topic Deploy list of VPN sites for macOS in Endpoint

Deploy list of VPN sites for macOS

IWildcard — Tue, 31 Dec 2024 08:26:47 GMT

Hi all,

I am trying to deploy a list of VPN sites that users can choose from, along with the CheckPoint client on all our company Macs.
Is there any documentation that describes how to do that?

As far as I understood, the trac.config file needs to be edited adding the details of each vpn site, but how is that done? Is there a specific console?

Thank you.

Re: Deploy list of VPN sites for macOS

PhoneBoy — Tue, 31 Dec 2024 17:33:11 GMT

The best way to “edit” trac.config file is to use the client to configure the required sites, then distribute trac.config.
On Windows at least this trac.config can be bundled into the installer.
Believe this is also possible on the Mac, but I’m not certain of the exact steps.

Re: Deploy list of VPN sites for macOS

the_rock — Tue, 31 Dec 2024 19:09:06 GMT

Is this what you are looking for?

Best,

Andy

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_RemoteAccessVPN_AdminGuide/Topics-VPNRG/MEP.htm

Re: Deploy list of VPN sites for macOS

IWildcard — Thu, 02 Jan 2025 16:28:58 GMT

Hi @PhoneBoy,

Just to clarify, are you suggesting that I set up all the VPN sites that we need to push to the CheckPoint client on a test Mac, then export the final trac.config file and distribute it to all devices?
I have tried this, and it appears to work well.

However, I’m facing another issue and would appreciate your assistance with it:
Occasionally, we need to add or remove VPN sites and deploy the updated trac.config file to our Macs.
I followed the same procedure, added a couple of VPN sites, and attempted to distribute the updated file. However, when trying to replace the trac.config file on Macs that already had the client installed, I encountered an issue where the file could not be replaced.
What's the correct way to stop the service before deploying the updated trac.config file to ensure the replacement goes smoothly?

Thank you.

Re: Deploy list of VPN sites for macOS

PhoneBoy — Thu, 02 Jan 2025 18:51:20 GMT

Yes, you have it correct, and yes you need to stop/start the relevant service to replace trac.config on a system with the VPN client running/installed.
The two commands to do this are:

sudo launchctl stop com.checkpoint.epc.service
sudo launchctl start com.checkpoint.epc.service

Re: Deploy list of VPN sites for macOS

IWildcard — Fri, 03 Jan 2025 10:47:02 GMT

Thank you for the quick reply @PhoneBoy.

The commands that you mentioned in your previous message seem to work for stopping the vpn service (I was connected when I launched the first command, and got immediately disconnected).
However, I was still unable to replace the trac.config file in the folder /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect, receiving an error message saying that the operation was not permitted.
My assumption is that the file is still locked by another CheckPoint service on the device.

Re: Deploy list of VPN sites for macOS

PhoneBoy — Fri, 03 Jan 2025 19:36:29 GMT

It could very well be.
Another possibility is to use the "trac" binary (in the same location as trac.config) to add the sites via the CLI (e.g. with trac create).

Re: Deploy list of VPN sites for macOS

IWildcard — Wed, 08 Jan 2025 09:58:48 GMT

Hi @PhoneBoy,

Is it possible to know which are the CheckPoint services that lock the trac.config file, and if they can be stopped so the file can be replaced without having to uninstall the client and re-install it with the new trac.config file, which is not really an ideal workflow?

Thank you.

Re: Deploy list of VPN sites for macOS

G_W_Albrecht — Wed, 08 Jan 2025 12:20:24 GMT

If you select Shutdown Client from tray menue this should work using local admin rights - at least for the RA VPN only EP client i use. If you use the Harmony EPS blades it would be more difficult...

Re: Deploy list of VPN sites for macOS

PhoneBoy — Wed, 08 Jan 2025 23:50:50 GMT

The only service that needs it is the "epc" service.
I imagine the file is locked as a result of Harmony Endpoint self-protection features.
Not sure these can be disabled, but you should confirm with TAC.

Have you tried creating the site using the "trac" binary I mentioned above?
For example to create a site from the gateway at 192.0.2.54 and naming it "MyVPNSite" in the UI, you issue the following command:

"/Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/trac" create -s 192.0.2.254 -di MyVPNSite

Assuming you have some sort of remote execution capability on the Endpoints, this might be easier.