Download - CP GO R75 UserGuide

  • 14 November 2011

    User Guide

    Check Point GO

    R75

    Classification: [Public]

  • © 2011 Check Point Software Technologies Ltd.

    All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

    RESTRICTED RIGHTS LEGEND:

    Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

    TRADEMARKS:

    Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

    Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

  • Important Information

    Latest Software

    We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

    Revision History

    Date Description

    14 November 2011 First release of this document

    Feedback

    Check Point is engaged in a continuous effort to improve its documentation.

    Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Check Point GO R75 User Guide).

  • Contents

    Important Information 3
    Check Point GO Secure Portable Workspace 5
      Welcome to Check Point GO 5
      First Time Setup 5
        Selecting a Strong Password 6
      Updating the Check Point GO Policy 6
      Logging Into Check Point GO 7
        Folder Mode 7
        Resetting a Lost Password 8
        Device Expiration 8
      Advanced Operations 8
      Disk Cleanup 9
      Working with the Virtual Desktop 9
        The Check Point GO Desktop Icons 9
        Start Menu and Taskbar 10
        FTP Shared Folder 11
        Switching Between Check Point GO and the Host PC 11
        Switching Between the Host PC and Check Point GO 11
        Exporting Files to the Host 11
        Importing Files from the Host PC 12
      Closing Secure Portable Workspace 12
    Portable Apps 13
    Using the Remote VPN Client 14
      Overview 14
      Creating a Site Using the Site Wizard 14
      Connecting to the Site 15
      Hotspot Detection and Exclusion 15
      Staying Connected to the Site 15
      Selecting an Authentication Scheme 15
        Certificates 16
        User Name and Password 18
        SecurID 18
        Challenge Response 18
      Changing Authentication Schemes 19
    Troubleshooting 20
      Logging Into Windows 20
      Collecting Logs 20

  • Page 5

    Chapter 1

    Check Point GO Secure Portable Workspace

    This section explains how to work with the Check Point GO Secure Workspace.

    In This Chapter

    Welcome to Check Point GO 5

    First Time Setup 5

    Updating the Check Point GO Policy 6

    Logging Into Check Point GO 7

    Advanced Operations 8

    Disk Cleanup 9

    Working with the Virtual Desktop 9

    Closing Secure Portable Workspace 12

    Welcome to Check Point GO

    Check Point GO is a portable secure virtual workspace featuring security software from Check Point integrated with an encrypted USB flash drive.

    Check Point GO creates a temporary secure virtual workspace on any PC, providing you with secure access to resources from anywhere without fear of data loss.

    Using Check Point GO, you can store working files on the encrypted USB drive and transfer files to and from the host PC, if this is allowed by the security policy. When your Check Point GO session ends, no trace of the session is left on the host PC.

    First Time Setup

    This section has tips for selecting a strong password and instructions for setting up Check Point GO for the first time.

    To set up Check Point GO for the first time:

    1. Insert the Check Point GO USB disk into an available USB port on the host PC.

    The first-time setup wizard should guide you through the initial configuration. If the setup does not appear automatically:

    a) On the desktop of the Host PC, double-click My Computer.

    b) Right-click the new Check Point GO drive and select Open.

    Names of the Check Point GO drive may vary according to the Windows version.

    c) Double-click the Check Point GO icon.

    Check Point GO begins to load.

    2. The first time configuration wizard opens. Optionally, select a language. This sets the language for the Check Point GO interface and Online Help. Make sure that your host computer supports the selected language. You can also change the language at a different time from the Advanced settings of the login window.

    3. Click Next.

    The License Agreement displays.

    4. Select I accept the terms of the agreement, and click Next.

    5. Enter a password for the device.

    Be sure to create a strong password (using the password strength indicator), and to remember the password for subsequent device logins.

    You can create a password for your Check Point GO device using either of the following methods:

    Enter a password in the Create Password field, and confirm it in the Confirm Password field, then click Next.

    Click the Virtual Keyboard button located to the right of the Create Password and Confirm Password fields to open the virtual keyboard. Use your mouse to enter your password, and click Return.

    Note - The virtual keyboard enhances the security of the login process. It makes sure that keystroke loggers cannot record your password.

    6. Click Next. Wait for Check Point GO to load and the Check Point GO virtual desktop to display.

    The Getting to Know Check Point GO pop-up window explains operations available on the Check Point GO control bar.

    Applications permitted to run within secure workspace have icons displayed either on the virtual desktop or the Start menu.

    This setup process occurs once. The second time you insert the Check Point GO device, you need only to log in and the virtual desktop opens.

    Selecting a Strong Password

    When you set up Check Point GO for the first time, you will be asked to select a password. We recommend that you select a strong password for the device.

    Strong passwords:

    Are lengthy

    A 15-character password composed of random letters and numbers is much more secure than an 8-character password composed of characters taken from the entire keyboard. Each character that you add to the password increases the protection that the password provides.

    Combine letters, numbers, and symbols

    A mixture of upper and lower case letters, numbers, and symbols (including punctuation marks not on the upper row of the keyboard).

    Avoid sequences or repeated characters

    For example 12345, or aaaaa.

    Avoid look-alike substitutions of numbers or characters

    For example replacing the letter "i" with the number "1", or zero with the letter "o".

    Avoid your login name

    Avoid dictionary words in any language
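As an added illustration of the rules above (example code written for this page, not the strength indicator built into Check Point GO), the checker below flags each rule the guide lists, undoes look-alike substitutions before the dictionary and login-name checks, and estimates the entropy behind the 15-character versus 8-character comparison. The dictionary and look-alike table are small constructed stand-ins.

```python
import math
import string

# Small constructed stand-in for the multi-language dictionary a real checker
# would load (assumption for this example only).
DICTIONARY = {"password", "welcome", "summer", "secret", "letmein", "qwerty", "checkpoint"}

# Look-alike substitutions the guide warns against, mapped back to the character
# they imitate, so that "P@ssw0rd" is still recognised as "password".
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})

# Symbols reachable from the keyboard's upper (number) row on a US layout.
UPPER_ROW_SYMBOLS = set("!@#$%^&*()_+-=")

RECOMMENDED_LENGTH = 15   # the guide's "lengthy" example
RUN_LENGTH = 4            # how many stepping/identical characters count as a sequence


def has_sequence(pw, run=RUN_LENGTH):
    """True if pw holds `run` characters that are identical (aaaa) or step by one
    in either direction (1234, dcba), the sequences the guide says to avoid."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def normalize(pw):
    """Lower-case and undo look-alike substitutions (1->i, 0->o, ...)."""
    return pw.lower().translate(LOOKALIKES)


def contains_word(pw, words=DICTIONARY, min_len=4):
    """True if a dictionary word appears in pw, before or after undoing look-alikes."""
    plain, undone = pw.lower(), normalize(pw)
    return any(len(w) >= min_len and (w in plain or w in undone) for w in words)


def entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the character pool in use).
    Shows why 15 random letters+digits beat 8 characters from the whole keyboard."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, login_name=""):
    """Return the list of guide rules the password violates (empty means it passes).
    Rule codes: length, classes, upper_row_only, sequence, login_name, dictionary."""
    problems = []
    if len(pw) < RECOMMENDED_LENGTH:
        problems.append("length")
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    symbols = [c for c in pw if c in string.punctuation]
    if not (has_upper and has_lower and has_digit and symbols):
        problems.append("classes")
    elif all(c in UPPER_ROW_SYMBOLS for c in symbols):
        # the guide asks for punctuation that is not on the upper row of the keyboard
        problems.append("upper_row_only")
    if has_sequence(pw):
        problems.append("sequence")
    name = login_name.lower()
    if name and (name in pw.lower() or name in normalize(pw)):
        problems.append("login_name")
    if contains_word(pw):
        problems.append("dictionary")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords: one that breaks several rules, one that passes.
    for candidate in ("P@ssw0rd!2011", "Vx7;kQ2.mR9+tL4"):
        print(candidate, check_password(candidate, "jsmith"), round(entropy_bits(candidate), 1))
```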

    Updating the Check Point GO Policy

    It is recommended to immediately update the Check Point GO policy. Click the Connect to Site icon on the Check Point GO desktop. Clicking the icon opens a wizard to configure a built-in remote access VPN client (see "Using the Remote VPN Client" on page 14).

    After the VPN client has been configured, a pop-up alert opens with this message: Check Point GO environment update is available. Click to restart Check Point GO.

    To get the update, do one of these:

    Click the alert message when it is open to get the update and then Restart Check Point GO.

    Click the Restart icon at any time and Check Point GO will get the update and restart.

    Logging Into Check Point GO

    Important - After seven failed login attempts, the Check Point GO device is locked. Remote password reset is required to unlock the device. If you continue to attempt to access the device, Check Point GO detects this as a brute force attack and reformats the device after three such attempts. The reformatting process erases all stored data. If you have forgotten your password, follow the instructions for Resetting a Lost Password.

    To log in to Check Point GO:

    1. Insert the Check Point GO USB disk into the host PC.

    Secure Workspace initializes when the USB disk is inserted, and the login screen displays.

    2. Log in to Check Point GO using either of the following methods:

    Enter the device password created in First Time Setup in the Device Password field and click Login.

    Click the Virtual Keyboard button located to the right of the Device Password field to open the virtual keyboard. Use your mouse to enter your password, and click Return.

    Note - Using the virtual keyboard enhances the security of the login process by ensuring that keystroke loggers cannot record your password.

    If you have forgotten your password, you can reset it ("Resetting a Lost Password" on page 8).

    Note - Password reset is available only after the first time you log into a VPN gateway.

    Folder Mode

    Folder mode gives access to the encrypted Check Point GO folders on the device without opening the Secure Workspace desktop environment. In Windows Explorer, browse to the encrypted storage and add or remove files directly.

    To access files and folders directly on the device:

    1. Insert the device.

    2. On the Login window, select Folder mode only.

    3. Enter the device password.

    Windows Explorer opens showing the Check Point GO User folder. The Check Point GO User folder contains sub-folders for:

    AppData

    Desktop

    Documents

    Links

    Music

    Pictures

    Public

    Videos

    4. Edit, add or remove files as necessary.

    Note - The File > Open, File > Save (or Save As) options within any Windows application (such as Word) cannot be used to navigate to and change a file inside Check Point GO.

    Use Windows Explorer to copy or move the file outside of the Check Point GO folder before opening, changing, and saving.

    Resetting a Lost Password

    Important - After seven failed login attempts, the Check Point GO device is locked. Remote password reset unlocks the device. If you continue to attempt to access the device, Check Point GO detects this as a brute force attack and reformats the device after three such attempts. The reformatting process erases all stored data. If you forget your password, follow the instructions in this section.

    To Reset a Lost Password:

    1. In the Check Point GO Login window click Forgot your password?

    The Password Reset wizard opens.

    Select one of the Password Reset modes:

    Basic - This is the default. If you are not instructed otherwise by your administrator, select this option.

    Advanced - Select this option only if you are instructed to do so by your administrator.

    2. Enter your new password.

    3. Wait for the Help ID to display.

    4. Using the number listed, call the help desk and present the Help ID.

    5. Enter the Unlock Code supplied by the Help Desk and wait until the Remote password reset finished complete message appears.

    Note - If you enter the Unlock Code incorrectly, the reset process fails. If you remove the Check Point GO from the computer between reset attempts, or disconnect from the VPN site, a maximum of five reset attempts remain.

    6. Log in to the Check Point GO device using your new password.

    Device Expiration

    When logging in to the Check Point GO device, you might see a Device Locked message. The Check Point GO device locks after:

    A specified date - You tried to complete the first-time wizard after a pre-defined date.

    A specified time period has passed - The device expired after a predefined duration.

    A pre-defined number of failed VPN authentication attempts.

    Seven incorrect password attempts.

    If your device expires you can:

    Format the device. Use the Advanced button > Format Device tab > Back to Factory Default option.

    Use the Remote Password Reset link shown in the Check Point GO login window.

    For Remote Password Reset to be available:

    You must have connected at least once to the designated VPN site.

    Your system administrator must have Remote Password Reset configured for you.

    Advanced Operations

    Clicking the Advanced button on the device login window gives access to these tabs:

    Change Password - Change the password. Use this option if you know your old password. You can enter your password change using your physical keyboard, or you can click the Virtual Keyboard icon next to each field and use your mouse to enter your password change information.

    Format Device - From this tab you can restore Check Point GO to its default setting and erase all data on the device. Two options:

    Delete user data and Portable Apps (maintains security policy and VPN settings) - This format option is available to all users; the user password is required (User format).

    Revert to factory defaults - This format option requires a password set by your system administrator (Admin format).

    Reset Password - Use this option to reset a lost or forgotten password. Get to the same option by clicking Forgot Your Password from the login window.

    Device Operations - From this tab you can:

    Enable logging and Collect Logs for your system administrator - If you select Collect Logs, the Log Collector opens. Enter the Device Password, which is the same password you use to log in to Check Point GO.

    Install or Uninstall the Automatic Launcher - The automatic launcher installs on your host computer and automatically launches Check Point GO when it is inserted into that host.

    Automatically upgrade the automatic launcher - Upgrades to the automatic launcher will automatically be installed on the host computer.

    Device Information - Displays software and firmware versions as well as the device serial number, specific to your Check Point GO device.

    General - From this tab you can:

    Restore compatibility warnings - If at any point you selected that Check Point GO should not display compatibility warnings, this setting displays them again.

    Set the Language - Sets the language for the Check Point GO interface and Online Help. Make sure that your host computer supports the selected language. You can also select a language from the First Time Wizard.

    View the Check Point GO Video Tutorial from YouTube.

    Disk Cleanup

    Right-clicking the Check Point GO icon in the system tray of the host PC opens a menu showing the disk cleanup feature.

    Disk Cleanup removes Check Point GO working files, such as temporary logs.

    Working with the Virtual Desktop

    On the Check Point GO virtual desktop, only a limited number of pre-approved applications are allowed to run. By default, the virtual desktop does not allow you to:

    Print

    Customize the desktop

    Perform any system configuration

    If you need this kind of functionality, or another program added to the list of approved applications, contact your system administrator.

    The Check Point GO Desktop Icons

    This list explains the icons on the Check Point GO Desktop Toolbar and system tray and the function of each icon.

    Check Point GO icon - Click to switch between Check Point GO and the host desktop. Right-click for a variety of options.

    Check Point GO folder icon - To keep files on the device, place them in this folder.

    Portable apps icon - Click to manage portable apps.

    VPN icon - Right-click to connect to the VPN or see the VPN settings. If the icon has a red X, the VPN is not connected. When the globe is colored, the VPN is connected.

    Close Check Point GO icon - Close Check Point GO. A confirmation window opens before Check Point GO closes.

    Minimize icon - Minimize the Check Point GO desktop to see the host PC.

    Restart icon - Restart Check Point GO. When an update is ready to be installed, restarting also installs the update.

    Trusted or Untrusted Host icon - Put the mouse on this to check whether your host PC is trusted. A trusted host is a PC that is or once was located inside the company's internal network. Even if the PC is no longer within the corporate network, it is still regarded as trusted. An untrusted PC is one that was never within the internal network.

    USB Disk Capacity Indicator - Put the mouse close to this indicator on the Check Point GO control strip to check how much space is available on the Check Point GO disk.

    Export icon - Export files to the host computer.

    Import icon - Import files from the host computer to Check Point GO.

    Hide Toolbar icon - Hides the toolbar. Put the mouse over the toolbar area to see it again.

    Start Menu and Taskbar

    The virtual desktop start menu and taskbar function in the same manner as the start menu and taskbar on the host PC: providing shortcuts to allowed applications. Approved applications appear on the Start > Secured Programs menu.

    Applications in Check Point GO, such as Internet Explorer and Word, function in the same manner as on the host desktop.

    FTP Shared Folder

    If you see this shared folder shortcut on the desktop, then your system administrator has configured an FTP link to a shared folder inside the corporate network. Clicking the shortcut opens Windows Explorer, which shows the contents of the shared folder.

    Switching Between Check Point GO and the Host PC

    To switch between Check Point GO and the host PC, either:

    Click the Check Point GO icon in the taskbar notification area.

    Click the Minimize button on the Check Point GO toolbar.

    Use the keyboard shortcut: Windows Key + S.

    Note - Due to the persistence of other applications on the Host PC, the Windows key + S shortcut may not always be available.

    Switching Between the Host PC and Check Point GO

    To switch between the host PC and Check Point GO, either:

    Right-click the Check Point GO icon in the system tray of the host PC and select Switch to Check Point GO Desktop.

    Use the keyboard shortcut: Windows Key + S.

    Note - The Windows key + S shortcut may not work in all instances due to the persistence of other applications on the host PC.

    Exporting Files to the Host

    Even though it may appear that files can be saved directly to the host PC, this is not the case. Files cannot be saved directly to the host PC.

    Important - Files can be saved to the host PC only by exporting them using the Check Point GO Export button.

    Understanding the Check Point GO Virtualized File System

    When loaded, Check Point GO creates a virtualized copy of the host PC's file system. This has a number of implications. If you open Windows Explorer within Check Point GO and enter the letter of a drive on the host PC, the drive is displayed. You are not, however, seeing the drive's actual file system. You are seeing the Check Point GO virtualized copy of it. To actually transfer files to and from the host PC, you must use the Check Point GO import and export features.

    If you edit a file in Windows Explorer and save it directly to the host, the file is saved as a virtualized copy on Check Point GO and not to the file system on the host. For example, if you go to the C drive of your host computer while in Check Point GO, edit the contents of a text document and save it, the changes are not saved on the host. You must save the file to Check Point GO and then export it to the host PC by clicking the Export icon on the Check Point GO control bar.

    Clicking the Export Button

    1. Click the Export button on the Check Point GO control bar.

    The Copy Files to PC window opens.

    2. Select the file to be exported, and click Copy to PC.

    3. Switch to the host PC.

    The exported file is in the Downloaded from Check Point GO folder on the desktop.

    Importing Files from the Host PC

    Files are imported from the host PC using the Import button available on the Check Point GO Control bar.

    You have read-only (access) privileges to all folders and files on the host PC, including those files and folders available through mapped drives. However, if you attempt to run a program or open a file for which you do not have permission, an error message appears.

    To import a file to Check Point GO:

    1. Inside Check Point GO, click the Import icon on the Control bar.

    The Copy Files to Check Point GO window opens.

    2. Browse to the file on the host PC that you wish to import.

    3. Select the required file and click Copy to Check Point GO.

    The file is imported and placed in the Downloaded from PC folder on the Check Point GO virtual desktop.

    Closing Secure Portable Workspace

    Check Point GO can be closed in a number of ways:

    From the Start Menu inside Check Point GO - From the Check Point GO Start menu, select Close Check Point GO. A confirmation and reminder to save open files appears.

    From the Check Point GO Control bar - Click the X button on the Check Point GO Control bar.

    From the System Tray on the host PC - Right-click the Check Point GO icon in the system tray and select Close Check Point GO.

    Note - USB flash drives use a FAT file system that does not respond well to sudden power downs, as occurs when the device is ejected in the middle of an input-output operation. To prevent data loss, corruption of the FAT file system, or frozen processes on the host PC, always shut Check Point GO down correctly. Wait until you are told that it is safe to remove the device. If FAT corruption leads to total data loss, reformat the device to factory defaults.

    Chapter 2

    Portable Apps

    Portable apps are virtualized versions of Windows programs that run in the Check Point GO Secure Workspace desktop environment. Portable apps are stored in the cloud. The Secure Workspace policy set by your system administrator determines which apps are:

    Required - Required apps are already installed on the device and cannot be uninstalled.

    Optional - You can install and uninstall these apps as necessary.

    Important - Similar to many mobile devices, Portable Apps are the only way to install new applications to Check Point GO. Do not install any application, utility, or upgrade that is not delivered as a portable app. Such software cannot be installed on Check Point GO.

    This is a virtual installation. The Secure Workspace changes its virtual file system structure and virtual registry structure, to appear to have the new application. But the installation is done in a different way.

    Your administrator can give you shortcuts to use applications from the host computer through the Secure Workspace. These are not portable apps. The portable app is on the Check Point GO stick, completely isolated from the host. If you have a choice of a host-application or a portable app, it is usually best to choose the portable app. It is more secure.

    If you save a file from a portable app, you cannot save it on the host computer. If you are able to Save As to a hard drive, it is not actually on the host computer. The path is a virtual path on Check Point GO. For example: in the Secure Workspace, you save a Microsoft Word document to C:\Users\Default\Documents. On the host computer, the document will not be in that path. It is not on the host computer at all. On Check Point GO, the file is saved with a virtual path: "C:\Users\Default\Documents\Mynewdoc.doc".

    The virtual path is not kept between sessions. Paths that do not start with a drive letter of Check Point GO are deleted when Check Point GO exits. Check Point GO can have a different drive letter on different computers, but it is best to save all files in the Check Point GO Documents or Desktop folders. These are guaranteed to be on the Secure Workspace.

    To install a portable app:

    1. On the Check Point GO desktop, double-click the Manage Portable Apps icon.

    The Check Point GO Portable Apps window opens.

    This window shows which portable apps are available from the cloud for download, and divides the apps into suitable categories.

    2. Click Install on the required portable app to download and install it.

    During the time it takes to download and install the portable app, the operation can be canceled.

    An app already installed can be uninstalled by clicking Uninstall.

    After installation, an icon for the portable app shows on the desktop. Icons with a downward pointing arrow indicate portable applications downloaded from the cloud.

    This is an example of a Portable App icon on the Secure Workspace.

    Chapter 3

    Using the Remote VPN Client

    In This Chapter

    Overview 14

    Creating a Site Using the Site Wizard 14

    Connecting to the Site 15

    Hotspot Detection and Exclusion 15

    Staying Connected to the Site 15

    Selecting an Authentication Scheme 15

    Changing Authentication Schemes 19

    Overview

    Check Point GO contains a remote VPN client for securely accessing resources on the corporate enterprise.

    This same secure VPN connectivity is also used to:

    Update the device's software

    Download a security policy

    Creating a Site Using the Site Wizard

    If Check Point GO is located within the internal network the first time you try to connect to a site, the device may automatically detect any site previously configured by your system administrator.

    Note - Automatic detection is available only if your system administrator configured this behavior.

    If Check Point GO is not located within the internal network, the site wizard opens. The site wizard lets you manually configure the site.

    To create a VPN site using the Wizard:

    1. Click Next and enter a server address or name, and an easy-to-remember display name (optional).

    If you do not know this information, contact your system administrator.

    2. Click Next, and compare the fingerprint from your system administrator with the one displayed on screen.

    If the fingerprints match, click OK.

    The Authentication Method window opens.

    Note - This window does not appear if your administrator preset an authentication method, such as user password.

    3. Select a method of authentication ("Selecting an Authentication Scheme" on page 15).

    This is provided by your system administrator.

    4. Enter your authentication credentials. For example, if you authenticate using a certificate, browse to the certificate supplied by your system administrator.

    5. Click Next to finish creating the site.

    A message shows that the site is created.

    6. Click Finish.

    Multiple Sites

    For security reasons, multiple sites are not supported. This is to prevent sensitive information on one site being accidentally transferred to another.

    To connect to a different site, you must reformat the device ("Advanced Operations" on page 8) and run the Site wizard again. Remember that reformatting the device erases all stored data.

    Connecting to the Site

    To connect to the site:

    1. Right-click the VPN Client icon in the Check Point GO system tray to display the client's menu.

    If you manually configured a site, you must select an authentication scheme.

    2. Click Connect.

    Check Point GO has a built-in Single Sign-On feature. When you authenticate using a user name and password or a certificate, you must enter your login credentials only during your first login. The client stores and automatically reuses these credentials the next time a connection is opened to the corporate site.

    If you authenticate using any other method, for example, SecurID, enter your credentials for every session when prompted. Wait while Check Point GO connects and downloads the Check Point GO policy configured by your system administrator.

    While the VPN client is connected to the site, the icon in the system tray remains green.

    Hotspot Detection and Exclusion

    Note - The Hotspot Detection feature is available only if your administrator has activated it.

    Many public wireless networks ("wireless hotspots") have a Web portal for greeting guests and obtaining some form of authentication or payment. Such portals block the VPN component of the device from automatically connecting to the designated site. Hotspots of this kind are automatically detected by the device. When connecting for the first time through the Hotspot server:

    1. The connection naturally fails because no registration details have been presented.

    2. The client automatically opens its internal browser window showing the hotspot registration form.

    3. Enter the relevant authentication and payment credentials.

    The client automatically detects when the form is submitted and immediately connects to the site.
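The detection the guide describes works by fetching a URL whose answer is known in advance and treating any other answer as a portal standing in the way. The following is an added example of that logic, not Check Point's implementation: PROBE_URL and PROBE_BODY are assumptions, and the sample responses are constructed rather than captured from a real hotspot.

```python
"""Classify a connectivity probe as online, captive portal or offline (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

PROBE_URL = "http://connectivity.example.net/probe"  # assumption
PROBE_BODY = b"probe-ok"                              # assumption: the expected answer

REDIRECTS = {301, 302, 303, 307, 308}
META_REFRESH = re.compile(rb'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)


@dataclass
class ProbeResult:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def classify(result: Optional[ProbeResult]) -> Tuple[str, Optional[str]]:
    """Return (state, portal_url); state is 'online', 'captive' or 'offline'."""
    if result is None:                       # DNS or TCP failure: no network at all
        return "offline", None
    headers = {k.lower(): v for k, v in result.headers.items()}
    if result.status in REDIRECTS and "location" in headers:
        target = urljoin(PROBE_URL, headers["location"])
        if urlsplit(target).hostname != urlsplit(PROBE_URL).hostname:
            return "captive", target         # bounced to somebody else's host
    if result.status == 511:                 # RFC 6585 Network Authentication Required
        return "captive", headers.get("location", PROBE_URL)
    if result.status == 200:
        if result.body.strip() == PROBE_BODY:
            return "online", None
        m = META_REFRESH.search(result.body)  # a login page served in place of our body
        return "captive", (m.group(1).decode() if m else PROBE_URL)
    return "captive", PROBE_URL              # anything else: show the user the page


# Constructed sample responses, not captured traffic.
SAMPLES = {
    "clean": ProbeResult(200, {"Content-Type": "text/plain"}, b"probe-ok\n"),
    "redirect": ProbeResult(302, {"Location": "https://login.hotspot.example/?next=x"}),
    "spoofed_200": ProbeResult(200, {}, b'<html><meta http-equiv="refresh" '
                                        b'content="0; url=http://10.0.0.1/login"></html>'),
    "rfc6585": ProbeResult(511, {"Location": "http://10.0.0.1/auth"}),
    "down": None,
}

if __name__ == "__main__":
    for name, probe in SAMPLES.items():
        print(f"{name:12} -> {classify(probe)}")
```

Note the 200-with-wrong-body case: many portals answer every request with their login page and a success status, so checking the status code alone is not enough; the body must be the exact expected one.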

    Staying Connected to the Site

    To ensure that you remain connected to the active site:

    1. Right-click the client icon in the system tray and select Properties.

    The Site Properties window opens.

    2. On the Settings tab, in the Always-Connect area, select Enable Always-Connect.

    Selecting an Authentication Scheme

    This section covers the ways to authenticate to the designated site. If you configure your site manually, you must select one of the following authentication methods:

    User Name and Password

    Certificates


    SecurID

    Challenge Response

    Smart Card

    Certificates

    Your system administrator might request that you use a certificate file for authentication.

    Understanding Certificates

    A certificate is the digital equivalent of an ID card issued by a trusted third party known as a Certification Authority (CA). While there are well known external CAs such as VeriSign and Entrust, Check Point GO typically uses the digital certificates issued by the site's security gateway, which has its own Internal Certificate Authority (ICA). The digital certificate used by Check Point GO contains:

    Your name

    A serial number

    A validity period (the dates before and after which the certificate is not valid)

    A copy of the certificate holder's public key (used to verify your digital signatures and to encrypt messages to you)

    The digital signature of the certificate-issuing authority, in this instance the ICA, so that the security gateway can verify that the certificate is genuine and (if genuine) still valid.

    The certificate and its private key are delivered together in a PKCS#12 file (.p12 extension) protected by a password. Because the file contains the private key, treat it as a secret: anyone who has the file and its password can authenticate as you.
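The following added example (not Check Point code) shows what is inside such a .p12 and what a client should check before trusting it. It uses the third-party cryptography package, which is an assumption about the environment. The first function stands in for the gateway's Internal CA and issues a throwaway user certificate; the second does what the client does with the bundle it receives: open it with the password, confirm the private key belongs to the certificate, verify the issuer's signature, and read the name, serial number and validity period. RENEW_WINDOW and the names example-ica, alice and bob are assumptions for illustration, not values from the product.

```python
"""Build and inspect a PKCS#12 (.p12) bundle (added example, not Check Point code)."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

RENEW_WINDOW = dt.timedelta(days=30)  # assumption: renew when this close to expiry


def _utc(cert: x509.Certificate, attr: str) -> dt.datetime:
    """Validity date as an aware UTC datetime, across cryptography versions."""
    aware = getattr(cert, attr + "_utc", None)
    return aware if aware is not None else getattr(cert, attr).replace(tzinfo=dt.timezone.utc)


def make_bundle(user: str, password: bytes, days_valid: int = 365) -> bytes:
    """Stand-in for the ICA: issue a certificate for `user` and pack it as a .p12."""
    now = dt.datetime.now(dt.timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-ica")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, user)]))
        .issuer_name(ca_name)
        .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=days_valid))
        .sign(ca_key, hashes.SHA256())
    )
    # Private key, certificate and issuing CA, all encrypted under the user's password.
    return pkcs12.serialize_key_and_certificates(
        name=user.encode(), key=user_key, cert=user_cert, cas=[ca_cert],
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def inspect_bundle(p12: bytes, password: bytes) -> dict:
    """Open the .p12 and run the checks a client should make before using it."""
    # Raises ValueError when the password is wrong or the file is damaged.
    key, cert, extra = pkcs12.load_key_and_certificates(p12, password)
    issuer = extra[0]
    # The private key shipped in the file must belong to the certificate.
    key_matches = key.public_key().public_numbers() == cert.public_key().public_numbers()
    # The issuer's public key must verify the signature over the to-be-signed part.
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        signature_ok = True
    except InvalidSignature:
        signature_ok = False
    now = dt.datetime.now(dt.timezone.utc)
    not_before, not_after = _utc(cert, "not_valid_before"), _utc(cert, "not_valid_after")
    return {
        "name": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "issuer": issuer.subject.rfc4514_string(),
        "serial": cert.serial_number,
        "not_before": not_before,
        "not_after": not_after,
        "key_matches": key_matches,
        "signature_ok": signature_ok,
        "expired": now < not_before or now > not_after,
        "needs_renewal": not_after - now <= RENEW_WINDOW,
    }


if __name__ == "__main__":
    bundle = make_bundle("alice", b"s3cret", days_valid=10)
    for k, v in inspect_bundle(bundle, b"s3cret").items():
        print(f"{k:14} {v}")
```

The needs_renewal flag is the same kind of check the client makes on every connection when it decides whether to renew the certificate; the threshold here is only an assumed value.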

    Authenticating with an Existing Certificate

    When Certificates are the selected authentication method, by default Check Point GO attempts to import the .p12 file.

    When you get the message:

    Please import your p12 certificate in order to communicate with your Check Point GO server.

    1. Click Import to browse to your certificate.

    2. Enter the certificate's password in the Password field.

    3. Click Connect.

    Obtaining a Certificate

    You can get certificates from your system administrator, or through the enrollment and renewal process. You can also enroll for a certificate by clicking the link "Click here if you don't have a certificate for this site" that appears on the Connect dialog box.

    Enrolling a Certificate

    Enrollment refers to the process of applying for and receiving a certificate from a recognized Certificate Authority (CA), in this case Check Point's Internal CA. In the enrollment process, your system administrator creates a certificate and sends you the certificate's registration key. The client sends this key to the site's gateway and in return receives a certificate, which is saved directly on the Check Point GO device. Treat the registration key as a one-time secret: anyone who has it can enroll the certificate in your name.

    To enroll a certificate:

    1. Right-click the VPN client icon in the Check Point GO system tray.

    2. Select Site Properties.

    3. On the Settings tab click Enroll.

    The registration window opens.

    4. Enter:

    a) A password for your new certificate.

    b) The registration key supplied by your system administrator


    5. Click Connect, and wait while the certificate is enrolled.

    The certificate is stored directly on the Check Point GO device.

    Re-Importing a Certificate

    If you need to re-import a certificate:

    1. Right-click the VPN client icon in the Check Point GO system tray.

    2. Select Site Properties.

    3. On the Settings tab click Reset.

    This action removes previously stored authentication data.

    4. Right-click the VPN client icon in the Check Point GO system tray and, from the menu, select Connect.

    The certificate import window opens.

    5. Click Import.

    The Open Certificate File window opens.

    6. Select a certificate, and click Open.

    7. When you have returned to the import window, enter the certificate's password and click Connect.

    Renewing a Certificate

    When using certificates for authentication, each time you connect to the site, the client checks to see how close the certificate is to its expiration date. If necessary, and simultaneously with the connect process, the certificate is renewed. A message balloon appears in the system tray: Certificate renewal in progress.

    To manually renew a certificate:

    1. Right-click the VPN client icon in the Check Point GO system tray.

    2. Select Site Properties.

    3. On the Settings tab click Renew.

    The certificate is automatically renewed and saved to the Check Point GO device.

    Smart Card

    Before using a Smart Card to authenticate to the VPN site, make sure that the Smart Card reader:

    Is attached to the Host PC.

    Can identify your certificate. After inserting the card, the reader's graphical interface should show your certificate.

    To Authenticate using a Smart Card:

    1. Insert Check Point GO.

    2. Open the Check Point GO VPN client.

    3. If Smart Card is already defined as the authentication method, select the certificate from the drop-down box and click Connect.

    The client connects to the site.

    Important Notes:

    Each time you remove/insert the Smart Card, the Smart Card client prompts for the Smart Card password before the VPN connects.

    While the Smart Card remains inside the reader, you can connect and disconnect from the site without giving the Smart Card password.

    If the Smart Card reader or Smart Card is removed from the USB port on the host PC, during the next reauthentication the client detects that the certificate is no longer available and disconnects from the site.

    When Smart Card is the chosen authentication method, the Check Point GO VPN client does not show options for certificate enrollment or renewal.


    User Name and Password

    User name and password is the simplest form of authentication. Enter the user name and password supplied by your system administrator.

    User name and Password Reset

    The option exists to remove the last user name and password entered, effectively erasing data in the Single Sign-On (SSO) cache. The Single Sign On cache is where the Check Point GO device stores VPN authentication credentials so that you only have to enter them once, the first time you establish a connection with the corporate site. If you wish to remove them, on the Site Properties > Settings tab, click Reset.

    SecurID

    The RSA SecurID authentication mechanism consists of either hardware (a key fob or slim card token) or software (SoftID) that generates an authentication code at fixed intervals (usually one minute) using a built-in clock and a secret seed stored on the token.

    The Check Point GO site wizard supports both hardware formats as well as SoftID.

    Depending on the token type, Check Point GO sends either the PIN together with the tokencode, or just the passcode, to the security gateway.

    SecurID Authentication Devices

    Several versions of SecurID devices are available. The older format is a small device that displays a numeric code (tokencode) and time bars. The tokencode changes every sixty seconds and provides the basis for authentication. To authenticate, the user types a personal identification number (PIN) immediately followed by the tokencode. The time bars show how much time is left before the next tokencode is generated. The remote user enters both the PIN and the tokencode into the client's main connection window.

    The newer format resembles a credit card and displays the tokencode, time bars and a numeric pad for typing in the PIN. Devices of this type combine the tokencode with the entered PIN to create a passcode. The VPN client requests only the passcode.
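To make the PIN-plus-tokencode flow concrete, here is an added example (not RSA's or Check Point's code). RSA's tokencode algorithm is proprietary, so this uses HMAC-SHA1 over a 60-second counter in the style of RFC 6238 as a stand-in that behaves the same way from the user's side: a seed shared with the server, a code that changes every minute, and a PIN typed in front of it. The server side accepts one step of clock skew either way and refuses a code that has already been used. The seed, PIN, user names and timestamps are constructed for the example.

```python
"""Time-based tokencode with a PIN prefix, server and token side (added example)."""
import hashlib
import hmac
import struct
import time

STEP = 60    # seconds per tokencode, as on the hardware token
DIGITS = 6   # length of the displayed tokencode
SKEW = 1     # accept one step either side of server time


def tokencode(seed: bytes, at: float) -> str:
    """The code the token displays at time `at` (seconds since the epoch)."""
    counter = int(at) // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Gateway side: holds each user's seed and PIN, rejects reused codes."""

    def __init__(self) -> None:
        self.users = {}          # user -> (seed, pin)
        self.last_counter = {}   # user -> counter of the last accepted code

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def verify(self, user: str, entry: str, now: float = None) -> bool:
        """`entry` is what the user typed: the PIN immediately followed by the tokencode."""
        now = time.time() if now is None else now
        if user not in self.users or not entry.isascii():
            return False
        seed, pin = self.users[user]
        pin_ok = (len(entry) == len(pin) + DIGITS
                  and hmac.compare_digest(entry[:len(pin)], pin))
        code = entry[len(pin):]
        counter = int(now) // STEP
        matched = None
        for c in range(counter - SKEW, counter + SKEW + 1):     # tolerate clock drift
            if hmac.compare_digest(tokencode(seed, c * STEP), code):
                matched = c
        # Decide only after both checks so a wrong PIN costs the same time as a wrong code.
        if not pin_ok or matched is None or matched <= self.last_counter.get(user, -1):
            return False                                         # bad PIN, bad code, or replay
        self.last_counter[user] = matched
        return True


if __name__ == "__main__":
    seed, pin = b"constructed-seed", "1234"
    v = TokenVerifier()
    v.enroll("alice", seed, pin)
    now = time.time()
    print("token shows:", tokencode(seed, now))
    print("accepted:", v.verify("alice", pin + tokencode(seed, now), now=now))
```

PinPad tokens are not modelled here: they fold the PIN into the passcode on the device, so the gateway would verify only the passcode and never see the PIN separately.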

    Key Fobs

    A small hardware device with built-in authentication mechanisms that control access to network services and information is known as a key fob. While a password can be stolen without the owner's knowledge, a missing key fob is immediately apparent. Key fobs provide the same two-factor authentication as other SecurID devices: the user has a personal identification number (PIN), which authenticates them as the device's owner; after the user correctly enters their PIN, the device displays a number which allows them to log on to the network. The SecurID SID700 Key Fob is a typical example of such a device.

    When the Check Point GO window opens for a user that has identified SecurID as the preferred method of authentication, a field for the PIN is displayed.

    SoftID

    SoftID operates similarly to a passcode device but consists only of software installed on the host computer.

    The Advanced view displays the tokencode and passcode with Copy buttons, allowing the user to copy and paste between SoftID and the client.

    Challenge Response

    Challenge-response is an authentication protocol in which one party presents a question (the challenge) and the other party must provide a valid answer (the response). Because each challenge is fresh, a recorded answer cannot be replayed later. Security systems that rely on smart cards are based on challenge-response.
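The guide does not say which challenge-response protocol the gateway uses, so the following added example (not Check Point's protocol) shows the textbook form with both sides in one file: the gateway sends a fresh random challenge, the client proves it holds the shared secret by returning an HMAC over the challenge, and the gateway checks the answer in constant time, within a time limit, and never accepts the same challenge twice. The user names, secret and timestamps are constructed.

```python
"""Nonce-based challenge-response over a shared secret (added example)."""
import hashlib
import hmac
import secrets
import time


def answer(secret: bytes, user: str, nonce: bytes) -> bytes:
    """Client side: bind the response to both the user and the challenge."""
    return hmac.new(secret, b"cr-v1|" + user.encode() + b"|" + nonce, hashlib.sha256).digest()


class Gateway:
    """Server side: issues single-use challenges and verifies responses."""

    def __init__(self, ttl: float = 30.0) -> None:
        self.secrets = {}    # user -> shared secret
        self.pending = {}    # challenge -> (user, time issued)
        self.ttl = ttl       # seconds a challenge stays answerable

    def register(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret

    def challenge(self, user: str, now: float = None) -> bytes:
        """Issue a fresh 32-byte random challenge bound to `user`."""
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = (user, time.time() if now is None else now)
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes, now: float = None) -> bool:
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)   # single use: gone after the first attempt
        if issued is None or issued[0] != user or now - issued[1] > self.ttl:
            return False                          # unknown, foreign or expired challenge
        secret = self.secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(answer(secret, user, nonce), response)


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    gw = Gateway()
    gw.register("alice", shared)
    nonce = gw.challenge("alice")          # gateway -> client
    response = answer(shared, "alice", nonce)  # client -> gateway
    print("accepted:", gw.verify("alice", nonce, response))
    print("replayed:", gw.verify("alice", nonce, response))
```

Binding the user name into the MAC input stops a response captured for one account from being presented for another, and popping the challenge before checking it means even a failed attempt burns it.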


    Changing Authentication Schemes

    To change the authentication scheme used by the VPN client for the designated site:

    1. Right-click the client's icon in the system tray, and select Site Properties.

    The Site Properties window opens.

    2. On the Settings tab, use the drop-down Authentication box to select one of the following:

    Username and password (default)

    Certificate - P12

    SecurID - Keyfob

    SecurID - PinPad

    SoftID

    Challenge Response

    Smart Card


    Chapter 4

    Troubleshooting

    In This Chapter

    Logging Into Windows 20

    Collecting Logs 20

    Logging Into Windows

    Check Point GO does not support the Guest account on the host PC. If you experience unexpected behavior when logging into Windows, make sure that the active user account on the host PC is not the Guest account.

    Collecting Logs

    To troubleshoot issues with Check Point GO, your system administrator may ask you to collect log files from the device.

    You can collect logs when the device is open, closed, or frozen:

    Open means that the Check Point GO device is loaded and you are logged in to the Secure Workspace.

    Closed or locked means that Check Point GO is running, but you have not yet logged in to the Secure Workspace.

    Frozen means that the device fails to launch or ceases to respond.

    Collecting Logs From an Open Device

    Logs are created using the Log Collector. The Log Collector can be run either from within the Check Point GO device or outside of it.

    To run Log Collector from within Check Point GO:

    1. In the Check Point GO system tray, right-click the Check Point GO icon.

    2. Select Collect Logs.

    3. A pop-up message directs you to the host desktop where the Log Collector runs.

    To run Log Collector from outside of Check Point GO:

    1. In the system tray of the Host PC, right-click the Check Point GO icon.

    2. Select Collect Logs.

    The Log collector opens.

    3. Select the type of logs to collect: Normal or Extended.

    If you are not sure, ask your system administrator.

    4. Write a short description of the problem in the text box.

    5. Click Collect Logs.

    The Logs collected successfully window opens and the logs are saved to your device.

    6. Click one of the options in the window as instructed by your administrator:

    Send - Send the logs to Check Point by FTP.

    Save - Save the log file to a different location.

    Close - Close the window; the logs stay on the Check Point GO device.


    To collect logs from a closed device:

    1. Click the Advanced button in the device login window.

    2. Select the Device Operations tab.

    3. Select Enable logging, and click Collect Logs.

    4. Follow the instructions in the procedure above, To run Log Collector from outside of Check Point GO, starting with step 3. You will be prompted to enter the device password in the Log Collector dialog box.

    Note - To use the Log Collector when the device is closed, you must enter your device password. If you do not enter the correct password, you can collect only a minimal set of logs via the Collect only login logs link. After the logs are collected and compressed into a .cab file, the directory where the .cab file is saved opens automatically.

    Alternate method for collecting logs from a closed device:

    You can also collect logs from a closed device by opening the Utils directory on the CD (Check Point GO drive) and clicking CollectTool.exe.

    To collect logs from a frozen device:

    If the Check Point GO device fails to launch or ceases to respond, logs can still be collected:

    1. On the host PC, open My Computer to display the drives.

    2. Open the CD (Check Point GO drive).

    3. Open the Utils directory.

    4. Click CollectTool.exe to initiate log collection.
