topic Remote Access CLI based script - how to extract system user and place it in a script? in SASE and Remote Access

Remote Access CLI based script - how to extract system user and place it in a script?

israelsc — Sat, 29 Mar 2025 02:09:17 GMT

Hello everyone!
Hoping you are doing well and having a great day.

I am developing a .bat script for the recreation of VPN site for VPN clients of one of our customers.

I am basing it on commands from the Remote Access documentation in the CLI section:
https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN-for-Win/CLI-Commands.htm?TocPath=Remote%20Access%20Clients%20Command%20Line%7CCLI%20Commands%7C_____0

For now, I have the following for my script:

@echo off
cd C:\Program Files (x86)\CheckPoint\Endpoint Connect\
trac.exe ver
trac.exe disconnect
trac.exe delete -s vpn.company.com
trac.exe create -s vpn.company.com -di vpn.company.com -a username-password -lo Standard

The script does the following:

@echo off to ensure that the script commands are not displayed in the cmd console.
Change to the directory where trac.exe is located.
Show client version
Disconnect client
Delete current VPN site
Recreate current VPN site with username and password as authentication method

The specific requirement of our customer is that, the domain username of the PC is extracted and defined in a variable in order to be able to execute the following command and that the username is the domain user:

trac.exe userpass -s <sitename> -u <username> -p <password>

I see that if I run the following in CMD, I can see my domain username based on a Windows system environment variable:
echo %USERNAME%

Then, I also see that if I run the following, I can save %USERNAME% in a variable called USER:
set USER=%USERNAME%

However, when I try to use this variable in the command trac.exe:
trac.exe userpass -s vpn.company.com -u %USER%

I see the following error:

I would like to know if there is a way to extract this domain username from a PC to configure it by “default” once I run my script to recreate the VPN site.
And that once the VPN client is reconfigured, the user can see his domain user so that he can just enter his passwords and then proceed with the VPN authentication/authorization using an LDAP with Identity Awareness. (This last one is already configured, I just want to see if the domain user can be configured so that the user just comes in and enters his password).

I know this is maybe something more related to .bat scripting but I hope you can help me.

Greetings!!

Re: Remote Access CLI based script - how to extract system user and place it in a script?

G_W_Albrecht — Mon, 31 Mar 2025 09:26:24 GMT

Command only works on ATM EPS clients as explained in the trac help ! So this is only possible with the unattended client version, but not the one installed here that has a GUI for the user...

Re: Remote Access CLI based script - how to extract system user and place it in a script?

PhoneBoy — Mon, 31 Mar 2025 15:20:42 GMT

If you replace %username% with an actual username, does it work?

Re: Remote Access CLI based script - how to extract system user and place it in a script?

israelsc — Mon, 31 Mar 2025 17:56:46 GMT

Hello @G_W_Albrecht , @PhoneBoy thanks for your comments and help!

@G_W_Albrecht
That's right, I saw that it works for ATM, but I don't know if this as such is a limitation for us to execute or not, these commands in a VPN client that does have a GUI such as Check Point Mobile Remote Access VPN client or Check Point Endpoint Security VPN client

@PhoneBoy
I made a couple of attempts, here are the results:

1st attempt: set username only, the result shows that the arguments are invalid.

2nd attempt: set only the username and leave the password field empty, the result shows that there is a missing password.

3rd attempt: set username, set password, the result shows that this feature is disabled.
And this last one is ok, maybe the Security Gateway is not configured for this.

However the 1st and 2nd attempt make me think that if you must make a username and password configured so that the executable parameters are complete and can run successfully.

Is there any way to achieve this requirement?
Or is it something that is out of scope of what trac.exe can do?

Greetings!

Re: Remote Access CLI based script - how to extract system user and place it in a script?

G_W_Albrecht — Tue, 01 Apr 2025 12:20:16 GMT

ATM is a seperate version without GUI, the CLI command will only work in that version but does not work with either Check Point Mobile Remote Access VPN client or Check Point Endpoint Security VPN client !

userpass -s <sitename> -u <username> -p <password>
                        save username and password (for ATM only)
certpass -s <sitename> -f <certificate filename> -p <password>
                        save certificate and password (for ATM only)