israelsc
Collaborator

Remote Access CLI based script - how to extract system user and place it in a script?

Hello everyone!
Hoping you are doing well and having a great day.

I am developing a .bat script for the recreation of VPN site for VPN clients of one of our customers.

I am basing it on commands from the Remote Access documentation in the CLI section:
https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN...

For now, I have the following for my script:

  • @echo off
  • cd C:\Program Files (x86)\CheckPoint\Endpoint Connect\
  • trac.exe ver
  • trac.exe disconnect
  • trac.exe delete -s vpn.company.com
  • trac.exe create -s vpn.company.com -di vpn.company.com -a username-password -lo Standard

The script does the following:

  • @echo off to ensure that the script commands are not displayed in the cmd console.
  • Change to the directory where trac.exe is located.
  • Show client version
  • Disconnect client
  • Delete current VPN site
  • Recreate current VPN site with username and password as authentication method

 

The specific requirement of our customer is that the domain username of the PC is extracted and defined in a variable in order to be able to execute the following command and that the username is the domain user:

trac.exe userpass -s <sitename> -u <username> -p <password>

I see that if I run the following in CMD, I can see my domain username based on a Windows system environment variable:
echo %USERNAME%

Then, I also see that if I run the following, I can save %USERNAME% in a variable called USER:
set USER=%USERNAME%

However, when I try to use this variable in the command trac.exe:
trac.exe userpass -s vpn.company.com -u %USER%

I see the following error:

[Screenshot attachment: trac.exe.png]

I would like to know if there is a way to extract this domain username from a PC to configure it by “default” once I run my script to recreate the VPN site.
And that once the VPN client is reconfigured, the user can see his domain user so that he can just enter his passwords and then proceed with the VPN authentication/authorization using an LDAP with Identity Awareness. (This last one is already configured, I just want to see if the domain user can be configured so that the user just comes in and enters his password).

I know this is maybe something more related to .bat scripting but I hope you can help me.

Greetings!!

0 Kudos
3 Replies
G_W_Albrecht
Legend

Command only works on ATM EPS clients as explained in the trac help! So this is only possible with the unattended client version, but not the one installed here that has a GUI for the user...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin

If you replace %username% with an actual username, does it work?

0 Kudos
israelsc
Collaborator

Hello @G_W_Albrecht, @PhoneBoy, thanks for your comments and help!

@G_W_Albrecht 
That's right, I saw that it works for ATM, but I don't know if this as such is a limitation for us to execute these commands or not in a VPN client that does have a GUI, such as the Check Point Mobile Remote Access VPN client or the Check Point Endpoint Security VPN client.

@PhoneBoy 
I made a couple of attempts, here are the results:

1st attempt: set username only, the result shows that the arguments are invalid.

2nd attempt: set only the username and leave the password field empty, the result shows that there is a missing password.

3rd attempt: set username, set password, the result shows that this feature is disabled.
And this last one is ok, maybe the Security Gateway is not configured for this.

However, the 1st and 2nd attempts make me think that you must have a username and password configured so that the executable parameters are complete and it can run successfully.

[Screenshot attachment: new attemps.png]

Is there any way to achieve this requirement?
Or is it something that is out of scope of what trac.exe can do?

Greetings!

0 Kudos
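
One way to handle the requirement discussed in this thread, as an added PowerShell example that is not code from the posters or from Check Point: it takes the account name from the USERNAME environment variable, prompts for the password instead of storing it in the script, and calls the `trac.exe userpass` command quoted in the original post. The install path and site name are the ones from that post; a non-zero exit code on failure is an assumption, and per the replies `userpass` may only be enabled on ATM clients.

```powershell
# Added example: not from the thread or from Check Point documentation.
# Assumptions: install path and site name are the ones quoted in the post;
# trac.exe is assumed to return a non-zero exit code on failure.
param(
    [string]$Site    = 'vpn.company.com',
    [string]$TracDir = 'C:\Program Files (x86)\CheckPoint\Endpoint Connect'
)

$trac = Join-Path $TracDir 'trac.exe'
if (-not (Test-Path -LiteralPath $trac)) {
    throw "trac.exe not found at $trac"
}

# Logged-on user's account name, the same value cmd shows for %USERNAME%.
$user = $env:USERNAME
if ([string]::IsNullOrWhiteSpace($user)) {
    throw 'USERNAME is not set in this session.'
}

# Prompt without echo, so no password is stored in the script file.
$secure = Read-Host -Prompt "VPN password for $user" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

try {
    # Each value is passed as its own argument; no cmd-style %VAR%
    # expansion is involved. Both -u and -p are supplied together.
    & $trac userpass -s $Site -u $user -p $plain
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "trac.exe userpass exited with code $LASTEXITCODE"
    }
}
finally {
    # Drop the plaintext copy as soon as the call returns.
    $plain = $null
    $secure.Dispose()
}
```

The password is still passed on the `trac.exe` command line, so it is visible to anything that can read process command lines, including process-creation auditing when command-line logging is enabled.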
