Userc.C and Product.ini Configuration Files

Introduction to Userc.C and Product.ini

The VPN administrator can use the Packaging Tool to produce customized SecuRemote/SecureClient packages for distribution to end-users. The Packaging Tool changes the behavior of SecuRemote/SecureClient by changing the values of the properties in the Userc.C and Product.ini files contained in the package.

However, not all of the properties in these files can be changed using the Packaging Tool. It is possible to changes the behavior of SecuRemote/SecureClient by manually editing the Userc.C and Product.ini files in the SecuRemote/SecureClient package, before distributing the package to end users.

The Userc.C File

The Userc.C configuration text file contains has three sections. Global, Managers, and Security Gateways.

• Global— Properties that are not specific to the site (managed by a single Security Management server) or to the peer Security Gateway. It does not change on the client machine. To change the Global Properties section of the objects database, do not make any manual changes to the Global section of userc.C. Either edit the SmartDashboard Global Properties, or use the DBedit command line or the graphical Database Tool on the Security Management server.
• Managers — Properties that apply per Security Management server. Updated whenever the end user performs a Site Update.
• Security Gateway— Properties that are specific to a particular Security Gateway. Updated whenever the end user performs a Site Update.

The section of the file where each parameter resides is indicated in the Userc.C file parameter tables (below), in the column labeled Location in Userc.C.

Structure of Userc.C

The Userc.C configuration text file contains has three sections. Global, Managers, and Security Gateways.

• Global— Properties that are not specific to the site (managed by a single Security Management server) or to the peer Security Gateway. It does not change on the client machine. To change the Global Properties section of the objects database, do not make any manual changes to the Global section of userc.C. Either edit the SmartDashboard Global Properties, or use the DBedit command line or the graphical Database Tool on the Security Management server.
• Managers — Properties that apply per Security Management server. Updated whenever the end user performs a Site Update.
• Security Gateway— Properties that are specific to a particular Security Gateway. Updated whenever the end user performs a Site Update.

The section of the file where each parameter resides is indicated in the Userc.C file parameter tables (below), in the column labeled Location in Userc.C.

How Userc.C Is Automatically Updated

When the Security Policy is installed on the Security Gateways, the objects database is also installed on the Security Gateways. The part of the database that relates to remote clients is sent to the Topology Server on the Security Gateway. When the clients perform a Site Update, they are actually downloading the Topology information from the Topology server, which updates the Managers and Security Gateway sections of userc.C on the clients. The file is stored on the client machine in the SecuRemote\database directory. The parameters appear in the options section.

How to Manually Edit Userc.C

Do not make any manual changes to the Global section of userc.C.

Manually edit the Managers and Security Gateway sections of userc.C as follows:

1. Extract userc.C from the original SecuRemote/SecureClient tgz format installation package.
2. Edit the userc.C parameters, as needed.

   Important - SecuRemote/SecureClient performs minimal syntax checking for the userc.C file. If a parameter is edited incorrectly, the file may become corrupted, and sites may need to be redefined.

3. Recreate the tgz file.

The Product.ini file

The Product.ini configuration text file contains mostly properties that relate to the package installation. The properties are fixed. The Product.ini file is read only upon installation of the SecuRemote/SecureClient.

To change products.ini use the Packaging Tool, or if necessary, edit the file manually as follows:

1. Extract products.ini from the original SecuRemote/SecureClient tgz format installation package.
2. Perform the required manual editing of products.ini.
3. Recreate the tgz file. This is the SecuRemote/SecureClient package for end-users.

Userc.C File Parameters

The following lists describe the parameters included in the Userc.C configuration file, arranged by the features that the parameters relate to.

SecureClient

• default_ps (n.n.n.n) — Specifies the IP address of the default Policy Server. If this property exists, SecureClient will automatically log on to the Policy Server (with IP n.n.n.n) when it is launched, relieving the user of the need to manually log on to the Policy Server — Global.
• manual_slan_control (true, false) — Disabling this property will remove the Disable Policy menu items from the Policy menu — Global.
• allow_clear_in_enc_domain (true, false) — If enabled, unencrypted connections will be accepted by SecureClient NG over Encrypt desktop rules and by SecureClient 4.1 running Encrypted Only or Outgoing and Encrypted policy, as long as both the source and the destination IP addresses are in the encryption domain of a single Security Gateway — Global.
• disable_stateful_dhcp (true, false) — As long as this attribute is false, DHCP packets will be allowed by SecureClient regardless of the enforced Desktop Security policy. If you set this attribute to true, DHCP will be allowed only if the Desktop Security policy allows it explicitly. This requires SecureClient version 4.1 to run a policy of Allow All and SecureClient NG to have DHCP enabled through specific rules — Global.
• block_conns_on_erase_passwords (true, false) — If true, the Close VPN option will replace Erase Password in the SecureClient's Passwords menu and the button will appear in the toolbar. Selecting Close VPN or clicking the above button will result in blocking all encrypted connections — Managers.
• enable_automatic_policy_update (true, false) — Specifies whether Automatic Policy Update is enabled or not — Managers.
• silent_policy_update (true, false) — If true, the client will not prompt the user to update the policy upon client startup, even if the time specified in automaic_policy_update_frequency has passed. The client will still attempt to update the policy after successful key exchange — Managers.
• PS_HA (true, false) — Use backup Policy Servers on logon failure — Managers.
• PS_LB (true, false) — If true will randomize policy server — list so not all clients will try to connect to the same policy server — Managers.
• LB_default_PS (true, false) — If true, when default_ps(x.x.x.x) is set it will go to a random Policy Server in the same site (found by examining topology) — Managers.
• no_policy (true, false) — Indicates disable policy state — Global.
• policy_expire (60) — Timeout of policy, in minutes. This property can also be controlled in SmartDashboard — Managers.
• retry_frequency (30) — If logged in to a Policy Server, but failed to re-logon after half the expiry time, this parameter (in seconds) specifies the amount of time before retrying logon. On each attempt all Policy Servers are tried — Managers.
• automaic_policy_update_frequency (10080) — Controls how frequently (in seconds) SecureClient should update policy files — Managers.
• suppress_all_balloons (true, false) - which controls all balloon messages. If the flag is set to true, no message balloons are displays. If false, all balloons are displayed. Note that the balloon's messages will still appear in the .tde files and will be logged in the Status Dialog's MessageViewer.
• sdl_browse_cert (true, false) - When set to false, the browse certificate in "change authentication" is disabled. When set to true, the browse dialog in SDL mode is restricted, you can only browse files, not create, change or launch applications.
• disconnect_when_in_enc_domain (true, false)- If the client is connected to a site, and an interface appears with an IP address located within one of the Security Gateway's VPN domains, the client is disconnected. A message balloon explains why.
• open_full_diagnostic_tool (true, false) - When set to false, SC will open only log-view of diagnostic. When set to true, SC will open full diagnostic. In any case, the full diagnostic tool will open from the start menu.
• tt_failure_show_notification (true, false) - If fail_connect_on_tt_failure is false, (meaning that a connection will succeed even though tt failed) then a string notification of tt-failure will show in the connection progress details because of this flag.
• simplified_client_route_all_traffic (true, false) - This attribute determines whether the Simplified Client performs connections using route-all-traffic or not.
• scv_allow_sr_clients (true, false)- If set to true, SecuRemote clients, which by default are not SCV verified, will send a verified state to the enforcing Security Gateway.
• use_profile_ps_configuration (true, false) - Set to true to enable remote users to connect to one Security Gateway and logon to a Policy Server behind another Security Gateway.
• force_route_all_in_profile (true, false) — If set to true, profiles created by the user will have the "route all traffic" option selected and grayed in the profile creation/edit dialog. - Global
• enable_mode_switching (true, false) - If set to true, client has the option to switch between Extended View and Compact View.

HotSpot Registration

• enabled (true, false) - Set to true to enable a user to perform Hotspot registration.
• log (true, false) - Set to true to send logs with the list of IP addresses and ports accessed during registration.
• connect_timeout (600) - Maximum number of seconds to complete registration.
• max_ip_count (5) - Maximum number of IP addresses allowed during registration.
• block_hotspot_after_connect (true, false) - If set to true upon successful connect, the recorded ports and addresses will not remain open.
• max_trials (0) - This value represents the maximum number of unsuccessful hotspot registration attempts that an end user may perform. Once this limit is reached, the user will not be allowed to attempt registration again. The counter is reset upon reboot, or upon a successful VPN connect. In addition, if you modify the max_trials value, the modification will take affect only upon successful connect, or reboot.

  If the max_trials value is set to 0, an unlimited number of trials is allowed.

• local subnets (true, false) - Restrict access to local subnets only.
• ports (80, 443, 8080) - Restrict access to specific ports.

Encryption

• use_cert (true, false) — Specifies whether Use Certificate will be checked in the IKE Authentication window — Global.
• use_entelligence (true, false) — Specifies whether SecuRemote should attempt to use the Entrust Entelligence toolkit, if installed — Global.
• entrust_inifile — Full path to a non-default entrust.ini file, to be used by SecuRemote/SecureClient when working with entrust certificates — Global.
• certfile — Name of the last certificate used — Global.
• gettopo_port (264) — Which port to use for topology update — Global.
• pwd_erase_on_time_change (true, false) — Performs Erase Passwords when the user changes the system clock — Global.
• force_udp_encapsulation (true, false) — Indicates whether UDP encapsulation is used (transparent, and active profile in connect mode). Also used in Connect Mode to create the default profile — Global.
• support_tcp_ike (true, false) — Indicates whether TCP over IKE is used (transparent, and active profile in connect mode). Also used in Connect Mode to create the default profile — Global.
• support_tcp_ike (true/false/use_site_default) — Determine whether or not to attempt IKE over TCP — Security Gateway.
• support_ip_assignment (true, false) — Indicates whether Office Mode is used (transparent, and active profile in connect mode). Also used in connect mode to create the default profile — Global.
• ChangeUDPsport (true, false) — If the value of both flags ChangeUDPsport and force_udp_encapsulation is true, a random source port is used for IKE packets, and another random source port is used for UDP encapsulation packets — Global.
• uencapport (2746) — Specifies the port to be used on the UDP encapsulated packets when using UDP encapsulation — Security Gateway.
• ChangeIKEPort (true, false) — If true, do not bind to port 500. Instead, use router port and use address translation to make it seem as if the connection originated from port 500. This parameter allows other client applications (such as IPSO and Microsoft) to use that port. Note if the port is taken, another port will be used — Global.
• send_clear_traffic_between_encryption_domains (true, false) — if true and the source and the destination are behind encryption domains (not same domains), packets will be sent clear. This feature is enabled only if a single site is defined — Managers.
• send_clear_except_for_non_unique (true, false) — If true, send_clear_traffic_between_encryption_domains will not function for IP addresses which are defined as NAT private addresses.
• send_clear_except_for_specific_addresses (true, false)— If true, send_clear_traffic_between_encryption_domains will not function for IP addresses which are defined in send_clear_except_for_address_group — Managers.
• send_clear_except_for_address_group — Address group specification for send_clear_except_for_specific_addresses — Managers.
• dns_encrypt (true, false) — Overwrites the encrypting attribute received in the topology in the dnsinfo section.
• disable_split_dns_when_in_om (true, false) — Disable split DNS when in Office Mode — Global.
• disable_split_dns_when_disconnected (true, false) — Disable split DNS when disconnected — Global.
• disconnect_on_IKE_SA_expiry (true, false) — In connect mode, if the IKE timeout expires and this property is true, disconnect instead of erasing the passwords — Global.
• renew_users_ica_cert (true, false) — Specifies whether users be able to renew their certificates (explicitly or implicitly) — Managers.
• renew_users_ica_cert_days_before (1-1000) 60 — How many days before expiration to start and perform an implicit renewal — Managers.
• upgrade_fp1_and_below_users_ica_cert (true, false) — Whether or not to implicitly renew certificates that were issued before NG FP2 — Managers.
• ike_negotiation_timeout (36) — Determines the maximum time in seconds that the IKE engine will wait for a response from the peer before timing out. This is the maximum interval between successive packets, and not the maximum negotiation lifetime — Managers.
• phase2_proposal (large, small) — Determines the size of the proposal sent by the client in Quick Mode, packet 1. This property is for backwards compatibility. NG FP3 and higher clients use phase2_proposal_size — Managers.
• phase2_proposal_size (large, small) — Determines the size of the proposal sent by NG FP3 or higher clients in Quick Mode, packet 1. If the value is missing the value of phase2_proposal is taken instead. NG FP3 clients will try a large proposal after a small proposal attempt fails — Managers.
• vpn_peer_ls (true, false) — In a MEP fully overlapping encryption domain configuration, if this property is TRUE, a Security Gateway will be chosen randomly between the MEP Security Gateways and will be given priority — Managers.
• ike_support_dos_protection (true, false) — Determines whether the client is willing to respond to a DoS protection request, by restarting Main Mode using a stateless protection. Equivalent to the SmartDashboard Global Property: Support IKE DoS Protection from unidentified Source — Managers.
• sr_don't_check_crl (true, false) — Do not check the CRL of the certificate — Managers.
• crl_start_grace (610200) — SecuRemote/SecureClient may accept CRLs that are not yet valid — Managers.
• crl_end_grace (1209600) — SecuRemote/SecureClient may accept CRLs that have recently expired — Managers.
• site_default_tcp_ike (true, false) — Determines the site default for attempting IKE over TCP. Each Security Gateway has a property: "supports_tcp_ike" (true, false or use_site_default). If the value is set to 'use_site_default' then the management property site_default_tcp_ike is used by the client to determine whether to attempt IKE over TCP or not — Managers.
• suppress_ike_keepalive (true, false) — If the IPsec keepalive is turned on, and the value of the property "suppress_ike_keepalive" is false, empty UDP packets will be sent to the Security Gateway (destination port 500). The UDP keepalive packets are sent only if there is an IKE SA with the peer and if UDP encapsulation was chosen — Managers.
• default_phase1_dhgrp — This field indicates which DH group to use for IKE phase 1 before the client has a topology. If the flag does not exist, group 2 will be used — Global.
• to_expire (true, false) — Whether or not to have a timeout for the phase2 IKE authentication. This property can also be controlled in SmartDashboard — Managers.
• expire (120) — Timeout of IKE phase2. This property can also be controlled in SmartDashboard — Managers.
• ICA_ip_address — The IP address of the Internal CA — Global.
• allow_capi (true, false) — Allow the disabling of CAPI storage to Internal CA registration — Global.
• allow_p12 (true, false) — Allow the disabling of p12 file storage to Internal CA registration — Global.
• trust_whole_certificate_chain (true, false) — This attribute improve connectivity where there is a Certificate hierarchy, and the CA trusted by the Security Gateway is a subordinate CA (not necessarily a direct subordinate) of the client trusted CA. Without this flag, both the Security Gateway and the client must trust exactly the same CA — Global.
• is_subnet_support (true, false) — If turned on, IPsec SA will be valid for a subnet, otherwise it will be valid for a specific address — Security Gateway.
• ISAKMP_hybrid_support (true, false) — If turned on, when the authentication pop up appears, the user will have the option to choose between Hybrid mode and certificates as an authentication mode. (Otherwise the user will have the option to choose between certificates and pre-shared secret) — Security Gateway.
• resolve_multiple_interfaces (true, false) — If 'resolve_interface_ranges' (static interface resolving) is disabled or failed, and this property is turned on, then dynamic interface resolving will be done when addressing this Security Gateway. In this case the interfaces of the Security Gateway will be probed once — Security Gateway.
• interface_resolving_ha (true, false) — If dynamic interface resolving is used (see resolve_multiple_interfaces) and this property is turned on- the interfaces of the Security Gateway will be probed per connection to see if they are live — Security Gateway.
• isakmp.ipcomp_support (true, false) — If the peer Security Gateway is a least NG and the client is SecureClient (and not SecuRemote) then: — If the client is in "send small proposal" mode and this property is turned on then IP compression will be proposed. (If the client is in "send large proposal" mode then IP compression will be offered regardless of the value of this property) — Security Gateway.
• supports_tcp_ike (use_site_default) — If IKE over TCP is configured on the client AND either this property is 'true' or it's 'use_site_default' and site_default_tcp_ike is 'true', then IKE phase 1 will be done over TCP — Security Gateway.
• supportSRIkeMM (true, false) — When the authentication method is PKI, if this property is false, Main mode is not supported — Security Gateway.

Multiple Entry Point

resolver_ttl (10) — Specifies how many seconds SecuRemote will wait before deciding that a Security Gateway is down — Global.

active_resolver (true, false) — Specifies whether SecuRemote should periodically check the Security Gateway status. Active Security Gateway resolving may cause the dial-up connection to try to connect to an ISP. Turning this property off will avoid problems associated with this behavior — Global.

resolver_session_interval (30) — Specifies for how many seconds the Security Gateway status (up or down) remains valid — Global, Managers.

Encrypted Back Connections

• keep_alive (true, false) — Specifies whether the Security Gateway will maintain session key information for the Client, to allow encrypted back connections at any time. This property can also be controlled in SmartDashboard — Global, Managers.
• keep_alive_interval (20) — When keep_alive is true, SecuRemote will ping the Security Gateway every n seconds, where n is the number specified by the keep_alive_interval property. This property can also be controlled in SmartDashboard — Global.

Topology

• topology_over_IKE (true, false) — Specifies whether New Site in SecuRemote will use IKE to authenticate the user. If this property is set to true, IKE will be used, either using Hybrid Authentication (i.e., any authentication method chosen in the Authentication tab of the user properties) or using certificates. If this property is set to False, SSL will be used (as in version 4.1), and users will need IKE pre-shared secret or certificate configured to define a new site — Global, Managers.
• encrypt_db (true, false) — Specifies whether the topology information in userc.C is maintained in encrypted format — Global.
• silent_topo_update (true, false) — Used for backwards compatibility, when working with servers that do not pass the property per site. This property can also be controlled in SmartDashboard — Global, Managers.
• silent_update_on_connect (true, false) — Tries to perform an update with the Security Gateway to which a connection is being attempted, before connecting (applies to IPSO clients) — Global.
• update_topo_at_start (true, false) — If the timeout expires, update the topology upon start up of the SecuRemote/SecureClient GUI application — Global, Managers.

NT Domain Support

• no_clear_tables (true, false) — Setting this property to true will enable the opening of new encrypted connections with the Encryption Domain after SecuRemote/SecureClient has been closed by logoff or shutdown, as long as encryption keys have been exchanged, and are still valid. This may be necessary when using a Roaming Profile with NT domains, since the PC tries to save the user's profile on the Domain Controller during logoff and shutdown, after SecuRemote/SecureClient has been closed by Windows. This feature should be used in conjunction with "keep_alive" (see Encrypted Back Connections), to ensure that valid encryption keys exist at all times — Global.
• connect_domain_logon (true, false) — Global. Setting this attribute to true enables clients using Connect Mode to log on to a Domain Controller via SDL. The user should do the following in order to logon to the Domain Controller:
  1. Log on to the local Windows machine.
  2. Connect to the organization.
  3. Logoff and log back on (within five minutes after logoff) to the protected Domain Controller, using the encrypted connection.

     Note - Enabling this setting will keep the client Connected to the organization for five minutes after the user logs off Windows. This feature was introduced before SDL in connect mode was introduced. In versions where SDL is supported, this property is used only for domain roaming profile support.

• sdl_main_timeout (60000) — In connect mode this property specifies the amount of time to wait for user to successfully connect or cancel the connect dialog — Global.

Miscellaneous

• enable_kill (true, false) — Specifies whether the user can Stop SecuRemote/SecureClient. If this option is set to false, Stop VPN-1 SecuRemote or Stop VPN-1 SecureClient does not appear in the File menu or when right-clicking on the system tray icon — Global.
• use_ext_auth_msg (true, false) — Specifies whether SecuRemote/SecureClient will show custom messages in the authentication window upon success or failure. The messages should be placed in a file named AuthMsg.txt located in the SecuRemote directory (typically in Program Files\CheckPoint). See the AuthMsg.txt file in the SecuRemote package for more details — Global.
• use_ext_logo_bitmap (true, false) — Specifies whether SecuRemote/SecureClient will show a custom bitmap in the authentication window. The file should be named logo.bmp and should be placed in the SecuRemote directory (usually located under Program Files\CheckPoint) — Global.
• guilibs — Used to specify SAA DLL, and is documented in this context — Global.
• pwd_type (now, later) — Used internally to indicates now or later auth dialog state. Do not modify — Global.
• connect_mode_erase_pwd_after_update (true, false) — Erase password after a site update in Connect Mode. Used with silent_update_on_connect — Global.
• disable_mode_transition (true, false) — Do not enable user to switch between modes via GUI or command line — Global.
• connect_api_support (true, false) — Indicates SecuRemote/SecureClient mode. Set to true in order to work with the Connect API — Global.
• connect_mode — Indicates SecuRemote/SecureClient mode. True for connect mode — Global.
• allow_clear_traffic_while_disconnected (true, false) — Topology is not loaded when disconnected, ensuring that there are no popups on the LAN when disconnected — Global.
• stop_connect_when_silent_update_fails (true, false) — If trying to connect in silent_update_on_connect mode, and the topology update fails, the connection will fail — Global.
• go_online_days_before_expiry (0) — The number of days before Entrust automatic key rollover (certificate renewal). Zero equals never — Global.
• go_online_always (true, false) — When true, will attempt the LDAP (entrust.ini) protocol after successful IKE negotiation — Global.
• implicit_disconnect_threshold (900) — When losing connectivity on physical adapter, SecuRemote/SecureClient keeps the connected state for the amount of time (in seconds) specified by implicit_disconnect_threshold. If the time elapses, or if connectivity resumes with a different IP address, SecuRemote/SecureClient disconnects. This is useful in network environments with frequent network disconnection, such as wireless — Global.
• active_test — Active tests configuration — Global.
• log_all_blocked_connections — Used internally to indicates the mode, and reflects the state of the GUI checkbox. Do not modify — Global.
• cache_password — Used internally to save the state of the checkbox called "Remember password, as per site settings". Do not modify — Global.
• dns_xlate (true, false) — Turn off the split DNS feature. May be needed in versions prior to NG FP3. In later versions, split DNS is not used by default when in Office Mode — Global.
• FTP_NL_enforce (0, 1, 2) — Indicates the strictness of the FTP inspection (0 -no check, 1- default check: Multiple newline characters allowed, 2-strict check: no multiple newline characters allowed — Global.
• show_disabled_profiles (true, false) — In connect mode, if the IKE timeout expires and this property is TRUE, disconnect instead of erasing the passwords — Global.
• post_connect_script — Specify full path for a script that SecuRemote/SecureClient will run after a connection has been established (Connect Mode only) — Managers.
• post_connect_script_show_window (true, false) — Specifies whether or not the post-connect script will run in a hidden window — Managers.
• list_style — How the site icons are presented in the main frame window — Global.
• mac_xlate (true, false) — Needs to be set to true to support Split DNS where traffic to the "real" DNS server may not be routed the same way as traffic to the "split" DNS server. The most common scenario is "real" DNS server on the same subnet as the client. Split DNS modifies the IP destination of the packet, but not the MAC destination. With mac_xlate set to true, the MAC destination address is set to the address of the default Security Gateway — Global.
• mac_xlate_interval — How frequently a check is made for the default Security Gateway's MAC address (see mac_xlate) — Global.
• sda_implicit (true, false) — The working mode of the Software Distribution Agent (SDA). True = implicit, false = explicit — Global, Managers.
• sda_imlicit_frequency — The frequency (in minutes) with which the Software Distribution Agent (SDA) connects to ASD server to check for updates — Global, Managers.
• sr_build_number, sr_sw_url_path, sr_sw_url_path_9x, sr_build_number_9x, sr_sw_url_path_nt,sr_build_number_nt, sr_sw_url_path_w2k,sr_build_number_w2k — On the Security Management server machine, the names are desktop_sw_version, desktop_build_number, etc. These attributes help SecureClient decide if it needs to upgrade itself — Managers.
• install_id_nt,install_id_9x,install_id_w2k — Installation IDs — Managers.

Product.ini Parameters

The following are the parameters included in the Product.ini configuration file.