Configuring Machine Authentication on the Client

Configure machine authentication using the trac.defaults configuration file.

Available attributes:

  • enable_machine_auth - Enables machine authentication with a machine certificate from the Windows System Store (if the certificate exists). If this parameter is set to true, authentication passes for both factors: machine certificate authentication and user authentication. If this parameter is set to false, authentication passes only with user authentication (legacy mode).

    Default value: true.

  • machine_tunnel_site - Contains the display name of the site that the client will connect to, using only machine authentication.

    Default value: empty.

    Note - Create the machine site before configuring the default site value.

  • machine_tunnel_before_logon - Lets the client establish a VPN tunnel before the user logs in to the endpoint computer. If this attribute is set to true and machine_tunnel_site has a value that matches the display name of the created site, then authentication passes with only the machine certificate before the user logs in to Windows.

    Default value: true.

  • machine_tunnel_after_logon - Lets the client ignore user authentication and authenticate using only the machine certificate after a user logs in to the endpoint computer. If this attribute is set to true and machine_tunnel_site has a value that matches the display name of the created site, then authentication passes with only the machine certificate after the user logs in to Windows.

    Default value: false.

To edit the attributes:

  1. On the client computer, edit the trac.defaults configuration file in a plain-text editor, with Administrator permissions.

    • EPS (managed client):

      C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect\trac.defaults

    • EPC (standalone client):

      C:\Program Files (x86)\CheckPoint\Endpoint Connect\trac.defaults

  2. Save the changes and close the editor.

  3. Reboot the client computer.
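
The attribute rules described above interact, so the following added example (not Check Point code) computes which factors are in effect before and after logon for a given set of values. The function name, the result strings, and the site name in the usage are hypothetical; values are passed in already parsed because this page does not show the trac.defaults syntax, and an exact, case-sensitive site-name match is assumed.

```python
# Added example: effective authentication per phase, following the
# attribute descriptions on this page. Not vendor code.

DEFAULTS = {  # default values as documented on this page
    "enable_machine_auth": True,
    "machine_tunnel_site": "",
    "machine_tunnel_before_logon": True,
    "machine_tunnel_after_logon": False,
}


def effective_auth(settings, created_sites):
    """Return (before_logon, after_logon, findings) for one client."""
    cfg = {**DEFAULTS, **settings}
    findings = []
    site = cfg["machine_tunnel_site"]
    # Assumption: the display name must match exactly (case-sensitive).
    site_ok = bool(site) and site in created_sites
    if site and not site_ok:
        findings.append(f"machine_tunnel_site {site!r} matches no created site")

    if not cfg["enable_machine_auth"]:
        # Legacy mode per the page: user authentication only.
        if site:
            # The page does not describe this combination; flag it for review.
            findings.append("machine_tunnel_site set while enable_machine_auth is false")
        return "no tunnel", "user only", findings

    # Before logon there is no user, so a tunnel exists only as a machine tunnel.
    before = "no tunnel"
    if cfg["machine_tunnel_before_logon"] and site_ok:
        before = "machine certificate only"

    # With machine authentication enabled, both factors apply by default.
    after = "machine certificate + user"
    if cfg["machine_tunnel_after_logon"] and site_ok:
        after = "machine certificate only"
        findings.append("user authentication is skipped after logon")
    return before, after, findings
```

With the documented defaults the result is no pre-logon tunnel and two-factor authentication after logon: machine_tunnel_before_logon defaults to true but has no effect until machine_tunnel_site names a created site.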