This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FloydG
Participant
‎2021-04-07 03:49 AM
Jump to solution

Prevent VPN from switching certificates

Dear CheckMates,

we are using certificate based authentification to establish VPN connections.
The certificate is based in users personal store.

When opening TrGui.exe, you can choose between those authentifications.
When deploying its set to "certificate" and the correct user certificate.

Whenever this certificate is renewed, checkpoint application will switch between those certificates and pick another one in this store.
That results in error when connection to site.
The end user can (if they remember) open TrGui.exe and switch it back.

But our environment is as large, as we have atleast 1 call every day, that the certificate is not working.

The Question:
Can I somehow force the endpoint to use exactly this certificate with specific name (for example).
Any regkey where the current choice is stored?

Thank you in advance.

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2021-04-30 04:12 AM
In response to FloydG
Jump to solution

No, not at all - see sk55502: How to centrally manage the trac_client_1.ttm configuration file for Remote Access Clients for the suggested way of managing extended configurations for all clients. Or you can use sk122574 - VPN Configuration Utility for Endpoint Security VPN E80.71 (and above) Clients for Window.... The sk121196: Remote Access client disconnects after upgrade explains that you can use any track.defaults from same version clients for replacement. So nothing client-specific there...

But all three possible methods have inherent weaknesses:

- central managing the config following sk55502 will need manual editing again after SMS upgrade

- creating client packages with changed trac.default must be done for every new client version to be rolled out

- manual changes to clients trac.default will be overwitten by any new client version to be rolled out (this needs the most manual work that multiplies with the number of clients)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2021-04-09 10:38 AM
Jump to solution

Paging @AndreiR 

0 Kudos
FloydG
Participant
‎2021-04-22 06:20 AM
In response to FloydG
Jump to solution

Hi,

another question regarding SK article above.

Can we modify trac.defaults file and push it on all clients without any risks?
Or is this file personalized for every client, so that it does not work/fit on all devices/users?

Thank you.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-04-22 06:32 AM
In response to FloydG
Jump to solution

There are two options in sk169453:

- use GW trac_client_1.ttm for configuration, that will be downloaded by all clients when connecting

- use trac.defaults in client install package for configuration, then you can either roll out using one package or use packages with different trac.defaults for different clients

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
FloydG
Participant
‎2021-04-30 01:58 AM
In response to G_W_Albrecht
Jump to solution

Hi,

thank you for reply, but it does not really answer my question.
Is there any risk, when I create a trac.defaults file and replace this file on all systems in our environment (by basic copy & paste)?

Any user specific file metadata or something else, which could lead to issues in the future?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-04-30 04:12 AM
In response to FloydG
Jump to solution

No, not at all - see sk55502: How to centrally manage the trac_client_1.ttm configuration file for Remote Access Clients for the suggested way of managing extended configurations for all clients. Or you can use sk122574 - VPN Configuration Utility for Endpoint Security VPN E80.71 (and above) Clients for Window.... The sk121196: Remote Access client disconnects after upgrade explains that you can use any track.defaults from same version clients for replacement. So nothing client-specific there...

But all three possible methods have inherent weaknesses:

- central managing the config following sk55502 will need manual editing again after SMS upgrade

- creating client packages with changed trac.default must be done for every new client version to be rolled out

- manual changes to clients trac.default will be overwitten by any new client version to be rolled out (this needs the most manual work that multiplies with the number of clients)

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top