topic Re: Endpoint Security VPN client configuration via cli in SASE and Remote Access

Endpoint Security VPN client configuration via cli

Olga_Kuts — Tue, 13 Mar 2018 09:40:30 GMT

We have a need of full configuration CheckPoint VPN client via cli (authentication method - CAPI certificate). We did all settings via cli using trac.exe except for certificate import.

How can we import certificate using cli (in particular using trac.exe)? The option of certificate importing the standard means of the Windows does not suit us.

Re: Endpoint Security VPN client configuration via cli

PhoneBoy — Tue, 13 Mar 2018 23:37:47 GMT

If you're using CAPI, then I presume you should use Microsoft's tools to manage the certificate store.

A quick Google search brought me to: windows - Import Certificate to Trusted Root but not to Personal [Command Line] - Stack Overflow

Re: Endpoint Security VPN client configuration via cli

Olga_Kuts — Wed, 14 Mar 2018 08:12:26 GMT

When we import a certificate using Microsoft's tools, the VPN connection does not establish. When importing directly through the CheckPoint VPN client - everything works.
Therefore, we are considering the option of importing through the CheckPoint VPN client, but using the command line. Why do we need the command line? We need to automate the process of installing the VPN client and its settings.

Re: Endpoint Security VPN client configuration via cli

G_W_Albrecht — Wed, 14 Mar 2018 12:46:05 GMT

Afaik, this is not possible using standard means - see Remote Access VPN Administration Guide R80.10 for details. Here we find:

Check Point's Internal Certificate Authority (ICA) offers two ways to create and transfer certificates to remote users:

1. The administrator generates a certificate in the Security Management Server for the remote user, saves it to removable media, and transfers it to the client "out-of-band."

2. The administrator initiates the certificate process on the Security Management Server (or ICA management tool), and is given a registration key. The administrator transfers the registration key to the user "out-of-band." The client establishes an SSL connection to the ICA (using the CMC protocol) and completes the certificate generation process using the registration key. In this way:
• Private keys are generated on the client.
• The created certificate can be stored as a file on the machines hard-drive, on a CAPI storage device, or on a hardware token.
This method is especially suitable for geographically spaced-remote users.

But nothing about a CLI installation method ! I would suggest to ask CP TAC for a solution and update us when it has worked for you .