Configuring Post Disconnect Scripts

The Post Disconnect Script feature runs a script or executable file on the Remote Access VPN client computers after they disconnect from the Security Gateway.

You must make sure that the script or executable file exists on the client computers, in the correct path.

Important Note - The Post Disconnect script runs with user-level permissions. For security reasons, running the Post Disconnect Script is not supported if users do a Secure Domain Login before Windows login.

Do these steps on each applicable Security Gateway / each Cluster Member:

  1. Connect to the command line on the Security Gateway / each Cluster Member.

  2. Log in to the Expert mode.

  3. Back up the current $FWDIR/conf/trac_client_1.ttm file.

  4. To configure the Post Disconnect feature, add these sections in the current $FWDIR/conf/trac_client_1.ttm file:

    :post_disconnect_script_show_window (
        :gateway (
            :valid (false)
            :default (true)
        )
    )

    :post_disconnect_script (
        :gateway (
            :valid (false)
            :default ("<Full Path to the script file on the Remote Access VPN computer>")
        )
    )

    :post_disconnect_mode (
        :gateway (desktop_post_disconnect_mode
            :valid (false)
            :default (<1 or 2>)
        )
    )

  5. Save the changes in the TTM file.

  6. In SmartConsole, install the policy on the Security Gateway and/or Cluster Member.

New settings are effective on the next connection of the Remote Access VPN client computer to the Security Gateway and/or Cluster Member.

Notes:

  • The "default" value of the "post_disconnect_script_show_window" is true or false.

    • To show the script window, set it to true.

    • To hide the script window (this is the default), set it to false.

  • The "default" value of the "post_disconnect_script" is the path to the script on the client's computer. The default value is an empty string.

  • The "default" value of the "post_disconnect_mode" can be:

    • 0 - Feature is disabled (this is the default).

    • 1 - Only user-initiated events will run the script.

    • 2 - All events will run the script.

  • For example, to turn off the Post Disconnect Script, set the value of "post_disconnect_mode" to "0".

In addition, you can configure the Post Disconnect Script through the trac.defaults file.

To enable Post Disconnect Script:

  1. Go to the Endpoint Connect program folder:

    • 64-bit systems - %programfiles(x86)%\CheckPoint\Endpoint Connect\

    • 32-bit systems - %programfiles%\CheckPoint\Endpoint Connect\

  2. Edit the trac.defaults file in a plain-text editor, such as Notepad.

  3. Set applicable values for these parameters:

    post_disconnect_script                          STRING        "<Full Path to the script file on the Remote Access VPN computer>"      GW_USER     0

    post_disconnect_script_show_window              STRING        <true or false>                   GW_USER     0

    post_disconnect_mode                            INT           <1 or 2>                       GW_USER     0

  4. Save the file.

  5. Open the Command Prompt as Administrator and run:

    > net stop TracSrvWrapper

    > net start TracSrvWrapper

To disable Post Disconnect Script:

  1. Go to the Endpoint Connect program folder:

    • 64-bit systems - %programfiles(x86)%\CheckPoint\Endpoint Connect\

    • 32-bit systems - %programfiles%\CheckPoint\Endpoint Connect\

  2. Edit the trac.defaults file in a plain-text editor, such as Notepad.

  3. Find the post_disconnect_mode parameter and set its value to “0”.

  4. Save the file.

  5. Open the Command Prompt as Administrator and run:

    > net stop TracSrvWrapper

    > net start TracSrvWrapper
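
The trac.defaults settings described above can be checked on a client before the service is restarted. This is an added example, not Check Point code: it parses the post_disconnect_* lines in the format shown on this page and reports unsupported values or a script file that is missing. The function names, the sample text and the C:\Scripts\cleanup.bat path are constructed for illustration.

```python
import os
import re

# One trac.defaults entry in the layout shown on this page:
#   NAME  TYPE  VALUE  GW_USER  0
# VALUE is either a double-quoted string (may contain spaces) or a bare token.
LINE_RE = re.compile(r'^\s*(\S+)\s+(\S+)\s+(?:"([^"]*)"|(\S+))\s+(\S+)\s+(\S+)\s*$')

# Constructed sample input, not taken from a real client.
SAMPLE = r'''
post_disconnect_script              STRING  "C:\Scripts\cleanup.bat"  GW_USER  0
post_disconnect_script_show_window  STRING  false                     GW_USER  0
post_disconnect_mode                INT     2                         GW_USER  0
'''

def parse_post_disconnect(text):
    """Return {name: value} for every post_disconnect_* parameter in text."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1).startswith("post_disconnect_"):
            found[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return found

def audit(text, exists=os.path.isfile):
    """Return a list of findings; an empty list means the settings are consistent."""
    cfg = parse_post_disconnect(text)
    mode = cfg.get("post_disconnect_mode", "0")        # page: 0 (disabled) is the default
    script = cfg.get("post_disconnect_script", "")     # page: default is an empty string
    window = cfg.get("post_disconnect_script_show_window", "false")
    findings = []
    if mode not in ("0", "1", "2"):
        findings.append(f"post_disconnect_mode has unsupported value {mode!r}")
    if window not in ("true", "false"):
        findings.append(f"post_disconnect_script_show_window must be true or false, got {window!r}")
    if mode in ("1", "2"):
        if not script:
            findings.append(f"post_disconnect_mode is {mode} but post_disconnect_script is empty")
        elif not exists(script):
            # The page requires the file to exist on the client at this exact path.
            findings.append(f"script not found on this client: {script}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real client, pass the contents of its trac.defaults file to audit() instead of SAMPLE.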