Patch-ID# 105582-04 Keywords: FireWall-1 Secure Remote SecuRemote 4.0 95 NT Synopsis: Solstice FireWall-1 4.0: Windows 95/NT SecuRemote Upgrade/Jumbo (VPN+DES) Date: Aug/27/98 Solaris Release: SunOS Release: Unbundled Product: Firewall-1 Unbundled Release: 3.0b Relevant Architectures: intel BugId's fixed with this patch: Changes incorporated in this version: Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: ./README ./sr40des95.exe ./sr40desnt.exe Description: ------------ This is a Check Point distribution of SecuRemote version 4.0. This page includes the Release Notes for SecuRemote 4.0 . Table of Contents: ------------------ Unpacking and Installing SecuRemote New Features Fixed Bugs Restrictions Known Bugs (Please read) Downloading SecuRemote Unpacking and Installing SecuRemote ----------------------------------- Having downloaded SecuRemote from the network as a single self-extracting file, you should first unpack it: 1.Create a temporary directory for installation, C:\TEMP, for instance. 2.Save the .exe files to your temporary directory and unzip it (double- click each file and follow wizard's instructions). 3.Enter the unzipped directory Disk1 (now located in your temporary directory) and run Setup.exe. 4.You should now define at least one site (for more information, run the program help). New Features ------------ IKE (previously known as ISAKMP/OAKLEY) key exchange with IPSec encryption is now supported. This applies only to encryption with version 4.0 gateways. Two authentication methods are supported: pre-shared secret (password) and certificate authentication. The user must choose how to authenticate, based on the credentials supplied. At present, for certificate authentication, Entrust certificates are supported for use with Entrust PKI. Certificates may reside on local file system, or on supported hardware tokens. Authenticated and encrypted topology download: In previous versions, if a management site was configured to "export" its topology, the information was conveyed to any SecuRemote client, in the clear. In version 4.0, the management may be configured to demand user authentication before divulging the information. SecuRemote 4.0 supports this. The authentication is done by means of the IKE credentials (password or certificate). In this case, the information is encrypted. FWZ key exchange and encryption are still supported. Fixed Bugs ---------- 1.In some cases, if a user was tardy responding to an authentication pop-up, and entered a password a few minutes after the window popped-up, an "Internal Error" would result (in some cases SecuRemote would crash). This has been fixed. 2.Windows 95 users could experience memory problems. If you are running on Windows 95 with sever memory restrictions (less than 16M), or with many drivers installed, you may be able to customize SecuRemote memory allocation. See README file for details. Restrictions ------------ 1.The new encryption features can only be utilized when encrypting with Firewall-1 version 4.0 (or later). However, this version is fully backward compatible with Firewall-1 version 3.0. 2.FWZ ICMP encryption: there are two "versions" of ICMP encryption, and for ICMP packets to be encrypted and decrypted successfully, the SecuRemote client and the firewall must agree on which version to use. FireWall-1 version 4.0 will, by default, use version "1" (new), as will SecuRemote version 4.0. SecuRemote can be forced to use version "0" (old), to be compatible with older firewalls, by editing the state/userc.set file in the SecuRemote directory. 3.NT 3.51 is no longer supported, though in all likelihood, SecuRemote will work correctly on this platform as well. Known Bugs ---------- 1.Using this version of SecuRemote for Windows 95, the Installation program is unable to overwrite existing files. To work-around it, please uninstall your current SecuRemote version and then reboot, before installing SecuRemote 4.0. This work-around has to be done regardless of whether you choose 'overwrite' or 'update'.