
Endpoint Connect

R73
Release Notes
7 July 2010

© 2010 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
See the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
See the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights.

Important Information
Latest Version
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=10651
For additional technical information visit Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date            Description
Dec 2009        Initial version
7 July 2010     Improved formatting and document layout.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Connect R73 Release
Notes).

Contents
Important Information
Introduction
    What's New
    Supported Platforms
Installation
    Installing the Client
    Updating the Endpoint Connect Version on the Gateway
        VPN-1 Gateway
        Connectra Gateway
    Restoring the Original Endpoint Connect Version
New MEP (Multiple Entry Point) Mode
Known Limitations

Introduction
Endpoint Connect is Check Point's lightweight remote access client. Designed for reliable connectivity and
maximum usability, Endpoint Connect provides mobile users with seamless (IPSec) VPN connectivity to
corporate network resources and information. Endpoint scanning capabilities check for malware and ensure
compliance with corporate security policies before network access is granted.
The Endpoint Connect client works transparently with:
- VPN-1 gateway NGX R65 HFA 40 and higher
- Connectra gateway R66 and higher

Build Number: 835000022

What's New
In this release of Check Point Endpoint Connect:

- Support for Windows 7 is added.
- New MEP mode support.

Supported Platforms
The following Windows platforms are supported:

- Windows 2000 Professional 32-bit with SP1-4
- Windows XP Home & Professional 32-bit, with or without SP1-3
- Windows Vista 32-bit and 64-bit, with or without SP1
- Windows 7 32-bit and 64-bit, Premium or Enterprise

Installation
Installing the Client
To install the client on Windows:
Download Check_Point_Endpoint_Connect_R73_For_Windows_835000022.msi and run it.

Updating the Endpoint Connect Version on the Gateway
This release includes a gateway supplement that updates the Endpoint Connect version on the gateway.

VPN-1 Gateway
Endpoint Connect is supported on VPN-1 gateway NGX R65 HFA 40 and higher (including R70).
Note - In addition to replacing the files on the gateway, you must make sure that the
gateway is properly configured to work with Endpoint Connect. For information on
configuring gateways to work with Endpoint Connect, refer to the Endpoint Connect
Administration Guide (http://downloads.checkpoint.com/dc/download.htm?ID=8631).

To update the Endpoint Connect version on the gateway:


1. Back up the files TRAC.cab and trac_ver.txt in the $FWDIR/conf/extender/CSHELL directory.
2. Download the file:
Check_Point_Endpoint_Connect_R73_For_Windows_835000022.cab
3. Place the file in the $FWDIR/conf/extender/CSHELL directory and rename it: TRAC.cab
4. Run chmod 750 TRAC.cab to make sure the file has the correct permissions.
5. Edit the file trac_ver.txt by changing the build number inside to the new build number: 835000022
6. Install policy on the gateway.

Connectra Gateway
To update the Endpoint Connect version on the gateway:
1. Back up the files trac.cab and trac_ver.txt in the $CVPNDIR/htdocs/SNX/CSHELL directory.
2. Download the file:
Check_Point_Endpoint_Connect_R73_For_Windows_B835000022.cab
3. Place the file in the $CVPNDIR/htdocs/SNX/CSHELL directory and rename it to: trac.cab
4. Run chmod 750 TRAC.cab to make sure the file has the correct permissions.
5. Edit the file trac_ver.txt by changing the build number inside to the new build number: 835000022
6. Install policy on the gateway.

Restoring the Original Endpoint Connect Version
To revert to the original Endpoint Connect version, restore the files you backed up in step 1 of the
above procedures.
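
As an added example (not Check Point's own tooling), the backup, staging and restore steps above can be wrapped in shell functions that also verify the result before policy is installed. The function names and the separate backup directory are assumptions; the mode is applied to the file name actually used in step 3, and the trac_ver.txt edit and policy installation stay manual.

```sh
#!/bin/sh
# Added example, not Check Point tooling. Function names and the backup
# location are assumptions; installing policy (step 6) remains manual.
BUILD=835000022   # build number stated in these release notes

# backup_cshell DIR CAB_NAME BACKUP_ROOT -> prints the backup directory (step 1)
backup_cshell() {
    bak="$3/cshell.$(date +%Y%m%d%H%M%S).$$"
    mkdir -p "$bak" || return 1
    # -p keeps mode and timestamps so a restore puts back identical files
    cp -p "$1/$2" "$1/trac_ver.txt" "$bak/" || return 1
    echo "$bak"
}

# stage_cab NEW_CAB DIR CAB_NAME: copy, set mode 750, then rename (steps 3-4)
stage_cab() {
    cp "$1" "$2/$3.new" || return 1
    chmod 750 "$2/$3.new" || return 1
    mv "$2/$3.new" "$2/$3"   # rename last so a partial copy is never served
}

# verify_cshell DIR CAB_NAME: 0 only if the cab is mode 750 and
# trac_ver.txt already carries the new build number (step 5 done by hand)
verify_cshell() {
    [ -f "$1/$2" ] || { echo "missing $2" >&2; return 1; }
    [ "$(ls -ld "$1/$2" | cut -c2-10)" = rwxr-x--- ] ||
        { echo "$2 is not mode 750" >&2; return 1; }
    grep -q "$BUILD" "$1/trac_ver.txt" ||
        { echo "trac_ver.txt lacks $BUILD" >&2; return 1; }
}

# restore_cshell BACKUP_DIR DIR: put back the files saved by backup_cshell
restore_cshell() {
    cp -p "$1"/* "$2/"
}
```

Keeping the backup root outside the CSHELL directory avoids leaving old packages in a directory the gateway serves to clients.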
New MEP (Multiple Entry Point) Mode


For the legacy VPN client (SecureClient), the gateways have to belong to the same VPN domain for MEP to
function. For Endpoint Connect, the gateways do not have to belong to the same VPN domain and the client
does not send probing RDP packets to discover the available gateways.
Endpoint Connect behavior in a MEP deployment is determined by a list of gateway addresses held in a
.ttm configuration file on the gateway. If the client fails to connect to any of the gateways, further attempts
cease. If the client does connect, the topology of the VPN domain is downloaded to the client.

To configure the Security Gateway for MEP:


1. On the security gateway, open $FWDIR/conf/trac_client_1.ttm for editing.
2. Search for the enable_gw_resolving attribute:
   :enable_gw_resolving (
       :gateway (
           :default (true)
       )
   )
   Verify the attribute is set to its default value: true.
3. Manually add the mep_mode attribute using the following syntax:
   :mep_mode (
       :gateway (
           :default (xxx)
       )
   )
   Where xxx is the value for one of the following four MEP methods:
   - dns_base. If this value is selected, Endpoint Connect resolves gateway IP addresses according to
     DNS Geo Clustering.
   - first_to_respond. If this value is selected, Endpoint Connect probes all gateways on the list and
     builds a new list according to response time. The first gateway to respond becomes the first gateway
     on the list.
   - primary_backup. If this value is selected, Endpoint Connect works sequentially through the list,
     attempting to connect to the first IP address, then the second, and so on.
   - load_sharing. If this value is selected, Endpoint Connect randomly tries a gateway on the list. If the
     attempt fails, Endpoint Connect randomly selects the next address from those remaining on the list.
4. Manually add the ips_of_gws_in_mep attribute using the following syntax:
   :ips_of_gws_in_mep (
       :gateway (
           :default (192.168.53.220&#192.168.53.133&#)
       )
   )
   This is the list of IP addresses the client should try according to the chosen MEP method. Note that:
   - IP addresses are separated by an ampersand and hash symbol (&#).
   - The last IP address in the list is followed by a final &#.


5. Install a policy.
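
Because the client stops trying once it fails to reach every gateway on the list, a malformed list or a mistyped method is worth catching before policy is installed. The following added example (not part of the original release notes or of Check Point's tooling) lints the three attributes from steps 2 to 4; the function names are hypothetical and it assumes the attributes are written in the layout shown above with IPv4 addresses.

```sh
#!/bin/sh
# Added example: lint the MEP attributes of a trac_client_1.ttm file.
# Function names are hypothetical; the syntax checked is the one shown above.

# mep_attr FILE NAME -> value inside ":default (...)" of attribute NAME
mep_attr() {
    awk -v a=":$2" '
        $1 == a { found = 1; next }
        found && $1 == ":default" {
            v = $0; sub(/^[^(]*\(/, "", v); sub(/\)[^)]*$/, "", v)
            print v; exit
        }' "$1"
}

valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# check_mep_mode VALUE: must be one of the four documented methods
check_mep_mode() {
    case $1 in
        dns_base|first_to_respond|primary_backup|load_sharing) return 0 ;;
        *) echo "unknown mep_mode: '$1'" >&2; return 1 ;;
    esac
}

# check_mep_ips VALUE: every entry is IPv4 and is followed by "&#"
check_mep_ips() {
    rest=$1; n=0
    while [ -n "$rest" ]; do
        case $rest in
            *'&#'*) ;;
            *) echo "'$rest' is not followed by &#" >&2; return 1 ;;
        esac
        ip=${rest%%'&#'*}; rest=${rest#*'&#'}
        valid_ipv4 "$ip" || { echo "bad address: '$ip'" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "empty gateway list" >&2; return 1; }
}

# check_ttm FILE: 0 only if all three MEP attributes are usable
check_ttm() {
    [ "$(mep_attr "$1" enable_gw_resolving)" = true ] ||
        { echo "enable_gw_resolving is not true" >&2; return 1; }
    check_mep_mode "$(mep_attr "$1" mep_mode)" &&
        check_mep_ips "$(mep_attr "$1" ips_of_gws_in_mep)"
}
[ $# -eq 0 ] || check_ttm "$1"   # optional: pass a .ttm path to lint it
```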

Known Limitations
00531067 - When renewing a CAPI certificate, the former one is displayed until the user re-selects
the certificate.
00523576 - Users who installed the EA client are required to uninstall it and reboot prior to installing the GA
client.
