Check Point GO R75 Release Notes 21 December 2011 Classification: [Public]
2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?id=12065

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk65602).

Revision History

Date | Description
--- | ---
21 December 2011 | Many updates, including: Throughput per R75.20 Gateway, Maximum Users per Gateway, Supported End User Platforms and Requirements ("Supported End User Platforms"), and Supported Portable Apps.
24 November 2011 | First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Check Point GO R75 Release Notes).
Contents

- Important Information
- Introduction
  - What's New
- Supported Platforms
  - Supported Check Point Versions
  - Supported Gateway and Server Platforms
  - Supported End User Platforms
- Supported Applications
  - Supported Portable Apps
- Throughput per R75.20 Gateway
  - Maximum Users per Gateway
- Installation and Upgrade
  - Upgrading SmartDashboard
  - Upgrading Check Point GO Devices
- Resolved Issues and Known Limitations
Introduction

Thank you for using Check Point GO, Check Point's virtual portable workspace technology made available on a USB Flash drive. This release contains new features and enhancements and resolves various issues for Check Point GO.

What's New

New features and enhancements in this release:

- Portable applications (apps) are virtualized versions of Windows programs that run in the Check Point GO Secure Workspace desktop environment.
- Check Point GO Customization Tool. A tool to pre-configure policies and user profiles and burn them on the Check Point GO device.
- Remote Device Lock. A way to configure the Check Point GO device to lock after a certain period of time, or after several VPN authentication failures. This is the Check Point GO solution for "remote wipe" (also known as "poison pill") requirements. A locked device can be opened only by password recovery or a full format of the device. Remote Device Lock is configured using the Check Point GO Customization Tool.
- Enhanced performance for HTTP, login and shutdown.
- Folder mode. Gives direct access to encrypted Check Point GO folders on the device without running the Secure Workspace desktop environment. Using Windows Explorer, users can browse to encrypted storage and add and remove files directly.
- FTP shared folder. Lets users access a shared network folder in the organization.
- Smart Card Support for the VPN client.
- Certificate Persistence (CAPI Virtualization). After the certificate from an HTTPS-based website has been imported to the device, the certificate remains valid for subsequent Check Point GO sessions on the next Host PC or operating system. This is part of the Check Point GO personalization, where changes made in Secure Workspace (such as downloading CAPI certificates) remain persistent across different Check Point GO sessions and different Windows versions.
- Format the device in a granular way. There are two ways of formatting Check Point GO:
  - Format user data is protected with the user's password. It does not clear the security policy, VPN configuration, pre-configured portable apps, and other information that was configured using the Check Point GO Customization Tool.
  - Restore factory defaults is protected with the administrator's password.
- Custom End User License Agreement. Add a license that users read and agree to each time they start to use Check Point GO.
- Data Wipe Mode. In this mode, users have a clean secure workspace and access to approved resources. Session data is deleted from the device on logon and logoff.
- New look and feel.
Supported Platforms

Configure Check Point GO in an environment that includes a Security Gateway, Security Management server, and SmartDashboard.

Supported Check Point Versions

These Check Point products are supported for installing and managing Check Point GO:

Product | Notes
--- | ---
Security Gateway, from R70.20 | On R71 to R71.30, Check Point GO does not work if the Mobile Access Software Blade is enabled. On R71.40, Check Point GO does work with the Mobile Access Software Blade, but certificate authentication for VPN is not supported.
Security Management server | All Security Management server versions that work with the supported gateways.
SmartDashboard Version | Install together with SmartDashboard for the version with the Check Point GO R75 Secure Workspace Manager Upgrade

Supported Gateway and Server Platforms

Check Point GO is supported on Gateways and Security Management servers on these platforms:

- SecurePlatform appliances and open servers
- IPSO 4.2/6.2 Disk based and 4.2/6.2 Flash based
- Windows Server 2003 SP1 32-bit
- Windows Server 2008 SP1 32-bit - for Check Point versions R70.20 or higher

Supported End User Platforms

Check Point GO is supported on these Windows platforms on a regular computer or on VMware Workstation version 6.5 or higher:

Windows | Edition | Service Packs | Architecture
--- | --- | --- | ---
XP | Home and Professional | SP3 or higher | 32-bit
Vista | Home Basic/Premium, Business, Ultimate | SP2 or higher | 64-bit
7 | Home Premium, Professional, Ultimate | | 32- and 64-bit

Note - Users can log in to Windows using an Administrator or a non-administrator account. Currently, Check Point GO does not support the GUEST account on the host PC.

If you require support for other environments, contact Check Point support (http://supportcenter.checkpoint.com).

The host computer must have these minimum system requirements:

- RAM: 512 MB, plus more for each portable app. The amount required for each portable app varies.
- Processor: Pentium 1 GHz and higher
- Windows Explorer: 2 free drive letters

Supported Applications

These applications have been tested for usability within the Check Point GO Secure Workspace when installed on the host computer.

- Adobe Acrobat (writer)
- Adobe Reader 8/9
- Citrix (web and fat clients, XenApp, NetScaler)
- ClearQuest
- CuteFTP
- Cyberarc
- Famatech Remote Administrator
- FileZilla
- IBM Lotus iNotes
- Mozilla Firefox, version 3 and later
- Microsoft HyperTerminal
- Microsoft Windows Image Viewer
- Microsoft Internet Explorer 6/7/8/9
- Open Office (Writer, Calc, and Impress)
- Outlook Web Access
- Personal Communications Workstation Program
- PowerTerm InterConnect for Windows
- PuTTY
- SecureCRT
- Siebel Client
- VNC Viewer
- WebDav
- WinRAR
- WinZip
- WordPad
- Calc
- WS_FTP Home/PRO
- Microsoft Media Player
- Microsoft Notepad
- Microsoft Paint
- Microsoft Office XP/2003/2007/2010 Excel, PowerPoint, and Word
- Microsoft Terminal Services (RDP) client, also called MSTSC

Supported Portable Apps

These applications have been tested for operations within the Check Point GO Secure Workspace when installed on Check Point GO as portable applications.

Supported Portable Application | Version
--- | ---
Microsoft Office | 2003
Mozilla Firefox | 5.0.1
Citrix XenApp client (full client and web plugin) | 11.2
VMView client | 4.5
Throughput per R75.20 Gateway

Throughput based on VPND CPU Usage

The VPND.exe process manages VPN activity.

Gateway Appliance | with 50% CPU Usage | with 80% CPU Usage | with 100% CPU Usage
--- | --- | --- | ---
UTM-1 130 | 21 | 33 | 41
UTM-1 270 | 42 | 67 | 86
2200 Appliance | 120 | 132 | -
4200 Appliance | 120 | 133 | -
UTM-1 1070 | 133 | 150 | 187
UTM-1 2070 | 139 | 175 | 218
Power-1 9070 | 153 | 251 | 314
4600 Appliance | 503 | 527 | -
4800 Appliance | 473 | 532 | -
Cluster of Gateways, where N is the number of gateways in the cluster | Gateway throughput * N | Gateway throughput * N | Gateway throughput * N

Throughput based on Gateway CPU Usage

Gateway Appliance | with 50% CPU Usage | with 80% CPU Usage | with 90% CPU Usage
--- | --- | --- | ---
2200 Appliance | 80 | 120 | 132
4200 Appliance | 85 | 117 | 133
4600 Appliance | 330 | 511 | 527
4800 Appliance | 513 | - | -

Notes:

- If the primary function of a gateway is to use the IPSec VPN Software Blade with Check Point GO, we recommend not exceeding 80% CPU usage. This ensures that no packets are lost.
- If you use additional Software Blades on a gateway, we recommend not exceeding 50% CPU usage.
- Do not exceed 100% CPU usage. After 100% CPU usage is exceeded, TCP connections might behave unexpectedly.
- The throughput for Gateway Clusters that is shown is correct for clusters that are used only for Check Point GO traffic.
- In multi-core gateways, Check Point GO uses one of the cores. The CPU numbers shown are for that one core. Other cores can be used to run other Software Blades.
- The maximum number of concurrent connections per device is 400. This limit applies to all gateway devices. To have more than 400 concurrent connections, use a clustered configuration with multiple gateway devices.
- 400 concurrent connections can support as many as 4000-5000 light remote access users, or as few as 100 heavy users.
- An example of a heavy user is one with 4 constant concurrent connections, such as a temp employee or contractor who is constantly connected through Check Point GO to the office resources. A light user might need to download 10 Mb of email traffic every 1 hour, which is approximately 2.5 Kbps.

Maximum Users per Gateway

The table below shows the maximum recommended number of light users, medium users, and heavy users for each appliance. All are based on 80% CPU usage. If more than one device is listed, there are multiple options.

Table columns: Number of users; Gateway device for light users [Throughput for user]; Gateway device for medium users [Throughput for user]; Gateway device for heavy users [Throughput for user]

100 UTM-1 130 [330 Kbps] UTM-1 270 [580 Kbps] 200 UTM-1 130 [165 Kbps] UTM-1 270 [290 Kbps] UTM-1 1070 [750 Kbps] 500 UTM-1 270 [116 Kbps] 2200 Appliance [240 Kbps] 4200 Appliance [240 Kbps] 1000 UTM-1 1070 [150 Kbps] UTM-1 2070 [175 Kbps] 2200 Appliance [120 Kbps] 4200 Appliance [120 Kbps] 2000 4600 Appliance [255 Kbps] 4800 Appliance [256 Kbps] 4000 4600 Appliance [127 Kbps] 4800 Appliance [128 Kbps] UTM-1 1070 [300 Kbps] UTM-1 2070 [350 Kbps] 2200 Appliance [240 Kbps] 4200 Appliance [240 Kbps] UTM-1 9070 [251 Kbps] 4600 Appliance [511 Kbps] 4800 Appliance [513 Kbps] 4600 Appliance [255 Kbps] 4800 Appliance [256 Kbps] Cluster of 2 4600 or 4800 Appliances [256 Kbps] UTM-1 9070 [502 Kbps] 4600 Appliance [511 Kbps] 4800 Appliance [513 Kbps] Cluster of 2 UTM-1 9070 [502 Kbps] 4600 Appliance [511 Kbps] 4800 Appliance [513 Kbps] Cluster of 2 4600 or 4800 Appliances [512 Kbps] Cluster of 4 4600 or 4800 Appliances [512 Kbps]

Installation and Upgrade

To install or upgrade to this release, make sure that you have a gateway and Security Management Server with the version and platform requirements. Then:

- Use the Secure Workspace Manager Update utility to update the SmartDashboard.
- Update your Check Point GO settings in SmartDashboard.
- Provision and upgrade the Check Point GO devices.

Upgrading SmartDashboard

In this release, a new tool makes it easy to upgrade your Check Point GO Secure Workspace Manager in SmartDashboard.

To upgrade your SmartDashboard for Check Point GO R75:

1. Download (http://supportcenter.checkpoint.com) the Check Point GO R75 Secure Workspace Manager Upgrade Utility to the computer with SmartDashboard installed.
2. Run the program.
3. When prompted, select the version of SmartDashboard that you have installed and want to update.
4. Follow the on-screen instructions.
When you open SmartDashboard, it will be ready to work with Check Point GO R75.

Upgrading Check Point GO Devices

When you upgrade an existing Check Point GO device:

- No policy install is required.
- The user's data is not erased.

To upgrade the device:

1. Download (http://supportcenter.checkpoint.com) the new version of Check Point GO.
2. Verify that the package filename is CheckPointGOUpdater.tgz (case sensitive).
3. Copy the file to the Security Gateway computer, to $FWDIR/conf/extender/CSHELL
4. In $FWDIR/conf/extender/CSHELL, run:
   tar xzf CheckPointGOUpdater.tgz
5. Only on R71.40 gateways with Mobile Access Software Blade:
   a) Copy the files to an additional location on the Security Gateway computer: $CVPNDIR/htdocs/SNX/CSHELL/
   b) In $CVPNDIR/htdocs/SNX/CSHELL/ run:
      tar xzf CheckPointGOUpdater.tgz
   c) Run $CVPNDIR/scripts/cvpn_post_utility.csh

When users connect Check Point GO devices to the gateway, the devices detect the new version, download it and upgrade automatically.

Resolved Issues and Known Limitations

For issues resolved in Check Point GO R75, see sk65604 (http://supportcontent.checkpoint.com/solutions?id=sk65604).

For known limitations, see sk65603 (http://supportcontent.checkpoint.com/solutions?id=sk65603).
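
The device upgrade procedure above (steps 2 to 5), scripted for the gateway shell as an added example; it is not Check Point code. The function names are hypothetical, and the check of archive member names before extraction is an added precaution that the procedure itself does not list.

```shell
#!/bin/sh
# Added example (not Check Point code). Function names are hypothetical;
# the paths and package name are the ones given in the upgrade procedure.
PKG_NAME="CheckPointGOUpdater.tgz"   # case sensitive (step 2)

# Read member names on stdin; fail on absolute paths or ".." components,
# which would let extraction write outside the target directory.
names_are_safe() {
    ! grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# Succeed only if the archive is readable, non-empty and all names are safe.
archive_is_safe() {
    members=$(tar tzf "$1" 2>/dev/null) || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | names_are_safe
}

# Steps 2-4: check the name, copy the package into DEST and extract it there.
stage_update() {   # usage: stage_update PACKAGE DEST
    pkg=$1; dest=$2
    [ "$(basename "$pkg")" = "$PKG_NAME" ] || { echo "bad file name: $pkg" >&2; return 2; }
    [ -d "$dest" ] || { echo "missing directory: $dest" >&2; return 3; }
    archive_is_safe "$pkg" || { echo "unsafe or unreadable archive: $pkg" >&2; return 4; }
    cp "$pkg" "$dest/$PKG_NAME" || return 5
    ( cd "$dest" && tar xzf "$PKG_NAME" ) || return 5
}

# Whole procedure; pass "mobile-access" as $2 only on R71.40 gateways
# with the Mobile Access Software Blade (step 5).
upgrade_go_package() {   # usage: upgrade_go_package PACKAGE [mobile-access]
    stage_update "$1" "$FWDIR/conf/extender/CSHELL" || return $?
    if [ "${2:-}" = "mobile-access" ]; then
        stage_update "$1" "$CVPNDIR/htdocs/SNX/CSHELL" || return $?
        "$CVPNDIR/scripts/cvpn_post_utility.csh" || return 6
    fi
}
```

Source the file on the gateway and call upgrade_go_package with the path of the downloaded package; a non-zero return code identifies the step that failed.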