READ-ME File

Check Point VPN-1 SecuRemote Beta version 4.1 build 4115 for Windows 2000
=========================================================================

NOTE - BETA DISCLAIMER
======================

This is a BETA version of SecuRemote for Windows 2000. As such, it may
behave in unexpected ways, and could potentially adversely impact the
Operating System on which it is installed. Check Point recommends that it
should not be used on production machines or in situations where sensitive
data is passed over the network and/or contained in files on the machine on
which this beta version is installed.

Check Point Software Technologies Ltd. is not responsible or liable for any
damages that may occur as a result of the installation and use of this
software. Please contact your System Administrator if you're not sure
whether this software should be installed on your PC.

Content
=======

1. Unpacking SecuRemote.
2. New Features
3. Fixed Bugs
4. Limitations on installation on the PC.
5. Known Bugs and Issues

Unpacking SecuRemote
====================

If you have downloaded SecuRemote from the network as a single file, you
should first unpack it:

1. Create a temporary directory for installation: for example C:\TEMP

2. Copy SR41_NT.EXE to your temporary directory and run it. This is a
   self-extracting file. You should now run SETUP.EXE located in your
   temporary directory.

3. After completing the installation you should define at least one site;
   see the program help for more information.

New Features
============

1. Disabling a site: For your convenience, if you want to disable the
   encryption with some defined site, you may disable it (from the 'Sites'
   menu item, or by right-clicking on the site). You may want to do this if
   you are located on a LAN that has a VPN connection with networks in the
   site. You may re-enable the site from the 'Sites' menu item, or by
   right-clicking on the site.

2. Entrust Entelligence Integration: SecuRemote is now tightly integrated
   with Entrust's 'Entelligence' (if installed), to give a familiar Entrust
   experience.

3. Desktop Security Policy: This version of SecuRemote DOES NOT include the
   Desktop Security functionality available in SecuRemote 4.1 for other
   Windows platforms.

Fixed Bugs
==========

Limitations on installation on the PC
=====================================

1. The following data items are not encrypted:

   * The connection between the PC and the Manager when doing an "Add New
     Site" or "Update" operation, unless encryption of this data is
     enforced on the Manager. Even so, the information is signed.

   * The connection between the PC and a FireWall in which an FWZ key is
     exchanged. However, the information is signed and the password and the
     session key are encrypted. ISAKMP key exchange is encrypted as the
     protocol dictates.

   * DNS information, unless otherwise configured (see Firewall User
     Guide).

   * If the SecuRemote station runs a GUI client, the communication with
     the management station is not encrypted by SecuRemote, unless
     configured otherwise. The GUI client/server protocol (VPN version)
     implements encryption on its own.

   * Using FWZ encryption, in FTP, RealAudio, and VDOLive connections, some
     packets are not encrypted. These packets only contain information
     needed to open a back connection from the FireWall to the PC (e.g.,
     data connection in FTP).

   * Local connections are not encrypted. A connection is "local" if the IP
     of the PC (i.e., the client) and the IP of the destination (i.e., the
     server) are both inside the same encryption domain of the same
     firewalled gateway.

2. For users to create their own certificates ("Entrust/Create User"), the
   client must be able to open a TCP connection with the CA on the relevant
   port (usually 709). If this communication is blocked (by the firewalled
   gateway), users will need to receive their certificates out of band.

3. FWZ ICMP encryption: there are two "versions" of ICMP encryption, and
   for ICMP packets to be encrypted and decrypted successfully, the
   SecuRemote client and the firewall must agree on which version to use.
   Firewall-1 version 4.0 will, by default, use version "1" (new), as will
   SecuRemote version 4.0. SecuRemote can be forced to use version "0"
   (old), to be compatible with older firewalls, by editing the
   state/userc.set file in the SecuRemote directory.

4. This version of SecuRemote can work only on Windows 2000 (Release
   Candidate 1).

Known Bugs and Issues
=====================

1. When uninstalling, the user may be prompted to reboot the machine twice.

2. Token-Ring was not tested on this beta version.

3. This version of SecuRemote disables the IPSec service that is enabled by
   default in Windows 2000.

4. Selective adapter installation is not supported. The installation binds
   to all adapters; bindings can be disabled through the Network Control
   Panel.

5. "Re-Bind Adapters" is not supported in this beta release. Adapters can
   be re-bound via the Network Control Panel.

6. When adding a new Network Interface Card after SecuRemote is installed,
   a digital signature warning by Microsoft may appear, stating that a file
   being installed has not been digitally signed by Microsoft and may
   present a security problem. The files in question are Check Point driver
   files.