DunN
Participant

Checkpoint Mobile VPN - enable SDL programmatically

Hi, we need to enable the Check Point Mobile VPN SDL (Secure Domain Logon) option centrally. The preferred method is through scripting, like PowerShell. It seems that adding the registry value HKLM\SOFTWARE\Wow6432Node\CheckPoint\TRAC SDLEnabled REG_DWORD 0x1 is not enough. The only thing we see is that the checkbox is ticked, but it does not result in the SDL option on the Windows logon screen. We recently deployed Check Point VPN to thousands of endpoints; only the SDL option needs to be activated programmatically.

After the registry value is deployed as described above, we do see that the checkbox is enabled, but it does not work the way it does when a user manually enables the checkbox.

SDLenabled.png

0 Kudos

13 Replies
PhoneBoy
Admin
Admin

In addition to the registry setting, you will have to deploy a version of the client where this option was enabled.
This means building an MSI using the following tool: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
Then redeploy the client. 
Unfortunately, that is the only way to achieve this that I am aware of.

0 Kudos
DunN
Participant

I reconfigured the installation with the VPN Configuration Utility you mentioned, enabled SDL and monitored registry changes during the installation. I noticed a new registry key. With that, I successfully enabled SDL for already deployed clients.
RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"

Now it works. Thank you.

PhoneBoy
Admin
Admin

Not 100% sure that is universal or not but glad you got it working.

0 Kudos
florinbaciu
Explorer

Hi, 

Do you know if there is any other way to enable SDL without deploying a new VPN client on each computer?

I tried to add a registry key with both values but the Network sign-in button is not shown on the user client.

Registry added via a GPO (Computer Configuration section):

{a7fd389f-fac9-4772-b6af-54e09f65a2a3}

SDLenable=1

Deploying a new package is too difficult because all users are out of the office.

0 Kudos
PhoneBoy
Admin
Admin

Like I mentioned earlier in the thread, I am not sure whether what @DunN mentioned is universal or not.
Recommend manually enabling it the same way to see if it creates the same registry key in the same location.

0 Kudos
DunN
Participant

Currently Check Point VPN version 98.61.58 is deployed and SDL is available (see the GUI I posted earlier), but the checkbox is unticked. We would like to enable this option for already deployed clients without going through the whole build-and-redeploy installation process. Is there an alternative way?

0 Kudos
Velocy
Participant

Just my 2 Cents...

Deploying this via the registry brought up the SDL window as the user logs on, but in a lot of cases the Connect button on the logon window was missing.

We programmatically enabled SDL by simply running the following once per client (the path contains spaces, so quote it):

"%ProgramFiles(x86)%\CheckPoint\Endpoint Connect\trac.exe" sdl -st enable

This can be done by a software deployment system, for example, for basically every user.

DunN
Participant

I have observed that sometimes the CP screen is in the background. By ALT-TABbing you can make the screen show.

Velocy
Participant

Sorry, I probably didn't describe it sufficiently. I don't mean the CP screen itself. If you have SDL enabled, you should have an additional icon at the bottom right of the Windows 10 logon screen, left of the icon that indicates the network status (the Wi-Fi icon, for example). If you click this button / icon you can manually establish the connection before entering a user account on the logon screen. This is especially helpful if you want to log on with a Windows domain account that has never logged on before and has no cached credentials (i.e., if a user receives a new device by mail and wants to log on with this AD account for the first time).

This button / icon was missing for a lot of our users where we tried to deploy it via the registry. It always appeared for the people for whom we enabled SDL via trac.exe.

DunN
Participant

Ah yes, if you first enable SDL via the GUI or with the trac.exe command you already described (I haven't tested that), there will be a few keys created under:

RegistryPath = "HKLM:\SOFTWARE\Classes\CLSID\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"
RegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{a7fd389f-fac9-4772-b6af-54e09f65a2a3}"

With those, the icon you mentioned will be created so users without a user profile can successfully log on. I'm using registry key deployment so I can remediate already deployed configurations. Of course I am aware that this method is not supported by Check Point.

UserWin10
Explorer

We are using version 86.70. We would like to hide or lock this option so the user can't change the Secure Domain Logon option, which we enabled using registry settings. Can you help us with the registry settings?

0 Kudos
PhoneBoy
Admin
Admin

You should be able to both push the necessary registry changes described in this thread and lock them through GPO.
We don't provide a way to do this, however.

0 Kudos
Andrew_Scott
Participant

For anyone else who struggles with this in the future due to there being absolutely no official documentation, you need to do the following on the client:

Create these registry keys and values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}]
@="CPEPC_PLAP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}\InprocServer32]
@="CPEPC_PLAP.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}]
@="CPEPC_PLAP"


Run the following command to enable Secure Domain Logon:

"C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe" SDL -ST Enable


You don't actually have to create the registry values before running the trac command but you do have to create the {A7FD389F-FAC9-4772-B6AF-54E09F65A2A3} keys under both CLSID and PLAP Providers.

If you create the keys then the command will set the values for you.

If you don't create the keys then trac.exe will not create the values and the logon screen icon will not appear.

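The steps in the thread (create the CLSID and PLAP Providers keys, then run trac.exe so it fills in the values) put together as one PowerShell script. This is an added example, not code from the thread or from Check Point's tooling. It assumes the default install path Andrew_Scott posted (adjust $TracExe if your build lives under "...\CheckPoint\Endpoint Connect\" as in Velocy's post), that the CLSID {A7FD389F-FAC9-4772-B6AF-54E09F65A2A3} posted above is the one your client version registers (PhoneBoy notes nobody has confirmed it is universal), and that trac.exe's exit code is meaningful, which the thread does not state, so a non-zero code only produces a warning. The function names are my own.

```powershell
# Added example (not from the thread): enable Check Point Secure Domain Logon (SDL)
# on an already-deployed Endpoint Security VPN client, following the steps posted
# by Andrew_Scott and Velocy. Run elevated: it writes to HKLM and calls trac.exe.
#Requires -RunAsAdministrator

# Assumption: the CLSID posted in the thread; not confirmed to be identical for every client build.
$Clsid     = '{A7FD389F-FAC9-4772-B6AF-54E09F65A2A3}'
$ClsidKey  = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
$InprocKey = "$ClsidKey\InprocServer32"
$PlapKey   = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\$Clsid"
# Assumption: default install path from Andrew_Scott's post; Velocy's build omits "Endpoint Security\".
$TracExe   = "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security\Endpoint Connect\trac.exe"
# Value the original poster pushed; it only ticks the GUI checkbox, it does not register the PLAP provider.
$TracKey   = 'HKLM:\SOFTWARE\Wow6432Node\CheckPoint\TRAC'

function Initialize-SdlRegistryKeys {
    # Per the thread, trac.exe only writes the values if the keys already exist,
    # so create the keys first. The values mirror the .reg file Andrew_Scott posted;
    # setting them here is harmless if trac.exe rewrites them afterwards.
    foreach ($key in $ClsidKey, $InprocKey, $PlapKey) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
    }
    Set-ItemProperty -LiteralPath $ClsidKey  -Name '(default)'      -Value 'CPEPC_PLAP'
    Set-ItemProperty -LiteralPath $InprocKey -Name '(default)'      -Value 'CPEPC_PLAP.dll'
    Set-ItemProperty -LiteralPath $InprocKey -Name 'ThreadingModel' -Value 'Apartment'
    Set-ItemProperty -LiteralPath $PlapKey   -Name '(default)'      -Value 'CPEPC_PLAP'
}

function Invoke-TracSdlEnable {
    # Equivalent to ticking "Enable Secure Domain Logon" in the client GUI.
    if (-not (Test-Path -LiteralPath $TracExe)) {
        throw "trac.exe not found at '$TracExe'. Adjust `$TracExe for your client build."
    }
    & $TracExe SDL -ST Enable
    # Assumption: a non-zero exit code means failure; the thread does not document trac.exe's exit codes.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "trac.exe SDL -ST Enable returned exit code $LASTEXITCODE"
    }
}

function Test-SdlConfigured {
    # Returns $true when the PLAP provider registration that produces the
    # "Network sign-in" button on the logon screen is present and populated.
    $problems = @()
    foreach ($key in $ClsidKey, $InprocKey, $PlapKey) {
        if (-not (Test-Path -LiteralPath $key)) { $problems += "missing key $key"; continue }
        $default = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ([string]::IsNullOrEmpty($default)) { $problems += "empty default value under $key" }
    }
    # Checkbox state only; the poster found this value alone does not add the logon-screen button.
    $sdl = Get-ItemProperty -LiteralPath $TracKey -Name SDLEnabled -ErrorAction SilentlyContinue
    if ($null -eq $sdl -or $sdl.SDLEnabled -ne 1) { $problems += "SDLEnabled under $TracKey is not 1" }

    if ($problems.Count -gt 0) {
        $problems | ForEach-Object { Write-Warning $_ }
        return $false
    }
    return $true
}

Initialize-SdlRegistryKeys
Invoke-TracSdlEnable
if (Test-SdlConfigured) {
    'SDL enabled. The Network sign-in button should appear at the next logon screen.'
}
```

Run it once per client from the deployment system's SYSTEM context. Because the values live under HKLM and are what the client reads, Test-SdlConfigured is also usable on its own as a compliance check for the "lock it via GPO" case UserWin10 asked about: push the same keys as GPO registry preferences and run the check to find clients where the user has untoggled the option.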
