This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alias
Contributor
‎2021-05-26 05:15 AM

Pushing Global Properties on to VPN Remote Access Client

Hey Mates,

we are trying to change the Network Location Awareness from "Configured on endpoint client" to being configured globally.

I made the configuration through SmartConsole, installed policy on all gateways, installed database and yet, somehow, it doesn't seem to get to the clients.

On a test machine I installed the VPN client from scratch and there the configuration seems to work. But on all the other clients my change doesn't seem to have an effect? From what I found in the forum, it seems that the VPN client is supposed to get new configurations once it has established a connection?

What do I need to do to push the new configuration on to the already installed VPN clients (currently 84.40)? I tried reinitialising the vpn site, but this doesn't seem to change anything.

What am I missing?

Thanks in advance

Kind Regards

D

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-05-26 08:14 AM

The properties take effect (or should) on the next connection the client makes.
That also assumes policy was pushed to the relevant gateways as well.

0 Kudos
Alias
Contributor
‎2021-05-31 06:55 AM
In response to PhoneBoy

Hey Phoneboy,

thank you for your answer.

That is basically what I had expected. The client should connect and get the new policy from the gateway.

Unfortunately, that doesnt correspond with my experience so far.

Basically, my situation at the moment is that my colleagues go to the office and get the "secure domain logon" window during the Windows sign in. The clients seem to totally disregard the global location awareness configurations that should stop this window to pop up during logon from our office network. All the users are on 83.20

I had the secure domain logon window from my homeoffice (as it is supposed to). Due to some other VPN related issues, I upgraded my client to 84.40 while we had activated the location awareness on the gateway. I used the CP recommended configuration based on external interfaces. After the new install, the secure domain logon doesn't show up anymore. Like at all. No matter which network I use to sign in, the window doesn't appear anymore. 

Meanwhile, we changed the  configuration back to "configured on client" and I connected numerous times, but I still don't get the secure domain logon (it is activated in the client). Now, I've got another notebook to test the issue with. This notebook also uses the 84.40, the global configuration is set to "configured on client", the secure domain box is checked in the client settings but for some reason, the "secure domain logon" window doesn't show up.

 

EDIT: I just upgraded a colleague who had the secure logon in every network from VPN Client 83.20 to 84.40. Global configuration is on "configured on endpoint" and the box for secure domain logon is checked on his client. He doesn't get the domain logon on pop up - not in the company network but also not from external networks. Is there an issue with 84.40?

 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-05-31 04:51 PM
In response to Alias

Recommend a TAC case here to figure out the SDL issue.

0 Kudos
Alias
Contributor
‎2021-06-03 11:49 PM
In response to PhoneBoy

Thank you, we will try with the 84.70 before making a case. I'll post results

0 Kudos
Alias
Contributor
‎2021-06-16 02:36 AM
In response to PhoneBoy

Hi,

the test with the 84.70 was unsuccessful as well.

By now I tried all available options. I used the recommended based on infrastructure, i used based on networks and the option behind the advanced button based on DNS.

Is there a way to validate that the client got the config?

I will open a case, as recommended.

Kind regards

D

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-16 03:03 PM
In response to Alias

You can review the trac.config on the client but most parts of it will be obscured.
Even so, it should have the last modified date of the last connection (give or take).

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events