R60 HFA_02 SecureClient install issues

[lammbo]

So I built my own packages for my users with this procedure:

How to… Create new VPN Client Builds

1) Download the latest client build from Checkpoint
2) Obtain the MSI packaging tool provided by Checkpoint. Provided you have the Dashboard installed, this tool can be located here: (this shows the R65 path)
C:\Program Files\CheckPoint\SmartConsole\R65\PROGRAM\util
3) With ‘cpmsi_tool.exe’ we will now extract the MSI downloaded in step 1
a. Create a directory x:\SecureClient
b. Place the latest SecureClient download and cpmsi_tool.exe in this directory
c. Create sub-directory ‘Built’
d. Rename the downloaded msi package to Base.msi
e. Open a command prompt to the SecureClient directory
f. Type: cpmsi_tool.exe Base.msi out all (This will extract the files from the MSI)
4) Edit the file product.ini – change the following parameters:
ShowWelcome=0
ShowLic=0
OverwriteConfiguration=1
ShowUpdateOverwrite=0
PathAskUser=0
DesktopSecurityAskUser=0
MakeServiceNonInteractive=0
5) Repackage the file, type: cpmsi_tool.exe Base.msi in all
6) Install base package to laptop
7) Configure Site connections (more details to follow in this section later)
8) Test connectivity (which also updates topology fully)
9) Now stop the services and get this file:
“C:\Program Files\ChekPoint\SecuRemote\database\userc.C”
10) Now that we have the basic site configuration file, we will edit some of the default values. Make the following changes:
:encrypt_db (true)
:allow_clear_in_enc_domain (true)
:open_full_diagnostic_tool (true)
:default_ps (vvv.xxx.yyy.zzz) Main site IP here (Optional)
11) Now we need to assemble the package for the site with everything in the package
a. Since you still have the base.msi available, make a copy and rename it to site-xxx.msi (or whatever) and extract it.
b. Now replace the default userc.C file with your site config userc.C file and re-compile

You should now have a fully configured and deployable msi package for CheckPoint’s SecureClient.


So, using this process, I created my packages (damn CheckPoint for not using the exe any longer, MSI is a pain). Most users are not having an issue, they run CPCLean to nuke the old client and reboot. They run CPClean again after reboot - reboot a second time if necessary. Then, once all remnants of the old client are gone, they run my new MSI package. Now is when the fun starts...


There have been 3 users so far with this issue. Common issue:
My package would not complete installation.
In each case, an error was generated that stated the "wizard was interrupted before completion".
If you go to Add/Remove programs, it shows in the installed list but no options for uninstall or change are available. CPClean removes nothing on these installs.

More specifics for each instance:
1) New VISTA install (very clean OS install). Since my package would not install, I installed the clean package from CP as SecureClient - It installed OK. Ran my install package over the top of it (since I set my install to overwrite) and it now completed install. So now it was installed and would connect, but Desktop Policy was not downloading. The policy directory was just missing - created a directory called policy (in the appropriate location) and all worked well. This issue resolved.

2) XP Pro on a laptop. Nearly an identical issue to case #1. Installing the unconfigured client and then ran mine over the top. Never had the same policy issue, works fine. This issue resolved.

3) XP Pro on a laptop. None of the above works at all. Here is the text of what the Help Desk is telling me:

Bad news, I have another user who has successfully uninstalled the old client, install the new client, login successfully but when the user disconnects from VPN – it said that the default policy is corrupted and that user needs to login to fix this which the user did but then when logged out same error – default policy is corrupted.

I used cpclean twice to uninstall and reboot instructed, on the second clean it indicated that nothing to clean but when I check Add/Remove Programs – the program still exist but no option to remove (similar to <the other user's> issue) so I follows the instruction you supplied to <the other user>.

After install SC_NGX_R60_HFA2_630000044.msi – I’ve checked Add/Remove Programs – it listed Check Point VPN-1 Secureremote/secureClient NGX R60 HFA2 twice and there is no option to remove both instance of this program.

I then used cpclean once more (twice) – again second clean it indicated that nothing to clean but when I check Add/Remove Program – it still listed Check Point VPN-1 Secureremote/secureClient NGX R60 HFA2 and not option to remove.

I then revert back to the old client – it installed and user can connect, when disconnect it did not provide the error regarding the default policy is corrupted. User will test at home to see if VPN worked or not.


Anyone have similar issues or have any ideas at all? I can't believe it's my package because it works fine on MANY other laptops/home PCs. So why does this screw up 1 out of 50 installs - even on CLEAN machines that only have an OS (OK, granted, it was VISTA but still...)

[melipla]

Quote:

Originally Posted by lammbo

(damn CheckPoint for not using the exe any longer, MSI is a pain).

I couldn't agree more.

Quote:

Originally Posted by lammbo

Most users are not having an issue, they run CPCLean to nuke the old client and reboot. They run CPClean again after reboot - reboot a second time if necessary. Then, once all remnants of the old client are gone, they run my new MSI package. Now is when the fun starts...

I was told by support that you had to use the Add/Remove programs to uninstall the EXE. That using cpclean, a program which hasn't been updated in years, to uninstall is not acceptable. I specifically asked in my futile efforts to find a way to automate the removal of the EXE install of SecureClient.

Quote:

Originally Posted by lammbo

My package would not complete installation.
In each case, an error was generated that stated the "wizard was interrupted before completion".
If you go to Add/Remove programs, it shows in the installed list but no options for uninstall or change are available. CPClean removes nothing on these installs.

I've found that if the MSI file isn't saved locally that the user isn't able to run the install at all when transfering the file to the client via ftp. However I haven't seen an MSI SecureClient install error like yours. Out of curiosity does the MD5 hash of the MSI they saved the same as the master copy?

I have had problems with the EXE SecureClient staying listed in Add/Remove Programs. This happened when I did not uninstall the EXE version properly before installing the MSI. On my test system I have about 10 "Check Point SecureClients" listed w/no way to remove them, not even CPClean finds them.

Quote:

Originally Posted by lammbo

Anyone have similar issues or have any ideas at all? I can't believe it's my package because it works fine on MANY other laptops/home PCs. So why does this screw up 1 out of 50 installs - even on CLEAN machines that only have an OS (OK, granted, it was VISTA but still...)

Besides checking the package integrity I'd look at other things--"The Wizard was interrupted before ..." seems to be a fairly common MSI error, I looked at a few and the first thing I saw was a post talking about AV, a possible cause. Might be worth reading through some to see if they help.

[Wullum]

Used this post to build myself a new package vor SecureClient R60_hfa02.
Worked great!

Only drawback is that I cannot find a way to include my old AuthMsg.txt file I used in my old R56 package in the new package. This file used to display messages for users what to do when connection fails etc.

Anyone knows how to do this in the R60 client?

[jhspecialty]

I ran into the same issues on a laptop with XP Pro Service Pack 2 - I was unable to install the msi - and I could not do anything in the Add/Remove Programs like previously described.

To fix the problem - I right clicked on the msi file - and clicked uninstall - this did uninstall the rest of the program and it was no longer under add/remove programs - and i was able to re-install.

Hope this helps - thanks.