Check Point VPN-1 Secure Client Protocol Problem 2

Status
Not open for further replies.

ITchappie

IS-IT--Management
Dec 10, 2002
11
GB
My Parent company has installed Checkpoint NG on their network and now my UK users sadly cannot use the CISCO VPN clients anymore.

Each remote XP Pro laptop now has the Checkpoint VPN-1 Secure Client software installed. When they visit the office and connect to my local network the Check Point SecureRemote protocol must be turned off. They have to do this manually by un-ticking the protocol on the network card. When they return home and want to connect via ADSL/VPN they must re-tick the SecureRemote protocol on the network card to be able to connect.

My question is therefore: is there a way (VBS script or the like) that my UK users can use to tick or untick the protocol on the network card? Sadly with some of them simply finding their way to the network card is too much which is why I use Netswitcher for them. Sadly Netswitcher cannot change this network card setting. My parent company tell me the protocol can only be turned on/off manually, is this right??

Any help will be greatly appreciated!
Glenn
 
Glenn,

Why does the SecureRemote Protocol have to be turned off? Is it because it is trying to encrypt outbound traffic from the client?

If so you can do a couple of things - set SecureRemote to use Connect Mode instead of Transparent. When users want to connect to the Corporate Network, they must manually connect.

There is also an option in the Global Properties you can set at the Management Station - Under Remote Access, VPN-Advanced, you can say that SecureRemote/Client Packets are "sent in clear" when disconnected and traffic is sent to the encryption domain.

Hope this is useful.



Akiwondo (MCSE, CCSE)
 
Hello Akiwondo

Thanks for the info.

The protocol has to be disabled when my user is "in house" as the network uses DHCP. If the SecureClient Remote is on it prevents the laptop from acquiring a DHCP address. Also, once you have acquired the address activating the protocol destroys the IP address on the network card and the user drops off the network. At home the laptops use static IP and the protocol must be on to connect the VPN tunnel to Germany. Sadly I have no access to the Global controls or policies as these are all made at Head Office as part of the new corporate roll out.

Thanks again.
Glenn
 
not sure how to 'untick' the protocol, but doing a;
net stop "Check Point SecuRemote WatchDog"

will stop the watchdog and may help. (you may want to also stop the "securemote service") not tested this though.

I've had problems with the cisco and checkpoint vpn clients on the same machine, and found that upgrading to the latest cisco client helped.
 
Thanks for the information stooo, however I had to delete my Cisco Clients in favour of the "corporate" Checkpoint software. I have only the Checkpoint software on the laptops just non-technical users not turning the protocol on and off under the correct circumstances. A simple desktop icon that ran a batch file or VB script that did it for them would save a lot of Valium...

Thanks
Glenn
 
hi ITchappie,

Is your problem solved? I'm having the same problem. Do you have a script already?

Yeppe
 
Hello Yeppe

No sadly my problem isn't solved. All the info I keep getting is negative. I have taken a registry snapshot before and after the protocol is turned on and there are over 80 changes made by the Check Point SecuRemote protocol. I am beginning to believe what my parent company tell me that it is not a simple "switch" that can be turned on in the registry. The protocol itself can be stopped/started easily from a command window (batch file). But the binding of the protocol to the network card on/off status just seems impossible without the user's help.

Regards
Glenn
 
What versions of both software are you using?
I use Checkpoint secure client NG AI R56 Build 619 and
Cisco vpn client version 4.6.00.0045
together without any problems (although not both connecting at the same time)
 
Hi,

Run a registry monitoring tool such as active registry monitor, deselect the binding then compare it with the original registry snapshot, then create two registry files say called bind and unbind. You can then execute these as needed.
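
The snapshot-and-compare approach from the post above, as an added example that is not part of the original thread: it parses two .reg exports (one taken with the protocol bound, one unbound) and emits the bind and unbind files as the difference between them. The key and value names are constructed placeholders, not real Check Point or Windows keys, and `parse_reg`, `delta_reg` and `make_pair` are names introduced here.

```python
import re

# Constructed sample exports; key/value names are placeholders, not real
# Check Point or Windows binding keys.
BOUND = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Adapter0]
"Bind"=dword:00000001
"Filter"="example"
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Adapter0\Linkage]
"Route"=hex(7):41,00,\
  42,00,00,00
'''
UNBOUND = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Adapter0]
"Bind"=dword:00000000
'''

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex values wrapped with '\'
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def delta_reg(src, dst):
    """Return .reg text that changes registry state `src` into state `dst`."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(set(src) | set(dst)):
        if key not in dst:
            out += [f"[-{key}]", ""]  # key exists only in src: delete it
            continue
        old, new = src.get(key, {}), dst[key]
        lines = [f"{n}={d}" for n, d in sorted(new.items()) if old.get(n) != d]
        lines += [f"{n}=-" for n in sorted(old) if n not in new]  # drop value
        if lines or key not in src:
            out += [f"[{key}]", *lines, ""]
    return "\r\n".join(out)

def make_pair(bound_text, unbound_text):
    """Return (bind_reg, unbind_reg) text for the two snapshots."""
    bound, unbound = parse_reg(bound_text), parse_reg(unbound_text)
    return delta_reg(unbound, bound), delta_reg(bound, unbound)
```

Files exported by regedit in the version 5.00 format are UTF-16, so read them with `encoding="utf-16"`. A before/after diff also picks up unrelated changes made between the two snapshots, so review the generated files before merging them on a user's laptop.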
 
I think it depends on the desktop security policy. Have a look at the log files while you try to reach a resource when you're in house.
 
hello,

within the secure-client you can configure a security-policy which is applied on the client. in this policy you must configure the rules for the vpn-traffic AND for the non vpn-traffic. otherwise the client will block the traffic.
that's all...

martin

----------------------------------
Martin Peinsipp, Austria
CCSA,
IT-Security-Administrator
 