Peter_Dray
Explorer

Endpoint client option in trac.defaults to start at windows login

Working to implement machine tunnel VPN for remote access on a gateway running R81.10 JHF Take 95, and clients are Windows 10 using Endpoint Client E87.20. Our existing remote access currently uses SDL, but part of the work is to disable this as an option. Is there a setting in the trac.defaults file that will do the job to start the Endpoint client when they log in, rather than after this has completed? Or would this need to be set via Windows?

0 Kudos
2 Replies
PhoneBoy
Admin

Without SDL, the VPN client will start when the user logs in.
This is the default behavior.

0 Kudos
biskit
Advisor

Do you mean you're trying to do a machine based VPN as the machine boots?  Instead of waiting until after CTRL+ALT+DEL before establishing a user-login based VPN?

This is possible and there are a few options around whether the VPN stays logged in as the machine based even after Windows login, or whether it is machine based up until the Windows login, then it drops and prompts for user login credentials.  You can also disable the ability for the user to disconnect, forcing them to stay on VPN permanently.

Machine based is good for people wishing to push down GPO updates etc. when they have a workforce that infrequently connects on the LAN.

 

Machine based uses AD machine certificates.  So you need a CA on your AD, and all machines must have a machine certificate from your AD CA.  You need the root cert from the CA installed on the firewall (similar to sk149253).  

You possibly want sk121173.  Although that it's the one I followed...  I can't recall which one it was but I'll have a dig and let you know if I find it.  The method I used also requires a tweak to set enable_machine_auth=false in trac.defaults (probably what you're alluding to?) on all client machines (so this needs some prior planning).  I don't think that change can be pushed out centrally 🙄.  I think this stuff is in the VPN Admin guide too - presume you've checked there?

 

0 Kudos
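
The machine-certificate prerequisite described in the reply above can be checked on a client before rollout. The following PowerShell is an added example, not part of the thread and not Check Point tooling; the issuer pattern is a placeholder, and the requirement for a Client Authentication EKU is an assumption.

```powershell
# Added example (not from the thread): list certificates in the local
# machine store that look usable for machine-based VPN authentication.
param(
    # ASSUMPTION: placeholder pattern, replace with your AD CA's name.
    [string]$IssuerPattern = '*EXAMPLE-AD-CA*',
    [int]$WarnDays = 30
)

# ASSUMPTION: the machine certificate carries the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # Build the chain against the local trust stores only; revocation is
    # skipped so the check also works while the client is off the LAN.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        IssuerMatch   = $cert.Issuer -like $IssuerPattern
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $ekuOids -contains $clientAuthOid
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ExpiresSoon   = $cert.NotAfter -lt $now.AddDays($WarnDays)
        ChainTrusted  = $chainOk
    }
}

# A certificate counts as usable only if every check passes.
$usable = @($report | Where-Object {
    $_.IssuerMatch -and $_.HasPrivateKey -and $_.ClientAuthEku -and
    $_.InValidity -and $_.ChainTrusted
})

$report | Format-Table Subject, NotAfter, IssuerMatch, HasPrivateKey, ClientAuthEku, ChainTrusted -AutoSize

if ($usable.Count -eq 0) {
    Write-Warning 'No usable machine certificate found in Cert:\LocalMachine\My.'
    exit 1
}
$usable | Where-Object ExpiresSoon | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) expires on $($_.NotAfter)."
}
```

Run it from an elevated prompt on a sample of client machines; a non-zero exit code marks a machine that still needs a certificate enrolled from the AD CA.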
