Prevent VPN from switching certificates
Dear CheckMates,
We are using certificate-based authentication to establish VPN connections.
The certificate is based in the user's personal store.
When opening TrGui.exe, you can choose between those authentications.
When deploying, it's set to "certificate" and the correct user certificate.
Whenever this certificate is renewed, the Check Point application will switch between those certificates and pick another one in this store.
That results in an error when connecting to the site.
The end user can (if they remember) open TrGui.exe and switch it back.
But our environment is so large that we have at least 1 call every day that the certificate is not working.
The Question:
Can I somehow force the endpoint to use exactly this certificate with a specific name (for example)?
Any regkey where the current choice is stored?
Thank you in advance.
Paging @AndreiR
I found the answer here
Thank you.
Hi,
Another question regarding the SK article above.
Can we modify trac.defaults file and push it on all clients without any risks?
Or is this file personalized for every client, so that it does not work/fit on all devices/users?
Thank you.
There are two options in sk169453:
- use GW trac_client_1.ttm for configuration, that will be downloaded by all clients when connecting
- use trac.defaults in client install package for configuration, then you can either roll out using one package or use packages with different trac.defaults for different clients
Hi,
Thank you for the reply, but it does not really answer my question.
Is there any risk when I create a trac.defaults file and replace this file on all systems in our environment (by basic copy & paste)?
Any user specific file metadata or something else, which could lead to issues in the future?
No, not at all - see sk55502: How to centrally manage the trac_client_1.ttm configuration file for Remote Access Clients for the suggested way of managing extended configurations for all clients. Or you can use sk122574 - VPN Configuration Utility for Endpoint Security VPN E80.71 (and above) Clients for Window.... The sk121196: Remote Access client disconnects after upgrade explains that you can use any trac.defaults from same-version clients for replacement. So nothing client-specific there...
But all three possible methods have inherent weaknesses:
- centrally managing the config following sk55502 will need manual editing again after an SMS upgrade
- creating client packages with a changed trac.defaults must be done for every new client version to be rolled out
- manual changes to clients' trac.defaults will be overwritten by any new client version to be rolled out (this needs the most manual work, which multiplies with the number of clients)
