Check Point Endpoint Security Vpn

IMPORTANT: Client VPN/Endpoint versions E81.10 or earlier – MUST UPDATE before January 1st 2021

On August 2019 we released version E81.20 addressing usage limitation of older versions of Check Point’s Endpoint, VPN and SandBlast agent (sk158912). These older, out of support versions – Endpoint/VPN E80.81 to E81.10 (Windows only) and SandBlast agent E80.61 to E81.10 (Windows only) –WILL CEASE TO OPERATEon January 1st 2021.

  1. Check Point Endpoint Security is the first and only single agent that combines all critical components for total security on the endpoint while maintaining a transparent user experience. Market-leading data security prevents corporate data loss, while collaborative endpoint and network protections reduce complexity and cost.
  2. Download endpoint security vpn for free. Security tools downloads - Check Point Endpoint Security by Checkpoint Software Inc. And many more programs are available for instant and free download.

Unfortunately, we see that some customers haven’t updated these old versions. Their update will become more difficult to facilitate after January 1st.

This document presents the procedures for installing Check Point Endpoint Security Client on a local machine and for creating a self-extracting installation package for deploying Endpoint Security Client on remote client computers. Endpoint Security Client combines firewall, network access control, program control, anti-malware.

Therefore, we urge to all customers reminding them that users of versions E81.10 and before are required to update their versions by January 1st 2021 in order to make sure their systems remain operational.

We offer our customers two options to address this request. Upgrade to a newer version (Recommended) or apply a simple fix to the old version:

  • Upgrade to a newer version (E81.20 or later versions). We recommend using version E84.0 (Download link), or
  • Apply a quick and temporary fix (sk171213).

Either way, customers should make sure to carry upgrades to supported versions (E83 or later versions) at a later time to ensure they receive the best security.

It’s important to stress that this notification is disconnected of any contemporary security guidelines following Sundburst. As said, it was already addressed by versions starting from E81.20 and customers who use them don’t need to take extra measures.

This request for upgrade has nothing to do with a security vulnerability in the VPN/Endpoint.

Our TAC services are available to support any customer needs regarding this request. More information can be found on this web page.

Please find some FAQ below:

FAQs

  • Q: Why are we approaching all customers now?
    On August 2019 we released version E81.20 addressing usage limitation of older versions of Check Point’s Endpoint, VPN and SandBlast agent (sk158912). These older, out of support versions will cease to operate on January 1st 2021. We are approaching all customers as we saw that many of them haven’t updated these old versions, and their update will become more difficult to facilitate after January 1st. So, we need to make sure they do so this week – before January 1st – to ensure a smooth and easy to facilitate transition to newer versions.
  • Q: What is the technical problem?
    The issue happens due to the internal certificate used by VPN/Endpoint services. One of the certificates expires on January 1st 2021, therefore all services that use this certificate will stop working on January 1st 2021. The fix is within the driver library: epklib. The library fixes an issue with regards to the certificate’s expiration validation (current date and not the signing date).
  • Q: Is this a security update? Is there a vulnerability in the software?
    A:No. This is a functional update to ensure VPN and blade connectivity and functionality. There are no known security vulnerabilities.
  • Q: Is this a pressing matter?
    A:Yes! Customers need to act before Jan-1st 2021. After this date they may experience client malfunctions For Stand Alone VPN with Firewall – the Firewall and the VPN may stop working. For Endpoint client – Firewall, Forensics, Threat Emulation, Anti-Bot and in some cases also the VPN may stop working.
  • Q: What products and versions are affected?
  1. Standalone VPN:
    Check Point Stand Alone VPN with Firewall from versions E80.81 to E81.10 (no longer under support)
  2. Check Point Endpoint / SandBlast Agent:
    Check Point Endpoint / SandBlast Agent from versions E80.61 to E81.10 (no longer under support)

Check Point Endpoint Security Vpn Service Is Lost

  • Q: What products and versions are not affected?
  1. Standalone VPN:
    I. Check Point Stand Alone VPN from versions E81.20 and above
    II. Check Point Stand Alone VPN without Firewall – all versions (includes Check Point Mobile and SecuRemote)
  2. Check Point Endpoint / SandBlast Agent:
    I. Check Point Endpoint and SandBlast Agent from versions E81.20 and above
    II. Check Point Endpoint, not using Forensics, Threat Emulation and Anti-Bot blades from versions E80.80 and below (no longer under support)
  • Q: Are customers notified?
    Impacted versions are already out-of-support. See Check Point Support Life Cycle Policy.
  • Q: What is the suggested course of action?
    Please follow SK171213 for the full details on all the actions.
    • A. Upgrade to a newer version (E81.20 or later versions). We recommend using version E84.0 Download link, or
    • B. Apply a quick and temporary fix that takes a minute to install (Download from sk171213).

Either way, you should make sure to carry upgrades to supported versions (E83 or later versions) at a later time to ensure you receive the best security.

Security
  • Q: Who should I approach for additional information?
    The Check Point TAC should be consulted.
  • Q: What indications customers will encounter facing this problem?
  1. Inability to connect using remote access VPN. Error message while connecting “Connectivity with the Check Point Endpoint Security service is lost”.
  2. “Blade not running” indicated in Endpoint/VPN client Display Overview.

Important: By default, a Security Gateway comes with a license for 5 users. You can attach a larger blade, if more users are required.
The blades come in 3 sizes: 50, 200 or Unlimited. You can attach 1 blade only. If more users are needed you have to trade in, and go to the next higher blade. For the MOB blade, each Security Gateway needs its own blade.
With a 50 blade attached, 55 concurrent users are supported; with a 200 blade attached, 205 concurrent users are allowed; and with Unlimited an Unlimited number are supported.


Check Point offers the following licenses for VPN products:

  1. Endpoint Security Remote Access VPN (CPSB-EP-VPN)
  2. Capsule Workspace (CP-CPSL-WORK or CP-CPSL-TOTAL)

IPSec VPN (CPSB-VPN)

The IPSec VPN Software Blade enables Check Point Security Gateways to allow encrypted traffic to traverse the enforcement point in general. This encrypted traffic passes over Site-to-Site VPN tunnels, as well as, over VPN tunnels established by SecuRemote.

Note: The IPSec VPN blade enables encrypted traffic to traverse the Security Gateway; this is not limited to IPSec VPN traffic. For exmaple, SSL traffic is also enabled. Additional licensing may still be required depending on the client license requirements as well. See below for more information.

Endpoint Security Remote Access VPN (CPSB-EP-VPN)

The Remote Access VPN Software Blade enables remote clients to connect to the network and to obtain an Office Mode IP address. The VPN clients enabled by this license include:

  1. Endpoint Security E80.x
  2. Endpoint Security VPN E75
  3. Endpoint Connect R73 (this product has officially reached end of life)
  4. SecureClient NGX R60 (this product has officially reached end of life)

This license is enforced based on installed endpoint clients. Both online (actively connected via VPN) and offline (not currently actively connected via VPN) endpoint clients require a license. An Endpoint is defined as a computer instance in the Check Point secured environment.

Security

CPEP-C-1+1000 CPSB-EP-FW+1000 CPEP-PERP CPSB-SWB

The is the Endpoint firewall license that comes with EP-ACCESS. It would not allow VPN.

Mobile Access (CPSB-MOB)

The Mobile Access Software Blade enables both client and clientless remote users to connect to the network. These users may or may not receive an Office Mode IP address, and this depends on the type of connection that the user is making. The VPN connections permitted by this license include the following:

  1. Mobile Access (also known as SSL VPN, and formerly known as Connectra; not supported for use with the IPSO operating system)
  2. SSL Network Extender (also knows as SNX; 'Network Mode' provides an Office Mode IP address; 'Application Mode' does not offer an Office Mode IP address)
  3. Check Point Mobile for Windows

This license is enforced based on concurrent connections. Users connecting with one of these solutions will consume a license for the duration of the connection only; the license will be released for use by another user upon termination of the current connection.

CPSB-SSLVPN-5/10/50/U

This is the string that the MOB-x blade generates.

CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M

Check Point Endpoint Security Vpn Uninstall Stuck

This is the license that allows SSL Network Extender. It generates from the MOB blade

Capsule Workspace (CP-CPSL-WORK or CP-CPSL-TOTAL)

The Mobile Enterprise Software Blades enables remote applications installed on SmartPhones and tablets to connect to a network and access limited network resources.

This license is enforced by user; each user can register up to 3 devices (for example, iPhone and iPad). Users connecting with this solution are issued a registration key for each device, which remain valid for a period of time determined by the Security Administrator.

Which license is required to allow L2TP VPN tunnels

Question: In order to allow L2TP VPN tunnels, if the customer already has the Endpoint VPN Remote Access Blade - is this enough, or is there a Mobile Access Blade license required? Meaning, for L2TP, do we need a Endpoint VPN Client license or a Mobile Access License?

Answer: In order to allow L2TP VPN tunnels, you would just need the IPSec VPN license on the Security Gateway. There is no need for the Mobile Access License.

More information about Office Mode

Mobile Access licenses are dependent on the client being used to connect to the Remote Access Gateway. There are 3 basic clients: SecuRemote, Check Point Mobile, and the Endpoint Security VPN client.
SecuRemote requires no additional license, but does not offer an Office Mode IP. It is not designed for a large number of users.
The Check Point Mobile client offers an Office Mode IP.
This client uses the Mobile Access blade license on the gateway itself. By default, a gateway comes with a license for 5 users. Then you can attach a larger blade if more users are required. The blades come in 3 sizes. 50, 200 or Unlimited.
You can attach 1 blade only. If more users are needed you have to trade in and go to next higher blade. For the MOB blade, each gateway needs its own blade. With a 50 blade attached, 55 concurrent users are supported. With a 200 blade attached, 205 concurrent users are allowed, and with Unlimited an Unlimited number are supported. The eval for this would be the 'all in one' eval.
The third client is the Endpoint Security VPN client. It offers an Office Mode IP.
In order to use the Endpoint Security VPN client, an Endpoint Security VPN license is purchased. This license is applied to the Management server that manages the Remote Access gateways, and it creates a pool of licenses the Remote Access gateways share. This license is purchased based on the total number of endpoints. It is not a concurrent use license.

Check Point Endpoint Security Vpn Download


Check Point Endpoint Security Vpn Autostart

As a user connects, they are given an Office Mode IP valid for 30 days. The eval for this would be 'Sandblast complete' eval. It is a 100 user eval and is additive.For more information about Check Point VPN products, refer to sk67820 (Check Point Remote Access Solutions).