SecureClient NG AI R55 / 56 for Mac OS X FAQ
||NG AI R56, NG AI R55
- My Security Gateway supports VPN connections with SecuRemote. Will you be distributing SecuRemote with this build of SecureClient?
SecureClient can connect to any gateway that supports SecuRemote connections. A SecuRemote version of Mac OS X SecureClient is not planned.
- I have a customized
userc.C file for Windows SecureClient. Can I use the same database file on my Mac SecureClient?
Yes. The Mac OS X SecureClient supports the same
userc.C format as SecureClient for Windows R56. Note that some Windows features are not supported on the Mac OS X.
Note the following issues:
- The format of a text file on UNIX machines is different than the format used on Windows machines. Use
dos2unix command for the
userc.C file before using it on the MAC client.
- The MAC client works in what is called CLI Mode with an added a script to help in the process. Follow this procedure when transferring a
userc.C file from Windows to Mac OS X:
- On the Windows machine, run:
[c:\program files\checkpoint\securemote\bin]scc setmode cli
- Copy the file from the Windows machine to the MAC machine (to the
/tmp directory in this example).
- On the MAC machine, open a terminal and run the following commands as root:
tcsh - to run in tcsh
source /opt/CPsrsc-50/.cshrc - to add environment vars
scc stop - to stop SecureClient
cp $SRDIR/database/userc.C $SRDIR/database/userc.C.bak - to backup the current
mv /tmp/userc.C $SRDIR/database - replace the
$SRDIR/bin/cpdos2unix $SRDIR/database/userc.C - to convert th filw to UNIX format.
scc start - to start SecureClient.
- In Finder, run SecureClient GUI from Applications.
- How to change the boot Security policy to a Restrictive policy?
When installing SecureClient for Mac OS X, the default boot Policy "accept all" (same as the Windows client). Mac OS X comes packaged with two Policy files in the
sc_boot_acceptall.bin (accept all)
sc_boot_blockinbound.bin (block inbound connections).
$SRDIR/default.bin points to one of them, and is used as the effective boot Policy file. To change the boot Policy, change the link to point to
sc_boot_blockinbound.bin after the client is already installed.
- How to stop SecureClient from automatically starting when I log in?
Starting the SecureClient GUI is done by adding the GUI application to the list of applications run by any user on login.
To change this behavior do the following:
- Start a terminal application.
- Change to root.
StartupItemsMgr remove $SRDIR/bin/SecureClient.app
To add automatic GUI startup to just one user, add it to the user's startup items, from system-preferences -> Users applet.
Note: This procedure will only affect the launching of the SecureClient GUI. The daemons will still be running as usual.
- How to enforce desktop rules on my IPv6 network interfaces?
SecureClient for Mac OS X does not enforce rules on IPv6 traffic.
- After installing SecureClient for Mac OS X, my machine is with a message to reboot. This is happening on every reboot, so I cannot uninstall SecureClient from the Finder. How to uninstall SecureClient without reinstalling the whole machine?
There is no need to reinstall the machine. Follow this procedure:
- Turn the machine off and back on.
- You are now in Single User Mode. Hold down the Apple and S keys for a few seconds until you see a black screen containing a few lines of text.
- Type at the command prompt:
/bin/fsck -yf - (this may take several minutes)
/sbin/mount -uw /
mv /opt /opt2 - to rename the SecureClient installation folder.
The machine should now reboot, as SecureClient is no longer loaded.
- You must still uninstall, by opening a terminal window and typing:
sudo mv /opt2 /opt - enter your password when prompt.
- Uninstall SecureClient.
Using the Finder, open the Applications folder, then the Check Point SecureClient folder.
Click Uninstall SecureClient.
- My gateway blocks traffic from clients that do not pass Secure Configuration (SCV) tests. How do I configure the Gateway to allow such traffic from my Mac OS X clients?
- On the gateway's management, open the
- In the SCVGlobalParams section, add the field
- Save the file and install the Desktop Security Policy on the relevant Gateway (using SmartDashboard). Once the Policy is installed, traffic from Mac OS X clients will be allowed, even if SCV is enforced.
- How to use Entrust Digital ID with this client release?
Customers using Entrust Digital ID's in the *.epf format need to export them into *.p12 format using the Entrust Entelligence 6.0 'Export' feature. The Export feature is accessed by right clicking on the Entrust key Tray icon and selecting Entrust Options. Users must have their account configured with suitable export policies by their PKI administrator before the PKCS#12 Export feature is enabled in Entrust Entelligence.
- How can I use Bonjour after applying a block-inbound Desktop Security policy?
A block-inbound Desktop Security Policy does not allow incoming connections to the desktop machine. Bonjour requires IP multicast traffic to function properly.
To support Bonjour, add a desktop-security rule above the block-inbound rule:
Source: (IP: 184.108.40.206-220.127.116.11, 18.104.22.168-22.214.171.124)
Service: tcp, udp
This will allow the necessary incoming multicast connections for Bonjour.
- How to configure SecureClient to not appear in the Doc?
Note:This procedure limits the ability to access open dialogs by using the Apple and Tab keys, and clicking the SecureClient menu icon when it is hidden by other applications' menus.
- Open Terminal Application and execute the command:
- Double-click the
Info.plist file to open it (opened in Property List Editor).
Add a new sibling to root with the following parameters:
- Save the
Info.plist file using File -> Save, and quit the application.
- In Terminal Application, run this command:
- If the SecureClient GUI is running, click its icon in the Doc and choose Quit.
- Run SecureClient GUI from the Applications menu in Finder.
To download SecureClient for Mac OS X, click here.
This solution is about products that are no longer supported and it will not be updated