Hi all,
I am trying to deploy a list of VPN sites that users can choose from, along with the CheckPoint client on all our company Macs.
Is there any documentation that describes how to do that?
As far as I understood, the trac.config file needs to be edited, adding the details of each VPN site, but how is that done? Is there a specific console?
Thank you.
The best way to “edit” trac.config file is to use the client to configure the required sites, then distribute trac.config.
On Windows at least this trac.config can be bundled into the installer.
Believe this is also possible on the Mac, but I’m not certain of the exact steps.
Hi @PhoneBoy,
Just to clarify, are you suggesting that I set up all the VPN sites that we need to push to the CheckPoint client on a test Mac, then export the final trac.config file and distribute it to all devices?
I have tried this, and it appears to work well.
However, I’m facing another issue and would appreciate your assistance with it:
Occasionally, we need to add or remove VPN sites and deploy the updated trac.config file to our Macs.
I followed the same procedure, added a couple of VPN sites, and attempted to distribute the updated file. However, when trying to replace the trac.config file on Macs that already had the client installed, I encountered an issue where the file could not be replaced.
What's the correct way to stop the service before deploying the updated trac.config file to ensure the replacement goes smoothly?
Thank you.
Yes, you have it correct, and yes you need to stop/start the relevant service to replace trac.config on a system with the VPN client running/installed.
The two commands to do this are:
Thank you for the quick reply @PhoneBoy.
The commands that you mentioned in your previous message seem to work for stopping the VPN service (I was connected when I launched the first command, and got immediately disconnected).
However, I was still unable to replace the trac.config file in the folder /Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect, receiving an error message saying that the operation was not permitted.
My assumption is that the file is still locked by another CheckPoint service on the device.
It could very well be.
Another possibility is to use the "trac" binary (in the same location as trac.config) to add the sites via the CLI (e.g. with trac create).
Hi @PhoneBoy,
Is it possible to know which are the CheckPoint services that lock the trac.config file, and if they can be stopped so the file can be replaced without having to uninstall the client and re-install it with the new trac.config file, which is not really an ideal workflow?
Thank you.
If you select Shutdown Client from the tray menu, this should work using local admin rights - at least for the RA VPN only EP client I use. If you use the Harmony EPS blades it would be more difficult...
The only service that needs it is the "epc" service.
I imagine the file is locked as a result of Harmony Endpoint self-protection features.
Not sure these can be disabled, but you should confirm with TAC.
Have you tried creating the site using the "trac" binary I mentioned above?
For example to create a site from the gateway at 192.0.2.54 and naming it "MyVPNSite" in the UI, you issue the following command:
"/Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/trac" create -s 192.0.2.254 -di MyVPNSite
Assuming you have some sort of remote execution capability on the Endpoints, this might be easier.
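The `trac create` approach from the post above, scripted for a list of sites so it can be pushed through an MDM or other remote execution tool; this is an added example, not part of the original posts and not Check Point tooling. Only the `create -s ... -di ...` invocation comes from the thread; the site list, the name restrictions, the `APPLY` switch and the assumption that `trac` exits non-zero on failure are hypothetical.

```shell
#!/bin/sh
# Added example: provision VPN sites with "trac create" from a validated list.
TRAC="${TRAC:-/Library/Application Support/Checkpoint/Endpoint Security/Endpoint Connect/trac}"

# Constructed sample list, one "<gateway> <display name>" pair per line
# (documentation-range addresses, not real gateways).
SITES='192.0.2.254 MyVPNSite
198.51.100.10 BranchVPN'

# Accept only hostname/IPv4-style gateways and simple display names, so a
# tampered list cannot inject options or shell syntax into a root-run job.
valid_site() {
    case "$1" in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$2" in ''|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# provision_sites LIST: prints one status line per entry and returns the
# number of rejected or failed entries. Dry run unless APPLY=1 is set.
provision_sites() {
    failed=0
    while read -r gw name extra; do
        [ -z "$gw" ] && continue
        if [ -n "$extra" ] || ! valid_site "$gw" "$name"; then
            echo "SKIP invalid entry: $gw $name $extra"
            failed=$((failed + 1))
            continue
        fi
        if [ "${APPLY:-0}" != 1 ]; then
            echo "WOULD RUN: \"$TRAC\" create -s $gw -di $name"
        elif "$TRAC" create -s "$gw" -di "$name"; then
            # Assumption: trac signals failure through its exit status.
            echo "OK $name ($gw)"
        else
            echo "FAIL $name ($gw)"
            failed=$((failed + 1))
        fi
    done <<EOF
$1
EOF
    return "$failed"
}

# Default invocation is a dry run; set APPLY=1 to actually create the sites.
provision_sites "$SITES"
```

Review the dry-run output on a test Mac first, then rerun with `APPLY=1` under the account your deployment tool uses.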
Is this what you are looking for?
Best,
Andy