Check Point Vpn-1/Securemote/Secureclient Version 4.1 SP2 ...
SecuRemote/SecureClient<br />
Communication with the Policy Server is encrypted, that is, the Policy Server has an encryption domain<br />
(probably its own) and SecureClient is not in this encryption domain.<br />
This means that if the feature is needed, the interface order should be such that the internal interface is<br />
attempted first, since the second interface will be used only in encryption scenarios.<br />
This feature requires both SecuRemote and the gateways to be running Version 4.1 SP2.<br />
This feature is not enabled by default and must be configured per gateway. To configure the feature, add the<br />
attribute :resolve_multiple_interfaces with the value true to the gateway object.<br />
4 The SDL feature may be enabled on the installation package, sparing the need for an additional reboot. To do<br />
this, edit product.ini on the package, adding “EnableSDL=1”.<br />
SecureClient-specific<br />
1 Optionally allow unencrypted LAN connections with “Encrypted Only” policy — If enabled, unencrypted<br />
connections will be accepted with an “Encrypted Only” policy, as long as both the source and the destination<br />
IP addresses are in the encryption domain of a single VPN-1 gateway. The same behavior applies to<br />
unencrypted connections to the client with “Encrypted and Outgoing”.<br />
This feature is controlled on the client, in userc.C, by adding the following attribute under “options”:<br />
:allow_clear_in_enc_domain (true)<br />
The default setting is false.<br />
2 Optionally allow DHCP (unencrypted) with “Encrypted Only” policy — If enabled, “Encrypted Only” policy<br />
will not interfere with DHCP. This feature is controlled on the client, in userc.C, by the following attribute<br />
under “options”:<br />
:disable_stateful_dhcp (true)<br />
The default setting is false, allowing DHCP.<br />
Platform Specific<br />
Windows NT<br />
1 The SDL and SSO features, which replace the active GINA DLL, can be configured to support non-Microsoft<br />
GINA DLLs. If this feature is enabled, ckpgina.dll, which acts as a “pass-through” GINA DLL, will pass<br />
handling on to whatever the active GINA DLL was when SecuRemote was installed, and not automatically to<br />
msgina.dll. This feature should be used with caution, since Check Point’s GINA DLL has been tested only with<br />
msgina.dll.<br />
2 If SecuRemote is installed on Dialup Only, but no dialup adapter is active (in a particular hardware profile,<br />
for example), SecuRemote will terminate with an error message. This message can be suppressed by setting<br />
“:load_fail_silent (true)” in userc.C.<br />
Bug Fixes<br />
The following bugs were fixed in Version 4.1 SP2.<br />
1 IKE hybrid mode did not work with protocols that involved more than a single challenge, in particular<br />
SecurID New PIN Mode.<br />
2 CRLs were sometimes wrongly considered to be invalid (expired).<br />
3 Large IPSec packets (near MTU) were fragmented, even if the Don't Fragment flag was set. Now they are not<br />
fragmented, and instead the MTU is reduced. This behavior can be overridden by setting<br />
IPSecAlwaysFragment=1 in the registry, under HKLM\software\checkpoint\securemote on Windows<br />
9x and under HKLM\System\CurrentControlSet\Services\FW1\Parameters on Windows NT.<br />
4 Sporadic application errors would occur up to 24 hours after disabling a site.<br />
5 Using Roaming Profiles, the modified profile was not always written successfully to the domain controller.<br />
This problem can now be solved by adding :no_clear_tables (true) to the “options” section of<br />
userc.C.<br />
Using this feature will have the following side effect: If you start encrypting and then kill SecuRemote and<br />
restart it, you may be able to open new encrypted connections without re-authenticating. This anomaly will<br />
last less than 15 minutes.<br />
Limitation — This feature does not honor the MEP High Availability feature.<br />
6 Automatic topology update, configured to run when SecuRemote was launched, did not work properly (the bug<br />
was introduced in hotfix build 4157).<br />
7 If automatic topology update failed for any reason, the key exchange that triggered it was also canceled.<br />
8 Encryption key exchanges were blocked for 60 seconds after canceling an automatic topology update.<br />
9 Unusually long text did not always fit into designated controls in dialog boxes.<br />
10 Cached authentication data (user name, password) was not properly expired when the machine was suspended<br />
(or hibernated).<br />
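Several of the items above (the two SecureClient-specific options, the Windows NT :load_fail_silent setting, and the :no_clear_tables workaround in bug fix 5) are all userc.C attributes under “options”, and each one that is set to true relaxes a check the notes describe. The following audit script is an added example, not Check Point code: it parses the nested-parenthesis .C syntax that userc.C uses (assumed here), reads the “options” section, and reports which of these attributes a client has enabled, with the consequence the notes give for each. The sample file is constructed.

```python
"""Audit a SecureClient userc.C for the "options" attributes these release notes discuss.
Added example, not Check Point code. The .C syntax (nested parentheses, :name (value)
pairs, unnamed list items introduced by a bare ':') is assumed; the sample is constructed."""
import re

# Attribute -> consequence when set to true (each defaults to false per the notes).
RISKY_WHEN_TRUE = {
    "allow_clear_in_enc_domain": "clear traffic accepted inside one gateway's encryption domain under Encrypted Only",
    "disable_stateful_dhcp": "Encrypted Only policy no longer interferes with unencrypted DHCP",
    "no_clear_tables": "after a SecuRemote restart, new encrypted connections may open without re-authentication "
                       "for up to 15 minutes; MEP High Availability not honored",
    "load_fail_silent": "Dialup Only startup failure with no active dialup adapter is hidden",
}

def tokenize(text):
    """Split .C text into '(' , ')' , quoted strings and bare atoms."""
    return re.findall(r'\(|\)|"[^"]*"|[^\s()]+', text)

def parse(tokens, pos):
    """Parse the list starting at tokens[pos] == '('.
    Returns (value, next_pos); value is a str for a scalar "(x)" or a dict for a container."""
    pos += 1
    if tokens[pos] != ")" and not tokens[pos].startswith(":") and tokens[pos + 1] == ")":
        return tokens[pos].strip('"'), pos + 2          # scalar: (value)
    node = {}
    while tokens[pos] != ")":
        tok = tokens[pos]
        if not tok.startswith(":"):
            raise ValueError("expected :name at token %d, got %r" % (pos, tok))
        name = tok[1:] or str(len(node))                # bare ':' = unnamed list item
        node[name], pos = parse(tokens, pos + 1)
    return node, pos + 1

def audit(userc_text):
    """Return [(attribute, consequence)] for every risky option set to true."""
    tree, _ = parse(tokenize(userc_text), 0)
    options = tree.get("options", {})
    return [(attr, note) for attr, note in RISKY_WHEN_TRUE.items()
            if str(options.get(attr, "false")).lower() == "true"]

SAMPLE_USERC = """
(
    :options (
        :allow_clear_in_enc_domain (true)
        :disable_stateful_dhcp (false)
        :no_clear_tables (true)
    )
    :gws (
        : (
            :name (example-gw)
            :ipaddr (192.0.2.1)
        )
    )
)
"""

if __name__ == "__main__":
    for attr, note in audit(SAMPLE_USERC):
        print("%s is true: %s" % (attr, note))
```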
Version 4.1 SP2 — August 2000