Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
FloydG
Participant

Prevent VPN from switching certificates

Jump to solution

Dear CheckMates,

we are using certificate based authentification to establish VPN connections.
The certificate is based in users personal store.

When opening TrGui.exe, you can choose between those authentifications.
When deploying its set to "certificate" and the correct user certificate.

Whenever this certificate is renewed, checkpoint application will switch between those certificates and pick another one in this store.
That results in error when connection to site.
The end user can (if they remember) open TrGui.exe and switch it back.

But our environment is as large, as we have atleast 1 call every day, that the certificate is not working.

The Question:
Can I somehow force the endpoint to use exactly this certificate with specific name (for example).
Any regkey where the current choice is stored?

Thank you in advance.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
0 Kudos
6 Replies
PhoneBoy
Admin
Admin
0 Kudos
FloydG
Participant
FloydG
Participant

Hi,

another question regarding SK article above.

Can we modify trac.defaults file and push it on all clients without any risks?
Or is this file personalized for every client, so that it does not work/fit on all devices/users?

Thank you.

0 Kudos
G_W_Albrecht
Legend
Legend

There are two options in sk169453:

- use GW trac_client_1.ttm for configuration, that will be downloaded by all clients when connecting

- use trac.defaults in client install package for configuration, then you can either roll out using one package or use packages with different trac.defaults for different clients

0 Kudos
FloydG
Participant

Hi,

thank you for reply, but it does not really answer my question.
Is there any risk, when I create a trac.defaults file and replace this file on all systems in our environment (by basic copy & paste)?

Any user specific file metadata or something else, which could lead to issues in the future?

0 Kudos
G_W_Albrecht
Legend
Legend

No, not at all - see sk55502: How to centrally manage the trac_client_1.ttm configuration file for Remote Access Clients for the suggested way of managing extended configurations for all clients. Or you can use sk122574 - VPN Configuration Utility for Endpoint Security VPN E80.71 (and above) Clients for Window.... The sk121196: Remote Access client disconnects after upgrade explains that you can use any track.defaults from same version clients for replacement. So nothing client-specific there...

But all three possible methods have inherent weaknesses:

- central managing the config following sk55502 will need manual editing again after SMS upgrade

- creating client packages with changed trac.default must be done for every new client version to be rolled out

- manual changes to clients trac.default will be overwitten by any new client version to be rolled out (this needs the most manual work that multiplies with the number of clients)