CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Abra Demo

  1. #1
    Join Date
    2006-12-16
    Posts
    539
    Rep Power
    14

    Default Abra Demo

    Has anyone tested the product? I am about to demo the product.
    CCSA,CCSE,CCSE+,CCMSE+P1,CCMSE+VSX,CCMA #23

  2. #2
    Join Date
    2009-04-14
    Location
    Ottawa, Ontario, Canada
    Posts
    319
    Rep Power
    11

    Default Re: Abra Demo

    One of my Sales buddies just showed me his Abra running over Windows VMWare on his Mac Powerbook. He says he uses it all the time... consensus is that Abra is a Good Thing.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Pierre Lamy - Escalation Engineer Ottawa TAC
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  3. #3
    Join Date
    2007-03-20
    Posts
    51
    Rep Power
    13

    Default Re: Abra Demo

    I've got one here, but I'm waiting on CP giving me the Eve2 patch so I can run it on R65. From what I saw at CPX it looks good, although CP played down the fact that if you have (for example) a Word doc on the stick and didn't have Word installed on the client PC you were stuffed. Later in the year there may be a release that allows approved Apps to be on the stick.
    Mike
    CCSA/CCSE/CCSE+/CCMSE/CCNA/NSA

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Abra Demo

    If you are interested in having particular applications officially supported on Abra, your Check Point SE would love to hear from you :)

    Informally, I've heard that single EXE files (including most things from portableapps.com) tend to work best with Abra, provided the relevant EXE is included in the Program Control configuration.
    Last edited by PhoneBoy; 2010-04-20 at 02:16.

  5. #5
    Join Date
    2010-01-11
    Posts
    100
    Rep Power
    11

    Default Re: Abra Demo

    I am evaluating Abra on an R70.20 platform. Not terribly impressed yet. I've spoken to my CE and they are going to try to put mstsc.exe on the stick so my users could use any machine in the Windows world and connect to a terminal server in house. This is really not too big a deal for me or most of my users. I'm most likely missing how the office on a stick concept is supposed to benefit me or my users but will continue to work with CP to see if we can come up with some compelling reason for me to spend a lot more time getting this working.

  6. #6
    Join Date
    2010-08-06
    Location
    UK (Surrey)
    Posts
    48
    Rep Power
    0

    Default Re: Abra Demo

    been doing some Abra testing today, so I thought I’d share my observations

    gateway : SPLAT running R71.10
    initial Abra : R70 build 1.6.153.14
    subsequent Abra : R70 build 133 (all bar 1 test run on this version)

    here’s what I found

    • The “Abra R70 Client Automatic Upgrade Package” procedure works OK

    • CIFS does not work through the tunnel – so no network drive mapping; known limitation ref: sk44397 for this and others..

    • All connections to the gateway come in on https (as expected), then the Tracker logs the decrypted connections as service: CP_SSL_Network_Extender (tcp-444) with a source IP of the external host and a destination IP of the gateway external interface. Onward (clear) connections all appear to originate from the gateway internal IP as source. This ‘proxy’ behaviour is not very helpful from a troubleshooting, reporting or audit point of view.

    • The “smart location awareness” was not very smart, i.e. by default it’s set to configured on endpoint client. I tested Abra from the outside and connected OK to the gateway a few times, then I took that same test laptop and patched it into the LAN, and launched Abra; it still kept trying to connect to the gateway external IP, which failed of course. What I had to do was explicitly set location awareness via the Global properties > Abra in the SmartDashboard. So it begs the question, how does Abra determine the location?

    • The other thing I noticed is that in terms of data import/export policy, Abra considers all internal machines as “trusted”…so you can see where this is going, if I need to explicitly set location aware networks to get this working, and my corporate internal network ranges overlap with a remote location … then if I plug my Abra into a host PC on that location I can import/export at will if the SecureWorkspace policy is set to allow this from trusted hosts only

    • While connected, although ping was an allowed application, I could not ping any internal hosts. I could ping external hosts OK

    • While connected, DNS resolution seems to work (short names tested ok); note this was using a corporate laptop with the correct dns suffixes etc. I did not test from a non-corporate host.

    ipconfig /all does not show any Endpoint VPN or SecureClient style virtual connections

    netstat -an shows a ton of connections to loopback 127.0.0.1 and then 1 or 2 to the gateway external IP on tcp-443. Pretty standard stuff for ssl vpn type activity.

    route print – again this shows no special routes for corporate or office mode networks, as expected.

    • One of my concerns is with scalability, the release notes say only 10 “heavy users” supported on UTM-1 270 platform, and strangely that VNC viewer, Citrix or other thin client connections (if connected all day) would qualify as a heavy user…not sure how they work that out?? Anyways the prospect of paying for a UTM-1 3070(@$28.8k) or above to support 100 ‘heavy users’ is not really going to fly….so I hope Check Point improve on the concurrent connections capabilities in the next release. Maybe someone else understands the details of this limitation better than me.

    • The ESOD (endpoint security on demand) stuff is fairly clunky and needs better integration. Abra displays messages that my host PC was being scanned before the Abra workspace was launched, and also after connecting to the gateway – does it really scan twice? Also I seem to have lost all my default ESOD policies somewhere in upgrading from R70.20 and R71.10.

    Anyway that’s for now, will post more info when I get some more time to run more tests.
    No doubt others have extra info to share too

    Thanks
    Patrick

  7. #7
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    17

    Default Re: Abra Demo

    Originally posted by gahanpa:
        ipconfig /all does not show any Endpoint VPN or SecureClient style virtual connections

    As expected, there is no VNA with Abra

        • One of my concerns is with scalability, the release notes say only 10 “heavy users” supported on UTM-1 270 platform, and strangely that VNC viewer, Citrix or other thin client connections (if connected all day) would qualify as a heavy user…not sure how they work that out?? Anyways the prospect of paying for a UTM-1 3070(@$28.8k) or above to support 100 ‘heavy users’ is not really going to fly….so I hope Check Point improve on the concurrent connections capabilities in the next release. Maybe someone else understands the details of this limitation better than me.

    Don't know about the next release, but yes scalability and performance improvements are (relatively) near-term (as in "official" type folks have openly said so to customers). No date commitment, but if this is an issue for you, as it sounds, please talk to your SE directly.

        • The ESOD (endpoint security on demand) stuff is fairly clunky and needs better integration. Abra displays messages that my host PC was being scanned before the Abra workspace was launched, and also after connecting to the gateway – does it really scan twice? Also I seem to have lost all my default ESOD policies somewhere in upgrading from R70.20 and R71.10.

    Yes it scans twice. First time with the cached policy, second time with the newly downloaded policy.
    As for losing the default policy, I haven't heard of that, please report it to TAC. It may be related to a GUI problem in 71.10 that I have heard mention of (No I don't have details. Didn't affect any of my customers so it got filed away).

    Thanks for the feedback.

  8. #8
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Abra Demo

    Originally posted by gahanpa:
        • The “smart location awareness” was not very smart, i.e. by default it’s set to configured on endpoint client. I tested Abra from the outside and connected OK to the gateway a few times, then I took that same test laptop and patched it into the LAN, and launched Abra; it still kept trying to connect to the gateway external IP, which failed of course. What I had to do was explicitly set location awareness via the Global properties > Abra in the SmartDashboard. So it begs the question, how does Abra determine the location?

    Generally we assume the client is outside and make a number of checks to see if we're inside or not. The fact that you might be on a different site with the same private address space should not be an issue. Abra checks with the gateway whether or not you are actually on the inside by connecting to the gateway and asking. Since the gateway will only see the NAT/proxy address and not the client's real IP (we purposely don't transmit that), it should correctly determine "external" (unless that NAT/proxy address is in your internal network).

    Other things you can do to enhance the robustness of these checks include looking for a particular DNS suffix on the client. You can also check to see if you can reach a particular domain controller that is not available through a VPN tunnel.
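
The location decision described in the reply above, modelled as an added sketch (not part of the original post and not Check Point's code). It assumes a "stay external unless every check agrees" rule; the network range, DNS suffix, names and scenarios are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values (assumptions for this sketch, not from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
CORP_DNS_SUFFIX = "corp.example.com"

@dataclass
class Observation:
    client_local_ip: str    # address on the host PC; never sent to the gateway
    source_seen_by_gw: str  # address the gateway sees after any NAT/proxy
    dns_suffix: str         # DNS suffix configured on the host PC
    dc_reachable: bool      # can reach a DC that is not published over the VPN

def gateway_says_internal(obs):
    """Gateway-side test: judge only the source address of the connection."""
    src = ipaddress.ip_address(obs.source_seen_by_gw)
    return any(src in net for net in INTERNAL_NETS)

def classify(obs, extra_checks=True):
    """Start from 'external'; report 'internal' only if every check agrees."""
    if not gateway_says_internal(obs):
        return "external"
    if extra_checks:
        suffix_ok = obs.dns_suffix.lower() == CORP_DNS_SUFFIX
        if not (suffix_ok and obs.dc_reachable):
            return "external"
    return "internal"

# Constructed scenarios.
# Remote site reusing 10.x behind NAT: the overlapping local address is ignored.
REMOTE_OVERLAP = Observation("10.20.30.40", "203.0.113.7", "hotel.example.net", False)
# Host patched into the corporate LAN.
ON_LAN = Observation("10.1.1.50", "10.1.1.50", "corp.example.com", True)
# The caveat from the post: the NAT/proxy address itself lies in the internal range.
PROXY_IN_RANGE = Observation("192.168.1.9", "10.9.9.9", "partner.example.org", False)

def run_scenarios():
    return {
        "remote_overlap": classify(REMOTE_OVERLAP),
        "on_lan": classify(ON_LAN),
        "proxy_in_range_gateway_only": classify(PROXY_IN_RANGE, extra_checks=False),
        "proxy_in_range_with_checks": classify(PROXY_IN_RANGE),
    }

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The third scenario is the one where the gateway-only check gets the location wrong, and the DNS suffix and domain controller checks pull the verdict back to external.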

  9. #9
    Join Date
    2010-08-06
    Location
    UK (Surrey)
    Posts
    48
    Rep Power
    0

    Default Re: Abra Demo

    thanks for the points of clarification, very useful. will be v.interesting to see how this develops as a product.

    -PG

  10. #10
    Join Date
    2006-02-02
    Location
    Czech Republic
    Posts
    42
    Rep Power
    0

    Default Re: Abra Demo

    Originally posted by gahanpa:
        • While connected, although ping was an allowed application, I could not ping any internal hosts. I could ping external hosts OK

    This is expected. I am afraid that it is not possible to redirect ping to VPN without touching the TCP/IP stack, which is not possible in Abra because it does not require admin rights.
