Keyword: VPN

Check Point Mobile Guide

CHECK POINT MOBILE USER GUIDE 9/28/2012

Table of Contents

Introduction
Getting a VPN Account
Installing Check Point Mobile
Authentication
Compliance & System Requirements
System Tray
Connecting with Check Point Mobile
Stopping and Starting Check Point Mobile
Compliance Window
VPN Options
  Advanced VPN Options
  Deleting and Creating Sites
  Collecting and Sending Log Files
Troubleshooting
Technical Support
Appendix
  Client Icon
  Software Downloads

Introduction

Virtual Private Networks (VPNs) allow FedEx employees and vendors to work away from the office. VPNs create secure tunnels over the Internet, ensuring confidentiality, integrity, and authenticity. This form of remote access makes services such as internal web sites, email, and departmental servers available from places such as a home office or hotel.

Getting a VPN Account

A VPN account must first be requested. Both FedEx employees and vendors must:

1. Log in to IdM using your FedEx ID and enterprise password

2. Click the System Access tab at the top of the page

3. Click the Application/Data Access link in the left-hand menu

4. Select VPN using the keyword search and complete the request form. The request will automatically be sent to your manager for approval.

The next step is getting an IdentityGuard eGrid account. After your VPN request has been fully approved in IdM, you must:

1. Log in to the FedEx IdentityGuard self-service web site to complete a short enrollment process.

2. You'll receive an IdentityGuard eGrid sheet (JPEG image format) that will be used for VPN login.

3. Keep your eGrid secure and do not share it with others.

Installing Check Point Mobile

1. Sign in to https://idguard.fedex.com. This link works from both inside and outside the FedEx network. You will be required to authenticate using your FedEx ID, enterprise password and eGrid card.

2. Select 'I'd like to download the Remote Access Software'.

3. Download Check Point Mobile.

   a. Internet Explorer 8 or older

      i. Click the Check Point Mobile VPN Client link.

      ii. Click Save on the File Download window.

      iii. Select desktop to save the file to your desktop.

      iv. Click Save

      v. After download completes close the browser.

   b. Internet Explorer 9

      i. Click the Check Point Mobile VPN Client link.

      ii. Click the drop down arrow next to Save then select Save As.

      iii. Select desktop to save the file to your desktop.

      iv. Click Save

      v. After the download completes disregard the “unsafe” message and close the browser.

4. Perform the installation using the evpn-installer file on your desktop.

5. Double-click the installer to open it. It may be in your Downloads folder or on your Desktop.

6. Click Next

7. Accept the license agreement

8. Click Next

9. Click Next

10. Installation in progress [no interaction required]

11. Click Finished

12. Test the connection by following the normal procedures used to establish VPN connectivity.

Authentication

FedEx requires two-factor authentication to log in to the VPN. Your employee number and enterprise password are the first factor, and the security grid card is the second. The security grid card is called an eGrid.

New/replacement eGrids can be acquired at the IdentityGuard web site, Keyword “eGrid”. The eGrid web site is externally accessible (i.e., from home or hotel) at https://idguard.fedex.com. If you’ve lost your eGrid you can access the site using your challenge questions. If you’ve forgotten your challenge questions you can contact your regional/OpCo help desk for a one-time PIN. The temporary PIN will allow you to download a new eGrid. Always be sure to cancel lost/compromised eGrids at the IdentityGuard site.

eGrid provides secure and cost-effective two-factor authentication. The eGrid contains a series of numbers and letters in clearly marked rows and columns. After entering the user name and enterprise password, the user will be prompted for the eGrid coordinates. The user then cross-references each letter and number combination, similar to using a Bingo card. For example, if Mobile VPN prompted the user for [C5] [D4] [H4], the user would match [C5] with “J”, [D4] with “E”, and [H4] with “E”.
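
The grid-card exchange described above, sketched from both sides as an added illustration (it is not the IdentityGuard or Check Point implementation): the server prompts for three coordinates, the user reads them off the card, and the server accepts each challenge once and rejects expired or locked-out cards. The grid size, character set, case handling and lockout threshold are assumptions.

```python
import hmac
import secrets
import string
from datetime import date

COLS = "ABCDEFGHIJ"    # assumed width; the guide only shows columns up to H
ROWS = range(1, 6)     # assumed height; the guide only shows rows up to 5
MAX_FAILURES = 3       # assumed threshold; the guide only says an eGrid can be locked out
ALPHABET = string.ascii_uppercase + string.digits


def issue_grid(expires: date) -> dict:
    """Server: create a random card plus the state kept for it."""
    cells = {f"{c}{r}": secrets.choice(ALPHABET) for c in COLS for r in ROWS}
    return {"cells": cells, "expires": expires, "failures": 0, "pending": None}


def new_challenge(grid: dict, n: int = 3) -> list:
    """Server: pick n distinct random coordinates and remember them."""
    grid["pending"] = secrets.SystemRandom().sample(sorted(grid["cells"]), n)
    return grid["pending"]


def read_card(cells: dict, challenge: list) -> str:
    """User: look up each prompted coordinate on the card."""
    return "".join(cells[coord] for coord in challenge)


def verify(grid: dict, response: str, today: date) -> bool:
    """Server: check a response against the pending challenge."""
    challenge, grid["pending"] = grid["pending"], None    # each challenge is single-use
    if challenge is None or today > grid["expires"]:
        return False                                       # replayed answer or expired card
    if grid["failures"] >= MAX_FAILURES:
        return False                                       # locked out until the card is reset
    expected = read_card(grid["cells"], challenge)
    answer = response.strip().upper()
    ok = hmac.compare_digest(expected.encode(), answer.encode())   # constant-time compare
    grid["failures"] = 0 if ok else grid["failures"] + 1
    return ok


def guide_example() -> bool:
    """Constructed card matching the guide: [C5]=J, [D4]=E, [H4]=E."""
    grid = issue_grid(expires=date(2013, 9, 28))           # constructed expiry date
    grid["cells"].update({"C5": "J", "D4": "E", "H4": "E"})
    grid["pending"] = ["C5", "D4", "H4"]                   # the prompt from the guide
    return verify(grid, "jee", today=date(2012, 9, 28))


if __name__ == "__main__":
    print("guide example accepted:", guide_example())
```
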

Check the expiration date on your eGrid before logging in

Compliance & System Requirements

Check Point Mobile VPN requires a working personal firewall and anti-virus agent in order to use FedEx Remote Access. This requirement is enforced by Mobile VPN using a Compliance Policy. Almost any anti-virus and personal firewall software that gives a “green light” in Windows Security Center (XP/Vista) or Action Center (Windows 7) satisfies the Compliance Policy. Anti-virus software that has not received updates for 14 days will fail the compliance check. McAfee anti-virus is available to FedEx employees at no cost for the personal computer they use for VPN. Both Check Point Mobile and McAfee can be downloaded at Keyword “VPN” and the Internet-accessible IdentityGuard eGrid web site.

The Compliance Policy is updated during every connection attempt. Enabling Automatic Updates (Windows Update) is recommended but not required. The user can check their compliance status at the Compliance Window. Systems that are not compliant cannot use VPN until they are.

Supported Operating Systems

Windows XP Home and Professional 32-bit, with or without Service Packs 1, 2, or 3

Windows Vista 32-bit and 64-bit, with or without Service Packs 1 or 2

Windows 7 32-bit and 64-bit, Premium or Enterprise, with or without Service Pack 1

Windows Firewall will satisfy the Personal Firewall requirement.

System Tray

The VPN client can be accessed from an area on your PC known as the System Tray, or Systray. It is in the bottom right-hand corner, immediately left of the clock. You may already see some icons there such as WiFi, volume control, and Outlook. The icon you’re looking for is a gold padlock. It may be hidden from view, which you can expand by clicking on the double up arrows.

1. This is a screenshot of the System Tray.

1.2 The VPN client icon is currently visible.

1.3 Right-click on the icon to display the VPN client’s menu.

2. This is a screenshot of the System Tray.

2.1 The VPN client icon is currently hidden from view.

2.2 Left-click on the up arrows to expand the System Tray.

3. The System Tray has been expanded.

3.1 The VPN client icon, a gold padlock, is now visible.

4. You can right-click on the icon to show the menu for the VPN client. From here you can connect to VPN, create a new site, and more.

Connecting with Check Point Mobile

You will be able to connect after installing Check Point Mobile and acquiring your eGrid.

1. Right-click the icon in the Systray

2. Click Connect to...

3. Input your login credentials.

Username = FedEx ID

Password = Enterprise password (8 characters)

4. Click Connect

5. You are presented with the eGrid challenge-response.

6. Look up the coordinates on your eGrid card and input the results.

7. [No interaction required] Check Point Mobile will now connect.

8. You should receive a successful connection.

You can click Close or wait for the window to close automatically.

From here you can use Outlook and access internal FedEx web sites.

Quick Connect

Quick Connect re-connects to the user’s last VPN Gateway.

Open the Systray (gold padlock), right-click on the icon, and click Connect.

Disconnecting from a Site

1. Open the Systray (gold padlock), right-click on the icon, and click Disconnect

2. Click Yes to confirm disconnecting

3. A tooltip appears above the system tray informing the user that the client is disconnected.

Changing Sites

You may experience better network performance by choosing a VPN gateway geographically closer to you.

Stopping and Starting Check Point Mobile

To stop Check Point Mobile:

Open the Systray (gold padlock), right-click on the icon, and click Shutdown Client

To start Check Point Mobile:

1. From the Start Menu click Programs

2. Select Check Point

3. Click Check Point Mobile

Compliance Window

Right-clicking the client icon in the system tray and selecting Show Client displays the main client window.

The left-hand navigation tree displays information regarding:

Status: Displays the details of the VPN connection, Firewall, and Compliance.

Tools: Gives the option of Connect or Disconnect depending on the status of VPN.

Advanced VPN Options (normally not needed)

1. Right-click the client icon in the system tray and select VPN Options.

2. The Options window opens. Select Advanced Options.

Enable Logging: Collects information useful for troubleshooting

Collect Logs: Exports logs to a CAB file. Reproduce the problem before sending your logs to support.

Proxy Settings: Open and Set to “No Proxy”

Use Secure Authentication API File: do not check

Enable Secure Domain Logon: Log into VPN upon logging into Windows

Deleting and Creating Sites

For troubleshooting purposes a site may need to be deleted and re-created. For example, if you have trouble connecting to wtce but not the other three employee VPN gateways, deleting and re-creating the wtce site would be a good first step towards solving the issue.

1. Go to VPN Options from the Systray

2. Delete the previous site at the VPN Options screen.

3. At the VPN Options screen click New.

4. At the Welcome screen, click Next.

5. Input the site name you are creating. Then click Next.

6. For Authentication Method, pick Username and Password. Then click Next.

7. Click Finish.

8. You will be prompted to test your new connection. It is highly recommended that you do so.

VPN Sites

Location   Employees                  Vendors
Memphis    wtce.fw.fedex.com          wtcy.fw.fedex.com
Memphis    ctce.fw.fedex.com          memy.fw.fedex.com
EMEA       nose.fw.fedex.com          nosy.fw.fedex.com
APAC       singapore.vpn.fedex.com    siny.fw.fedex.com

Collecting and Sending Log Files

To troubleshoot unforeseen issues with Check Point Mobile VPN, the user’s support person may ask them to send log files. Logging must be enabled in Advanced Options before the user can collect logs. The user must then reproduce the problem with logging enabled. The logs can then be sent to support.

Click “Collect Logs” under Advanced Options. After a few seconds a Computer Folder window opens. Go up one directory to “Check Point Endpoint Security”.

Go up one directory. Then right-click on the highlighted file and do Send to >> Documents. The file is now in the Documents folder, ready to be attached to an email. Its name has the format “trlogs_dd-mm-yyyy_hh.mm.ss”.

From file name:

dd     Day, as in 21
mm     Month, as in 05
yyyy   Year, as in 2012
hh     24 Hour format, as in 14
mm     Minute, as in 02
ss     Second, as in 31

Troubleshooting

Wrong username/password when trying to connect

Check the expiration date on your eGrid. It's in the bottom right-hand corner. If it's expired you need to get a new one at the eGrid site using your challenge questions. If you’ve forgotten your challenge questions you can get a temporary PIN from your regional/OpCo help desk.

Vendors: Make sure you are using the vendor package with the vendor sites and not attempting to connect to the employee sites.

Verify your eGrid is not locked out by logging into the eGrid web site.

Make sure your caps lock is off.

Verify your enterprise password hasn't expired by logging into the eGrid web site.

Verify the date and time on your computer is correct.

Missing Systray Icon

By default all icons in the Systray do show. To un-hide the Systray icon in Windows 7 go to Control Panel >> Notification Area Icons.

Click the drop down menu beside Check Point Endpoint Connect GUI to Show icon and Notifications or select Always show all icons and notifications on the taskbar.

For Windows XP, right-click on the task bar (bar at bottom of the screen). Select Properties, then uncheck Hide Inactive Icons.

Not Compliant

Check Point Mobile VPN will tell you how to become compliant. The above graphic informs the user that they need to update their Anti-Virus software.

Compliance Policy is corrupt

This occurs because the client has not connected and downloaded the Compliance Policy.

Cannot Connect

Connection errors are the second most commonly reported error with Check Point Mobile. This section will provide step-by-step troubleshooting instructions.

Try pinging at least two major web sites.

Go to Start >> All Programs >> Command Prompt

Use the ping command

ping google.com

ping twitter.com

ping facebook.com

ping yahoo.com

If you get a "reply from (IP address here)", you have basic Internet connectivity. If there is packet loss during several ping attempts, it is an indicator that connectivity at your location is having issues, such as interference with WiFi, faulty home network equipment, or Internet Service Provider issues.

Try accessing at least two major web sites with a web browser

http://www.google.com

http://www.twitter.com

http://www.facebook.com

http://www.yahoo.com

Are you attempting to connect over a connection with some kind of web filtering or VPN blocking?

VPN will not work at a FedEx location unless you are using a mobile broadband connection such as a MiFi or AirCard.

Some hotels block VPN connections. Contact the IT support staff for the hotel and verify VPN (IPSec protocol) is not blocked.

Some hotspots such as those at public libraries, coffee shops, universities, or airports block VPN connections. Contact the IT support staff for that hotspot and verify VPN (IPSec protocol) is not blocked.

Some mobile broadband/cellular/3G/4G providers such as Verizon, AT&T, Sprint, or T-Mobile may require proprietary drivers/applications to connect with a MiFi or AirCard (USB, ExpressCard, or PC Card). Contact your provider and verify they don't block VPN (IPSec protocol) and that the proprietary drivers/applications are configured properly for VPN (IPSec protocol).

Disable Proxy usage in Check Point VPN Client (see Check Point Mobile Technical Guide)

1. Open the Internet Options menu

2. From Internet Explorer: go to Tools >> Internet Options

3. From the Control Panel: go to Internet Options

4. Go to the Connections tab at the top of the menu

5. Go to LAN Settings near the bottom of the menu

6. Check Automatically Detect Settings

7. Uncheck everything else

Make sure the system is using an automatically assigned (DHCP) IP address and not a static IP address (frequently used at FedEx locations).

Windows 7

Go to: Start >> Control Panel >> Network >> Sharing

Click Change View (top right corner of Control Panel)

Set to Small Icons.

Click Network >> Sharing

On the left side, click Change Adapter Settings

Right-click on the network adapter being used for Internet Access and select Properties

For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."

For WiFi, it will usually be named "Wireless Network Connection"

For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"

In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties

Set both radio buttons to Obtain IP address/DNS server address automatically

Click Ok, then click Close

Windows XP

Go to: Start >> Control Panel >> Network Connections

For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."

For WiFi, it will usually be named "Wireless Network Connection"

For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"

In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties

Set both radio buttons to Obtain IP address/DNS server address automatically

Click Ok, then click Close

Technical Support

Check the expiration date on your eGrid before calling

Argentina: 4630-3456

Asian Pacific (APAC): http://iserv.apac.fedex.com/aboutus/contact.php

Canada: 1-888-783-33339

Chile: 361-6099

Colombia: 414-8854

Corporate Executives: 1-901-818-7326

Europe/Middle East/Africa (EMEA): 011-32-2-752-6666

FedEx Custom Critical: 1-234-310-4140 x 2302

FedEx Express Domestic / Pilots: 1-888-339-8324

FedEx Freight: 1-870-391-7708

FedEx Ground (including Sales): 1-800-435-7647

FedEx Office: 1-800-546-5674

FedEx Services: 1-888-339-8324

FedEx Services Sales: 1-877-852-4322

FedEx Supply Chain Services: 1-800-432-7657

FedEx Trade Networks: 1-716-879-1278

GSP Tech Support: 32-2-752-6666

Internal Audit: 1-888-339-8324

Latin America and the Caribbean (LAC): http://lac-miaweb01.prod.fedex.com:8888/NexusJump/ (Keyword: LAC Help)

Mexico: 55-5228-8025

Miami/PRC: 1-786-388-2855

Uruguay: 623-1878

Venezuela: 1-212-205-3128

Verizon Help Desk: 1-877-852-4322

Appendix

Client Icon

Software Downloads

Check Point Mobile and McAfee anti-virus are available at the following sites:

http://www.infosec.fedex.com/vpn Keyword: VPN

https://idguard.fedex.com/ Externally accessible from the Internet (i.e., from home or hotel). Requires eGrid to log in.