Firewall-1

Re: [FW-1] SecureClient - Blocking web browsing

Subject: Re: [FW-1] SecureClient - Blocking web browsing
From: Ray Pesek <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 2 Apr 2004 22:28:30 -0500

When I installed the management station, I simply selected it to be
installed, as I recall. This was FP3 to start with.

You go over to the Check Point public free downloads and get the
administrator version of the operating system you want. This is just the
install program but with the individual files available. Save it into a
folder on the management station. You have to have all GUI clients closed to
run the tool.

You select the "administrator" version folder as the source and pick your
options. The tool creates a single executable in a new destination folder
that you also select.

It's pretty nice as it lets you embed some limited topology information in
the installation executable, which makes the initial setup much easier since
it already knows the firewall IP and policy server IP. I have mine set to
default to Connect mode, know the firewall and policy server IPs, do not
allow the end user to unload the desktop policy or to stop SecureClient, and
basically a three-click install. Run it, OK the license and OK the reboot.
No muss, no fuss. I also have IKE over TCP and UDP Encapsulation preselected
and locked down.

We have the installation path hard-coded as well because we use iPass and it
needs to know the path to ConnSHApp.exe.

Ray


--- "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM> wrote:
> Thanks, do you know of any docs/whitepapers that explain how to use the
> SecureClient Packaging tool? And also, is this function available for NG
> FP3, or is it an AI feature?
>
> -----Original Message-----
> From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
> Sent: 31 March 2004 17:47
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] SecureClient - Blocking web browsing
>
>
> 1. Use the SecureClient Packaging Tool on the management station to create a
> customized build of SecureClient. Select the options that do not allow them
> to unload the policy or shut down SecureClient. Allow DHCP to work even if
> the policy does not allow it.
>
> 2. Use SCV so they cannot connect to the internal network unless the policy
> is loaded.
>
> 3. Implement an Outbound desktop rule like so:
>
> Source: AllUsers@any
> Destination: any
> Service: any
> Action: drop
>
> This will cause one big issue. The "AllUsers@any" rules are the desktop
> security policy that is in effect when they are NOT VPNed in. Some hotel
> broadband systems, notably STSN, require that a browser outbound connection
> come from the laptop. They then intercept the call and pop up their own page
> that you have to click a button on to get Internet access.
>
> No clicky, no Internet. No browser outbound, no STSN page, no Internet, no
> VPN connection. Kind of a chicken-or-egg thing. If you have a forced browser
> home page, you could create an outbound rule to allow HTTP to it, even if it
> is unreachable from the Internet. This is enough to trip the STSN page.
>
> Ray
>
>
> >From: "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> >Subject: [FW-1] SecureClient - Blocking web browsing
> >Date: Wed, 31 Mar 2004 13:07:32 +0100
> >
> >Dear all
> >
> >I am implementing secure client for all remote users, but as my test bed has
> >highlighted there are concerns over the users connecting to the internet and
> >not using the VPN, i.e. for non work related reasons and installing all
> >types of goodies from the net on their laptops. Does anybody know of a way I
> >can set it up so that when connecting to the net, it always and only
> >connects to the firewall hence not giving them the ability to browse the web
> >at all? Unfortunately for me, my users are quite PC literate and as such
> >this method would have to be put in place with no workaround (well, no
> >obvious one at least). I am quite willing to look at reg hacks to lock the
> >OS down, but I don't know if they'll solve my problem
> >
> >
> >any help would be greatly appreciated
> >
> >regards
> >Gary
> >This electronic message contains information from Halifax Cetelem Credit Ltd
> >which may be privileged or confidential. The information is intended to be
> >for the use of the individual(s) or entity named above. If you are not the
> >intended recipient be aware that any disclosure, copying, distribution or
> >use of the contents of this information is prohibited. If you have received
> >this electronic message in error, please notify us by telephone or email (to
> >the numbers or address above) immediately.
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >fw-1-owner AT ts.checkpoint DOT com
> >=================================================