topic Re: Deployment of VPN site while fresh installation in Endpoint

Deployment of VPN site while fresh installation

CP-Shark — Thu, 14 Nov 2024 21:46:15 GMT

Hello folks,

we´ve set up a new way to install Harmony Endpoint client via MS Intune through UEM Integration:

This works great. But how can a add our default VPN Site to this deployment? It can´t be the solution to add it manually or via "Push Operation".

Any hints from the admins?

Cheers,
Oliver

Re: Deployment of VPN site while fresh installation

Lesley — Thu, 14 Nov 2024 21:56:24 GMT

You need to create one package that contains all info you want to use. see it as a baseline.

There are different ways to do this depending what you use.

Here is an example:

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-Common-for-HEP/Adding-New-VPN-Site-to-Exported-Package.htm#AddingNewPackagetoVPNSite

Or here:

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/Deploying-Endpoint-Agent-using-Intune.htm

How to change from .exe to .msi -> https://support.checkpoint.com/results/sk/sk181442

Re: Deployment of VPN site while fresh installation

CP-Shark — Thu, 14 Nov 2024 22:02:58 GMT

Okay that´s not new to me.

But we want to use the UEM integration for Intune followed by Software deployment policy.
So I want a solution for that.

The two solutions above needs to be updated everytime we decide to use a new endpoint agent version.

Re: Deployment of VPN site while fresh installation

PhoneBoy — Thu, 14 Nov 2024 22:19:04 GMT

It might help us to understand if you can explain the expected workflow in more detail.
As far as I know, unless it's added to the MSI file, adding a VPN site requires a push operation.
If it's just updating an existing site, then that should occur the next time the user connects to the VPN

Re: Deployment of VPN site while fresh installation

CP-Shark — Thu, 14 Nov 2024 22:28:16 GMT

For sure.

We use autopilot-managed devices via MS Intune (EntraID-registered), which are sent to employees. After their first login (via EntraID authentication), applications are deployed through MS Intune.

To deploy the Harmony client in MS Intune, we use the UEM integration provided by Check Point (see the screenshot in my first post). Once the initial client is installed, the deployment policy takes over, though there is currently no option to automatically configure a VPN site.

Using the MSI deployment (suggested by Leasly) isn't feasible, as we would need to update the package every time a new agent version is released. Since an external service provider manages this service, our Security department requires the flexibility to quickly choose which version is deployed. This is why we prefer using the deployment policy.

Everything else is too maintenance-intensive

Re: Deployment of VPN site while fresh installation

PhoneBoy — Thu, 14 Nov 2024 22:38:31 GMT

Possible this is an RFE.
Adding @BarYassure

Re: Deployment of VPN site while fresh installation

CP-Shark — Thu, 14 Nov 2024 22:41:49 GMT

Please tell me not there is no other solution for that.
This is such an obvious use case 🙄

Re: Deployment of VPN site while fresh installation

PhoneBoy — Thu, 14 Nov 2024 22:57:13 GMT

What's not clear in what you've said so far is why a Push operation isn't an acceptable alternative.
The Push Operation can potentially be automated via an API call: https://app.swaggerhub.com/apis/Check-Point/web-mgmt-external-api-production/1.9.221#/AddVpnSiteParams

I'll admit, I'm not an Endpoint expert, so it's possible there is another way to do this.