode.
- Configure Office Mode, as described in the 'Office Mode' chapter. (For a description, refer to Office Mode.)
Note - Office Mode support is mandatory on the Security Gateway side.
- Configure Users and Authentication.
Configuring the Security Gateway to Support the SSL Network Extender
Note - If the Mobile Access blade is active on a Security Gateway, SSL Network Extender works through Mobile Access and not IPsec VPN. In this case, SSL Network Extender must be configured through the Mobile Access blade. If you already had SSL Network Extender configured on an IPsec VPN Security Gateway and then you enable the Mobile Access blade, you must reconfigure SSL Network Extender for the Mobile Access blade.
To configure the SSL Network Extender:
Note - You must configure each Security Gateway that will be using the SSL Network Extender.
- Select Remote Access > SSL Network Extender.
- Select SSL Network Extender.
- Select the server side certificate with which the Security Gateway will authenticate from the drop-down list.
- Click OK.
Configuring the SSL Network Extender
- Select Policy > Global Properties > Remote Access > SSL Network Extender. The SSL Network Extender Global Properties window is displayed.
- Select the user authentication method, employed by the SSL Network Extender, from the drop-down list. The options are:
- Certificate: The system will authenticate the user only via a certificate. Enrollment is not allowed.
- Certificate with enrollment: The system will authenticate the user only via a certificate. Enrollment is allowed. If the user does not have a certificate, he/she can enroll using a registration key, received previously from the system administrator.
- Legacy: (Default) The system authenticates the user via his/her Username and Password.
- Mixed: The system attempts to authenticate the user via a certificate. If the user does not have a valid certificate, the system attempts to authenticate the user via his/her Username and Password.
Management of Internal CA Certificates
If the administrator has configured Certificate with Enrollment as the user authentication scheme, users can create a certificate for their use, by using a registration key, provided by the system administrator.
To create a user certificate for enrollment:
- Follow the procedure described in 'The Internal Certificate Authority (ICA) and the ICA Management Tool' in the R77 Security Management Server Administration Guide.
Note - In this version, enrollment to an External CA is not supported.
- Browse to the ICA Management Tool site, https://<mngmt IP>:18265, and select Create Certificates.
- Enter the user's name, and click Initiate to receive a Registration Key, and send it to the user.
When the user attempts to connect to the SSL Network Extender, without having a certificate, the Enrollment window is displayed, and he/she can create a certificate for his/her use by entering the Registration Key, received from the system administrator.
For a description of the user login experience, refer to Downloading and Connecting the Client.
Note - The system administrator can direct the user to the URL, http://<IP>/registration.html, to allow the user to receive a Registration Key and create a certificate, even if they do not wish to use the SSL Network Extender, at this time.
- You can determine whether the SSL Network Extender will be upgraded automatically, or not. Select the client upgrade mode from the drop-down list. The options are:
- Do not upgrade: Users of older versions will not be prompted to upgrade.
- Ask user: (Default) Ask user whether or not to upgrade, when the user connects.
- Force upgrade: Every user, whether users of older versions or new users will download and install the newest SSL Network Extender version.
Note - The Force Upgrade option should only be used in cases where the system administrator is sure that all the users have administrator privileges. Otherwise, the user will not be able to connect to and use the SSL Network Extender.
For a description of the user upgrade experience, refer to Downloading and Connecting the Client.
- Select the supported encryption method from the drop-down list. The options are:
- 3DES only: (Default) The SSL Network Extender client supports 3DES, only.
- 3DES or RC4: The SSL Network Extender client supports the RC4 encryption method, as well as 3DES.
- You can determine whether the SSL Network Extender will be uninstalled automatically, when the user disconnects. Select the desired option from the drop-down list. The options are:
- Keep installed: (Default) Do not uninstall. If the user wishes to uninstall the SSL Network Extender, he/she can do so manually.
- Ask user whether to uninstall: Ask user whether or not to uninstall, when the user disconnects.
- Force uninstall: Always uninstall automatically, when the user disconnects.
For a description of the user disconnect experience, refer to Uninstall on Disconnect.
Note - The Uninstall on Disconnect feature will not ask the user whether or not to uninstall, and will not uninstall the SSL Network Extender, if a user has entered a suspend/hibernate state, while he/she was connected.
- You can determine whether Endpoint Security on Demand will be activated, or not. When ESOD is activated, users attempting to connect to the SSL Network Extender will be required to successfully undergo an ESOD scan before being allowed to access the SSL Network Extender. Select the desired option from the drop-down list. The options are:
- None
- Endpoint Security on Demand
Fetching the XML Configuration File
After installing the ESOD server and configuring it, fetch the XML config file from the ESOD server:
- Open a browser on any computer or server.
- Browse to http://<site ip>/<site name or virtual directory>/sre/report.asp and save the displayed XML file to disk, using Save As.
- Copy the XML file to $FWDIR/conf/extender/request.xml on the Security Gateway.
Upgrading ESOD
Note - At present, the Dynamic ESOD Update feature is not supported.
You can manually upgrade ESOD as follows:
- Replace the ICSScanner.cab file, under $FWDIR/conf/extender, with the new package.
- Edit the file ics.html, under $FWDIR/conf/extender, as follows:
  - Search for #Version= and replace the current value with the new version.
  - Save.
Configuring ESOD Policies
On the Security Management Server:
Note - Make sure that Endpoint Security on Demand is enabled in the Global Properties > Remote Access > SSL Network Extender page.
- Navigate to the $FWDIR/lib directory.
- Backup the vpn_table.def file.
- Change the file name vpn_table_HFA.def to vpn_table.def.
On the Security Gateway:
- Using the ESOD server, or ESOD configuration Tool (which can be downloaded from the Check Point download center), create xml policy files for each group and place them in $FWDIR/conf/extender.
- You can create a default policy file, named request.xml. This is optional, and will be used when no group is given.
- In the $FWDIR/conf folder, create a file called ics.group. This should be a text file, in which each row lists a group name and its policy xml file. Example of ics.group file:
Group1 group1.xml
Group2 group2.xml
Group3 defGroup.xml
Group4 defGroup.xml
Important notes about the ics.group file:
  - The group name must be the same as its name in SmartDashboard.
  - Several groups can register to the same xml file.
  - Each group must appear only once in the ics.group file.
  - Only groups that are listed in the ics.group file will use their specific xml files. Groups that are not listed in the ics.group file will try to use the default policy, located in the request.xml file. If the request.xml file does not exist, an error will be returned.
  - The default xml file, request.xml, cannot appear in the ics.group file.
- After creating the ics.group file (or after any change has been made), install policy.
- Run cpstop and then cpstart on the Security Gateway.
- Each user should be assigned the specific URL that matches his group. The URL should be in the format:
https://hostIP/<groupName>_ics.html
For example, all users belonging to 'group1' will surf to the assigned URL:
https://10.10.10.10/group1_ics.html
For troubleshooting tips, see Troubleshooting.
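The following Python script is an added example, not Check Point code: it checks an ics.group file against the rules listed above (one row per group, each group listed once, request.xml never listed, every referenced policy file present in the extender directory) and resolves which policy file a given group receives. The ics.group contents and the set of policy files are constructed samples; the list_extender_files helper is an assumption for running it against a real $FWDIR/conf/extender.

```python
"""Offline checker for the SSL Network Extender ics.group mapping.

Added example, not Check Point code. Applies the rules stated in the guide:
  * each row is '<group name> <policy xml file>'
  * a group may appear only once
  * the default policy request.xml may not be listed
  * every listed policy file must exist in $FWDIR/conf/extender
and resolves which policy a group gets (its own file, request.xml, or an error).
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

DEFAULT_POLICY = "request.xml"

# Constructed sample: the ics.group example given in the guide.
SAMPLE_ICS_GROUP = """\
Group1 group1.xml
Group2 group2.xml
Group3 defGroup.xml
Group4 defGroup.xml
"""

# Constructed sample: a file that breaks each rule once (duplicate group,
# request.xml listed, missing policy file, malformed row).
BAD_ICS_GROUP = """\
Group1 group1.xml
Group1 group2.xml
Group5 request.xml
Group6 missing.xml
Group7
"""

# Constructed stand-in for the file names present in $FWDIR/conf/extender.
SAMPLE_EXTENDER_FILES = {"group1.xml", "group2.xml", "defGroup.xml", "request.xml"}


@dataclass
class IcsGroupCheck:
    mapping: dict[str, str] = field(default_factory=dict)  # group -> policy file
    errors: list[str] = field(default_factory=list)        # one entry per bad row


def list_extender_files(extender_dir: str) -> set[str]:
    """Hypothetical helper: read the real extender directory on a gateway."""
    return set(os.listdir(extender_dir))


def parse_ics_group(text: str, extender_files: set[str]) -> IcsGroupCheck:
    """Parse ics.group text, collecting every rule violation instead of stopping at the first."""
    result = IcsGroupCheck()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no mapping
        parts = line.split()
        if len(parts) != 2:
            result.errors.append(f"line {lineno}: expected '<group> <file.xml>', got {line!r}")
            continue
        group, policy = parts
        if group in result.mapping:
            result.errors.append(f"line {lineno}: group {group!r} listed more than once")
            continue
        if policy == DEFAULT_POLICY:
            result.errors.append(f"line {lineno}: {DEFAULT_POLICY} may not be listed in ics.group")
            continue
        if policy not in extender_files:
            result.errors.append(f"line {lineno}: policy file {policy!r} not found in extender directory")
            continue
        result.mapping[group] = policy
    return result


def resolve_policy(group: str, check: IcsGroupCheck, extender_files: set[str]) -> str:
    """Policy a group receives: its own entry, else request.xml, else an error (as the guide states)."""
    if group in check.mapping:
        return check.mapping[group]
    if DEFAULT_POLICY in extender_files:
        return DEFAULT_POLICY
    raise LookupError(f"no policy for group {group!r} and no {DEFAULT_POLICY} default present")


def portal_url(host: str, group: str) -> str:
    """URL handed to a group's users, in the https://hostIP/<groupName>_ics.html format."""
    return f"https://{host}/{group}_ics.html"


if __name__ == "__main__":
    good = parse_ics_group(SAMPLE_ICS_GROUP, SAMPLE_EXTENDER_FILES)
    print("sample valid:", not good.errors, good.mapping)
    bad = parse_ics_group(BAD_ICS_GROUP, SAMPLE_EXTENDER_FILES)
    for err in bad.errors:
        print("error:", err)
    print(portal_url("10.10.10.10", "Group1"), "->", resolve_policy("Group1", good, SAMPLE_EXTENDER_FILES))
```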
Load Sharing Cluster Support
The SSL Network Extender provides Load Sharing Cluster Support.
To provide Load Sharing Cluster Support:
- Double-click the Security Gateway Cluster Object on the Network Object tab of the Objects Tree. The Security Gateway Cluster Properties window is displayed.
Note - A Load Sharing Cluster must have been created before you can configure use of sticky decision function.
- Select Cluster XL. The Cluster XL tab is displayed.
- Click Advanced. The Advanced Load Sharing Configuration window is displayed.
- Select Use Sticky Decision Function. When the client connects to the cluster, all its traffic will pass through a single Security Gateway. If that member Security Gateway fails, the client will reconnect transparently to another cluster member and resume its session.
- Select Security Gateway Cluster Object > Remote Access > Office Mode. When defining Office Mode, for use with Load Sharing Clusters, only the Manual (using IP pool) method is supported.
Customizing the SSL Network Extender Portal
You can modify the SSL Network Extender Portal by changing skins and languages.
Configuring the Skins Option
To configure the Skins Option:
The skin directory is located under $FWDIR/conf/extender on the SSL Network Extender Security Gateways.
There are two subdirectories. They are:
- chkp: contains skins that Check Point provides by default. At upgrade, this subdirectory may be overwritten.
- custom: contains skins defined by the customer. If custom does not exist yet, create it. At upgrade, this subdirectory is not overwritten. New skins are added in this subdirectory.
Disabling a Skin
- Enter the specific skin subdirectory, under custom, that is to be disabled and create a file named disable. This file may be empty.
- If the specific skin does not exist under custom, create it and then create a file within it named disable.
- Install Policy. The next time that the user connects to the SSL Network Extender portal, this skin will not be available to him/her.
Example
cd $FWDIR/conf/extender/skin/custom
mkdir skin1
touch disable
Creating a Skin
- Enter the custom subdirectory.
- Create a folder with the desired skin name.
Note - Verify that this name is not already used in chkp. If it is, the new skin definition will override the existing skin definition (as long as the new skin definition exists). Once you have deleted the new skin definition, the chkp skin definition will once again be used.
Each skin folder must contain the following five style sheets:
- help_data.css: The main OLH page uses this style sheet.
- help.css: The inner frame on the OLH page uses this style sheet.
- index.css: The ESOD pages, and the main SSL Network Extender portal page use this style sheet.
- style.css: All login pages use this style sheet.
- style_main.css: The main SSL Network Extender Connection page, Proxy Authentication page and Certificate Registration page use this style sheet.
Note - It is recommended that you copy the aforementioned files from another chkp skin, and then modify them as desired.
- Install Policy after creating the new skin.
Example
Add your company logo to the main SSL Network Extender portal page.
cd $FWDIR/conf/extender/skin/custom
mkdir <skin_name>
cd <skin_name>
cp ../../chkp/skin2/* .
Place the logo image file in this directory.
Edit index.css.
Go to .company_logo and replace the existing URL reference with a reference to the new logo image file.
Save.
Install Policy.
Note - No spaces are allowed in the
Configuring the Languages Option
To configure the Languages Option:
The languages directory is located under $FWDIR/conf/extender on the SSL Network Extender Security Gateways.
There may be two subdirectories. They are:
- chkp: contains languages that Check Point provides by default. At upgrade, this subdirectory may be overwritten.
- custom: contains languages defined by the customer. If custom does not exist yet, create it. At upgrade, this subdirectory is not overwritten. New languages are added in this subdirectory.
Disabling a Language
- Enter the specific language subdirectory, under custom, that is to be disabled (if it exists) and create a file named disable. This file may be empty.
- If the specific language does not exist under custom, create it and then create a file within it named disable.
- Install Policy. The next time that the user connects to the SSL Network Extender portal, this language will not be available to him/her.
Adding a Language
- Enter the custom subdirectory.
- Create a folder with the desired language name.
Note - Verify that this name is not already used in chkp. If it is, the new language definition will override the existing language definition (as long as the new language definition exists). Once you have deleted the new language definition, the chkp language definition will once again be used.
- Copy the messages.js file of an existing chkp language to this folder.
- Edit the messages.js file and translate the text bracketed by quotation marks.
- Save.
- Install Policy after adding the new language.
Example
cd $FWDIR/conf/extender/language
mkdir custom
cd custom
mkdir <language_name>
cd <language_name>
cp ../../chkp/english/messages.js .
Edit the messages.js file and translate the text bracketed by quotation marks.
Save.
In custom/english/messages.js, add a line as follows:
<language_name>='translation of language_name';
Install Policy.
Note - No spaces are allowed in the
Modifying a Language
- Enter the custom subdirectory.
- Create a folder with a language name that matches the chkp language folder to be modified.
- Create an empty messages.js file, and insert only those messages that you want to modify, in the following format:
<variable_name>='<desired text>';
Note - For reference, refer to the messages.js file, located in chkp/<language>.
Installation for Users without Administrator Privileges
The SSL Network Extender usually requires Administrator privileges to install the ActiveX component. To allow users that do not have Administrator privileges to use the SSL Network Extender, the Administrator can use his/her remote corporate installation tools (such as Microsoft SMS) to publish the installation of the SSL Network Extender as an MSI package, as part of configuring the SSL Network Extender.
To prepare the SSL Network Extender MSI package:
- Move the extender.cab file, located in $FWDIR/conf/extender, to a Windows machine and open the file using WinZip.
- Extract the cpextender.msi, and use it as an MSI package, for remote installation.
On Windows, Mac and Linux, it is possible to install SSL Network Extender for users that are not administrators, if the user knows the admin password. In this case, perform a regular SSL Network Extender installation and supply the administrator password when asked.
SSL Network Extender User Experience
This section describes the user experience, including downloading and connecting the SSL Network Extender client, importing a client certificate, and uninstalling on disconnect.
Configuring Microsoft Internet Explorer
Check Point SSL Network Extender uses ActiveX controls and cookies to connect to applications via the Internet. These enabling technologies require specific browser configuration to ensure that the applications are installed and work properly on your computer. The Trusted Sites Configuration approach includes the SSL Network Extender Portal as one of your Trusted Sites. This approach is highly recommended, as it does not lessen your security. Please follow the directions below to configure your browser.
Trusted Sites Configuration
- In Internet Explorer, select Tools > Internet Options > Security.
- Select Trusted sites.
- Click Sites.
- Enter the URL of the SSL Network Extender Portal and click Add.
- Click OK twice.
About ActiveX Controls
ActiveX controls are software modules, based on Microsoft's Component Object Model (COM) architecture. They add functionality to software applications by seamlessly incorporating pre-made modules with the basic software package.
On the Internet, ActiveX controls can be linked to Web pages and downloaded by an ActiveX-compliant browser. ActiveX controls turn Web pages into software pages that perform like any other program.
The SSL Network Extender can use ActiveX control in its applications. To use ActiveX you must download the specific ActiveX components required for each application. Once these components are loaded, you do not need to download them again unless upgrades or updates become available. If you do not want to use an ActiveX component you may work with a Java Applet.
Note - You must have Administrator rights to install or uninstall software on Windows XP Professional, as well as on the Windows 2000 operating systems.
Downloading and Connecting the Client
The following section discusses how to download and connect the SSL Network Extender.
To Download the Client:
- Using Internet Explorer, browse to the SSL Network Extender portal of the Security Gateway at https://<GW name or IP>. The following Security Alert message may be displayed:
The site's security certificate has been issued by an authority that you have not designated as a trusted CA. Before you connect to this server, you must trust the CA that signed the server certificate. (The system administrator can define which CAs may be trusted by the user.) You can view the certificate in order to decide if you wish to proceed.
Note - The administrator can direct the user to the URL, http://<mngmt IP>:18264, to install this CA certificate, thereby establishing trust, and avoiding future displays of this message.
- Click Yes.
If Endpoint Security on Demand is enabled, the ESOD web page is displayed.
If this is the first time that the user is scanned with ESOD, the user should install the ESOD ActiveX object.
If this is the first time that ESOD is used, the following Server Confirmation window appears. The user is asked to confirm that the listed ESOD server is identical to the organization's site for remote access.
- Click one of the following:
- No: an error message is displayed and the user is denied access.
- Yes: the ESOD client continues the software scan. Moreover, if the Save this confirmation for future use check box is selected, the Server Confirmation window will not appear the next time the user attempts to login.
Once the user has confirmed the ESOD server, an automatic software scan takes place on the client's machine. Upon completion, the scan results and directions on how to proceed are displayed as shown below.
ESOD not only prevents users with potentially harmful software from accessing your network, but also requires that they conform to the corporate Anti-Virus and firewall policies, as well. A user is defined as having successfully passed the ESOD scan only if he/she successfully undergoes scans for Malware, Anti-Virus, and Firewall. Each malware is displayed as a link, which, if selected, redirects you to a data sheet describing the detected malware. The data sheet includes the name and a short description of the detected malware, what it does, and the recommended removal method/s.
The options available to the user are configured by the administrator on the ESOD server. The options are listed in the following table:
Scan Option | Description |
---|---|
Scan Again | Allows a user to rescan for malware. This option is used in order to get refreshed scan results, after manually removing an undesired software item. |
Cancel | Prevents the user from proceeding with the portal login, and closes the current browser window. |
Continue | Causes the ESOD for Mobile Access client to disregard the scan results and proceed with the log on process. |
To continue with the download:
- From the Scan Results, select a different language from the list. If you change languages, while connected to the SSL Network Extender portal, you will be informed that if you continue the process you will be disconnected, and must reconnect.
- From the Scan Results, you can select a different skin from the Skin drop-down list. You can change skins while connected to the SSL Network Extender portal.
- Click Continue.
- If the configured authentication scheme is User Password Only, an SSL Network Extender Login window is displayed. Enter the User Name and Password and click OK.
Note - If user authentication has been configured to be performed via a 3rd party authentication mechanism, such as SecurID or LDAP, the Administrator may require the user to change his/her PIN, or Password. In such a case, an additional Change Credentials window is displayed, before the user is allowed to access the SSL Network Extender.
- If the configured authentication scheme is Certificate without Enrollment, and the user already has a certificate. If the user does not already have a certificate, access is denied.
- If the configured authentication scheme is Certificate with Enrollment, and the user does not already have a certificate, the Enrollment window is displayed:
- Enter the Registration Key and select PKCS#12 Password.
- Click Ok. The PKCS#12 file is downloaded.
At this point the user should open the file and utilize the Microsoft Certificate Import wizard as follows.
Note - It is strongly recommended that the user set the property Do not save encrypted pages to disk on the Advanced tab of the Internet Properties of Internet Explorer. This will prevent the certificate from being cached on disk.
Importing a Client Certificate with the Microsoft Certificate Import Wizard to Internet Explorer
Importing a client certificate to Internet Explorer is acceptable for allowing access from either a home PC with broadband access, or a corporate laptop with a dial-up connection. The client certificate will be used automatically by the browser when connecting to an SSL Network Extender Security Gateway.
To import a client certificate:
- Open the downloaded PKCS#12 file. The following Certificate Import Wizard opens.
- Click Next. The File to Import window appears:
The P12 file name is displayed.
- Click Next. The Password window appears:
It is strongly recommended that the user enable Strong Private Key Protection. The user will then be prompted for consent/credentials, as configured, each time authentication is required. Otherwise, authentication will be fully transparent for the user.
- Enter your password, click Next twice. If the user enabled Strong Private Key Protection, the following Importing a New Private Exchange Key window appears:
- If you click OK, the Security Level is assigned the default value Medium, and the user will be asked to consent each time the certificate is required for authentication.
- If you click Set Security Level, the Set Security Level window appears. Select either High or Medium and click Next.
- Click Finish. The Import Successful window appears.
- Click OK.
- Close and reopen your browser. You can now use the imported certificate for logging in.
- If you are connecting to the SSL Security Gateway for the first time, a VeriSign certificate message appears, requesting the user's consent to continue installation.
- If you connect using Java Applet, a Java security message will appear. Click Yes.
- If the system administrator configured the upgrade option, the following Upgrade Confirmation window is displayed:
If you click OK, you must re-authenticate and a new SSL Network Extender version is installed.
- If you click Cancel, the client connects normally. (The Upgrade Confirmation window will not be displayed again for a week.) The SSL Network Extender window appears. A Click here to upgrade link is displayed in this window, enabling the user to upgrade even at this point. If you click on the Click here to upgrade link, you must reauthenticate before the upgrade can proceed.
- At first connection, the user is notified that the client will be associated with a specific Security Gateway. Click Yes.
The server certificate of the Security Gateway is authenticated. If the system Administrator has sent the user a fingerprint, it is strongly recommended that the user verify that the root CA fingerprint is identical to the fingerprint sent to him/her.
The system Administrator can view and send the fingerprint of all the trusted root CAs, via the Certificate Authority Properties window in SmartDashboard.
- If the user is using a proxy server that requires authentication, the Proxy Authentication pop-up is displayed. The user must enter his/her proxy username and password, and click OK.
- If you are connected with Windows Vista, a Windows Firewall message will appear. Click Unblock.
You may work with the client as long as the SSL Network Extender Connection window, shown below, remains open, or minimized (to the System tray).
Once the SSL Network Extender is initially installed, a new Windows service named Check Point SSL Network Extender and a new virtual network adapter are added. This new network adapter can be seen by typing ipconfig /all from the Command line.
Note - The settings of the adapter and the service must not be changed. IP assignment, renewal and release will be done automatically.
Note - The Check Point SSL Network Extender service is dependent on both the virtual network adapter and the DHCP client service. Therefore, the DHCP client service must not be disabled on the user's computer.
Both the virtual network adapter and the Check Point SSL Network Extender service are removed during the product uninstall.
There is no need to reboot the client machine after the installation, upgrade, or uninstall of the product.
- When you finish working, click Disconnect to terminate the session, or when the window is minimized, right-click the icon and click Disconnect. The window closes.
Uninstall on Disconnect
If the administrator has configured Uninstall on Disconnect to ask the user whether or not to uninstall, the user can configure Uninstall on Disconnect as follows.
To set Uninstall on Disconnect:
- Click Disconnect. The Uninstall on Disconnect window is displayed, as shown in the following figure.
- Click Yes to Uninstall.
If you select Cancel, the SSL Network Extender will not be uninstalled.
If you click Yes, the Uninstall on Disconnect window will be displayed the next time the user connects to the SSL Network Extender.
Using SSL Network Extender on Linux / Mac Operating Systems
There are two methods to access Network Applications using Linux:
- Java
- Command Line
Java
- When connecting for the first time, the SSL Network Extender installation archive package is downloaded.
This process is similar to the Windows Java installation.
- If the user does not have root permissions, the user is prompted to enter a root password in order to install the package. Enter the password and press Enter.
After the installation is finished, the applet will try to connect.
If it is the first time, the following window is displayed:
If the system Administrator has sent the user a fingerprint, it is strongly recommended that the user verify that the server certificate fingerprint is identical to the Root CA Fingerprint seen in the window.
- Click Yes to confirm.
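Both the Windows and the Linux/Mac procedures tell the user to compare the root CA fingerprint shown by the client against the one the administrator sent out of band. The following Python script is an added example (not Check Point code) that computes the openssl-style fingerprint of a PEM certificate, such as a root CA file in the snx calist directory, and compares it with the administrator's value regardless of how it was typed; the certificate bytes it uses are constructed, not a real certificate.

```python
import base64
import hashlib
import hmac
import re
from pathlib import Path

# Constructed sample: NOT a real certificate, just a stand-in DER blob wrapped
# as PEM so the example runs offline. In practice read the root CA file from
# the snx calist directory (snx -l) or the one fetched from http://<mngmt IP>:18264.
SAMPLE_DER = b"constructed, not a real certificate: " + bytes(range(64))
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_PEM = to_pem(SAMPLE_DER)

def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM text."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """openssl-style fingerprint: colon-separated upper-case hex of the DER digest."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def normalize(fp: str) -> str:
    """Strip colons, spaces and case so a fingerprint typed by hand compares equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True if the administrator's fingerprint matches the certificate.
    The digest is inferred from the expected length (SHA-1 = 40 hex digits,
    SHA-256 = 64); any other length is rejected rather than guessed."""
    want = normalize(expected)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        return False
    got = normalize(fingerprint(pem_to_der(pem_text), algo))
    return hmac.compare_digest(got, want)

def matching_ca_files(calist_dir: str, expected: str) -> list:
    """Names of files in the calist directory whose fingerprint matches expected."""
    hits = []
    for path in sorted(Path(calist_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            if fingerprint_matches(path.read_text(), expected):
                hits.append(path.name)
        except (ValueError, UnicodeDecodeError):
            continue  # not a PEM certificate, skip it
    return hits
```

Point matching_ca_files at the directory given to snx -l (or the calist attribute of .snxrc) and pass the fingerprint the administrator sent; an empty result means no trusted root on disk matches that value.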
Command Line
To download the SSL Network Extender installation archive package:
- In the Network Applications Settings window, click on click here in the sentence For Linux command line SSL Network Extender installation click here. The Shell archive package is downloaded to the user's home directory.
Before running the installation script, make sure execute permissions are set on the file. Use the command chmod +x snx_install.sh to add execute permissions.
- Download and select the SSL Network Extender manual installation.
- Download MSI installation package for Windows
- Download command line SSL Network Extender for Linux
- Download command line SSL Network Extender for Macintosh
- Select the operating system.
The Shell archive package is downloaded to the user's home directory.
- Run snx_install.sh. If the user does not have root permissions, the user is prompted to enter a root password in order to install the package. Enter the password and press Enter.
To disconnect after installation, run snx -d from the shell prompt:
Server_1:/ snx -d
SSL Network Extender Command Attributes
Attributes | Description |
---|---|
snx -f <configuration file> | Run SSL Network Extender using parameters defined in a configuration file other than the default name or location. |
snx -d | Disconnect from Mobile Access |
snx -s <server> | Specify server IP or hostname |
snx -u <username> | Specify a valid user |
snx -c <certificate file> | Specify which certificate is used to authenticate. |
snx -l <CA directory> | Define the directory where CA's certificates are stored. |
snx -p <port> | Change the HTTPS port. (default port is TCP 443). |
snx -g | Enable debugging. snx.elg log file is created. |
snx -e <cipher> | Force a specific encryption algorithm. Valid values - RC4 and 3DES. |
Configuration File Attributes
It is possible to predefine SSL Network Extender attributes by using a configuration file (.snxrc) located in the user's home directory. When the snx command is executed, the attributes stored in the file are used by the command. To run with a file of a different name, execute the command snx -f <filename>.
Attributes | Description |
---|---|
server | Specify server IP or hostname |
sslport | Change the HTTPS port. (default port is TCP 443). |
username | Specify a valid user |
certificate | Specify which certificate is used to authenticate |
calist | Define the directory where CA's certificates are stored. |
reauth | Enable reauthentication. Valid values - {yes, no} |
debug | Enable debugging. |
cipher | Force a specific encryption algorithm. Valid values - RC4 and 3DES. |
proxy_name | Define a Proxy hostname |
proxy_port | Define a proxy port |
proxy_user | Define a proxy user |
proxy_pass | Define a password for proxy authentication |
Note - Proxy information can only be configured in the configuration file and not directly from the command line.
Removing an Imported Certificate
If you imported a certificate to the browser, it will remain in storage until you manually remove it. It is strongly recommended that you remove the certificate from a browser that is not yours.
To remove the imported certificate:
- In the Internet Options window of your browser, access the Content tab.
- Click Certificates.
The Certificates window is displayed:
- Select the certificate to be removed, and click Remove.
Troubleshooting SSL Network Extender
The following sections contain tips on how to resolve issues that you may encounter when using SSL Network Extender.
SSL Network Extender Issues
- All of the user's packets destined directly to the external SSL Network Extender Security Gateway will not be encrypted by the SSL Network Extender.
If there is a need to explicitly connect to the gateway through the SSL tunnel, connect to the internal interface, which is part of the encryption domain.
- The SSL Network Extender gateway allows users to authenticate themselves via certificates. Therefore, when connecting to the SSL Network Extender gateway, the following message may appear: 'The Web site you want to view requests identification. Select the certificate to use when connecting.'
In order not to display this message to the users, two solutions are proposed:
- On the client computer, open Internet Explorer. Under Tools > Options > Security tab, select Local intranet > Sites. You can now add the SSL Network Extender gateway to the Local intranet zone, where the Client Authentication pop-up will not appear. Click Advanced, and add the gateway external IP or DNS name to the existing list.
- On the client computer, open Internet Explorer. Under Tools > Options > Security tab, select Internet Zone > Custom Level. In the Miscellaneous section, select Enable for the item Don't prompt for client certificate selection when no certificates or only one certificate exists. Click OK. Click Yes on the Confirmation window. Click OK again.
Note - This second solution changes the behavior of Internet Explorer for all Internet sites, so if better granularity is required, use the previous solution.
- If the client computer has Endpoint Security VPN software installed, and is configured to work in 'transparent mode', and its encryption domain contains SSL Network Extender gateway, or otherwise overlaps with the SSL Network Extender encryption domain, the SSL Network Extender will not function properly.
To resolve this, disable the overlapping site in Endpoint Security VPN.
- If the client computer has Endpoint Security VPN software installed, and is configured to work in 'connect mode', and its encryption domain contains SSL Network Extender gateway, or otherwise overlaps with the SSL Network Extender encryption domain, the SSL Network Extender will not function properly.
To resolve this, verify that the flag allow_clear_traffic_while_disconnected is True (which is the default value).
ESOD Issues
- User did not pass the scan (a 'Continue' button is not displayed).
The user probably did not match the policy requirements.
- If using the 'ESOD per User Group' feature, verify that the user is using the correct policy.
- Based on the policy, explain to the user how to remove the elements that are blocking him.
- User cannot access the given URL for his specific group.
- Make sure that the group listed in the URL is listed in the ics.group file, with the correct xml file.
- Make sure that the xml file that is assigned to the group exists in $FWDIR/conf/extender.
- Make sure that Install Policy has been run since the ics.group file was changed.
- User has passed the ESOD scan, but gets a 'Wrong ESOD Scan' error when trying to connect.
This means that the user has passed the scan intended for a group that he does not belong to.
- Verify that the user is using the correct URL.
- Look at the SmartView Tracker. The log should state which xml file the user used for the scan.
- Make sure that this file is the same as the user's group file. If not, direct the user to the correct URL.