7 July 2010 Release Notes Endpoint Connect R73

Check Point Endpoint Connect R73


7 July 2010

Release Notes

Endpoint Connect

R73


© 2010 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

See the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

See the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights.


Important Information

Latest Version

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10651

For additional technical information visit Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date          Description
Dec 2009      Initial version
7 July 2010   Improved formatting and document layout.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Endpoint Connect R73 Release Notes).


Contents

Important Information
Introduction
    What's New
    Supported Platforms
Installation
    Installing the Client
    Updating the Endpoint Connect Version on the Gateway
        VPN-1 Gateway
        Connectra Gateway
    Restoring the Original Endpoint Connect Version
New MEP (Multiple Entry Point) Mode
Known Limitations


Introduction

Endpoint Connect is Check Point’s lightweight remote access client. Designed for reliable connectivity and maximum usability, Endpoint Connect provides mobile users with seamless (IPSec) VPN connectivity to corporate network resources and information. Endpoint scanning capabilities check for malware and ensure compliance with corporate security policies before network access is granted.

The Endpoint Connect client works transparently with:

VPN-1 gateway NGX R65 HFA 40 and higher

Connectra gateway R66 and higher

Build Number: 835000022

What's New

In this release of Check Point Endpoint Connect:

Support for Windows 7 is added.

New MEP mode support.

Supported Platforms

The following Windows platforms are supported:

Windows 2000 Professional 32-bit with SP1-4

Windows XP Home & Professional 32-bit, with or without SP1-3

Windows Vista 32-bit and 64-bit, with or without SP1

Windows 7 32-bit and 64-bit, Premium or Enterprise


Installation

Installing the Client

To install the client on Windows:

Download Check_Point_Endpoint_Connect_R73_For_Windows_835000022.msi and run it.

Updating the Endpoint Connect Version on the Gateway

This release includes a gateway supplement that updates the Endpoint Connect version on the gateway.

VPN-1 Gateway

Endpoint Connect is supported on VPN-1 gateway NGX R65 HFA 40 and higher (including R70).

Note - In addition to replacing the files on the gateway, you must make sure that the gateway is properly configured to work with Endpoint Connect. For information on configuring gateways to work with Endpoint Connect, refer to Endpoint Connect Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=8631.

To update the Endpoint Connect version on the gateway:

1. Back up the files TRAC.cab and trac_ver.txt in the $FWDIR/conf/extender/CSHELL directory.

2. Download the file:

Check_Point_Endpoint_Connect_R73_For_Windows_835000022.cab

3. Place the file in the $FWDIR/conf/extender/CSHELL directory and rename it: TRAC.cab

4. Run chmod 750 TRAC.cab to make sure the file has the correct permissions.

5. Edit the file trac_ver.txt by changing the build number inside to the new build number: 835000022

6. Install policy on the gateway.

Connectra Gateway

To update the Endpoint Connect version on the gateway:

1. Back up the files trac.cab and trac_ver.txt in the $CVPNDIR/htdocs/SNX/CSHELL directory.

2. Download the file: Check_Point_Endpoint_Connect_R73_For_Windows_B835000022.cab

3. Place the file in the $CVPNDIR/htdocs/SNX/CSHELL directory and rename it to: trac.cab

4. Run chmod 750 TRAC.cab to make sure the file has the correct permissions.

5. Edit the file trac_ver.txt by changing the build number inside to the new build number: 835000022

6. Install policy on the gateway.

Restoring the Original Endpoint Connect Version

To revert to the original Endpoint Connect version, restore the files you backed up in step 1 of the above procedures.
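The update and restore procedures above can be scripted so that the backup, the file mode and the build number are checked before policy is installed. The following is an added example, not part of the original release notes or Check Point's own tooling: the function names and the separate backup directory argument are hypothetical, and it assumes trac_ver.txt holds the build number as its only run of six or more digits. Step 6 (install policy) is still performed afterwards.

```shell
# Added example, not Check Point code; function names are hypothetical.
# Assumes trac_ver.txt holds the build number as its only run of 6+ digits.
# update_trac_cab CSHELL_DIR DOWNLOADED_CAB TARGET_NAME BUILD BACKUP_ROOT
update_trac_cab() {
    dir=$1; new_cab=$2; target=$3; build=$4; bak_root=$5
    case $build in
        ''|*[!0-9]*) echo "build number must be numeric" >&2; return 1 ;;
    esac
    [ -s "$new_cab" ] || { echo "missing or empty: $new_cab" >&2; return 1; }
    [ -f "$dir/$target" ] && [ -f "$dir/trac_ver.txt" ] ||
        { echo "$target or trac_ver.txt not found in $dir" >&2; return 1; }

    # Step 1: back up both files, preserving mode and timestamps.
    bak="$bak_root/trac_backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak" &&
        cp -p "$dir/$target" "$dir/trac_ver.txt" "$bak/" || return 1

    # Steps 3-4: stage the package under a temporary name, set the mode,
    # then rename, so a partially copied file is never the live package.
    cp "$new_cab" "$dir/$target.new" && chmod 750 "$dir/$target.new" &&
        mv -f "$dir/$target.new" "$dir/$target" || return 1

    # Step 5: rewrite the build number, keeping any other text in the file.
    sed "s/[0-9]\{6,\}/$build/" "$bak/trac_ver.txt" > "$dir/trac_ver.txt"

    # Verify; on any mismatch put the backed-up files back.
    if cmp -s "$new_cab" "$dir/$target" && grep -q "$build" "$dir/trac_ver.txt"
    then
        echo "$bak"     # caller keeps this path for a later restore
    else
        restore_trac_cab "$dir" "$bak"; return 1
    fi
}

# restore_trac_cab CSHELL_DIR BACKUP_DIR: undo update_trac_cab.
restore_trac_cab() {
    cp -p "$2/"* "$1/"
}
```

For the VPN-1 procedure the target name is TRAC.cab in $FWDIR/conf/extender/CSHELL; for Connectra it is trac.cab in $CVPNDIR/htdocs/SNX/CSHELL.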


New MEP (Multiple Entry Point) Mode

For the legacy VPN client (SecureClient), the gateways have to belong to the same VPN domain for MEP to function. For Endpoint Connect, the gateways do not have to belong to the same VPN domain and the client does not send probing RDP packets to discover the available gateways.

Endpoint Connect behavior in a MEP deployment is determined by a list of gateway addresses held in a .ttm configuration file on the gateway. If the client fails to connect to any of the gateways, further attempts cease. If the client does connect, the topology of the VPN domain is downloaded to the client.

To configure the Security Gateway for MEP:

1. On the security gateway, open $FWDIR/conf/trac_client_1.ttm for editing.

2. Search for the enable_gw_resolving attribute:

:enable_gw_resolving (
    :gateway (
        :default (true)
    )
)

Verify the attribute is set to its default value: true.

3. Manually add the mep_mode attribute using the following syntax:

:mep_mode (
    :gateway (
        :default (xxx)
    )
)

Where xxx is the value for one of the following four MEP methods:

dns_base. If this value is selected, Endpoint Connect resolves gateway IP addresses according to DNS Geo Clustering.

first_to_respond. If this value is selected, Endpoint Connect probes all gateways on the list and builds a new list according to response time. The first gateway to respond becomes the first gateway on the list.

primary_backup. If this value is selected, Endpoint Connect works sequentially through the list, attempting to connect to the first IP address, then the second, and so on.

load_sharing. If this value is selected, Endpoint Connect randomly tries a gateway on the list. If the attempt fails, Endpoint Connect randomly selects the next address from those remaining on the list.

4. Manually add the ips_of_gws_in_mep attribute using the following syntax:

:ips_of_gws_in_mep (
    :gateway (
        :default (192.168.53.220&#192.168.53.133&#)
    )
)

This is the list of IP addresses the client should try according to the chosen MEP method. Note that:

IP addresses are separated by an ampersand and hash symbol (&#)

The last IP address in the list is followed by a final &#.

5. Install a policy.
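Because the client stops trying once every address on the list has failed, a mistyped mep_mode value or a gateway list without its final &# is worth catching before policy is installed. The following check is an added example, not part of the original release notes or Check Point's own tooling: the function names are hypothetical, and it assumes each attribute appears in the file in the multi-line layout shown in the steps above.

```shell
# Added example (not Check Point code). Function names are hypothetical.

# ttm_default FILE ATTR: print the :default value of one attribute.
ttm_default() {
    awk -v a=":$2" '
        $1 == a { hit = 1; next }
        hit && $1 == ":default" {
            v = $0; sub(/^[^(]*\(/, "", v); sub(/\)[^)]*$/, "", v)
            print v; exit
        }' "$1"
}

# check_gw_list VALUE: every entry a dotted quad, each followed by "&#".
check_gw_list() {
    printf '%s\n' "$1" | awk '
        !/&#$/ { print "list must end with &#"; exit 1 }
        {
            n = split(substr($0, 1, length($0) - 2), ip, "&#")
            if (n == 0) { print "list is empty"; exit 1 }
            for (i = 1; i <= n; i++) {
                bad = (split(ip[i], o, ".") != 4)
                for (j = 1; j <= 4; j++)
                    if (o[j] !~ /^[0-9]+$/ || o[j] + 0 > 255) bad = 1
                if (bad) { print "bad address: " ip[i]; exit 1 }
            }
        }'
}

# check_mep FILE: return 0 only if all three MEP attributes are usable.
check_mep() {
    rc=0
    [ "$(ttm_default "$1" enable_gw_resolving)" = true ] ||
        { echo "enable_gw_resolving is not true"; rc=1; }
    mode=$(ttm_default "$1" mep_mode)
    case $mode in
        dns_base|first_to_respond|primary_backup|load_sharing) ;;
        *) echo "unknown mep_mode: '$mode'"; rc=1 ;;
    esac
    check_gw_list "$(ttm_default "$1" ips_of_gws_in_mep)" || rc=1
    return $rc
}
```

Run it as check_mep "$FWDIR/conf/trac_client_1.ttm"; a non-zero exit status means at least one of the printed problems must be fixed first.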


Known Limitations

00531067 - When renewing a CAPI certificate, the former one is displayed until the user re-selects the certificate.

00523576 - Users who installed the EA client are required to uninstall it and reboot prior to installing the GA client.