Support Center > Search Results > SecureKnowledge Details
Check Point Capsule, Endpoint Security & Remote Access VPN E80.60 Known Limitations Technical Level

This article lists all of the known limitations of Check Point Capsule, Endpoint Security & Remote Access VPN E80.60.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > My Profile > My Subscriptions.

Important notes:

  • These limitations apply to all E80.60 Remote Access VPN clients. This includes:

    • Remote Access Clients: Endpoint Security VPN, Check Point Mobile for Windows, and SecuRemote
    • Endpoint Security Clients that include the Remote Access VPN blade, managed by SmartEndpoint on an R77 Security Management Server. For these clients also see R77 Known Limitations.

  • This release includes all limitations of Endpoint Security Suite and Remote Access Clients E80.51

  • For additional limitations for all Mac Client versions, see sk110975.

  • To get a fix for an issue listed below contact Check Point Support with the issue ID.

  • To see if an issue has been fixed, search for the issue ID in Support Center.

For more information on Check Point Capsule, Endpoint Security & Remote Access VPN E80.60, refer to sk102651 (Check Point Capsule, Endpoint Security & Remote Access VPN E80.60).

Visit our discussion forums to ask questions and get answers from technical peers and Support experts.
Popular forums:


Table of Contents

  • Endpoint Security E80.60 Clients for Windows
    • General
    • Capsule Docs
    • Capsule Docs for Mac
    • URL Filtering
    • Anti-Bot
    • Anti-Malware
    • Endpoint Security Media Encryption
    • Full Disk Encryption
    • Forensics
  • Remote Access VPN E80.60 Clients for Windows

Endpoint Security E80.60 Clients for Windows


ID Symptoms
01361047 Upgrade to Endpoint Security client E80.50 and later is not supported on Windows XP systems with Cisco VPN installed.
01355780 Endpoint Security webRH Admin users get erased during upgrades to E80.60, and need to be reconfigured.
01339944 If you install or upgrade a client on a system that does not already have .NET4 framework, the installation or upgrade can take up to 1.5 hours.
01340556 In the Client 'Advanced settings > Personalization', you cannot select an option other than "Display Overview" to occur when you double-click the Endpoint Security client icon.
01171561 The fw fetchlocal command is not supported on Endpoint Security Management Servers. It can cause database corruption.
Upgrade to E80.60 is not available for Endpoint Security Clients with WebCheck Software Blade installed.
For Endpoint Security clients to work correctly in proxy environment, define the proxy configuration in Internet Explorer.
Capsule Docs

On Windows XP computers, pdf files cannot be opened with Adobe Acrobat X or higher, if the user is not logged into Check Point Capsule Docs.

Workaround: Before you open Adobe Acrobat X or higher, launch one of the supported Office applications, and login with your Check Point Capsule Docs user credentials.


In Windows XP, Check Point Capsule Docs plugin interface does not show in Adobe Acrobat Reader X and above.

Workaround: Disable Enhanced Security in Adobe Acrobat: 'Edit > Preferences > Security (Enhanced)'

01400505 If a user logs out of his Windows account and then logs back in, the changes to his Check Point Capsule Docs policy apply only after the computer is restarted, or after 24 hours.
01339857 Standalone Check Point Capsule Docs client cannot be installed on a computer that has Check Point Endpoint Security Client installed.
01347973 User authentication with Active Directory fails for users whose Active Directory entity is not associated to any email address, and for users whose Active Directory entities are associated with the same email address.
01345240 Check Point Capsule Docs Software Blade is not supported for E80.60 Endpoint Security on Microsoft Windows Vista 64-bit OS.
If you install an Endpoint Security client with the Check Point Capsule Docs blade on a computer without .NET 4 Framework, the installation launches .NET 4 installation. During that time, a pop-up message shows "Product update failed". This is because the Endpoint Security installation is waiting for the .NET installation to finish. Ignore the message.
01338021 Unprotecting documents using a file printer works when the protected file classification contains the "Print" permission and does not contain "Unprotect/Change Classification" permissions.
01311685 SmartView Tracker does not support filtering logs by the Check Point Capsule Docs blade.
01492716 When using Capsule Docs with Microsoft Office 2013 32/64 bit or Office 2010 64bit, these limitations apply:
  • PrintScreen restriction is not enforced.
  • Mail Merge is not supported.
  • Document Review Features have limited support.
  • Insertion of OLE objects into documents is not supported.
  • Insertion of online video objects into documents is not supported.
01487765 To support compatibility with McAfee software: Add an exclusion for the Neon.exe process to Application Protection List on the McAfee policy server.

When configuring Reverse Proxy, if the Mobile Access portal name is the same as the email domain, problems occur with SSO in the Capsule Workspace app when accessing Capsule Docs.

For example, if the Mobile Access portal name is "" and the email domain is "", the problem will occur. If the Mobile Access portal name is "" and the email domain is "", the problem will not occur.

Use one of these workarounds:

1. Rename the Mobile Access portal in the portal settings of the gateway object. Make sure to add a new DNS name for the gateway.

2. Use the Gateway only as a Reverse Proxy without the SSO feature for Mobile capsule users. You must NOT include the Capsule Docs Web Application in SmartDashboard in any Mobile Access Policy rules.

01536559 Localized (non-English) Office 2003 is not supported by Document Security\Capsule Docs client.
01501075 Upgrade from Document Security client version 91.0.908/ and below is not supported. You must uninstall the old client first.
01537669 Capsule Docs on Mobile (iOS and Android) does not send audit logs for these events: Print, Screen Capture, and Copy to Clipboard.
Capsule Docs for Mac

In Word, embedded picture might not show in .docx documents.

In Powerpoint, slide thumbnails on the left side of the app window might be displayed upside down and in reverse order.
01516114 Capsule Docs client cannot open hyperlinks from protected word documents on OS X 10.10.
Protected word document cannot open pictures from external sources, only text will be displayed.
URL Filtering
01451173 When SmartEndpoint is configured to have Endpoint Security enforce URL Filtering, only if the Trusted gateway does not enforce it, the Main URL of the UserCheck portal on the Trusted gateway must be unchanged. If the Main URL is changed, both - Endpoint Security and the Trusted gateway will enforce URL Filtering.
01402552 Applications that use active ftp on Windows XP need to be manually added to the list of exclusions in the URL Filtering Endpoint Security policy.
  In distributed deployment, the Endpoint Security Management Server with URL Filtering is only supported if both servers have Gaia OS. In one-computer deployments, it is supported on both - Gaia and Windows operating systems.

In distributed deployments, where the Network Security Management Server is R75.40 or higher, but lower than E80.60, to install the URL Filtering policy on Endpoint Security clients, the Endpoint Security Management Server object must be defined as version R75.40 in SmartDashboard.

If it has a different version, this error shows on policy installation: "Installation failed. Reason: Load on Module failed - Policy installation failed because the gateway version, as defined in SmartDashboard, does not match the version installed on the gateway."

To resolve this issue, correct the version property in SmartDashboard, or upgrade the gateway.

Note: Whenever the Endpoint Security Management Server object is opened again, the version automatically changes back to R77. This is an intentional feature for gateways. Change it to R75.40 again.

01339185 If you create a rule to block the "Uncategorized" category, hotspots and proxies that do not have a specific category will be blocked.

When establishing SIC for the first time for a new SmartDashboard Endpoint Security object, after you successfully establish SIC, an error message shows that says that Get Topology failed due to a SIC issue: "Failed to connect to [object name] (IP Address: '[IP Address]'). Please make sure Check Point Services are running on [object name], and trust has been established."

This message is incorrect and can be ignored. SIC is established.

01445012 Endpoint Security ignores the "Block all requests when the web service is unavailable" option, configured in the URL Filtering policy section of SmartDashboard. When the web service is unavailable, requests are always allowed.
01190133 Authenticate proxy and IPv6 proxy are not supported. If such proxies are configured on client computers, the URL Filtering policy is not enforced correctly.
01859945 HTTPS sites are blocked or allowed according to the domain that appears in the CN section of the site's certificate.

In the URL Filtering policy there are two settings for which you can define patterns: Override Category and Custom Application.

Up to 256 patterns total are supported.

If you define more than 256, Endpoint URL Filtering might not work, as expected.

  Signature patterns are not supported.
  IP reputation service is not supported.
  HTTPS is not supported.
Exclusions of files or folders configured for scheduled scans in the Anti-Malware policy are also enforced in on-demand scans (Click "Scan system now" from the Endpoint Security Client Overview).
Anti-Malware Blade status in Endpoint Security client shows warning "Your machine was not scanned yet" even though there was a recent scan.
  Check Point Anti-Malware is not supported with other Anti-virus software.
01274634 On E80.50 and higher clients, the Disable Policy action is not enforced. The action from the previous policy installed is enforced instead.
Endpoint Security Media Encryption
When trying to move a file or folder to the Business Data part of the encrypted media, the "cut" operation works as "copy" and does not remove the original.
On Windows XP computers, business related data is not detected and will not be encrypted.
When you try to burn an encrypted CD, a message shows that the file size exceeds the CD capacity. The message is incorrect. Click "OK" to continue the burn process.
01496619 During installation of Media Encryption and Port Protection on Windows Server 2003, the user is notified about installation of an unsigned driver named "Check Point Media Encryption Disk Dynamic Bus Enumerator". This driver is required to access encrypted media on that machine.
01560715 When re-add a device that was deleted as an exception to ME policy, the device appears with its old name. See sk104416.
Full Disk Encryption

When using Secure Boot on Lenovo tablet 2, the computer starts recovery mode after it boots.

Workaround: Disable Secure Boot.


Surface Pro 2 and Fujitsu X913 can have a black screen during boot if the Windows generic video driver is used.

Workaround: Use the dedicated video drivers for the hardware.

00674411, 00674743
  • After changing the password in Pre-boot (and using either "Bi-directional Update for Pre-boot and OS Password Upon Change", or "Update OS Password Upon Pre-boot Password Change"), an autologon is performed, but with invalid password.

  • Endpoint Security Client might crash with Red Screen of Death (RSOD) - *** STOP in PsMain ***, Error code 0x50017b0 - when providing "Remote password change" to a user, which has SSO enabled.

    Workaround: Perform "One Time Login" instead of the "Remote password change".
Refer to sk108514.
If an incident occurs while the client is offline, the report will not be sent to the server. Also, if two consecutive incidents occur there is a chance that only one report will be sent to the server.
Forensics should not be installed on a machine with a 3rd party Anti-Malware installed.

Remote Access VPN E80.60 Clients for Windows

ID Symptoms
Remote Access VPN
If the client computer's OS generates a User Logon event a long time after the actual logon, the VPN client identifies it as a different user logon and disconnects the VPN tunnel.
On some devices, such as MS Surface, you must make the font smaller to display the client UI correctly.
This solution is about products that are no longer supported and it will not be updated

Give us Feedback
Please rate this document