Check Point Vpn-1/Securemote/Secureclient Version 4.1 SP2 ...
Check Point Vpn-1/Securemote/Secureclient Version 4.1 SP2 ...
Check Point Vpn-1/Securemote/Secureclient Version 4.1 SP2 ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
SecuRemote/SecureClient<br />
11 Non-Entrust certificates were sometimes considered invalid for as early as 3-4 months before they actually<br />
expired. This was fixed by ignoring the “PrivateKeyUsagePeriod” extension, which in effect allows the private<br />
key to expire before the certificate does. If this extension is important in your environment, you may instruct<br />
SecuRemote to honor it by adding “:check_PrivateKeyUsagePeriod (true)” in the “options” section<br />
of userc.C.<br />
12 There was a problem running alongside Citrix clients. This problem appears to have been solved by Citrix in<br />
their version 4.20.779.<br />
SecureClient specific Bug Fixes<br />
1 Excessive memory consumption (possible application errors) when SecureClient was blocking heavy load of<br />
unauthorized connections.<br />
2 If you logged on to a Policy Server implicitly (during encryption key exchange), then disabling the Security<br />
Policy did not always block the connection that initiated the key exchange. In particular, in the case of FTP,<br />
data connections may have been blocked while the control connection was not blocked.<br />
3 If a Security Policy was lost implicitly, by logging on to a Policy Server with a user not authorized to receive<br />
a Security Policy, then open connections were not blocked.<br />
Platform specific bug fixes<br />
Windows NT specific<br />
1 SecuRemote did not always recognize the need to re-negotiate IKE keys when its IP address changed (e.g.,<br />
disconnect and re-dial).<br />
2 If SDL was enabled, SecureClient’s IP forwarding is enabled dialog appeared too early, interfering with the<br />
logon process.<br />
3 SecuRemote would fail to initialize if the etc/hosts file was read-only (on NTFS).<br />
Windows 9x specific<br />
1 Occasional blue screen if PCI or PCMCIA slots were not functioning.<br />
2 SecuRemote did not always survive Suspend/Standby events. Now, if severe error conditions are encountered,<br />
SecuRemote will automatically be re-launched. It is possible to configure how long SecuRemote waits before<br />
giving up and re-launching, but it should not be necessary. If defaults are not satisfactory, please contact<br />
Technical Support.<br />
Known Limitations<br />
1 SecuRemote has only limited support for environments using multiple hardware profiles. In particular, there<br />
may be DHCP problems on NT, and there may be unexpected behavior on 9x platforms.<br />
2 In some rare cases, DHCP does not function correctly on the first reboot after installation (NT only). In some<br />
even rarer cases, this problem may persist on subsequent boots. If you encounter this problem, please contact<br />
your <strong>Check</strong> <strong>Point</strong> Technical Support.<br />
NTFS permission issues<br />
3 If etc/LMHOST is read-only (NTFS on NT), then the SDL feature will not function properly.<br />
4 SecuRemote will not function correctly in the unlikely event that the directory SecuRemote is installed on<br />
does not grant the interactive user write permissions.<br />
5 For logging to NTFS, you need to make sure the interactive user have write privileges on the log file.<br />
SecureClient specific<br />
6 When a new Security Policy is installed, it will not be applied to existing connections.<br />
7 Even if the Security Policy restricts incoming connections, IKE packets (UDP port 500) will be accepted from<br />
any IP address. SecuRemote will respond to these packets only if they are received from an authorized<br />
source.<br />
8 The Security Policy is applied very early during boot (by means of a service), but some unauthorized packets<br />
may make it through nonetheless.<br />
This applies to protocols that occur very early, for example DHCP.<br />
9 Switching between Policy Servers should be done explicitly. Implicit logon to a Policy Server when already<br />
logged on to some other Policy Server may cause the logon to fail.<br />
10 Some complex services involve opening back connections to the client. In general, a policy of “Outgoing<br />
Only” will prevent these services from running properly. The following complex services are supported with<br />
an Outgoing policy: DHCP, Ping, FTP PORT, FTP PASV, Real Audio (no G2/RTSP), VDOlive.<br />
11 If SecureClient is killed, the policy reverts to “Allow Outgoing and Encrypted”, regardless of the previously<br />
active policy.<br />
12 If you install SecureClient (SecuRemote with Desktop Security), you may receive messages advising you to<br />
logon to a Policy Server, even if no Policy Server is defined. If no Policy Servers are defined, Required Policy<br />
for All Desktops should be set on the management to “No Policy”.<br />
4 VPN-1/SecuRemote/SecureClient <strong>Version</strong> <strong>Version</strong> <strong>4.1</strong> <strong>SP2</strong> - Release Notes