E75.30
Release Notes
24 September 2012
Classification: [Protected]
2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=17161 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com). For more about this release, see the E75.30 home page (http://supportcontent.checkpoint.com/solutions?id=sk84220).
Revision History
Date: 23 September 2012
Description: First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Remote Access Clients for Windows 32/64-bit E75.30 Release Notes).
Contents
Important Information
Introduction
What's New
Remote Access Clients Comparison
Upgrading from SecureClient
System Requirements
    Client Requirements
    Client Hardware Requirements
    Security Management Server and Security Gateway Requirements
    Additional Requirements
    Build Numbers
Installation
    Installing the Remote Access Clients Hotfix
    Uninstalling this Hotfix
    Upgrading Clients to E75.30
Known Limitations
Resolved Issues
Introduction
Remote Access Clients provide a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel. Check Point offers 3 enterprise-grade flavors of Remote Access to fit a wide variety of organizational needs. The clients offered in this release are:
- Endpoint Security VPN - Incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.
- Check Point Mobile for Windows - An easy to use IPsec VPN client to connect securely to corporate resources. Together with the Check Point Mobile clients for iPhone and Android, and the Check Point SSL VPN portal, this client offers a simple experience that is primarily targeted for non-managed machines.
- SecuRemote - A secure, yet limited-function IPsec VPN client, primarily targeted for small organizations that require very few remote access clients.
See Remote Access Clients Comparison (on page 7) for a detailed feature comparison. We recommend that you read this document before installing E75.30 Remote Access clients. Note - The E75 Remote Access Clients series was previously known as Endpoint Security VPN R75.
What's New
This release includes these new features and enhancements:

Windows 8 Ready
This release supports client installation on Windows 8 OS 32/64 bit.

Intel Smart Connect Technology
When Intel Smart Connect Technology is enabled, the Remote Access client reconnects to the VPN automatically (based on the authentication method and configuration).

RSA Software Token
RSA Software Token 4.1 is supported in this release.

Desktop Firewall Monitoring
Command line utility (PacketMon.exe) that inspects traffic handled by the Desktop Firewall.

Disable Secure Domain Logon (SDL) on LAN/Encryption domain
The client automatically disables SDL when the endpoint client is connected to an internal network. This decision is based on the Location Awareness feature or on the client having an IP address in an encryption domain.

Location-Based Policy Support for Desktop Firewall
Adds location awareness support for the Desktop Firewall using these policies:
- Connected Policy - Enforced when:
    - VPN is connected.
    - VPN is disconnected and Location Awareness determines that the endpoint computer is on an internal network.
  The Connected Policy is not enforced "as is" but modified according to the feature's mode.
- Disconnected Policy - Enforced when the VPN is not connected and Location Awareness determines that the endpoint computer is not on an internal network.
Remote Access Clients for Windows 32/64-bit Release Notes E75.30 | 5
No Office Mode & Secondary Tunnel Resilience
This release gives No Office Mode functionality for improved ATM connectivity.

Proxy Improvements for Endpoint Security VPN
This feature includes these enhancements for Endpoint Security VPN with proxy servers:
- Significantly faster connections from Endpoint Security clients to gateways when using a proxy server.
- Endpoint Security clients can now use a proxy server for outbound encrypted data.
Allow/Block IPv6 Traffic
The administrator can configure the desktop firewall to allow or block IPv6 traffic. By default, IPv6 traffic is blocked.

CLI Enhancements
- Hotspot Registration - Temporarily allows endpoint connections from Hotspots in public places, such as airports and hotels, so that users can register with the portal.
- Enable/Disable Firewall - New CLI command that lets you enable and disable the Desktop Firewall.
- Start GUI Connection from the CLI - New argument for the connectgui command that lets you select which site to connect to.
For more on these features, see the E75.30 Remote Access Client for Windows 32/64-bit Administration Guide.
Remote Access Clients Comparison

Feature: Description

Replaces Client
SecuRemote

- All traffic travels through a secure VPN tunnel.
- Monitor remote computers to confirm that the configuration complies with the organization's security policy.
- Integrated endpoint firewall centrally managed from a Security Management Server.
- Split Tunneling: Encrypt only traffic targeted to the VPN tunnel.
- Hub Mode: Pass all connections through the gateway.
- When NAT-T connectivity is not possible, automatically connect over TCP port 443 (HTTPS port).
- Client seamlessly connects to an alternative site when the primary site is not available.
- Secondary Connect: End-users can connect once and get transparent access to resources, regardless of their location.
- Office Mode IP: Each VPN client is assigned an IP from the internal office network.
- Support protocols where the client sends its IP to the server and the server initiates a connection back to the client using the IP it receives. These protocols include: Active FTP, X11, some VoIP protocols.
- Intelligently detect if the user is outside the internal office network, and automatically connect as required. If the client senses that it is inside the internal network, the VPN connection is terminated.
- Roaming: Tunnel and connections remain active while roaming between networks.
- Always Connected: VPN connection is established whenever the client exits the internal network.
- VPN tunnel and domain connectivity is established as part of Windows login, allowing GPO and install scripts to execute on remote machines.
- Split DNS: Resolves internal names with the SecuRemote DNS Server configuration.
- Makes it easier for users to find and register with hot spots to connect to the VPN through local portals (such as in hotels or airports).
- Allows third-party extensions to the standard authentication schemes. This includes 3-factor and biometrics authentication.

E75.30
- On the Gateway: IPsec VPN Blade
- On the Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints
- IPsec VPN Blade and Mobile Access Blade (based on concurrent connections)
- On the Gateway: IPsec VPN Blade for an unlimited number of connections
System Requirements
Read all requirements carefully.
Client Requirements
Remote Access Clients E75.30 can be installed on these platforms:
- Microsoft Windows 8 32 bit and 64 bit (release preview)
- Microsoft Windows 7 all editions 32 bit and 64 bit, with or without SP1
- Microsoft Windows Vista 32 bit and 64 bit, SP1
- Microsoft Windows XP 32 bit SP3
Additional Requirements
- To enable Secondary Connect, see the requirements in sk65312 (http://supportcontent.checkpoint.com/solutions?id=sk65312).
- To enable automatic, implicit MEP (Multiple Endpoint Connections), you must install the Remote Access Clients Hotfix on the Security Management Server and on all Security Gateways. This procedure is not necessary for manual MEP.
- The Security Management Server and Security Gateway can be installed on open servers or appliances. On UTM-1 appliances, you cannot use the WebUI to install Remote Access Clients.
- Remote Access Clients cannot be installed on the same device as Check Point Endpoint Security R73 or R80.
- If Zone Alarm is installed on a device, you can install Check Point Mobile for Windows and SecuRemote but not Endpoint Security VPN.
- All Security Gateways used as primary MEP connections must support this release, with the Remote Access Clients Hotfix installed.
- NGX R65.70 Security Gateways must be managed by NGX R65.70 Security Management Servers. The servers must also have the Remote Access Clients Hotfix installed.
Build Numbers
The build number for Remote Access Clients for E75.30 is B835017083. To see the build number on your computer, right-click the client and then select Help > About.
Installation
Before you install this release, make sure that you have supported gateways and servers, and if necessary, required hotfixes. If Visitor mode is configured on port 443 and WebUI is enabled on the gateway, the WebUI must listen on a port other than 443. Otherwise, Remote Access Clients cannot connect.
The name of the Hotfix is different for gateway version and for Hotfix functionality.
3. Enter y at the prompt.
4. Reboot the Security Gateway.
Known Limitations
For a list of E75.30 open issues, see the Known Limitations (http://supportcontent.checkpoint.com/solutions?id=sk84500).

Known limitations from these versions are applicable to this release:
- Remote Access Clients R75 (http://supportcontent.checkpoint.com/documentation_download?ID=11607)
- Remote Access Clients E75.10 (http://supportcontent.checkpoint.com/documentation_download?ID=11999)
- Remote Access Clients E75.20 (http://supportcontent.checkpoint.com/solutions?id=sk65315)
These are the Resolved Issues for the Known Limitations above:
- E75.10 (http://downloads.checkpoint.com/dc/download.htm?ID=11999)
- E75.20 (http://supportcontent.checkpoint.com/solutions?id=sk65317)
Resolved Issues
For a list of E75.30 fixes, see the Resolved Issues (http://supportcontent.checkpoint.com/solutions?id=sk84501).