Check Point Vpn-1/Securemote/Secureclient Version 4.1 SP2 ...

More documents

Recommendations

Info

SecuRemote/SecureClient Assume the service name is “CP_IPSec_transport_encapsulation”. To define it, add the set isakmp.udpencapsulation to the gateway object in the objects.C file on the VPN-1/SecuRemote/ SecureClient Management Station as follows: :isakmp.udpencapsulation ( :resource ( :type (refobj) :refname (“#_CP_IPSec_transport_encapsulation”) ) :active (true) ) ■ To disable UDP encapsulation, configure the VPN-1/SecuRemote/SecureClient gateway by adding the set isakmp.udpencapsulation with the attribute :active (false) to the gateway object in the objects.C file. Warning – Make sure you observe the following basic rules for configuring the objects.C file: ■ The objects.C file should be configured on the VPN-1/SecuRemote/SecureClient Management Station only. ■ Before configuring the objects.C file, stop the Management Station using the fwstop command and delete the files objects.C.sav and objects.C.bak. ■ The changes made in the objects.C file take effect only after the Security Policy has been installed. Warning – Please note the following: If UDP encapsulation mode is used (to convey IPsec traffic from a SecuRemote or SecureClient to a VPN-1 gateway through a machine that performs NAT), make sure that: ■ The primary gateway’s IP address is the one closest to the SecuRemote client (that is, the external IP address). ■ The user’s IKE Data Integrity method is SHA1 (the default). This parameter is defined in the Encryption tab of the user’s IKE Properties window, which can be accessed by editing the IKE Client Encryption Method in the Encryption tab of the user’s User Properties window. 2 Branding — It is possible to “brand” the SecuRemote authentication dialog boxes, in two ways: ■ Add a custom bitmap, which will be displayed in the empty space on the left side of the dialog box ■ Add text that will be shown when authentication ends (with different texts for success and failure). To use this feature, proceed as follows: a. Overwrite logo.bmp on the installation package with the required bitmap (maximum 140 x 111 pixels: width times height). b. Edit the AuthMsg.txt file and insert the required authentication success/failure messages as described in the file. c. Edit the product.ini file and set “IncludeBrandingFiles=1”. To disable the custom message feature, edit the “:options” setting in userc.c, and add: :use_ext_auth_msg (false) For your convenience, RGB (192, 192, 192) is considered “transparent”. This color will be displayed as the dialog background color, whatever it is (not necessarily gray). You may take advantage of this to disable the customized logo feature by providing a (small) transparent bitmap. PLEASE REVIEW THE LICENSE AGREEMENT BEFORE USING THIS OPTION! 3 Multiple interface resolution for gateways — A gateway’s interfaces may not all be routable from all IP addresses. Internal interfaces may be routable only from the LAN, and exportable interfaces may be routable only from the WAN. SecuRemote can be configured to try all of a gateway’s interfaces, in the event that the interface it should use depends on the client’s location. The connection will be opened with the first address to reply. Limitations — ■ This feature applies only to IKE key exchange, not to FWZ, or to topology download (defining or updating sites). ■ There is no High Availability between interfaces. Therefore, a SecuRemote client which remains at the same IP address will not be able to switch to another interface if the interface it works with is down. ■ Topology must be downloaded only from the canonical IP. ■ For SecureClient Policy Server (PS) logon, it will work for logon to Policy Servers if: Logon was “implicit”, that is, the PS logon is triggered by a packet needing encryption, and 2 VPN-1/SecuRemote/SecureClient Version Version 4.1 SP2 - Release Notes
SecuRemote/SecureClient Communication with the Policy Server is encrypted, that is, the Policy Server has an encryption domain (probably its own) and SecureClient is not in this encryption domain. This means that if the feature is needed, the interface order should be such that the internal interface is attempted first, since the second interface will be used only in encryption scenarios. This feature requires both SecuRemote and the gateways to be running Version 4.1 SP2. This feature is not enabled by default and must be configured per gateway. To configure the feature, add the set :resolve_multiple_interfaces with the true value to the gateway object. 4 The SDL feature may be enabled on the installation package, sparing the need for an additional reboot. To do this, edit product.ini on the package, adding “EnableSDL=1”. SecureClient-specific 1 Optionally allow unencrypted LAN connections with "Encrypted Only" policy — If enabled, unencrypted connection will be accepted with an”Encrypted Only” policy, as long as both the source and the destination IP addresses are in the encryption domain of a single VPN-1 gateway. The same behavior applies to unencrypted connection to the client with “Encrypted and Outgoing”. This feature is controlled on the client, in userc.C, by adding the following attribute under “options”: :allow_clear_in_enc_domain (true) The default setting is false. 2 Optionally allow DHCP (unencrypted) with “Encrypted Only” policy — If enabled, “Encrypted Only” policy will not interfere with DHCP. This feature is controlled on the client, in userc.C by the following attribute under “options”: :disable_stateful_dhcp (true) The default setting is false, allowing DHCP. Platform Specific WIndows NT 1 The SDL and SSO features, which replace the active GINA DLL, can be configured to support non-Microsoft GINA DLLs. If this feature is enabled, ckpgina.dll, which acts as a “pass-through” GINA DLL, will pass handling on to whatever the active GINA DLL was when SecuRemote was installed, and not automatically to msgina.dll. This feature should be used with caution, Check Point’s GINA DLL has been tested only with msgina.dll. 2 If SecuRemote is installed on Dialup Only, but no dialup adapter is active (in a particular hardware profile, for example), SecuRemote will terminate with an error message. This message can be suppressed by setting “:load_fail_silent (true)” in userc.C. Bug Fixes The following bugs were fixed in Version 4.1 SP2. 1 IKE hybrid mode did not work with protocols that involved more than a single challenge, in particular SecurID New PIN Mode. 2 CRLs were sometimes wrongly considered to be invalid (expired). 3 Large IPSec packets (near MTU) were fragmented, even if the Don't Fragment flag was set. Now they are not fragmented, and instead he MTU is reduced. This behavior can be overwritten by setting IPSecAlwaysFragment=1 in the registry, under HKLM\software\checkpoint\securemote on Windows 9x and under HKLM\System\CurrentControlSet\Services\FW1\Parameters on Windows NT. 4 Sporadic application errors would occur up to 24 hours after disabling a site. 5 Using Roaming Profiles, the modified profile was not always written successfully to the domain controller. This problem can now be solved by adding :no_clear_tables (true) to the “options” section of userc.C. Using this feature will have the following side effect: If you start encrypting and then kill SecuRemote and restart it, you may be able to open new encrypted connections without re-authenticating. This anomaly will last less than 15 minutes. Limitation — This feature does not honor the MEP High Availability feature. 6 Automatic topology update, configured to run when SecuRemote was launched, did not work properly (bug was introduced in hotfix build 4157) 7 If automatic topology update failed for any reason, the key exchange that triggered it was also canceled. 8 Encryption key exchanges were blocked for 60 seconds after canceling an automatic topology update. 9 Unusually long text did not always fit into designated controls in dialog boxes. 10 Cached authentication data (user name, password) was not properly expired when machine was suspended (or hibernated). Version Version 4.1 SP2 — August 2000 3
Page 1: Introduction Check Point VPN-1/Secu
Page 5: SecuRemote/SecureClient Version Ver

Check Point Vpn-1/Securemote/Secureclient Version 4.1 SP2 ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?