Packaging SecureClient

Introduction: The Need to Simplify Remote Client Installations

As remote access to organizations becomes more widespread, administration of the remote client software becomes more difficult. Users often lack the technical expertise to configure the software themselves, requiring administrators to provide support for large numbers of users, many of whom may be geographically dispersed and using a wide variety of platforms. The administrator's task is even more difficult if the organization has several groups of users, each of which requires a different configuration.

Administrators need a tool to automate the configuration of software to large user communities. This tools must enable the administrator to preconfigure the software, so that users do not have to do this themselves.

The Check Point Solution - SecureClient Packaging Tool

Overview

The SecureClient Packaging Tool enables the administrator to create pre-configured SecureClient installation packages. Users can then use the configured package to install the software without being required to configure details, ensuring that users cannot inadvertently misconfigure their SecureClient software.

Pre-packaging can be done using either the:

• Check Point Packaging Tool Wizard
• MSI Packaging

The benefits of packaging are:

• Configuration (site creation, connection and encryption parameter specification, etc.) is performed by professional administrators, rather than by unsophisticated and error-prone users.
• Installation and support overhead are greatly reduced.
• Users' security configurations are more uniform across the organization, because they are pre-defined by the administrator rather than specified by each user individually.
• The administrator can more quickly respond to security threats by automatically updating remote users' security software.

How Does Packaging Tool Work?

Packaging Tool combines a client installation package (for example, the generic SecureClient installation package) with a package profile to create a preconfigured SecureClient package. The administrator can then distribute the package to the users.

The administrator can pre-configure the client's installation and configuration settings, such as the connection mode to the VPN Security Gateway (Connect/Transparent), encryption properties and more. These settings are saved in a package profile, and can then be used for configuring packages.

The administrator can create different package profiles for different user groups. For example, the administrator can create one profile with the configuration parameters for Windows XP users, and another for Windows 98 users. The administrator can save all the profiles in a central database.

To allow the client to connect to the organization from the moment it is installed, the administrator can specify Partial Topology information for a site, that is, the IP address of the site or of its Security Management server. This information is included in the package. The first time the user connects to and authenticates to the site, the site's full topology is downloaded to the client.

The SecureClient package can also include scripts to be run after the installation of SecureClient.

The MSI Packaging Solution

MSI is a standard file format for application distribution in a Windows environment. Once a profile is created, it is saved and may be distributed to SecuRemote and SecureClient users.

The MSI package installs SecuRemote/SecureClient Extended View with default settings and can be customized using the command line based tool - cpmsi_tool.

Split Installation

When used with 3rd party software distribution systems, the connection to the distribution server is broken once the SecuRemote/SecureClient kernel is installed; the result is that the distribution server is not aware that the installation ended.

In order to resolve such cases a Split Install feature is available.

Creating a Preconfigured Package

The Packaging Tool wizard guides an administrator through the process of creating a preconfigured SecureClient installation package. Each package can contain a different combination of a SecureClient version and a pre-configured profile.

You create a package in two essential stages:

1. Configuring and saving a package profile. The profile contains all the settings to be installed by the package by default.
2. Applying the profile to an existing installation package, thus creating a properly preconfigured package.

Creating a New Package Profile

1. To create a new profile, Select Profile > New. Enter the profile details and press Next.
2. The Packaging Tool wizard will guide you through the next several windows, in which you should configure different parameters regarding the user's profile, such as policy, encryption, topology (including Partial Topology information), certificates, client installation and logon parameters (SDL/Gina DLLs). For information about these features, see the relevant chapters in the documentation.
3. After pre-configuring all of the client's settings, you will be presented with the Finish screen. In this screen you can decide if Packaging Tool should continue to create a new package containing the changes as they appear in the profile or finish the process of profile generation without creating a new package. The options in this screen are:
   • No, Create Profile only — The profile will be created according to the setting you have pre-defined in the wizard and you will be returned to the main Packaging Tool window.
   • Yes, Create profile and generate package — If you choose this option the profile you've created will be saved and you will be taken to the package generation wizard. For instructions regarding this wizard, proceed to Generating a Package.

You can always create packages from a saved profile at a later time.

Generating a Package

This section describes how to generate a SecureClient package according to the settings defined in a package profile.

Preparation

If you have not already prepared a base package, do so now, as follows:

1. Obtain an original SecureClient installation package. This package will be the base package, upon which the Packaging Tool will create the new custom SecureClient package.
2. Copy the clean SecureClient package to an empty directory. If the package is zipped or tarred you should unpack the package to the empty directory.

Once you have a base package, proceed as follows:

1. Run the SecureClient package generation wizard. You can run the wizard immediately after creating a new package profile (by selecting Yes, Create profile and generate package), or from the main Packaging Tool window by highlighting a previously created profile and selecting Profile>Generate.
2. You will be asked to enter a package source and destination folders.

   Under Package source folder, select the directory in which the original SecureClient installation you prepared in step 2 is located. Make sure you select the directory in which the SecureClient setup files actually exist and not a higher level directory.

   Under Package destination folder and file name, select an empty directory to which the new package will be copied, and enter a name for the file being generated.

   Press Next to continue to the next window.

3. If the package details cannot be extracted from the package, enter the package details (operating system type, SecureClient version and service pack) when prompted. If the package details conflict with another package, a prompt asks you to approve the replacement of the older package with the newer one.

The Packaging Tool will perform the actions you requested.

Adding Scripts to a Package

To specify that a script should be run after the user installs or uninstalls SecureClient, proceed as follows:

1. Edit the product.ini file.
2. To specify a post-installation script, add the file's name to the [install] section.
3. To specify a post-uninstallation script, add the file's name to the [uninstall] section.

The script should be accessible through the OS PATH variable.

The script is not part of the package, and should be transferred to the client separately.

Configuring MSI Packaging

To customize a profile used for remote users save the .msi file provided by Check Point. Once the file is saved, configurable files may be extracted from the file, customized, and then placed back into the file.

To edit one of the configurable files:

1. Use cpmsi_tool <SC-MSI-package-name> out <file-name> to extract the file from the package.
2. Customize the file.
3. Use cpmsi_tool <SC-MSI-package-name> in <file-name> to insert the file back into the package.

The configurable files are:

• product.ini
• userc.c
• userc.set
• reg.ini
• SecuRemoteAuthenticate.wav
• SecuRemoteConnected.wav
• SecuRemoteDisconnected.wav
• SecuRemoteFailed.wav
• logo.bmp
• logging.bat
• install_boot_policy.bat
• collect.bat
• scvins.bat
• scvuins.bat
• msfw.bat
• harden.bat

Add and Remove Files in Package

To add new files to the package:

cpmsi_tool <SC-MSI-package-name> add <file-name>

To remove a newly added file:

cpmsi_tool <SC-MSI-package-name> remove <file-name>

Installation Command Line Options

The following are the command line parameters.

Split Installation

To activate:

1. Set SplitKernelInstall=0 in the product.ini file.
2. Install the product except for the kernel.
3. An automatic reboot, initiated by the end user, will occur.
4. After the reboot, the automatic kernel installation takes place.
5. A second automatic reboot will occur

Debug

In order to debug the MSI installation, run the /l*v log_file_name_parameter. log_file_name and install_securemote.elg are used for troubleshooting.

Zone Labs Endpoint Security Client

When installing the SecureClient MSI package with Zone Labs integration, use the following syntax:

msiexec /i <package_name> [ZL=1] [INSTALLDIR=<install_dir>] [/qr|/qb|/qb!]

• package_name - the SecureClient msi package name
• ZL=1 - install with Zone Labs configuration
• INSTALLDIR=<install_dir> - the folder where the package is installed
• [/qr|/qb|/qb!] - standard MSI UILevel support used for silent installation.

Using this command, the product.ini file is automatically modified.