The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: How do I automate a SecuRemote Configuration?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


In NG, the Secure Client Packaging Tool allows you to easily make custom-configured installations of Secure Client with all the necessary options chosen for them. All a user will have to do is run a self-expanding archive that installs the software with the necessary options chosen for them. You may also do some additional tweaking of the product.ini file included within the Secure Client package.

ShowWelcome=1: Suppresses the Welcome to Check Point Secure Client screen upon installation if set to 0. ShowLic=1: Suppresses the display of the End User License Agreement if set to 0. This option cannot be set in the Secure Client Packaging Tool. OverwriteConfiguration=0: Indicates that, when a previous version of Secure Client is detected, the default should be to upgrade the configuration if this option is set to 0. Overwrite will be the default if this option is set to 1. ShowUpdateOverwrite=1: Does not present the end user with the choice of whether or not to overwrite the previous configuration if this option is set to 0. Instead, the client will use the default specified in the previous option. PathAskUser=1: Asks the end user where the software should be installed if set to 1. If set to 0, the client will be installed in the default location, which is C:\Program Files\CheckPoint\SecuRemote. DesktopSecurityDefault=1: Specifies whether this is a SecuRemote install (set to 0) or a Secure Client install (set to 1) by default, that is, whether or not to include the Desktop Security options. DesktopSecurityAskUser=1: Does not prompt the user about Desktop Security if set to 0 and uses the previous option to determine whether to install SecuRemote or Secure Client. InstallDialupOnly=0: Configures the usual default to install on all interfaces if set to 0. If set to 1, the default will be to install only on dial-up interfaces. ShowNetworkBindings=1: Does not prompt the end user about whether to install on all interfaces or just dial-up ones if set to 0. Instead, the previous option will specify the installation on interfaces. ShowReadmeFile=1: Suppresses the request to display the readme.txt file if set to 0. EnableSDL=0: Enables Secure Domain Logon by default if set to 1. SupportFWZ=0: Supports FWZ on the client if set to 1. Deprecated for NG FP2 and later. OverwriteEntINI=0: Overwrites the entrust.ini file (if it exists) if this option is set to 1. IncludeBrandingFiles=0: Includes a custom logo.bmp file, which replaces the Check Point logo everywhere, if set to 1. Support3rdPartyGina=1: Attempts to chain with other GINA DLL files that might exist if set to 1. This is especially critical if you use Secure Domain Logon. If set to 0, no attempt to chain with other GINA DLL files will be made. MajorVersion=5: Specifies the major version of Secure Client. NG is version 5. MinorVersion=3: Specifies the minor version of Secure Client. For Feature Pack 3, it's 3. For NG AI R54, it's 4. For NG AI R55, it's 5. EnablePolicyView=1: Allows the end user to view the security policy pushed to their client if set to 1. EnableLogView=1: Allows the end user to look at the local Secure Client logs if set to 1. EnableDiagnosticsView=1: Allows the end user to view diagnostic information in Secure Client if set to 1. EntrustSupport=1: Enables Entrust support if set to 1. Support is disabled if this option is set to 0. ShowDriverSignatureWarning=1: Suppresses driver signature warnings (which might occur in Windows 2000 and XP during installation) if this option is set to 0. MakeServiceNonInteractive=0: Allows the service to run in an unattended automated state (i.e., does not require a user to log on) if set to 1.

ShowRestart=1: Does not ask the end user to restart upon completion of installation if set to 0. RestartAfterInstall=1: Specifies whether or not to default to a restart after installation. If the previous option is set to 0 and this option is set to 1, the end user's machine will be rebooted without prompting.

For the 4.1 client, you can also do some amount of pre-packaging, but the work must be done manually.

Most configuration settings are in userc.C or userc.set on the SecuRemote client, including encryption domain. Manually configure the client to your liking, copy the userc.C and/or userc.set file from this system and replace the userc.C or userc.set file that is part of the normal SecuRemote installation files. Package this file and distribute it to the users. When they install SecuRemote, their client will automatically be configured with your encryption domains, encryption keys, and most of your preferred settings.

You can also modify the product.ini that is included in the installation files. The information needed in this file includes

Edition=3DES: This is DES for a DES version
MaxKeyLength=168: 56 for a DES version
Encryption=1: 1 is currently the only valid setting
DesktopSecurityDefault=1: Desktop Security Enabled by default, 0 if not
DesktopSecurityAskUser=1: Use with previous setting to silently set this setting
IncludeEntrustCertUtil=1: If not using Entrust, you can set this to 0
IncludeBrandingFiles=0: Include logo.bmp with installation to replace Check Point logo
SupportFWZ=1: If set to 0, FWZ is not supported
Support3rdPartyGina=0: If you are using a third-party GINA.DLL, set to 1
OvewriteEntINI=0: If you have an existing entrust.ini file, overwrite if set to 1

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.