Chapter 3
Setting up a Remote Access Client
In This Chapter
Configuring Proxy Settings
Configuring VPN
Changing the Site Authentication Scheme
Configuring Proxy Settings
If you are at a remote site which has a proxy server, the client must be configured to pass through the proxy server. Usually the client can detect proxy settings automatically. If not, you can configure it.
Before you begin, get the IP address of the proxy server from the local system administrator. Find out if the proxy needs a user name and password.
To configure proxy settings:
1. Right-click the Client icon and select VPN Options.
The Options window opens.
2. Open the Advanced tab.
3. Click Proxy Settings.
The Proxy Settings window opens.
4. Select an option.
No Proxy - Make a direct connection to the VPN.
Detect proxy from Internet Explorer settings - Take the proxy settings from Internet Explorer > Tools > Internet options > Connections > LAN Settings.
Manually define proxy - Enter the IP address and port number of the proxy. If required, enter a valid user name and password for the proxy.
5. Click OK.
Configuring VPN
You may have the option to go through the VPN for all your Internet traffic. This is more secure.
To configure VPN Tunneling:
1. Right-click the Client icon and select VPN Options.
The Options window opens.
2. On the Sites tab, select the site to which you want to connect, and click Properties.
The Properties window for the site opens.
3. Open the Settings tab.
4. In VPN tunneling, click Encrypt all traffic and route to gateway.
Note - In SecuRemote, this option is disabled. If this option is disabled in Endpoint Security VPN or Check Point Mobile for Windows, consult your system administrator.
5. Click OK.
Changing the Site Authentication Scheme
If you have the option from your system administrator, you can change the way that you authenticate to the VPN.
To change the client authentication scheme for a specific site:
1. Right-click the Client icon and select VPN Options.
The Options window opens.
2. On the Site tab, select the relevant site and click Properties.
The Properties window for the site opens.
3. On the Settings tab, select the appropriate Authentication Scheme drop-down menu option.
Username and password
Certificate - CAPI
Certificate - P12
SecurID - KeyFob
SecurID - PinPad
SecurID - Software Token
Challenge Response
SAA - Username and Password
SAA - Challenge Response
Certificate Enrollment and Renewal
You can import a certificate to the CAPI store or save it to a folder of your choice.
Before you enroll a certificate, make sure you have the registration key from the system administrator. Ask the system administrator whether you should use CAPI (if so, ask for the provider name) or P12.
To enroll a certificate:
1. Right-click the Client icon in the system tray, and select VPN Options.
2. On the Sites tab, select the site from which you want to enroll a certificate and click Properties.
The site Properties window opens.
3. Select the Settings tab.
4. Choose an Authentication Method (Certificate - CAPI or Certificate - P12), and click Enroll.
CAPI: In the window that opens, select the provider.
P12: In the window that opens, enter a new password for the certificate and confirm it.
5. Enter the Registration Key that your administrator sent you.
6. Click Enroll.
Your system administrator may tell you to renew your certificate, or you see a message that the certificate expired.
To renew a certificate:
1. In the Settings tab > Method, select either Certificate - CAPI or Certificate - P12.
2. Click Renew.
In the window that opens, select your certificate type:
CAPI: select the certificate from the list.
P12: browse to the P12 file and enter the password.
3. Click Renew.
Importing a Certificate into the CAPI Store
Before you can use the certificate to authenticate your computer, you must get:
The certificate file.
The password for the file.
The name of the site (each certificate is valid for one site).
If the system administrator said to save the certificate on the computer, import it to the CAPI store.
(Otherwise, the administrator will give you the certificate file on a USB or other removable media. Make sure you get the password.)
To import a certificate file to the CAPI store:
1. Right-click the client tray icon, and select VPN Options.
2. On the Sites tab, select the site and click Properties.
3. Open the Settings tab.
4. Make sure that Certificate - CAPI is selected in the Method list.
5. Click Import.
6. Browse to the P12 file.
7. Enter the certificate password and click Import.
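To check a certificate before connecting or renewing, the following added example (not part of the original guide or the vendor's tooling) reports validity dates for certificates in the Windows store and for a P12 file, and confirms whether the import landed. It assumes the CAPI store in question is the current user's personal store (`Cert:\CurrentUser\My`); the file path and the 30-day warning window are hypothetical.

```powershell
# Added example. The P12 path and the 30-day warning window are assumptions.
$P12Path  = "$env:USERPROFILE\Documents\vpn-user.p12"   # hypothetical file name
$WarnDays = 30

function Get-CertStatus {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays = 30
    )
    $now = Get-Date
    if     ($now -lt $Cert.NotBefore)                    { $state = 'NotYetValid' }
    elseif ($now -gt $Cert.NotAfter)                     { $state = 'Expired' }
    elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays))  { $state = 'ExpiringSoon' }
    else                                                 { $state = 'Valid' }

    [pscustomobject]@{
        State         = $state
        NotAfter      = $Cert.NotAfter
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

# Certificates in the current user's personal store that have a private key
# (a certificate without its private key cannot be used to authenticate).
$store = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey })
$store | ForEach-Object { Get-CertStatus -Cert $_ -WarnDays $WarnDays } |
    Sort-Object NotAfter |
    Format-Table State, NotAfter, Subject, Thumbprint -AutoSize

# The P12 file itself. Get-PfxCertificate prompts for the file password.
if (Test-Path -LiteralPath $P12Path) {
    $p12 = Get-PfxCertificate -FilePath $P12Path
    Get-CertStatus -Cert $p12 -WarnDays $WarnDays | Format-List
    # True once the import has put this exact certificate into the store.
    $imported = @($store | ForEach-Object { $_.Thumbprint }) -contains $p12.Thumbprint
    "Certificate from P12 present in Cert:\CurrentUser\My: $imported"
}
```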
Authenticating with Certificate File
If Certificate - P12 is used, browse to the P12 file to authenticate.
To authenticate with a P12 file:
1. Configure the client to use Certificate - P12 for authentication.
2. Connect to the site.
The connection dialog opens.
3. In the Certificate File area, browse to the P12 file.
4. Enter the certificate password.
5. Click Connect.
Note - If Always-Connect is on, the Client asks for the certificate password if a secure connection is lost. You do not have to browse to the certificate file again.
SecurID
RSA SecurID authentication uses hardware (Key Fob or PINPad) or software (softID) that generates an authentication code at fixed intervals (usually one minute), with a built-in clock and an encoded random key.
The Client uses both the PIN and tokencode, or just the passcode, to authenticate to the Security Gateway.
The most common form of SecurID token is the hand-held device, usually a Key Fob or PINPad.
With PINPad, you enter a personal identification number (PIN), to generate a passcode that you can use for the client.
When the token does not have a PINPad, a tokencode is displayed. A tokencode is the changing number displayed on the Key Fob. If Key Fob is the authentication method, you enter the PIN and the tokencode separately.
SoftID operates the same way as a passcode device, but consists only of software that sits on the desktop. You can use it as a simple Key Fob and copy the token code. Or, you can set the authentication method to SecurID Software Token, and the client will take the token code automatically.
Challenge-Response
Challenge-response is an authentication protocol in which one party sends a string (the challenge) and the other party answers with a second string (the response). Authentication succeeds only if the response is validated.
Secure Authentication API (SAA)
Secure Authentication API (SAA) lets you use third-party authentication technologies with your Remote Access client. To work, it requires a DLL file that is installed on your client.
If your administrator instructs you to select Secure Authentication API (SAA) as the authentication method when you create a site, you need this information:
The type of SAA authentication that you must select - one of these:
Username and Password - Users enter a username and password.
Challenge Response - Users enter a response to a challenge.
You might need a DLL file. If your administrator already configured this, then you do not need it.
Note - Only users with administrator permissions can replace the DLL.
If you select SAA as the authentication in the site wizard, a new page opens where you select the type of SAA authentication and a DLL file, if required.
Replacing the SAA DLL File
Your administrator might instruct you to replace the DLL file on your client.
Note - Only users with administrator permissions can replace the DLL.
To replace the local DLL file:
1. Right-click the client icon and select Options.
2. In the Advanced tab, next to Use a Secure Authentication API File, browse to select the new DLL file.
This file is used for SAA authentication.
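Because this DLL takes part in authentication, it is worth confirming that the file you received is the one your administrator intended before selecting it. The following is an added example, not part of the original guide or the vendor's tooling; the `Test-SaaDll` function name, the DLL path and the expected-hash value are hypothetical, and it assumes your administrator can give you the file's SHA-256 digest through a separate channel.

```powershell
# Added example. The expected hash comes from your administrator; the value
# below is a placeholder, not a real digest. The DLL path is hypothetical.
function Test-SaaDll {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        File            = $file.FullName
        Sha256          = $hash
        # PowerShell string comparison with -eq ignores case.
        HashMatches     = ($hash -eq $ExpectedSha256.Trim())
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject }
    }
}

$check = Test-SaaDll -Path 'C:\Temp\saa-plugin.dll' -ExpectedSha256 '<SHA-256 FROM ADMINISTRATOR>'
$check | Format-List

if (-not $check.HashMatches) {
    Write-Warning 'Hash differs from the value supplied by the administrator. Do not select this file.'
} elseif ($check.SignatureStatus -eq 'HashMismatch') {
    Write-Warning 'The file was modified after it was signed. Do not select this file.'
}
```

A status of `NotSigned` is not a failure by itself, since a third-party DLL may ship unsigned; in that case the hash comparison is the only integrity check this example provides.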