CHECK POINT MOBILE USER GUIDE 9/28/2012
Table of Contents
Introduction
Getting a VPN Account
Installing Check Point Mobile
Authentication
Compliance & System Requirements
System Tray
Connecting with Check Point Mobile
Stopping and Starting Check Point Mobile
Compliance Window
VPN Options
  Advanced VPN Options
  Deleting and Creating Sites
  Collecting and Sending Log Files
Troubleshooting
Technical Support
Appendix
  Client Icon
  Software Downloads
Introduction
Virtual Private Networks (VPNs) allow FedEx employees and vendors to work away from the office. VPNs create secure
tunnels over the Internet, ensuring confidentiality, integrity, and authenticity. This form of remote access makes services
such as internal web sites, email, and departmental servers available from places such as a home office or hotel.
Getting a VPN Account
A VPN account must first be requested. Both FedEx employees and vendors must:
1. Login to IdM using your FedEx ID and enterprise password
2. Click the System Access tab at the top of the page
3. Click the Application/Data Access link in the left-hand menu
4. Select VPN using the keyword search and complete the request form. The request will automatically be sent to your
manager for approval.
The next step is getting an IdentityGuard eGrid account. After your VPN request has been fully approved in IdM, you must:
1. Login to the FedEx IdentityGuard self-service web site to complete a short enrollment process.
2. You'll receive an IdentityGuard eGrid sheet (JPEG image format) that will be used for VPN login.
3. Keep your eGrid secure and do not share it with others.
Installing Check Point Mobile
1. Sign in to https://idguard.fedex.com. This link works from both inside and outside the FedEx network. You will be
required to authenticate using your FedEx ID, enterprise password and eGrid card.
2. Select 'I'd like to download the Remote Access Software'.
3. Download Check Point Mobile.
a. Internet Explorer 8 or older
i. Click the Check Point Mobile VPN Client link.
ii. Click Save on the File Download window.
iii. Select desktop to save the file to your desktop.
iv. Click Save
v. After download completes close the browser.
b. Internet Explorer 9
i. Click the Check Point Mobile VPN Client link.
ii. Click the drop down arrow next to Save then select Save As.
iii. Select desktop to save the file to your desktop.
iv. Click Save
v. After the download completes disregard the “unsafe“ message and close the browser.
4. Perform the installation using the evpn-installer file on your desktop.
5. Double-click the installer to open it. It may be in your Downloads folder or on your Desktop.
6. Click Next
7. Accept the license agreement
8. Click Next
9. Click Next
10. Installation in progress [no interaction required]
11. Click Finished
12. Test the connection by following the normal procedures used to establish VPN connectivity.
Authentication
FedEx requires two-factor authentication to login to VPN. Your employee number and enterprise password are the first factor, and the security grid card is the second. The security grid card is called an eGrid.
New/replacement eGrids can be acquired at the IdentityGuard web site, Keyword “eGrid”. The eGrid web site is externally accessible (i.e., from home or a hotel) at https://idguard.fedex.com. If you’ve lost your eGrid you can access the site using your challenge questions. If you’ve forgotten your challenge questions you can contact your regional/OpCo help desk for a one-time PIN. The temporary PIN will allow you to download a new eGrid. Always be sure to cancel lost/compromised eGrids at the IdentityGuard site.
eGrid provides secure and cost effective two-factor authentication. The eGrid contains a series of numbers and letters in clearly marked rows and columns. After entering the user name and enterprise password the user will be prompted for the eGrid coordinates. The user then cross-references each letter and number combination, similar to using a Bingo card. For example, if Mobile VPN prompted the user for [C5] [D4] [H4], the user would match [C5] with “J”, [D4] with “E”, and [H4] with “E”.
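Added example (not part of the original guide, and not the IdentityGuard product's own code): a minimal Python sketch of the grid challenge-response described above, seen from the verifying side, including the expiry and lockout conditions the guide mentions. The 10 x 5 card layout, the character set, case-insensitive answers and the five-failure lockout threshold are assumptions; the cells C5, D4 and H4 are the ones quoted in the guide.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date

COLS, ROWS = "ABCDEFGHIJ", "12345"           # assumed card layout: 10 columns x 5 rows
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ0123456789"
MAX_FAILURES = 5                             # assumed lockout threshold
_rng = secrets.SystemRandom()                # OS CSPRNG for cells and challenges

def issue_cells():
    """Fill every cell (e.g. 'C5') with one random character."""
    return {c + r: _rng.choice(ALPHABET) for c in COLS for r in ROWS}

@dataclass
class GridCard:
    expires: date
    cells: dict = field(default_factory=issue_cells)
    failures: int = 0

    def challenge(self, n=3):
        """Server side: choose n distinct coordinates to prompt for."""
        return _rng.sample(sorted(self.cells), n)

    def verify(self, coords, response, today):
        """Return 'ok', 'expired', 'locked' or 'mismatch' for one login attempt."""
        if today > self.expires:
            return "expired"
        if self.failures >= MAX_FAILURES:
            return "locked"
        expected = "".join(self.cells[c] for c in coords)
        given = response.strip().upper()     # assumption: answers are case-insensitive
        # Constant-time compare so timing does not reveal how many characters matched.
        if hmac.compare_digest(expected.encode(), given.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        return "mismatch"

def demo():
    """Replay the guide's example prompt [C5] [D4] [H4] -> J, E, E."""
    card = GridCard(expires=date(2012, 12, 31))              # constructed expiry date
    card.cells.update({"C5": "J", "D4": "E", "H4": "E"})     # cells quoted in the guide
    coords, day = ["C5", "D4", "H4"], date(2012, 9, 28)
    results = [card.verify(coords, "jee", day),               # right answer, lower case
               card.verify(coords, "JEX", day),               # one wrong cell
               card.verify(coords, "JEE", date(2013, 1, 1))]  # card past expiry
    results += [card.verify(coords, "XXX", day) for _ in range(5)]
    return results

if __name__ == "__main__":
    print(demo())
```

An expired or locked card is rejected before any cell is compared, which is why a correct answer can still produce a failed login.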
Check the expiration date on your eGrid before logging in
Compliance & System Requirements
Check Point Mobile VPN requires a working personal firewall and anti-virus agent in order to use FedEx Remote Access. This requirement is enforced by Mobile VPN using a Compliance Policy. Most anti-virus and personal firewall software that gives a “green light” in the Windows Security Center (XP/Vista) or Action Center (Windows 7) satisfies the Compliance Policy. Anti-virus software that has not received updates for 14 days will fail the compliance check. McAfee anti-virus is available to FedEx employees at no cost for the personal computer they use for VPN. Both Check Point Mobile and McAfee can be downloaded at Keyword “VPN” and the Internet-accessible IdentityGuard eGrid web site.
The Compliance Policy is updated during every connection attempt. Enabling Automatic Updates (Windows Update) is not required but recommended. The user can check their compliance status at the Compliance Window. Systems that are not compliant cannot use VPN until they are.
Supported Operating Systems
Windows XP Home and Professional 32-bit, with or without Service Packs 1, 2, or 3
Windows Vista 32-bit and 64-bit, with or without Service Packs 1 or 2
Windows 7 32-bit and 64-bit, Premium or Enterprise, with or without Service Pack 1
Windows Firewall will satisfy the Personal Firewall requirement.
System Tray
The VPN client can be accessed from an area on your PC known as the System Tray, or Systray. It is in the bottom right-hand
corner, immediately left of the clock. You may already see some icons there such as WiFi, volume control, and Outlook. The
icon you’re looking for is a gold padlock. It may be hidden from view; click the double up arrows to expand the System
Tray and reveal it.
1. This is a screenshot of the System Tray.
1.2 The VPN client icon is currently visible.
1.3 Right-click on the icon to display the VPN client’s
menu.
2. This is a screenshot of the System Tray.
2.1 The VPN client icon is currently hidden from view.
2.2 Left-click on the up arrows to expand the System
Tray.
3. The System Tray has been expanded.
3.1 The VPN client icon, a gold padlock, is now visible.
4. You can right-click on the icon to show the menu
for the VPN client. From here you can connect to
VPN, create a new site, and more.
Connecting with Check Point Mobile
You will be able to connect after installing Check Point Mobile and acquiring your eGrid.
1. Right-click the icon in the Systray
2. Click Connect to...
3. Input your login credentials.
Username = FedEx ID
Password = Enterprise password (8 characters)
4. Click Connect
5. You are presented with the eGrid challenge-response.
6. Look up the coordinates on your eGrid card and input the results.
7. [No interaction required] Check Point Mobile will now connect.
8. You should receive a successful connection.
You can click Close or wait for the window to close automatically.
From here you can use Outlook and access internal FedEx web sites.
Quick Connect
Quick Connect re-connects to the user’s last VPN Gateway.
Open the Systray (gold padlock), right-click on the icon, and click Connect.
Disconnecting from a Site
1. Open the Systray (gold padlock), right-click on the icon, and click Disconnect
2. Click Yes to confirm disconnecting
3. A tooltip appears above the system tray informing the user that the client is disconnected.
Changing Sites
You may experience better network performance by choosing a
VPN gateway geographically closer to you.
Stopping and Starting Check Point Mobile
To stop Check Point Mobile:
Open the Systray (gold padlock), right-click on the icon, and click Shutdown Client
To start Check Point Mobile:
1. From the Start Menu click Programs
2. Select Check Point
3. Click Check Point Mobile
Compliance Window
Right-clicking the client icon in the system tray and selecting Show Client displays the main client window.
The left-hand navigation tree displays information regarding:
Status: Displays the details of the VPN connection, Firewall, and Compliance.
Tools: Gives the option of Connect or Disconnect depending on the status of VPN.
Advanced VPN Options (normally not needed)
1. Right-click the client icon in the system tray and select VPN Options.
2. The Options window opens. Select Advanced Options.
Enable Logging: Collects information useful for troubleshooting
Collect Logs: Exports logs to a CAB file. Reproduce the problem before sending your logs to support.
Proxy Settings: Open and Set to “No Proxy”
Use Secure Authentication API File: do not check
Enable Secure Domain Logon: Log into VPN upon logging into Windows
Deleting and Creating Sites
For troubleshooting purposes a site may need to be deleted and re-created. For example, if you have trouble connecting to
wtce but not the other three employee VPN gateways, deleting and re-creating the wtce site would be a good first step
towards solving the issue.
1. Go to VPN Options from the Systray
2. Delete the previous site at the VPN Options screen.
3. At the VPN Options screen click New.
4. At the Welcome screen, click Next.
5. Input the site name you are creating. Then click
Next.
6. For Authentication Method, pick Username and
Password. Then click Next.
7. Click Finish.
8. You will be prompted to test your new connection.
It is highly recommended that you do so.
VPN Sites
Location   Employees                  Vendors
Memphis    wtce.fw.fedex.com          wtcy.fw.fedex.com
Memphis    ctce.fw.fedex.com          memy.fw.fedex.com
EMEA       nose.fw.fedex.com          nosy.fw.fedex.com
APAC       singapore.vpn.fedex.com    siny.fw.fedex.com
Collecting and Sending Log Files
To troubleshoot unforeseen issues with Check Point Mobile VPN, the user’s support person may ask them to send log files.
Logging must be enabled in Advanced Options before the user can collect logs. The user must then reproduce the problem
with logging enabled. The logs can then be sent to support.
Click “Collect Logs” under Advanced Options. After a few seconds a Computer Folder window opens. Go up one directory to “Check Point Endpoint Security”.
Go up one directory. Then right-click on the highlighted file and do Send to >> Documents. The file is now in the Documents folder, ready to be attached to an email. Its name has the format “trlogs_dd-mm-yyyy_hh.mm.ss”.
From file name
dd      Day, as in 21
mm      Month, as in 05
yyyy    Year, as in 2012
hh      24-hour format, as in 14
mm      Minute, as in 02
ss      Second, as in 31
Troubleshooting
Wrong username/password when trying to connect
Check the expiration date on your eGrid. It's in the bottom right-hand corner. If it's expired you need to get a
new one at the eGrid site using your challenge questions. If you’ve forgotten your challenge questions you can get
a temporary PIN from your regional/OpCo help desk.
Vendors: Make sure you are using the vendor package with the vendor sites and not attempting to
connect to the employee sites.
Verify your eGrid is not locked out by logging into the eGrid web site.
Make sure your caps lock is off.
Verify your enterprise password hasn't expired by logging into the eGrid web site.
Verify the date and time on your computer are correct.
Missing Systray Icon
By default all icons in the Systray do show. To un-hide the Systray icon in Windows 7 go to Control Panel >> Notification Area Icons.
Click the drop-down menu beside Check Point Endpoint Connect GUI and set it to Show icon and
notifications, or select Always show all icons and notifications on the taskbar.
For Windows XP, right-click on the task bar (bar at bottom of the screen). Select Properties, then uncheck Hide Inactive Icons.
Not Compliant
Check Point Mobile VPN will tell you how to become compliant. The above graphic informs the user that they need to
update their Anti-Virus software.
Compliance Policy is corrupt
This occurs because the client has not
connected and downloaded the Compliance
Policy.
Cannot Connect
Connection errors are the second most commonly reported error with Check Point Mobile. This section will provide step-by-step troubleshooting instructions.
Try pinging at least two major web sites.
Go to Start >> All Programs >> Command Prompt
Use the ping command
ping google.com
ping twitter.com
ping facebook.com
ping yahoo.com
If you get a "reply from (IP address here)", you have basic Internet connectivity. Packet loss across several
ping attempts indicates a connectivity problem at your location, such as interference with WiFi,
faulty home network equipment, or Internet Service Provider issues.
Try accessing at least two major web sites with a web browser
http://www.google.com
http://www.twitter.com
http://www.facebook.com
http://www.yahoo.com
Are you attempting to connect over a connection with some kind of web filtering or VPN blocking?
VPN will not work at a FedEx location unless you are using a mobile broadband connection such as a MiFi or AirCard.
Some hotels block VPN connections. Contact the IT support staff for the hotel and verify VPN (IPSec protocol) is not
blocked.
Some hotspots such as those at public libraries, coffee shops, universities, or airports block VPN connections. Contact
the IT support staff for that hotspot and verify VPN (IPSec protocol) is not blocked.
Some mobile broadband/cellular/3G/4G providers such as Verizon, AT&T, Sprint, or T-Mobile may require proprietary
drivers/applications to connect with a MiFi or AirCard (USB, ExpressCard, or PC Card). Contact your provider and verify
they don't block VPN (IPSec protocol) and that the proprietary drivers/applications are configured properly for VPN
(IPSec protocol).
Disable Proxy usage in Check Point VPN Client (see Check Point Mobile Technical Guide)
1. Open the Internet Options menu
2. From Internet Explorer: go to Tools >> Internet Options
3. From the Control Panel: go to Internet Options
4. Go to the Connections tab at the top of the menu
5. Go to LAN Settings near the bottom of the menu
6. Check Automatically Detect Settings
7. Uncheck everything else
Make sure the system is using an automatically assigned (DHCP) IP address and not a static IP address (frequently used at
FedEx locations).
Windows 7
Go to: Start >> Control Panel >> Network >> Sharing
Click Change View (top right corner of Control Panel)
Set to Small Icons.
Click Network >> Sharing
On the left side, click Change Adapter Settings
Right-click on the network adapter being used for Internet Access and select Properties
For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."
For WiFi, it will usually be named "Wireless Network Connection"
For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"
In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties
Set both radio buttons to Obtain IP address/DNS server address automatically
Click Ok, then click Close
Windows XP
Go to: Start >> Control Panel >> Network Connections
For Ethernet, it will usually be named "Local Area Connection 1, 2, 3, etc."
For WiFi, it will usually be named "Wireless Network Connection"
For 3G/4G AirCard, it may be named "Mobile Broadband" or "3G/4G adapter"
In the Networking tab, click Internet Protocol Version 4 (TCP/IPv4) and select Properties
Set both radio buttons to Obtain IP address/DNS server address automatically
Click Ok, then click Close
Technical Support
Check the expiration date on your eGrid before calling
Argentina: 4630-3456
Asian Pacific (APAC): http://iserv.apac.fedex.com/aboutus/contact.php
Canada: 1-888-783-33339
Chile: 361-6099
Colombia: 414-8854
Corporate Executives: 1-901-818-7326
Europe/Middle East/Africa (EMEA): 011-32-2-752-6666
FedEx Custom Critical: 1-234-310-4140 x 2302
FedEx Express Domestic / Pilots: 1-888-339-8324
FedEx Freight: 1-870-391-7708
FedEx Ground (including Sales): 1-800-435-7647
FedEx Office: 1-800-546-5674
FedEx Services: 1-888-339-8324
FedEx Services Sales: 1-877-852-4322
FedEx Supply Chain Services: 1-800-432-7657
FedEx Trade Networks: 1-716-879-1278
GSP Tech Support: 32-2-752-6666
Internal Audit: 1-888-339-8324
Latin America and the Caribbean (LAC): http://lac-miaweb01.prod.fedex.com:8888/NexusJump/ (Keyword: LAC Help)
Mexico: 55-5228-8025
Miami/PRC: 1-786-388-2855
Uruguay: 623-1878
Venezuela: 1-212-205-3128
Verizon Help Desk: 1-877-852-4322
Appendix
Client Icon
Software Downloads
Check Point Mobile and McAfee anti-virus are available at the following sites:
http://www.infosec.fedex.com/vpn Keyword: VPN
https://idguard.fedex.com/ Externally accessible from the Internet (i.e., from home or a hotel). Requires eGrid to login.