@PhoneBoy ..just wondering, I dont see that global property option in R81 mgmt server. Was it removed by design and if so, is there another place where it can be configured?

It's been removed, but likely for good reason.

What pops up when I click on the "Configure" button next to "Scan Endpoint for spyware and compliance" on R80.40 is Endpoint Security on Demand.
The documentation says ESOD is for SNX connections in particular, which makes sense since the other VPN clients have other ways to do posture checking (SCV or Endpoint Compliance).
And yes, if you want to use this compliance checking for SNX, you can configure it in Mobile Access.

SNX is tied to Mobile Access these days.
That said, we also support the use of SNX without Mobile Access and have a portal on the gateway where a client can activate SNX from.
I presume this has existed since the Connectra days. 

For both MAB and the classic SNX portal, deployment of SNX/ESOD requires a browser plugin (Java or ActiveX), both of which have been deprecated by the various browser makers. 
In Mobile Access, we created a new deployment agent that doesn't require plugins, but still requires Java on the client.
That's described here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
This is integrated into the product from R80.40 onward.

The classic SNX portal still uses the old deployment methodology, and from what I can tell, there are no plans to update it.
Which basically means: that property is not terribly useful, which is likely why that particular Global Property was removed. 

Bottom line: if you want to do client posture checking, you have three options:

• SCV (supported in Check Point Mobile and Endpoint Security VPN)
• Endpoint Compliances (supported in Endpoint Security VPN)
• Endpoint Security on Demand (supported with SNX and Mobile Access Blade)

Thanks D. What do you recommend in this case for sandblast/endpoint VPN? Global property for SCV? That would apply in this case? If so, I dont see any option there for scanning before connecting to vpn. Anyway, we opened official tac case to get an answer on it!

The answer is "it depends."
Endpoint Compliance works on Windows and Mac but requires a full Endpoint license (SBA/Harmony/legacy ACCESS license).
SCV works on Windows clients only (I believe Mac is planned) but also works on Check Point Mobile.
In both cases, it will allow connection, but if you're not compliant, you can be blocked from accessing all but specific resources (i.e. for Remediation purposes).

So for SCV, can it be used for sandblast, as well as endpoint VPN clients?

Yes, assuming that client includes Remote Access.
The actual SCV rules are stored on the gateway itself (local.scv).
Which means the SCV checks can't be executed until the client is actually connected to the gateway via Remote Access.

Endpoint Compliance can operate independently of being connected to the gateway via Remote Access.

I will have to look into it, as I cant recall now if that endpoint compliance is actual fw blade or just global property check.

Endpoint Compliance is a separate Endpoint blade.

I guess thats probably enabled on endpoint side, as I dont see it anywhere on the fw...

Hey phoneboy,

Forgot to ask, does SCV apply at all to sandblast agents (harmony endpoint)?

It can, yes.

Any idea if endpoint compliance blade is same as ESOD?

ESOD is part of Mobile Access Blade.
It is different from Endpoint Compliance, though they serve similar functions.

Ok, so mobile access blade needs to be on for esod to function?

Yes and you must connect via the MAB portal for it to be activated.
Java is also required.

K thank you. We will have to think if that might be right option for customer that wants compliance checks done (similar to SCV) on vpn clients who dont work for their company. Are you saying that MAB portal activation is one time thing or is connecting to it always needed once activated?

I think you would need to log in via MAB each time.
This also implies using SNX.

Hello,

So to clear the confusion - ESOD for mobile access blade will not work for Endpoint Client? And then there is a separate solution for Endpoint Client to maintain the compliance? Can I know what that solutions is? so that we can evaluate in our lab?

TIA 

Blason R

Oh! This is EPM, so to achieve we need to have EPM licenses as well for Endpoint VPN clients connecting from home using office mode?

What exactly is the difference between these two options and what would you recommend for which scenario?

But ESOD Mobile is only for mobile ssl web not for client windows.

• Client-based - Client application installed on endpoint computers and devices. Clients are usually installed on a managed device, such as a company-owned computer. The client supplies access to most types of corporate resources according to the access privileges of the user.
• Clientless - Users connect through a web browser and use HTTPS connections. Clientless solutions usually supply access to web-based corporate resources.
• On demand client - Users connect through a web browser and a client is installed when necessary. The client supplies access to most types of corporate resources according to the access privileges of the user.