Professional Documents
Culture Documents
Windows 32/64-bit
E80.50
User Guide
4 July 2013
Classification: [Protected]
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=24857)
For additional technical information, visit the Check Point Support Center (Check Point Support Center http://supportcenter.checkpoint.com).
For more about this release, see the Remote Access Client home page.
Revision History
Date
Description
03 July 2013
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on Check Point Mobile for Windows
32/64-bit E80.50 User Guide).
Contents
Important Information .............................................................................................3
Introduction to Check Point Mobile for Windows .................................................5
The Installation Process ...................................................................................... 5
Receiving an Automatic Upgrade ........................................................................ 5
Getting Started ........................................................................................................6
Defining a Site ..................................................................................................... 6
Basic Operations ................................................................................................. 8
Connect Window ................................................................................................. 9
Client Icon ..........................................................................................................10
Compliance ........................................................................................................10
Setting up the VPN................................................................................................12
Configuring Proxy Settings .................................................................................12
Secure Domain Logon ........................................................................................12
Configuring VPN .................................................................................................12
Changing the Site Authentication Scheme ..........................................................13
Certificate Enrollment and Renewal ...............................................................13
Importing a Certificate into the CAPI Store.....................................................14
Authenticating with PKCS#12 Certificate File .................................................15
SecurID..........................................................................................................15
Challenge-Response .....................................................................................15
Secure Authentication API (SAA) ...................................................................15
Collecting Logs .....................................................................................................17
Chapter 1
Introduction to Check Point Mobile
for Windows
In This Chapter
The Installation Process
Receiving an Automatic Upgrade
5
5
Check Point Mobile for Windows is a remote access client for easy, secure connectivity to corporate
resources over the internet, through a VPN tunnel.
SecuRemote
After installation, the Client icon appears in the system tray notification area.
5. Double-click the Client icon.
If you are prompted to define a site, make a site with the IP address that your system administrator gave
you.
Chapter 2
Getting Started
In This Chapter
Defining a Site
Basic Operations
Connect Window
Client Icon
Compliance
6
8
9
10
10
Defining a Site
You must have at least one site to connect to a VPN. If your system administrator pre-configured the client
package, you can connect to the VPN site immediately. If not, you must define the site.
Before you start, make sure you know how you will authenticate to the VPN and that you have the
credentials (for example, password or certificate file). You might also require the gateway fingerprint, to
make sure that the client is connecting to the correct gateway. Get this from your system administrator.
To define a site:
1. Right-click the client icon and select VPN Options.
The Options window opens.
The first time you open the window, no sites are listed.
2. On the Sites tab, click New.
Getting Started
3. Click Next.
4. Enter the name or IP address of the Security Gateway and click Next.
7. Click Next and follow the instructions to enter your authentication materials.
Check Point Mobile for Windows 32/64-bit User Guide E80.50 | 7
Getting Started
If you selected Secure Authentication API (SAA), an SAA window opens to select the type of SAA and
a DLL file to use. See Secure Authentication API (SAA) (on page 15).
8. Click Finish.
The client opens a prompt to connect you to the newly created site.
9. Click Yes to connect to the site, or No to save the site details and connect at a different time.
Basic Operations
Right-click the Client icon in the system tray notification area to access basic operations.
(Not all options appear for every client status and configuration.)
If you are not connected to the VPN, to connect quickly to the last active site, double-click the Client icon. If
you are connected to the VPN and you double-click on the Client icon, the Client Overview window opens.
To access other basic operations, right-click the Client icon and select an option.
Option
Function
Connect
Opens the main connection window, with the last active site selected. If you
authenticate with a certificate, the client immediately connects to the selected site.
Connect to
Opens the main connection window and lets you select which site to connect to.
VPN Options
Opens the Options window to set a proxy server, choose interface language, enable
Secure Domain Logon, and collect logs.
Show Compliance See if your computer is compliant with the Security Policy, and if not, why not and how
Report
to fix the issue.
This option is shown when the client is not compliant.
Help
Show Client
Shutdown Client
Closes Check Point Mobile for Windows and the VPN connection.
Getting Started
You can also access most of these options from the Client Overview.
Connect Window
In the Connect window you authenticate to the VPN. Based on the settings that your administrator
configures, you might have options to choose a Site and Gateway, or only a Site.
If you have a Certificate, browse to the certificate file and enter the password.
If you use SecurID, enter your PIN or passcode. If you get a key in response, copy it.
If you use Username and Password, enter your username and password.
Check Point Mobile for Windows 32/64-bit User Guide E80.50 | 9
Getting Started
If you use Challenge Response, enter the first key. When the challenge comes, enter the response.
If you use SAA, click Connect and a new window opens for authentication.
While you use the VPN resources, you might have to enter your authentication credentials again. This can
occur if you try to access a resource that is on a different gateway and your credentials are not cached.
Getting Here - Right-click the client tray icon > Connect
Client Icon
The Client icon in the system tray notification area shows the status of Remote Access Clients.
Icon
Status
Disconnected
Connecting
Connected
Encryption (encrypted data is being sent or received on the VPN)
There is an issue that requires users to take action.
You can also hover your mouse on the icon to show the client status.
Compliance
Your administrator can configure checks for your computer or device to make sure it is compliant before you
connect to the VPN site. Some examples of what these checks can include are:
Your computer must be compliant with all checks to access the VPN.
If your computer is not compliant, the Client icon looks like this:
If your computer is found to be non-compliant based on one check, you cannot access the VPN. In the
Client Overview window, it shows that you are not compliant and a message opens. If your computer does
not comply based on multiple factors you can see multiple messages.
Follow the instructions in the message to make your computer compliant. If you have questions, contact
your administrator.
You can see a compliance report that shows if your computer is compliant with the Security Policy, and if
not, how to fix the issue. To get a compliance report, right-click the Client icon in the system tray and select
Show Compliance Report.
Check Point Mobile for Windows 32/64-bit User Guide E80.50 | 10
Getting Started
The compliance check always works in the background, if you are connected to the VPN or not. At any time
it can report that your computer has failed a check and is not compliant.
Chapter 3
Setting up the VPN
In This Chapter
Configuring Proxy Settings
Secure Domain Logon
Configuring VPN
Changing the Site Authentication Scheme
12
12
12
13
Detect proxy from Internet Explorer settings - Get the proxy settings from Internet Explorer >
Tools > Internet options > Connections > LAN Settings.
Manually define proxy - Enter the IP address port number of the proxy. If required, enter a user
name and password for the proxy.
5. Click OK.
Configuring VPN
You might have the option to go through the VPN for all your Internet traffic. This is more secure.
2. On the Sites tab, select the site to which you want to connect, and click Properties.
The Properties window for the site opens.
3. Open the Settings tab.
Certificate - CAPI
Certificate - P12
SecurID - KeyFob
SecurID - PinPad
Challenge Response
2. On the Sites tab, select the site from which you will enroll a certificate and click Properties.
The site Properties window opens.
3. Select the Settings tab.
4. Choose the setting type you want, CAPI or P12, and click Enroll.
The CAPI or P12 window opens.
5. For CAPI, choose the provider to which you will enroll the certificate.
6. For P12, choose a new password for the certificate and confirm it.
7. Enter the Registration Key that your administrator sent you.
8. Click Enroll.
The certificate is enrolled and ready for use.
B. To renew a certificate:
1. Right-click the client icon in the system tray, and select VPN Options.
2. On the Sites tab, select the site from which you will renew a certificate and click Properties.
The site Properties window opens.
The authentication method you chose is set and the certificate will be renewed accordingly.
3. Select the Settings tab.
4. Click the Renew button.
The CAPI or P12 window opens.
5. For CAPI, choose the certificate you want to renew from the drop-down list. For P12, choose a P12 file
and enter its password.
6. Click Renew.
The certificate is renewed and ready for use.
The name of the site (each certificate is valid for one site).
If the system administrator instructed you to save the certificate on the computer, import it to the CAPI store.
If not, the administrator will give you the certificate file on a USB or other removable media. Make sure you
get the password.
Enable strong private key protection - will prompt for the private key access permission, every
time you try to access the certificate.
Mark this key as exportable - lets you export the certificate into a .pfx file and set a new password.
Automatically select the certificate store based on the type of certificate - default.
Place all certificates in the following store - browse to the location where you want to store the
certificate.
9. Click Next.
Check Point Mobile for Windows 32/64-bit User Guide E80.50 | 14
SecurID
The RSA SecurID authentication mechanism consists of either hardware (FOB, USB token) or software
(softID) that generates an authentication code at fixed intervals (usually one minute), with a built-in clock
and encoded random key.
The most common form of SecurID Token is the hand-held device. The device is usually a key FOB or slim
card. The token can have a PIN pad, onto which a user enters a personal identification number (PIN) to
generate a passcode. When the token does not have a PIN pad, a tokencode is displayed. A tokencode is
the changing number displayed on the key FOB.
The Remote Access Clients site wizard supports both methods, as well as softID. Remote Access Clients
uses both the PIN and tokencode, or just the passcode, to authenticate to the gateway.
Challenge-Response
Challenge-response is an authentication protocol in which one party provides the first string (the challenge),
and the other party verifies it with the next string (the response). For authentication to take place, the
response is validated.
The type of SAA authentication that you must select - one of these:
You might need a DLL file. If your administrator already configured this, then you do not need it.
Note - Only users with administrator permissions can replace the DLL.
If you select SAA as the authentication in the site wizard, a new page opens where you select the type of
SAA authentication and a DLL file, if required.
Collecting Logs
Collecting Logs
If your system administrator or help desk asks for logs to resolve issues, you can collect the logs from your
client.
To collect logs:
1.
2.
3.
4.
5.