Introduction to SecuRemote and SecureClient

SecuRemote and SecureClient are really just two different names for the same piece of software: Check Point's VPN client software for Microsoft Windows. This software is designed to allow a single Windows client to transparently initiate a client-to-site VPN with a Check Point firewall. This chapter builds on the concepts discussed in Chapter 11. It is a separate chapter because the setup and troubleshooting for SecuRemote are different from those for site-to-site VPNs.

References to SecuRemote also include SecureClient, which has some additional features that allow network administrators to enforce a security policy on the client. If the client has a policy that does not match the one prescribed or is configured in an undesirable manner, the client can be denied access to the VPN. Thus references to SecuRemote include SecureClient, but not necessarily the other way around.

Much like FireWall-1 on Microsoft Windows, SecuRemote binds to the Windows TCP/IP stack. This allows it to intercept connections destined for a remote encryption domain and encrypt them. Likewise, it can decrypt incoming encrypted packets. There is also a user-level process that allows you to fetch the remote encryption domain, be authenticated, and otherwise control SecuRemote. This process appears on the client as a little envelope icon in the Windows taskbar.

Planning for SecuRemote is pretty much the same as planning for site-to-site encryption; that is, you still have to define an encryption domain and configure network objects. However, you can do things on a user-by-user basis. For example, some users can use different encryption parameters. You can restrict some users from going some places but not others. You get all the flexibility of User Authentication with encryption.

One issue you do have to worry about with SecuRemote is end-user support. Although the client is generally easy to install and use, sometimes it does not go well. While most general installation problems have gone away, exotic network configurations or hardware can sometimes confuse SecuRemote or cause issues with your TCP/IP stack. I've encountered more than my share of destroyed TCP/IP stacks over the years. Also, users may not know what to do when various dialog boxes appear or even fully understand what is going on, especially if they are behind a NAT device.