Endpoint connect is failing on "no license"



pmb1010
2009-11-10, 08:24
Purpose: support Win64 clients VPN connect.

I have duplicated my production R65 w/ no HF, on Windows, and using upgrade/export into a Windows Hyper V virtual environment to sort this task out.
Currently, we use only SecureRemote which works fine.

In the virtual environment:

Upgraded to HF50. That seems OK.

Downloaded the R71 Endpoint Connect lightweight client.
Installed on 64 bit Win client.

Downloaded the R71 cab file, and did the copy/rename TRAC file tweaks on the gateway. From the R65.4 docs it references, it says to use GUI EDIT to change some of CP's registry-type keys.
PROBLEM 1 - I don't seem to have those keys...
It also says to Windows Edit some type of file to "enable the right options".
That process is very confusing. Not sure what the right options are supposed to be. Changed what I thought was right. Nothing in there said EndPoint Connect.

So I attempt to follow the rest of the doc, it says to change this and that at the Gateway. I made those changes. Sure appears to be enabling Office Mode to me. I always thought Office Mode needed SecureClient (which I am not licensed to...)

Attempt to connect - lots of times I get either "not responding" or when I get closer, "FW-1 at FW01 - access denied".
I did putz enough with the settings on the FW to get a login prompt at the 64bit client.
At that point, the FW log says "user is connecting, but there are no licenses available", and the client says "authenticated" but "connection failed".

I thought the new lightweight client didn't need licenses.

So what's the deal here? Did I miss an obvious step?

PhoneBoy
2009-11-10, 19:28
My understanding is that you need a license of some sort for Endpoint Connect. Do you at least have a SecuRemote license?

tomama
2009-11-10, 19:51
From the Check Point Knowledge Base:

Licensing:

* The use of Check Point Endpoint Connect will be covered by Check Point Endpoint Security - Secure Access license.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36681

Thorpuse
2009-11-10, 19:55
Check Point have not committed to a $0 VPN Client post-SecuRemote. If you currently use SecuRemote and don't want to get caught out by this when it is EOLed, shout it out long and loud to Check Point now so they realise how big a mistake this is.

pmb1010
2009-11-11, 01:03
My understanding is that you need a license of some sort for Endpoint Connect. Do you at least have a SecuRemote license?

Yes I have the old SecureRemote License attached in the FW. 100 user license. It's still in the CPCONFIG screen.

I also upgraded from 65HF50 to R70, to R70.1/HF10.

Whatever the issue is, it still carries forward.
It's gotta be some configuration checkbox I have set wrong.

When my SecureRemote users connect in production with R65, we do NOT get pushed an IP address. If I do IPCONFIG at the client, just the internal IP address. Tracert to anything internal shows my FW external interface, then internal IP host.

Hope this helps someone point me in the right direction to solve this.

pmb1010
2009-11-11, 01:09
Check Point have not committed to a $0 VPN Client post-SecuRemote. If you currently use SecuRemote and don't want to get caught out by this when it is EOLed, shout it out long and loud to Check Point now so they realise how big a mistake this is.

I thought that was already done, from March to now.

Rather than the fat client "Endpoint Security", they stripped the stuff I already have on most of my office PC's --- and gave us lightweight Endpoint Connect. I would have thought the SecureRemote licenses covered this item.
From the post above, I guess not. Now I'm very confused...

Thorpuse
2009-11-11, 01:25
Endpoint Connect relies on Office Mode being set up correctly for connections to work, as it issues the EPC Virtual Adapter an IP address from an OM pool. Contrary to popular belief, you have never needed a SecureClient license for OM to work (there is still some debate about the legality of that, but that's been discussed elsewhere).

EPC works without a SecureClient/SecureAccess license at this stage. Again, expect this to change sometime. Technically, at the moment the correct answer from a licensing perspective is that you need a SecureAccess license to use EPC, and there is NO $0 option. If you don't like this, make your feelings known to your nearest CP rep. They've already had to extend the EOL date of SecuRemote for this among other reasons. But as 64-bit and other unsupported OSes become the standard, this will become a bigger issue....

pmb1010
2009-11-11, 07:40
So where lies my connection problem?
License or Config?

If I technically don't need licenses to get Secure Connect to link in, I should be able to configure the checkboxes on the server to allow 64 bit client in.

But it's griping about licenses in the FW log - while using settings configured in the only way I can get the client to allow me to enter name & password...

lammbo
2009-11-11, 09:04
Test if it's a licensing issue or some other misconfiguration by putting an eval license on your SCS. If it works with the eval in place, it's a license issue.

pmb1010
2009-11-11, 22:17
I've done eval licenses long ago, like in ver 3 days.

Can I get just eval license for Endpoint connect, or whatever it needs - or do I need to request full system eval from Checkpoint?

Guess I'm not sure what I need to do to make that happen anymore..

help?

Thorpuse
2009-11-12, 00:48
You'll need to request an eval either from your friendly CP SE or your reseller. It will be a full eval.

PhoneBoy
2009-11-12, 01:00
As I understand this, you can request an eval for the entire Endpoint Security suite, of which Secure Access is a part of. You may even be able to do this yourself in User Center. If not, your SE can help.

I know when I generate my own evals in User Center for Endpoint Security, I have to generate several sub-licenses as one license does not cover everything. I don't remember the exact breakdown, though.

Thorpuse
2009-11-12, 01:12
From my testing, the generic VPN-1 eval license should be sufficient.

Endpoint Security licensing is pretty ugly - it may be the only license that could be improved by Software Blades!

PhoneBoy
2009-11-12, 11:09
I would assume that once we have unified management on the Endpoint side of the house, the licensing for Endpoint would also get cleaned up a little as well. However, despite being on the inside, I don't have any inside information on that. It's just a guess. :)

Barry J. Stiefel
2009-11-12, 19:17
From my testing, the generic VPN-1 eval license should be sufficient.

Endpoint Security licensing is pretty ugly - it may be the only license that could be improved by Software Blades!

What are you, a CCLE?

pmb1010
2009-11-12, 20:46
Well the eval license isn't working out so well.

Detached my production license, added in the eval.
Tried to open SmartDashboard, and it runs thru the modules, and stalls on "Loading SmartMap". Then the application disappears.
Event viewer says Dr. Watson etc "FWPOLICY.EXE generated application error C000005".
Yech.

Damn. Reboot same result. Guess I'll rebuild this again, I saved a VM image and try from R65 again with the trial license.

SmartView Monitor works. I guess the old policy is installed.
FW UNLOADLOCAL yanked that out, now I got red stopsign no policy installed. Not sure what command line syntax to load it back.

In addition, new error on list. "Error: Endpoint Security not responding. Verify that EPS is installed on the gateway." Wants me to edit the gateway object to remove it.

Oh - Endpoint connect gave same error. Not surprised though with the FW all jacked up.

I now seem to remember why I don't putz with my FW. Hours and hours of endless fun ensues...

Edit - additional:
Restore back to R65HF50.
Even with eval license, still having much difficulty. Maybe better, getting "no 2nd proposal found" so it looks like I need to go back and read all the docs to configure this silly thing.

Checkpoint - this would have been all fine and good -> just port SecureRemote to 64 bit and leave what was working - alone. We were perfectly happy with that. Give us the OPTION to move forward - at a cost - if we want to use Endpoint Connect & all the other stuff it provided.

Thorpuse
2009-11-13, 01:00
Checkpoint - this would have been all fine and good -> just port SecureRemote to 64 bit and leave what was working - alone. We were perfectly happy with that. Give us the OPTION to move forward - at a cost - if we want to use Endpoint Connect & all the other stuff it provided.

For some perverse reason in their code, CP couldn't port SR to 64-bit without a complete rewrite, thus the decision to clean it up and write EndPoint Connect. I agree with the sentiment, especially seeing as EPC is missing some major features currently. Regarding licensing, there's no need to detach prod licenses to get the eval license going - they can happily coexist.

My suggestion - get Office mode and Visitor mode working with SecureClient first (yes, you CAN do this without a SecureAccess license, but the eval license will cover that too). Once that is working, EPC should also work, but at least you won't be adding as many variables that way.

pmb1010
2009-11-18, 22:43
When I use the eval license, I can get connected OK.

Removing the Eval license back to my subscription VPN & SecureRemote Licenses, I get authenticated, but client drops out with "connection failed".

On the FW logs, it says OM user [myname] has tried to connect but you have reached the number of purchased licenses.

My reseller is working to find me "the best license solution to fit this problem" in R70 and Blades. And I just re-upped my software subscription and maintenance. I can't go back and ask for more cash for this. No more budget.

Checkpoint, you're going to lose a long time customer due to this.
Too much drama for this small time company. It may be easy for many here much smarter than me in regards to CP, but I don't have time to fiddle-fart around with this. I wear a lot of hats in my company.

I like Ray's suggestion of Juniper VPN. Especially the ICE option.
Looking into that.

Thorpuse
2009-11-19, 00:14
Checkpoint, you're going to lose a long time customer due to this.
Too much drama for this small time company. It may be easy for many here much smarter than me in regards to CP, but I don't have time to fiddle-fart around with this. I wear a lot of hats in my company.

I hear ya - even for those of us who work with this stuff every day, CP doesn't do us or itself any favours with this sort of nonsense. At least SecureAccess licenses are "per user" which should allow you to tailor things a little bit. Make sure you contact CP directly and let them know about this as well - they need to hear that their decision of not providing a viable $0 Remote Access VPN Client will cost them business.

PhoneBoy
2009-11-19, 00:57
I would also open a TAC case on this, if you haven't already. It seems reasonable that you should be able to use SecuRemote-type functionality with Endpoint Connect using your existing licenses. Any sort of fix for this would come in the form of an updated cp.macro file (most likely).

Thorpuse
2009-11-19, 02:26
I would also open a TAC case on this, if you haven't already. It seems reasonable that you should be able to use SecuRemote-type functionality with Endpoint Connect using your existing licenses. Any sort of fix for this would come in the form of an updated cp.macro file (most likely).

Damn Phoneboy, I wish you worked in Product Management! :)

P.S. If this can be fixed in cp.macro, I want a copy of this!

PhoneBoy
2009-11-19, 02:50
I interface with Product Management as part of my job, and even do a few things that you might consider Product Management. However, it's not my official job. ;)

My theory is that the old SecuRemote licenses do not map to the appropriate Secure Access features that are required by Endpoint Connect. That could be fixed in cp.macro, as that's where the license/feature mapping generally occurs. It might also require a code-level change, but since I'm not in R&D, I can't say for sure. Thus my suggestion to take the TAC route.

Thorpuse
2009-11-19, 03:06
Interesting.... so in theory, could you hack cp.macro to turn on other features? I thought R70 (and R6x, for that matter) had gone down the path of embedding license checking into the code. I know the last times I've had licensing-related issues, the code had to be changed because it wasn't doing those licensing checks properly (yes, I'm looking at you AV and Messaging Security....). If cp.macro mods could be that powerful, that's a really interesting insight.

Not to diss your idea, but entitling this outside of a product management change would seem like the TAC is setting product entitlement policy. My understanding is that, at a policy level, CP still hasn't committed to a $0 VPN Client being available post-SecuRemote. If you have different information, I'm definitely interested to hear it. I have customers that are waiting to hear this to determine their Remote Access strategy, and have been lobbying about this ever since the EOL on SecuRemote and EPC was announced. I agree with you, this is eminently reasonable - sadly product management decisions are rarely made based on "reasonableness".

PhoneBoy
2009-11-19, 03:47
My thought for going through TAC would be based on the assumption that the Endpoint Connect client should work with a SecuRemote license, considering you'd be essentially using the same functionality. Regardless of what the official Product Management position might be, it's either a bug that needs to be fixed or a "feature" that requires documentation in SecureKnowledge. Both of these avenues lead through TAC.