(I) Providing Secure Remote Access
In today's business environment, it is clear that workers require remote access to sensitive information from a variety of locations and a variety of devices. Organizations must also make sure that their corporate network remains safe and that remote access does not become a weak point in their IT security.
This article will:
Help you decide which remote access client or clients best match your organization's requirements.
Give you information about Check Point's secure remote access options.
(II) Types of Remote Access Solutions
All of Check Point's Remote Access solutions provide:
Enterprise-grade, secure connectivity to corporate resources.
Strong user authentication.
Granular access control.
Factors to consider when choosing remote access solutions for your organization:
L3 VPN tunnel vs. Secure Business portal: Do you need a full VPN tunnel that protects access to the business from any installed application, or a simpler business portal that provides simple and secure access to published business applications?
Client-Based vs. Clientless: Does the solution require an agent to be installed on the endpoint computer, or is it clientless, for which only a web browser is required?
Secure Connectivity vs. Endpoint Security: Does the solution provide only secure connectivity, or also additional endpoint security functionalities, when the device is not connected via a VPN tunnel to the business?
(II-1) Types of Remote Access Solutions - SSL VPN Portal for published business application
Allows simple and secure usage of business resources from any PC, Mac, smartphone or tablet.
Access business resources such as web-applications
Two factor user authentication
Secure access to published apps via any supported Internet Browser or a dedicated Smartphone/tablet app
Best fit for unmanaged devices and "BYOD"
License required: Check Point Mobile on the Security Gateway. License count per concurrent connected devices.
Check Point Mobile for iPhone and iPad and Check Point Mobile for Android have been deprecated and replaced by Capsule Workspace.
Capsule Workspace was previously named Mobile Enterprise.
(II-2) Types of Remote Access Solutions - Layer-3 VPN Tunnel
Secure access to the business from any installed application via a Layer-3 VPN tunnel
Check Point Mobile for Windows, Check Point VPN Plugin for Windows 8.1 and Check Point Capsule VPN for Windows 10 do not support "two factor user authentication". (The limitation applies only to E80.64 and earlier in the context of Check Point Mobile for Windows.)
Requires a VPN agent/app installation
Best fit for both managed and unmanaged devices
License required: Check Point Mobile on the Security Gateway. License count per concurrent connected devices.
(II-3) Types of Remote Access Solutions - Layer-3 VPN Tunnel integrated with Endpoint Security
A full Layer-3 VPN tunnel integrated with enterprise grade endpoint security software blades.
Two factor user authentication.
Additional Endpoint Security functionalities, ranging from a desktop firewall to full endpoint security software blades such as Disk Encryption, Media Encryption, Anti Malware, and more.
Requires a VPN agent/app installation.
Best fit for managed devices.
The Endpoint Security VPN for Windows ATM msi is appropriate for ATM solutions.
License required: Endpoint Security Container on Endpoint Security Management Server and Endpoint Security VPN on Network Management Server. License count per installed devices.
Below is a summary of each Remote Access option that Check Point offers. All supply secure remote access to corporate resources, but each has different features and meets different organizational requirements.
Important: Remote Access clients communicate with the Security Gateway through a single VPN tunnel. The VPN tunnel is not bound to a specific logged in user, and its remote access capabilities will be the same for any user/application on the client host. Multiple users on the same host are not supported, and thus Check Point does not support/recommend allowing VPN tunnels on multi-user machines such as Terminal Services.
The Mobile Access Portal is a clientless SSL VPN solution. It is recommended for users who require access to corporate resources from home, an internet kiosk, or another unmanaged computer. The Mobile Access Portal can also be used with managed devices.
It provides:
Secure Connectivity
Security Verification
The Mobile Access Portal supplies access to web-based corporate resources. You can use the on-demand client, SSL Network Extender (SNX), via the Portal to access all types of corporate resources.
Required Licenses
Mobile Access Software Blade on the Security Gateway.
Note: For VSX, you need only one MAB license per node, which will be replicated to all VSs. For example, if you have 10 VSs and one MAB license for 50 concurrent users then you will have 50 concurrent users per VS.
Supported Platforms
Windows, Mac OS X, Linux, iOS and Android
Where to get the Client
Included with the Security Gateway
SSL Network Extender (SNX)
Introduction
SSL Network Extender (SNX) is a thin SSL VPN on-demand client installed automatically on the user's machine via a web browser. It supplies access to all types of corporate resources. SSL Network Extender (SNX) has two modes:
Network Mode: Users can access all application types (Native-IP-based and Web-based) in the internal network. To install the Network Mode client, users must have administrator privileges on the client computer.
Application Mode: Users can access most application types (Native-IP-based and Web-based) in the internal network, including most TCP applications. The user does not require administrator privileges on the endpoint machine.
Required Licenses
Mobile Access Software Blade and IPSec VPN Blade on the Security Gateway
Supported Platforms
Network Mode: Windows, Mac OS X, Linux
Application Mode: Windows
Where to get the Client
Included with the Security Gateway
Check Point VPN Plugin for Windows 8.1
Introduction
Check Point VPN Plugin for Windows 8.1 is an L3 VPN client. It supplies secure connectivity and access to corporate resources using L3 SSL VPN Tunnel.
Required Licenses
Mobile Access Software Blade on the Security Gateway
Supported Platforms
Windows 8.1, Windows Phone
Where to get the Client
Preinstalled with Windows 8.1
Check Point Capsule VPN for Windows 10
Introduction
Check Point Capsule VPN uses SSL. It is now available for Windows 10.
Required Licenses
Mobile Access Software Blade on the Security Gateway
Check Point Mobile for Windows is an IPsec VPN client. It is best for medium to large enterprises that do not require an Endpoint Security policy.
It provides:
Secure Connectivity
Security Verification
Required Licenses
IPsec VPN and Mobile Access Software Blades on the Security Gateway.
Supported Platforms
Windows
Where to get the Client
Check Point Support Center
Check Point Mobile for iPhone and iPad
(Check Point Mobile is deprecated and replaced by Capsule Workspace)
Introduction
Check Point Mobile for iPhone and iPad is an SSL VPN client. It supplies secure connectivity and access to web-based corporate resources and Exchange ActiveSync. Check Point Mobile for iPhone and iPad is ideal for mobile workers who have iPhone or iPad devices.
Required Licenses
Mobile Access Software Blade on the Security Gateway
Supported Platforms
iOS
Where to get the Client
Apple App Store
SecuRemote
Introduction
SecuRemote is a secure, but limited-function IPsec VPN client. It provides secure connectivity.
Required Licenses
IPsec VPN Software Blade on the Security Gateway. It is a free client and does not require additional licenses.
Supported Platforms
Windows
Where to get the Client
Check Point Support Center
Endpoint Security VPN
Introduction
Endpoint Security VPN is an IPsec VPN client that replaces SecureClient. It is best for medium to large enterprises.
It provides:
Secure Connectivity
Security Verification
Endpoint Security that includes an integrated Desktop Firewall, centrally managed from the Security Management Server
Note: Endpoint Security VPN for Mac OS X includes a Desktop Firewall, but not Security Verification.
Required Licenses
The IPsec VPN Software Blade on the Security Gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server.
Supported Platforms
Windows, Mac OS X
Where to get the Client
Check Point Support Center
Endpoint Security Suite
Introduction
The Endpoint Security Suite simplifies endpoint security management by unifying all endpoint security capabilities in a single console and a single client. Endpoint Security Software Blades include: Desktop Firewall and Security Verification, Full Disk Encryption, Media Encryption and Port Protection, SandBlast Agent, Anti-Malware and Program Control, WebCheck browser virtualization and Remote Access VPN.
Starting from Endpoint Security E80.41, Remote Access VPN Clients are part of the Endpoint Security offering, providing the next release of E75.30, including all flavors. The E75 Remote Access Clients series was previously known as Endpoint Security VPN R75.
(Remote Access Clients E75.30 (Endpoint Security VPN) replaced SecureClient, including 64-bit support. It replaced both SecureClient and Endpoint Connect.)
Client: Endpoint Security Container and Endpoint Security Software Blades - for any protected endpoint.
Supported Platforms
Windows, Mac OS X
Where to get the Client
Check Point Support Center
Capsule Workspace for iOS
Introduction
Capsule Workspace for iOS is an SSL VPN client. It supplies secure connectivity and access to web-based corporate resources and Microsoft Exchange services. It also gives secure access to Capsule Docs protected documents. It was previously called Mobile Enterprise.
Capsule Workspace is ideal for mobile workers who have privately-owned smart phones or tablets. It protects only the business data inside the App and does not require device-level security measures, such as device-lock or device-wipe.
Required Licenses
Capsule license on the Security Management
Supported Platforms
iOS
Where to get the Client
Apple App Store
Capsule Workspace for Android
Introduction
Capsule Workspace for Android is an SSL VPN client. It supplies secure connectivity and access to web-based corporate resources and Microsoft Exchange services. It also gives secure access to Capsule Docs protected documents. It was previously called Mobile Enterprise.
Capsule Workspace for Android is ideal for mobile workers who have privately-owned smart phones or tablets. It protects only the business data inside the App and does not require device-level security measures, such as device-lock or device-wipe.
Required Licenses
Capsule license on the Security Management
Supported Platforms
Android
Where to get the Client
Google Play Store
Capsule Connect (for iOS)
Introduction
Capsule Connect is a full L3 tunnel App that gives users network access to all mobile applications. It supplies secure connectivity and access to all types of corporate resources. It was previously called Mobile VPN.
Required Licenses
Mobile Access Software Blade on the Security Gateway
Supported Platforms
iOS 6.0 +
Where to get the Client
Apple App Store
Check Point Mobile for Android
(Check Point Mobile is deprecated and replaced by Capsule Workspace)
Introduction
Check Point Mobile for Android is an SSL VPN client. It supplies secure connectivity and access to web-based corporate resources and Exchange ActiveSync. Check Point Mobile for Android is ideal for mobile workers who have Android devices.
Required Licenses
Mobile Access Software Blade on the Security Gateway
Supported Platforms
Android
Where to get the Client
Google Play Store
Capsule VPN (for Android)
Introduction
Capsule VPN for Android devices is an L3 VPN client. It supplies secure connectivity and access to corporate resources using L3 IPSec/SSL VPN Tunnel. It was previously called Mobile VPN.
Required Licenses
Mobile Access Software Blade on the Security Gateway
Supported Platforms
Android 4 + (ICS+)
Where to get the Client
Google Play Store
Check Point GO (Deprecated)
Introduction
Check Point GO is a portable workspace with virtualized Windows applications, on a secure and encrypted USB Flash Drive. Users insert the USB device into a host PC and securely access their workspace and corporate resources via SSL VPN technology. Check Point GO is ideal for mobile workers, contractors, and disaster recovery. The virtual workspace is segregated from the host PC and controls the applications and data that can run in Check Point GO.
It provides:
Secure Connectivity
Security Verification
Required Licenses
IPsec VPN Software Blade on the Security Gateway and Check Point GO devices.
Supported Platforms
Windows
Where to get the Client
Check Point Support Center
Which license is required to allow L2TP VPN tunnels
Question: In order to allow L2TP VPN tunnels, if the customer already has the Endpoint VPN Remote Access Blade - is this enough, or is there a Mobile Access Blade license required? Meaning, for L2TP, do we need an Endpoint VPN Client license or a Mobile Access License?
Answer: In order to allow L2TP VPN tunnels, you would just need the IPSec VPN license on the Security Gateway. There is no need for the Mobile Access License.
Check Point products support for Windows 7, 8 and 10:
For information about Check Point products support for Windows 7, see:
Windows 7 Professional 32/64-bit (with or without SP1)
Windows 7 Enterprise 32/64-bit (with or without SP1)
Windows 7 Ultimate 32/64-bit (with or without SP1)
Windows 8 Pro 32/64-bit (E75.30 only)
Windows 8 Enterprise 32/64-bit (E75.30 only)
E75.10 / E75.20 / E75.30 Check Point Mobile for Windows
Windows
Windows XP Professional 32-bit (with SP2,SP3)
Windows Vista 32/64-bit (with SP1,SP2)
Windows 7 Home 32/64-bit (with or without SP1)
Windows 7 Professional 32/64-bit (with or without SP1)
Windows 7 Enterprise 32/64-bit (with or without SP1)
Windows 7 Ultimate 32/64-bit (with or without SP1)
Windows 8 Pro 32/64-bit (E75.30 only)
Windows 8 Enterprise 32/64-bit (E75.30 only)
E75.10 / E75.20 / E75.30 SecuRemote
Windows
Windows XP Professional 32-bit (with SP2,SP3)
Windows Vista 32/64-bit (with SP1,SP2)
Windows 7 Home 32/64-bit (with or without SP1)
Windows 7 Professional 32/64-bit (with or without SP1)
Windows 7 Enterprise 32/64-bit (with or without SP1)
Windows 7 Ultimate 32/64-bit (with or without SP1)
Windows 8 Pro 32/64-bit (E75.30 only)
Windows 8 Enterprise 32/64-bit (E75.30 only)
E75.01 Endpoint Security VPN
Mac OS X
Mac OS X 10.6 Snow Leopard (32/64-bit)
Mac OS X 10.7 Lion (32/64-bit)
Mac OS X 10.8 Mountain Lion (32/64-bit)
E75 Endpoint Security VPN
Mac OS X
Mac OS X 10.6 Snow Leopard (32/64-bit)
Mac OS X 10.7 Lion (32/64-bit)
SSL Network Extender (SNX) for Mobile Access Blade
Windows
Linux
macOS
Windows OS:
Windows XP Professional 32/64-bit (with SP2, SP3)
Windows 7 32/64-bit (with SP1)
Windows 8.1 update 1 32/64-bit
Windows 10 32/64-bit
Note: SSL Network Extender is not supported in 64-bit browsers on Windows OS prior to Windows 8. SSL Network Extender is supported in 64-bit Internet Explorer 10 in Windows 8.
macOS:
Mac OS X 10.6.8 (Snow Leopard) (32-bit and 64-bit)
Mac OS X 10.7, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5 (Lion) (32/64-bit)
OS X 10.8, 10.8.1, 10.8.2 (Mountain Lion) (64-bit), 10.8.4, 10.8.5 (32/64-bit)
OS X 10.9.x (Mavericks)
OS X 10.10 (Yosemite), 10.10.2 (32/64-bit)
OS X 10.11 (El Capitan)
macOS 10.12 (Sierra)
macOS 10.13 (High Sierra)
macOS 10.14 (Mojave)
macOS 10.15 (Catalina)
Linux OS:
Ubuntu 11.10 and higher (32-bit and 64-bit)
openSUSE 11.4 and higher (32-bit and 64-bit)
Fedora 15 and higher (32-bit and 64-bit) (Requires xterm (standard terminal emulator) for deployment)
RHEL 5.7 and 6.1 and higher (32-bit and 64-bit)
SSL Network Extender (SNX) for IPSec VPN Portal
Windows
Linux
Mac OS X
Windows OS:
Windows XP Professional 32/64-bit (with SP2, SP3)
Windows 7 32/64-bit (with SP1)
Windows 8.1 update 1 32/64-bit
Windows 10 32/64-bit
Note: SSL Network Extender is not supported on 64-bit browsers in Windows prior to Windows 8. SSL Network Extender is supported on 64-bit IE 10 in Windows 8.
Macintosh OS:
Mac OS X 10.6.8 (32/64-bit)
Mac OS X 10.7, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5 (Lion) (32/64-bit)
Mac OS X 10.8, 10.8.1, 10.8.2 (Mountain Lion) (64-bit), 10.8.4, 10.8.5