READ-ME File Check Point VPN-1 SecuRemote version 4.1 build 4118 for Windows 95/98
==================================================================================

Content
=======

1. Unpacking SecuRemote.
2. New Features
3. Fixed Bugs
4. Limitations on installation on the PC.
5. Known Bugs.

Unpacking SecuRemote
====================

If you have downloaded SecuRemote from the network as a single file, you
should first unpack it:

1. Create a temporary directory for installation: for example C:\TEMP

2. Copy SR41_95.EXE to your temporary directory and run it. This is a
   self-extracting file. You should now run SETUP.EXE located in your
   temporary directory.

3. After completing the installation you should define at least one site;
   see the program help for more information.

New Features
============

1. Disabling a site: For your convenience, if you want to disable the
   encryption with some defined site, you may disable it (from the 'Sites'
   menu item, or by right-clicking on the site). You may want to do this if
   you are located on a LAN that has a VPN connection with networks in the
   site. You may re-enable the site from the 'Sites' menu item, or by
   right-clicking on the site.

2. Entrust Entelligence Integration: SecuRemote is now tightly integrated
   with Entrust's 'Entelligence' (if installed), to give a familiar Entrust
   experience.

3. Desktop Security Policy: This version of SecuRemote has the new
   capability of operating an access control policy. The available policies
   can be viewed in the "Policy" menu. To obtain a policy other than
   "Allow All" or "Block All", log in to a policy server to which you are
   assigned to install your policy.

Fixed Bugs
==========

1. In some cases, if a user was tardy responding to an authentication popup,
   and entered a password a few minutes after the window popped up, an
   "Internal Error" would result (in some cases SecuRemote would crash).
   This has been fixed.

Limitations on installation on the PC
=====================================

1. Memory restrictions: SecuRemote will, by default, allocate approximately
   1.5Mb of "kernel" memory at boot time. This may be too much for your
   system to handle, depending on installed memory, and on what other
   drivers are installed. SecuRemote can run with less memory allocated,
   though performance may be impaired. If you cannot re-boot after
   installing SecuRemote, then re-boot in safe mode, and edit the registry
   (using regedit) as follows:

   Under HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\SecuRemote create a new
   string value named "Memory", and give it a value less than "1500000".
   It is not recommended to try values less than "100000".

2. The following data items are not encrypted:

   * The connection between the PC and the Manager when doing an
     "Add New Site" or "Update" operation, unless encryption of this data
     is enforced on the Manager. Even so, the information is signed.

   * The connection between the PC and a FireWall in which an FWZ key is
     exchanged. However, the information is signed and the password and the
     session key are encrypted. ISAKMP key exchange is encrypted as the
     protocol dictates.

   * DNS information, unless otherwise configured (see Firewall User Guide).

   * If the SecuRemote station runs a GUI client, the communication with
     the management station is not encrypted by SecuRemote, unless
     configured otherwise. The GUI client/server protocol (VPN version)
     implements encryption on its own.

   * Using FWZ encryption, in FTP, RealAudio, and VDOLive connections, some
     packets are not encrypted. These packets only contain information
     needed to open a back connection from the FireWall to the PC (e.g.,
     data connection in FTP).

   * Local connections are not encrypted. A connection is "local" if the IP
     of the PC (i.e., the client) and the IP of the destination (i.e., the
     server) are both inside the same encryption domain of the same
     firewalled gateway.

3. For users to create their own certificates ("Entrust/Create User"), the
   client must be able to open a TCP connection with the CA on the relevant
   port (usually 709). If this communication is blocked (by the firewalled
   gateway), users will need to receive their certificates out of band.

4. FWZ ICMP encryption: there are two "versions" of ICMP encryption, and for
   ICMP packets to be encrypted and decrypted successfully, the SecuRemote
   client and the firewall must agree on which version to use. Firewall-1
   version 4.0 will, by default, use version "1" (new), as will SecuRemote
   version 4.0. SecuRemote can be forced to use version "0" (old), to be
   compatible with older firewalls, by editing the state/userc.set file in
   the SecuRemote directory.

5. This version of SecuRemote can work only on Windows 95 and Windows 98.
   For Windows NT, please download the NT version.

6. If the FW1 adapter is bound to an Ethernet adapter, removing the card
   will not have the effect of removing it from the configuration. If you
   have two modes of work, one using an Ethernet card (at work) that does
   not need encryption, and one using a dialup adapter (from home) that does
   need encryption, you have two options:

   1. Install SecuRemote on dialup adapters only (at install time).

   2. If you have already installed SecuRemote: Open the network applet and
      remove the FW1 adapter bound to your Ethernet card, and reboot. Now,
      whenever your Ethernet card is properly removed, none of your routing
      will be through your Ethernet card. Be warned that in this
      configuration, no data travelling through your Ethernet card will be
      encrypted by SecuRemote.

7. Only one "FW1 Adapter" can be added or removed in one session of the
   Network control panel applet. You must press OK after each "Remove" of
   "FW1 Adapter".

8. Consider the following situation:

   * You have several adapters but you have defined only one TCP/IP
     protocol, which is of course bound to only one of them.

   * You have installed SecuRemote. As a result the SecuRemote adapter and
     protocol (FW1 Adapter and FW1 protocol) are placed in between your
     TCP/IP protocol and the original adapter.

   * Now you decide to install the TCP/IP protocol on the other adapters.

   In this case you must proceed as follows:

   A. Uninstall SecuRemote.
   B. Add the new TCP/IP protocols.
   C. Re-install SecuRemote.

9. SecuRemote on Windows 95B and Windows 98 will work only with Ethernet,
   Dialup and Token Ring adapters.

Known Bugs
==========

1. On Windows 95B (OSR2) and Windows 98, if your PC is configured to obtain
   an IP address on a LAN from a DHCP server, and if your previous DHCP
   lease expired while the PC was shut off, then you may not be able to
   obtain a new lease at boot time.

   Workaround: Using 'winipcfg' - renew your lease manually.

   This will be fixed in a future release.
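
Item 2 of the limitations states that "local" connections (client and server both inside the same encryption domain of the same firewalled gateway) are not encrypted. The Python code below is an added example, not part of the Check Point README or product; it applies that rule to a list of flows so an administrator can see which ones travel in cleartext. The gateway names, the CIDR representation of encryption domains and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed sample data: each gateway's encryption domain written as a
# list of CIDR networks (an assumption; the README gives no format).
ENCRYPTION_DOMAINS = {
    "gw-hq": ["10.1.0.0/16", "192.168.10.0/24"],
    "gw-branch": ["10.2.0.0/16"],
}

# Constructed (client_ip, server_ip) pairs.
SAMPLE_FLOWS = [
    ("10.1.5.20", "192.168.10.7"),   # office LAN to server behind same gateway
    ("10.1.5.20", "10.2.0.9"),       # office LAN to a different gateway's domain
    ("203.0.113.5", "10.1.5.20"),    # dial-up client outside every domain
]


def gateways_for(ip, domains):
    """Return the set of gateways whose encryption domain contains ip."""
    addr = ipaddress.ip_address(ip)
    return {
        gateway
        for gateway, networks in domains.items()
        if any(addr in ipaddress.ip_network(net) for net in networks)
    }


def is_local(client_ip, server_ip, domains=ENCRYPTION_DOMAINS):
    """README rule: a connection is local when both ends sit inside the
    same encryption domain of the same firewalled gateway."""
    shared = gateways_for(client_ip, domains) & gateways_for(server_ip, domains)
    return bool(shared)


def unencrypted_flows(flows, domains=ENCRYPTION_DOMAINS):
    """Return the flows that the local-connection rule leaves unencrypted."""
    return [flow for flow in flows if is_local(flow[0], flow[1], domains)]


if __name__ == "__main__":
    for client, server in unencrypted_flows(SAMPLE_FLOWS):
        print(f"local, not encrypted: {client} -> {server}")
```

Only the local-connection rule is modelled; the other unencrypted items in the list (DNS, FWZ key exchange, FTP back-connection packets) depend on firewall configuration that the README does not describe.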