Endpoint Security VPN for Mac


8 April 2012

Release Notes

Endpoint Security VPN for Mac

E75

Classification: [Protected]


© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at:

http://supportcontent.checkpoint.com/documentation_download?ID=14881

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

For more about this release, see the E75 home page (http://supportcontent.checkpoint.com/solutions?id=sk69622).

Revision History

Date: Description

08 April 2012: First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Endpoint Security VPN for Mac E75 Release Notes).


Contents

Important Information ... 3

Introduction ... 5

Summary of Included Features ... 5

Connectivity Features ... 6

Security Features ... 6

Migrating from SecureClient ... 7

Remote Access Clients Comparison ... 8

System Requirements ... 10

Client Requirements ...10

Gateway Requirements ...10

Build Numbers ...10

Installation ... 11

Installing the Endpoint Security VPN Hotfix ...11

Uninstalling a Hotfix ...11

Installing the Client ...12

Uninstalling the Client ...12

Known Limitations ... 12


Endpoint Security VPN for Mac Release Notes E75 | 5

Introduction

Endpoint Security VPN for Mac is a simple and secure way for endpoints to connect remotely to corporate resources over the Internet, through a VPN tunnel. It incorporates Remote Access VPN with Desktop Security in a single client. It is recommended for managed endpoints that require a simple and transparent remote access experience together with desktop firewall rules.

• This release replaces SecureClient for Mac.

• An integrated desktop firewall is centrally managed from the Security Management Server.

• It requires the IPsec VPN Software Blade on the gateway, an Endpoint Container license, and the Endpoint VPN Software Blade on the Security Management Server.

Summary of Included Features

Endpoint Security VPN is installed on the desktop or laptop of the user. It has enhanced connectivity, security, installation, and administration capabilities.

Main Capability: Description

Full IPSec VPN: Internet Key Exchange (version 1) support for secure authentication. A Virtual Private Network (VPN) provides a secured, encrypted connection over the Internet to your organization's network. The VPN tunnel gives remote access users the same security that LAN users have. IPSec makes the tunnel seem transparent because users can run any application or service that you do not block for the VPN. (Compare to SSL VPN, which works through web applications only.)

Dead Gateway Detection: If the client fails to receive an encrypted packet within a specified time interval, it sends a tunnel test packet to the gateway. If the tunnel test packet is acknowledged, the gateway is considered active. If several consecutive tunnel test packets remain unacknowledged, the gateway is considered inactive, or dead. You can configure this feature.

Multiple Entry Point (MEP): Provides a gateway High Availability and Load Sharing solution for VPN connections. In an environment with MEP, more than one gateway protects and gives access to the same VPN domain, so Endpoint Security VPN can connect to the VPN through any of those gateways.

Visitor Mode: If the firewall or network limits connections to ports 80 or 443, encrypted (IPSec) traffic between the client and the gateway is tunneled through a regular TCP connection.

NAT-T: UDP encapsulation of IPSec traffic. Endpoint Security VPN can connect seamlessly through devices that do not permit native IPSec traffic (such as firewalls and access points).

Hub Mode: Increases security. It routes all traffic through the VPN and your gateway. At the gateway, the traffic is inspected for malicious content before being passed to the client, and you can control client connectivity.

VPN Tunneling: Increases connectivity performance. Encrypts only traffic targeted to the VPN tunnel, and lets users browse more easily to sites where security is not an issue (such as public portals and search engines).

Desktop Firewall: Endpoint Security VPN enforces a Desktop Firewall on remote clients. The administrator defines the Desktop Security Policy in the form of a Rule Base. Rules can be assigned to either specific user groups or all users; this permits the definition of flexible policies.

Certificate Enrollment and Renewal: Automatic enrollment and renewal of certificates issued by the Check Point Internal CA server.
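The Dead Gateway Detection behaviour described in the table above, as an added simulation that is not part of the release notes or of Check Point's client: the interval, timeout and failure-threshold values are assumed parameters standing in for the client's configurable settings, and the constructed timelines compare a gateway that acknowledges tunnel tests with one that does not.

```python
from dataclasses import dataclass


@dataclass
class DeadGatewayDetector:
    """Client-side liveness tracking for one VPN gateway (illustration only)."""
    silence_interval: float = 10.0  # assumed setting: seconds without encrypted traffic before a test
    test_timeout: float = 5.0       # assumed setting: seconds to wait for a tunnel test acknowledgement
    max_failures: int = 3           # assumed setting: consecutive unacknowledged tests before "dead"
    last_encrypted_rx: float = 0.0  # the tunnel is assumed to be established at t = 0
    last_test_sent: float = 0.0
    awaiting_ack: bool = False
    failures: int = 0
    state: str = "active"
    dead_at: float = -1.0           # time the gateway was declared dead, -1 if never

    def on_encrypted_packet(self, now: float) -> None:
        """Any encrypted packet, data or tunnel-test acknowledgement, proves liveness."""
        self.last_encrypted_rx = now
        self.awaiting_ack = False
        self.failures = 0
        self.state = "active"

    def tick(self, now: float) -> bool:
        """Periodic timer; returns True when the client should send a tunnel test packet."""
        if self.awaiting_ack and now - self.last_test_sent >= self.test_timeout:
            self.awaiting_ack = False      # the previous test went unacknowledged
            self.failures += 1
            if self.failures >= self.max_failures:
                self.state, self.dead_at = "dead", now
        if self.state == "dead" or self.awaiting_ack:
            return False
        if now - self.last_encrypted_rx < self.silence_interval:
            return False                   # recent traffic, no test needed
        self.last_test_sent = now
        self.awaiting_ack = True
        return True


def simulate(rx_times, duration: int, gateway_answers_tests: bool, **cfg):
    """Replay a constructed timeline on a 1 s timer: rx_times are seconds at which data
    packets arrive and a live gateway acks each test 1 s later. Returns (state, tests, dead_at)."""
    det = DeadGatewayDetector(**cfg)
    inbound = sorted(float(t) for t in rx_times)
    tests_sent = 0
    for t in range(duration + 1):
        now = float(t)
        while inbound and inbound[0] <= now:
            inbound.pop(0)
            det.on_encrypted_packet(now)
        if det.tick(now):
            tests_sent += 1
            if gateway_answers_tests:
                inbound = sorted(inbound + [now + 1.0])
    return det.state, tests_sent, det.dead_at
```

With the assumed defaults, a silent gateway is declared dead 25 s after the last encrypted packet (three unanswered tests), while a gateway that answers tests stays active with one test per silence interval.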

Connectivity Features

Feature: Description

Automatic Connectivity Detection: If the IPsec VPN network connection is lost, the client seamlessly reconnects without user intervention.

Roaming: If the IP address of a client changes (for example, if a client on a wireless connection physically connects to a LAN that is not part of the VPN domain), interface roaming maintains the logical connection.

Multiple Sites: Remote access users can define many gateways to connect to the VPN. If you have multiple VPN gateways, users can try another gateway if the previous one is down or overloaded.

Hotspot Detection: Automatically detects hotspots that prevent the client system from establishing a VPN tunnel. When a hotspot is detected, users have the option to lower the firewall restrictions and register with the hotspot through a browser.

Office Mode: Lets a remote client appear to the local network as if it is using a local IP address.

Machine Idleness: Disconnects the VPN tunnel if the machine becomes inactive (because of lock or sleep) for a specified duration.

Keep-alive: Sends keep-alive messages from the client to the VPN gateway to maintain the VPN tunnel.

Proxy Detection and Replacement: Proxy servers between the client and the gateway are automatically detected and authenticated to if necessary.

Tunnel Idleness Detection: Idle or inactive VPN tunnels are detected and shut down.

Security Features

Feature: Description

Strong Authentication Schemes:

User names and passwords: Including cached passwords.

Challenge-Response: An authentication protocol in which one party provides the first string (the challenge), and the other party verifies it with the next string (the response). For authentication to take place, the response must be validated. Security systems that rely on SecurID are based on challenge-response.

Keychain software and hardware tokens: You can use the keychain to store and access hardware and software tokens.

SecurID: Two-factor authentication. For example, one SecurID configuration requires a password and a token code. SecurID authentication methods supported by Endpoint Security VPN: Key Fob and PIN Pad.

Certificate Enrollment and Renewal: Enrollment refers to the process of applying for, and receiving, a certificate from a recognized Certificate Authority (CA), in this case Check Point's Internal CA. In the enrollment process, you create a certificate and send the registration key to users. The client sends this key to the gateway, and in return receives the certificate. Renewal lets the client renew a certificate that is about to expire.

Migrating from SecureClient

Endpoint Security VPN for Mac is not compatible with SecureClient for Mac. You must uninstall SecureClient before you install Endpoint Security VPN.

Remote Access Clients Comparison

Clients compared: Endpoint Security VPN for Windows, Check Point Mobile for Windows, SecuRemote, and Endpoint Security VPN for Mac.

Client Purpose

Endpoint Security VPN for Windows: Secure connectivity with desktop firewall & compliance checks

Check Point Mobile for Windows: Secure connectivity & compliance checks

SecuRemote: Basic secure connectivity

Endpoint Security VPN for Mac: Secure connectivity with desktop firewall

Replaces Client

Endpoint Security VPN for Windows: SecureClient NGX R60, Endpoint Connect R73

Check Point Mobile for Windows: Endpoint Connect R73

SecuRemote: SecuRemote NGX R60

Endpoint Security VPN for Mac: SecureClient for Mac

Feature: Description

IPSEC VPN Tunnel: All traffic travels through a secure VPN tunnel.

Security Compliance Check (SCV): Monitors remote computers to confirm that the configuration complies with the organization's security policy.

Integrated Desktop Firewall: Integrated endpoint firewall centrally managed from a Security Management Server.

Split Tunneling: Encrypts only traffic targeted to the VPN tunnel.

Hub Mode: Passes all connections through the gateway.

Dynamic Optimization of Connection Method: When NAT-T connectivity is not possible, automatically connects over TCP port 443 (HTTPS port).

Multi Entry Point (MEP): Client seamlessly connects to an alternative site when the primary site is not available. (Manual only on some clients.)

Secondary Connect: End users can connect once and get transparent access to resources, regardless of their location.

Office Mode IP: Each VPN client is assigned an IP from the internal office network.

Back Connection Protocols: Supports protocols where the client sends its IP to the server and the server initiates a connection back to the client using the IP it receives. These protocols include Active FTP, X11, and some VoIP protocols.

Auto Connect and Location Awareness: Intelligently detects if the user is outside the internal office network, and automatically connects as required. If the client senses that it is inside the internal network, the VPN connection is terminated.

Roaming: Tunnel and connections remain active while roaming between networks.

Always Connected: VPN connection is established whenever the client exits the internal network.

Secure Domain Logon (SDL): VPN tunnel and domain connectivity is established as part of Windows login, allowing GPO and install scripts to execute on remote machines.

Split DNS: Resolves internal names with the SecuRemote DNS Server configuration.

Hotspot Detection and Registration: Makes it easier for users to find and register with hotspots to connect to the VPN through local portals (such as in hotels or airports). (Detection only on some clients.)

Secure Authentication API (SAA): Allows third-party extensions to the standard authentication schemes. This includes 3-factor and biometric authentication.

Required Licenses

Endpoint Security VPN for Windows: On Gateway: IPsec VPN Blade. On Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints.

Check Point Mobile for Windows: IPsec VPN Blade and Mobile Access Blade (based on concurrent connections).

SecuRemote: On Gateway: IPsec VPN Blade for an unlimited number of connections.

Endpoint Security VPN for Mac: On Gateway: IPsec VPN Blade. On Management: Endpoint Container & Endpoint VPN Blade for all installed endpoints.


System Requirements

Read all requirements carefully.

Client Requirements

Endpoint Security VPN E75 can be installed on these Mac platforms in 32 and 64 bit:

• Mac OS X 10.6 Snow Leopard

• Mac OS X 10.7 Lion

Gateway Requirements

These Check Point versions support E75 Endpoint Security VPN:

Check Point Version: Version Supported for Endpoint Security VPN

Security Gateway NGX R65: R65.70 and the Endpoint Security VPN Hotfix for your platform.

Security Gateway R70: R70.40 and the Endpoint Security VPN Hotfix for your platform; or R70.50 (no Hotfix required).

Security Gateway R71: R71.30, R71.40, R71.50*

Security Gateway R75: R75, R75.10, R75.20, R75.30, R75.40*

VSX R65: Not Supported

VSX R67: R67.10

UTM-1 Edge: 8.2.33

*Not yet released.

If a Hotfix is required, get it from sk69622 (http://supportcontent.checkpoint.com/solutions?id=sk69622).

Build Numbers

The build number of the Endpoint Security VPN for E75 is 835017012.

To see the build on your computer, click the client and select Help > About.


Installation

Before you install this release, make sure that you have supported gateways, and if necessary, a required Hotfix.

If Visitor mode is configured on port 443 and WebUI is enabled on the gateway, the WebUI must listen on a port other than 443. Otherwise, Endpoint Security VPN cannot connect.

Installing the Endpoint Security VPN Hotfix

Install the Endpoint Security VPN E75 Hotfix on gateways or standalone, self-managed gateway deployments. In a Multi-Domain Security Management environment, install the Hotfix on the Multi-Domain Server.

If R71.30 or higher, or R75 or higher, is installed on a gateway, Security Management Server, or Multi-Domain Server, it already supports Endpoint Security VPN and no Hotfix is necessary. See the System Requirements section of these Release Notes for exact details.

For other supported gateway versions, install the Hotfix (http://supportcontent.checkpoint.com/solutions?id=sk69622).

Before you install the Hotfix:

This Hotfix has possible conflicts with other installed Hotfixes. If you can, it is safest to uninstall all Hotfixes installed on the Security Management Server or gateways. See Uninstalling a Hotfix (on page 11). If you cannot uninstall a Hotfix, contact Check Point Technical Support.

To install the Hotfix on a Security Gateway or Security Management Server:

1. Download the Hotfix.

2. Copy the Hotfix package to the Security Gateway or Security Management Server.

3. Run the Hotfix:

On SecurePlatform, Disk-based IPSO, and Solaris:

a) tar -zxvf <name_of_file>.tgz

b) ./UnixInstallScript

On Windows platforms: double-click the installation file and follow the instructions.

4. Reboot the Security Gateway or Security Management Server.

To install the Hotfix on a Multi-Domain Server:

1. On the Multi-Domain Server, run: mdsenv.

2. Download the Endpoint Security VPN Hotfix (http://supportcontent.checkpoint.com/solutions?id=sk69622) to the Multi-Domain Server.

3. Run the Hotfix on SecurePlatform and Solaris:

a) tar -zxvf <name_of_file>.tgz

b) ./UnixInstallScript

4. Follow the on-screen instructions.

5. Reboot the Multi-Domain Server.

Uninstalling a Hotfix

If you need to uninstall a Hotfix, use this procedure.

To uninstall a Hotfix from a gateway:

1. Go to the installation directory: cd /opt/CPsuite-version/

For example, the installation directory on an R70.40 gateway is: /opt/CPsuite-R70/

2. Run: ./uninstall_<name_of_original_Hotfix_file>

The Hotfix file name differs by gateway version and by Hotfix functionality.

3. Enter y at the prompt.

4. Reboot the Security Gateway.

Installing the Client

Install the client on a supported Mac platform booted in 64-bit or 32-bit mode.

To install Endpoint Security VPN for Mac on a client computer:

1. Download the Endpoint_Security_VPN.dmg file to the client computer.

2. Double-click the file.

After the disk image mounts to the file system, a Finder window opens with the contents of the package.

3. Double-click the Endpoint_Security_VPN.pkg file to start the installation.

4. Follow the on-screen instructions.

Uninstalling the Client

If necessary, you can uninstall the Endpoint Security VPN client.

To uninstall Endpoint Security VPN for Mac from a client computer:

1. Double-click the Endpoint_Security_VPN.dmg file.

After the disk image mounts to the file system, a Finder window opens with the contents of the package.

2. Double-click the Uninstaller to start the uninstall process.

3. Follow the on-screen instructions.

Known Limitations

For known limitations, see sk69623 (http://supportcontent.checkpoint.com/solutions?id=sk69623).
