https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185924#M4747 <P>Without SDL, the VPN client will start when the user logs in.<BR />This is the default behavior.</P> Fri, 07 Jul 2023 14:09:45 GMT PhoneBoy 2023-07-07T14:09:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185899#M4746 <P>Working to implement machine tunnel VPN for remote access on gateway running R81.10 JHF Take 95, and clients are windows 10 using Endpoint Client E87.20.&nbsp; Our existing remote access currently uses SDL, but part of the work is to disable this as an option, but is there a setting in the trac.defaults file that will do the job to start the Endpoint client when they login, rather than after this has completed.&nbsp; Or would this need to be set via windows.</P> Fri, 07 Jul 2023 09:01:10 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185899#M4746 Peter_Dray 2023-07-07T09:01:10Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185924#M4747 <P>Without SDL, the VPN client will start when the user logs in.<BR />This is the default behavior.</P> Fri, 07 Jul 2023 14:09:45 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185924#M4747 PhoneBoy 2023-07-07T14:09:45Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185973#M4748 <P>Do you mean you're trying to do a machine based VPN as the machine boots?&nbsp; Instead of waiting until after CTRL+ALT+DEL before establishing a user-login based VPN?</P><P>This is possible and there are a few options around whether the VPN stays logged in as the machine based even after Windows login, or whether it is machine based up until the Windows login, then it drops and prompts for user login credentials.&nbsp; You can also disable the ability for the user to disconnect, forcing them to stay on VPN permanently.</P><P>Machine based is good for people wishing to push down GPO updates etc. when they have a workforce that infrequently connects on the LAN.</P><P>&nbsp;</P><P>Machine based uses AD machine certificates.&nbsp; So you need a CA on your AD, and all machines must have a machine certificate from your AD CA.&nbsp; You need the root cert from the CA installed on the firewall (similar to&nbsp;<SPAN>sk149253).&nbsp;&nbsp;</SPAN></P><P>You possibly want&nbsp;<SPAN>sk121173.&nbsp; Although that it's the one I followed...&nbsp; I can't recall which one it was but I'll have a dig and let you know if I find it.&nbsp; The method I used also requires a tweak to set&nbsp;<STRONG>enable_machine_auth=false</STRONG> in <STRONG>trac.defaults</STRONG>&nbsp;(probably what you're alluding to?) on all client machines (so this needs some prior planning).&nbsp; I don't think that change can be pushed out centrally&nbsp;<span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span>.&nbsp; I think this stuff is in the VPN Admin guide too - presume you've checked there?</SPAN></P><P>&nbsp;</P> Sat, 08 Jul 2023 22:22:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-client-option-in-trac-defaults-to-start-at-windows/m-p/185973#M4748 biskit 2023-07-08T22:22:57Z