topic Re: Initial client including VPN site in Endpoint

Initial client including VPN site

CP-Shark — Wed, 20 May 2026 12:58:26 GMT

Hello everyone,

I’ve recently switched our deployment strategy to use the Check Point Initial Client to ensure our endpoints always fetch and install the latest available version.

However, because the initial client package is generic, it installs without our custom VPN site pre-configured.

Could anyone share the best practices or scripts to automate the VPN site configuration locally on the endpoint immediately after the initial client installs?

Note: We are not motivated to use a centralized push operation from the portal.

Any hints, scripts, or documentation references would be highly appreciated!

Cheers, Olli

Re: Initial client including VPN site

PhoneBoy — Wed, 20 May 2026 14:11:28 GMT

While the paths are different, you should be able to use the CLI to add a site: https://support.checkpoint.com/results/sk/sk55620
The other option would be to replace trac.config on the client: https://support.checkpoint.com/results/sk/sk183469

Re: Initial client including VPN site

Duane_Toler — Wed, 20 May 2026 14:15:43 GMT

Are you using the Endpoint Security / Harmony Endpoint suite? Or just the VPN-only client? You can't use the Initial Client with the VPN-only client (the unmanaged client).

With the Harmony Endpoint suite, the Initial Client is created with the address of the Endpoint/Harmony Security server defined when you export the package from the package deployment. Initial Client is to be used when users are already on your network somewhere and have direct access to the Endpoint server (assuming you're not using the cloud service). If your users are remote-only, then you need to send them a full package with the VPN site and feature blades pre-defined.

When you do this, be sure you have a Software Deployment rule configured that will match the blades and components of the exported package; otherwise, when the client installs, the first thing it does is check the Software Deployment rules for any blade updates (install/remove blades) before it tries to load a policy. This may result in multiple reboots while the client is trying to align itself with the server.

Hope that helps!

Re: Initial client including VPN site

morris — Thu, 21 May 2026 10:05:17 GMT

The VPN Site configuration is inside of trac.config (C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect). You can copy that file to your new endpoints. Restart CP service TracSrvWrapper (or better reboot machine) and you client is ready to connect.

If you open trac.config you see gibberish. To ungibberish edit trac_defaults, change "1" to "0" in the first line "OBSCURE_FILE". Restart TracSrvWrapper and you see trac.config in cleartext.